ChupaChu Posted September 13, 2007

I wonder if there is a way to hide calls I make from inlined asm? For example, if I call RDTSC regularly (every few secs) to check if code execution is getting too slow (usually means: I'm being debugged), by searching my exe for '0F 31' bytes or the RDTSC command in Olly this anti-debug trick is very easy to find. So is there a simple way to get around this?

Regards, ChupaChu!

Loki Posted September 13, 2007

You could make the code self modifying so that just before the command is run, it decrypts itself. A simple XOR would do the job, and you could even choose an XOR value which turns it into another seemingly legit command.

ChupaChu Posted September 13, 2007 Author

> You could make the code self modifying so that just before the command is run, it decrypts itself. A simple XOR would do the job, and you could even choose an XOR value which turns it into another seemingly legit command.

Sounds good enough for me. I have never coded something like that. Do you have any examples I could take a look at? At the moment I am thinking of creating a variable, let's say a string with the hex code I need to encrypt. Then I would XOR it with, let's say, 33h, byte by byte, and create a new string. Now this string I can use to decipher the whole command in my exe. OK, I think I might be correct by now. But how do I then make a jump to that deciphered string!? Can you provide a simple asm sample (to work with Delphi inline)?

Thanks, ChupaChu!
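
Added example, not part of the thread and not any poster's code: the single-byte XOR described above leaves the XOR of the two adjacent opcode bytes unchanged (0F ^ 31 = 3E for every key), so an analyst can still locate an encoded RDTSC statically and recover the key. The function names and sample bytes are constructed for illustration; 33h is the key value mentioned in the thread.

```python
"""Constructed example: find RDTSC (0F 31) hidden by a single-byte XOR key."""

RDTSC = bytes([0x0F, 0x31])

# XOR with one repeated key byte cancels out between neighbours:
# (0x0F ^ k) ^ (0x31 ^ k) == 0x0F ^ 0x31 == 0x3E for every k.
DELTA = RDTSC[0] ^ RDTSC[1]


def find_rdtsc_candidates(code: bytes):
    """Return (offset, key) pairs; key 0 means plaintext RDTSC."""
    hits = []
    for off in range(len(code) - 1):
        a, b = code[off], code[off + 1]
        if a ^ b == DELTA:
            # The key is whatever turns the first byte back into 0x0F.
            hits.append((off, a ^ RDTSC[0]))
    return hits


def decode(code: bytes, off: int, key: int) -> bytes:
    """Undo the single-byte XOR on the two bytes at `off`."""
    return bytes(x ^ key for x in code[off:off + 2])


# Constructed sample bytes (not from a real binary): a plaintext RDTSC at
# offset 2 and the same opcode XORed with 0x33 at offset 6.
SAMPLE = bytes.fromhex("90900f3189c33c0290c3")

if __name__ == "__main__":
    for off, key in find_rdtsc_candidates(SAMPLE):
        label = "plaintext" if key == 0 else f"XOR key 0x{key:02X}"
        print(f"offset {off}: {SAMPLE[off:off + 2].hex(' ')} -> "
              f"{decode(SAMPLE, off, key).hex(' ')} ({label})")
```

Each hit is only a candidate: in random data about one adjacent byte pair in 256 matches, so confirm a hit by checking that the location is written to before it executes.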