Escape
Wanted to share this with the world:
e 0:0 cc
e 100 c4 c4 54 27
This entry was posted on Sunday, February 1st, 2009 at 11:24 am and is filed under Assembly, Debugging, Security.
I don’t get it
Then probably it’s not for you
Ho no! my NTVDM !
Spoiler
It’s the VDM Debugger interface. WinDbg supports it, too.
Check my Anti-Unpacker 2 paper part 2.
You can make it remove breakpoints and other cool things.
V. interesting, link us please
Looking into NTVDM.EXE, I see why the crash happens.
The table is only 0x1e entries large, and the index is not checked, so any value larger than 0x1e will make it go somewhere unexpected.
The environment is ring3 32-bit flat memory at that point, but only the DOS memory is mapped in.
Then if a crash occurs, you get the VDM Debugger DLL (ntvdmd.dll) loaded.
Yep, thanks for saving me the description.
I meant, give us a link to your paper.
It’s on pferrie.tripod.com.
If I give a direct link, you might miss the other interesting things.
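An added example, not code from the post or from NTVDM.EXE: the unchecked table index described in the comments, written as a generic C dispatcher beside its bounds-checked form. Only the table size 0x1e comes from the page; the handler type, the function names and the sample index values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define TABLE_ENTRIES 0x1e   /* table size quoted in the comments */

typedef int (*handler_fn)(uint8_t);

/* Hypothetical handler: reports which slot was dispatched. */
static int stub_handler(uint8_t index) { return index; }

static handler_fn table[TABLE_ENTRIES];
static int table_ready;

static void init_table(void)
{
    for (size_t i = 0; i < TABLE_ENTRIES; i++)
        table[i] = stub_handler;
    table_ready = 1;
}

/* Unchecked form, shown for contrast: with index >= TABLE_ENTRIES this
 * reads whatever lies past the table and calls it as a function pointer. */
int dispatch_unchecked(uint8_t index)
{
    if (!table_ready) init_table();
    return table[index](index);
}

/* Checked form: valid slots are 0 .. TABLE_ENTRIES-1, so the test is >=.
 * Returns the handler's result, or -1 for a rejected index. */
int dispatch_checked(uint8_t index)
{
    if (!table_ready) init_table();
    if (index >= TABLE_ENTRIES || table[index] == NULL)
        return -1;
    return table[index](index);
}

int main(void)
{
    /* 0x1d is the last valid slot; 0x1e and 0x27 are constructed bad values. */
    return (dispatch_checked(0x1d) == 0x1d &&
            dispatch_checked(0x1e) == -1 &&
            dispatch_checked(0x27) == -1) ? 0 : 1;
}
```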