Wanted to share this with the world:

e 0:0 cc
e 100 c4 c4 54 27

9 Responses to “Escape”

  1. Yoni says:

    I don’t get it :(

  2. arkon says:

    Then probably it’s not for you ;)

  3. AmiRach says:

    Ho no! my NTVDM ! :P

  4. Peter Ferrie says:

    It’s the VDM Debugger interface. WinDbg supports it, too.
    Check my Anti-Unpacker 2 paper part 2. :-)
    You can make it remove breakpoints and other cool things.

  5. arkon says:

    V. interesting, link us please ;)

  6. Peter Ferrie says:

    Looking into NTVDM.EXE, I see why the crash happens.
    The table is only 0x1e entries large, and the index is not checked, so any value larger than 0x1e will make it go somewhere unexpected.
    The environment is ring3 32-bit flat memory at that point, but only the DOS memory is mapped in.
    Then if a crash occurs, you get the VDM Debugger DLL (ntvdmd.dll) loaded.

  7. arkon says:

    Yep, thanks for saving me the description.
    I meant, give us a link to your paper. :)

  8. Peter Ferrie says:

    It’s on
    If I give a direct link, you might miss the other interesting things. ;-)
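
Added example, not part of the original post or its comments and not NTVDM's code: a C model of the bug class described in comment 6, a 0x1e-entry handler table indexed by an untrusted byte, with the unchecked lookup beside a checked one. The handler names, the error codes and the zero-based indexing (valid indexes 0 to 0x1d) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_ENTRIES 0x1e   /* table size quoted in comment 6 */

typedef int (*handler_fn)(uint16_t arg);

enum { DISPATCH_BAD_INDEX = -1, DISPATCH_EMPTY_SLOT = -2 };

/* Hypothetical handlers; both return a non-negative status. */
static int op_nop(uint16_t arg)  { (void)arg; return 0; }
static int op_echo(uint16_t arg) { return (int)(arg & 0x7fff); }

/* Constructed table: two populated slots, the rest left NULL. */
static handler_fn table[TABLE_ENTRIES] = { [0] = op_nop, [1] = op_echo };

/* Unchecked form, kept only for contrast and never called here:
 * any index >= TABLE_ENTRIES loads a "handler" from whatever memory
 * follows the table and jumps to it. */
int dispatch_unchecked(uint8_t index, uint16_t arg)
{
    return table[index](arg);
}

/* Checked form: reject the index before it is used as an offset,
 * and refuse to call through an unpopulated slot. */
int dispatch_checked(uint8_t index, uint16_t arg)
{
    if (index >= TABLE_ENTRIES)
        return DISPATCH_BAD_INDEX;
    handler_fn fn = table[index];
    if (fn == NULL)
        return DISPATCH_EMPTY_SLOT;
    return fn(arg);
}

int main(void)
{
    /* Constructed sample indexes: in range, last slot, first bad, max. */
    const uint8_t samples[] = { 0x01, 0x1d, 0x1e, 0xff };
    for (size_t i = 0; i < sizeof samples; i++)
        printf("index 0x%02x -> %d\n", (unsigned)samples[i],
               dispatch_checked(samples[i], 0x1234));
    return 0;
}
```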
