LODSB

LODSB

NtSetInformationThread: Disabling ThreadHideFromDebugger

Nov 25, 2021 4 min read

One common anti-debugging technique is to make use of the Windows API to simply mark your threads as invisible to the debugger. This isn't officially documented by Microsoft but it has been quite robust across windows versions. The documentation for ...

NtSetInformationThread: Disabling ThreadHideFromDebugger

Guide to reversing VMProtect (old versions)

Sep 2, 2021 16 min read

This is one I've been working on for a while, and most of the ideas here come from Rolf Rolles, so I'd encourage you to read through his article series on this and other virtualization obfuscators. I'm not going to go into details of how VMProtect ...

Calculating EFLAGS for various x86 opcodes

Sep 1, 2021 4 min read

I've found it hard to find a source for these in one place so I've put some code together to calculate these for me. You can find the code I used to generate these results here: https://github.com/samrussell/TestFlags Intro This is all based off http...

Reversing DOS functions: LDIV and LMOD

Aug 24, 2021 8 min read

Here we find 4 functions: LDIV, LUDIV, LMOD, and LUMOD, and the standard variations: N_LDIV@, F_LDIV@, N_LUDIV@, F_LUDIV@, N_LMOD@, F_LMOD@, N_LUMOD@, F_LUMOD@ Like with PADD and PSUB we find multiple entrypoints to the same function: We see the s...

Reversing DOS functions: PADD and PSUB

Aug 19, 2021 5 min read

These two are both intertwined so it makes sense to analyse them together: We can see a few variations on names at the top here: N_PADD@ and F_PADD@ for PADD, and N_PSUB@ and F_PSUB@ respectively. The prolog for the near versions is the same; it pop...

Reversing DOS functions: PCMP

Aug 18, 2021 3 min read

After recently reversing the unpacker for Commander Keen, I moved on to reversing the game itself. One thing that shows up when reversing is the functions that get inserted by the compiler of the day. Old DOS games such as Commander Keen end up with ...