I am trying to figure out what is going on.
Osama
nanojmp macro jmp_t, __xxx
    local nano
nano:
    int 3h                          ; int 3 raises a breakpoint exception; the handler in nano.inc (not shown) picks it up
    db jmp_t                        ; jmp type (see nano.inc)
    dd offset __xxx - offset nano   ; relative displacement, measured from the int 3, added to EIP by the handler
endm

jmp_jz  equ 1
jmp_jnz equ 2
jmp_jb  equ 3
jmp_jnb equ 4
jmp_jmp equ 5

    nanojmp jmp_jz, terminate_process   ; expands to a 6-byte stub: CCh, jmp type, rel32 displacement

terminate_process:
    xor eax, eax            ; eax = 0
    push eax                ; uExitCode = 0
    dec eax                 ; eax = -1, the pseudo-handle for the current process
    push eax                ; hProcess = -1
    call TerminateProcess   ; TerminateProcess(-1, 0)
Seems like they need to add 70h to the opcodes :P
I think I get it.
There must be an exception handler in the INC file that fixes the opcode for a NEAR branch.
They can also use the INT 3 byte to create the branch.
Super Dave,
The code is some kind of anti-reverse-engineering stuff.
Andy
I post this stuff to slow down the butt_h*ads.
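The handler the thread guesses at, written out as an added example that is not part of this thread and is not the code from nano.inc: a portable C simulation of what a breakpoint handler has to do with the 6-byte stub the nanojmp macro emits (CCh, jmp type, rel32). It assumes a small struct standing in for the EIP and EFLAGS fields of the exception context, a byte array standing in for the code image with EIP expressed as an offset into it, and that the context's EIP points at the int 3 byte itself, which is the base the macro computes its displacement from. The branch-type values, the stub layout and the sample offsets are taken from the posted macro; the image layout is constructed for the demo.

```c
/* Added example: simulation of a nano.inc-style INT 3 dispatch. Not the real nano.inc. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Branch types exactly as the posted macro defines them. */
enum { JMP_JZ = 1, JMP_JNZ = 2, JMP_JB = 3, JMP_JNB = 4, JMP_JMP = 5 };

#define NANO_STUB_LEN 6          /* CCh + type byte + rel32 */
#define EFLAGS_CF 0x0001u
#define EFLAGS_ZF 0x0040u

/* Assumption: stand-in for the two CONTEXT fields the handler needs. */
typedef struct { uint32_t eip; uint32_t eflags; } fake_context;

/* Mirror of the macro: CCh, type, then (target - stub) as a little-endian rel32. */
void emit_nanojmp(uint8_t *img, uint32_t at, uint8_t type, uint32_t target)
{
    uint32_t disp = target - at;          /* two's complement wraps for backward branches */
    img[at] = 0xCC;
    img[at + 1] = type;
    for (int i = 0; i < 4; i++)
        img[at + 2 + i] = (uint8_t)(disp >> (8 * i));
}

static int32_t read_rel32(const uint8_t *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

/* 1 = branch taken, 0 = fall through, -1 = not a type we own. */
static int branch_taken(uint8_t type, uint32_t eflags)
{
    switch (type) {
    case JMP_JZ:  return (eflags & EFLAGS_ZF) != 0;
    case JMP_JNZ: return (eflags & EFLAGS_ZF) == 0;
    case JMP_JB:  return (eflags & EFLAGS_CF) != 0;
    case JMP_JNB: return (eflags & EFLAGS_CF) == 0;
    case JMP_JMP: return 1;
    default:      return -1;
    }
}

/* What the handler does on a breakpoint exception: if EIP sits on one of our stubs,
 * rewrite EIP (taken: add rel32; not taken: skip the 6 bytes) and return 1 so the
 * caller resumes execution. Return 0 to leave a foreign int 3 alone. */
int nano_dispatch(const uint8_t *img, size_t img_len, fake_context *ctx)
{
    if ((size_t)ctx->eip + NANO_STUB_LEN > img_len || img[ctx->eip] != 0xCC)
        return 0;
    int taken = branch_taken(img[ctx->eip + 1], ctx->eflags);
    if (taken < 0)
        return 0;
    if (taken)
        ctx->eip += (uint32_t)read_rel32(&img[ctx->eip + 2]);
    else
        ctx->eip += NANO_STUB_LEN;
    return 1;
}

/* Constructed image: NOP filler with one stub at STUB_AT (layout is an assumption). */
enum { IMG_LEN = 0x40, STUB_AT = 0x10, TARGET_AT = 0x30 };

/* Place one stub, fire it under the given flags, and return where execution resumes;
 * UINT32_MAX means the handler would not claim the exception. */
uint32_t run_stub(uint8_t type, uint32_t eflags, uint32_t target)
{
    uint8_t img[IMG_LEN];
    memset(img, 0x90, sizeof img);
    emit_nanojmp(img, STUB_AT, type, target);
    fake_context ctx = { STUB_AT, eflags };
    if (!nano_dispatch(img, sizeof img, &ctx))
        return UINT32_MAX;
    return ctx.eip;
}

int main(void)
{
    printf("jz,  ZF set   -> %#x\n", (unsigned)run_stub(JMP_JZ,  EFLAGS_ZF, TARGET_AT));
    printf("jz,  ZF clear -> %#x\n", (unsigned)run_stub(JMP_JZ,  0,         TARGET_AT));
    printf("jb,  CF set   -> %#x\n", (unsigned)run_stub(JMP_JB,  EFLAGS_CF, TARGET_AT));
    printf("jmp, backward -> %#x\n", (unsigned)run_stub(JMP_JMP, 0,         0x04));
    printf("type 9        -> %#x\n", (unsigned)run_stub(9,       0,         TARGET_AT));
    return 0;
}
```

The point for an analyst is the one the thread circles around: the bytes after CCh are not an x86 opcode, so a disassembler shows int 3 followed by junk and a static branch graph has no edge to terminate_process; the edge only exists inside the handler, and a debugger that swallows the int 3 itself never takes it.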