I am trying to reverse a program which is employing some kind of anti-debugging trick based on the use of SEHs and the TF. The code starts with:

[screenshot of the disassembly at the entry point]

So apparently it's generating an exception with

XOR DWORD PTR [ESP], 154h 

Which ultimately terminates with a call to ExitProcess() without even running the program.

I tried using NOPs to bypass this but since upon execution the EP is already pointing to this problematic piece of code it did not work.

How can I bypass this and what's really triggering the exception?

1 Answer

It is setting the trap flag with that xor instruction.

When it is run normally (not under a debugger), the trap flag is triggered, so the handler gets a chance to execute.

When the binary is run under a debugger, the trap flag is ignored and the handler doesn't get a chance to execute.

Hard-patch it to point to the handler directly, or simply change the EIP in the debugger for analysing.

Your screenshot looks like you are using OllyDbg.

If so, just press Shift+F9 after setting a breakpoint at 0x401060 @ the SEH handler; that would pass the exception to the program and would bypass the trick.

  • Most likely this is OllyDbg-specific behavior. Commented Aug 7, 2018 at 23:44
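The trick the answer describes, re-created on Linux/x86-64 as an added example (this is my code, not the sample's and not OllyDbg's). A SIGTRAP handler stands in for the sample's SEH frame, and `pushfq` / `xorq $0x100,(%rsp)` / `popfq` stands in for `XOR DWORD PTR [ESP], 154h`, on the assumption, which the question's screenshot would confirm or deny, that `[ESP]` holds an EFLAGS image saved by a preceding `pushfd`. 154h flips EFLAGS bits 2, 4, 6 and 8 (PF, AF, ZF, TF); only bit 8, the trap flag, matters for the trick, so the example flips just that one. The address 0x401060 and `ExitProcess` appear in comments only as references back to the question.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* glibc exposes REG_EFL only with this */
#endif
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

#if defined(__x86_64__) && defined(__linux__)
#define TF_CHECK_SUPPORTED 1
#else
#define TF_CHECK_SUPPORTED 0
#endif

#ifndef REG_EFL
#define REG_EFL 17               /* glibc x86-64 index of EFLAGS in gregs[] */
#endif

#define X86_EFLAGS_TF 0x100UL    /* bit 8 of EFLAGS: the trap flag */

static volatile sig_atomic_t handler_ran;

/* Plays the part of the SEH handler at 0x401060 in the question: it only
 * runs if the OS delivers the single-step trap to the program instead of
 * to an attached debugger. */
static void on_single_step(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si;
    handler_ran = 1;
#if TF_CHECK_SUPPORTED
    /* The saved EFLAGS still has TF set; clear it, otherwise we would trap
     * again after every instruction once sigreturn restores it. */
    ucontext_t *uc = (ucontext_t *)ctx;
    uc->uc_mcontext.gregs[REG_EFL] &= ~(greg_t)X86_EFLAGS_TF;
#else
    (void)ctx;
#endif
}

int trap_flag_supported(void)
{
    return TF_CHECK_SUPPORTED;
}

/* Returns 1 if the trap reached our handler (no debugger in the way),
 * 0 if it never did (a ptrace-attached debugger most likely consumed it;
 * this is the path where the original sample falls through to ExitProcess),
 * -1 if this platform is not Linux/x86-64. */
int trap_flag_handler_ran(void)
{
    struct sigaction sa, old;

    if (!trap_flag_supported())
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_single_step;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;

    handler_ran = 0;
#if TF_CHECK_SUPPORTED
    __asm__ volatile(
        "pushfq\n\t"
        "xorq $0x100, (%%rsp)\n\t"  /* flip TF, like XOR DWORD PTR [ESP],154h */
        "popfq\n\t"                 /* TF takes effect after the next instruction */
        "nop\n\t"                   /* #DB fires here -> SIGTRAP -> on_single_step */
        : : : "memory", "cc");
#endif
    sigaction(SIGTRAP, &old, NULL);
    return handler_ran;
}

int main(void)
{
    int r = trap_flag_handler_ran();
    if (r == 1)
        puts("handler ran: the trap reached the program, no debugger detected");
    else if (r == 0)
        puts("handler skipped: debugger suspected (the sample would ExitProcess here)");
    else
        puts("trap-flag check needs Linux/x86-64");
    return 0;
}
```

Build with `gcc -O2 tf_check.c -o tf_check` and run it once directly and once under `gdb`. Directly, the handler runs. Under gdb the kernel reports the SIGTRAP to the tracer first, and gdb's default disposition for SIGTRAP is stop/print/nopass, so the program's handler never sees it: the same thing the answer describes for OllyDbg. `handle SIGTRAP nostop noprint pass` in gdb is the counterpart of Shift+F9 in OllyDbg: it hands the exception back to the program and the check passes. Note that the handler must clear TF in the saved context; without that line the process single-steps into its own handler forever after the first trap.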
