OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Topic created on: November 8, 2011 02:22 CST by pank4j .

I'm trying to debug a program which apparently escapes the step in thing in windbg.

Its is a hello world program, which prints "hi" if no command line arguments are passed to it, and "hello" otherwise. The program is compiled with gcc that is shipped with Dev-C++.

Steps to reproduce the problem:
1. Load test4.exe in windbg.
2. Put a breakpoint at 7789fbc8 (bu 7789fbc8).
3. Let it run and hit the breakpoint (g).
4. Once it hits the breakpoint, remove the breakpoint (bc *).
5. Step in a few instructions till it reaches 778901c4 (mov dword ptr [esp+4],eax ss:002b:0028fff4=00401220).
6. Stepping in this instruction runs the program and it prints "hi". This can be confirmed by installing a breakpoint at 401291 which lies in main( ).

A new thread is created just when it executes the instruction at 778901c4. But isn't it supposed to break when stepping in?

How can I intercept it in windbg?

Here's the exe:
http://uploadbin.net/d076aaa65b32102f8831d42f70a4e48c/test4.exe

PeterFerrie		November 9, 2011 11:15.46 CST
You could start by telling us the exact platform, since those addresses are meaningless without context because they are not inside the module, but inside some DLL.

anonymouse		November 9, 2011 21:54.38 CST
Like Peter Posted those addresses are meaningless since they are inside dll they can be meaningless even if you said it was xp sp3 as dll load address can be randomized by ASLR bu in windbg is for setting a bp with symbol do not use it for setting bu Address set bu like this bu ntdll!LdrInitializeThunk+0x18 this bp will let windbg resolve the symbol whereever the dll is loaded and set the correct bp when the module is loaded (BU works on defered / delayed / demand loads also) also the sequence you posted does not seem to exist in any meaningful position on xpsp3 0:000> u eip l2 ntdll!DbgBreakPoint: 7c90120e cc int 3 7c90120f c3 ret 0:000> a eip 7c90120e mov dword ptr [esp+4],eax mov dword ptr [esp+4],eax 7c901212 0:000> u eip l2 ntdll!DbgBreakPoint: 7c90120e 89442404 mov dword ptr [esp+4],eax ntdll!DbgUserBreakPoint: 7c901212 cc int 3 0:000> # "89442404" ntdll L?b2000 ntdll!LdrInitializeThunk+0x4: 7c90116a 89442404 mov dword ptr [esp+4],eax ntdll!DbgBreakPoint: 7c90120e 89442404 mov dword ptr [esp+4],eax ntdll!_fload_withFB+0x2d: 7c90e2a3 89442404 mov dword ptr [esp+4],eax 0:000> # "89442404" kernel32 L?f0000 0:000> lm start end module name 00400000 00406000 image00400000 (no symbols) 77c10000 77c68000 msvcrt (pdb symbols) \msvcrt.pdb 7c800000 7c8f6000 kernel32 (pdb symbols) \kernel32.pdb 7c900000 7c9b2000 ntdll (pdb symbols) \ntdll.pdb 0:000> # "89442404" msvcrt L?f0000 msvcrt!_fload_withFB+0x2d: 77c50c52 89442404 mov dword ptr [esp+4],eax for me your exe stops on 401291 without problems in windbg 0:000> .restart CommandLine: "C:\Documents and Settings\Admin\Desktop\test4.exe" Symbol search path is: SRVF:\symbolshttp://msdl.microsoft.com/download/symbols Executable search path is: ModLoad: 00400000 00406000 image00400000 ModLoad: 7c900000 7c9b2000 ntdll.dll ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll (c5c.cc4): Break instruction exception - code 80000003 (first chance) eax=00361eb4 ebx=7ffdd000 ecx=00000004 edx=00000010 esi=00361f48 edi=00361eb4 eip=7c90120e esp=0023fb20 ebp=0023fc94 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 ntdll!DbgBreakPoint: 7c90120e cc int 3 0:000> bp 401291 *** ERROR: Module load completed but symbols could not be loaded for image00400000 0:000> g ModLoad: 5cb70000 5cb96000 C:\WINDOWS\system32\ShimEng.dll Breakpoint 0 hit eax=00000001 ebx=00004000 ecx=00492dc0 edx=00492450 esi=016bf784 edi=016bf6ee eip=00401291 esp=0023ff78 ebp=0023ffb0 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 image00400000+0x1291: 00401291 89e5 mov ebp,esp windbg> .hh s -a 0:000> s -a 403000 403030 "h" 00403000 68 65 6c 6c 6f 0a 00 68-69 0a 00 00 00 00 00 00 hello..hi....... 00403007 68 69 0a 00 00 00 00 00-00 2d 4c 49 42 47 43 43 hi.......-LIBGCC 0:000> ln poi(poi(401822)) (77c4186a) msvcrt!printf \| (77c418d5) msvcrt!puts Exact matches: msvcrt!printf = <no type information> 0:000> uf eip image00400000+0x1291: 00401291 89e5 mov ebp,esp 00401293 83ec08 sub esp,8 00401296 83e4f0 and esp,0FFFFFFF0h 00401299 b800000000 mov eax,0 0040129e 83c00f add eax,0Fh 004012a1 83c00f add eax,0Fh 004012a4 c1e804 shr eax,4 004012a7 c1e004 shl eax,4 004012aa 8945fc mov dword ptr [ebp-4],eax 004012ad 8b45fc mov eax,dword ptr [ebp-4] 004012b0 e87b040000 call image00400000+0x1730 (00401730) 004012b5 e816010000 call image00400000+0x13d0 (004013d0) 004012ba 837d0802 cmp dword ptr [ebp+8],2 004012be 750e jne image00400000+0x12ce (004012ce) image00400000+0x12c0: 004012c0 c7042400304000 mov dword ptr [esp],offset image00400000+0x3000 (00403000) 004012c7 e854050000 call image00400000+0x1820 (00401820) 004012cc eb0c jmp image00400000+0x12da (004012da) image00400000+0x12ce: 004012ce c7042407304000 mov dword ptr [esp],offset image00400000+0x3007 (00403007) 004012d5 e846050000 call image00400000+0x1820 (00401820) image00400000+0x12da: 004012da b800000000 mov eax,0 004012df c9 leave 004012e0 c3 ret

pank4j		November 13, 2011 20:39.01 CST
I have tried it on Win7 SP1 (64-bit) and WinXP SP3 (32-bit). For XP SP3, here's how to reproduce it. 1. Load the exe and setup a breakpoint at ntdll!ZwContinue 2. Continue till it hits the breakpoint. Now remove the breakpoint. 3. Step in a few instruction till you reach sysenter instruction. 4. Stepping in here, Windbg runs the program till it terminates. Executable search path is: ModLoad: 00400000 00406000 image00400000 ModLoad: 7c900000 7c9af000 ntdll.dll ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll (840.65c): Break instruction exception - code 80000003 (first chance) eax=00341eb4 ebx=7ffdd000 ecx=00000004 edx=00000010 esi=00341f48 edi=00341eb4 eip=7c90120e esp=0022fb20 ebp=0022fc94 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll - ntdll!DbgBreakPoint: 7c90120e cc int 3 0:000> bu ntdll!ZwContinue 0:000> g Breakpoint 0 hit eax=00000000 ebx=7ffdd000 ecx=7c91b00a edx=7c90e4f4 esi=00000000 edi=0022fd30 eip=7c90d040 esp=0022fd24 ebp=00000000 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 ntdll!ZwContinue: 7c90d040 b820000000 mov eax,20h 0:000> bc * 0:000> t eax=00000020 ebx=7ffdd000 ecx=7c91b00a edx=7c90e4f4 esi=00000000 edi=0022fd30 eip=7c90d045 esp=0022fd24 ebp=00000000 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 ntdll!ZwContinue+0x5: 7c90d045 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300) 0:000> t eax=00000020 ebx=7ffdd000 ecx=7c91b00a edx=7ffe0300 esi=00000000 edi=0022fd30 eip=7c90d04a esp=0022fd24 ebp=00000000 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 ntdll!ZwContinue+0xa: 7c90d04a ff12 call dword ptr [edx] ds:0023:7ffe0300={ntdll!KiFastSystemCall (7c90e4f0)} 0:000> t eax=00000020 ebx=7ffdd000 ecx=7c91b00a edx=7ffe0300 esi=00000000 edi=0022fd30 eip=7c90e4f0 esp=0022fd20 ebp=00000000 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 ntdll!KiFastSystemCall: 7c90e4f0 8bd4 mov edx,esp 0:000> t eax=00000020 ebx=7ffdd000 ecx=7c91b00a edx=0022fd20 esi=00000000 edi=0022fd30 eip=7c90e4f2 esp=0022fd20 ebp=00000000 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 ntdll!KiFastSystemCall+0x2: 7c90e4f2 0f34 sysenter 0:000> t hi eax=00000000 ebx=00000000 ecx=7c800000 edx=7c97b120 esi=7c90de50 edi=00000000 eip=7c90e4f4 esp=0022fe68 ebp=0022ff64 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 ntdll!KiFastSystemCallRet: 7c90e4f4 c3 ret 0:000> t ^ No runnable debuggees error in 't' Wasn't it supposed to break in after sysenter instruction above?

anonymouse		November 13, 2011 21:12.39 CST
no it wont break if you come to think of it you should have realized that if every app broke after every sysenter then bill gates would have been a BROKE by now YOU NEED ATLEAST ONE BREAKPOINT IF YOU WNAT TO BREAK NO BREAKPOINTS MEANS NO BREAK IT IS AS SIMPLE AS THAT look at the documentation of ZwContinue find what params it takes you will after reading a few times realize where this function is going to return to set a break there and and hit t , p, wt , whatever you fancy windbg will break if your breakpoint was right bp ntdll.ZwContinue "bp pointer to stackarg.type.member;g"

pank4j		November 13, 2011 21:58.32 CST
just one quick question: by stepping in, afaik, we break at every instruction regardless of what it is (nothing to do with ZwContinue here, or any other function for that matter). if u look at the instructions above sysenter in my post above, u'll notice it did break after mov, call and mov instructions. y not after sysenter? :-) it does execute the ret instruction after sysenter; i have verified it using a bp there.

PeterFerrie		November 14, 2011 11:19.25 CST
The ret that you saw execute after the sysenter is not the one that you think it is. It's returning from a call that was performed by a different request. ZwContinue resumes execution from [[esp+4]+0b8] Check the stack, you'll see that value is inside your module.. Just place a breakpoint at the host entrypoint and it will be hit. Then you can step as much as you want.

anonymouse		November 14, 2011 13:37.20 CST
well i didnt want to give you [esp+4]+0xb8 so i wrote bp pointer to stackarg.type.member;g which is (API Arg 2)context.eip eip that ZwContinue should return to is passed as a parameter to that call via CONTEXT structure the ret you see is KiFastCallRet which isnt executed serially like you think it is executed as a part of Process Termination Debug Event type sxd epr (disable exit process exception event) and then do what you did you can notice if the ret executes or not use bp ntdll!ZwContinue "bp poi(poi(esp+4)+0xb8)" will break on Kernel32!BaseProcessStartThunk CommandLine: "C:\Documents and Settings\Admin\Desktop\test4.exe" Symbol search path is: SRVF:\symbolshttp://msdl.microsoft.com/download/symbols Executable search path is: ModLoad: 00400000 00406000 image00400000 ModLoad: 7c900000 7c9b2000 ntdll.dll ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll ModLoad: 64d00000 64d34000 C:\Program Files\Alwil Software\Avast5\snxhk.dll ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll (edc.be8): Break instruction exception - code 80000003 (first chance) eax=00361eb4 ebx=7ffdf000 ecx=00000004 edx=00000010 esi=00361f48 edi=00361eb4 eip=7c90120e esp=0023fb20 ebp=0023fc94 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 ntdll!DbgBreakPoint: 7c90120e cc int 3 0:000> bp ntdll!ZwContinue "bp poi(poi(esp+4)+0xb8)" 0:000> g ModLoad: 5cb70000 5cb96000 C:\WINDOWS\system32\ShimEng.dll eax=00000000 ebx=7ffdf000 ecx=7c91b02a edx=7c90e514 esi=00e8f784 edi=0023fd30 eip=7c90d05e esp=0023fd24 ebp=00000000 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 ntdll!NtContinue: 7c90d05e b820000000 mov eax,20h 0:000> bl 0 e 7c90d05e 0001 (0001) 0:** ntdll!NtContinue "bp poi(poi(esp+4)+0xb8)" 1 e 7c810705 0001 (0001) 0: kernel32!BaseProcessStartThunk 0:000> t eax=00000020 ebx=7ffdf000 ecx=7c91b02a edx=7c90e514 esi=00e8f784 edi=0023fd30 eip=7c90d063 esp=0023fd24 ebp=00000000 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 ntdll!NtContinue+0x5: 7c90d063 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300) 0:000> t eax=00000020 ebx=7ffdf000 ecx=7c91b02a edx=7ffe0300 esi=00e8f784 edi=0023fd30 eip=7c90d068 esp=0023fd24 ebp=00000000 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 ntdll!NtContinue+0xa: 7c90d068 ff12 call dword ptr [edx] ds:0023:7ffe0300={ntdll!KiFastSystemCall (7c90e510)} 0:000> t eax=00000020 ebx=7ffdf000 ecx=7c91b02a edx=7ffe0300 esi=00e8f784 edi=0023fd30 eip=7c90e510 esp=0023fd20 ebp=00000000 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 ntdll!KiFastSystemCall: 7c90e510 8bd4 mov edx,esp 0:000> t eax=00000020 ebx=7ffdf000 ecx=7c91b02a edx=0023fd20 esi=00e8f784 edi=0023fd30 eip=7c90e512 esp=0023fd20 ebp=00000000 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 ntdll!KiFastSystemCall+0x2: 7c90e512 0f34 sysenter 0:000> t Breakpoint 1 hit eax=00401220 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee eip=7c810705 esp=0023fffc ebp=00000330 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000202 kernel32!BaseProcessStartThunk: 7c810705 33ed xor ebp,ebp 0:000> t eax=00401220 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee eip=7c810707 esp=0023fffc ebp=00000000 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246 kernel32!BaseProcessStartThunk+0x2: 7c810707 50 push eax 0:000> t eax=00401220 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee eip=7c810708 esp=0023fff8 ebp=00000000 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246 kernel32!BaseProcessStartThunk+0x3: 7c810708 6a00 push 0 0:000> t eax=00401220 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee eip=7c81070a esp=0023fff4 ebp=00000000 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246 kernel32!BaseProcessStartThunk+0x5: 7c81070a e945690000 jmp kernel32!BaseProcessStart (7c817054) 0:000> t eax=00401220 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee eip=7c817054 esp=0023fff4 ebp=00000000 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246 kernel32!BaseProcessStart: 7c817054 6a0c push 0Ch 0:000> t eax=00401220 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee eip=7c817056 esp=0023fff0 ebp=00000000 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246 kernel32!BaseProcessStart+0x2: 7c817056 688070817c push offset kernel32!`string'+0x98 (7c817080) 0:000> t eax=00401220 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee eip=7c81705b esp=0023ffec ebp=00000000 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246 kernel32!BaseProcessStart+0x7: 7c81705b e876b4feff call kernel32!_SEH_prolog (7c8024d6) 0:000> p eax=0023ffe0 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee eip=7c817060 esp=0023ffc8 ebp=0023fff0 iopl=0 nv up ei pl nz ac pe nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000216 kernel32!BaseProcessStart+0xc: 7c817060 8365fc00 and dword ptr [ebp-4],0 ss:0023:0023ffec=ffffffff 0:000> eax=0023ffe0 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee eip=7c817064 esp=0023ffc8 ebp=0023fff0 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246 kernel32!BaseProcessStart+0x10: 7c817064 6a04 push 4 0:000> eax=0023ffe0 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee eip=7c817066 esp=0023ffc4 ebp=0023fff0 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246 kernel32!BaseProcessStart+0x12: 7c817066 8d4508 lea eax,[ebp+8] 0:000> eax=0023fff8 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee eip=7c817069 esp=0023ffc4 ebp=0023fff0 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246 kernel32!BaseProcessStart+0x15: 7c817069 50 push eax 0:000> eax=0023fff8 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee eip=7c81706a esp=0023ffc0 ebp=0023fff0 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246 kernel32!BaseProcessStart+0x16: 7c81706a 6a09 push 9 0:000> eax=0023fff8 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee eip=7c81706c esp=0023ffbc ebp=0023fff0 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246 kernel32!BaseProcessStart+0x18: 7c81706c 6afe push 0FFFFFFFEh 0:000> eax=0023fff8 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee eip=7c81706e esp=0023ffb8 ebp=0023fff0 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246 kernel32!BaseProcessStart+0x1a: 7c81706e ff15b013807c call dword ptr [kernel32!_imp__NtSetInformationThread (7c8013b0)] ds:0023:7c8013b0={ntdll!ZwSetInformationThread (7c90dcae)} 0:000> eax=00000000 ebx=7ffdf000 ecx=0023ffb0 edx=7c90e514 esi=00e8f784 edi=00e8f6ee eip=7c817074 esp=0023ffc8 ebp=0023fff0 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 kernel32!BaseProcessStart+0x20: * ERROR: Module load completed but symbols could not be loaded for image00400000 7c817074 ff5508 call dword ptr [ebp+8] ss:0023:0023fff8=00401220 0:000> t eax=00000000 ebx=7ffdf000 ecx=0023ffb0 edx=7c90e514 esi=00e8f784 edi=00e8f6ee eip=00401220 esp=0023ffc4 ebp=0023fff0 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 image00400000+0x1220: 00401220 55 push ebp

Note: Registration is required to post to the forums.

There are 29,886 total registered users.

Recently Created Topics
Decompiling raw bina...	May/22
Incorrect bitness wh...	May/20
PaiMei stalker modul...	May/19
Attach to program us...	May/13
IDA PRO how to make ...	May/12
FACT: OpenRCE is dead.	May/08
Int 3 anti debug?	May/05
help needed - Beginn...	May/03
Attaching IDA Pro to...	Apr/27
File type	Apr/21

Recent Forum Posts
Debugging iphone app...	staree2010
Ollydbg 2.0 - Plugin...	openrce...
IDA PRO how to make ...	codeinject
FACT: OpenRCE is dead.	codeinject
IDA Resource Viewer ...	r2x64
FACT: OpenRCE is dead.	djnemo
FACT: OpenRCE is dead.	codeinject
FACT: OpenRCE is dead.	pedram
help needed - Beginn...	araujo
Attaching IDA Pro to...	codeinject

Recent Blog Entries
	sweetyss	May/18
Adam Wainwright continues t...
	lowpriority	Apr/13
OllyMigrate Plugin for Olly...
	everdox	Mar/08
2 anti-trace mechanisms spe...
	everdox	Mar/07
Advanced debugging techniques
	everdox	Mar/06
Branch tracing and LBR acce...
More ...

Recent Blog Comments
	clarisonic on:	Apr/03
New version of Ollydbg!
	clarisonic on:	Apr/03
New version of Ollydbg!
	trackerx90 on:	Mar/04
SuppressDebugMsg As Anti-De...
	coachfactory on:	Feb/25
Portable Executable Format ...
	coachfactory on:	Feb/25
A new Anti-Olly trick.
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit