LordPE Anti Dumping |
Dumping |
ap0x |
AntiLordPE.zip |
March 11 2006 |
|
|
.586
.model flat, stdcall
option casemap :none ; case sensitive
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.code
start:
; MASM32 anti-LordPE example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net
; This example was taken from Pavol Cerven's book "Crackproof Your Software".
;
; Purpose: add 3000h to the image size recorded in memory for the current
; process, then exit. A dumper that trusts the recorded size (LordPE with its
; default settings) is confused by the inflated value and cannot dump.
; Only in-memory bookkeeping is touched; the program does nothing else.
;
; Known workaround: enabling LordPE's "Correct size of image" option still
; allows a process dump to be made.
;
; Analyst note: comparing the size recorded in memory with SizeOfImage in the
; PE optional header of the file on disk exposes the mismatch this code creates.
;
; Target: 32-bit Windows, flat model, stdcall. All structure offsets below are
; hard-coded and rely on partly undocumented OS layouts.

; Under .model flat MASM rejects FS-relative operands unless told otherwise.
ASSUME FS:NOTHING
; On 32-bit Windows FS:[30h] is the TEB field that points to the PEB.
MOV EAX,DWORD PTR FS:[30h]
TEST EAX,EAX
; Top bit set => treated as Windows 9x. The check assumes an NT-family PEB
; pointer is always below 80000000h - NOTE(review): confirm for the target OS.
JS @found_win9x
@found_winNT:
; Offsets per the commonly published 32-bit layouts:
MOV EAX,[EAX+0Ch]                   ; PEB+0Ch: pointer to the loader data (PEB.Ldr)
MOV EAX,[EAX+0Ch]                   ; Ldr+0Ch: first entry of the load-order module list
                                    ; (normally the main executable)
ADD DWORD PTR[EAX+20h],3000h        ; entry+20h: SizeOfImage of that module, inflated by 3000h
JMP @exit
@found_win9x:
; GetModuleHandle(NULL): the documented result in EAX is ignored here.
PUSH 0
CALL GetModuleHandle
; The code reads EDX, which is not a documented output of the API. It relies
; on whatever the Windows 9x implementation leaves there - presumably a
; pointer to an internal module record (per the cited book; unverified here).
TEST EDX,EDX
JNS @exit                           ; top bit clear: not the expected pointer, give up
CMP DWORD PTR[EDX+08],-1            ; sanity check: the dword at +08 must be -1
JNE @exit                           ; anything else: layout not recognised, give up
MOV EDX,[EDX+4]                     ; presumably the address of the in-memory PE header
ADD DWORD PTR[EDX+50h],3000h        ; +50h from the PE signature is OptionalHeader.SizeOfImage
                                    ; if EDX is the PE header as assumed above
@exit:
; ExitProcess(0): terminate immediately on every path.
PUSH 0
CALL ExitProcess
end start