Comments on waliedassar: OllyDbg v1.10 And Wow64
Blog author: walied (http://www.blogger.com/profile/18278414703959705421)
Comment feed last updated: 2024-02-05 00:25 -08:00

Comment by Anonym, 2015-08-08 15:02 -07:00:
In 0.2, you patch a jump. How does the fix work? It seems completely different from 0.1. The trap flag stays now, doesn't it?

Comment by walied (https://www.blogger.com/profile/18278414703959705421), 2012-03-30 02:17 -07:00:
The original instruction "OR DWORD PTR[EBX+0xC0],0x100" sets the trap flag (EBX points at the CONTEXT structure, and at offset 0xC0 is the EFLAGS). The asm code block in the first image above is related to activating Debug Registers. I can't find any good reason why Olly sets the trap flag when activating Debug Registers.

OllyDbg v1.10 and Immunity Debugger v1.85 share the same bug, while OllyDbg v2.0 is not affected.

OllyDbg is not subject to ASLR as it does not have the "IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE" flag set in the "Dll Characteristics" field of its PE header.

Comment by Anonymous, 2012-03-30 01:39 -07:00:
I'm curious, I see the fix consists of filling 0x42ea04 to 0x42ea0e with NOPs, but why? Is it an OllyDbg-specific thing? And why is it not affected by ASLR?