waliedassar

"REP: PUSHFD" Anti-Tracing Trick

Jan 4th, 2013
332
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3.  
  4. //An anti-tracing trick that works against OllyDbg v1.10. Prefixing "PUSHFD" with "REP:" can fool
  5. // OllyDbg v1.10 into thinking it is not a PUSHFD instruction.
  6.  
  7.  
  8. #include "stdafx.h"
  9. #include "windows.h"
  10. #include "stdio.h"
  11.  
  12.  
  13. int main(int argc, char* argv[])
  14. {
  15.     unsigned long eflags=0;
  16.     printf("Welcome\r\n");
  17.     __asm
  18.     {
  19.         __emit 0xF3
  20.         __emit 0xF3
  21.         __emit 0xF3
  22.         __emit 0xF3
  23.         __emit 0xF3
  24.         pushfd
  25.         pop eax
  26.         mov eflags,eax
  27.     }
  28.     if(eflags&0x100)    printf("Being traced\r\n");
  29.     else                printf("Expected behavior\r\n");
  30.  
  31.     return 0;
  32. }
RAW Paste Data

Adblocker detected! Please consider disabling it...

We've detected AdBlock Plus or some other adblocking software preventing Pastebin.com from fully loading.

We don't have any obnoxious sound, or popup ads, we actively block these annoying types of ads!

Please add Pastebin.com to your ad blocker whitelist or disable your adblocking software.

×