SP (stack pointer) Anti-debug Trick - x86

Listing 7.1. Cascade virus decoder

        lea     si, Start       ; position to decrypt (dynamically set)
        mov     sp, 0682h       ; length of encrypted body (1666 bytes, hex 682)
Decrypt:
        xor     [si], si        ; decryption key/counter 1 (16-bit word XOR)
        xor     [si], sp        ; decryption key/counter 2 (16-bit word XOR)
        inc     si              ; increment one counter
        dec     sp              ; decrement the other
        jnz     Decrypt         ; loop until all bytes are decrypted
Start:                          ; encrypted/decrypted virus body

Note that this decoder has antidebug functions because the SP register (stack pointer) is used as one of the decryption keys.

Can someone explain why using the SP register acts like a debugging function? Correct me if I am wrong, but I do not think that the work of the debugger changes the structure of the stack ...

Thanks in advance

+5
4 answers

" ", , . , (INT n) , ( ) , .

DOS, ; , . Windows Linux ( 16- ).

+5

( COM .exe-? .com, DS CS), ( ) ss: [sp] , - ( ).

+2

x86-fu , , , , , - , , sp, , , .

+1

Most debuggers expect [e]sp to be valid and point to the stack area. I think it is possible that some debuggers fail if sp does not point to a valid memory, but I don't know anything.

0
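Added example (not from the question, the answers, or Szor's book): a Python emulation of the Decrypt loop from Listing 7.1 with its 16-bit word writes, run once cleanly and once with a trap modelled after every instruction, as a single-stepping debugger causes. The memory layout (decoder at the .COM entry 0x100, body at 0x10E, no host code) and the FLAGS/CS/IP values pushed by the trap are constructed assumptions.

```python
BODY_LEN = 0x682   # mov sp, 0682h: the loop runs 1666 times, advancing si one byte per pass

def _xor_word(mem, off, val):
    # 16-bit little-endian XOR at a segment offset, wrapping inside the 64 KiB segment
    mem[off & 0xFFFF] ^= val & 0xFF
    mem[(off + 1) & 0xFFFF] ^= (val >> 8) & 0xFF

def _trap_push(mem, sp, flags=0x0302, cs=0x1000, ip=0x0100):
    # A trap (INT 1 single-step, INT 3 breakpoint) pushes FLAGS, CS and IP at
    # SS:SP-2, SS:SP-4, SS:SP-6. With SS == CS, as in a .COM program, these six
    # bytes land inside the program image. The register values are constructed.
    for val in (flags, cs, ip):
        sp = (sp - 2) & 0xFFFF
        mem[sp] = val & 0xFF
        mem[(sp + 1) & 0xFFFF] = (val >> 8) & 0xFF

def run_decoder(mem, start, traced=False):
    """Emulate the Decrypt loop of Listing 7.1 over a 64 KiB segment image.
    With traced=True a debugger trap is modelled after every instruction."""
    si, sp = start, BODY_LEN
    while True:
        _xor_word(mem, si, si)            # xor [si], si
        if traced: _trap_push(mem, sp)
        _xor_word(mem, si, sp)            # xor [si], sp
        if traced: _trap_push(mem, sp)
        si = (si + 1) & 0xFFFF            # inc si
        if traced: _trap_push(mem, sp)
        sp = (sp - 1) & 0xFFFF            # dec sp
        if traced: _trap_push(mem, sp)
        if sp == 0:                       # jnz Decrypt
            return mem

def demo(start=0x10E):
    """Return (clean_ok, traced_ok, corrupted_bytes) for a constructed image.
    Layout assumption: decoder at the .COM entry 0x100, body right behind it."""
    plain = bytes((i * 37 + 11) & 0xFF for i in range(BODY_LEN))   # constructed body
    img = bytearray(0x10000)
    img[start:start + BODY_LEN] = plain
    # Every pass is a fixed XOR, so running the loop over plaintext is the encryptor.
    encrypted = bytes(run_decoder(img, start))
    clean = run_decoder(bytearray(encrypted), start)[start:start + BODY_LEN]
    traced = run_decoder(bytearray(encrypted), start, traced=True)[start:start + BODY_LEN]
    corrupted = sum(a != b for a, b in zip(traced, plain))
    return bytes(clean) == plain, bytes(traced) == plain, corrupted

if __name__ == "__main__":
    print(demo())
```

Because SS:SP doubles as the loop counter, the six bytes each trap pushes land inside the not-yet-decrypted body, so the traced run never reproduces the plaintext; an analyst recovers the body by emulating the loop, as here, rather than by tracing it.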
