Saturday, 28 February 2015

Will this code run in real machine or is it some kind of Anti Reversing code?



I am reversing a file which is not running properly in VMware. The code from the AEP is as shown below:


    POP EDI        ; value of EDI is 0x7C816D4F (kernel32.7C816D4F)
    PUSH EAX       ; value of EAX is 0
    INC EBP        ; value of EBP was 0x12FFF0
    IN EAX,DX      ; value of DX is 0xEB94
    AAS
    IN AL,0BF
    DEC ESP


What I think is that a privileged instruction (IN) is called from user mode, which is not allowed, and therefore execution fails. IN is used for anti-VM code, but it requires specific values (VMXh port value in EAX etc.), and in my case it is not being used.


My question is: is it some kind of anti-debugging, or is the file corrupt, and will it run on a non-VM machine (in my case XP)?


And lastly, if a packer uses the method I mentioned above, i.e. calling IN from user mode for anti-reversing, how come the sample runs on a real machine (since in this case also the privileged instruction will be called in user mode)?
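An added example, not part of the original post, that shows what actually happens when the `IN EAX,DX` from the listing above is executed from user mode. It is written in C with inline assembly and assumes a Linux/x86 build (on a non-x86 build the probe is skipped); the port 0xEB94 is the DX value quoted in the post and any other port would behave the same way, because with IOPL=0 and no I/O permission bitmap entry the CPU raises #GP for every port. The fault is delivered to the process as a signal, which the program catches so that it can report the result instead of dying.

```c
/* Added example (not from the original post): executing IN from ring 3
 * with IOPL=0 raises #GP, delivered as SIGSEGV on Linux.  The behaviour is
 * identical on physical hardware and inside a VM, so a crash at such an
 * instruction is, by itself, not evidence of anti-VM code; it is simply a
 * privileged instruction in a non-privileged context. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static sigjmp_buf recover_point;
static volatile sig_atomic_t fault_signal = 0;

/* Signal handler: remember which signal arrived and unwind back into the
 * probe.  Jumping out of the handler means the faulting IN is never retried. */
static void on_fault(int sig) {
    fault_signal = sig;
    siglongjmp(recover_point, 1);
}

/* Executes IN EAX,DX (DX = port) from user mode.
 * Returns 1 if the CPU faulted (the expected outcome), 0 if the instruction
 * completed (only possible when the process holds I/O privilege), and 2 when
 * this is not an x86 build and the probe cannot run. */
int probe_user_mode_in(uint16_t port) {
#if defined(__x86_64__) || defined(__i386__)
    struct sigaction sa, old_segv, old_bus, old_ill;
    int result;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);  /* Linux: #GP arrives as SIGSEGV */
    sigaction(SIGBUS,  &sa, &old_bus);   /* some BSDs / macOS use SIGBUS  */
    sigaction(SIGILL,  &sa, &old_ill);

    fault_signal = 0;
    if (sigsetjmp(recover_point, 1) == 0) {
        uint32_t value;
        /* AT&T spelling of the Intel "IN EAX,DX" shown in the listing. */
        __asm__ volatile ("inl %%dx, %%eax" : "=a"(value) : "d"(port));
        (void)value;
        result = 0;              /* reached only if IN did not fault */
    } else {
        result = 1;              /* landed here via siglongjmp from on_fault */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS,  &old_bus,  NULL);
    sigaction(SIGILL,  &old_ill,  NULL);
    return result;
#else
    (void)port;
    return 2;
#endif
}

/* Which signal the last probe produced (0 if none). */
int last_fault_signal(void) { return (int)fault_signal; }

int main(void) {
    int r = probe_user_mode_in(0xEB94);   /* DX value from the post */
    if (r == 1)
        printf("IN EAX,DX from ring 3 faulted (signal %d): privileged instruction\n",
               last_fault_signal());
    else if (r == 0)
        printf("IN executed without a fault: this process has I/O privilege\n");
    else
        printf("not an x86 build; probe skipped\n");
    return 0;
}
```

Run as a normal user, the program reports a fault every time, on bare metal and in a guest alike. That is the general point behind the listing: bytes that decode to `IN`, `AAS` and `DEC ESP` in sequence read like data or a misplaced entry point rather than intentional code, and a sample that really executed them would not get past the first `IN` on a real machine either; anti-VM tricks built on `IN` work only under a hypervisor that intercepts the instruction for a specific port and register contents, which is why such code is always wrapped in an exception handler for the bare-metal case.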




