I have a few questions about hackshield.
First:
I have been looking in a dumped ehsvc.dll. I found some interesting things. xD
I saw that a lot of functions jmp to a function with the same structure.
just a random Example(I dont think it is important to bypass this function, but this is just for example) :
[IMG]https://i946.photobucke*****m/albums/ad303/BoerTim/function.png[/IMG]
LOC_1006FEA9 :
[IMG]https://i946.photobucke*****m/albums/ad303/BoerTim/detected.png[/IMG]
My question: Is this sort off hackdetection/ crash where LOC_1006FD3A to jmp's?
If yes it is, we need to prevent it. Then we need to prevent
that:
Code:
___:1006FD32 jz short loc_1006FD3A ;
Goes to:
Code:
___:1006FD3A loc_1006FD3A: ; CODE XREF: sub_1006FCF4+3Ej
___:1006FD3A xor eax, eax
___:1006FD3C jmp loc_1006FEA9 ;
So (what I think xD) :
1006FD32 Need to jmp to --> 1006FD38
Am I correct (this is just what I came up to with my brains, Im new to ASM and how to work with IDA. lol )
Or must I jmp over the whole function?
If im wrong please try to explain it to me.
My second question:
How can I figure out which bytes I need to use to jump to the Address I want to?
In the example:
1006FD32 (bytes: 74 06) ---> 1006FD38 (bytes: 75 07)
Thanks in advance.