Official vmcrack Discussion

Hi people!
I have bypassed the anti-debugging mechanisms in tlscallback for now.

But I don’t see the relationship between pcode, vmrun and vm sections. The only thing that I found was a set of functions that allows me to move data (most often, data is the addresses of the executable code) between sections and go to these addresses to execute the code. But to my regret, there is a very long chain of transitions to these addresses and I lose the logical thread of what is happening - it confuses me.

My idea is simple (or even stupid): I am trying to find code that will have a loop with a simple "xor" instruction that will give me a flag. As I noticed, this task is very similar to a malicious sample. But I lack the experience.

Maybe I missed something?
Does it make sense to fix the values returned by the anti-debugging mechanisms?
Give a hint or write me a PM.

My head is boiling))