malware-unicorn / malware-unicorn.github.io

https://malwareunicorn.org

PEInjection Lab: Stuck at step 7 #13

Closed RomanSilinenko closed 1 year ago

RomanSilinenko commented 1 year ago

Hi. Would you please advise how to proceed with the following issue?

At step 7, you are telling us to set a BP "after the JNE instruction at 0x0041CBDF". But it is not clear how to reach this address. If I manually trace the code with F7 (Step one instruction) I end up at 0041CBD2 where x32dbg is incorrectly trying to make a crazy CMP which leads to an exception state. I understand that the code is heavily obfuscated and this makes the debugger struggle to render correct assembly mnemonics. But I have no idea how to force the debugger to split this big CMP instruction and execute it as two instructions?

RomanSilinenko commented 1 year ago

It turned out relaunching the debugger session and tracing the binary once again did the trick, and now the code disassembles correctly. But anyway, it would be great to hear if you know some trick to fix such things right away. Also, IDA made the same disassembly mistake. I couldn't find how to force it to split the command into two.

malware-unicorn commented 1 year ago

It can be 1 of 2 things. 1) The breakpoint is on the wrong address and the disassembler does its best effort to parse, 2) this is a UI bug in x32dbg; if you scroll too fast in the CPU window the disassembly is incorrect. To fix the second problem, you can right-click on the address of the EIP register in the register window and follow in CPU view. This should reset the CPU disassembly.
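The first cause above (decoding from the wrong address) can be reproduced without x32dbg or IDA. The following is an added example, not part of this issue thread or of the lab material: a toy linear-sweep decoder for a handful of x86-32 opcodes, run over a constructed byte sequence, to show how starting one byte off swallows a real JNE into an oversized CMP immediate, where the two decodings resynchronize, and why a software breakpoint (0xCC) written inside an instruction is absorbed as data instead of being decoded as int3. The bytes, the base address 0x401000 and the decoder are all assumptions made for the demonstration.

```python
import struct

# Toy x86-32 decoder for a small opcode subset (assumption: illustrative only,
# this is not how x32dbg or IDA decode, but the desync behaviour is the same).
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_one(code, off, addr):
    """Decode the instruction at code[off] (shown at address addr).

    Returns (length, text). Unknown bytes decode as a 1-byte 'db' so the
    sweep always advances, which is what a real linear sweep does too.
    """
    op = code[off]
    rest = len(code) - off
    if op == 0x90:
        return 1, "nop"
    if op == 0xC3:
        return 1, "ret"
    if op == 0xCC:
        return 1, "int3"
    if 0x50 <= op <= 0x57:
        return 1, f"push {REGS[op - 0x50]}"
    if 0x58 <= op <= 0x5F:
        return 1, f"pop {REGS[op - 0x58]}"
    if 0xB8 <= op <= 0xBF and rest >= 5:                       # mov r32, imm32
        imm = struct.unpack_from("<I", code, off + 1)[0]
        return 5, f"mov {REGS[op - 0xB8]}, 0x{imm:08x}"
    if op == 0x3D and rest >= 5:                               # cmp eax, imm32
        imm = struct.unpack_from("<I", code, off + 1)[0]
        return 5, f"cmp eax, 0x{imm:08x}"
    if op == 0x81 and rest >= 6 and 0xF8 <= code[off + 1] <= 0xFF:  # cmp r32, imm32
        imm = struct.unpack_from("<I", code, off + 2)[0]
        return 6, f"cmp {REGS[code[off + 1] - 0xF8]}, 0x{imm:08x}"
    if op == 0x75 and rest >= 2:                               # jne rel8
        rel = struct.unpack_from("<b", code, off + 1)[0]
        return 2, f"jne 0x{addr + 2 + rel:x}"
    return 1, f"db 0x{op:02x}"


def linear_sweep(code, base, start=0):
    """Disassemble from code[start] to the end; returns [(addr, text), ...]."""
    listing, off = [], start
    while off < len(code):
        addr = base + off
        length, text = decode_one(code, off, addr)
        listing.append((addr, text))
        off += length
    return listing


def resync_address(listing_a, listing_b):
    """First address at which two sweeps agree on an instruction boundary."""
    common = {a for a, _ in listing_a} & {a for a, _ in listing_b}
    return min(common) if common else None


def patch_breakpoint(code, off):
    """Return a copy of code with a software breakpoint (0xCC) at offset off."""
    patched = bytearray(code)
    patched[off] = 0xCC
    return bytes(patched)


# Constructed byte sequence (assumption: not taken from the lab binary).
CODE = bytes([
    0xB8, 0x3D, 0x00, 0x00, 0x00,   # mov eax, 0x3d
    0x3D, 0x00, 0x00, 0x81, 0xF9,   # cmp eax, 0xf9810000
    0x75, 0x02,                     # jne +2 (skips the two nops)
    0x90, 0x90,                     # nop; nop
    0xC3,                           # ret
])
BASE = 0x401000


def show(title, listing):
    print(title)
    for addr, text in listing:
        print(f"  {addr:08x}  {text}")


if __name__ == "__main__":
    right = linear_sweep(CODE, BASE, 0)
    wrong = linear_sweep(CODE, BASE, 1)          # one byte off: the JNE vanishes
    show("decoded from the instruction boundary:", right)
    show("decoded one byte too late:", wrong)
    print(f"sweeps resynchronize at 0x{resync_address(right, wrong):x}")
    # A breakpoint written mid-instruction becomes part of the CMP immediate.
    show("0xCC written at offset 6 (inside the cmp):",
         linear_sweep(patch_breakpoint(CODE, 6), BASE, 0))
```

Scrolling the CPU window to the wrong address has the same effect as the `start=1` sweep: the 0x75 byte of the JNE lands inside a CMP immediate, so there is no JNE to set a breakpoint after until the decoder resynchronizes at a later boundary (here the RET). Following EIP, as suggested above, restarts the sweep from a known-good boundary.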

RomanSilinenko commented 1 year ago

Thanks.