Alessandro Pignotti writes:
On 2013-02-07 17:00, Alessandro Pignotti wrote:
+opcode=(unsigned char*)context->Eip;
+if (*opcode==0x65 && /* GS segment instruction prefix */
+context->SegGs!=ntdll_get_thread_data()->gs)
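Review bot: the test `if (*opcode==0x65 && ...` inspects only the single byte at Eip, so an instruction whose GS override sits behind another legacy prefix (0x66 operand-size, 0x67 address-size, 0xF2/0xF3 repeat, 0xF0 lock) is never recognised and its fault falls through unhandled; scan forward over the run of prefix bytes (bounded by the 15-byte instruction limit) and test for 0x65 anywhere in that run instead of at offset 0. The read through `opcode=(unsigned char*)context->Eip;` also happens with no check that the address is readable, so a fault raised by a jump into unmapped memory would fault a second time inside the handler; guard the read, and add a comment saying why SegGs is compared against `ntdll_get_thread_data()->gs`.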
Segment-override prefix may be preceded by repeat or operand-size
override prefixes.
So
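A prefix-aware form of the check discussed above, added here as an example that is not part of the submitted patch or of Wine's code: it walks the legacy prefix bytes at the faulting instruction pointer before looking for the 0x65 GS override, then applies the same selector comparison the patch makes. The function names, the 15-byte length cap, the selector values and the sample byte sequences are my own assumptions, not taken from the thread.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helpers (not Wine's code): recognise an x86 GS segment
 * override even when other legacy prefixes precede it. */

#define X86_MAX_INSN_LEN 15   /* hardware limit on instruction length */

/* Legacy prefix bytes; the CPU accepts them in any order before the opcode. */
static int is_legacy_prefix(unsigned char b)
{
    switch (b) {
    case 0xF0:             /* LOCK */
    case 0xF2: case 0xF3:  /* REPNE/REPNZ, REP/REPE */
    case 0x2E: case 0x36:  /* CS, SS override */
    case 0x3E: case 0x26:  /* DS, ES override */
    case 0x64: case 0x65:  /* FS, GS override */
    case 0x66:             /* operand-size override */
    case 0x67:             /* address-size override */
        return 1;
    default:
        return 0;
    }
}

/* Return 1 if the instruction starting at ip carries a GS override (0x65)
 * anywhere in its prefix run, 0 otherwise. 'avail' is how many bytes the
 * caller has already verified to be readable at ip; a real fault handler
 * must establish that before dereferencing context->Eip. */
int insn_has_gs_override(const unsigned char *ip, size_t avail)
{
    size_t i;
    int seen_gs = 0;

    if (avail > X86_MAX_INSN_LEN - 1)   /* leave room for at least one opcode byte */
        avail = X86_MAX_INSN_LEN - 1;
    for (i = 0; i < avail && is_legacy_prefix(ip[i]); i++)
        if (ip[i] == 0x65)
            seen_gs = 1;
    return seen_gs;
}

/* The patch's condition, made prefix-aware: the fault needs the GS fix-up
 * only if the instruction uses GS and the thread's current %gs selector
 * (cur_gs) no longer equals the one ntdll installed (expected_gs). */
int gs_fault_needs_fixup(const unsigned char *ip, size_t avail,
                         unsigned int cur_gs, unsigned int expected_gs)
{
    return insn_has_gs_override(ip, avail) && cur_gs != expected_gs;
}

/* Constructed sample instruction streams (not captured from the games). */
const unsigned char SAMPLE_GS_MOV[]    = { 0x65, 0x8B, 0x05, 0x00, 0x00, 0x00, 0x00 };       /* mov eax, gs:[0] */
const unsigned char SAMPLE_OPSIZE_GS[] = { 0x66, 0x65, 0x8B, 0x05, 0x00, 0x00, 0x00, 0x00 }; /* mov ax, gs:[0]  */
const unsigned char SAMPLE_REP_GS[]    = { 0xF3, 0x65, 0xA5 };                               /* rep movsd gs:[esi] */
const unsigned char SAMPLE_PLAIN_MOV[] = { 0x8B, 0x05, 0x00, 0x00, 0x00, 0x00 };             /* mov eax, [0]    */
const unsigned char SAMPLE_FS_MOV[]    = { 0x64, 0x8B, 0x05, 0x00, 0x00, 0x00, 0x00 };       /* mov eax, fs:[0] */

int main(void)
{
    /* Assumed selector values: what ntdll set up, and what the protector left behind. */
    const unsigned int ntdll_gs = 0x33, cleared_gs = 0x00;

    printf("66 65 8B 05 ...: needs fixup = %d\n",
           gs_fault_needs_fixup(SAMPLE_OPSIZE_GS, sizeof SAMPLE_OPSIZE_GS, cleared_gs, ntdll_gs));
    printf("8B 05 ...      : needs fixup = %d\n",
           gs_fault_needs_fixup(SAMPLE_PLAIN_MOV, sizeof SAMPLE_PLAIN_MOV, cleared_gs, ntdll_gs));
    return 0;
}
```

The single-byte test from the patch would return 0 for the second and third samples; the scan above catches them because 0x65 may sit anywhere in the prefix run. Whatever supplies 'avail' in a real handler has to confirm the bytes at Eip are mapped first, otherwise the handler itself faults on a jump into unmapped memory.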
Alessandro Pignotti writes:
> Hi everyone,
>
> I've found two different games:
>
> -) Of orcs and men
> -) The testament of sherlock holmes
>
> which are using a protection scheme which resets the GS segment selector,
> possibly to confuse virtual machines. Since on linux the GS selector is
> used