[Report] CreateActCtxW detector function does not initialize return value.
Posted: Wed Feb 01, 2023 1:26 am
The following code is from the executable created by Enigma Virtual Box x86 10.10.
This function may return the first assembler code size in CreateActCtxW.
It only supports "pop eax = 1", "push xxxxxxxx = 5", "mov xx,xx = 2 or indefinite edx register value" and "jmp xxxxxxxx = 5".
Otherwise it assumes an indefinite edx register value.
It seems not to initialize the return result value, does it?
The return value depends on the previous GetProcAddress function's edx value. (It may be a too huge value.)
So, when any security application or game guard application hooks CreateActCtxW, the executable may crash.
Code:
mov cl,[eax]
add cl,0xB0
sub cl,08h
jc L0048224A //58 pop eax
sub cl,10h
jz L00482252 //68 push 0xyyyyyyyy
sub cl,23h
jz L00482239 //8b [mov ]
sub cl,5Eh
jnz L00482257
mov edx,00000005h //e9
mov eax,edx
retn
L00482239:
mov al,[eax+01h]
add al,40h
sub al,40h
jnc L00482257
mov edx,00000002h
mov eax,edx
retn
L00482257: // no supported opcode matched; edx was never written by this function
mov eax,edx
retn
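For comparison, here is an added C example (not code from Enigma Virtual Box or from the poster) of the same four-case first-instruction length decoder, written once with an explicit "unknown" result and once modelling the reported behaviour where an unmatched opcode hands back a stale register value. The function names `first_insn_len`, `first_insn_len_as_reported`, `safe_prologue_copy_len`, the sentinel `INSN_LEN_UNKNOWN` and all sample byte sequences are assumptions constructed for the example; the `stale_edx` parameter stands in for whatever the preceding GetProcAddress call left in edx.

```c
/* Added example: a first-instruction length decoder covering only the four
 * cases the forum post lists. Not Enigma Virtual Box code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define INSN_LEN_UNKNOWN 0   /* sentinel: decoder did not recognise the opcode */

/* Classify the first instruction at p. Returns its byte length, or
 * INSN_LEN_UNKNOWN when the opcode is outside the supported set or the
 * buffer is too short to hold the whole instruction. Every path assigns
 * a result, which is the fix for the bug described in the post. */
size_t first_insn_len(const uint8_t *p, size_t avail)
{
    if (p == NULL || avail == 0)
        return INSN_LEN_UNKNOWN;

    switch (p[0]) {
    case 0x58:                        /* pop eax */
        return 1;
    case 0x68:                        /* push imm32 */
    case 0xE9:                        /* jmp rel32 */
        return (avail >= 5) ? 5 : INSN_LEN_UNKNOWN;
    case 0x8B:                        /* mov r32, r/m32 */
        /* Only the register-to-register form (ModRM mod == 11b) is 2 bytes;
         * memory forms need SIB/displacement decoding that is not handled. */
        if (avail >= 2 && (p[1] & 0xC0) == 0xC0)
            return 2;
        return INSN_LEN_UNKNOWN;
    default:
        return INSN_LEN_UNKNOWN;
    }
}

/* Model of the reported behaviour (assumed, for illustration): stale_edx
 * stands for the register value left behind by the preceding GetProcAddress
 * call. An unsupported opcode falls through to "return edx", so the caller
 * receives that stale value instead of an error. */
size_t first_insn_len_as_reported(const uint8_t *p, size_t avail, size_t stale_edx)
{
    size_t len = first_insn_len(p, avail);
    return (len == INSN_LEN_UNKNOWN) ? stale_edx : len;
}

/* Caller-side check: a prologue copy must refuse unknown or oversized
 * lengths rather than trust the decoder blindly. Returns the number of
 * bytes that may be copied, or 0 to signal "leave this function alone". */
size_t safe_prologue_copy_len(const uint8_t *p, size_t avail, size_t max_len)
{
    size_t len = first_insn_len(p, avail);
    if (len == INSN_LEN_UNKNOWN || len > max_len || len > avail)
        return 0;
    return len;
}

/* Constructed sample prologues (not captured from a real binary). */
static const uint8_t SAMPLE_POP_EAX[]    = { 0x58 };
static const uint8_t SAMPLE_PUSH_IMM[]   = { 0x68, 0x11, 0x22, 0x33, 0x44 };
static const uint8_t SAMPLE_JMP_REL[]    = { 0xE9, 0x00, 0x10, 0x00, 0x00 };
static const uint8_t SAMPLE_MOV_REGREG[] = { 0x8B, 0xFF };                  /* mov edi,edi */
static const uint8_t SAMPLE_MOV_MEM[]    = { 0x8B, 0x45, 0x08 };            /* mov eax,[ebp+8] */
static const uint8_t SAMPLE_JMP_IND[]    = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 }; /* jmp [imm32] */

int main(void)
{
    const size_t stale = 0x7FFE0000;  /* constructed stand-in for a stale edx */

    printf("pop eax      -> %zu\n", first_insn_len(SAMPLE_POP_EAX, sizeof SAMPLE_POP_EAX));
    printf("push imm32   -> %zu\n", first_insn_len(SAMPLE_PUSH_IMM, sizeof SAMPLE_PUSH_IMM));
    printf("jmp rel32    -> %zu\n", first_insn_len(SAMPLE_JMP_REL, sizeof SAMPLE_JMP_REL));
    printf("mov edi,edi  -> %zu\n", first_insn_len(SAMPLE_MOV_REGREG, sizeof SAMPLE_MOV_REGREG));
    printf("mov eax,[m]  -> %zu (unknown)\n", first_insn_len(SAMPLE_MOV_MEM, sizeof SAMPLE_MOV_MEM));
    printf("jmp [imm32]  -> fixed %zu, as reported %#zx\n",
           first_insn_len(SAMPLE_JMP_IND, sizeof SAMPLE_JMP_IND),
           first_insn_len_as_reported(SAMPLE_JMP_IND, sizeof SAMPLE_JMP_IND, stale));
    printf("safe copy    -> %zu bytes\n",
           safe_prologue_copy_len(SAMPLE_JMP_IND, sizeof SAMPLE_JMP_IND, 16));
    return 0;
}
```

The point of the two variants is the last sample: with an indirect jump at the start of the function, the fixed decoder returns the sentinel and `safe_prologue_copy_len` refuses to copy anything, while the as-reported model returns the large stale value that would drive a later copy or patch far beyond the function's first instruction.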