[Report] CreateActCtxW detector function does not initialize return value.

blackwingcat2000
Posts: 4
Joined: Tue Jan 25, 2022 5:14 am

Post by blackwingcat2000 »

The following code is from the executable created by Enigma Virtual Box x86 10.10:

Code:

        mov   cl,[eax]
        add   cl,0xB0
        sub   cl,08h
        jc    L0048224A     //58 pop eax
        sub   cl,10h
        jz    L00482252     //68 push 0xyyyyyyyy
        sub   cl,23h
        jz    L00482239     //8b [mov ]
        sub   cl,5Eh
        jnz   L00482257     // reaches L00482257 without edx being set
        mov   edx,00000005h //e9
        mov   eax,edx
        retn
 L00482239:
        mov   al,[eax+01h]
        add   al,40h
        sub   al,40h
        jnc   L00482257     // reaches L00482257 without edx being set
        mov   edx,00000002h
        mov   eax,edx
        retn
 L00482257:
        mov   eax,edx
        retn

This function may return the size of the first assembler instruction in CreateActCtxW.
It only supports "pop eax = 1", "push xxxxxxxx = 5", "mov xx,xx = 2 or indefinite edx register value" and "jmp xxxxxxxx = 5".
Otherwise it assumes an indefinite edx register value.
It seems not to initialize the return value, doesn't it?
The return value depends on the edx value from the previous GetProcAddress function. (It may be a very large value.)

So, when any security application or game guard application hooks CreateActCtxW, the executable may crash.
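
Added example (not part of the original post and not Enigma Virtual Box source code): a C transcription of the byte tests in the listing above, run once with a stale edx value and once with a defined "unknown" result that a caller can check. The function names, the LEN_UNKNOWN sentinel, the stale value and the sample byte sequences are assumptions constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define LEN_UNKNOWN 0u   /* assumption: sentinel chosen for this example */

/* Constructed sample prologues (not taken from any real DLL). */
const uint8_t s_push_reg[] = {0x55};                         /* push ebp        */
const uint8_t s_push_imm[] = {0x68, 0x78, 0x56, 0x34, 0x12}; /* push 12345678h  */
const uint8_t s_jmp[]      = {0xE9, 0x00, 0x00, 0x00, 0x00}; /* jmp rel32       */
const uint8_t s_mov_reg[]  = {0x8B, 0xFF};                   /* mov edi,edi     */
const uint8_t s_mov_mem[]  = {0x8B, 0x44, 0x24, 0x04};       /* mov eax,[esp+4] */
const uint8_t s_push_i8[]  = {0x6A, 0x10};                   /* push 10h        */

/* Byte tests transcribed from the listing; `fallthrough` models whatever
   edx holds when control reaches L00482257. */
static uint32_t classify(const uint8_t *p, uint32_t fallthrough)
{
    uint8_t cl = (uint8_t)(p[0] + 0xB0);
    if (cl < 0x08) return 1;      /* jc: first byte 0x50..0x57; target not in
                                     the listing, length 1 as given in the post */
    cl = (uint8_t)(cl - 0x08);
    if (cl == 0x10) return 5;     /* jz: 0x68; length 5 as given in the post */
    cl = (uint8_t)(cl - 0x10);
    if (cl == 0x23)               /* jz L00482239: 0x8B, then ModRM >= 0xC0 */
        return ((uint8_t)(p[1] + 0x40) < 0x40) ? 2 : fallthrough;
    cl = (uint8_t)(cl - 0x23);
    return (cl == 0x5E) ? 5 : fallthrough;   /* 0xE9, else jnz L00482257 */
}

/* Behaviour of the listing: unrecognised bytes return the stale edx. */
uint32_t len_as_listed(const uint8_t *p, uint32_t stale_edx) { return classify(p, stale_edx); }

/* Same tests with a defined result, so a caller can detect "unknown". */
uint32_t len_checked(const uint8_t *p) { return classify(p, LEN_UNKNOWN); }

int main(void)
{
    const uint32_t stale = 0x7FFE0000u;   /* constructed stand-in for leftover edx */
    printf("mov eax,[esp+4]: listed=%#x checked=%u\n",
           (unsigned)len_as_listed(s_mov_mem, stale), (unsigned)len_checked(s_mov_mem));
    printf("push 10h:        listed=%#x checked=%u\n",
           (unsigned)len_as_listed(s_push_i8, stale), (unsigned)len_checked(s_push_i8));
    printf("jmp rel32:       listed=%#x checked=%u\n",
           (unsigned)len_as_listed(s_jmp, stale), (unsigned)len_checked(s_jmp));
    return 0;
}
```
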
Enigma
Site Admin
Posts: 2939
Joined: Wed Aug 20, 2008 2:24 pm

Re: [Report] CreateActCtxW detector function does not initialize return value.

Post by Enigma »

Thanks for that :) The function's return value really was undefined, which might cause issues.

As for multiple hooking of the same function - what do you think is the chance that multiple systems will hook the same CreateActCtxW function? I believe the chances are low. Moreover, if a hook is done, it is usually done by a jmp xxxxxx instruction, which EVB can handle.