[原创]intel指令手册、OD、WinDBG引擎中发现的错误
很多undocumented大家都在用，慢慢只好变成documented了

[求助]masm32 无法编译
masm的bug，可以用org $+max_programsize模拟

[原创]隐藏ploymorphic代码到数学函数中
这样跟xor一下有啥区别？

[求助]int 3 原理疑问
可能是DPL不对

[求助]是不是CreateRemoteThread的线程中不能使用VCL窗口？
运行以后注入应该没什么问题，如果CreateProcess CREATE_SUSPENDED之后就注入可能引起ui的各种不正常

[求助]怎么知道CreateProcess的进程已经完全初始化完成
CREATE_SUSPENDED之后想办法拦住BaseProcessStart，就可以算是初始化完了

讨论]可惜啊，没有这样一种功能的软件，也没有硬件
heisenbug啊

[原创]PYdotDLL. a simple python hook engine / update 2010.9.28
给个改良decorator的方案，仅供参考。

import inspect

def is_recursion():
    def get_code(depth):
        return inspect.currentframe(depth+1).f_code
    return get_code(1) is get_code(2)

def hook(dllname, funcname=None, calltype=None, restype=c_ulong, **kwargs):

    def decorator(f):

        if funcname is None:
            funcname = f.__name__

        functype = {
            None: WINFUNCTYPE,
            'C': CFUNCTYPE, 
        } [calltype]
        
        argnames = inspect.getargspec(f).args
        argtypes = [kwargs.get(argname, c_ulong) for argname in argnames]

        prototype = functype(restype, *argtypes)
        trampoline = prototype(hook_engine(dllname, funcname))

        def g(*v, **k):
            if is_recursion():
                return trampoline(*v, **k)
            else:
                return f(**v, **k)
        return g

    return decorator

@hook('user32')
def MessageBoxA(hWnd, lpText, lpCaption, uType):
    return MessageBoxA(a, 'fuck', c, d)

[原创]与坛子里的兄弟们交流交流艺术[8P]
甘道夫怎么看着像萨鲁曼

[原创]PYdotDLL. a simple python hook engine / update 2010.9.28
可以考虑设计个decorator

@hook('user32', 'MessageBoxA', msg=c_char_p, title=c_char_p) # default type=c_ulong
def my_MessageBox(hwnd, msg, title, icon):
    yield (hwnd, msg, title, icon)

[求助]问个暂停线程APC相关的问题
单核是kernel apc，多核会引发ipi

[原创]PYdotDLL. a simple python hook engine / update 2010.9.28
这么好的帖子没人顶啊

[求助]如何获取一个程序的堆地址空间范围和栈地址空间范围？

dd fs:[18h]

7FFDF000  0012FFE0  (Pointer to SEH chain)
7FFDF004  00130000  (Top of thread's stack)
7FFDF008  0012D000  (Bottom of thread's stack)

[注意]2010中国计算机网络安全年会暨FIRST技术研讨会
见到SAC太诡异了

[求助]哪个标志位是检测跳转是否实现的？

Mnemonic              Meaning                    Jump Condition
  JA     Jump if Above                         CF=0 and ZF=0
  JAE    Jump if Above or Equal                CF=0
  JB     Jump if Below                         CF=1
  JBE    Jump if Below or Equal                CF=1 or ZF=1
  JC     Jump if Carry                         CF=1
  JCXZ   Jump if CX Zero                       CX=0
  JE     Jump if Equal                         ZF=1
  JG     Jump if Greater (signed)              ZF=0 and SF=OF
  JGE    Jump if Greater or Equal (signed)     SF=OF
  JL     Jump if Less (signed)                 SF != OF
  JLE    Jump if Less or Equal (signed)        ZF=1 or SF != OF
  JMP    Unconditional Jump                    unconditional
  JNA    Jump if Not Above                     CF=1 or ZF=1
  JNAE   Jump if Not Above or Equal            CF=1
  JNB    Jump if Not Below                     CF=0
  JNBE   Jump if Not Below or Equal            CF=0 and ZF=0
  JNC    Jump if Not Carry                     CF=0
  JNE    Jump if Not Equal                     ZF=0
  JNG    Jump if Not Greater (signed)          ZF=1 or SF != OF
  JNGE   Jump if Not Greater or Equal (signed) SF != OF
  JNL    Jump if Not Less (signed)             SF=OF
  JNLE   Jump if Not Less or Equal (signed)    ZF=0 and SF=OF
  JNO    Jump if Not Overflow (signed)         OF=0
  JNP    Jump if No Parity                     PF=0
  JNS    Jump if Not Signed (signed)           SF=0
  JNZ    Jump if Not Zero                      ZF=0
  JO     Jump if Overflow (signed)             OF=1
  JP     Jump if Parity                        PF=1
  JPE    Jump if Parity Even                   PF=1
  JPO    Jump if Parity Odd                    PF=0
  JS     Jump if Signed (signed)               SF=1
  JZ     Jump if Zero                          ZF=1

[求助]有没有人知道怎么用known plan text搞定zip的中文密码
得先看是zip加密还是aes加密