
                               BPX bypassing
                               =============

     And here is one more anti-debugging method.

     There are two common ways of breakpoint setting.
     1. First (and older) way is to insert INT3 (0xCC) at some address, and
 save original byte.
     2. Other (and later) way is  to setup DRx registers to enable hardware
 breakpoint at some fixed memory address.
     This  is  like  eulerian  and  lagrangian viewpoints: one method is to
 insert  breakpoint  into information (matter), and move with it, and other
 is to enable breakpoint at some fixed space address, matter goes through.
     Within Soft-ICE this is BPX and BMP X commands correspondingly.

     Well, typical haxor's trick is to do the following:

       BPX MessageBoxA

     that will insert CC byte into beginning of the MessageBoxA function.

     Here is how this functions looks:

      USER32.DLL!MessageBoxA
      .text:77E38CAE 55             push    ebp
      .text:77E38CAF 8B EC          mov     ebp, esp
      .text:77E38CB1 51             push    ecx
      .text:77E38CB2 83 3D 98 94 .. cmp     dword_77E69498, 0
      .text:77E38CB9 0F 85 C4 05 .. jnz     loc_77E49283
      .text:77E38CBF 6A 00          push    0
      .text:77E38CC1 FF 75 14       push    dword ptr [ebp+14h]
      .text:77E38CC4 FF 75 10       push    dword ptr [ebp+10h]
      .text:77E38CC7 FF 75 0C       push    dword ptr [ebp+0Ch]
      .text:77E38CCA FF 75 08       push    dword ptr [ebp+8]
      .text:77E38CCD E8 04 00 00 00 call    MessageBoxExA
      .text:77E38CD2 C9             leave
      .text:77E38CD3 C2 10 00       retn    10h

     And here is how this function is called:

                                    call    USER32.DLL!MessageBoxA

     Idea is to the following:

       E8 xx xx xx xx               call    my_MessageBoxA
                                    ...
       my_MessageBoxA:
       55                           push    ebp
       8B EC                        mov     ebp, esp
       51                           push    ecx
       E9 xx xx xx xx               jmp     (USER32.DLL!MessageBoxA + 4)

     So,  there  will  be  skipped all the breakpoints inserted by debugger
 into system functions which may be called by our program.

     Examples:

       NOBPX0 -- MessageBoxA is called in normal way
       NOBPX1 -- alredy-known instruction is skipped
       NOBPX2 -- single unknown instruction is skipped
       NOBPX3 -- several unknown instructions are skipped

                                   * * *
