Well, I joined a learning course about computing and we're given an executable (PE) to analyze for a certain purpose. While I was tracking instructions to understand the PE, I faced an abnormal instruction, "INT 1". When I execute it, the program goes into "ntdll" to run a block of instructions and then comes back to the original location (the program), but what I noticed is that the instruction that comes after the "INT 1" (which is "XOR EAX,EBX") doesn't execute, and execution directly starts from the following instruction (I use OllyDBG). This whole matter made it harder for me to reach my purpose, so please can you help me understand what's going on?
PS:
1- The result in EAX after executing "INT 1" depends on the word from the user input (DWORD PTR [ESI]).
2- The author talked about something called "Structured Exception Handling and Vectored Exception Handling", which describes my situation, but I didn't understand it very well.
This is the block of instructions where things happen:
LODS DWORD PTR [ESI] ;loads the 4 bytes user input into eax
MOV EBX,495F4265
INT 1 ;our enemy
XOR EAX,EBX ;This one is not executed as shown in OllyDBG
CMP EAX,FF2CF8E5 ;eax content changes each time depending on user input
JE
For any further information, don't hesitate to ask me. Thanks in advance :))
INT 1 is the debug interrupt. My guess is that NTDLL modifies the return address to skip that XOR statement. (fun fact: 0x495f4265 represents the string dB_I) – Drew McGowen