vinnie Posted April 6, 2008
Figured out my BSOD... the firewall was causing it. Now, I still can't get anywhere... I figured to bp GetProcAddress before, but I can't get it to go even that far. It just runs around in the loops/obfuscation forever and never starts to load any APIs or anything. :/
I finally tried What's hints and found that for some reason SND Olly will not break on GetProcAddress. I finally got the thing to break on GetProcAddress with the new Olly SABRE GOLD and now I can see the anti-debugging APIs (OutputDebugStringA, UnhandledExceptionFilter, ProcessNextW, etc.). The thing I don't understand is why I get further without any of the hiding plugins activated? If I turn the plugins on then I get stuck in a loop much earlier. Is it checking for patches being made to these APIs?
Teddy Rogers Posted April 6, 2008
Maybe it is checking for anti-debugging tricks?
Ted.
vinnie Posted April 6, 2008
Quote: Maybe it is checking for anti-debugging tricks? Ted.
LOL... And the Nobel Prize for stating the obvious goes to... Ted. :biggrin: I gathered as much, Ted, but I was hoping someone would tell me why SND Olly failed to BP on GetProcAddress whereas the new Olly did, so I can maybe attempt to patch the SND Olly.
Teddy Rogers Posted April 6, 2008
Quote: LOL... And the Nobel Prize for stating the obvious goes to... Ted. :biggrin:
Lol! I won a prize... Ted.
What Posted April 6, 2008 (edited)
Quote: I gathered as much, Ted, but I was hoping someone would tell me why SND Olly failed to BP on GetProcAddress whereas the new Olly did, so I can maybe attempt to patch the SND Olly.
Did you check the settings? They probably differ from each other. I can do it manually with an unmodded Olly and Olly with OllyAdvanced, with only Flexible breakpoints checked, not Anti-debugger checked (I have an ODbgScript for that one). Also with an unmodded, no-nothing OllyDbg v2 (which was lame because there is no memory BP yet, that or I am blind). I hope this helps a little more.
Edited April 6, 2008 by What
vinnie Posted April 6, 2008 (edited)
Quote: Did you check the settings? They probably differ from each other. I can do it manually with an unmodded Olly and Olly with OllyAdvanced, with only Flexible breakpoints checked, not Anti-debugger checked (I have an ODbgScript for that one). Also with an unmodded, no-nothing OllyDbg v2 (which was lame because there is no memory BP yet, that or I am blind). I hope this helps a little more.
I did quickly skim through the settings but didn't notice anything different. I will have a closer look. Thanks, What.
I tried it and you were right. All it needed was the flexible BP.
Edited April 6, 2008 by vinnie
sdy100 Posted April 11, 2008 (edited)
I will give you some hints:
1. Load OllyDbg 2.0.
2. Go to OutputDebugStringA.
3. Change it like this.
Before:
7C859F78 OutputDebugStringA  68 34020000   push 234
7C859F7D                     68 A0A2857C   push kernel32.7C85A2A0
After:
7C859F78 OutputDebugStringA  31C0          xor eax,eax
7C859F7A                     C2 0400       retn 4
4. Run.
Edited April 11, 2008 by sdy100
Loki Posted April 11, 2008
Quote: I will give you some hints:
1. Load OllyDbg 2.0.
2. Go to OutputDebugStringA.
3. Change it like this.
Before:
7C859F78 OutputDebugStringA  68 34020000   push 234
7C859F7D                     68 A0A2857C   push kernel32.7C85A2A0
After:
7C859F78 OutputDebugStringA  31C0          xor eax,eax
7C859F7A                     C2 0400       retn 4
4. Run.
It might take a little more than that.
ahmadmansoor Posted April 11, 2008
I note that Mr. sdy100... as if Lena, after she studied Olly 1.x very carefully... I think she discovered some weakness in this version of Olly, so if you try to load any target protected with this protector it makes Olly go into an infinite loop... but if you open the target with Olly 2.0 or IDA it will pass this infinite loop, as if the weak point in this version has been fixed...
What Posted April 11, 2008
OllyDbg 2 is kinda lame right now so I think I will stick to running it under Olly 1.10. :tongue:
syk071c Posted April 11, 2008
xor eax,eax / retn 4: things such as this are checked. A lot of the anti-debug tricks are findable by tracing through, if you have the patience and the time... time has been quite limited for me lately...
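A worked example of what "checked" means for the patch in sdy100's hint, added here and not taken from the thread or from lARP's own code: a protector that compares an API's first bytes against a stored copy (or a checksum of them) notices both the xor eax,eax / retn 4 stub and a debugger's int3 in one pass, which is one reason a hiding plugin that rewrites API prologues can make things worse rather than better. The byte values are the ones listed in the thread; the prologue length, the enum names and the FNV-1a hash are assumptions of this example, and the self-check reads a function in this process rather than kernel32.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* How many leading bytes of an entry point to inspect. An assumption for
 * this example; the thread does not say what lARP actually compares. */
#define PROLOGUE_LEN 5

enum prologue_state {
    PROLOGUE_INTACT = 0,    /* bytes match the reference copy */
    PROLOGUE_INT3 = 1,      /* 0xCC at the entry: a software breakpoint */
    PROLOGUE_STUBBED = 2,   /* xor eax,eax followed by retn: the API was neutered */
    PROLOGUE_MODIFIED = 3   /* some other change (hook, jmp, different patch) */
};

/* Constructed reference: the original kernel32.OutputDebugStringA entry as
 * listed in the thread (push 234 / push kernel32.7C85A2A0). */
static const uint8_t k_odbs_orig[] = {
    0x68, 0x34, 0x02, 0x00, 0x00,       /* push 234 */
    0x68, 0xA0, 0xA2, 0x85, 0x7C        /* push 7C85A2A0 */
};

/* Constructed: the same entry after sdy100's patch (xor eax,eax / retn 4). */
static const uint8_t k_odbs_stubbed[] = { 0x31, 0xC0, 0xC2, 0x04, 0x00 };

/* Constructed: the same entry with an int3 planted by a debugger. */
static const uint8_t k_odbs_int3[] = { 0xCC, 0x34, 0x02, 0x00, 0x00 };

/* Compare the live prologue against a reference copy and classify it. */
enum prologue_state check_prologue(const uint8_t *live, const uint8_t *reference, size_t len)
{
    if (len == 0)
        return PROLOGUE_INTACT;
    if (live[0] == 0xCC)
        return PROLOGUE_INT3;
    if (memcmp(live, reference, len) == 0)
        return PROLOGUE_INTACT;
    /* xor eax,eax encodes as 31 C0 or 33 C0; retn is C3, retn imm16 is C2 xx xx */
    if (len >= 3 && (live[0] == 0x31 || live[0] == 0x33) && live[1] == 0xC0 &&
        (live[2] == 0xC3 || live[2] == 0xC2))
        return PROLOGUE_STUBBED;
    return PROLOGUE_MODIFIED;
}

/* Alternative that needs no reference bytes at run time: an FNV-1a hash of
 * the prologue. A protector records it when the target is protected and
 * compares later; any changed byte, including a single 0xCC, changes it. */
uint32_t prologue_checksum(const uint8_t *code, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= code[i];
        h *= 16777619u;
    }
    return h;
}

/* Stand-in for a protected API: any function whose code this process can read. */
int sample_api(int x)
{
    return x + 1;
}

/* Self-check on this process: snapshot sample_api's first bytes, then verify
 * them again. Returns 1 when intact; a software breakpoint written to
 * sample_api between the two reads would make it return 0. */
int live_self_check(void)
{
    const uint8_t *code = (const uint8_t *)(uintptr_t)&sample_api;
    uint8_t snapshot[PROLOGUE_LEN];
    memcpy(snapshot, code, PROLOGUE_LEN);
    return check_prologue(code, snapshot, PROLOGUE_LEN) == PROLOGUE_INTACT;
}

int main(void)
{
    static const char *names[] = { "intact", "int3", "stubbed", "modified" };
    printf("original : %s\n", names[check_prologue(k_odbs_orig, k_odbs_orig, PROLOGUE_LEN)]);
    printf("patched  : %s\n", names[check_prologue(k_odbs_stubbed, k_odbs_orig, PROLOGUE_LEN)]);
    printf("int3     : %s\n", names[check_prologue(k_odbs_int3, k_odbs_orig, PROLOGUE_LEN)]);
    printf("checksum : %08x vs %08x\n", prologue_checksum(k_odbs_orig, PROLOGUE_LEN),
           prologue_checksum(k_odbs_stubbed, PROLOGUE_LEN));
    printf("self     : %s\n", live_self_check() ? "intact" : "tampered");
    return 0;
}
```

The practical consequence for the thread's situation: a hiding plugin that hooks or stubs OutputDebugStringA, UnhandledExceptionFilter and friends changes exactly the bytes such a check reads, so the protector trips earlier with the plugin on than with it off. The usual way around a checksum-style check while tracing is to leave the API bytes alone and instead break after the call returns and adjust the register the caller tests.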
What Posted April 11, 2008
@syk071c, have you seen the updated lARP, which can be found on Armageddon, or whatever it is called? If you don't trace through you'll never figure it out.
sdy100 Posted April 12, 2008
More hints: "INT 2D Debugger Detection". It doesn't work in OllyDbg 2.0.
ahmadmansoor Posted April 12, 2008
You mean SoftICE, my dear friend :biggrin: ... I think it is our puzzle of the week :tongue: ... we must find a solution for this or we will die... Oooooo, I like that... more puzzles, boys... hehe
Quote: More hints: "INT 2D Debugger Detection". It doesn't work in OllyDbg 2.0.
syk071c Posted April 12, 2008
Haven't seen the updated lARP on Armageddon... but I probably am quite curious now. Ah yes, the int 2Ds, yes, they were quite a pain to find too. I can say a hell of a lot of the anti-debug used doesn't rely on APIs, so you must trace.
vinnie Posted April 13, 2008 (edited)
@What, can I IMPLORE you to do a tut on this protector... please... pretty please... with sugar on top?
I have got the thing running in Olly just fine now with a script I made with the hints you provided, but what I don't get is how the protection works. Like why will it run if you set BPs on GetProcAddress and ZwContinue and bypass a few debug APIs?
I can understand everyone's reluctance to shed light on the protector because you guys use it to protect your releases, but maybe the tut shouldn't be on "how to unpack lARP" but more on the anti-debugging used in the protector. Would make good reading.
Also, now that I have got the Pro version running I am trying the Standard version and I am getting stuck on the GetTickCount. I have read the info on this and it says to modify EAX after the API call, but it didn't work for me there. In the Pro version I didn't even worry about this API and it still ran. Any help there, What? Thanks for your info on this so far. I learned a lot... e.g. there are a lot more ways of anti-debugging that I have no knowledge about.
Edited April 13, 2008 by vinnie
lena151 Posted April 13, 2008 (Author)
@Vinnie: PM me the anti-debug you don't understand. As soon as I find the time, I'll code it and send you the source. I guess that will be the best solution and also best for your understanding. Also, some of the tricks are machine specific, hence it may very well be that if someone sends you a walkthrough... it may not even work on your machine... Hope this will help you out.
lena151.
SunBeam Posted April 14, 2008
Vinnie, trust me, I would love to know the inner workings of lARP, but I am honestly fed up with reading tutorials. I like this protector because it's not "documented" and that makes it something unique (see EXECryptor and Themida, there's nothing left to study about them, other than the VM, which involves time and understanding of code). Here's my idea, and I believe this will work, as Lena might've overlooked it... In its incipient stages, lARP had a bug with its custom-named section. If you changed the name of that section, the application ran and crashed in memory. Alas, you could attach and dump it (IAT was intact, no stolen OEP, etc.). That bug got fixed, BUT... there's a huge big hole on the same side-line. Maybe that hint helps you. Also, I began studying the "VM", lol. Here's another hint: Hacker Disassembler, and oh, it helps a lot. Other than that, I never got to open it in Olly.