vinnie, posted April 6, 2008:

Figured out my BSOD... the firewall was causing it. Now, I still can't get anywhere... I figured to bp GetProcAddress before, but I can't get it to go even that far. It just runs around in the loops/obfuscation forever and never starts to load any APIs or anything. :/ I finally tried What's hints and found that for some reason SND Olly will not break on GetProcAddress. I finally got the thing to break on GetProcAddress with the new Olly SABRE GOLD and now I can see the anti-debugging APIs (OutputDebugStringA, UnhandledExceptionFilter, ProcessNextW, etc.). The thing I don't understand is why I get further without any of the hiding plugins activated? If I turn the plugins on then I get stuck in a loop much earlier. Is it checking for patches being made to these APIs?
Teddy Rogers, posted April 6, 2008:

Maybe it is checking for anti-debugging tricks?

Ted.
vinnie, posted April 6, 2008:

> Maybe it is checking for anti-debugging tricks?
> Ted.

LOL... And the Nobel prize for stating the obvious goes to...... Ted. :biggrin: I gathered as much Ted, but I was hoping someone would tell me why SND Olly failed to BP on GetProcAddress whereas the new Olly did, so I can maybe attempt to patch the SND Olly.
Teddy Rogers, posted April 6, 2008:

> LOL... And the Nobel prize for stating the obvious goes to...... Ted. :biggrin:

Lol! I won a prize...

Ted.
What, posted April 6, 2008 (edited):

> I gathered as much Ted, but I was hoping someone would tell me why SND Olly failed to BP on GetProcAddress whereas the new Olly did, so I can maybe attempt to patch the SND Olly.

Did you check the settings? They probably differ from each other. I can do it manually with an unmodded Olly and Olly + OllyAdvanced, with only "Flexible breakpoints" checked, not "anti debugger" checked (have an ODbgScript for that 1). Also with an unmodded, no-nothing OllyDbg v2 (which was lame because there is no memory bp yet, that or I am blind). I hope this helps a little more.

Edited April 6, 2008 by What
vinnie, posted April 6, 2008 (edited):

> Did you check the settings? They probably differ from each other. I can do it manually with an unmodded Olly and Olly + OllyAdvanced, with only "Flexible breakpoints" checked, not "anti debugger" checked (have an ODbgScript for that 1). Also with an unmodded, no-nothing OllyDbg v2 (which was lame because there is no memory bp yet, that or I am blind). I hope this helps a little more.

I did quickly skim through the settings but didn't notice anything different. I will have a closer look. Thanks What.

I tried it and you were right. All it needed was the flexible BP.

Edited April 6, 2008 by vinnie
sdy100, posted April 11, 2008 (edited):

I will give you some hint:

1. Load OllyDbg 2.0
2. Go to OutputDebugStringA
3. Change like this:

before
7C859F78 OutputDebugStringA 68 34020000 push 234
7C859F7D 68 A0A2857C push kernel32.7C85A2A0

after
7C859F78 OutputDebugStringA 31C0 xor eax,eax
7C859F7A C2 0400 retn 4

4. Run

Edited April 11, 2008 by sdy100
Loki, posted April 11, 2008:

> I will give you some hint:
> 1. Load OllyDbg 2.0
> 2. Go to OutputDebugStringA
> 3. Change like this:
> before
> 7C859F78 OutputDebugStringA 68 34020000 push 234
> 7C859F7D 68 A0A2857C push kernel32.7C85A2A0
> after
> 7C859F78 OutputDebugStringA 31C0 xor eax,eax
> 7C859F7A C2 0400 retn 4
> 4. Run

It might take a little more than that.
ahmadmansoor, posted April 11, 2008:

I note that Mr. sdy100 ..... as if Lena, after she studied Olly 1.X very carefully ..... I think she discovered some weakness in this version of Olly ... so if u try to load any target protected with this protector it makes Olly go into an infinite loop .... but if u open the target with Olly 2.0 or IDA it will pass this infinite loop, as if the weak point in this version has been fixed .....
What, posted April 11, 2008:

OllyDbg 2 is kinda lame right now so I think I will stick to running it under Olly 1.10. :tongue:
syk071c, posted April 11, 2008:

xor eax,eax / retn 4: things such as this are checked... a lot of the anti-debug tricks are findable by tracing through... if you have the patience and the time... time has been quite limited to me lately...
What, posted April 11, 2008:

@syk071c, have you seen the updated lARP, which can be found on Armageddon, or whatever it is called? If you don't trace through you'll never figure it out.
sdy100, posted April 12, 2008:

More hint: "INT 2D Debugger Detection". It doesn't work in OllyDbg 2.0.
ahmadmansoor, posted April 12, 2008:

U mean sofice my dear friend :biggrin: ... I think it is our puzzle of the week :tongue: ................. we must find a solution for this or we will die ..... Oooooo i like that .... more puzzles boys ...... hehe

> More hint: "INT 2D Debugger Detection". It doesn't work in OllyDbg 2.0.
syk071c, posted April 12, 2008:

Haven't seen the updated lARP on Armageddon... but I probably am quite curious now... ah yes, the int 2d's, yes they were quite a pain to find too. I can say a hell of a lot of the anti-debug used doesn't rely on APIs, so you must trace...
vinnie, posted April 13, 2008 (edited):

@What, can I IMPLORE you to do a tut on this protector..... please........ pretty please........ with sugar on top? I have got the thing running in Olly just fine now with a script I made with the hints you provided, but what I don't get is how the protection works. Like why will it run if you set BPs on GetProcAddress and ZwContinue and bypass a few debug APIs?

I can understand everyone's reluctance to shed light on the protector cause you guys use it to protect your releases, but maybe the tut shouldn't be on "how to unpack lARP" but more on the anti-debugging used in the protector. Would make good reading.

Also, now that I have got the Pro version running I am trying the standard version and I am getting stuck on the GetTickCount. I have read the info on this and it says to modify EAX after the API call, but it didn't work for me there. In the Pro version I didn't even worry about this API and it still ran. Any help there What? Thanks for your info on this so far. I learned a lot... e.g. there are a lot more ways of anti-debugging that I have no knowledge about.

Edited April 13, 2008 by vinnie
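For readers following the GetTickCount discussion above, here is an added illustration (not code from the thread, lARP, or any of its authors) of how a tick-count timing check is normally shaped: read the counter, run the protected region, read it again, and treat a delta above some threshold as evidence of single-stepping. It also shows why the "modify EAX after the API call" advice in the post works in principle: the check only ever sees the returned value, so whatever is in EAX when the call returns is what gets compared. The `read_ticks`, `tick_delta`, `timing_check_tripped` and `protected_region` names and the 500 ms threshold are assumptions made for this example; on non-Windows hosts a monotonic clock truncated to 32 bits stands in for GetTickCount so the wraparound behaviour is the same.

```c
/* Added example: the shape of a GetTickCount-style timing check.
 * Names, threshold and the non-Windows tick source are assumptions. */
#if !defined(_WIN32) && !defined(_POSIX_C_SOURCE)
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
/* On Windows use the real API the thread is talking about. */
static uint32_t read_ticks(void) { return (uint32_t)GetTickCount(); }
#else
#include <time.h>
/* Non-Windows stand-in: millisecond monotonic clock truncated to 32 bits,
 * so it wraps exactly like GetTickCount does (every ~49.7 days). */
static uint32_t read_ticks(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint32_t)((uint64_t)ts.tv_sec * 1000u + (uint64_t)ts.tv_nsec / 1000000u);
}
#endif

/* Elapsed milliseconds between two readings. Plain unsigned subtraction
 * gives the right answer even if the 32-bit counter wrapped in between,
 * which a naive signed comparison would get wrong. */
uint32_t tick_delta(uint32_t before, uint32_t after) {
    return after - before;
}

/* The decision the protector makes: the region took longer than it
 * plausibly could at full speed, so someone was probably stepping it.
 * Note that only the two returned values matter; the check has no other
 * view of time, which is why altering the returned value defeats it. */
int timing_check_tripped(uint32_t before, uint32_t after, uint32_t threshold_ms) {
    return tick_delta(before, after) > threshold_ms;
}

/* Some work that finishes well under the threshold when not single-stepped. */
static volatile uint32_t sink;
static void protected_region(void) {
    uint32_t acc = 0;
    for (uint32_t i = 0; i < 100000u; i++) acc = acc * 31u + i;
    sink = acc;
}

int main(void) {
    uint32_t t0 = read_ticks();
    protected_region();
    uint32_t t1 = read_ticks();
    if (timing_check_tripped(t0, t1, 500u))
        printf("region took %u ms: check tripped\n", tick_delta(t0, t1));
    else
        printf("region took %u ms: check passed\n", tick_delta(t0, t1));
    return 0;
}
```

Run normally the region completes in a few milliseconds and the check passes; stepping through `protected_region` in a debugger for more than half a second trips it. The wraparound case matters in practice because a check that computes `after - before` as a signed value would see a huge negative number right after the counter rolls over and behave differently from the unsigned form shown here.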
lena151 (author), posted April 13, 2008:

@Vinnie: PM me the anti-debug you don't understand. As soon as I find the time, I'll code it and send you the source. I guess that will be the best solution and also best for your understanding. Also, some of the tricks are machine specific, hence it may very well be that if someone sends you a walkthrough... it may not even work on your machine... Hope this will help you out.

lena151.
SunBeam, posted April 14, 2008:

Vinnie, trust me, I would love to know the inner workings of lARP, but I am honestly fed up with reading tutorials. I like this protector because it's not "documented" and that makes it something unique (see EXECryptor and Themida, there's nothing left to study about them, other than the VM, which involves time and understanding of code). Here's my idea, and I believe this will work, as Lena might've overlooked it... In incipient stages, lARP had a bug with its custom-named section. If you changed the name of that section, the application ran and crashed in memory. Alas, you could attach and dump it (IAT was intact, no stolen OEP, etc.). That bug got fixed, BUT... there's a huge big hole on the same side-line. Maybe that hint helps you. Also, I began studying the "VM" lol. Here's another hint: Hacker Disassembler, and oh, it helps a lot. Other than that, I never got to open it in Olly.