cozofdeath Posted October 1, 2011
I'm checking it out today and can't figure out why it keeps clearing the stack (esp = 0) and then pushing a value onto it, killing Olly. Clearly I'm doing something wrong because this isn't valid in Olly or Windows, but I can't figure it out. I'm on a Win7 computer. Running it outside the debugger works fine, but inside it fails every time at the same spot early in the code. It happens at 102fe75 (XCHG EAX, ESP) right after changing the hardware registers. Any info on this?
LCF-AT Posted October 1, 2011
@ cozofdeath
Disable Protect DRx in Phant0m [or other plugins patching DRx]
Enable Skip some Exceptions in StrongOD
With this head setting you can run VProtect in Olly. Use only soft BPs. If you want to break on APIs then use the ret for stopping. VProtect also has self-code checks, so if you set soft BPs in the code [mostly in VM] and it checks, then it gets wrong values. You know the opcode where the BP is set will now read as a CC byte = crash later. If you want to analyze some VM code inside the you should better hook the KiUserExceptionDispatcher API and keep an eye on the stack results. There you can also catch some bad AV = VP has found | detected you.
PS: Unpack script is still in progress but I am close to completing the first public version.
greetz
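The "soft BP in self-checked code reads as CC" point above is worth seeing concretely. The following is an added example, not code from the thread or from VProtect: it hashes a constructed sample byte region standing in for checked code, then writes a single 0xCC (INT3) into it the way a software breakpoint does and shows that an integrity check over the region fires. The hash scheme (FNV-1a) and the sample bytes are assumptions for the demonstration; a real protector uses its own. A hardware breakpoint leaves the bytes untouched, which is why the check above does not trip on it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a few bytes standing in for a self-checked code region.
   These are not taken from VProtect; any byte pattern works for the demo. */
static const uint8_t ORIGINAL_CODE[] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56, 0x57, 0x8B, 0x7D, 0x08
};

/* 32-bit FNV-1a over a code region. A protector would use its own scheme;
   this is a stand-in so the example runs anywhere. */
static uint32_t code_checksum(const uint8_t *code, size_t len) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < len; i++) {
        h ^= code[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Returns 1 when the region's current hash differs from the recorded one,
   i.e. a software breakpoint (0xCC) or any other patch landed in checked code. */
static int code_was_modified(const uint8_t *code, size_t len, uint32_t expected) {
    return code_checksum(code, len) != expected;
}

/* Simulates setting a soft BP inside a self-checked region: copies the sample,
   records its checksum, patches one byte to 0xCC (INT3) at bp_offset, and
   returns whether the check fires. Pass an offset >= region size for "no BP". */
static int demo_softbp_detected(size_t bp_offset) {
    uint8_t code[sizeof ORIGINAL_CODE];
    memcpy(code, ORIGINAL_CODE, sizeof code);
    uint32_t expected = code_checksum(code, sizeof code);
    if (bp_offset < sizeof code) {
        code[bp_offset] = 0xCC;   /* what the debugger writes for a soft BP */
    }
    return code_was_modified(code, sizeof code, expected);
}

int main(void) {
    printf("no BP set (hardware BP or none): modified=%d\n",
           demo_softbp_detected(SIZE_MAX));
    printf("soft BP at +3:                   modified=%d\n",
           demo_softbp_detected(3));
    return 0;
}
```

The same logic explains the advice to break on a ret or to watch KiUserExceptionDispatcher instead: neither changes the bytes of the checked region, so the protector's own checksum still matches.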
cozofdeath Posted October 2, 2011 (edited)
Thanks for the reply. I still can't get it to work with any setting. It errors quickly with this exception: 0xC0000235, no matter what anti-debug setting I have it on. I always have an extremely hard time trying to get around the anti-debugs on this computer, but I appreciate you listing the anti-debug settings. I'll give it a go on the old faithful XP computer. Good luck on the script!
Edited October 2, 2011 by cozofdeath
LCF-AT Posted October 2, 2011
C0000235 (HANDLE NOT CLOSABLE)
--------------------------------------
StrongOD:
--------------------------------------
Enable HidePEB
Enable KernelMode
Enable !*Kill BadPE Bug (optional)
Enable Skip some Exceptions: Normal
--------------------------------------
Phant0m:
--------------------------------------
Enable Protect DRx
--------------------------------------
Olly Custom Exceptions: 00000000-FFFFFFFF
--------------------------------------
Do not forget to rename the driver names in the Olly ini file. The other options in StrongOD & Phant0m you have to DISABLE. Now you should run your VProtect targets in Olly without problems.
You can also check if you still have an old driver running in the background. Use IceSword | SSDT table, have a look, and if you see some \temp\....sys which is not from StrongOD then restore it. You can also find in some cases an old Phant0m driver which is no longer used. If yes, then restore it too. Now check this and try again.
PS: So test also some different VProtect unpackmes and see whether you get the same bad result or not. If you also use more Olly's with StrongOD & Phant0m then use the same driver names in the other Olly ini files too. Also no longer use the Phant0m plugin with loading a driver, as in many cases Phant0m has problems unloading the driver itself.
greetz
cozofdeath Posted October 2, 2011
Thanks LCF-AT for the quick and informative response. I will try everything mentioned.
thisistest (Author) Posted December 15, 2011
vprotect 2.1.0.0
Attachment: vprotectdemo 2.1.0.0.rar