Jump to content
Tuts 4 You

Debugger Detected


Beast_Hunter

Recommended Posts

How To Fix Debugger Detected In x64dbg Picture

ProtectionID  Scan

Spoiler

-=[ ProtectionID v0.6.7.0 OCTOBER]=-
(c) 2003-2015 CDKiLLER & TippeX
Build 31/10/15-14:35:10
Ready...
Scanning -> C:\Users\Dell\Desktop\VNHAX_PUBGM.exe
File Type : 32-Bit Exe (Subsystem : Win CUI / 3), Size : 531968 (081E00h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x5C42DE39 -> Sat 19th Jan 2019 08:22:17 (GMT)
[TimeStamp] 0x5C42DE39 -> Sat 19th Jan 2019 08:22:17 (GMT) | PE Header | - | Offset: 0x00000118 | VA: 0x00400118 | -
[TimeStamp] 0x5C42DE39 -> Sat 19th Jan 2019 08:22:17 (GMT) | DebugDirectory | - | Offset: 0x0002FA14 | VA: 0x00430614 | -
[TimeStamp] 0x5C42DE39 -> Sat 19th Jan 2019 08:22:17 (GMT) | DebugDirectory | - | Offset: 0x0002FA30 | VA: 0x00430630 | -
[!] Executable uses SEH Tables (/SAFESEH) (43 calculated 38 recorded... 3 invalid addresses) 
[!]    * table may be compressed / encrypted *
[File Heuristics] -> Flag #1 : 00000100000001001001000000000000 (0x04049000)
[Entrypoint Section Entropy] : 6.67 (section #0) ".text   " | Size : 0x21EBC (138940) byte(s)
[DllCharacteristics] -> Flag : (0x8140) -> ASLR | DEP | TSA
[SectionCount] 5 (0x5) | ImageSize 0x85000 (544768) byte(s)
[Debug Info] (record 1 of 2) (file offset 0x2FA10)
Characteristics : 0x0 | TimeDateStamp : 0x5C42DE39 (Sat 19th Jan 2019 08:22:17 (GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 13 (0xD) -> Undocumented | Size : 0x314 (788) 
AddressOfRawData : 0x31168 | PointerToRawData : 0x30568
[Debug Info] (record 2 of 2) (file offset 0x2FA2C)
Characteristics : 0x0 | TimeDateStamp : 0x5C42DE39 (Sat 19th Jan 2019 08:22:17 (GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 14 (0xE) -> Undocumented | Size : 0x0 (0) 
AddressOfRawData : 0x0 | PointerToRawData : 0x0
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 9.204 Second(s) [000002644h (9796) tick(s)] [503 of 577 scan(s) done]
 

 

Edited by Beast_Hunter
  • Thanks 1
Link to comment

Depends on what Software/Protection detected it. Use protectionID to scan the binary and find it's protection. You should probably put a little more effort into your posts.

  • Like 1
Link to comment

you can use RDG Packer Detector , this scanner can give you some extra informations , especially if there was an anti-Debugging technique 

for example : IsDebuggerPresent 

once you comfirm the software uses an api callled IsDebuggerPresent you can easily bypass it !

Link to comment
On 1/19/2019 at 1:22 PM, deepzero said:

Depends on what Software/Protection detected it. Use protectionID to scan the binary and find it's protection. You should probably put a little more effort into your posts.

thanks bro and thanks alot for advice i am new here nice meeting you.

Link to comment
23 hours ago, Rever7eR said:

you can use RDG Packer Detector , this scanner can give you some extra informations , especially if there was an anti-Debugging technique 

for example : IsDebuggerPresent 

once you comfirm the software uses an api callled IsDebuggerPresent you can easily bypass it !

i found the api isdebuggerpresent and what should can i do?

Link to comment
4 hours ago, Beast_Hunter said:

i found the api isdebuggerpresent and what should can i do?

i don't know what you're trying to do , and am not good at unpacking put i know one thing 

if you want to bypass IsDebuggerPresent you can load the software to the debugger and go to EBX register => follow in dump and change the value from 1 to 0 

or you can simply use a plugin to do this job :) 

someone correct me if am wrong 

Edited by Rever7eR
Link to comment
On 1/19/2019 at 7:57 AM, Beast_Hunter said:

Scanning -> C:\Users\Dell\Desktop\VNHAX_PUBGM.exe

According to similar soft, the used protection is VMProtect...

Link to comment
12 hours ago, Insid3Code said:

According to similar soft, the used protection is VMProtect...

 

14 hours ago, deepzero said:

Do you have ScyllaHide installed? https://github.com/x64dbg/ScyllaHide

If yes, what's the configuration?

Did you scan the software to identify the protection?

 

15 hours ago, Rever7eR said:

i don't know what you're trying to do , and am not good at unpacking put i know one thing 

if you want to bypass IsDebuggerPresent you can load the software to the debugger and go to EBX register => follow in dump and change the value from 1 to 0 

or you can simply use a plugin to do this job :) 

someone correct me if am wrong 

 

On 1/19/2019 at 5:09 PM, Mad Max said:

VMProtect.:^

Every One Thanks Alot Now its Ruining In x69dbg. i am really thankfull to you will for helping me out.

Link to comment
  • 2 weeks later...
On 1/21/2019 at 10:48 AM, Beast_Hunter said:

Every One Thanks Alot Now its Ruining In x69dbg. i am really thankfull to you will for helping me out.

3

Are you going to share how you did it so we all benefit?

Link to comment
  • 2 weeks later...

thanks bro 

1 hour ago, i51121 said:

this is VMProtect , you can try sharpodx64 (https://forum.tuts4you.com/topic/39806-sharpod-x64-a_antidebug-plugin-support-for-x64dbg/) ,  ScyllaHide is no effect 

 

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...