mojtaba, posted December 17, 2019
I'm dealing with an app which is protected with VMProtect 2.x (checked by DIE). I checked some Windows APIs like CheckRemoteDebuggerPresent(), IsDebuggerPresent(), ... and used some OllyDbg plugins like Olly Advanced, Hide Debugger, StrongOD, but it still gets this error: Here is my log data: log-MyApp.txt. What should I do to pass this error and open the app in the debugger?

CodeExplorer, posted December 17, 2019
Did you try this Olly modification: https://forum.tuts4you.com/files/file/479-ollydbg-110-special-for-guru-lcf-ats-vmprotect-api-turbo-tracer-11-script/

mojtaba, posted December 25, 2019
@CodeExplorer thanks, but it didn't help me and I still have the debugger detection problem! Do you know any other solution?

HostageOfCode, posted December 25, 2019
If it's 64-bit try SharpOD; if 32-bit, TitanHide or ScyllaHide, but TitanHide hooks all the kernel checks.

mojtaba, posted January 16, 2020
On 12/25/2019 at 1:17 PM, HostageOfCode said: "If it's 64-bit try SharpOD; if 32-bit, TitanHide or ScyllaHide, but TitanHide hooks all the kernel checks."
Hello. I tried it, but I don't know if I used it in the right way or not. Do I have to attach the app to the debugger, then find the app's PID (I used `tasklist` in cmd), insert the PID into the GUI, select the methods and hit the 'Hide' button? But it still detects the debugger! :(( I tested the TitanHide test file and it works correctly: when I hid it, all of the flags turned 0. But it still doesn't work on my app!
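The "TitanHide test file" mentioned above is the right idea: run the same user-mode checks a protector runs, in-process, under the debugger with the hide plugin active, and see which one still fires. The following is an added example written for this thread, not code from the thread, from VMProtect, ScyllaHide or TitanHide. Assumptions: the information-class numbers (ProcessDebugPort = 7, ProcessDebugObjectHandle = 30, ProcessDebugFlags = 31), the NTSTATUS value for STATUS_PORT_NOT_SET and the PEB.NtGlobalFlag offsets (0xBC on x64, 0x68 on x86) are taken from the public NT headers; the rdtsc threshold is a value chosen for this example. The Windows checks compile only on _WIN32; on other platforms only the timing check remains so the harness still builds.

```c
/* antidbg_probe.c - added example, not from the thread, VMProtect, ScyllaHide or TitanHide.
 * Run under the debugger with the hide plugin enabled: every row should read 0.
 * A row reading DETECTED names the check the plugin does not cover.
 * Build: cl antidbg_probe.c   or   gcc -O1 antidbg_probe.c -o antidbg_probe.exe */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define RDTSC_THRESHOLD 0x20000000ULL   /* example value: far above an undisturbed run */

#if defined(__x86_64__) || defined(_M_X64) || defined(__i386__) || defined(_M_IX86)
#  ifdef _MSC_VER
#    include <intrin.h>
#  else
#    include <x86intrin.h>
#  endif
#  define PROBE_X86 1
#endif

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#define PROBE_ProcessDebugPort         7    /* values from the public NT headers */
#define PROBE_ProcessDebugObjectHandle 30
#define PROBE_ProcessDebugFlags        31
#define PROBE_STATUS_PORT_NOT_SET      ((LONG)0xC0000353L)
typedef LONG (NTAPI *NtQIP_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);

/* Resolve through the ntdll export so a user-mode hook (ScyllaHide) is what gets exercised. */
static NtQIP_t ntqip(void) {
    HMODULE h = GetModuleHandleA("ntdll.dll");
    return h ? (NtQIP_t)(void *)GetProcAddress(h, "NtQueryInformationProcess") : NULL;
}
static int check_is_debugger_present(void) { return IsDebuggerPresent() ? 1 : 0; }
static int check_remote_debugger_present(void) {
    BOOL present = FALSE;
    return CheckRemoteDebuggerPresent(GetCurrentProcess(), &present) ? (present ? 1 : 0) : -1;
}
static int check_debug_port(void) {            /* non-zero port => debugger attached */
    NtQIP_t fn = ntqip(); ULONG_PTR port = 0; ULONG len = 0;
    if (!fn || fn(GetCurrentProcess(), PROBE_ProcessDebugPort, &port, sizeof port, &len) != 0) return -1;
    return port != 0;
}
static int check_debug_object_handle(void) {   /* STATUS_SUCCESS plus a handle => debug object exists */
    NtQIP_t fn = ntqip(); HANDLE dbg = NULL; ULONG len = 0; LONG st;
    if (!fn) return -1;
    st = fn(GetCurrentProcess(), PROBE_ProcessDebugObjectHandle, &dbg, sizeof dbg, &len);
    if (st == 0 && dbg) { CloseHandle(dbg); return 1; }
    return st == PROBE_STATUS_PORT_NOT_SET ? 0 : -1;
}
static int check_debug_flags(void) {           /* NoDebugInherit cleared (flags == 0) => debugged */
    NtQIP_t fn = ntqip(); ULONG flags = 1; ULONG len = 0;
    if (!fn || fn(GetCurrentProcess(), PROBE_ProcessDebugFlags, &flags, sizeof flags, &len) != 0) return -1;
    return flags == 0;
}
static int check_peb(void) {   /* BeingDebugged; NtGlobalFlag heap bits are set only when *started* under a debugger */
    PPEB peb = NtCurrentTeb()->ProcessEnvironmentBlock;
#ifdef _WIN64
    ULONG ntglobal = *(ULONG *)((BYTE *)peb + 0xBC);
#else
    ULONG ntglobal = *(ULONG *)((BYTE *)peb + 0x68);
#endif
    return (peb->BeingDebugged || (ntglobal & 0x70)) ? 1 : 0;
}
#ifdef PROBE_X86
static int check_hw_breakpoints(void) {        /* any of DR0-DR3 set on this thread => hardware breakpoint */
    CONTEXT ctx; memset(&ctx, 0, sizeof ctx);
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    if (!GetThreadContext(GetCurrentThread(), &ctx)) return -1;
    return (ctx.Dr0 | ctx.Dr1 | ctx.Dr2 | ctx.Dr3) ? 1 : 0;
}
#endif
#endif /* _WIN32 */

#ifdef PROBE_X86
static int check_rdtsc_delta(void) {           /* stepping or a breakpoint inside the loop inflates the delta */
    volatile uint32_t sink = 0; uint64_t t0, t1; int i;
    t0 = __rdtsc();
    for (i = 0; i < 64; i++) sink += (uint32_t)i;
    t1 = __rdtsc();
    return (t1 - t0) > RDTSC_THRESHOLD ? 1 : 0;
}
#else
static int check_rdtsc_delta(void) { return -1; }   /* no TSC on this architecture */
#endif

typedef struct { const char *name; int (*fn)(void); } probe_t;
static const probe_t probes[] = {
#ifdef _WIN32
    { "IsDebuggerPresent",                                   check_is_debugger_present },
    { "CheckRemoteDebuggerPresent",                          check_remote_debugger_present },
    { "NtQueryInformationProcess(ProcessDebugPort)",         check_debug_port },
    { "NtQueryInformationProcess(ProcessDebugObjectHandle)", check_debug_object_handle },
    { "NtQueryInformationProcess(ProcessDebugFlags)",        check_debug_flags },
    { "PEB.BeingDebugged / NtGlobalFlag",                    check_peb },
#ifdef PROBE_X86
    { "GetThreadContext DR0-DR3",                            check_hw_breakpoints },
#endif
#endif
    { "rdtsc delta",                                         check_rdtsc_delta },
};

int probe_count(void) { return (int)(sizeof probes / sizeof probes[0]); }

/* Runs every probe, prints one row each, returns how many reported a debugger. */
int run_probes(void) {
    int i, detected = 0;
    for (i = 0; i < probe_count(); i++) {
        int r = probes[i].fn();
        printf("%-54s %s\n", probes[i].name, r < 0 ? "n/a" : (r ? "DETECTED" : "0"));
        detected += (r == 1);
    }
    return detected;
}

int main(void) { return run_probes() ? 1 : 0; }
```

Two caveats when reading the output. ScyllaHide works by patching ntdll inside the debuggee, so a check that reaches the kernel through its own syscall stub rather than the ntdll export still sees the real answer, while a kernel driver such as TitanHide covers both paths; if every row above reads 0 under ScyllaHide and the target still complains, that route is the first suspect. And a target that bolts its own detection on top of the protector (the Bandicam case later in this thread) will fail in ways none of these rows show, so a clean run here only clears the generic checks.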
HostageOfCode, posted January 16, 2020

Sean Park - Lovejoy, posted March 19
On 1/16/2020 at 1:57 PM, mojtaba said: "Hello. I tried it, but I don't know if I used it in the right way or not. Do I have to attach the app to the debugger, then find the app's PID (I used `tasklist` in cmd), insert the PID into the GUI, select the methods and hit the 'Hide' button? But it still detects the debugger! :(( I tested the TitanHide test file and it works correctly: when I hid it, all of the flags turned 0. But it still doesn't work on my app!"
Same here, doesn't work either. Regards, sean.

jackyjask, posted March 19
Just good old professional-grade OllyDbg v2 + ScyllaHide, no dangerous driver-based Titan hiders. Before / After ScyllaHide plugin:

Sean Park - Lovejoy, posted March 19
6 minutes ago, jackyjask said: "Just good old professional-grade OllyDbg v2 + ScyllaHide, no dangerous driver-based Titan hiders. Before / After ScyllaHide plugin:"
Just works for 2.x versions. Regards, sean.

jackyjask, posted March 19
I don't have any VMP-ed sample for 2.x version, do you?

Sean Park - Lovejoy, posted March 19
1 hour ago, jackyjask said: "I don't have any VMP-ed sample for 2.x version, do you?"
@jackyjask oh, it was 1.7x. It will be bypassed nicely without TitanHide; however, higher versions of them will not be bypassed even if using TitanHide. Regards, sean.

X0rby, posted March 19
@windowbase don't use TitanHide on your main system.

Sean Park - Lovejoy, posted March 19
3 minutes ago, X0rby said: "@windowbase don't use TitanHide on your main system."
Why @X0rby? Regards, sean.

X0rby, posted March 19
1 minute ago, windowbase said: "Why @X0rby? Regards, sean."
Even if you do everything correctly it can crash your system and give you a blue screen; not only that, but as I already told you in the past, you MUST create a VM dedicated only to RCE, not your main everyday system.

InvizCustos, posted March 19
1 hour ago, windowbase said: "higher versions of them will not be bypassed even if using TitanHide"
Really?)

Sean Park - Lovejoy, posted March 19
1 hour ago, InvizCustos said: "Really?)"
@InvizCustos Try this. Regards, sean.

InvizCustos, posted March 19
37 minutes ago, windowbase said: "Try this."
Bandicam? They use additional custom detection methods that have nothing to do with VMProtect. If you try to debug the application without TitanHide, you will get the expected message from VMP that the debugger has been detected. If you use TitanHide, you will get a custom initialization error message from Bandicam.

X0rby, posted March 19
My x64dbg can debug it successfully without using the TitanHide GUI...
1 hour ago, windowbase said: "Try this."
(attachment: bandicam.mp4)

boot, posted March 19
3 hours ago, windowbase said: "@InvizCustos Try this. Regards, sean."
Just load the TitanHide driver; you can build it yourself and enable testing mode to try it out. In the video, I added some signatures to the driver and did not enable testing mode. (attachment: Video_2024-03-20_030824.mp4) I had already provided a driver with signatures: https://forum.tuts4you.com/topic/38747-driver-doesnt-want-to-start/?do=findComment&comment=216368

Sean Park - Lovejoy, posted March 20
10 hours ago, X0rby said: "My x64dbg can debug it successfully without using the TitanHide GUI... (attachment: bandicam.mp4)"
@X0rby you can't debug it. Try to pause and run it again. Regards, sean.

X0rby, posted March 20
32 minutes ago, windowbase said: "@X0rby you can't debug it. Try to pause and run it again."
Really Sean? Challenging me to bypass anti-debug? Of course I can do it, no doubt. (attachment: Really!.mp4)

Sean Park - Lovejoy, posted March 20
6 minutes ago, X0rby said: "Really Sean? Challenging me to bypass anti-debug? Of course I can do it, no doubt. (attachment: Really!.mp4)"
@X0rby without using TitanHide, is it possible to debug? Regards, sean.

X0rby, posted March 20
6 minutes ago, windowbase said: "@X0rby without using TitanHide, is it possible to debug?"
Everything is possible. If you can't do it now, you can still use this solution and then you can bypass it manually or make a plugin to do it automatically.

azufo, posted March 20
8 hours ago, windowbase said: "@X0rby without using TitanHide, is it possible to debug? Regards, sean."
Sean, ScyllaHide is enough for this target. When you have a problem, reset the kernel timer, download Scylla again or disable kernel debugging from Windows.

Sean Park - Lovejoy, posted March 20
1 hour ago, azufo said: "Sean, ScyllaHide is enough for this target. When you have a problem, reset the kernel timer, download Scylla again or disable kernel debugging from Windows."
@azufo Can you show me a screenshot of the ScyllaHide checked options? Regards, sean.