Jump to content
Tuts 4 You

Pass Debugger Check in VMprotect 2.x

mojtaba

By mojtaba
in Malware Reverse Engineering

 Share

Recommended Posts

mojtaba

mojtaba

Posted
Posted

I'm dealing with an app which is protected whit VMProtect 2.x (Checked by DIE).

i checked some windows api like :

  • CheckRemoteDebuggerPresent ()
  • IsDebuggerPresent ()
  • ...

and use some ollydbg plugins like:

  • Olly Advanced
  • Hide Debugger
  • StrongOD

But it still get this error:

debugger-detect.PNG.02e4e72b1e07ed9cc07c768b22f9e965.PNG

 

Here is my log data:log-MyApp.txt

what should i do to pass this error and open the app by debugger?

Link to comment
Share on other sites
  • 3 weeks later...
mojtaba

mojtaba

Posted
  • Author
Posted (edited)
On 12/25/2019 at 1:17 PM, HostageOfCode said:

If it's 64bit try sharpod if 32bit titanhide or scylla hide but titanhide hooks all the kernel checks.

hello 

I tried it, but i dont know if i used it in right way or not?! do i have to attach the app to debugger and then find the app's PID (i used this : 

tasklist

in cmd ) and insert the PID into the gui and select the methods and hit the 'Hide' button.

Capture.PNG.d5ad517f65d8a61c03e1314446721ff6.PNG

but it still detect the debugger !!! :((

 

I tested the TitanHide test file and it works correctly. when i hided it, all of the flags turns 0.

but still it does'nt works on my app!

Edited by mojtaba
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...