Tuts 4 You

Posted

I'm dealing with an app which is protected with VMProtect 2.x (checked by DIE).

I checked some Windows APIs like:

  • CheckRemoteDebuggerPresent ()
  • IsDebuggerPresent ()
  • ...

and used some OllyDbg plugins like:

  • Olly Advanced
  • Hide Debugger
  • StrongOD

But it still gets this error:

[screenshot: debugger-detect.PNG]

 

Here is my log data:log-MyApp.txt

What should I do to get past this error and open the app in a debugger?

Posted (edited)

@CodeExplorer

Thanks, but it didn't help me and I still have the debugger detection problem!

Do you know any other solution? :(

Edited by mojtaba
HostageOfCode
Posted

If it's 64-bit try SharpOD; if 32-bit, TitanHide or ScyllaHide, but TitanHide hooks all the kernel checks.

  • 3 weeks later...
Posted (edited)
  On 12/25/2019 at 9:47 AM, HostageOfCode said:

If it's 64-bit try SharpOD; if 32-bit, TitanHide or ScyllaHide, but TitanHide hooks all the kernel checks.

hello 

I tried it, but I don't know if I used it in the right way or not?! Do I have to attach the app to the debugger and then find the app's PID (I used this:

tasklist

in cmd) and insert the PID into the GUI and select the methods and hit the 'Hide' button?

[screenshot: Capture.PNG]

But it still detects the debugger!!! :((

 

I tested the TitanHide test file and it works correctly. When I hid it, all of the flags turned to 0.

But it still doesn't work on my app!

Edited by mojtaba
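As an added example (not code from the thread, nor from TitanHide or ScyllaHide), here is a PowerShell probe that runs the user-mode checks listed in the first post (CheckRemoteDebuggerPresent, the PEB.BeingDebugged byte that IsDebuggerPresent reads) plus the NtQueryInformationProcess classes that hide plugins patch, against a target by PID, i.e. the step after `tasklist` above. It assumes a Windows host with PowerShell 5 or later, a target process named MyApp (taken from the log file name above; substitute yours), that the target is already running under the debugger and has been "hidden", and that this shell can open it for query and memory read. Every property that comes back $true is a check that still sees the debugger.

```powershell
# Added example, not from the thread. External probe of the user-mode anti-debug
# checks discussed above, by PID. Assumes Windows, PowerShell 5+, and that the
# target can be opened with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ.
if (-not ('DbgProbe' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

[StructLayout(LayoutKind.Sequential)]
public struct PBI {            // PROCESS_BASIC_INFORMATION; IntPtr fields keep the x86/x64 layout right
    public IntPtr ExitStatus;
    public IntPtr PebBaseAddress;
    public IntPtr AffinityMask;
    public IntPtr BasePriority;
    public IntPtr UniqueProcessId;
    public IntPtr InheritedFromUniqueProcessId;
}

public static class DbgProbe {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CheckRemoteDebuggerPresent(IntPtr h, ref bool present);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, IntPtr size, ref IntPtr read);
    // Three entry points for the same native function, so PowerShell never has to
    // resolve overloads on [ref] arguments.
    [DllImport("ntdll.dll", EntryPoint = "NtQueryInformationProcess")]
    public static extern int QueryBasic(IntPtr h, int cls, ref PBI info, int len, ref int ret);
    [DllImport("ntdll.dll", EntryPoint = "NtQueryInformationProcess")]
    public static extern int QueryPtr(IntPtr h, int cls, ref IntPtr info, int len, ref int ret);
    [DllImport("ntdll.dll", EntryPoint = "NtQueryInformationProcess")]
    public static extern int QueryUInt(IntPtr h, int cls, ref uint info, int len, ref int ret);
}
'@
}

function Test-DebuggerVisible {
    <# Returns one object whose properties are $true wherever a check would still
       reveal the debugger. All $false means the hide worked for these checks. #>
    param([Parameter(Mandatory)][int]$ProcessId)

    $h = [DbgProbe]::OpenProcess(0x0410, $false, [uint32]$ProcessId)   # QUERY_INFORMATION | VM_READ
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $r = [ordered]@{ ProcessId = $ProcessId }
        $ret = 0

        # CheckRemoteDebuggerPresent: kernel32 wrapper around ProcessDebugPort
        $present = $false
        [void][DbgProbe]::CheckRemoteDebuggerPresent($h, [ref]$present)
        $r.CheckRemoteDebuggerPresent = $present

        # PEB.BeingDebugged (offset 2 in both the x86 and x64 PEB): what IsDebuggerPresent reads
        $pbi = New-Object PBI
        $status = [DbgProbe]::QueryBasic($h, 0, [ref]$pbi, [Runtime.InteropServices.Marshal]::SizeOf($pbi), [ref]$ret)
        $buf = New-Object byte[] 1
        $read = [IntPtr]::Zero
        $ok = ($status -eq 0) -and [DbgProbe]::ReadProcessMemory($h, [IntPtr]($pbi.PebBaseAddress.ToInt64() + 2), $buf, [IntPtr]1, [ref]$read)
        $r.PEB_BeingDebugged = $ok -and ($buf[0] -ne 0)

        # ProcessDebugPort (7): non-zero while a debug port is attached
        $port = [IntPtr]::Zero
        $status = [DbgProbe]::QueryPtr($h, 7, [ref]$port, [IntPtr]::Size, [ref]$ret)
        $r.ProcessDebugPort = ($status -eq 0) -and ($port -ne [IntPtr]::Zero)

        # ProcessDebugObjectHandle (30): STATUS_PORT_NOT_SET (0xC0000353) when no debugger
        $obj = [IntPtr]::Zero
        $status = [DbgProbe]::QueryPtr($h, 30, [ref]$obj, [IntPtr]::Size, [ref]$ret)
        $r.ProcessDebugObjectHandle = ($status -eq 0) -and ($obj -ne [IntPtr]::Zero)
        if ($r.ProcessDebugObjectHandle) { [void][DbgProbe]::CloseHandle($obj) }  # the query hands us a real handle

        # ProcessDebugFlags (31): the kernel returns 0 while the process is being debugged
        $flags = [uint32]1
        $status = [DbgProbe]::QueryUInt($h, 31, [ref]$flags, 4, [ref]$ret)
        $r.ProcessDebugFlags = ($status -eq 0) -and ($flags -eq 0)

        [pscustomobject]$r
    }
    finally { [void][DbgProbe]::CloseHandle($h) }
}

# Usage: the thread's tasklist step, by name. "MyApp" is an assumed process name.
Get-Process -Name MyApp -ErrorAction Stop | ForEach-Object { Test-DebuggerVisible -ProcessId $_.Id } | Format-List
```

For a 32-bit target, run this from the 32-bit PowerShell (SysWOW64) so the PEB you read is the one the target's own IsDebuggerPresent reads; from a 64-bit host the ProcessBasicInformation query returns the native 64-bit PEB of a WOW64 process. NtGlobalFlag and heap-flag checks are left out because their offsets differ per bitness, and none of this covers kernel-side or timing checks, which is why a hide that passes every line here can still be caught by a VMP build.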
  • 4 years later...
Posted
  On 1/16/2020 at 4:57 AM, mojtaba said:

I tried it, but I don't know if I used it in the right way or not?! [...] But it still detects the debugger!!! [...] But it still doesn't work on my app!

Same here, doesn't work either.

Regards.

sean.

Posted

Just good old professional-grade OllyDbg v2 + ScyllaHide, no dangerous driver-based Titan hiders.

Before

[screenshot: before]

 

After

[screenshot: after]

 

Scylla Hide plugin:

[screenshot: ScyllaHide plugin options]

Posted
  On 3/19/2024 at 9:10 AM, jackyjask said:

Just good old professional-grade OllyDbg v2 + ScyllaHide, no dangerous driver-based Titan hiders. [...]

Just works for 2.x versions.

Regards.

sean.

Posted

I don't have any VMP-ed sample for 2.x versions.

Do you?

Posted
  On 3/19/2024 at 11:39 AM, jackyjask said:

I don't have any VMP-ed sample for 2.x versions.

Do you?

@jackyjask Oh, it was 1.7x. It will be bypassed nicely without TitanHide. However, higher versions will not be bypassed even if using TitanHide.

Regards.

sean.

Posted

@windowbase Don't use TitanHide on your main system.

Posted
  On 3/19/2024 at 1:46 PM, X0rby said:

@windowbase Don't use TitanHide on your main system.

Why @X0rby?

Regards.

sean.

Posted
  On 3/19/2024 at 1:50 PM, windowbase said:

Why @X0rby?

Even if you do everything correctly it can crash your system and give you a blue screen. Not only that, but as I already told you in the past, you MUST create a VM dedicated only to RCE, not your main everyday system.

InvizCustos
Posted
  On 3/19/2024 at 1:03 PM, windowbase said:

higher versions of them will not be bypassed even if using TitanHide

Really?)

[spoiler content omitted]

 

Posted
  On 3/19/2024 at 2:09 PM, InvizCustos said:

Really?)

@InvizCustos Try this. 

Regards.

sean.

 

InvizCustos
Posted
  On 3/19/2024 at 4:04 PM, windowbase said:

Try this.

Bandicam? They use additional custom detection methods that have nothing to do with VMProtect.

If you try to debug the application without TitanHide, you will get the expected message from VMP that the debugger has been detected.

If you use TitanHide, you will get a custom initialization error message from Bandicam.

Posted
  On 3/19/2024 at 4:04 PM, windowbase said:

@InvizCustos Try this.

Just load the TitanHide driver; you can build it yourself and enable testing mode to try it out. In the video, I added some signatures to the driver and did not enable testing mode.

I had already provided a driver with signatures.

https://forum.tuts4you.com/topic/38747-driver-doesnt-want-to-start/?do=findComment&comment=216368

 

Posted (edited)
  On 3/19/2024 at 5:09 PM, X0rby said:

My x64dbg can debug it successfully without using the TitanHide GUI...

@X0rby You can't debug it. Try to pause and run it again.

Regards.

sean.

Edited by windowbase
adding words.
Posted
  On 3/20/2024 at 3:51 AM, windowbase said:

@X0rby You can't debug it. Try to pause and run it again.

Really Sean? challenging me to bypass anti-debug?

Of course, I can do it - no doubt. 

Posted
  On 3/20/2024 at 4:30 AM, X0rby said:

Really Sean? challenging me to bypass anti-debug?

Of course, I can do it - no doubt.

@X0rby Without using TitanHide, is it possible to debug?

Regards.

sean.

Posted (edited)
  On 3/20/2024 at 4:37 AM, windowbase said:

@X0rby Without using TitanHide, is it possible to debug?

Everything is possible. If you can't do it now you can still use this solution, and then you can bypass it manually or make a plugin to do it automatically.

Edited by X0rby
Posted
  On 3/20/2024 at 4:37 AM, windowbase said:

@X0rby Without using TitanHide, is it possible to debug?

Sean, ScyllaHide is enough for this target. When you have a problem, reset the kernel timer, download Scylla again or disable kernel debugging from Windows.

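Two of the suggestions in this thread, X0rby's "enable testing mode" for a self-built TitanHide driver and azufo's "disable kernel debugging from Windows", are boot-configuration settings rather than plugin options. As an added example (not code from the thread or from either tool), this PowerShell reads the two relevant elements out of `bcdedit /enum {current}` and shows the commands that change them. It assumes English bcdedit output and an elevated prompt for the live query; the sample output is constructed.

```powershell
# Added example, not from the thread. Parses the boot entry for the two
# settings behind the advice above: "debug" (kernel debugging) and
# "testsigning" (what lets an unsigned, self-built driver such as TitanHide load).
function ConvertFrom-BcdeditOutput {
    # A missing element means the default (off). English output is assumed; a
    # localized Windows prints Yes/No in its own language.
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = [ordered]@{ KernelDebug = $false; TestSigning = $false }
    foreach ($line in $Lines) {
        if ($line -match '^\s*(debug|testsigning)\s+(Yes|No)\s*$') {
            $on = ($Matches[2] -eq 'Yes')
            if ($Matches[1] -eq 'debug') { $state.KernelDebug = $on } else { $state.TestSigning = $on }
        }
    }
    [pscustomobject]$state
}

function Get-BootDebugState {
    # Live query of the current boot entry (needs an elevated prompt).
    # The braces must be quoted or PowerShell treats {current} as a script block.
    ConvertFrom-BcdeditOutput -Lines (& bcdedit /enum '{current}' 2>&1 | ForEach-Object { "$_" })
}

# Constructed sample, shaped like real bcdedit output, so the parser can be
# exercised without admin rights.
$sample = @'
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 10
testsigning             Yes
debug                   Yes
'@ -split "`r?`n"
ConvertFrom-BcdeditOutput -Lines $sample

# Acting on the result (reboot after either change):
#   KernelDebug = True    -> bcdedit /debug off              (azufo's "disable kernel debugging")
#   TestSigning = False   -> bcdedit /set testsigning on     (needed before an unsigned TitanHide build will load)
```

Leaving kernel debugging enabled is not only a hiding problem: the flag it sets is readable from user mode (NtQuerySystemInformation with SystemKernelDebuggerInformation), so protected code can notice it even when no kernel debugger is attached. Turn it off unless you are actually using one.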
Posted (edited)
  On 3/20/2024 at 1:03 PM, azufo said:

Sean, ScyllaHide is enough for this target. When you have a problem, reset the kernel timer, download Scylla again or disable kernel debugging from Windows.

@azufo Can you show me a screenshot of the ScyllaHide checked options?

Regards.

sean.

Edited by windowbase
editing some words.