Jump to content
Tuts 4 You
Sign in to follow this  
mojtaba

Pass Debugger Check in VMprotect 2.x

Recommended Posts

mojtaba

I'm dealing with an app which is protected whit VMProtect 2.x (Checked by DIE).

i checked some windows api like :

  • CheckRemoteDebuggerPresent ()
  • IsDebuggerPresent ()
  • ...

and use some ollydbg plugins like:

  • Olly Advanced
  • Hide Debugger
  • StrongOD

But it still get this error:

debugger-detect.PNG.02e4e72b1e07ed9cc07c768b22f9e965.PNG

 

Here is my log data:log-MyApp.txt

what should i do to pass this error and open the app by debugger?

Share this post


Link to post
mojtaba

@CodeExplorer

thanks, But it didn't help me and  i still have the debugger detection problem!

do you know any other solution? :(

Edited by mojtaba (see edit history)

Share this post


Link to post
HostageOfCode

If it's 64bit try sharpod if 32bit titanhide or scylla hide but titanhide hooks all the kernel checks.

  • Like 1

Share this post


Link to post
mojtaba
On 12/25/2019 at 1:17 PM, HostageOfCode said:

If it's 64bit try sharpod if 32bit titanhide or scylla hide but titanhide hooks all the kernel checks.

hello 

I tried it, but i dont know if i used it in right way or not?! do i have to attach the app to debugger and then find the app's PID (i used this :

tasklist

in cmd ) and insert the PID into the gui and select the methods and hit the 'Hide' button.

Capture.PNG.d5ad517f65d8a61c03e1314446721ff6.PNG

but it still detect the debugger !!! :((

 

I tested the TitanHide test file and it works correctly. when i hided it, all of the flags turns 0.

but still it does'nt works on my app!

Edited by mojtaba (see edit history)

Share this post


Link to post
HostageOfCode

sharpod.jpg

  • Like 1

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
×
×
  • Create New...