Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   OllyDbg - invisible process (https://forum.exetools.com/showthread.php?t=14827)

daujones 02-22-2013 18:18

OllyDbg - invisible process
 
Hello Folks,

Sorry for asking a probably noob question.

I am trying to debug an installer, but OllyDbg crashes when starting it from inside OllyDbg.

So I tried to attach to the running process, but it's not in my list of processes to attach to. It seems invisible.

Can you help me?

[hepL3r] 02-22-2013 22:57

What's the install maker?
Scan it with ProtectionID and put the output here.
And for hiding between processes, maybe it's using SSDT hooks to hide itself, so take a look at SSDT hooks. Have you tried to load it in Olly with StrongOD and Phantom?
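The reply above points at SSDT hooks as the usual reason a process is missing from a debugger's attach list. The standard defensive check for that symptom is cross-view enumeration: list processes through two independent Windows APIs and compare, since a hook that filters one API's results rarely filters all of them. The script below is an added example, not code from the thread or from any of the tools named in it. It assumes Windows for the two collectors (Toolhelp32 via kernel32 and psapi!EnumProcesses, both called through ctypes); the comparison logic itself is plain Python and runs anywhere, which is how the constructed sample in the test exercises it.

```python
"""Cross-view process enumeration: flag PIDs that one API reports and another omits.

Added example (not from the forum thread). Collectors need Windows;
compare_views/persistent_discrepancies are platform independent.
"""
import ctypes
import sys

TH32CS_SNAPPROCESS = 0x00000002
MAX_PATH = 260


class PROCESSENTRY32(ctypes.Structure):
    # ANSI PROCESSENTRY32 from tlhelp32.h, spelled with plain ctypes types so the
    # module imports cleanly on non-Windows hosts too.
    _fields_ = [
        ("dwSize", ctypes.c_uint32),
        ("cntUsage", ctypes.c_uint32),
        ("th32ProcessID", ctypes.c_uint32),
        ("th32DefaultHeapID", ctypes.c_size_t),     # ULONG_PTR
        ("th32ModuleID", ctypes.c_uint32),
        ("cntThreads", ctypes.c_uint32),
        ("th32ParentProcessID", ctypes.c_uint32),
        ("pcPriClassBase", ctypes.c_int32),
        ("dwFlags", ctypes.c_uint32),
        ("szExeFile", ctypes.c_char * MAX_PATH),
    ]


def processes_via_toolhelp():
    """Return {pid: exe_name} from CreateToolhelp32Snapshot (Windows only)."""
    k32 = ctypes.windll.kernel32
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    k32.Process32First.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32)]
    k32.Process32Next.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    result = {}
    entry = PROCESSENTRY32()
    entry.dwSize = ctypes.sizeof(entry)
    if k32.Process32First(snap, ctypes.byref(entry)):
        while True:
            result[entry.th32ProcessID] = entry.szExeFile.decode("mbcs", "replace")
            if not k32.Process32Next(snap, ctypes.byref(entry)):
                break
    k32.CloseHandle(snap)
    return result


def pids_via_enumprocesses():
    """Return the set of PIDs reported by psapi!EnumProcesses (Windows only)."""
    psapi = ctypes.windll.psapi
    buf = (ctypes.c_uint32 * 8192)()
    needed = ctypes.c_uint32(0)
    if not psapi.EnumProcesses(buf, ctypes.sizeof(buf), ctypes.byref(needed)):
        raise OSError("EnumProcesses failed")
    count = needed.value // ctypes.sizeof(ctypes.c_uint32)
    return set(buf[:count])


def compare_views(view_a, view_b):
    """PIDs present in exactly one of two enumerations (dicts or sets of PIDs).

    A PID that one API lists and the other omits deserves a closer look.
    Processes that start or exit between the two calls also land here, which is
    why persistent_discrepancies() repeats the comparison.
    """
    a, b = set(view_a), set(view_b)
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a)}


def persistent_discrepancies(collect_a, collect_b, rounds=3):
    """Run both collectors `rounds` times; keep only PIDs that differ every time."""
    hits_a = hits_b = None
    for _ in range(rounds):
        diff = compare_views(collect_a(), collect_b())
        only_a, only_b = set(diff["only_in_a"]), set(diff["only_in_b"])
        hits_a = only_a if hits_a is None else hits_a & only_a
        hits_b = only_b if hits_b is None else hits_b & only_b
    return {"only_in_a": sorted(hits_a), "only_in_b": sorted(hits_b)}


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("the collectors need Windows; compare_views() works anywhere")
    print(persistent_discrepancies(processes_via_toolhelp, pids_via_enumprocesses))
```

Run it from an elevated prompt on the machine where the installer is running; a PID that EnumProcesses returns but the Toolhelp snapshot keeps dropping (or vice versa) across all rounds is the one to look at with a kernel-level tool. An empty result only means the two user-mode APIs agree, not that nothing is hidden, since a hook placed below both of them (for example on the single native call they share) leaves no discrepancy to see.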

daujones 03-01-2013 22:33

Quote:

File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 2473840 (025BF70h) Byte(s)
-> File Appears to be Digitally Signed @ Offset 025AA00h, size : 01570h / 05488 byte(s)
[File Heuristics] -> Flag : 00000000000001001001000000000100 (0x00049004)
[!] Possible CD/DVD-Key or Serial Check -> ActivationCode
[!] Possible License Protection String -> CheckLicense
[!] File appears to have no protection or is using an unknown protection

Sorry, what is StrongOD/Phantom? Plugin for Olly?

wilson bibe 03-02-2013 02:37

I think it's better you unpack this installer with Universal Extractor, or another unpacker that you have; sometimes more than two temporary folders are open in the temp window in Documents and Settings when you run any installer. Try this, maybe your question will be resolved.
Regards

Dreamer 03-02-2013 05:52

I think you have a password-protected installer, and because of that you want to debug it to reverse and skip the password; otherwise I don't know why you want to debug an installer if it's not password protected.

N0P 03-02-2013 10:53

Quote:

Originally Posted by daujones (Post 83032)
Sorry, what is StrongOD/Phantom? Plugin for Olly?

http://tuts4you.com/download.php?view.2028
http://tuts4you.com/download.php?view.1276

daujones 03-02-2013 22:24

Quote:

Originally Posted by wilson bibe (Post 83035)
I think it's better you unpack this installer with Universal Extractor, or another unpacker that you have; sometimes more than two temporary folders are open in the temp window in Documents and Settings when you run any installer. Try this, maybe your question will be resolved.
Regards

The first thing I did was to UniExtract the exe, yes. But I only got this:

Attachment 6666

With both OllyDBG plugins I still can't debug the process.

Dreamer 03-02-2013 22:39

@daujones send me the file by PM to have a look

wilson bibe 03-03-2013 03:51

When this happens (your picture), look in the temporary temp window in Documents and Settings (XP x86) while the setup.exe file is running; you will see the .msi package installation file or files for this app. Copy this file(s) to any folder (while the setup is running). Having done this, unpack it (the .msi file(s)) with 7-Zip or any MSI unpacker. If you find files in this .msi package with the extension .cab, maybe you have a HASP or Sentinel protected file; if you find any password you maybe can remove it using these apps (Wise Solutions, InstallShield 2010 Premier or InstallShield Password Finder tw).
Regards
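The procedure above (watch the temp folder while setup.exe runs, pull out the .msi it drops, look inside for .cab files) is easy to do by hand once but tedious to repeat. The script below is an added example, not code from the thread or from any of the tools it mentions: it takes a listing of a directory before and after the installer runs, reports files that appeared or changed, and classifies them by leading magic bytes instead of by extension, since stubs often drop payloads under random names. The directory path and the sample files in `demo()` are constructed for illustration; point `main()` at the real temp folder when using it.

```python
"""Before/after snapshot of a temp directory, with magic-byte classification.

Added example (not from the forum thread). Usage on a real run:
    python tempwatch.py <temp dir>   # take snapshot, run the installer, press Enter
"""
import sys
import tempfile
from pathlib import Path

# (label, leading bytes). MSI packages are OLE2 compound documents, so they
# carry the same D0 CF 11 E0 header as legacy Office files.
SIGNATURES = [
    ("ole2-compound (MSI or similar)", b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"),
    ("cabinet (CAB)", b"MSCF"),
    ("pe-executable", b"MZ"),
    ("zip", b"PK\x03\x04"),
]


def classify(path):
    """Label a file by its first bytes; 'unreadable' if the installer holds it locked."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return "unreadable"
    for label, magic in SIGNATURES:
        if head.startswith(magic):
            return label
    return "unknown"


def snapshot(root):
    """Map relative path -> (size, mtime_ns) for every file under root."""
    root = Path(root)
    result = {}
    for p in root.rglob("*"):
        try:
            if p.is_file():
                st = p.stat()
                result[str(p.relative_to(root))] = (st.st_size, st.st_mtime_ns)
        except OSError:
            continue  # vanished or locked mid-walk; skip it
    return result


def diff_snapshots(before, after):
    """Return (new_files, changed_files) as sorted lists of relative paths."""
    new = sorted(p for p in after if p not in before)
    changed = sorted(p for p in after if p in before and after[p] != before[p])
    return new, changed


def report(root, before, after):
    """Rows of (relative path, 'new'|'changed', classification)."""
    new, changed = diff_snapshots(before, after)
    rows = [(rel, "new", classify(Path(root) / rel)) for rel in new]
    rows += [(rel, "changed", classify(Path(root) / rel)) for rel in changed]
    return rows


def demo():
    """Constructed sample: pretend an installer dropped payloads into a temp dir."""
    root = tempfile.mkdtemp(prefix="tempwatch-")
    Path(root, "preexisting.txt").write_bytes(b"already here\n")
    before = snapshot(root)
    # Simulated installer activity: an MSI under an opaque name, a CAB, a rewrite.
    ole_header = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
    Path(root, "{3F2A}-tmp.dat").write_bytes(ole_header + b"\0" * 64)
    Path(root, "data1.cab").write_bytes(b"MSCF" + b"\0" * 32)
    Path(root, "preexisting.txt").write_bytes(b"already here, now modified\n")
    after = snapshot(root)
    return report(root, before, after)


def main(argv):
    if len(argv) < 2:
        for row in demo():
            print("%-20s %-8s %s" % row)
        return
    root = argv[1]
    before = snapshot(root)
    input("Snapshot taken. Run the installer, then press Enter...")
    for row in report(root, before, snapshot(root)):
        print("%-60s %-8s %s" % row)


if __name__ == "__main__":
    main(sys.argv)
```

Anything classified as an OLE2 compound document is the candidate .msi to copy out and open with 7-Zip or an MSI unpacker; a CAB inside it is the payload the post says to inspect next. Run the snapshot as the same user the installer runs as, otherwise files in the per-user temp folder may not be readable.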

