Exetools


djneo 08-16-2004 21:22

Unknown protection?
 
Hello,

I would like to know how you should attack a packed file when PEiD doesn't find the protection.

When I want to open it with OllyDbg, the program doesn't stop at the EP but breaks on an INT3 exception. After that there is a sequence of exceptions and finally the program stops.

I think all the protection is around anti-debug, but I'm not sure, and I don't know how the program can run without breaking at OP.

Please give me some tricks to begin :)

amnesia 08-16-2004 22:57

Click on view->breakpoint, remove break on INT3, then press F9.

epikur 08-16-2004 23:06

Sometimes Olly just fails to debug a program (exceptions, then terminated).

I think it has to do with some exception trick, a way to detect if the program is being debugged.

There are some plugins for Olly that let Olly go undetected by the program. Keep up-to-date with those plugins. I know two:
- IsDebuggerPresent
- UnhandledExceptionFilter

Of course, new programs will eventually, at some time, have been packed by new packers (which programs like PEiD don't recognise), and with new anti-debugger tricks.

In this case, I usually have multiple programs, (debuggers, disassemblers, resource hackers, etc..)

But in the end, it's about being able to debug/disassemble, so you must know how to defeat antidebugger tricks and learn how they work. But if you're a beginner, I usually just move on until somebody makes a tut about it :)


... Just what I would do in my case :)

djneo 08-16-2004 23:43

Thank you for answering!

I have the plugin IsDebuggerPresent but not the other one; where can I get it?
Otherwise, I am sure that my level in anti-debug is not sufficient. Which tutorials would you advise?

McS2oo4 08-17-2004 01:06

Hope this helps...
 
Quote:

Originally Posted by djneo
Thank you for answering!

I have the plugin IsDebuggerPresent but not the other one; where can I get it?
Otherwise, I am sure that my level in anti-debug is not sufficient. Which tutorials would you advise?

http://biw.rult.at/tuts/pum_detectolly.zip?PHPSESSID=50221ff7540dcf7a322af132d720ba4e

If the link is dead, google for this file: pum_detectolly.zip

b/r
.McS.

epikur 08-17-2004 01:32

^^ That link above is for documentation about how to detect Olly. That exception, SetUnhandledExceptionFilter, is mentioned there.

You can get the Olly plugin for SetUnhandledExceptionFilter here:
http://community.anticrack.de/viewtopic.php?t=3440

djneo 08-17-2004 05:23

Thank you for your link.

But I think my problem is not debugger detection, but the use of exceptions, and OllyDbg is lost.

OllyDbg can't find the right exception address?

homersux 08-17-2004 05:45

Maybe you could let us know about the target, if it's not against the board rules?

djneo 08-17-2004 06:14

The software is vx30 Encoder.

www.vx30.com

I hope I am allowed to give the link :confused:

