
the_beginner 02-21-2005 00:15

DVRStudioPro terminate Olly maybe a new Asprotect version
 
When I try to attach Olly, DVRStudioPro RC04 terminates with exit code E1 (225).
I use HideDebugger v1.2.2, OllyDbg v1.10 and XP (SP1).
I have all options in HideDebugger enabled.
In Olly all exceptions are enabled.

www.haenlein-software.de

JuneMouse 02-21-2005 02:35

Have you tried using Re-Pair, or have you considered the possibility
that it may be using the %S%S trick on the OutputDebugString() vulnerability?
There is a thread here about it named "armadillo crashes ollydbg".

MaRKuS-DJM 02-21-2005 03:06

You don't need to attach. If your Olly is hidden well, you can load it and start it then.

the_beginner 02-21-2005 04:06

Thanks, I can't run :-( on Olly, but DriverStudio 2.6 with IceExt runs perfectly.

dyn!o 02-21-2005 04:33

Check if it uses NtQueryInformationProcess or ZwYieldExecution APIs. Olly and other ring3 debuggers can be easily detected by using any of them.

Good luck.

mc707 02-21-2005 07:17

Quote:

Originally Posted by dyn!o
ZwYieldExecution

It is known how NtQueryInformationProcess is used against ring3 debuggers. But how about ZwYieldExecution? How can it help to catch a debugger?

asterix 02-21-2005 07:50

What packer or protector is used in DVRStudioPro?
What does PEiD say?

dyn!o 02-21-2005 17:54

mc707: well, both NtQueryInformationProcess and ZwYieldExecution APIs are just kind of toys for the "casual" market (like protector developers). The hardcore ones are still behind the official knowledge ;)

I am talking about anti-debug methods theoretically not possible to skip. The only method to skip them is to write your own software emulator (like VMWare) with wide CPU emulation ability. Debugger detections like the ones XProtector and Starforce have are still toys (although XP and SF debugger detection doesn't play so important a role - even if you deal with it there is significant decompilation work to perform).

Ehh... these are topics for other threads..

Good luck.

the_beginner 02-22-2005 19:27

DVRStudioPro RC04: PEiD 0.93 --> Asprotect 2.0, but the version RC03 I can debug with Olly without problem.

bollygud 02-25-2005 13:20

the only thing 'special' I saw with this particular app is that it uses int41 to detect debuggers.

works like this:

mov eax,04F
int 41
cmp ax,0F386
je debugger_detected

and it kills olly in the int41.

so that may be your problem. this is very easy to overcome, obviously, you can just nop these commands and have it flow the way you want.

the_beginner 02-25-2005 13:32

hi
thanks, but I have found int41 in two cases and nopped this. The next debugger check is int 68, it's very old in this software; you can nop it and it runs, until RC03, now RC04 not :confused: :confused:
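
Added example, not part of any post in this thread: a static triage helper that scans a raw code buffer for the int 41 check quoted by bollygud and for bare int 41 / int 68 opcodes. The byte encodings assume 32-bit x86 with the posts' operands read as hex (as OllyDbg shows them); the function name and the sample buffer are constructed for illustration.

```python
import re

# Assumed 32-bit x86 encoding of the sequence quoted in the thread.
FULL_INT41 = re.compile(
    rb"\xB8\x4F\x00\x00\x00"      # mov eax, 4Fh
    rb"\xCD\x41"                  # int 41h
    rb"\x66\x3D\x86\xF3"          # cmp ax, 0F386h
)
# Bare "int imm8" opcodes for the two interrupts named in the thread.
BARE_INT = re.compile(rb"\xCD[\x41\x68]")


def find_debugger_checks(data: bytes):
    """Return sorted (offset, label) hits for a raw code buffer.

    The full sequence is a strong hit. A bare CD 41 / CD 68 is only a lead:
    without disassembly the two bytes may be data or part of another opcode.
    """
    hits = []
    covered = set()
    for m in FULL_INT41.finditer(data):
        hits.append((m.start(), "int41 check (mov/int/cmp sequence)"))
        covered.add(m.start() + 5)      # offset of the CD 41 inside the match
    for m in BARE_INT.finditer(data):
        if m.start() in covered:
            continue                    # already reported as part of the sequence
        vec = data[m.start() + 1]
        hits.append((m.start(), f"bare int {vec:02X}h (low confidence)"))
    return sorted(hits)


# Constructed sample buffer (not taken from any real binary).
SAMPLE = (
    b"\x90\x90"                                               # nop; nop
    + b"\xB8\x4F\x00\x00\x00\xCD\x41\x66\x3D\x86\xF3\x74\x10"  # check + je
    + b"\x33\xC0"                                             # xor eax, eax
    + b"\xCD\x68"                                             # int 68h
    + b"\xC3"                                                 # ret
)

if __name__ == "__main__":
    for off, label in find_debugger_checks(SAMPLE):
        print(f"{off:#06x}  {label}")
```
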

