  #2  
Old 02-23-2004, 17:42
padawan
crusader, sorry, I made a mistake about the tracing stop condition ... the one I used is EIP < 900000 (I corrected the previous post). And although the OEP is indeed < 900000, tracing NEVER stops and just goes on forever! As I said, I repeated this step numerous times and then, puzzled, I just gave up, defeated. But I'd like to understand why this is happening.

The tuts I read talk about anti-SoftICE tricks ... they don't mention any other tricks that address other tools (IDA, W32Dasm, OllyDbg, ProcDump, etc.) or any generic (anti-debugger, anti-disassembler) tricks. Could you say something on this? I imagine that different versions may also implement different countermeasures.

As for the exception counting method, it is true that there may be a different number of exceptions generated by different versions, BUT can't I just count the number of exceptions for the specific target, stop just one before, and then trace to find the OEP?

And no, the tuts I read say nothing as to why exceptions are generated. Is it to verify whether the application is being debugged (exceptions in a debugged application are sent to the debugger ... so if an app generates one exception but does not "receive" it, that's a sign the app is being debugged)? Or is it an API calling technique (exceptions are generated with an index, and this is used by the exception handling routine to invoke a given API with the parameters that have been pushed on the stack)?

As for memory breakpoints, well, they do work (I haven't tried HW breakpoints)!
When I was battling with this tracing stop condition not working, having arrived at the 19th exception I tried placing a memory breakpoint on the instruction following the OEP to stop OllyDbg in case the trace stop condition did not work, and that breakpoint did stop OllyDbg's tracing! This is one of the tests I made to verify that the tracing stop conditions were failing. Could it be that from the 19th exception on ASProtect does not check or remove breakpoints anymore (this is done by acting on the debug registers, right?).


padawan

PS: around what ASProtect version were stolen bytes introduced?

Last edited by padawan; 02-23-2004 at 17:57.
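The two exception tricks the post asks about (an exception that only reaches its handler when no debugger has swallowed it, and an exception used as an indexed API call with arguments parked before the fault), plus a stub that throws a fixed number of exceptions before reaching its real entry point, as an added example that is not part of the original post or of ASProtect. Real ASProtect-era stubs did this through Windows SEH with int3 or illegal opcodes and a handler installed by the loader; this stand-in uses POSIX SIGTRAP with sigsetjmp/siglongjmp so it builds with gcc on Linux, and every name in it (api_table, stub_run, real_entry_point, the count of 19) is hypothetical.

```c
/* Added example, not from the original post: a POSIX-signal model of
 * exception-driven packer tricks.  Windows SEH (int3 / illegal opcode +
 * handler in the loader stub) is what ASProtect actually used; SIGTRAP and
 * sigsetjmp/siglongjmp stand in for it here.  All names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>

static sigjmp_buf resume_point;
static volatile sig_atomic_t exceptions_raised;   /* the "exception counter" */
static volatile sig_atomic_t pending_api;         /* -1 = plain exception  */
static volatile sig_atomic_t api_arg_a, api_arg_b, api_result;

/* A tiny "API table" the handler dispatches into by index. */
typedef int (*api_fn)(int, int);
static int api_add(int a, int b) { return a + b; }
static int api_sub(int a, int b) { return a - b; }
static const api_fn api_table[] = { api_add, api_sub };

/* The handler is where the stub's real work happens: count the exception,
 * optionally perform the indexed API call, then resume after the fault. */
static void on_trap(int sig)
{
    (void)sig;
    exceptions_raised++;
    if (pending_api >= 0)
        api_result = api_table[pending_api](api_arg_a, api_arg_b);
    siglongjmp(resume_point, 1);
}

static void install_handler(void)
{
    struct sigaction sa;
    sa.sa_handler = on_trap;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    sigaction(SIGTRAP, &sa, NULL);
}

/* Anti-debug probe.  A traced process does not see the SIGTRAP itself unless
 * the debugger forwards it (gdb does not by default), so raise() just returns
 * and the fall-through tells us someone swallowed the exception. */
int exception_reached_handler(void)
{
    install_handler();
    if (sigsetjmp(resume_point, 1) == 0) {
        pending_api = -1;
        raise(SIGTRAP);
        return 0;            /* handler never ran: debugger ate the trap */
    }
    return 1;                /* came back via siglongjmp: handler ran */
}

/* API-by-exception: park the index and arguments, fault, and let the handler
 * make the call.  Returns -1 if the fault never reached the handler. */
int call_api_by_exception(int index, int a, int b)
{
    install_handler();
    api_arg_a = a;
    api_arg_b = b;
    if (sigsetjmp(resume_point, 1) == 0) {
        pending_api = index;
        raise(SIGTRAP);
        pending_api = -1;
        return -1;
    }
    pending_api = -1;
    return api_result;
}

/* Hypothetical unpacking stub: n deliberate exceptions, then the real entry
 * point.  Counting the handler returns and stopping one short of n is the
 * "exception counting" route to the OEP. */
static int real_entry_point(void) { return 42; }

int stub_run(int n)
{
    volatile int i;
    install_handler();
    exceptions_raised = 0;
    for (i = 0; i < n; i++) {
        if (sigsetjmp(resume_point, 1) == 0) {
            pending_api = -1;
            raise(SIGTRAP);
            return -1;       /* intercepted before reaching the handler */
        }
    }
    return real_entry_point();
}

int exceptions_seen(void) { return (int)exceptions_raised; }

int main(void)
{
    printf("handler ran: %d\n", exception_reached_handler());
    printf("3+4 via exception: %d\n", call_api_by_exception(0, 3, 4));
    printf("stub returned %d after %d exceptions\n", stub_run(19), exceptions_seen());
    return 0;
}
```

Running the binary normally prints that the handler ran and that the stub's entry point was reached after 19 exceptions; running it under gdb without `handle SIGTRAP pass` makes `exception_reached_handler()` fall through to 0, which is the behaviour the post describes for a debugged Windows process whose exception is delivered to the debugger first.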