Old 02-24-2004, 04:39
padawan
Hello crusader,

yes, I'm reading tutorials from LaBBa, MrGandalf and Ricardo.
Tracing works fine now for me too. I had the option to trace over system DLLs selected and I was always starting tracing from inside ntdll.dll. Unfortunately OllyDbg seems to have a bug, because in this situation any pause condition (such as EIP<900000) is somehow ignored and tracing goes on forever (even after getting out of ntdll.dll).

About the exceptions, from what you say it seems that they are generated just to remove HW breakpoints (no debugger detection and no API calling through them) ... I expect memory breakpoints (int 3) to work though. Can you confirm???

The tuts I've read, however, said nothing about why exceptions are generated ... only about how they can be exploited to identify the OEP. I'll need to find one that describes how HW breakpoints can be removed by generating an exception.

crusader, could you please answer the following questions:

1) around what asprotect version were stolen bytes introduced???
2) the tuts I read talk about anti-softice tricks ... they don't mention any other trick that addresses other tools (ida, w32dasm, ollydbg, procdump, etc.) or any generic (anti-debugger, anti-disassembler) tricks. Could you say something on this?

I suppose I should now dump the application when at the OEP. But maybe I should look for other ways to find the OEP. Let me know. In the meantime I'll read other tuts.


padawan

Last edited by padawan; 02-24-2004 at 04:56.