Hi,
I tried to do that for a long time and now I believe that it's really impossible.
The problem is that Safedisc modifies some bytes of the original program (let's call them stolen bytes) with instructions such as int3, ud2, sgdt xxx, etc., and it needs to correct them at runtime, doing some kind of "debugging".
When you load the program in Olly, Safecast fails to start this process and hangs on a WaitForSingleObject.
If you change the value that is pushed before this call to one of an existing object, you will be able to continue your stepping, to reach the OEP and to dump the full unpacked original program.
In this way you can completely rebuild the IAT with Olly, but for recovering the stolen bytes you still need to use SoftICE and step into the routine that patches them.
That was my experience...
Regards,
SystemeD