#1
Hello,
I would like to know how you should attack a packed file for which PEiD doesn't find the protection. When I want to open it with OllyDbg, the program doesn't stop at the EP but breaks on an INT3 exception. After that there is a sequence of exceptions and finally the program stops. I think all the protection is around anti-debug but I'm not sure, and I don't know how the program can run without breaking at OP. Please give me some tricks to begin.
Last edited by djneo; 08-16-2004 at 22:00.
#2
Click on view->breakpoint, remove break on INT3, then press F9.
#3
Sometimes Olly just fails to debug a program (exceptions and terminated).
I think it has to do with some exception trick, a way to detect if the program is being debugged. There are some plugins for Olly that let Olly go undetected by the program. Keep up to date with those plugins. I know two:
- IsDebuggerPresent
- UnhandledExceptionFilter
Of course, new programs will eventually at some time have been packed by new packers (which programs like PEiD don't recognise), and with new anti-debugger tricks. In this case, I usually have multiple programs (debuggers, disassemblers, resource hackers, etc.). But in the end, it's about being able to debug/disassemble, so you must know how to defeat anti-debugger tricks and learn how they work. But if you're a beginner, I usually just move on until somebody makes a tut about it :) ... Just what I would do in my case :)
#4
Thank you for answering!
I have the IsDebuggerPresent plugin but not the other; where can I get it? Otherwise, I am sure that my level in anti-debug is not sufficient. Which tutorials do you advise?
#5
Quote:
If the link is dead, google for this file: pum_detectolly.zip
b/r .McS.
#6
^^ That link above is for documentation about how to detect Olly. That exception SetUnhandledExceptionFilter is mentioned there.
You can get the Olly plugin for SetUnhandledExceptionFilter here: http://community.anticrack.de/viewtopic.php?t=3440
#7
Thank you for your link.
But I think my problem is not debugger detection, but the use of exceptions, and OllyDbg is lost. OllyDbg can't find the good exception address?
#8
Maybe you could let us know about the target, if it's not against the board rules?
#9
The software is vx30 Encoder.
www.vx30.com I hope I am allowed to give the link.