|
|
|
|
#1
02-12-2005, 03:35
|
|||
|
|||
|
The most powerful tool is FrogsIce - this reports type of antidebugging protection
and EIP address.However, it exists only for Win98 ... regards. Last edited by Janus68; 02-12-2005 at 03:35. Reason: spelling 
|
|
#2
02-12-2005, 04:41
|
||||
|
||||
|
Only IceExt could bypass its SoftIce detection. But in OllyDbg...
The only possible ways for OllyDbg detection are describied in Pumqara's article. All of the methods could be bypassed except APi Redirection of OllyDbg. When I try to set Memory Breakpoint on GetProcAddress, SDProtector detetcs the BP and cuases an exception which OllyDbg could not process it. When I set Harware Breakpoints, SDProtector caused below exception : Code:
004EB707 |74 08 JE SHORT PASSWORD.004EB711 004EB709 |D0AB 0A120010 SHR BYTE PTR DS:[EBX+1000120A],1 After that, the second exception occured : Code:
004FBB7A 8038 CC CMP BYTE PTR DS:[EAX],0CC 004FBB7D 74 0A JE SHORT PASSWORD.004FBB89  ).After NOPing about 6th of them, program debugged normally. Then a message poped up : Quote:
That was the whole story. One question is important : Is there a fixed address in memory which used by OllyDbg for storing breakpoint addresses? How SDProtector detects them? And I have another question. Please somebody answer me : Why existing loader generators couldn't grap ProcessID of protected program by SDProtector? Thanks for reading this damn post. Please share your information about SDProtector. Best regards. Last edited by Newbie_Cracker; 02-12-2005 at 06:04.
|
|
#3
02-12-2005, 06:39
|
||||
|
||||
|
Quote:
Quote:
If you're talking about Hardware BP, I think Olly stores its addresses in a local var, so no fixed address...Ummh!! I know that Registers DR0-DR3 are for debug breakpoints and curiously Olly only can set 4 Hardware BP  . The protection can read and compare this registers. Maybe that uses a code-execute time detection too. Regards Last edited by taos; 02-12-2005 at 06:42.
|
|
#4
02-13-2005, 07:58
|
||||
|
||||
|
Thanks taos.
Quote:
When I set only hardware BP, SDProtector checks the presence of "int 3" ? The above mentioned CMP could not be done and...debugging will be finished. It's unusual ! How could I know where it reads dr0 to dr3 values? There is a jungle of junk codes I red somewhere about fs:[20h] and fs:[30h] tricks used by ACProtect. Maybe SDProtector uses them too. The question is method of finding them. Is it possible using conditional tracing like this ? TC EIP=="some opcodes" Regards.
|
|
#5
02-14-2005, 05:16
|
|||
|
|||
|
today i played with this target.. check if all is OK.
btw, it's marked as SD1.1 at start of 1st section?? original IT restored; OEP bytes restored from 00495C50h; resource restored by PExplorer; there was 7 crypted code blocks, wich decrypted on runtime; .. shit, failed for attach! Last edited by evaluator; 02-14-2005 at 05:24.
|
|
#6
02-14-2005, 06:11
|
|||
|
|||
SDProtector Pro Edition 1.12 unpacking tutorial
at hxxp://www.angelfire.com/indie/zong
EnJoy 
|
|
#7
02-14-2005, 18:50
|
|||
|
|||
|
@newbie_cracker
For Imprec - it looks for file "ImportREC.exe" and for title "Import REConstructor v1.6..." You can easy change title with Customizer or similar program. For LordPE - SDpacker absolutely hates this tool . Apply the same steps as for ImpRec  btw. It shows wrong Image_Size of process ( 0x00036000 ). Use any other tools for dumping . @KaGra I like your tuts , but what would you do if your target is packed with regged version of packer and you don't have intro Nag to attach ?
|
 |
| Thread Tools | |
| Display Modes | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| How to defeat Enigma protector External Files Checkup? | benney | General Discussion | 1 | 08-20-2016 02:13 |
| Help for unknown protector | Newbie_Cracker | General Discussion | 9 | 01-11-2011 17:42 |
| New or Unknown Protector | lordnasty | General Discussion | 0 | 06-19-2006 16:57 |
| Good Protection (Password Reminder) | anorganix | General Discussion | 6 | 11-22-2005 04:42 |
Hybrid Mode
