  #1  
01-21-2005, 02:52
DeeYeah
How to debug Safedisc in OllyDbg

I have already asked this in another forum and they said that this is impossible, because Safedisc has its own debugger and can detect other Ring3 debuggers. I have cracked all debugger checks, but Olly doesn't break at the OEP.

Is there maybe a possibility for Olly?



Best Regards, DeeYeah
  #2  
01-21-2005, 23:39
SystemeD
Hi,
I tried to do that for a long time and now I believe that it's really impossible.
The problem is that Safedisc replaces some bytes of the original program (let's call them stolen bytes) with instructions such as int3, ud2, sgdt xxx, etc., and it needs to correct them at runtime, doing some kind of "debugging".
When you load the program in Olly, Safecast fails to start this process and hangs on a WaitForSingleObject.
If you change the value that is pushed before this call to that of an existing object, you will be able to continue stepping, reach the OEP and dump the full unpacked original program.
In this way you can completely rebuild the IAT with Olly, but to recover the stolen bytes you still need to use SoftICE and step into the routine that patches them.
That was my experience...
Regards,
SystemeD
  #3  
01-31-2005, 05:41
SiNTAX
Quote:
Originally Posted by DeeYeah
I have cracked all debugger checks, but Olly doesn't break at the OEP.
Is there maybe a possibility for Olly?
Guess you didn't find them all then!

You _did_ patch secdrv too, right?
  #4  
01-31-2005, 17:32
SystemeD
Quote:
Originally Posted by SiNTAX
You _did_ patch secdrv too, right?
Do you mean that patching secdrv.sys will allow you to debug a 'fully working' debuggee with Olly?
If yes, patching what?
Thanks,
SystemeD
  #5  
01-31-2005, 21:02
sHice
Load your Safedisc-protected app into Olly, then set a bpx on DebugActiveProcess with SoftICE and start your protected app with Olly. SoftICE will break, so step out of DebugActiveProcess in SoftICE and look at the return value: it's FALSE. This means Safedisc can't start debugging the app because it's already being debugged by Olly. One app can only be debugged by one ring3 debugger as far as I know... it's as simple as that.
All times are GMT +8.