Exetools  

  #1  
09-02-2004, 05:23
zambuka42

Question about ASProtect 1.2 debugger detection

Hello all,
this is my first post here

I have never done any manual unpacking before. So the answer may be easy.. or maybe considered too in-depth for the likes of me.

There is a program I'm "working" on that is protected by "ASProtect 1.23 RC4 - 1.3.08.24". None of the unpackers I've seen have been able to unpack it. I have found a couple of tutorials for manually unpacking ASProtect, however they both use OllyDbg. That would be fine except for the fact that this program can detect debuggers and keeps me from following the directions in the tutorial.

This is not important enough for me to accomplish if it will require spending lots of time finding and stripping this debugger protection or using softice.

I guess this post is just a question of "Does anyone know of a quick way around the debugger detection (without using softice)?"

Thanks for your time. -b

Last edited by zambuka42; 09-02-2004 at 05:26.
  #2  
09-02-2004, 05:31
goggles99

Get the IsDebuggerPresent plugin from here hxxp://ollydbg.win32asmcommunity.net/stuph/

Furthermore... don't use hardware breakpoints, because ASProtect detects them...
  #3  
09-02-2004, 12:26
JMI
And read the FAQ Forum at the top of the list, so you'll know the Rule about posting "Thank You" type posts before you have 10 Posts of some substance. But he already knows you are grateful anyway.

regards,
__________________
JMI
  #4  
09-11-2004, 05:04
Michel
Hi zambuka,

I am French, so excuse my bad English....

When you run a prog protected by ASProtect 1.23 RC4 - 1.3.08.24, there is another small .exe which is created and located in the temp folder.

This file is very temporary because it creates a .bat file, "del.bat", in order to delete itself and finally delete itself too.

You can find the exact name and location of this .exe by looking at the running threads with procdump, ollydbg or what you want.
Windows doesn't allow you to copy this file, but, on XP, if you set its properties to "read only", it will not be deleted by del.bat nor overwritten by the main prog next time you run it, and this is more important.

Thus, you can close the main prog and disassemble the temp .exe, which is not crypted: you will see that the main use of this file is to detect a few known debuggers. You can patch that easily, but don't forget to leave the patched file in "read only" state before running the main app.

I hope this can help you...
All times are GMT +8.