DVRStudioPro terminate Olly maybe a new asprotec version

the_beginner · #1 02-21-2005, 00:15

When i try to attach Olly DVRStudioPro RC04 terminates with exit code E1 (225).
I use HideDebugger v1.2.2, OllyDbg v1.10 and XP (SP1).
I have all Options in HideDebugger enabled.
In Olly all exceptions are enabled.

www.haenlein-software.de

#2 02-21-2005, 02:35

have you tried using Re-Pair or have you considered the possibility
that it may be using the %S%S trick on OutPutDebugString() vulnerability
there is a thread here about it named armadillo crashes ollydbg

MaRKuS-DJM · #3 02-21-2005, 03:06

you don't need to attach. if your olly is hidden well, you can load it and start it then

the_beginner · #4 02-21-2005, 04:06

thanks ,I cant run :-( on olly ,but driverstudio 2.6 with iceext run perfect

dyn!o · #5 02-21-2005, 04:33

Check if it uses NtQueryInformationProcess or ZwYieldExecution APIs. Olly and other ring3 debuggers can be easily detected by using any of them.

Good luck.

#6 02-21-2005, 07:17

Quote:

Originally Posted by dyn!o

ZwYieldExecution

It is known how NtQueryInformationProcess used against ring3 debugger. But how about ZwYieldExecution ? How can it help to catch debugger?

asterix · #7 02-21-2005, 07:50

What packer or protector used in DVRStudioPro?
What PEiD says?

dyn!o · #8 02-21-2005, 17:54

mc707: well, both NtQueryInformationProcess and ZwYieldExecution APIs are just kind of toys for "casual" market (like protectors developers). The hardcore ones are still behind the official knowledge

I am talking about anti-debug methods theoretically not possible to skip. The only metod to skip them is to write own software emulator (like VMWare) with wide CPU emulation ability. Debugger detections like XProtector and Starforce have are still toys (althought XP and SF debugger detection doesn't play so important role - even if you deal with it there is significant decompilation work to perform).

Ehh... these are topics for another threads..

Good luck.

the_beginner · #9 02-22-2005, 19:27

DVRStudioPro RC04 PEID 0.93 -->Asprotect 2.0 but the Version RC03 can i Debug with olly without problem

#10 02-25-2005, 13:20

the only thing 'special' i saw with this particular app is that it uses int41 to detect debuggers.

works like this:

mov eax,04F
int 41
cmp ax,0F386
je debugger_detected

and it kills olly in the int41.

so that may be your problem. this is very easy to overcome, obviously, you can just nop these commands and have it flow the way you want.

the_beginner · #11 02-25-2005, 13:32

hi
thanks but I have found in two case int41 and nop this,the next debugger check is int 68 its very old on this Soft ,can you nop and it's run until RC03 now RC04 not

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Inline patch or loader for Asprotec 1,24-1.3????	the_beginner	General Discussion	22	12-31-2004 02:19
is this possible to vonvert VS .NET DVD Version to CD Version?	NoneForce	General Discussion	1	03-13-2004 11:51