Exetools  

  #1  
04-07-2005, 07:39
NeOXOeN
For all Olly and coding gurus

Apparently reversing contest by Zero are bad online.. So for everyone who thinks he can contribute anything or try to make some new tricks..
Check out this url..

http://contests.reverse-engineering.net/


Bye NeO

#2
04-07-2005, 15:42
dyn!o
Guys, wait a second.
Don't you see what it's all about? Look at the rules:

- commented sources (for whom?),
- must work on Windows 9x,ME,NT,2K,XP (why NT,2K,XP isn't enough?),
- accepted languages are: asm, C/C++ (why not Delphi?),
- a text file with description of your ideas, explanation of more complicated pieces of code (for whom?).

Think about each one. Do you understand why all of them must be fulfilled?
It's quite a clear situation - you will be strengthening some commercial protection.

Last edited by dyn!o; 04-07-2005 at 15:46.

#3
04-07-2005, 19:01
nikola
dyn!o, I think they need to check the source out to see that you are its writer and how many flaws it has. Ideas are basic things. I suppose they want to know if we think or we just copy what we read in other tuts. I agree that most things I have seen there should work on all OSs, but for any eventual unpacker contest I think they should allow NT systems only.
And I agree with you that Delphi should be allowed too, at least when the program is written without VCL.

I don't think they will get anything important from these contests. At least till now I didn't see they asked for too many things that'd be useful for strengthening protections. And I think that people who grade those works have enough skill for an excellent protector.

#4
04-08-2005, 01:58
Crudd[RET]
Message from Kreatief (Contest Mod)

This is a quote from one of the mods. He would've responded himself, but he's not registered here.
Quote:
What this contest is supposed to be:

There exist a lot of anti sice tricks out there. But OllyDbg is used more and more. And there aren't so many protections against it. Mostly they are just general anti debugger techniques.

We want to see the best anti olly tricks. And this means, really anti olly tricks, no general protections.

Quote:
- commented sources (for whom?),


For me to understand what you do. I don't have the time to trace every single entry, especially it's getting hard if you combine it with basic asm.
The other thing is that users want to see what you do and learn from it.

Quote:
- must work on Windows 9x,ME,NT,2K,XP (why NT,2K,XP isn't enough?),


Cause there are a lot of guys out there, who still use 9x. And personally I don't like system specific things. What is the sense of a protection technique if you can switch the OS and ignore all those protections?

Quote:
- accepted languages are: asm, C/C++ (why not Delphi?),


Cause those languages are the most common. That's nothing against Delphi or whatever, but it's easier for everyone to have those common languages (except for the author maybe), and we used to keep it that way.

Quote:
a text file with description of your ideas, explanation of more complicated pieces of code (for whom?).


It's nice to see a single file, where the basic ideas are described to get an overview. No big texts needed, just a few notes about what your intention was to write this entry!
Next thing are the more complicated pieces of code: Just imagine I have manually encrypted one part of code a few times with several techniques. How do you know what happened there? Again: I don't have the time, and honestly I don't want to trace all this stuff. What for?


Generally:

I don't wanna do a commercial protector out of it. What I am planning is, if those entries are good, I am thinking about putting all ideas together, and write a paper about it. Sure, just if you want to. This could be published at codebreakers journal, or maybe some higher instance.
I am sure, we get a lot of very interesting protections and techniques together, which are really interesting for most people. That's our imagination of spreading knowledge. We are here to learn and to spread our knowledge.

For me, it would be great to see some entries from you guys.


DKT

#5
04-08-2005, 18:32
dyn!o
I am really impressed (very rare feeling of me) that someone bothered to explain the idea of the discussed contest. I did not really expect that. Thank you.

Unfortunately I will persist in my opinion (maybe because I rarely change it). I do not mean that you want to develop a protector, I am afraid that the work of enthusiastic hobbyists, like ExeTools members, may be used in some commercial project without their gratification. I have no rights to judge the real intentions of this contest, but I believe you could achieve similar benefits (in the scientific meaning), to the one you claim, by posting a thread on ExeTools and RCE message boards.

My personal note: OllyDbg is a really powerful tool. You are right by saying "OllyDbg is used more and more" but my small suggestion is: detection of OllyDbg as a standalone software is not powerful. Moreover, any detection of a standalone product is weak because:

- you can always modify the product, even if you are not the author (the same is for OllyDbg. I have my own, customized version, not detectable so far),
- you can always modify the protection and find the check (I am suggesting that in my humble opinion a debugger prevention should not be based on a single check but a kind of specific code mixed within protected code).

I am not any expert, but I would suggest a lower level (in the meaning of software architecture). There are many possibilities of killing/detecting all the debuggers (including these not made yet) based on the features of OS and x86 specification. With some invention you can build not only a powerful shield, unimaginably hard to defeat, but also a cross-platform anti-debug protection - stronger than StarForce and XProtector owns (using drivers for ring0 debuggers and exceptions for ring3 tools/debuggers is an outdated idea).

Anyway, I am still impressed with your answer being posted here. Congratulations for bracing up the courage and good luck in your work.

Regards,
dyn!o

#6
04-08-2005, 22:09
MaRKuS-DJM
i also believe the contest is just a "mask" in front of a protector. they want to get tricks to stop Olly.

btw dyn!o... did you make this undetectable Olly yourself? i also modified my Olly, but it is detectable through some methods.

#7
04-09-2005, 00:48
imagin
All right with everyone in a word dyn!o - any contest - only commercial sh*t secret behind RE.

Last edited by imagin; 04-09-2005 at 00:54.

#8
04-09-2005, 00:53
dyn!o
Yes, I modified it while encountering some poor detections based on well known OllyDbg vulnerabilities (as I remember you can find these exploits even on ExeTools) or even so funny "tricks" like OllyDbg executable and/or window name. By "undetectable" I mean the actual methods used by protectors. Theoretically and practically it is still detectable but it seems no developer (protector developer) seriously tries to deal with it, luckily for us.

They just underestimate Olly... people (devs) would be surprised seeing how much can be done under ring3... also that was the reason of my first post in this thread (I supposed some developer noticed the possibilities of ring3 and tools like OllyDbg).

Last edited by dyn!o; 04-09-2005 at 00:55.

#9
04-09-2005, 19:46
MaRKuS-DJM
hm... what about Process32First (used by some protectors, but also disallows other programs to start it), ZwQueryInformationProcess (Used by new VBox HASP SL), and the method used by SDProtector (didn't analyse what it uses)?

all i do is writing tutorials, but not taking part in such contests which helps developing protectors. same as Code-Lock with their "special rulez" you have to explain them more or less how you cracked it (this thread about code-lock was created by you dyn!o )

#10
04-09-2005, 22:42
dyn!o
"and the method used by SDProtector "
As I remember SDProtector used ZwQueryInformationProcess, DebugActiveProcess or RDTSC... Ehh, a little mess in my head... all these protectors are almost the same... I cannot remember which one but I vote for ZwQueryInformationProcess. Any problem? I do not think so (not for you) - just go and write small plugin or macro. If you will encounter RDTSC (but I feel it has been used in other protection) the same here - sounds terrible but it is terribly easy (macro or plugin - just check the actual instruction and skip it/them in case of RDTSC).

"Lock with their "special rulez" you have to explain them more or less how you cracked it (this thread about code-lock was created by you dyn!o )"
I remember that pretty well. I asked them if it is not asymmetric cryptography key "trick" and to let me get in. They refused.

Good luck.

#11
04-09-2005, 23:23
MaRKuS-DJM
it was more than half a year i looked at SDProtector. i didn't look at it again, but going to do so again. most things i did through kernel-patching, not in olly itself. i did that because some tools got detected by anti-crack mechanisms and so (through kernel-patch) i fixed it for the whole system. next service pack will kick all the patches

that's the trick about the contests:
you should do what is requested but not like YOU want, you should do how THEY want

#12
04-09-2005, 23:38
dyn!o
"it was more than half a year i looked at SDProtector. i didn't look at it again"
similar here.

"most things i did through kernel-patching"
wow, a hardcore. But the problem comes again with each OS update, as you noticed.

"most things i did through kernel-patching"
sure you can but try to patch RDTSC using this way.

"you should do what is requested but not like YOU want, you should do how THEY want"
damn right.

All in all I suggest you to consider taking the advantage of OllyDbg possibilities (macro/plugin) - it is really powerful.

Good luck and regards.

Last edited by dyn!o; 04-09-2005 at 23:43.

#13
04-10-2005, 00:20
MaRKuS-DJM
kernel-patches are system wide and so more comfortable because they take effect to every cracking-software too

"sure you can but try to patch RDTSC using this way"
hehe, that must be really hardcore to do that. there was a reference in CBJ how to pass this but without kernel-patching

#14
04-11-2005, 11:59
NeOXOeN
I don't know why ppl are so paranoid.. if they would check previous contests they would see that something similar was already made. Some sources were also included.

I don't think it will be used for a protector since there is a lot of stuff out already. Olly isn't anything special as a tool, that ppl wouldn't think of any anti-tricks for. Best stuff always stays private and hardly sees the light in public.

There are a lot of tuts already written on this subject, how to detect it, how to make it more annoying to trace and so on, how to hide the IAT and so on..
It's more or less just a contest.


And above all, anti-tricks don't make a protector, other code does. Anti-tricks are made so they would kill crackers' time. Nothing else, nothing more, you can always bypass it.

So all ppl who think they can show their knowledge in coding.. or would like to contribute are welcome to join..


Above all there is a rule in the protection world: if you can run it you can unpack it.


BYe NEO

#15
06-28-2005, 14:09
tibetti
code-lock has not been cracked, expert reversers say it's crap (may or may not be), but recently Orbital SQL Decryptor v2.1 CODE-LOCK has been cracked by Team DSi, i don't know whether it works or not but version Orbital SQL Decryptor v2.2 is out and ppl can try to crack that without taking part in any contest where money is involved. Also ASTRO v 1.0.0 is codelocked i guess. So the gist is we reversers have the app which is code-locked to be cracked and we don't have to take part in any contest.
All times are GMT +8.