Exetools  

#1  02-22-2013, 18:18  daujones
OllyDbg - invisible process

Hello folks,

Sorry for asking a probably noob question.

I am trying to debug an installer, but OllyDbg crashes when starting it from inside OllyDbg.

So I tried to attach to the running process, but it's not in my list of processes to attach to. It seems invisible.

Can you help me?
#2  02-22-2013, 22:57  [hepL3r]
What's the install maker? Scan it with ProtectionID and put the output here.
As for hiding among processes, maybe it's using SSDT hooks to hide itself, so take a look at SSDT hooks. Have you tried to load it in Olly with StrongOD and Phantom?
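A quick way to test the SSDT-hook theory raised above, as an added example that is not part of the thread: a process hidden by a hook on NtQuerySystemInformation disappears from every list built through that call (Task Manager, OllyDbg's Attach dialog, Get-Process, WMI), but OpenProcess on its PID still succeeds, so diffing the two views exposes the gap. The PID upper bound and the choice of Get-WmiObject (Windows PowerShell; PowerShell 7 would need Get-CimInstance) are assumptions.

```powershell
# Cross-view process check (added example; not from the thread).
# View 1: user-mode process lists, which all end in NtQuerySystemInformation.
# View 2: brute-force OpenProcess on every candidate PID.
# A PID that is openable but absent from view 1 is a candidate hidden process.
$sig = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
$k32 = Add-Type -MemberDefinition $sig -Name 'Kernel32' -Namespace 'CrossView' -PassThru

# PROCESS_QUERY_INFORMATION (0x0400) exists on XP; on Vista and later
# PROCESS_QUERY_LIMITED_INFORMATION (0x1000) also reaches protected processes.
$PROCESS_QUERY_INFORMATION = 0x0400

function Find-HiddenProcess {
    # View 1: collect PIDs from two independent user-mode enumerations.
    $listed = @{}
    Get-Process | ForEach-Object { $listed[[int]$_.Id] = $true }
    Get-WmiObject Win32_Process | ForEach-Object { $listed[[int]$_.ProcessId] = $true }

    # View 2: Windows PIDs are multiples of 4; 65536 is an assumed upper bound
    # that is comfortable on an XP-era machine (raise it on a busy modern host).
    $hidden = @()
    for ($candidate = 4; $candidate -lt 65536; $candidate += 4) {
        $h = $k32::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32]$candidate)
        if ($h -ne [IntPtr]::Zero) {
            [void]$k32::CloseHandle($h)
            if (-not $listed.ContainsKey($candidate)) { $hidden += $candidate }
        }
    }
    return $hidden
}

$hidden = Find-HiddenProcess
if ($hidden.Count -eq 0) {
    'No PID is openable but absent from the process list.'
} else {
    'PIDs openable via OpenProcess but missing from Get-Process/WMI (candidate hidden processes):'
    $hidden
}
```

Run it elevated, with the installer still sitting at its first dialog, and run it twice: a process that exits between the two views shows up as a false positive once but not twice. If the hook also covers NtOpenProcess, both views agree and nothing is reported; that is the case where a kernel-level look at the SSDT, as the post suggests, is needed.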
#3  03-01-2013, 22:33  daujones
Quote:
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 2473840 (025BF70h) Byte(s)
-> File Appears to be Digitally Signed @ Offset 025AA00h, size : 01570h / 05488 byte(s)
[File Heuristics] -> Flag : 00000000000001001001000000000100 (0x00049004)
[!] Possible CD/DVD-Key or Serial Check -> ActivationCode
[!] Possible License Protection String -> CheckLicense
[!] File appears to have no protection or is using an unknown protection

Sorry, what is StrongOD/Phantom? A plugin for Olly?
#4  03-02-2013, 02:37  wilson bibe
I think it's better you unpack this installer with Universal Extractor, or another unpacker that you have. Sometimes more than two temporary folders are opened in the Temp folder under Documents and Settings when you run any installer. Try this; maybe your question will be resolved.
Regards
#5  03-02-2013, 05:52  Dreamer
I think you have a password-protected installer, and because of that you want to debug it to reverse and skip the password; otherwise I don't know why you would want to debug an installer if it's not password protected.
#6  03-02-2013, 10:53  N0P
Quote:
Originally Posted by daujones View Post
Sorry, what is StrongOD/Phantom? A plugin for Olly?
http://tuts4you.com/download.php?view.2028
http://tuts4you.com/download.php?view.1276
#7  03-02-2013, 22:24  daujones
Quote:
Originally Posted by wilson bibe
I think it's better you unpack this installer with Universal Extractor, or another unpacker that you have. Sometimes more than two temporary folders are opened in the Temp folder under Documents and Settings when you run any installer. Try this; maybe your question will be resolved.
Regards

The first thing I did was to UniExtract the exe, yes. But I only got this:

[attached image: pic.png]

With both OllyDbg plugins I still can't debug the process.
#8  03-02-2013, 22:39  Dreamer
@daujones send me the file via PM so I can take a look.
#9  03-03-2013, 03:51  wilson bibe
When this happens (your picture), look in the temporary Temp folder under Documents and Settings (XP x86) while the setup.exe file is running; you will see the .msi installation package file or files for this app. Copy this file (or files) to any folder while the setup is running. Having done this, unpack it (the .msi file or files) with 7-Zip or any MSI unpacker. If you find files in this .msi package with the .cab extension, maybe you have a HASP- or Sentinel-protected file; if you find any password, you may be able to remove it using these apps (Wise Solutions, InstallShield 2010 Premier or InstallShield Password Finder tw).
Regards
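The copy-it-while-it-runs step described above, automated as an added PowerShell example that is not from the thread: snapshot the Temp folders before launching the installer, then poll while it runs and copy every newly dropped .msi/.cab/.exe/.dll out before the installer cleans up. The installer path, the output folder and the 250 ms poll interval are assumptions; it uses only cmdlets available in Windows PowerShell 2.0, so it also fits the XP x86 setup the post describes.

```powershell
# Temp-folder watcher (added example; not from the thread).
# Usage: .\Watch-InstallerTemp.ps1 -Installer C:\downloads\setup.exe -OutDir C:\extracted
param(
    [string]$Installer = 'C:\downloads\setup.exe',   # assumed path
    [string]$OutDir    = 'C:\extracted'              # assumed path
)

# Folders an installer typically unpacks into: the user's Temp and the system Temp.
$watch = @($env:TEMP, "$env:windir\Temp")
$interesting = '.msi', '.cab', '.exe', '.dll'
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Full paths of every interesting file currently under the watched folders.
function Get-Snapshot {
    Get-ChildItem -Path $watch -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($interesting -contains $_.Extension.ToLower()) } |
        ForEach-Object { $_.FullName }
}

# Baseline: whatever is already lying around in Temp is not ours.
$before = @{}
Get-Snapshot | ForEach-Object { $before[$_] = $true }

# Launch the installer and poll until it exits, copying each new file once.
$proc = Start-Process -FilePath $Installer -PassThru
$seen = @{}
while (-not $proc.HasExited) {
    foreach ($f in Get-Snapshot) {
        if ($before.ContainsKey($f) -or $seen.ContainsKey($f)) { continue }
        $seen[$f] = $true
        # Flatten the source path into the file name so copies from different
        # temp subfolders cannot overwrite each other.
        $dest = Join-Path $OutDir ($f -replace '[:\\]', '_')
        try {
            Copy-Item -LiteralPath $f -Destination $dest -Force
            Write-Host "copied $f"
        } catch {
            # Files the installer holds open with an exclusive share mode will fail here;
            # they are reported so you can grab them by hand at the next dialog.
            Write-Warning "could not copy $f ($_)"
        }
    }
    Start-Sleep -Milliseconds 250
}

"New files seen while the installer ran:"
$seen.Keys
```

Leave the installer parked at its first dialog while the script runs, exactly as the post suggests, so the dropped package stays on disk long enough to be copied. A copied .msi can be opened with 7-Zip as the post says, or laid out without running the normal install via an administrative install: `msiexec /a C:\extracted\<copied>.msi /qn TARGETDIR=C:\extracted\msi`.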
All times are GMT +8.