Only IceExt could bypass its SoftIce detection. But in OllyDbg...
The only possible ways for OllyDbg detection are described in Pumqara's article. All of the methods could be bypassed except API redirection of OllyDbg. When I try to set a memory breakpoint on GetProcAddress, SDProtector detects the BP and causes an exception which OllyDbg could not process.
When I set hardware breakpoints, SDProtector caused the exception below:
Code:
004EB707 |74 08 JE SHORT PASSWORD.004EB711
004EB709 |D0AB 0A120010 SHR BYTE PTR DS:[EBX+1000120A],1
The address contains nothing and debugging will be finished. I converted the JE to JMP and the exception never occurred.
After that, the second exception occurred:
Code:
004FBB7A 8038 CC CMP BYTE PTR DS:[EAX],0CC
004FBB7D 74 0A JE SHORT PASSWORD.004FBB89
The first line could not be processed. I tried to NOP it (before executing), but there were a lot of these CMPs, more than 40 (I became tired of counting them).
After NOPing about 6th of them, the program debugged normally. Then a message popped up:
Quote:
Don't know how to continue because memory at address 76ADF3F7 is not readable. Try to change EIP or pass exception to program.
After pressing SHIFT+F9, the famous strings of "Debugger detected" appeared in the stack window, without any message box.
That was the whole story.
One question is important:
Is there a fixed address in memory which is used by OllyDbg for storing breakpoint addresses? How does SDProtector detect them?
And I have another question. Please, somebody answer me:
Why couldn't existing loader generators grab the ProcessID of a program protected by SDProtector?
Thanks for reading this damn post.
Please share your information about SDProtector.
Best regards.