Exetools  

#17  02-23-2004, 17:42
padawan
crusader, sorry, I made a mistake about the tracing stop condition ... the one I used is EIP < 900000 (I corrected the previous post). And although the OEP is indeed < 900000, tracing NEVER stops and just goes on forever! As I said, I repeated this step numerous times and then, puzzled, I just gave up, defeated. But I'd like to understand why this is happening.

The tuts I read talk about anti-SoftICE tricks ... they don't mention any other trick aimed at other tools (IDA, W32Dasm, OllyDbg, ProcDump, etc.) or any generic (anti-debugger, anti-disassembler) tricks. Could you say something on this? I imagine that different versions may also implement different countermeasures.

As for the exception counting method, it is true that there may be a different number of exceptions generated by different versions, BUT can't I just count the number of exceptions for the specific target, stop just one before, and then trace to find the OEP?

And no, the tuts I read say nothing as to why exceptions are generated. Is it to verify if the application is being debugged (exceptions in a debugged application are sent to the debugger ... so if an app generates one exception but does not "receive" it, it's a sign that the app is being debugged)? Or is it an API calling technique (exceptions are generated with an index, and this is used by the exception handling routine to invoke a given API with the parameters that have been pushed on the stack)?

As for memory breakpoints, well, they do work (haven't tried HW breakpoints)!
When I was battling with this tracing stop condition not working, having arrived at the 19th exception I tried placing a memory breakpoint on the instruction following the OEP to stop OllyDbg if the trace stop condition would not work, and that breakpoint did stop OllyDbg's tracing! This is one of the tests I made to verify that tracing stop conditions were failing. Could it be that from the 19th exception on ASProtect does not check or remove breakpoints anymore (this is done by acting on the debug registers, right?).


padawan

PS: around what ASProtect version were stolen bytes introduced?

Last edited by padawan; 02-23-2004 at 17:57.
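The post above asks what a protector gains from deliberately raising exceptions: a debugger check (the debugger sees the exception first, so the program's own handler never runs) or a disguised API call (an index set up before the fault, a handler that does the lookup and the call). The following is an added example that is not from this thread and says nothing about what ASProtect itself does; it makes both hypotheses concrete in working code. It is written against POSIX signals instead of Windows SEH, so `raise(SIGTRAP)` stands in for an `int3` or faulting instruction, `sigaction` stands in for a registered SEH frame, gdb stands in for OllyDbg, and the two "API" functions and the table are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the thread): the two ways a protector can use a
 * deliberately raised exception, written with POSIX signals as a stand-in for
 * Windows SEH. SIGTRAP via raise() plays the role of an int3 or faulting
 * instruction; gdb plays the role of OllyDbg. Table and ops are hypothetical. */

static volatile sig_atomic_t g_handler_ran;   /* did our handler get the trap? */
static volatile sig_atomic_t g_trap_count;    /* how many traps the handler saw */
static volatile sig_atomic_t g_index = -1;    /* "which API" selector, -1 = none */
static volatile sig_atomic_t g_arg_a, g_arg_b, g_result;

/* Hypothetical stand-ins for the APIs a protector would dispatch to. */
static int op_add(int a, int b) { return a + b; }
static int op_mul(int a, int b) { return a * b; }
typedef int (*op_fn)(int, int);
static const op_fn g_table[] = { op_add, op_mul };
#define TABLE_LEN ((int)(sizeof g_table / sizeof g_table[0]))

static void on_trap(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si; (void)ctx;
    g_handler_ran = 1;
    g_trap_count++;
    /* Technique 2: the "exception" is really a call. The selector and the
     * arguments were set up before the trap; the handler does the lookup. */
    if (g_index >= 0 && g_index < TABLE_LEN)
        g_result = g_table[g_index](g_arg_a, g_arg_b);
}

/* Install the handler; returns sigaction()'s result, 0 on success. */
int install_trap_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_trap;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    g_trap_count = 0;
    return sigaction(SIGTRAP, &sa, NULL);
}

/* Technique 1: raise a trap and check whether *we* received it. With no
 * debugger attached the handler runs before raise() returns, so this is 0.
 * Under gdb's default "handle SIGTRAP stop nopass" the debugger keeps the
 * trap, the handler never runs, and this is 1. */
int debugger_swallowed_trap(void)
{
    g_handler_ran = 0;
    g_index = -1;
    raise(SIGTRAP);
    return g_handler_ran ? 0 : 1;
}

/* Technique 2 from the caller's side: "call" table entry idx with (a, b)
 * by raising the trap and letting the handler do the work. An out-of-range
 * idx leaves the result at 0. */
int call_via_trap(int idx, int a, int b)
{
    g_index = idx;
    g_arg_a = a;
    g_arg_b = b;
    g_result = 0;
    raise(SIGTRAP);
    g_index = -1;
    return g_result;
}

/* Traps the handler has actually seen since install. Each one is also a stop
 * in an attached debugger; the protected code only gets past it if the
 * debugger then passes the exception on so the handler runs. */
int trap_count(void)
{
    return g_trap_count;
}

int main(void)
{
    if (install_trap_handler() != 0) {
        perror("sigaction");
        return 1;
    }
    printf("debugger swallowed the trap: %d\n", debugger_swallowed_trap());
    printf("op_add(3, 4) via trap: %d\n", call_via_trap(0, 3, 4));
    printf("op_mul(3, 4) via trap: %d\n", call_via_trap(1, 3, 4));
    printf("traps seen by handler: %d\n", trap_count());
    return 0;
}
```

Run it plainly and the first line prints 0; run it under gdb and continue past the SIGTRAP stop and it prints 1, because gdb consumed the trap instead of delivering it. `handle SIGTRAP nostop noprint pass` in gdb makes it print 0 again, which is the same idea as telling a Windows debugger to pass the exception to the program: a check of this kind only works when the debugger keeps the exception, and an exception count taken in the debugger only lines up with the program's own handler when every exception is passed through.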
All times are GMT +8.