EXETOOLS FORUM  

  #31  
12-09-2013, 03:30
ferrit.rce (VIP)
First of all, Win2k3 is not supported at all! Maybe it works, but there is absolutely no guarantee. See readme.txt...
Quote:
OS support:
- WinXP x32
- WinXP WoW64
- Win7 x32
- Win7 WoW64
Another question: have you installed the necessary libraries? Without them it is 100% certain not to do anything...
Quote:
Requirements:
- Microsoft Visual C++ 2010 Redistributable Package (x86)
Quote:
Originally Posted by sendersu
@ferrit.rce
OllyExt 1.6.1 does not run at all on Win2k3 Server x32...
not even a single line in the log window of Olly 2.01...
http://prntscr.com/290fap
http://prntscr.com/290fih
http://prntscr.com/290g8l
P.S. Another v2 plugin, OllyDumpEx v1.30, was loaded successfully.

any ideas?
  #32  
12-09-2013, 03:52
ferrit.rce (VIP)
I have test code for this, and it's relevant only in some rare circumstances. The user-mode debugger can be detected only if a kernel-mode debugger is installed and running and the program is debugged under the user-mode debugger. I've never seen this protection in any protector, but I can implement it in no time. This will be done in the next release...

Quote:
Originally Posted by s0me0n3
I have to disagree from what I can see on the pastebin stuff:
[attachment not preserved]
and
[attachment not preserved]
Tell me where I am wrong.
  #33  
12-09-2013, 07:08
ferrit.rce (VIP)
@sendersu: If you want Win2k3 support, do the steps in the attached file.
Attached Files
File Type: txt howto_request_new_os_support.txt (746 Bytes, 26 views)
  #34  
12-12-2013, 05:56
sendersu (VIP)
@ferrit.rce
Info carefully collected & sent by PM.
Please review.
  #35  
12-14-2013, 03:59
qkumba (Friend)
Quote:
Originally Posted by ferrit.rce
I have test code for this, and it's relevant only in some rare circumstances. The user-mode debugger can be detected only if a kernel-mode debugger is installed and running and the program is debugged under the user-mode debugger. I've never seen this protection in any protector, but I can implement it in no time. This will be done in the next release...
That's not even quite true. It's not detecting any user-mode debugger. It's detecting that a kernel debugger is running and that the process has the SeDebugPrivilege, which is completely independent of any user-mode debugger.

It's not a reliable detection method.
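The check the two posts above argue about, as an added example (my code, not OllyExt's and not code posted by anyone in this thread). It models the two gates the kernel puts in front of NtSystemDebugControl, scans a token's privilege list for an enabled SeDebugPrivilege, and on Windows runs the live probe against the current process. The two privilege lists are constructed, the order of the two gates is my assumption (the argument does not depend on it), and the command number handed to the live call is my pick, since the two status codes the trick keys on are returned before any command is handled.

```c
/* Added example, not OllyExt code: the NtSystemDebugControl probe the two
 * posts above argue about, and why it is a poor "user-mode debugger" check.
 * The portable part models the logic; the _WIN32 part runs the live probe. */
#include <stdio.h>
#include <stdlib.h>

/* NTSTATUS codes from ntstatus.h */
#define NT_STATUS_ACCESS_DENIED     0xC0000022UL
#define NT_STATUS_DEBUGGER_INACTIVE 0xC0000354UL

/* Privilege LUIDs from winnt.h (SE_*_PRIVILEGE) and the "enabled" attribute */
#define LUID_SHUTDOWN      19ULL
#define LUID_DEBUG         20ULL            /* SeDebugPrivilege */
#define LUID_CHANGE_NOTIFY 23ULL
#define PRIV_ENABLED       0x00000002UL     /* SE_PRIVILEGE_ENABLED */

typedef struct { unsigned long long luid; unsigned long attrs; } priv_entry;
enum verdict { NO_SEDEBUG, NO_KERNEL_DEBUGGER, KD_AND_SEDEBUG };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* SeDebugPrivilege must be present AND enabled; present-but-disabled (the
 * default in an elevated shell) still fails the kernel's privilege check. */
int sedebug_enabled(const priv_entry *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i].luid == LUID_DEBUG && (p[i].attrs & PRIV_ENABLED))
            return 1;
    return 0;
}

/* Model of the two gates in front of the real syscall.  Their order is my
 * assumption; the argument only needs "any other status => both passed". */
unsigned long model_debug_control(int sedebug_on, int kernel_debugger_on)
{
    if (!sedebug_on)         return NT_STATUS_ACCESS_DENIED;
    if (!kernel_debugger_on) return NT_STATUS_DEBUGGER_INACTIVE;
    return 0UL;   /* STATUS_SUCCESS or a command-specific code: got through */
}

/* All a protector can conclude from the returned status */
enum verdict classify_status(unsigned long status)
{
    if (status == NT_STATUS_ACCESS_DENIED)     return NO_SEDEBUG;
    if (status == NT_STATUS_DEBUGGER_INACTIVE) return NO_KERNEL_DEBUGGER;
    return KD_AND_SEDEBUG;                     /* the "debugger found" branch */
}

/* Constructed privilege lists, not captured from real tokens */
const priv_entry TOKEN_FROM_DEBUGGER[] = {  /* child of a debugger that enabled SeDebug */
    { LUID_SHUTDOWN, 0 }, { LUID_DEBUG, PRIV_ENABLED }, { LUID_CHANGE_NOTIFY, PRIV_ENABLED } };
const priv_entry TOKEN_ELEVATED_SHELL[] = { /* SeDebug held but left disabled */
    { LUID_SHUTDOWN, 0 }, { LUID_DEBUG, 0 }, { LUID_CHANGE_NOTIFY, PRIV_ENABLED } };

#ifdef _WIN32
#include <windows.h>
typedef LONG (NTAPI *NtSystemDebugControl_t)(ULONG, PVOID, ULONG, PVOID, ULONG, PULONG);

/* Copy the current process token's privileges into priv_entry form */
size_t read_token_privileges(priv_entry *out, size_t cap)
{
    HANDLE tok; DWORD len = 0; size_t n = 0;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return 0;
    GetTokenInformation(tok, TokenPrivileges, NULL, 0, &len);   /* size query */
    TOKEN_PRIVILEGES *tp = (TOKEN_PRIVILEGES *)malloc(len);
    if (tp && GetTokenInformation(tok, TokenPrivileges, tp, len, &len))
        for (DWORD i = 0; i < tp->PrivilegeCount && n < cap; i++, n++) {
            LUID l = tp->Privileges[i].Luid;
            out[n].luid  = ((unsigned long long)(ULONG)l.HighPart << 32) | l.LowPart;
            out[n].attrs = tp->Privileges[i].Attributes;
        }
    free(tp);
    CloseHandle(tok);
    return n;
}

/* Live probe.  Command 7 (SysDbgQueryVersion) is my pick: the two gate
 * statuses come back before any command-specific handling. */
unsigned long live_debug_control(void)
{
    NtSystemDebugControl_t fn = (NtSystemDebugControl_t)
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtSystemDebugControl");
    ULONG ret = 0;
    return fn ? (unsigned long)(ULONG)fn(7, NULL, 0, NULL, 0, &ret) : 0UL;
}
#endif

int main(void)
{
#ifdef _WIN32
    priv_entry privs[64];
    size_t n = read_token_privileges(privs, COUNT(privs));
    unsigned long st = live_debug_control();
    printf("SeDebugPrivilege enabled in my token: %d\n", sedebug_enabled(privs, n));
    printf("NtSystemDebugControl -> 0x%08lX, verdict %d\n", st, (int)classify_status(st));
#else
    /* Off Windows: replay the two cases the posts describe */
    int inherited = sedebug_enabled(TOKEN_FROM_DEBUGGER, COUNT(TOKEN_FROM_DEBUGGER));
    printf("under OllyDbg, no kernel debugger: verdict %d (nothing seen)\n",
           (int)classify_status(model_debug_control(inherited, 0)));
    printf("no user-mode debugger, SeDebug on, KD attached: verdict %d (flagged)\n",
           (int)classify_status(model_debug_control(1, 1)));
#endif
    return 0;
}
```

Built on Windows it prints the live values for your own process; elsewhere it replays the two cases. A debuggee launched by OllyDbg inherits the enabled SeDebugPrivilege, but without a kernel debugger the call still comes back STATUS_DEBUGGER_INACTIVE and the trick sees nothing; an elevated process that enabled SeDebugPrivilege itself on a machine with a kernel debugger attached gets flagged with no user-mode debugger anywhere. That is the unreliability qkumba describes. A plugin that wants to make the probe inert only has to make the call return STATUS_DEBUGGER_INACTIVE; the OllyExt 1.7 changelog below lists NtSystemDebugControl, but how the plugin handles it is not described in this thread.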
  #36  
01-02-2014, 22:29
GarfieldPower
Great job as always!
  #37  
02-04-2014, 02:44
ferrit.rce (VIP)
New v1.7 is out. Changes:
Code:
13.01.2014
	- Ini file handling reimplemented (OllyDbg dependency reduction)

12.01.2014
	- OS detection is completely rewritten because on 8.1 GetVersionEx is deprecated

12.01.2014
	- XED library added as JIT compiler (OllyDbg dependency reduction)
	- Centralized debugger dependent functionalities

08.01.2014
	- Windows 8 support
	- Windows 8.1 support

07.01.2014
	- Windows Server 2012 support

06.01.2014
	- ProcessDebugObjectHandle and DebugProcessFlags were mixed up in the GUI :)

05.01.2014
	- Windows Server 2008 R2 support
	- Windows Server 2012 R2 support

02.01.2014
	- Target process memory read and write fix

12.12.2013
	- Windows Server 2003 R2 support

08.12.2013
	- NtSystemDebugControl
PLEASE NOTE that there were major changes inside the code! This could break features that were working previously. Please send reports as usual...
Attached Files
File Type: zip OllyExt_1.7.zip (269.0 KB, 43 views)
  #38  
02-10-2014, 05:47
ferrit.rce (VIP)
New v1.71 is out to solve some annoying problems. Changes:
Code:
09.02.2014
	- No active debuggee in case of protection changes fix
	- CloseHandle hook moved to NtClose
	- Lots of internal changes
Attached Files
File Type: zip OllyExt_1.71.zip (404.9 KB, 43 views)
  #39  
02-11-2014, 17:16
Computer_Angel (Lo*eXeTools*rd)
Quote:
Originally Posted by ferrit.rce
New v1.71 is out to solve some annoying problems. Changes:
Code:
09.02.2014
	- No active debuggee in case of protection changes fix
	- CloseHandle hook moved to NtClose
	- Lots of internal changes
ProtectDRX seems broken in this version; my target is in an infinite loop if this option is checked. This didn't happen in the previous version (1.6x).
My OS: Win 8.1 x64
  #40  
02-11-2014, 17:35
ferrit.rce (VIP)
OK, I'll fix it ASAP...
  #41  
02-11-2014, 22:53
mr.exodia (Super Moderator)
@ferrit.rce: how do you use the XED library? Would it be possible to share a little source snippet? I'm still looking for an assembler for x64_dbg.

Greetings
  #42  
02-12-2014, 00:02
ferrit.rce (VIP)
OK, I'll PM you the details...

Quote:
Originally Posted by mr.exodia
@ferrit.rce: how do you use the XED library? Would it be possible to share a little source snippet? I'm still looking for an assembler for x64_dbg.

Greetings
  #43  
02-12-2014, 01:11
softgate (Friend)
Hi, I'm trying to run it (VMProtect) under Olly2 without being detected:
http://www12.zippyshare.com/v/82220150/file.html

I've read this thread from the top and tried the set of parameters you mentioned earlier, as well as all the OllyExt options enabled, but it still detects the existence of Olly2.

I'm using Win7 x64 and the latest Olly2 and OllyExt (and no other plugins). Olly2's SFX features are all disabled and all exceptions are ignored.

Any help would be much appreciated!

  #44  
02-12-2014, 19:21
ahmadmansoor (Exetools Team Manager)
Quote:
Originally Posted by ferrit.rce
OK, I'll PM you the details...
Quote:
@ferrit.rce: how do you use the XED library? Would it be possible to share a little source snippet?
Can I have this too, please?
Thanks
  #45  
02-12-2014, 21:26
mr.exodia (Super Moderator)
@ahmadmansoor: Somewhere these days I will start working on an open source asm parser for the XED library. I will add you to the repo when this project is started.

Greetings

Tags
anti-anti-debug, anti-debug, ollydbg, ollyext, plugin

All times are GMT +8.