#1
1tox latest version
I found some Olly tuts on the net for this one, but the latest version 2.63 seems harder to crack: it won't let me run it in Olly, even if I try to hide it with the Olly "is debugger present" plugin. Checking with PEiD, it shows that the protection is Armadillo 1.xx-2.xx & Silicon Realms Toolworks.
What would be the next step to follow from here? I'm keen to try something a little harder now.
#2
bpx on IsDebuggerPresent, then force it to return 0.
Might work.
#3
Thanks, how do I force it to return 0 exactly?
#4
I thought that was what the Olly plugin did, actually.
#5
The OllyDbg plugin does more than that: it actually writes directly into the process information block, so the original IsDebuggerPresent routine is still run.
#6
I see. Well, the plugin doesn't work in this case. I've tried fiddling with reversing the conditional jumps around the "IsDebuggerPresent" part of the program, and it does run for longer, but then comes up with access errors.
Anyone got any other ideas?
Last edited by Pompeyfan; 01-06-2004 at 17:57.
#7
You could try to patch Kernel32.DLL:
hxxp://www.addict3d.org/index.php?page=viewarticle&type=security&ID=442
Last edited by Rhodium; 01-06-2004 at 10:23.
#8
Very interesting. I have posted a reply there, as my XP Pro KERNEL32.DLL has these lines when following this method:

    77E72740 64A118000000 mov eax, dword ptr fs:[00000018]
    77E72746 8B4030       mov eax, dword ptr [eax+30]
    77E72749 0FB64002     movzx eax, byte ptr [eax+02]
    77E7274D C3           ret

So I'm interested to see if anyone can suggest a workaround for this; it is beyond my knowledge at this stage, unfortunately. Thanks for posting anyway, I find this very interesting.
#9
    77E72740 64A118000000 mov eax, dword ptr fs:[00000018]
    77E72746 8B4030       mov eax, dword ptr [eax+30]
    77E72749 0FB64002     movzx eax, byte ptr [eax+02]
    77E7274D C3           ret

Change the movzx eax, byte ptr [eax+02] to XOR EAX, EAX, then fill the rest with NOPs. I did this on my XP and made the changes permanent, so it's always active. If you don't make it permanent, you will need to do it every time you start the debugger up.
-Peter
#10
So, could you tell me what changes this involves in Hiew, if that isn't asking too much?
#11
The below will not work with everything though, as the byte used in the PIB will still signify that a debugger is present, and so protectors such as Armadillo will still throw up errors, as they compare the result of IsDebuggerPresent with this byte. The best thing to do really is to make IsDebuggerPresent overwrite this value with a zero and THEN return 0. Still not perfect, however, as some protectors don't even call IsDebuggerPresent and just check the PIB directly, as it can easily be accessed by offsetting from the FS register.
There are times you want IsDebuggerPresent to return a non-zero value anyway, so I find it easier to just modify the PIB (which indirectly modifies IsDebuggerPresent, as it depends on this value also) whenever I debug a program that checks this.
|
#12
#13
Will the PIB method always work?
I would also like to know how. Thanks, Squidge.
#14
Pompey, make sure you are not running another debugger. The Hide Debugger plugin worked fine on it. I should say that if you are, the client app is catching the other debugger.
#15
IsDebuggerPresent:

    77E72740 64A118000000 mov eax, dword ptr fs:[00000018]
    77E72746 8B4030       mov eax, dword ptr [eax+30]
    77E72749 0FB64002     movzx eax, byte ptr [eax+02]
    77E7274D C3           ret

In the memory dump window, edit [eax+2]; its address is 7FFDF002. Change its value from 1 to 0!
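As an added illustration (not code from the thread, nor from OllyDbg, Armadillo or any plugin mentioned), here is a small C model of the walk the disassembly above performs and of the two fixes the thread discusses: Peter's kernel32 patch (#9) and Squidge's PEB-byte clear (#11/#15). The memory layout, the TEB address and all helper names are constructed for the example; only the PEB address 7FFDF000 is taken from the 7FFDF002 in post #15. It shows why a protector that reads the byte through FS itself can tell the kernel32 patch apart from a real no-debugger state, while clearing the byte leaves both views consistent.

```c
#include <stdint.h>
#include <string.h>

/* Added example: a 32-bit memory model that reproduces the IsDebuggerPresent
 * walk quoted in the thread: fs:[18] -> TEB, [TEB+30] -> PEB, byte [PEB+2].
 * The PEB address 7FFDF000 follows from the 7FFDF002 in post #15; the TEB
 * address and all other memory contents are constructed for this demo. */
#define MEM_BASE 0x7FFDE000u
#define MEM_SIZE 0x2000u              /* one page for the TEB, one for the PEB */
#define TEB_ADDR 0x7FFDE000u          /* constructed fs segment base */
#define PEB_ADDR 0x7FFDF000u

static uint8_t mem[MEM_SIZE];

static uint32_t rd32(uint32_t va) {   /* little-endian host assumed, as on x86 */
    uint32_t v; memcpy(&v, &mem[va - MEM_BASE], 4); return v;
}
static void wr32(uint32_t va, uint32_t v) { memcpy(&mem[va - MEM_BASE], &v, 4); }

/* mov eax,fs:[18] / mov eax,[eax+30] / [eax+2]: the BeingDebugged byte.
 * Only valid after setup_debugged_process() has filled in the pointers. */
static uint8_t *peb_being_debugged(void) {
    return &mem[rd32(rd32(TEB_ADDR + 0x18) + 0x30) + 2 - MEM_BASE];
}

/* A process with a debugger attached: the loader set PEB.BeingDebugged = 1. */
uint32_t setup_debugged_process(void) {
    memset(mem, 0, sizeof mem);
    wr32(TEB_ADDR + 0x18, TEB_ADDR);  /* NtTib.Self */
    wr32(TEB_ADDR + 0x30, PEB_ADDR);  /* TEB.ProcessEnvironmentBlock */
    return *peb_being_debugged() = 1;
}

/* Original kernel32 routine: the movzx returns the byte itself. */
uint32_t isdebuggerpresent_original(void) { return *peb_being_debugged(); }

/* Peter's patch (#9): movzx replaced by xor eax,eax; the PEB byte is never touched. */
uint32_t isdebuggerpresent_patched(void) { (void)peb_being_debugged(); return 0; }

/* Squidge's point (#11): a protector reads the byte itself via fs and compares
 * it with the API result; a mismatch reveals a patched IsDebuggerPresent. */
int protector_detects_tamper(uint32_t (*idp)(void)) {
    return (idp() != 0) != (*peb_being_debugged() != 0);
}

/* Squidge's alternative (#11/#15): clear the PEB byte so both views agree. */
uint32_t clear_beingdebugged(void) { return *peb_being_debugged() = 0; }
```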