Arma question (again...)

Hi,

I had the same problem some time ago. When i set a bp on WriteProcessMemory, the app kept running in an endless loop.

It seems the new Arma detect bp's. I used he instead.
"HE WriteProcessMemory" worked without any problems, but only after I renamed every "OllyDbg" to something else.

Hope this helps.



Regards,

sTfN0X

[hobgoblin]

I can't get he breakpoints to work either on this one. But memory on access on the api WriteProcessMemory worked.:-)
Still can't get a dump though. Somehow I run into problems with the child process after detaching it. Even if I rename Olly (in addition I used windowsjuggler). Well, guess I have to dig deeper....

hobgoblin

[Kyrios]

In Olly Exception box, uncheck Memory Access Violation. Hide Is DebuggerPresent, then press Run (F9). After pressing 2 times Shift+F9, you will land here (similar look likes the following codes):
POP DWORD PTR DS:[EAX]
POP DWORD PTR FS:[0]
ADD ESP,4
PUSHAD/POPAD
PUSH EAX
PUSH ECX
PUSH EBX
PUSH EDX

then you may use Bp command. Bp detection trick no longer work.

kyrios

[hobgoblin]

I did run Olly without having the Memory Access Violation checked. After one F9 and two SHIFT F9's I end up here:

004978F4 F0:F2: LOCK PREFIX REPNE: ; LOCK prefix is not allowed
004978F6 F9 STC
004978F7 B0 F4 MOV AL,0F4
004978F9 B1 B0 MOV CL,0B0
004978FB B0 B0 MOV AL,0B0
004978FD B0 F0 MOV AL,0F0

Many packers and protectors checks the first bytes of the API functions to decide whether breakpoints, "INT3" (CCh), are placed.

Thefore, you could defeat the API detector by breaking at the next second or third instructions.

Not so easy... many protectors use disasm engine (like zombie's xde) and check more than 2-3 instructions.

[Kyrios]

Quote:

I did run Olly without having the Memory Access Violation checked. After one F9 and two SHIFT F9's I end up here:

Then u another Shift+F9 pressing till you meet the similar codes i type above. Because i set some custom exceptions in "Ignore also following custom exceptions or ranges".

kyrios