|
|
|
|
#1
09-02-2004, 01:10
|
|||
|
|||
|
In Olly Exception box, uncheck Memory Access Violation. Hide Is DebuggerPresent, then press Run (F9). After pressing 2 times Shift+F9, you will land here (similar look likes the following codes):
POP DWORD PTR DS:[EAX] POP DWORD PTR FS:[0] ADD ESP,4 PUSHAD/POPAD PUSH EAX PUSH ECX PUSH EBX PUSH EDX then you may use Bp command. Bp detection trick no longer work. kyrios 
|
|
#2
09-02-2004, 02:09
|
|||
|
|||
|
???
I did run Olly without having the Memory Access Violation checked. After one F9 and two SHIFT F9's I end up here:
004978F4 F0:F2: LOCK PREFIX REPNE: ; LOCK prefix is not allowed 004978F6 F9 STC 004978F7 B0 F4 MOV AL,0F4 004978F9 B1 B0 MOV CL,0B0 004978FB B0 B0 MOV AL,0B0 004978FD B0 F0 MOV AL,0F0
|
|
#3
09-02-2004, 05:21
|
|||
|
|||
|
Many packers and protectors checks the first bytes of the API functions to decide whether breakpoints, "INT3" (CCh), are placed.
Thefore, you could defeat the API detector by breaking at the next second or third instructions.
|
|
#4
09-02-2004, 16:21
|
|||
|
|||
|
Not so easy... many protectors use disasm engine (like zombie's xde) and check more than 2-3 instructions.
|
|
#5
09-03-2004, 00:26
|
|||
|
|||
|
Quote:
kyrios
|
|
#6
09-03-2004, 03:47
|
|||
|
|||
|
Quote:
|
|
#7
09-03-2004, 04:10
|
|||
|
|||
|
Hmmm
Thanks for the input, but it doesn't work on my computer. when I hit Shift F9 once more I end up here:
0049F1B1 EC IN AL,DX ; I/O command 0049F1B2 8BF5 MOV ESI,EBP 0049F1B4 2031 AND BYTE PTR DS:[ECX],DH 0049F1B6 3132 XOR DWORD PTR DS:[EDX],ESI If I push Shift F9 once more after this,the program terminates.
|
 |
| Thread Tools | |
| Display Modes | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| ASPR, ARMA question | sgdt | General Discussion | 3 | 04-09-2006 03:38 |
| About Arma | hobgoblin | General Discussion | 1 | 02-02-2004 19:53 |
Hybrid Mode
