ollydbg, corrupt int3 breakpoint message


stephanie
March 28th, 2012, 06:46
I've tried multiple Google searches and really couldn't find any information on this. The only thing I could think of is that the program has protection on it.

- Not sure if it is loading or helped but I put Hide Debugger 1.24 in the ollydbg folder
- I don't know how old this is but, I also used ProtectionID_v6.4.0. File appears to have no protection or is using an unknown protection

- I get a lot of the same messages like this and it eventually ends with exception is non-continuable.

Darkelf
March 28th, 2012, 06:58
Hi,

Could you please describe in a bit more detail what you did and what you are trying to do?
A (more readable) screenshot of your breakpoints would be good, too.
Please understand that we all are not very advanced in the art of crystal-ball reading, therefore it's a bit hard to guess what has happened.

Most likely it's just like the messagebox says: self-modifying code (or packed).
This could cause such behavior. You set a breakpoint, let the program run and the CC (int3) Olly has set is overwritten with some other instruction. But as I said, it's nearly impossible to tell that from the information you've provided.

Best regards
darkelf
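
Added example, not part of the original thread and not any poster's code: a small Python model of the mechanism described in the reply above, where a debugger's 0xCC byte is overwritten by self-modifying code. The class, function names and the XOR "unpacker" are hypothetical, and the memory image is constructed for illustration.

```python
INT3 = 0xCC  # x86 one-byte software breakpoint opcode


class SoftBreakpoints:
    """Toy model of a debugger's software-breakpoint table over a memory image."""

    def __init__(self, memory: bytearray):
        self.memory = memory
        self.saved = {}  # address -> original byte that INT3 replaced

    def set(self, addr: int) -> None:
        self.saved[addr] = self.memory[addr]
        self.memory[addr] = INT3

    def audit(self) -> dict:
        """Report each breakpoint as 'intact' or 'corrupt' (INT3 no longer there)."""
        return {a: "intact" if self.memory[a] == INT3 else "corrupt"
                for a in self.saved}

    def remove(self, addr: int) -> bool:
        """Restore the saved byte only if INT3 is still in place."""
        original = self.saved.pop(addr)
        if self.memory[addr] != INT3:
            return False  # writing the stale byte back would clobber new code
        self.memory[addr] = original
        return True


def unpack_stub(memory: bytearray, start: int, key: int) -> None:
    """Stand-in for self-modifying code: XOR-decodes a region in place."""
    for i in range(start, len(memory)):
        memory[i] ^= key


def demo():
    # Constructed image: 4 NOPs (the stub area), then 4 packed bytes.
    real = bytes([0x55, 0x8B, 0xEC, 0xC3])  # push ebp; mov ebp,esp; ret
    image = bytearray(b"\x90" * 4 + bytes(b ^ 0x5A for b in real))
    dbg = SoftBreakpoints(image)
    dbg.set(1)  # inside the stub area, never rewritten
    dbg.set(4)  # inside the packed region, rewritten by the unpacker
    unpack_stub(image, 4, 0x5A)
    report = dbg.audit()
    # The decoder read 0xCC instead of the packed byte, so offset 4 now
    # holds 0xCC ^ 0x5A rather than the intended 0x55: the breakpoint is
    # gone and the unpacked code is damaged as well.
    return report, dbg.remove(4), dbg.remove(1), bytes(image)


if __name__ == "__main__":
    print(demo())
```

In this model the breakpoint at offset 4 is reported as corrupt and the decoded byte there is wrong, while the breakpoint in the untouched stub area stays intact and is removed cleanly.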

stephanie
March 28th, 2012, 12:45
Wow, I didn't think when I used the forum code to grab the picture from the url it would be that bad. Sorry! I know this is useless probably for information but decided to upload it anyways.

http://alkaos.com/images/296Untitled.jpg

I have read the FAQ for this site and I'm not seeing anything against what I'm attempting to do. I am trying to make it so a certain program will accept any registration code. What I would do is run ollydbg as admin, open the program's exe inside it and then use the debug/run feature, and it would give many window messages like that.

I've attempted the w32dasm plain text approach and I find no messages related to the registration; I have tried in ollydbg as well. The next step, I figured, would be to attempt a breakpoint on things like getwindowtext. Even the debugger in w32dasm couldn't open this exe, as it would just crash.

Would the next step be to use alternative programs instead of protectionid to verify what it could be protected with? I would also be grateful for some names of those, if it would help.

evlncrn8
January 6th, 2013, 22:12
if you want, upload the files somewhere and I'll grab them and update protection id

deepzero
January 7th, 2013, 18:53
it's good to see the words "pid" and "update" in one sentence!