
Thread: Armadillo for dummies (vol 2) english

  1. #61

    softice

    The new Armadillos detect SoftICE installed; if you have SoftICE installed, perhaps the program refuses to run.

    OllyDbg is easier to use: use HideDebugger 1.2 and the program runs perfectly in OllyDbg. Don't use BPs, use hardware breakpoints and it works perfectly. Only Armadillo 4 has a special feature to protect against OllyDbg; it is a known and documented buffer underrun: it passes a large string to the buffer to make OllyDbg crash.

    The OutputDebugString function sends a string to the debugger for the current application.

    VOID OutputDebugString(
        LPCTSTR lpOutputString // pointer to string to be displayed
    );

    To this API a large string is passed that makes OllyDbg crash, but it is easy to intercept knowing how it works, jeje.

    Ricardo Narvaja

  2. #62
    OK, I DO have softice installed, do I need to rename it, or move it or something?

    I downloaded HideDebugger 1.2, and used the "Detach" option of it to "hide" Olly, and I still get the "For security purposes" messagebox. Also, I have NO breakpoints set, I'm just trying to get the program to run AT ALL under Olly.

  3. #63
    Naides is Nobody
    Quote Originally Posted by FrankRizzo
    OK, I DO have softice installed, do I need to rename it, or move it or something?
    Try IceExt first. Read the instructions: IceExt does not HIDE Sice automatically; you need to explicitly type the !protect command in Sice.

  4. #64
    OK, I got IceExt 0.65, installed it, and did a "!protect on", and it listed all the items as "ON". Loaded olly, "detached" the debugger, and ran it. Same response.. :-\

  5. #65
    Timbo
    Guest
    chad always likes to play but try evals hint:

    At the start of ntice's INT0E handler you will meet the instruction:
    8164240CFFFFFEFF = AND dword[esp+0C],0FFFEFFFF
    so try changing byte FE to FF, which avoids RF removal.

    mentioned here:
    http://www.woodmann.net/forum/showthread.php?t=5514

  6. #66

    OK...HOW?

    I read the message you linked to, but have NO idea how to do that in Soft-Ice. Any links on how to do that? (I assume that when you edit it manually you have to adjust some sorta checksum, as I made the change in ntice.sys, and it refused to load after that).

  7. #67
    Did you perhaps notice in the thread referenced above, that at that time, ARMA was also checking the registry for the presence of IceExt?????

    Regards,
    JMI

  8. #68
    Yeah, thanks JMI.. I just tried that also..

    Guys, I promise, I'm not a newbie idiot, I'm just having a hard time with this.

  9. #69
    THAT is what keeps it interesting. If it were all easy, no one would do it.

    Regards,
    JMI

  10. #70
    I agree! I tend to lose interest in things that are TOO simple.. My problem with this is that I have been "led" so far into it that I'm not sure where I am.

  11. #71
    As +Orc would have said: "You are in the dark codewoods."

    Regards,
    JMI

  12. #72
    Absolutely! I'm trying to FEEL the code now, "Zen-like" as he would have also suggested, but I'm getting no where.

  13. #73
    Have you considered looking at your program in IDA and trying to find where the message is coming from and then trying to break on the part of the code which invokes this message to see what it is choking on?

    Regards,
    JMI

  14. #74
    Kayaker
    Quote Originally Posted by FrankRizzo
    (I assume that when you edit it manually you have to adjust some sorta checksum, as I made the change in ntice.sys, and it refused to load after that).
    Hi, Yes you do have to adjust the checksum. Use LordPE. ntice.sys should load.

    Kayaker
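    The checksum Kayaker refers to is the CheckSum field in the PE optional header; the kernel refuses to load a driver whose stored value does not match the image, which is why a hand-patched ntice.sys would not load. The following is an added example, not LordPE's code or anything from this thread: it implements the documented ImageHlp CheckSumMappedFile algorithm (16-bit word sum with end-around carry, skipping the CheckSum dword, plus the file length), builds a constructed minimal PE skeleton, patches one byte in it the way the thread describes, and recomputes the field so the image verifies again. The skeleton builder and the patch offset are assumptions for the demonstration.

```python
import struct

# Offsets inside a PE image (fixed by the format, not by this thread).
E_LFANEW_OFFSET = 0x3C          # DOS header field pointing at "PE\0\0"
COFF_HEADER_SIZE = 20
CHECKSUM_OFFSET_IN_OPTIONAL = 64  # IMAGE_OPTIONAL_HEADER.CheckSum


def checksum_field_offset(data: bytes) -> int:
    """File offset of the CheckSum dword: e_lfanew + 4 (signature) + 20 + 64."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + COFF_HEADER_SIZE + CHECKSUM_OFFSET_IN_OPTIONAL


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """ImageHlp-style checksum: sum of 16-bit words with carry folded back in,
    the CheckSum dword itself treated as zero, then the file length added."""
    padded = data + (b"\0" if len(data) % 2 else b"")  # odd trailing byte
    total = 0
    for off in range(0, len(padded), 2):
        if checksum_offset <= off < checksum_offset + 4:
            continue  # the stored field must not influence its own value
        total += padded[off] | (padded[off + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def checksum_ok(data: bytes) -> bool:
    """True when the stored CheckSum matches the image contents."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    return stored == pe_checksum(data, off)


def fix_checksum(data: bytes) -> bytes:
    """Return a copy with the CheckSum field rewritten (what LordPE does)."""
    off = checksum_field_offset(data)
    patched = bytearray(data)
    struct.pack_into("<I", patched, off, pe_checksum(data, off))
    return bytes(patched)


def patch_byte(data: bytes, offset: int, old: int, new: int) -> bytes:
    """Replace one byte, refusing to touch anything but the expected value."""
    if data[offset] != old:
        raise ValueError("unexpected byte at offset 0x%X" % offset)
    patched = bytearray(data)
    patched[offset] = new
    return bytes(patched)


def build_sample_image() -> bytes:
    """Constructed, non-loadable PE32 skeleton used only to exercise the code:
    DOS header, PE signature, COFF header, 224-byte optional header, a body."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 64)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic; CheckSum left at 0
    body = bytes(range(256)) * 2            # stand-in for the driver's code
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body


if __name__ == "__main__":
    image = fix_checksum(build_sample_image())
    body_start = 64 + 4 + COFF_HEADER_SIZE + 224
    edited = patch_byte(image, body_start + 0xFE, 0xFE, 0xFF)  # the FE->FF style edit
    print("after raw patch, checksum valid:", checksum_ok(edited))
    print("after recompute, checksum valid:", checksum_ok(fix_checksum(edited)))
```

    Run it on a real file by replacing build_sample_image() with the bytes of the driver; the same verify-then-recompute sequence applies. The 16-bit folding is exactly what makes a single-byte edit always change the result, so a stale field is detected no matter which byte was touched.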

  15. #75
    Tried IDA, LOTS of trash.. Leading me to believe that I have to stop it somewhere along the way, dump it out, and THEN disassemble it.. (Is there some sorta IDA plug-in that makes it do a better job of disassembling this?) I get VERY little code, and large blobs of data. I changed the sections from data to code that were obvious, 58, 59, and the like.. Also, I looked for strings, and the strings are either encrypted, or built on the fly..
