Thread: Does asprotect have anti-tracing code???

  1. #1
    padawan
    Guest

    Hello,

    I'm taking a look at an application protected with Asprotect 1.2/1.2c. Looking for the OEP, I used the trace function of OllyDbg, setting a stop condition of EIP < 900000, just as described in two different tutorials by LaBBa (http://www.woodmann.net/forum/showthread.php?t=4958 and http://www.woodmann.net/forum/showthread.php?t=4614). But this trace stop condition DOES NOT work!! OllyDbg goes past the OEP (which is indeed < 900000), running forever. I repeated this step various times and then gave up, thinking that asprotect must have some anti-tracing code.
    But this explanation does not satisfy me, especially considering that the specific version of asprotect isn't very recent.

    Can anyone help me understand what is happening or suggest how I could go about investigating this behavior???
    I already found the OEP, so I don't really need this step; still, it disturbs me not to understand what is happening.


    padawan

    PS: I searched the forum for someone reporting something like this but came up with nothing.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    The trace into function of Olly, in my experience, is not perfect; many times it crashes or steps lines easily.

    The better way to make trace into work well is to start in the asprotect code, not in an API, and clear all options in DEBUGGING OPTIONS-TRACE.

    If the trace crashes, go to the last line before the crash and put a hardware bpx, run till this line, step the API, and continue tracing.

    Ricardo

  3. #3
    padawan
    Guest
    Thanks Ricardo,

    I was starting the trace from inside ntdll.dll and I had the option to trace over system DLLs selected. Unfortunately OllyDbg seems to have a bug, because in this situation any pause condition (such as EIP<900000) is somehow ignored and tracing goes on forever.

    padawan
    Last edited by padawan; February 23rd, 2004 at 17:04.