Thread: Anti ****

  1. #1
    Xacker
    Guest

    Anti ****

    Hiya folks,
    I'm having trouble understanding the protection of a crackme posted by Blue_Orka on crackmes.de.
    It uses some anti-Olly tricks that I couldn't manage to pass.. I can't get to debug the program step by step or do anything..

    When loading the target I get an error msg that it's not a 32-bit application or something.. P.S.: Sice crashes when I run the target, so it's a common trick between the two debuggers..

    I need some help on some known or unpublished tricks.. anti*** or antianti ****
    and yeah, pumqara tricks are old ones and not used here.. so, SOS!

    tnx
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2

    Anti ****

    Use Stud_PE or any PE Editor, change the value of NumberOfRvaAndSizes in Optional Header to 0x10 (16).
    This is an old trick.

  3. #3
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,487
    Blog Entries
    15

    Anti ****

    hehe
    take a look at the Honeynet SOTM 33 article by Nicolas Brulez, or search the RCE board for posts by nico

    oops, why LordPE? what's the problem with using OllyDbg?

    f9 when it is running f12 pause view call stack show procedure
    when in executable module right click view executable file
    right click change display to special
    hit ctrl+g and type 12c
    you will be here
    0000012C 10FF0300 DD 0003FF10 ; NumberOfRvaAndSizes = 3FF10 (261904.)


    right click modify integer to 10 save file
    open this saved file in ollydbg and it shows up nice


    00401044 >PUSH 0 ; /pModule = NULL
    00401046 CALL <JMP.&kernel32.GetMod>; \GetModuleHandleA
    0040104B MOV DWORD PTR DS:[403360]>
    00401050 PUSH 2200 ; /Color = RGB(0.,34.,0.)
    00401055 CALL <JMP.&gdi32.CreateSol>; \CreateSolidBrush
    0040105A MOV DWORD PTR DS:[403368]>
    0040105F PUSH 0 ; /lParam = NULL
    00401061 PUSH BKEYME1.0040107C ; |DlgProc = BKEYME1.0040107C
    00401066 PUSH 0 ; |hOwner = NULL
    00401068 PUSH 65 ; |pTemplate = 65
    0040106A PUSH DWORD PTR DS:[403360] ; |hInst = NULL
    00401070 CALL <JMP.&user32.DialogBo>; \DialogBoxParamA


    oops the cme has a bug on exit
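
The header fix described in posts #2 and #3, as an added example that is not part of the original thread: a small Python check that locates NumberOfRvaAndSizes from the PE headers and resets it to 0x10 when it is larger. The function names and the header-only sample buffer are constructed for illustration; the sample places the field at 0x12C with the value 0x3FF10 quoted in post #3.

```python
import struct

IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16  # 0x10, the value the posts restore

def rva_count_offset(data: bytes) -> int:
    """Return the file offset of OptionalHeader.NumberOfRvaAndSizes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20            # skip PE signature and COFF file header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                 # PE32 optional header
        return opt + 92
    if magic == 0x20B:                 # PE32+ optional header
        return opt + 108
    raise ValueError(f"unknown optional header magic {magic:#x}")

def check_and_fix(data: bytes):
    """Return (offset, old_value, patched_bytes); patched only if value > 16."""
    off = rva_count_offset(data)
    (count,) = struct.unpack_from("<I", data, off)
    patched = bytearray(data)
    if count > IMAGE_NUMBEROF_DIRECTORY_ENTRIES:
        struct.pack_into("<I", patched, off, IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
    return off, count, bytes(patched)

def constructed_sample() -> bytes:
    """Constructed header-only buffer for the demo, not the crackme itself."""
    e_lfanew = 0xB8                    # chosen so the field lands at 0x12C
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + 24, 0x10B)
    struct.pack_into("<I", buf, e_lfanew + 24 + 92, 0x0003FF10)
    return bytes(buf)

if __name__ == "__main__":
    off, old, fixed = check_and_fix(constructed_sample())
    new = struct.unpack_from("<I", fixed, off)[0]
    print(f"NumberOfRvaAndSizes at {off:#x}: {old:#x} -> {new:#x}")
```

To use it on a real file, read the file's bytes, pass them to `check_and_fix`, and write the returned bytes to a copy rather than over the original.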

  4. #4
    bud_gd
    Guest

    Anti ****

    oh me anon, might this method be somewhat safe for other than the crackme of?, ?.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    Super Moderator

    Anti ****

    what method ?? you mean changing the pe header info ??
    i have changed many things like that, including adding a new section's details, and never faced any problems
    maybe you could elaborate a little so that i can understand what you are asking

  6. #6

    Anti ****

    for me this protection is crap, the crackme runs perfectly in OLLY, if you need to reach the Entry Point,
    you change in debugging options-events so the program stops at SYSTEM BREAKPOINT, when the messagebox saying this is not a valid 32 bits bla bla appears, accept and go to VIEW-MEMORY and put a MEMORY BREAKPOINT ON ACCESS on the section (the only section you can see) and next press f9, and the program stops at the entry point, remove the BPM and press f9 and the program RUNS perfectly, there is no problem at all.

    Ricardo Narvaja

  7. #7
    Super Moderator

    Anti ****

    hehe that's too much work Ricardo
    well one doesn't even have to change events, olly will stop on system breakpoint automatically if it can't find winmain
    hit alt+f1 type
    bp ZwSetInformationThread and hit ok
    hit f9
    hit ctrl+f9
    f7* you are on oep

    *one time if you have options --> debugging options --> trace --> "after executing till ret, step over ret" check box selected
    *two times if you don't have the above check box selected


    btw if you have ntdll.dll analysed you don't even have to set this breakpoint, it will be there every time if you have set it once
