
Never break on EOP

Found a bug in OllyDbg? Post a report here.
Newbie_Cracker

Never break on EOP

Post by Newbie_Cracker »

Hi.
Please see the article at the following address.
Olly could not break on the OEP and directly runs the proggy.

hxxp://www.angelfire.com/indie/zong/DieRing-3.zip

Here is another trick for killing Ring-3 debuggers !!
blabberer
Senior Member
Posts: 1536
Joined: Wed Dec 08, 2004 11:12 am

Never break on EOP

Post by blabberer »

hehe it has been documented already somewhere, i even have a post about this phenomenon in this forum on some queer post
i think i replied to it in regard to 1bitshort's query
and lately this was again pointed out by
Nicolas Brulez of Armadillo (in his paper for the Honeynet Scan of the Month 33
results); he actually thought it would stop olly somehow loading the app
but ollydbg loads the application and executes it without stopping
on the ep (the reason he states for his thinking is
about modification to LoaderFlags and RVA entries in the pe-header)

but i believe they are not the only problems; i have seen apps
which don't have this modification but still execute the said application
:( probably there are more issues out there apart from these modifications :(

anyway to counter the above problem one can physically modify the
entry point bytes to 0xeb 0xfe (infinite jump)
and load the exe; when it has completely loaded (ignore the warning about not valid blah blah)
press f12 and pause the application
it will stop in the infinite jump :) modify the bytes back to original values
and then you can find all of the string references and import names and all such s***

have fun
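The file-level half of blabberer's trick, as an added Python example (not code from the thread or from any of the tools mentioned): it locates AddressOfEntryPoint through the section table, swaps in EB FE, and keeps the original two bytes so the patch can be undone once the paused debugger is sitting on the loop. The PE it operates on is a constructed, header-only PE32 stub built by `build_sample_pe`, not a real program, and all function names are my own.

```python
import struct
# The trick from the post: overwrite the two bytes at the PE entry point with
# EB FE (jmp $), load the binary, pause it while it spins, then put the
# original bytes back. The helpers below do the file-level part of that.
JMP_SELF = b"\xEB\xFE"

def rva_to_offset(pe, rva):
    """Map an RVA to a raw file offset by walking the section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, sec_table + 40 * i + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA %#x is not backed by any section" % rva)

def entry_point_offset(pe):
    """Return (AddressOfEntryPoint RVA, its file offset); the field sits at +16 in PE32 and PE32+."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    ep_rva = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]
    return ep_rva, rva_to_offset(pe, ep_rva)

def patch_entry_point(pe):
    """Return (patched image, saved original bytes); pass saved to restore_entry_point to undo."""
    _, off = entry_point_offset(pe)
    out = bytearray(pe)
    saved, out[off:off + 2] = bytes(out[off:off + 2]), JMP_SELF
    return bytes(out), saved

def restore_entry_point(pe, saved):
    _, off = entry_point_offset(pe)
    out = bytearray(pe)
    out[off:off + 2] = saved
    return bytes(out)

def build_sample_pe():
    """Constructed minimal PE32 image (not a runnable program), for demonstration only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section, 224-byte optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)                         # AddressOfEntryPoint
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    hdr = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    text = bytearray(0x200)
    text[0x10:0x13] = b"\x55\x8B\xEC"                                # push ebp / mov ebp, esp at the EP
    return hdr + bytes(text)
```

Write the patched bytes out under a new name, do the F12 step in the debugger, then apply `restore_entry_point` (or edit the two bytes in the debugger) before looking at references.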
Bob

Never break on EOP

Post by Bob »

what is the trick? the url has gone...