Created: Tuesday, December 27 2011 00:25.13 CST  
A new Anti-Olly trick.
Author: waleedassar

This is a buffer overflow in OllyDbg v1.10. It is triggered when Olly tries to locate the .sym file for the module being loaded: the path of the symbol file is derived from the module's name, and an over-long name overruns the buffer the path is built in, so simply debugging a crafted executable is enough to crash the debugger.
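The post does not show OllyDbg's own code for this, so the following is an added illustration of the bug class, not code from OllyDbg or from the author: a symbol-file path is derived from a module path by swapping the extension for ".sym", first in the unbounded strcpy/strcat style that overflows a fixed-size buffer, then in a bounded form that refuses an over-long name. The buffer size SYM_PATH_MAX, the sample paths and the helper names are all assumptions made here for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical fixed-size path buffer, chosen for illustration only;
   it is NOT the size of any buffer inside OllyDbg. */
#define SYM_PATH_MAX 260

/* Length (excluding the NUL) of "<module path without extension>.sym".
   A '.' that belongs to a directory component is not an extension. */
size_t sym_path_required_len(const char *module_path)
{
    const char *dot = strrchr(module_path, '.');
    const char *sep = strrchr(module_path, '\\');
    size_t stem_len = strlen(module_path);
    if (dot != NULL && (sep == NULL || dot > sep))
        stem_len = (size_t)(dot - module_path);
    return stem_len + 4; /* strlen(".sym") */
}

/* The unsafe pattern: strcpy(buf, module_path); then overwrite the
   extension with ".sym", all into a buffer of buf_size bytes.
   Returns 1 if either copy would write past the end of that buffer. */
int sym_path_would_overflow(const char *module_path, size_t buf_size)
{
    size_t full = strlen(module_path) + 1;              /* first strcpy */
    size_t result = sym_path_required_len(module_path) + 1; /* final string */
    return (full > buf_size || result > buf_size) ? 1 : 0;
}

/* The hardened form: refuse rather than truncate or overflow.
   Returns 0 on success, -1 if the result does not fit in out_size bytes. */
int build_sym_path(const char *module_path, char *out, size_t out_size)
{
    size_t need = sym_path_required_len(module_path);
    size_t stem_len;
    if (out_size == 0)
        return -1;
    if (need + 1 > out_size) {
        out[0] = '\0';
        return -1;
    }
    stem_len = need - 4;
    memcpy(out, module_path, stem_len);
    memcpy(out + stem_len, ".sym", 5); /* copies the terminating NUL too */
    return 0;
}

/* Constructed input: a module whose file name is name_len 'A's plus ".exe".
   Returns 1 if the unsafe pattern is flagged AND the bounded builder
   rejects the name, 0 otherwise. */
int long_module_name_is_rejected(size_t name_len)
{
    char path[1024];
    char out[SYM_PATH_MAX];
    const char *dir = "C:\\payload\\"; /* constructed directory */
    size_t dir_len = strlen(dir);
    if (dir_len + name_len + 5 > sizeof path)
        return 0;
    memcpy(path, dir, dir_len);
    memset(path + dir_len, 'A', name_len);
    memcpy(path + dir_len + name_len, ".exe", 5);
    return sym_path_would_overflow(path, SYM_PATH_MAX) == 1 &&
           build_sym_path(path, out, sizeof out) == -1 &&
           out[0] == '\0';
}

/* Returns 1 if a normal-length module path is converted correctly. */
int short_module_name_builds(void)
{
    char out[SYM_PATH_MAX];
    const char *mod = "C:\\dir\\trick.exe"; /* constructed example path */
    return build_sym_path(mod, out, sizeof out) == 0 &&
           strcmp(out, "C:\\dir\\trick.sym") == 0;
}

int main(void)
{
    printf("short name converts: %d\n", short_module_name_builds());
    printf("300-char name rejected: %d\n", long_module_name_is_rejected(300));
    return 0;
}
```

The practical check this suggests for any tool that derives auxiliary file names from an attacker-controlled module name: compute the required length before copying, and treat "does not fit" as an error path rather than silently truncating, since a debugger target gets to choose its own file name.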
POC:
http://ollytlscatch.googlecode.com/files/trick.exe
https://docs.google.com/document/d/1T5LPY3qDkxmR1XVgxnsKW42lggS5iSjtQwFXOtNfqMM/edit

Further details:
http://waleedassar.blogspot.com/2011/12/new-ollydbg-anti-debug-trick.html

VirusTotal report for the POC:
http://www.virustotal.com/file-scan/report.html?id=97f2c22d3fde1db56aaef4e555e32927d0a0087e7e92d369093ac5ac749e83d9-1324964958


Blog Comments
PeterFerrie Posted: Tuesday, December 27 2011 10:04.17 CST
This bug has been known since 2008.
I even described it publicly in Virus Bulletin.
http://pferrie.host22.com/papers/unpackers21.pdf

waleedassar Posted: Tuesday, December 27 2011 15:42.56 CST
It is different from those mentioned in your really wonderful paper. This one is in ollydbg.exe, not dbghelp.dll.