About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New


Customize Theme

Flag: Tornado! Hurricane!

Blogs >> waleedassar's Blog

Created: Tuesday, December 27 2011 00:25.13 CST  
Printer Friendly ...
A new Anti-Olly trick.
Author: waleedassar # Views: 1282

It is a buffer overflow in ollydbg v1.10. It occurs when olly tries to find the .sym file for the being-loaded module.



POC:
http://ollytlscatch.googlecode.com/files/trick.exe
https://docs.google.com/document/d/1T5LPY3qDkxmR1XVgxnsKW42lggS5iSjtQwFXOtNfqMM/edit

Further details:
http://waleedassar.blogspot.com/2011/12/new-ollydbg-anti-debug-trick.html


http://www.virustotal.com/file-scan/report.html?id=97f2c22d3fde1db56aaef4e555e32927d0a0087e7e92d369093ac5ac749e83d9-1324964958


Blog Comments
PeterFerrie Posted: Tuesday, December 27 2011 10:04.17 CST
This bug was known since 2008.
I even described it publicly in Virus Bulletin.
http://pferrie.host22.com/papers/unpackers21.pdf

waleedassar Posted: Tuesday, December 27 2011 15:42.56 CST
It is different from those mentioned in your really wonderful paper. This one is in ollydbg.exe, not dbghelp.dll.



Add New Comment
Comment:









There are 28,631 total registered users.


Recently Created Topics
windbg - olly/immunity
May/14
Reverse a WinRAR pac...
May/13
Add comments to resu...
May/10
can we code script ...
May/09
Type Casting Structu...
May/07
How to Reverse Engin...
May/03
Sulley on OS X (10.7)
May/01
Help me guys
May/01
IDA Resource Viewer ...
Apr/28
How do i use plugins...
Apr/27


Recent Forum Posts
windbg - olly/immunity
blowcheck
Help me guys
Olivier
Reverse a WinRAR pac...
NirIzr
windbg - olly/immunity
anonymouse
Reverse a WinRAR pac...
DriEm
Add comments to resu...
phn1x
IDA Resource Viewer ...
DriEm
Add comments to resu...
qiuhan
IDA Resource Viewer ...
waleeda...
IDA Resource Viewer ...
DriEm


Recent Blog Entries
waleedassar
Apr/20
OllyDbg NumberOfSections Crash
icegood
Apr/13
Advanced labels plugin for ...
waleedassar
Mar/31
GetModuleFileNameEx And Inf...
waleedassar
Mar/31
OllyDbg v1.10 And Wow64
waleedassar
Mar/29
OllyDbg Resource Table Pars...
More ...


Recent Blog Comments
raxen on:
Mar/27
Anti-Dumping
Dallas on:
Mar/22
ChapljaVM Code Obfuscator
Dallas on:
Mar/22
Hack stuff, get paid
Dallas on:
Mar/22
Exe Packer TAGGANT system f...
Dallas on:
Mar/22
Olly2 SystemTray Plugin
More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit