NTGlobalFlag in Olly (Debuggers forum)

Topic created on: October 15, 2007 18:04 CDT by bodzcount.

In the help of OllyAdvanced it says:

NOTE: This will make the plugin NtGlobalFlag which is useful for Execryptor unusable. Disable it if you deal with Execryptor. This should be only activated in some special cases where Debugger is detected through Registry. Disable it if not REALLY NEEDED!!!

However, the NtGlobalFlag plugin works for me, no matter how I set NtGlobalFlag in OllyAdvanced.

Can anybody explain to me why that is?

PS: Execryptor apps don't run in Olly when I don't check NtGlobalFlag in OllyAdvanced. Why does the help for OllyAdvanced say that it should be disabled?

  sovietskicpu     October 15, 2007 18:25.26 CDT
Because messing with global flags can cause a mess.

  bodzcount     October 15, 2007 18:39.38 CDT
But I have to set the global flag to 0, otherwise Execryptor apps don't run. What mess can happen when I do that?

  nezumi     October 15, 2007 18:40.15 CDT
The answer is here and here.

  bodzcount     October 15, 2007 18:47.49 CDT
Nice articles, however they don't say that changing NtGlobalFlag is evil....
Why is it dangerous to do it?

  nezumi     October 15, 2007 19:06.16 CDT
NtGlobalFlag is a field in the PEB, and since the PEB isn't documented, better not patch it. Imagine what happens if the PEB changes in a future Windows version. However, if it works, everything is fine, don't worry.

  anonymouse     October 16, 2007 11:47.06 CDT
Any application that is debugged uses DebugHeap, enabled by default, and I think (not sure, never used it much to check it out fully) OllyAdvanced turns off the DebugHeap to null (post-initialization of LdrpInitialize()), which means only those applications that explicitly check NtGlobalFlag will be fooled, and those applications that check the heap for heap length and DebugHeap tags and its signatures and the ForceFlags signature of DebugHeap will not be fooled.

You can read a few things about the process in this thread
http://forum.exetools.com/showthread.php?t=7363, especially the part where the discussion is about the HideDebugger plugin versus NtGlobalFlag patching (some functions explicitly need debug functionality to work properly, like DbgPrint()).

You can take a look at the sources of the plugin that used this mechanism at this link:

http://www.reversing.be/article.php?story=20050603193932184

As long as you know what you are doing, patching isn't evil :)
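As an added illustration of anonymouse's point above (this is not code from the thread, from OllyAdvanced or from the linked plugin), the Python model below shows why clearing PEB.NtGlobalFlag after LdrpInitialize fools only the NtGlobalFlag check: the process heap was already created with the debug bits derived from NtGlobalFlag, so its Flags and ForceFlags fields still give the debugger away. The FLG_HEAP_* and HEAP_* constants are the documented Windows values; the startup sequence, the `ProcessState` snapshot and the helper names are a constructed model that does not read a real PEB (the PEB and heap offsets nezumi warns about differ between Windows versions, which is exactly why a real reader would have to be version-specific).

```python
from __future__ import annotations
from dataclasses import dataclass

# NtGlobalFlag bits the loader sets when a process is started under a debugger
# (the three FLG_HEAP_* flags, together 0x70). Documented Windows values.
FLG_HEAP_ENABLE_TAIL_CHECK = 0x10
FLG_HEAP_ENABLE_FREE_CHECK = 0x20
FLG_HEAP_VALIDATE_PARAMETERS = 0x40
DEBUGGER_NTGLOBALFLAG = (FLG_HEAP_ENABLE_TAIL_CHECK
                         | FLG_HEAP_ENABLE_FREE_CHECK
                         | FLG_HEAP_VALIDATE_PARAMETERS)  # 0x70

# Flags the heap manager stores in the process heap's Flags / ForceFlags fields.
HEAP_GROWABLE = 0x00000002
HEAP_TAIL_CHECKING_ENABLED = 0x00000020
HEAP_FREE_CHECKING_ENABLED = 0x00000040
HEAP_SKIP_VALIDATION_CHECKS = 0x10000000
HEAP_VALIDATE_PARAMETERS_ENABLED = 0x40000000


@dataclass(frozen=True)
class ProcessState:
    """Constructed snapshot of the three fields the anti-debug checks read."""
    nt_global_flag: int      # PEB.NtGlobalFlag
    heap_flags: int          # ProcessHeap->Flags
    heap_force_flags: int    # ProcessHeap->ForceFlags


def heap_flags_for(nt_global_flag: int) -> tuple[int, int]:
    """Derive (Flags, ForceFlags) of the process heap from NtGlobalFlag, the way
    the heap manager does when the heap is created at startup (model)."""
    flags = HEAP_GROWABLE
    force = 0
    if nt_global_flag & FLG_HEAP_ENABLE_TAIL_CHECK:
        flags |= HEAP_TAIL_CHECKING_ENABLED
        force |= HEAP_TAIL_CHECKING_ENABLED
    if nt_global_flag & FLG_HEAP_ENABLE_FREE_CHECK:
        flags |= HEAP_FREE_CHECKING_ENABLED
        force |= HEAP_FREE_CHECKING_ENABLED
    if nt_global_flag & FLG_HEAP_VALIDATE_PARAMETERS:
        flags |= HEAP_VALIDATE_PARAMETERS_ENABLED | HEAP_SKIP_VALIDATION_CHECKS
        force |= HEAP_VALIDATE_PARAMETERS_ENABLED
    return flags, force


def create_process(debugged: bool) -> ProcessState:
    """Model process start-up: NtGlobalFlag is set before the heap exists,
    so the process heap inherits the debug bits."""
    gflag = DEBUGGER_NTGLOBALFLAG if debugged else 0
    flags, force = heap_flags_for(gflag)
    return ProcessState(gflag, flags, force)


def patch_nt_global_flag_after_init(state: ProcessState) -> ProcessState:
    """Model of what the thread says the OllyAdvanced option does: clear
    PEB.NtGlobalFlag after LdrpInitialize, i.e. after the heap was created.
    The heap fields are left untouched."""
    return ProcessState(0, state.heap_flags, state.heap_force_flags)


# The three checks a protector may perform, each a single mask test.
def check_nt_global_flag(s: ProcessState) -> bool:
    return (s.nt_global_flag & DEBUGGER_NTGLOBALFLAG) == DEBUGGER_NTGLOBALFLAG


def check_heap_flags(s: ProcessState) -> bool:
    # A clean process heap carries only HEAP_GROWABLE; extra bits mean a debug heap.
    return (s.heap_flags & ~HEAP_GROWABLE) != 0


def check_heap_force_flags(s: ProcessState) -> bool:
    # ForceFlags is zero unless debug-heap options were forced on at creation.
    return s.heap_force_flags != 0


def run_checks(s: ProcessState) -> dict[str, bool]:
    """Return which of the three indicators would report a debugger."""
    return {
        "NtGlobalFlag": check_nt_global_flag(s),
        "Heap.Flags": check_heap_flags(s),
        "Heap.ForceFlags": check_heap_force_flags(s),
    }


if __name__ == "__main__":
    scenarios = (
        ("no debugger", create_process(False)),
        ("under debugger", create_process(True)),
        ("debugger, NtGlobalFlag patched", patch_nt_global_flag_after_init(create_process(True))),
    )
    for name, st in scenarios:
        print(f"{name:32s} NtGlobalFlag=0x{st.nt_global_flag:02x} "
              f"Flags=0x{st.heap_flags:08x} ForceFlags=0x{st.heap_force_flags:08x} "
              f"-> {run_checks(st)}")
```

Running it prints the three scenarios; the patched one still reports `Heap.Flags` and `Heap.ForceFlags` as true (0x50000062 and 0x40000060 on the debugged heap), which is why a protector that looks at the heap rather than at NtGlobalFlag is not fooled by the OllyAdvanced option, while one that only reads NtGlobalFlag is.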
