Where can I get some useful anti-debugger tricks?

Topic created on: May 19, 2008 21:08 CDT by kcynice.

Here, I can search for some anti-debugger tricks:
http://tuts4you.com/search.php?q=anti-unpacker&r=0&s.x=0&s.y=0&s=Search
But, really, I have a little test program that I want to debug. It leads me to an unhandled exception in OllyDbg, but if I use Syser, I can debug it as normal. So I checked the program for the anti-debugger tricks I know of, but failed. So I wish someone would summarize more useful tricks a program would use. Then I think I can learn more and resolve my problem.
Thanks

  neoxfx     May 19, 2008 22:43.32 CDT
read this:
[1] anti-debug, http://www.securityfocus.com/infocus/1893 by Nicolas Falliere
[2] anti-unpacking, http://pferrie.tripod.com/papers/unpackers.pdf by Peter Ferrie

  kcynice   May 19, 2008 23:51.43 CDT
OK. I will have a look at them. There is another question:
there is a function's first piece of code:

push -1                     ; trylevel (-1: no active __try block)
push 05A2C8D8               ; I think this should be the exception handler
mov eax,dword ptr fs:[0]    ; current head of the SEH chain
push eax                    ; becomes the new record's prev link
mov dword ptr fs:[0],esp    ; register the new record at the head of the chain
sub esp,84h                 ; reserve space for locals
push ebx
push esi
push edi
mov ebx,27h
mov eax,dword ptr [ebx]     ; here will get an exception (reads from address 27h)

When the exception is raised, control should go to 05A2C8D8, the first
exception handler, right? But it's strange that it goes to another address
instead! Why?
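
An added example (not code from the thread or from any poster) of the SEH chain walk this question is about: it replays the prologue quoted above into a constructed 32-bit memory image, then follows the fs:[0] list the way a debugger's SEH-chain view does. The handler address 05A2C8D8 comes from the post; the image base, stack addresses and the outer "process default" handler address are constructed assumptions.

```python
import struct

END_OF_CHAIN = 0xFFFFFFFF  # the -1 terminator that ends the SEH list


class Memory:
    """Flat little-endian memory image mapped at a base address (constructed, not a real process)."""

    def __init__(self, base, size):
        self.base = base
        self.data = bytearray(size)

    def _offset(self, addr):
        off = addr - self.base
        if not 0 <= off <= len(self.data) - 4:
            raise ValueError(f"access outside image: {addr:#010x}")
        return off

    def write_u32(self, addr, value):
        struct.pack_into("<I", self.data, self._offset(addr), value & 0xFFFFFFFF)

    def read_u32(self, addr):
        return struct.unpack_from("<I", self.data, self._offset(addr))[0]


def push_seh_frame(mem, esp, handler, fs0, trylevel=0xFFFFFFFF):
    """Replay the prologue from the thread: push -1; push handler; push fs:[0]; mov fs:[0], esp.

    The record that ends up on the stack has prev at +0, handler at +4, trylevel at +8.
    Returns the new esp, which is the record address and therefore the new fs:[0] value.
    """
    esp -= 4
    mem.write_u32(esp, trylevel)      # push -1
    esp -= 4
    mem.write_u32(esp, handler)       # push 05A2C8D8
    esp -= 4
    mem.write_u32(esp, fs0)           # mov eax, fs:[0]; push eax
    return esp                        # mov fs:[0], esp


def walk_seh_chain(mem, fs0, limit=64):
    """Follow prev links from fs:[0] until the -1 terminator, returning [(record_addr, handler), ...].

    A looping, over-long or partly unmapped chain (corrupted or tampered) raises ValueError
    instead of spinning forever, which is what a debugger's chain view also has to guard against.
    """
    chain, seen, cur = [], set(), fs0
    while cur != END_OF_CHAIN:
        if cur in seen or len(chain) >= limit:
            raise ValueError(f"SEH chain loops or is too long at {cur:#010x}")
        seen.add(cur)
        prev = mem.read_u32(cur)
        handler = mem.read_u32(cur + 4)
        chain.append((cur, handler))
        cur = prev
    return chain


def classify_eip(chain, eip):
    """Relate an EIP observed after the exception to the registered handlers."""
    handlers = [h for _, h in chain]
    if eip in handlers:
        return f"handler #{handlers.index(eip)}"
    return "not a registered handler"


def build_example():
    """Constructed image: one outer record already on the chain, then the prologue's record."""
    mem = Memory(base=0x0012F000, size=0x1000)
    outer_record = 0x0012FFE0                 # constructed: the record that was fs:[0] before
    mem.write_u32(outer_record, END_OF_CHAIN)  # prev: end of chain
    mem.write_u32(outer_record + 4, 0x00401000)  # constructed "process default" handler
    fs0 = push_seh_frame(mem, esp=0x0012FF80, handler=0x05A2C8D8, fs0=outer_record)
    return mem, fs0


if __name__ == "__main__":
    mem, fs0 = build_example()
    for addr, handler in walk_seh_chain(mem, fs0):
        print(f"record {addr:#010x} -> handler {handler:#010x}")
    print(classify_eip(walk_seh_chain(mem, fs0), 0x05A2C8D8))
```

The dispatcher starts with the handler at fs:[0]+4, so after this prologue the first handler called is 05A2C8D8. A handler may return with a modified context, so the EIP you observe once execution resumes does not have to equal any handler address in the chain; `classify_eip` simply tells you which case you are looking at.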

  cod     May 20, 2008 01:29.05 CDT
> kcynice: OK. I will have a look at them. There is another question:
> there is a function's first piece of code:
>
> push -1
> push 05A2C8D8 ;//I think this should be the exception handler

but... is it a valid address or not?

  arebc     May 20, 2008 17:12.16 CDT
I have always thought 'The Art of Unpacking' by Mark Vincent Yason was a good read:

https://www.blackhat.com/presentations/bh-usa-07/Yason/Whitepaper/bh-usa-07-yason-WP.pdf

  kcynice   May 20, 2008 20:11.24 CDT
> cod: but... is it a valid address or not?

Of course the new EIP is a valid address. But I can't find it in the SEH chain. It's so strange.

  neoxfx     May 21, 2008 00:02.33 CDT
can you upload the sample somewhere?

  baibhav     May 21, 2008 02:26.09 CDT
It is really very strange ... is the debugger showing an added block in the SEH chain ... if it is, what address is shown in the first block ....

Baibhav Singh

  kcynice   May 21, 2008 02:42.26 CDT
In fact, if I load it in Syser, when the exception is raised, control goes to the strange address, but in OllyDbg it goes to the first exception handler, and then the program encounters a fatal error and terminates. What I want to say is that the program runs well under Syser. So I think the program uses some tricks and has detected my OllyDbg.
Because of the rules of the forum, I will not reveal the program, but if anyone would like to have a try, I will send him a PM.
Thanks
