Bypass Hardware breakpoint detection in VMProtect

Topic created on: December 12, 2008 00:45 CST by ravin .

Hi,

I have an application protected with VMProtect. When trying to analyse it in OllyDbg I try to set a hardware breakpoint. If I run the program, it keeps on popping up at some other addresses saying that a hardware breakpoint is detected.

Any idea how this is happening and how it can be bypassed?

Thanks

  Soul12     December 12, 2008 16:48.56 CST
When you set a hardware breakpoint it affects some registers, which VMProtect can read like

mov eax,dr0
if(dr0 != 0)
{
//Hardware BreakPoint Detected
}
The only way to my knowledge to bypass this is to not use hardware breakpoints until after the check ;) or patch it out. I'm sure there are more tricks. Hope it helps you.

I wrote a tiny little article about HW-bps:
https://www.openrce.org/repositories/users/Soul12/HardWare%20BreakPoints%20The%20Definitive%20Guide.doc

The Intel manuals are a good source of information for getting more knowledge on the subject as well.

  cod     December 13, 2008 00:51.15 CST
Hi, you can try to debug with ImmunityDebugger, using the script "hidedebug"

  ravin     December 15, 2008 03:22.06 CST
Thanks a lot. I will check these out.

> Soul12: When you set a hardware breakpoint it affects some registers, which VMProtect can read like
>
> mov eax,dr0
> if(dr0 != 0)
> {
>  //Hardware BreakPoint Detected
> }
> The only way to my knowledge to bypass this is to not use hardware breakpoints until after the check ;) or patch it out. I'm sure there are more tricks. Hope it helps you.
>
> I wrote a tiny little article about HW-bps:
> https://www.openrce.org/repositories/users/Soul12/HardWare%20BreakPoints%20The%20Definitive%20Guide.doc
>
> The Intel manuals are a good source of information for getting more knowledge on the subject as well.

  nezumi     December 18, 2008 07:53.06 CST
how to bypass hardware breakpoints:
there are many ways to bypass hardware breakpoints. the most obvious and well-known way is to use ReadProcessMemory, but it's not portable and easy to hack, so it's better to use something else: anything that reads memory from the OS kernel, where the debugger is unable to catch debug exceptions.

to create portable code use the standard C write function (don't use fread - it calls memcpy!!!).

don't forget to kill memory references unless you want to be hacked with IDA-Pro :-)

the following example demonstrates this trick

  memger     December 19, 2008 04:29.42 CST
for some source code on how to protect HW breakpoints you might want to have a look at the source code of IDAStealth

  nezumi     December 20, 2008 04:43.30 CST
ravin:
memger>for some source code on how to protect HW breakpoints
memger> you might want to have a look at the source code of IDAStealth

IDAStealth is a good example, but it will not help you to defeat VMProtect. I just checked VMProtect 1.70.4 Pro and IDA Stealth 1.0 BETA 3 - nothing.

Soul12> only way to my knowledge..to bypass this ..
Soul12> is to not use hardware breakpoints until after check ;)

agreed. PAGE_NOACCESS should help (Olly supports memory breakpoints based on page attributes - they are a bit buggy, but do not touch DRx at all).
however, there are just a few ways to read DRx. user code can't do this directly, so it has to read the context via an API or by raising an exception. both ways are easy to detect. if I remember correctly, VM Protect uses INT 01h to raise the exception and reads DRx via the context passed as an argument.

cod> you can try to debug with ImmunityDebugger, using the script "hidedebug"
no, you can't. at least not for VM Protect.

btw, PE-TOOLS allows you to create a dump of VM Protected program. also, you can start soft-ice after unpacking and debug your program w/o problem. to detect soft-ice and Syser VM Protect uses the following trick:

hello.vmp.ex | 0040C031 | CloseHandle(DEADC0DE) returns: 00000000
hello.vmp.ex | 004176FF | CreateFileA(0012FF7C: "\\.\SICE",
hello.vmp.ex | 004177EE | CreateFileA(0012FF7C: "\\.\SIWVID",
hello.vmp.ex | 0040CAAB | CreateFileA(0012FF7C: "\\.\NTICE",
hello.vmp.ex | 00417220 | CreateFileA(0012FF7C: "\\.\ICEEXT",
hello.vmp.ex | 004101E6 | CreateFileA(0012FF78: "\\.\SYSERBOOT",

just set break-point on CreateFileA and return -1 instead of the correct handle.

btw, this log was created with the kerberos API spy by Rustem Fasihov (http://cracklab.ru/_dl2/centner/022008/kerberos_v1.13.zip). this is my favorite API spy and it works well.
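As an added example (not code from this thread, VMProtect or OllyDbg), the C block below decodes the DR0..DR7 values that Soul12's "if (dr0 != 0)" pseudocode and nezumi's note about reading DRx from an exception context both refer to, showing exactly what a debugger's hardware breakpoints leave behind in a thread context. It assumes a constructed dbg_regs struct standing in for the Windows CONTEXT so that it compiles and runs anywhere.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed stand-in for the debug-register part of a thread context
 * (CONTEXT.Dr0..Dr7 on Windows, read via GetThreadContext or from the
 * EXCEPTION_POINTERS passed to an exception handler). */
struct dbg_regs {
    uint32_t dr0, dr1, dr2, dr3; /* linear addresses of breakpoint slots 0..3 */
    uint32_t dr6;                /* status: which slot fired */
    uint32_t dr7;                /* control: enable bits, access type, length */
};
struct hw_bp { int enabled; uint32_t address; const char *kind; unsigned length; };
static const char *kind_names[4] = { "execute", "write", "io", "read-write" };
static const unsigned len_bytes[4] = { 1, 2, 8, 4 }; /* LEN encodings 00,01,10,11 */

/* DR7 layout: bits 0..7 = L0,G0,L1,G1,L2,G2,L3,G3 (local/global enable per
 * slot); for slot n, bits 16+4n..17+4n = RWn (access type), 18+4n..19+4n = LENn. */
struct hw_bp decode_slot(const struct dbg_regs *r, int n) {
    uint32_t addrs[4] = { r->dr0, r->dr1, r->dr2, r->dr3 };
    unsigned rw  = (r->dr7 >> (16 + 4 * n)) & 3;
    unsigned len = (r->dr7 >> (18 + 4 * n)) & 3;
    struct hw_bp bp;
    bp.enabled = ((r->dr7 >> (2 * n)) & 3) != 0;   /* Ln or Gn set */
    bp.address = addrs[n];
    bp.kind    = kind_names[rw];
    bp.length  = (rw == 0) ? 1 : len_bytes[len];   /* execute slots are 1 byte */
    return bp;
}

/* Soul12's "if (dr0 != 0)" done against the enable bits instead: testing DRn
 * alone would also flag a disabled slot that still holds an old address. */
int hw_breakpoints_armed(const struct dbg_regs *r) {
    int n, count = 0;
    for (n = 0; n < 4; n++) count += decode_slot(r, n).enabled;
    return count;
}

/* Constructed sample: slot 0 a live local execute breakpoint, slot 1 a stale
 * address with enable bits clear, slot 2 a global 4-byte write watch, slot 3 unused. */
const struct dbg_regs sample_ctx = { 0x00401000u, 0x00403000u, 0x0012FF7Cu, 0,
                                     0, 0x0D000021u };

int main(void) {
    int n;
    for (n = 0; n < 4; n++) {
        struct hw_bp bp = decode_slot(&sample_ctx, n);
        printf("DR%d %-8s %08x %-10s len=%u\n", n, bp.enabled ? "armed" : "disabled",
               bp.address, bp.kind, bp.length);
    }
    printf("armed slots: %d\n", hw_breakpoints_armed(&sample_ctx));
    return 0;
}
```

With the sample context, slot 1 is reported as disabled even though DR1 is non-zero, which is the case a plain DRn != 0 test gets wrong.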
