 Welcome to BiW Reversing
 Tuesday, February 19 2019 @ 08:38 AM CET

ActiveMark anti-debugging

 
www.reversing.be Forum Index -> Unpacking
mustanger (Frequent poster, joined 13 Sep 2005, 64 posts)
Posted: Fri Nov 17, 2006 3:12 pm    Post subject: ActiveMark anti-debugging

Hi gang:

I've got my heart set on cracking what I think is an ActiveMark protected exe. The tutorials by Condzero and lunarDust are outdated.
The problem I'm having is that Olly won't run the program, and if you try attaching at the nag screen the program shuts down.
I'm pretty sure the anti-debugging trick is one of those I've read about that uses a timing mechanism to determine if the program's being run slower than it should, as debuggers do. Does anyone know what the code looks like for one of these timing mechanisms? Also, I've been looking around the web for additional tutorials on ActiveMark and can't find them. Does anybody else know of any?

If you're curious, you can try it yourself at hxxp://www.solidthinking.com/index_en.htm

Don't forget to switch the xx for tt.
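The timing mechanism mustanger asks about, as an added illustration that is not code from this thread or from ActiveMark: a clock is read before and after a region of code, and an elapsed time above a fixed budget is treated as evidence that a debugger paused or single-stepped that region. Windows protectors usually read RDTSC or GetTickCount; this portable C version uses clock_gettime(CLOCK_MONOTONIC). The 100 ms budget, the two region functions and the 250 ms sleep standing in for a debugger pause are all constructed for the demo.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Added illustration of a timing-based debugger check (not code from the
 * thread or from ActiveMark). A clock is read before and after a region of
 * code; if the region took longer than a fixed budget, the protector assumes
 * it was paused or single-stepped under a debugger and bails out.
 * Windows protectors typically use RDTSC or GetTickCount; CLOCK_MONOTONIC is
 * used here so the example runs on any POSIX system. */

static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/* How long fn() took to run, in nanoseconds. */
uint64_t measure_region_ns(void (*fn)(void)) {
    uint64_t start = now_ns();
    fn();
    return now_ns() - start;
}

/* The check itself: 1 means "debugger suspected" (the region exceeded its
 * budget), 0 means the region ran at normal speed. */
int timing_check(void (*fn)(void), uint64_t budget_ns) {
    return measure_region_ns(fn) > budget_ns ? 1 : 0;
}

/* Constructed sample regions. fast_region is ordinary work that finishes in
 * microseconds; slow_region sleeps 250 ms to stand in for a region that a
 * debugger held at a breakpoint. */
static volatile uint32_t sink;

void fast_region(void) {
    uint32_t x = 0x12345678u;
    for (int i = 0; i < 1000; i++)
        x = x * 1664525u + 1013904223u;   /* LCG step, just to do a little work */
    sink = x;
}

void slow_region(void) {
    struct timespec pause = { 0, 250L * 1000000L };
    nanosleep(&pause, NULL);
}

#define BUDGET_NS 100000000ULL   /* 100 ms: generous for fast_region, too tight for slow_region */

int main(void) {
    printf("fast region flagged: %d\n", timing_check(fast_region, BUDGET_NS));
    printf("slow region flagged: %d\n", timing_check(slow_region, BUDGET_NS));
    return 0;
}
```

In a disassembly this shape is what to look for: two clock reads bracketing a region, a subtraction, a compare against a constant and a branch to an exit path. It also explains the behaviour reported in the thread: attaching while the nag loop is running stretches one iteration past the budget, and the program terminates itself.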
haggar (Regular, joined 19 Mar 2005, 246 posts)
Posted: Sat Nov 18, 2006 11:56 am

Why attaching? What do you want to achieve? Do you want to break on the entry point of the protection or on the original entry point of the protected file? You can run it within Olly as I remember. The anti-stuff that disturbs Olly is numerous threads. The rest is SoftICE tricks, regmon and filemon.
tanatos (Frequent poster, joined 16 Feb 2005, 68 posts)
Posted: Mon Nov 20, 2006 9:28 am

Try using one of the numerous anti-anti-debugging plugins for Olly that you can find on tuts4you.com; one of those should solve your problem... or if not, start breaking on anti-debugging APIs (more information in win32api.hlp). G'luck.
mustanger (Frequent poster, joined 13 Sep 2005, 64 posts)
Posted: Tue Nov 21, 2006 3:29 pm

If you try to attach at the nag screen the program shuts down. That's consistent with a mechanism where, during the nag, the program is looping waiting for a response while constantly timing the loops. When Olly attaches the loops slow down and the program terminates. (Well, it sounds logical to me!) The tuts on ActiveMark tell you to attach at the nag screen in order to find the 2nd level entry point, but I'm beginning to think it's not ActiveMark at all. PEiD says it's protected with FSG and an overlay. None of the FSG unpacking applications recognize it as FSG though. The Smart ovr plugin for LordPE finds and stores an overlay, but it doesn't look like the tryMedia overlays of the tutorials. The code in the application constantly jumps to the overlay code at far positions (0200xxxx) which just tell it to jump back to a position in the real code (004xxxxx). I've been trying to figure out how to modify haggar's script for Armadillo which relabels the jumps to imports, but I'm finding that over my head.

Anyway, the beginning of the code is a lot of obfuscated jumps which occasionally land on a real instruction. Eventually, it gets to a Call ebx that crashes Olly; the call also has the nag screen. I've been trying to bypass the crash code to get to the nag screen with no luck. None of the Hide Olly patches or plugins are effective. If you have dial-up don't bother looking, but otherwise any insight would be appreciated.
Slaughterer (New to the board, joined 23 Nov 2006, 1 post)
Posted: Fri Nov 24, 2006 5:02 pm

Hi

I've only found bypass tricks for ActiveMark: removing the registry entries and replacing the changed exe after gameplay (or program use) with the original exe from before the first run. The registry entries by ActiveMark can be found using something like Ashampoo. Replacing the reg entries and the exe and then running the game, all using a bat file. I don't like this idea, but I haven't found anything better & simpler yet. The other tricky thing with ActiveMark is that it detects in-memory debuggers/monitors. Will let you know if I find a better solution.
haggar (Regular, joined 19 Mar 2005, 246 posts)
Posted: Fri Nov 24, 2006 10:08 pm

On ARTEAM site there is AM loader for all 5.x versions. Coded by condzero.

Funny, on some warez site somebody changed the resources in his loader and named the loader as his own work. But the guy doesn't know why it doesn't work on AM 6 games, he he...
Nacho_dj (Frequent poster, joined 03 Jan 2006, 52 posts)
Posted: Tue Nov 28, 2006 11:34 am

Hello:

If you are interested in attaching to your process without your debugger closing itself before you can do it, just do as follows:

1. Run your target freely.

2. Dump it with any dumper (keeping the launched process open after doing it), like
pupe, choosing the alineado option:
hxxp://www.terra.es/personal/guillet/archivos/pupe2002.zip
or Task Manager in Explorer Suite:
hxxp://ntcore.com/Files/Explorer_Suite_Setup.zip

3. Edit it with a hex editor.
Go to the end of the file, then go back carefully several pages in the editor, till you find the strings OLLYDBG and OllyDbg.

4. Patch, in the launched process (pupe can do it too), the virtual addresses where the first L and l of those strings are.
For instance, let's say we have found the OLLYDBG string at offset 0x84567A and OllyDbg at 0x84568D. L is at 0x84567B, and its virtual address is that offset plus the ImageBase (normally 400000) of your process, so the virtual address where the L letter lies should be 0x84567B + 0x400000 = 0xC4567B. So, patch this value 0x6C with 0x61, for instance. Do the same with the first l in OllyDbg. The result is you have replaced the OLLYDBG and OllyDbg strings in your process with OALYDBG and OalyDbg.

5. Run OllyDbg and attach to your process; it will stay open, as there isn't any debugger open with a window name of either OALYDBG or OalyDbg.

I hope you are just now tracing through your target...

Cheers

Nacho_dj

http://arteam.accessroot.com