ActiveMark anti-debugging

[mustanger]

Hi gang:

I've got my heart set on cracking what I think is an activemark protected exe. The tutorials by Condzero and lunarDust are outdated.
The problem I'm having is that Olly won't run the program and if you try attaching at the nag screen the program shuts down.
Im pretty sure the anti debugging trick is one of those I've read about that uses a timing mechanism to determine if the program's being run slower than it should----- as debuggers do. Does anyone know what the code looks like for one of these timing mechanisms? Also, I've been looking around the web for additional tutorials on activemark and can't find them. Does anybody else know of any?

If your curious, you can try it yourself at hxxp://www.solidthinking.com/index_en.htm

Don't forget to switch the xx for tt.

[haggar]

Why attaching? What do you want to achieve? Do you want to break on entry point of protection or original of protected file. You can run it within Olly as I remember. Anti-stuff that disturbs olly are numerous threads. Rest is SoftICE tricks, regmon and filemon.

[tanatos]

try using one the numerous anti-anti-debugging plugins for olly that you can find on tuts4you.com one of thoes should solve your problem...or if not go start breaking on anti-debugging api's (more informations in win32api.hlp) g'luck

[mustanger]

If you try to attach at the nag screen the program shuts down. That's consistant with a mechanism where during the nag, the program is looping waiting for a response while constantly timing the loops. When Olly attaches the loops slow down and the program terminates. ( Well it sounds logical to me!) The tuts on activemark tell you to attach at the nag screen in order to find the 2nd level entry point, but I'm beginning to think it's not activemark at all. PEID says its protected with FSG and an overlay. None of the FSG unpacking applications recognize it as FSG though. The Smart ovr plugin for LordPE finds and stores an overlay but it doesn't look like the tryMedia overlays of the tutorials. The code in the application constantly jumps to the overlay code at far positions (0200xxxx) which just tell it to jump back to a position in the real code (004xxxxx). I've been trying to figure out how to modify haggar's script for armadillo which relables the jumps to imports but I'm finding that over my head.

Anyway, the beginning of the code is a lot of obfuscated jumps which occasionally lands on a real instruction. Eventually , it gets to a Call ebx that crashes Olly, the call also has the nag screen. I've been I've been trying to bypass the crash code to get to the nag screen with no luck. None of the Hide Olly patches or plugins are effective. If you have dial up don't bother looking, but otherwise any insight would be appreciated.

[Slaughterer]

Hi

I've only found bypass tricks for ActiveMark. Removing the registry entries and replacing the changed exe after gameplay (or program use) with the original exe from before the first run. The registry entries by ActiveMark can be found using something like Ashampoo. Replacing the reg entries and the exe and then running the game all using a bat file. I don't like this idea, but I havn't found anything better&simpler yet. The other tricky thing with ActiveMark is that it detects in-memory debuggers/monitors. Will let you know if I find a better solution.

[haggar]

On ARTEAM site there is AM loader for all 5.x versions. Coded by condzero.

Funny , on some warez site somebody changed resources in his loader and named loader as his work. But guy don't know why it doesn't work on AM 6 games he he...

[Nacho_dj]

Hello:

If you are interested in attaching your process without your debugger closing itself before you can do it, just do as follows:

1. Run freely your target.

2. Dump it with any dumper (keeping open the process launched after doing it), like
pupe, choosing alineado option:
hxxp://www.terra.es/personal/guillet/archivos/pupe2002.zip
or Task Manager in Explorer Suite:
hxxp://ntcore.com/Files/Explorer_Suite_Setup.zip

3. Edit with an hexa editor.
Go to the end of the file, then go back carefully several pages in the editor, till you find the strings OLLYDBG and OllyDbg.

4. Patch in the process launched (pupe can do it too) the virtual addresses where are the first L and l of the strings of before.
For instance, let's say we have found OLLYDBG string in 0x84567A offset and OllyDbg in 0x84568D. L is in 0x84567B, and its virtual address is that offset plus the ImageBase (normally 400000) of your process, so the virtual address where the L letter lays should be 0x84567B + 0x400000= 0xC4567B. So, patch this value 0x6C with 0x61, for instance. Do the same with firts l in OllyDbg. The result is you have replaced in your process the OLLYDBG and OllyDbg strings by OALYDBG and OalyDbg ones.

5. Run OllyDbg and attach your process, it will keep open, as there isn't any debugger opened neither with a window name of OALYDBG nor OalyDbg.

I hope you are just now tracing through your target...

Cheers

Nacho_dj