dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Sat Dec 01, 2007 10:14 am Post subject: Themida
How does Themida protect from OllyDbg???

goldengold Grandmaster Cheater Supreme
Reputation: -1
Joined: 11 Nov 2006 Posts: 1841 Location: -.-
Posted: Sat Dec 01, 2007 10:21 am
This topic would be better if you posted it in the crackmes.

appalsap Moderator
Reputation: 0
Joined: 27 Apr 2006 Posts: 6753 Location: Pakistan
Posted: Sat Dec 01, 2007 10:26 am
It does nothing to "protect" itself; it just detects OllyDbg and shuts down (if it couldn't crash OllyDbg using some lame bug).

dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Sat Dec 01, 2007 6:59 pm
How does it crash OllyDbg???

Flyte Peanuts!!!!
Reputation: 6
Joined: 19 Apr 2006 Posts: 1887 Location: Canada
Posted: Sat Dec 01, 2007 7:12 pm
dnsi0 wrote: "How does it crash OllyDbg???"
Any programs that were compiled by Borland C++ (1999 I believe) have a problem handling very large floating point numbers. If the decompiler comes across one of these numbers, it just sort of crashes.

dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Sat Dec 01, 2007 7:22 pm
lol. That's how I crash Flash debuggers/decompilers...
I use the _byte("A ridiculously large number") over and over again in the first frame.

Flyte Peanuts!!!!
Reputation: 6
Joined: 19 Apr 2006 Posts: 1887 Location: Canada
Posted: Sat Dec 01, 2007 7:26 pm
Here, I assembled something for you to try. The program runs fine, but try opening it in Olly.
(Refresh if you cannot see the attachment)

dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Sat Dec 01, 2007 7:28 pm
How did you achieve this???

Flyte Peanuts!!!!
Reputation: 6
Joined: 19 Apr 2006 Posts: 1887 Location: Canada
Posted: Sat Dec 01, 2007 7:47 pm
dnsi0 wrote: "How did you achieve this???"
By (ab)using the same bug that Themida (ab)uses to crash Olly.
Last edited by Flyte on Sat Dec 01, 2007 7:48 pm; edited 1 time in total

appalsap Moderator
Reputation: 0
Joined: 27 Apr 2006 Posts: 6753 Location: Pakistan
Posted: Sat Dec 01, 2007 7:48 pm
interesting, flyte, your program is detected as Win32/Statik

Flyte Peanuts!!!!
Reputation: 6
Joined: 19 Apr 2006 Posts: 1887 Location: Canada
Posted: Sat Dec 01, 2007 7:53 pm
appalsap wrote: "interesting, flyte, your program is detected as Win32/Statik"
Interesting, appalsap, virustotal says it is fine.
Code:
AhnLab-V3 2007.12.1.0 2007.11.30 -
AntiVir 7.6.0.34 2007.11.30 -
Authentium 4.93.8 2007.12.01 -
Avast 4.7.1074.0 2007.12.01 -
AVG 7.5.0.503 2007.12.01 -
BitDefender 7.2 2007.12.02 -
CAT-QuickHeal 9.00 2007.12.01 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.12.02 -
DrWeb 4.44.0.09170 2007.12.01 -
eSafe 7.0.15.0 2007.11.29 -
eTrust-Vet 31.3.5340 2007.11.30 -
Ewido 4.0 2007.12.01 -
FileAdvisor 1 2007.12.02 -
Fortinet 3.14.0.0 2007.12.01 -
F-Prot 4.4.2.54 2007.11.30 -
F-Secure 6.70.13030.0 2007.11.30 -
Ikarus T3.1.1.12 2007.12.02 -
Kaspersky 7.0.0.125 2007.12.02 -
McAfee 5175 2007.11.30 -
Microsoft 1.3007 2007.12.02 -
NOD32v2 2696 2007.11.30 -
Norman 5.80.02 2007.11.30 -
Panda 9.0.0.4 2007.12.02 -
Prevx1 V2 2007.12.02 -
Rising 20.20.52.00 2007.12.02 -
Sophos 4.23.0 2007.12.01 -
Sunbelt 2.2.907.0 2007.12.01 -
Symantec 10 2007.12.02 -
TheHacker 6.2.9.147 2007.12.01 -
VBA32 3.12.2.5 2007.12.01 -
VirusBuster 4.3.26:9 2007.12.01 -
Webwasher-Gateway 6.6.2 2007.12.01 Win32.Malware.gen!94 (suspicious)

dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Sat Dec 01, 2007 7:54 pm
Code please?

appalsap Moderator
Reputation: 0
Joined: 27 Apr 2006 Posts: 6753 Location: Pakistan
Posted: Sat Dec 01, 2007 7:59 pm
Flyte wrote: "Interesting, appalsap, virustotal says it is fine."
VirusTotal uses NOD32 v2; I use NOD32 v3.

dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Sat Dec 01, 2007 8:03 pm
How can you change the assembly with olly dbg and make it detected to olly?

Flyte Peanuts!!!!
Reputation: 6
Joined: 19 Apr 2006 Posts: 1887 Location: Canada
Posted: Sat Dec 01, 2007 8:06 pm
dnsi0 wrote: "How can you change the assembly with olly dbg and make it detected to olly?"
With a hex editor or a different debugger.