Okay, pretty new to this. It's my first attempt to do this myself.

The app itself runs fine when executed in OllyDbg 2.00

I found a plugin I need to use for 1.10 so I downloaded OlyDbg 1.10
Even before I installed the plugin I tried running the app within Ollydbg and it just crashed Ollydbg.

I'm not really sure what other information I can give you to help since it's a basic function.
But anything else I can provide just ask.

Thanks,

Kenny

OS: Windows XP SP3

DO NOT POST THE NAME OF THE SOFTWARE COMPANY THAT MAKES THE PROGRAM.DO NOT POST TARGET SPECIFIC CODE THAT INCLUDES THE NAME OF THE TARGET: this means do not post code that shows where and how to patch/keygen blah blah blah on a specific target. Keep your code snippets as generic as possible while explaining your problem. DO NOT POST THE NAME OF THE SOFTWARE COMPANY AND THE NAME OF THE TARGET. DO NOT POST THE NAME OF THE SOFTWARE COMPANY AND THE NAME OF THE PROTECTION. DO NOT POST THE NAME OF THE SOFTWARE COMPANY, THE NAME OF THE TARGET AND THE NAME OF THE PROTECTION. DO NOT POST ANY VARIATION OF THE AFORMENTIONED RULES.

sorry

edited the above post
I did run a search but I admit I hadn't read the FAQ yet...well until now lol

Kenny

Hi Kenny.
This is something i would explore: There are some anti-olly tricks that your program may be using. At least 2 that I know of. The implementation of your program may be effective in Olly 1.10 but may have been patched/solved in Olly 2.0. Search for anti-olly tricks, there are plug-ins and countermeaures designed for Olly 1.10.

Well it may be an olly (1.x specific) antidebugging trick, is the exe packed/crypted somehow ?
Some deadlisting to identify nasty API?

EDIT: well despite the same posting time, naides been faster

Also, you could run one of the protection identifiers, and see if it tells you what the protection is. That'll help US, help YOU.

Looks like this one has the info you want

Thanks again,

Kenny



I'll see if I can find that Armegeddon, hopefully it's pretty simple to run

okay I found armageddon 1.6.

1) I run the app with no options it comes up.

2) I run the with debug blocker selected.


While I can see the processes are running, the application never shows up on the screen.
I'm able to attach to the process in Olly but since I can't use the app it doesn't really do anything.

Any ideas?

Thanks,

Kenny

I tried the analyze nanomite option and it said none were found.

hmm I have had this problem to on my laptop..but it isnt happening with any module that has any protections..its happening on ntdll...which is strang cause it worked before..my issue happens during analysis and it crashes and olly 2.0 pops up..ive yet to find a suitable fix for this..if any has any pointers or ideas to fix this id like to here them..

@BanMe:
One thing that I would try: Open Olly either 2.0 or 1.10 within Olly (2.0??) Now within the "inner" olly open the program in question. You may be able to isolate the piece of code inside your program or within Olly that is fucking things up.

I found a modified version of Olly 1.10 called "shadow edition", it had the no debug plug in.
Opened up the exe no problem and the no bebug plug-in worked perfectly.

I need to read over the rules again but just to be safe I'll PM you the link instead of posting it.

-Kenny

Now my only problem is armadillo RDG says 3.75C PEiD says 5.4.

But anyway, I've found a bunch of walkthroughs to do it manually, or for ArmaGeddon 1.0

Does anyone have a walkthrough for Armageddon 1.7 But I've been trying to use ArmaGeddon 1.7 to remove it.
I think I've almost got it but I seem to be missing a few steps.

Thanks,

Kenny

Armageddon wont dump Arma that spawns a child process, it will detach it for you and tell you what bytes to restore, admittedly, I've not used this excellent tool that much, (too busy trying to keep my head above water), so I may be incorrect, if I am then I would love to know about it! - Arma also frequently masks the version it is, so most packer detectors wont agree - there are custom versions floating around out there and that complicates the version detection process even more.

SiGiNT