squidge
December 27th, 2002, 01:03
Ok, I now know why you can't attach to a running Crypkey 6 Stealth app. It's because it's already being debugged. By itself.
Yup, the loader code creates a spin-off process, and calls it with its own process ID. This process then takes over the parent using DebugActiveProcess, but runs the parent as normal. Of course, now that the parent is being "debugged", it can't be accessed by any other app!
OllyDbg tries to attach to the process using the same call, but this will fail because it's already being debugged.
Naturally, this also means you can't run any Crypkey stealthed app in a debugger, as the spin-off process will not be able to gain control of its parent while you're debugging it, so the program will simply exit with an error message from the child.
Not sure how deeply nested this goes - whether I can simply strip all the debug code from a stealthed app, or it actually uses it for something useful. If I just get rid of the DebugActiveProcess call, I can find the OEP of the original process, but the import addresses are mashed, so the program simply crashes. Dumping it and examining the import table gives a valid table, but with corrupted DLL names and function names.
It's about time Crypkey gave us something new to get our teeth into.

I wonder who designed it for them.... <G>