
Anti-Smartcheck Code


Oloron
December 18th, 2003, 05:54
hey ppl, just a quick question here, looking for input on anti-SmartCheck routines in Visual Basic. My target, upon loading into SmartCheck, produces the following error:

The Instruction at 0X73DD1351 referenced memory at 0x00000004. the memory could not be 'read'

Does anyone have any suggestions on what method(s) are being used to prevent me from loading the app in SmartCheck?

nikolatesla20
December 18th, 2003, 11:41
Quote:
[Originally Posted by Oloron]hey ppl, just a quick question here, looking for input on anti-SmartCheck routines in Visual Basic. My target, upon loading into SmartCheck, produces the following error:

The Instruction at 0X73DD1351 referenced memory at 0x00000004. the memory could not be 'read'

Does anyone have any suggestions on what method(s) are being used to prevent me from loading the app in SmartCheck?


Usually they will look for the SmartCheck window, or the SmartCheck window class. Also they could check for SmartCheck's exe running in the process list, or even check to see if they are being run by a "parent" process.

All of these items can be defeated.

-nt20

yaa
December 18th, 2003, 18:25
OK for the window class and OK for the running process ... but nikolatesla20, what do you mean by the window or the parent process (you mean that the application is being run by a parent process or is in the same context)???
Once you change the application's name and the name of the window class that gets registered, I believe there should be no other way to detect it.

yaa

Oloron
December 18th, 2003, 18:50
I've hacked my SmartCheck to make a window class of Booyah00, and the title of the app is Oloron; I even changed the exe's filename so process watchers would not see it, but still no luck. This program was previously packed/crypted by y0da cryptor 1.2; I uncrypted it with a tool from the web and rebuilt the IAT with ImpREC 1.6 to get it to run again, but still no luck running in SC. Is this residue from the packer? If so, how can I find/remove it?

dELTA
December 18th, 2003, 19:50
Why don't you try tracing the app in a normal debugger and see what it does just before it exits? If it's a residue from some packer, the detection will most likely be done in pure asm and also be executed before any messy VB jungle.

Also, you can easily see if it uses any "parent detection tricks" by executing it standalone while SmartCheck is running in the background. Will it still exit in this case? If not, it's probably using some parent detection trick or debugger API for the detection.

zacdac
December 18th, 2003, 19:57
Smartcheck can be detected with a call to IsDebuggerPresent or the equivalent asm code ...

But there may be no anti smartcheck stuff at all. Smartcheck is easily confused. Use OllyDbg to see if it will run under an application debugger.

ZD

dELTA
December 18th, 2003, 20:03
Yep, that's what I meant with debugger API...

Oloron
December 18th, 2003, 23:22
Ran under Olly: the program ran just fine. No breaks on IsDebuggerPresent, that was ruled out a while back. Ran the program on its own with SmartCheck running as a separate process: nothing, the app ran fine. I'm at a loss.

Oloron
December 18th, 2003, 23:28
It's hard for me to figure out how to get the program to jump into its 'defensive' mode, where this anti-SC code is at; I can't reproduce the situation in a debugger, as it only happens in SmartCheck. I have come across problems with rebuilt apps before, mostly the first section has C0000040 characteristics, but in this one it's E0000020, so all is good as far as a debugger is concerned.

cRk
December 19th, 2003, 02:52
Which SmartCheck version have you got??? Try to handle the settings/configuration, maybe you're missing something.

To permanently kill IsDebuggerPresent you can also patch the kernel32.dll.

At the ordinal export call at the beginning of the code in my Win98SE, I patched with 90 from BFF946F6 to BFF94701; the rest will be 33C0C3, which tells the system no debugger is present... means return eax with value=0.

If you can handle it, go and patch, but only if you're sure how to do it.

Regards

Oloron
December 19th, 2003, 04:13
SmartCheck 6.03 1103 is my build of SC. There is no IsDebuggerPresent, as I have run it through Olly and there was no break on that API.

Ricardo Narvaja
December 19th, 2003, 04:40
I have the same trouble: the original app runs well in SmartCheck, but the unpacked app doesn't run in SmartCheck, and it runs in Olly and runs alone perfectly. I think it is a trouble with the header of the unpacked file.

Try whether the packed app runs in SmartCheck. If there is an IsDebuggerPresent check, you can activate the error report and, when it stops, if you are on XP, use PUPE and in the process set the byte at 7FFDF002 from 1 to 0, and run. If the original app runs well, it is a trouble with the unpacked app only (header trouble, I think).

Ricardo
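An added example (not code from the thread) for the header question Oloron and Ricardo raise: it decodes a section's Characteristics bits (the C0000040 vs E0000020 values quoted above) and checks whether a rebuilt dump's entry point lies inside a section that is marked executable. The IMAGE_SCN_* bit values are from the PE/COFF specification; the minimal PE32 header it parses is constructed inline as sample data.

```python
import struct

SECTION_FLAGS = {  # IMAGE_SCN_* bits from the PE/COFF specification (only the relevant ones)
    0x00000020: "CNT_CODE",
    0x00000040: "CNT_INITIALIZED_DATA",
    0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ",
    0x80000000: "MEM_WRITE",
}

def decode_characteristics(value):
    """Names of the IMAGE_SCN_* bits set in a section's Characteristics field."""
    return [name for bit, name in sorted(SECTION_FLAGS.items()) if value & bit]

def parse_sections(pe):
    """Walk DOS header -> PE signature -> COFF header -> section table of a PE32 image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    entry = struct.unpack_from("<I", pe, coff + 20 + 16)[0]  # AddressOfEntryPoint
    table = coff + 20 + opt_size                              # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, va = struct.unpack_from("<8sII", pe, table + i * 40)
        chars = struct.unpack_from("<I", pe, table + i * 40 + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize, "chars": chars})
    return entry, sections

def entry_point_problem(pe):
    """Describe a header problem a rebuilt dump may have, or return None if the entry point looks fine."""
    entry, sections = parse_sections(pe)
    for s in sections:
        if s["va"] <= entry < s["va"] + s["vsize"]:
            flags = decode_characteristics(s["chars"])
            if "MEM_EXECUTE" not in flags:
                return f"entry 0x{entry:X} in {s['name']} without MEM_EXECUTE ({', '.join(flags)})"
            return None
    return f"entry 0x{entry:X} is not inside any section"

def build_sample_pe(first_section_chars, entry=0x1000):
    """Constructed minimal PE32 header with one section at RVA 0x1000 (sample data, not a real binary)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)       # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                              # AddressOfEntryPoint
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, first_section_chars)
    return dos + b"PE\0\0" + coff + bytes(opt) + sec
```

Run `entry_point_problem(open("dump.exe", "rb").read())` on a real dump to get the same report for its actual section table.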

yaa
December 22nd, 2003, 16:13
Quote:
[Originally Posted by Ricardo Narvaja]
Try whether the packed app runs in SmartCheck. If there is an IsDebuggerPresent check, you can activate the error report and, when it stops, if you are on XP, use PUPE and in the process set the byte at 7FFDF002 from 1 to 0, and run. If the original app runs well, it is a trouble with the unpacked app only (header trouble, I think).


Ricardo, could you please explain better. Also, what does PUPE do?

yaa

Ricardo Narvaja
December 22nd, 2003, 17:30
My English is very bad, sorry.


The fact is this:

I have original programs running well in SmartCheck, but the unpacked program does not run in SmartCheck; after the manual unpacking process, the dump does not run in SmartCheck, but outside of SmartCheck it runs well.

PUPE is a tool for patching a process in execution.

With this tool you can open the original program in SmartCheck, and when it stops in an error, open PUPE and change the byte 7ffdf002 from 1 to 0; this is the byte checked by the API IsDebuggerPresent, and with this the program can run in SmartCheck if it does not run because of this byte.
And it is not only through the API that this byte is checked; the program can check this byte directly, with no access to the API. For this reason it is better to change it in memory directly with PUPE.

Ricardo
