
Detach OllyDbg Debugger and let the victim run


Teerayoot
August 11th, 2004, 00:32
Hi all,
I just finished my project: a program that can make your debugging experience more fun.

What about when you have debugged (patched/cracked) it and you don't want to close the process for some reason?

Look at my tool "Process Memory Manipulator"; it can be downloaded from www.exetools.com or http://cracking.accessroot.com .
And there are lots more functions you can play with.

For you "Reversers", as I am, I think you will like it.

Regards,
Teerayoot.

Ricardo Narvaja
August 11th, 2004, 08:47
I tried but with no success; the tool has no explanation. I open a victim in OLLY, open Process Manipulator 1.0 and click on Detach, but nothing happens.
Does your tool only work with OllyDbg named ollydbg.exe, and not work with a renamed OllyDbg under another name?
If you can make it work with any Olly under any name it will be more useful, I think.

Ricardo Narvaja

Teerayoot
August 11th, 2004, 12:15
Hi Ricardo.
I'm not sure which version you are using.
My program is updated daily; the latest version (10/8/2004) can be downloaded from exetools.

For the stop-debugger usage I added two functions:
-DebugActiveProcessStop and Detach Parent Debugger

I added two because:
First (DebugActiveProcessStop): right-click on the debugger process (OllyDbg, parent Armadillo)

I can't find the child PID to stop, so you need to give the PID in the input box when the program asks for the child PID to stop.


The implementation of this function comes from your explanation in OllyDbg a long time ago (in GetRight 5.0), Ricardo:

just push the child PID and call DebugActiveProcessStop.
For me, I just hook that function; yes, it's very stable, it will let the victim run fine, and the debugger itself can be killed.

And 2, "Detach Parent Debugger":
in this function you just click on the child process; the parent debugger will be detached and the debugger itself can be killed as well.

No problem with the name of the debugger; for me it's named "JackDg.exe" and it works fine.

Another thing that would be nice for stopping the debugger:
when you map new memory, OllyDbg can't go to that address (try it yourself: Ctrl+G to the newly allocated address);
if so, just stop the debugger and debug it again, and now you can go to that expanded address.

Ricardo Narvaja
August 11th, 2004, 13:39
In exetools there is one post, and I downloaded the file from this post:

Process Memory Manipulator 1.0


***************Hot key***************
-F5 refresh process list
-Alt+F1 bring window to top (mostly used with always on top)


**************Feature****************
-write/restore memory on target process
-allocate/free memory on target process
-raw memory dump
-load/unload modules on target process
-suspend/resume target process
-view all import/export modules
-send message to target process
-debug/detach debugger process
-force kill process
-window manipulator
-set priority boost


**************History*****************
11/8/2004
-Added Window Manipulator (set (ex)style/width/height/window text/etc)
-Added Set Priority Boost
10/8/2004
-Added DebugActiveProcessStop
9/8/2004
-Memory patcher bug fixed
-Allocate at a given memory address (thanks to MaRKuS-DJM)
8/8/2004
-Added raw dump
-Greatly improved memory patcher
7/8/2004
-1.0 first release

***************Bugs found*************
-PM/mail me


**************Usage Notes ****************
Write Process Memory
When you make a patch, the patch is remembered per process,
so you can switch between processes and patch/restore safely.
DebugActiveProcessStop
First select the debugger and input the child PID to stop.
Detach Debugger Process
Just select the child process (this does not work if the process was not launched by the debugger).
Unload Modules
The module list does not update when the process changes, so do a refresh
when you want to unload/view imports/exports.
Allocate Memory
If the start address is 0, the start address will be chosen by the system.
Kill Process
Beware when using this, because it can kill critical processes.

I hope you will like it as I did.

Teerayoot@bugsgroup.com
Attached file: PPM.zip (864.8 KB)

I downloaded this file and pressed DETACH PARENT PROCESS: nothing happens. I pressed DEBUGACTIVEPROCESS: nothing happens. Olly is on the desktop, the victim is in Olly, and I can continue tracing in OllyDbg without any change; nothing happens, hehe.

What is the trick?

Ricardo Narvaja

Ricardo Narvaja
August 11th, 2004, 13:41
Well, the window appears asking me for the PID of the child; I put in this value (it is pre-written) and nothing happens. Olly doesn't close, the victim doesn't run, and I can begin the work in Olly at the EP of the program as if nothing had been applied.

Ricardo

Teerayoot
August 11th, 2004, 15:05
If the parent process is not debugging, the stop debugger does not work!

Why? The function I implemented does nothing special; it just hooks "WaitForDebugEvent" and calls DebugActiveProcessStop.

If the debugger is at the OEP it doesn't process that event and doesn't call "WaitForDebugEvent".
For the stop to succeed, the debuggee has to be in the running state.

Here, take a screenshot.
After we patched everything and ran the target (I'm using NotePad.exe as the example):

First select OllyDbg (this also works for all debuggers).
The input box will ask you for the child PID (if someone can help me with finding the child PID, please help); the input will be filled with the lower process in the process list (it's not always correct).
http://www.intechhosting.com/~access/Teerayoot/pll.jpg

Then a MessageBox will prompt to make sure of the child process; if the process name the message shows is not the correct debugged child, fill it in by hand.

http://www.intechhosting.com/~access/Teerayoot/ask.jpg




After that, if "enjine.dll" is injected and hooks "WaitForDebugEvent" successfully, a MessageBox will show that the debugger was stopped successfully.

http://www.intechhosting.com/~access/Teerayoot/finished.jpg

After the child has been stopped from being debugged, the debugger does not close.
We can see OLLY still assumes it is debugging it, but it can't access any memory in the target process, and if we select "executable modules" all modules will unload.

Hey, is it working now?

I can't link to my screenshot.
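The mechanism described in the two posts above (call DebugActiveProcessStop from inside the debugger process while the debuggee is running, and guess the child PID from the process list) as an added, stand-alone example. This is not Teerayoot's tool, not OllyDbg code, and does not hook WaitForDebugEvent; it is a minimal debugger of its own so the detach can be observed directly. Assumptions: Windows, built without UNICODE (cl detach.c or gcc), notepad.exe as the stand-in debuggee, and a constructed sample process snapshot (not real data) for find_debuggee(). The PID selection goes a little beyond the tool's "lowest child in the list" guess: it takes an optional image-name hint and reports ambiguity instead of guessing. The Win32 parts are compiled only on Windows; find_debuggee() is plain C.

```c
/* Added example (not Teerayoot's tool or OllyDbg code): detach a Win32 debugger
 * with DebugActiveProcessStop() so the debuggee keeps running, plus the child-PID
 * lookup the thread asks about, done from a Toolhelp32 snapshot.  Win32 parts
 * build only on Windows (cl detach.c, no UNICODE); find_debuggee() is plain C. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef struct { unsigned pid, ppid; char name[64]; } proc_entry;  /* one snapshot row */

/* Constructed sample (not real data): debugger pid 2000 launched two children. */
static const proc_entry sample_snapshot[] = {
    {    4,    0, "System"       }, { 1000,  600, "explorer.exe" },
    { 2000, 1000, "OLLYDBG.EXE"  }, { 2048, 2000, "notepad.exe"  },
    { 2100, 1000, "cmd.exe"      }, { 2200, 2000, "crackme.exe"  },
};
#define SAMPLE_N ((int)(sizeof sample_snapshot / sizeof sample_snapshot[0]))

static int name_eq(const char *a, const char *b) {   /* image names are case-insensitive */
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Pick the debuggee among the debugger's children: a name hint wins, else a single
 * child is returned; 0 means none or ambiguous, so fall back to asking the user
 * (the tool's input box).  Only works when the debugger launched the target. */
unsigned find_debuggee(const proc_entry *e, int n, unsigned debugger_pid, const char *hint) {
    unsigned only = 0;
    int children = 0;
    for (int i = 0; i < n; i++) {
        if (e[i].ppid != debugger_pid || e[i].pid == debugger_pid) continue;
        if (hint && name_eq(e[i].name, hint)) return e[i].pid;
        children++;
        only = e[i].pid;
    }
    return children == 1 ? only : 0;
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>

static int snapshot_processes(proc_entry *out, int max) {   /* live Toolhelp32 snapshot */
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe = { sizeof pe };
    int n = 0;
    if (snap == INVALID_HANDLE_VALUE) return 0;
    if (Process32First(snap, &pe)) do {
        out[n].pid = pe.th32ProcessID;
        out[n].ppid = pe.th32ParentProcessID;
        strncpy(out[n].name, pe.szExeFile, sizeof out[n].name - 1);
        out[n].name[sizeof out[n].name - 1] = '\0';
        n++;
    } while (n < max && Process32Next(snap, &pe));
    CloseHandle(snap);
    return n;
}

int main(void) {
    STARTUPINFOA si = { sizeof si };
    PROCESS_INFORMATION pi; DEBUG_EVENT ev; proc_entry live[512];
    char cmd[] = "notepad.exe";   /* stand-in debuggee, as in the thread */
    if (!CreateProcessA(NULL, cmd, NULL, NULL, FALSE, DEBUG_ONLY_THIS_PROCESS,
                        NULL, NULL, &si, &pi)) { printf("CreateProcess: %lu\n", GetLastError()); return 1; }
    printf("lookup says pid %u, CreateProcess says %lu\n",
           find_debuggee(live, snapshot_processes(live, 512), GetCurrentProcessId(), cmd),
           pi.dwProcessId);
    /* Pump events up to the initial breakpoint, continue it so the debuggee is
     * running, then detach.  DebugActiveProcessStop must run inside the debugger
     * process, which is why the tool injects a DLL into OllyDbg. */
    while (WaitForDebugEvent(&ev, INFINITE) && ev.dwDebugEventCode != EXIT_PROCESS_DEBUG_EVENT) {
        DWORD status = DBG_CONTINUE;
        int bp = 0;
        if (ev.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT) CloseHandle(ev.u.CreateProcessInfo.hFile);
        if (ev.dwDebugEventCode == LOAD_DLL_DEBUG_EVENT) CloseHandle(ev.u.LoadDll.hFile);
        if (ev.dwDebugEventCode == EXCEPTION_DEBUG_EVENT) {
            bp = ev.u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_BREAKPOINT;
            if (!bp) status = DBG_EXCEPTION_NOT_HANDLED;
        }
        ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, status);
        if (bp) break;
    }
    if (!DebugActiveProcessStop(pi.dwProcessId)) { printf("Stop: %lu\n", GetLastError()); return 1; }
    /* Evidence it kept running: the process handle stays unsignalled. */
    printf("detached; debuggee %s\n",
           WaitForSingleObject(pi.hProcess, 2000) == WAIT_TIMEOUT ? "still running" : "has exited");
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}
#else
int main(void) {   /* non-Windows build: only the PID-selection logic is available */
    printf("debuggee pid: %u\n", find_debuggee(sample_snapshot, SAMPLE_N, 2000, "crackme.exe"));
    return 0;
}
#endif
```

Two caveats worth keeping in mind when reproducing the thread's result. DebugActiveProcessStop only succeeds for a process the calling debugger is actually attached to, which is the "if the parent process is not debugging, it does not work" failure Ricardo hit; check GetLastError rather than assuming. And a debugger that simply exits without detaching normally takes the debuggee down with it unless it called DebugSetProcessKillOnExit(FALSE) first, so the detach (or that call) has to happen before OllyDbg is killed, not after.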

Ricardo Narvaja
August 11th, 2004, 15:27
I don't understand well what you say, but this does not work for me; the links for the images are forbidden.

Forbidden
You don't have permission to access /~access/Teerayoot/pll.jpg on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache/1.3.31 Server at www.intechhosting.com Port 80

I open a crackme in OllyDbg; when it stops at the EP, I press Detach Debug Parent, or DebugActiveProcess. With one option nothing happens; with the other option a window with the correct PID of the crackme appears, I press OK and nothing happens: the messagebox of success doesn't appear, Olly and the crackme remain untouched, and you can continue working with Olly debugging the crackme. The tool never performs any action on Olly or the crackme.

Ricardo Narvaja