
View Full Version : Anti ****


Xacker
July 19th, 2005, 02:37
Hiya folks,
I'm having trouble understanding the protection of a crackme posted by Blue_Orka on crackmes.de.
It uses some anti-Olly tricks that I couldn't manage to pass. I can't debug the program step by step or do anything.

When loading the target I get an error message that it's not a 32-bit application or something. P.S.: Sice crashes when I run the target, so it's a common trick between the two debuggers.

I need some help on some known or unpublished tricks, anti-*** or anti-anti-****.
And yeah, pumqara tricks are old ones and not used here. So, SOS!

Thanks

TQN
July 19th, 2005, 04:35
Use Stud_PE or any PE editor and change the value of NumberOfRvaAndSizes in the Optional Header to 0x10 (16).
This is an old trick.

blabberer
July 19th, 2005, 06:15
hehe
Take a look at the Honeynet Nicolas Brulez SotM 33 article, or search the RCE board for posts by nico.

Oops, why LordPE? What's the problem with using OllyDbg?

F9 while it is running, F12 to pause, View -> Call stack, Show procedure.
When in the executable module, right click -> View executable file.
Right click -> change display to Special.
Hit Ctrl+G and type 12C.
You will be here:
0000012C 10FF0300 DD 0003FF10 ; NumberOfRvaAndSizes = 3FF10 (261904.)


Right click -> Modify integer, set it to 10, save the file.
Open this saved file in OllyDbg and it shows up nicely:


00401044 >PUSH 0 ; /pModule = NULL
00401046 CALL <JMP.&kernel32.GetMod>; \GetModuleHandleA
0040104B MOV DWORD PTR DS:[403360]>
00401050 PUSH 2200 ; /Color = RGB(0.,34.,0.)
00401055 CALL <JMP.&gdi32.CreateSol>; \CreateSolidBrush
0040105A MOV DWORD PTR DS:[403368]>
0040105F PUSH 0 ; /lParam = NULL
00401061 PUSH BKEYME1.0040107C ; |DlgProc = BKEYME1.0040107C
00401066 PUSH 0 ; |hOwner = NULL
00401068 PUSH 65 ; |pTemplate = 65
0040106A PUSH DWORD PTR DS:[403360] ; |hInst = NULL
00401070 CALL <JMP.&user32.DialogBo>; \DialogBoxParamA


Oops, the CME has a bug on exit.
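An added example, not code from the thread or from the crackme: a small Python checker for the header field TQN and blabberer both patch. It locates NumberOfRvaAndSizes in a PE32 or PE32+ optional header, flags a count above 16 (the value that makes OllyDbg refuse the file as "not a valid 32-bit application" while the program itself still runs), and writes back 0x10. The sample header is constructed inline and is an assumption: its `e_lfanew` of 0xB8 is chosen so the field lands at file offset 0x12C with the value 0x3FF10 quoted above.

```python
import struct

IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16  # the sane value (0x10) the thread patches in


def rva_count_offset(image: bytes) -> int:
    """Return the file offset of NumberOfRvaAndSizes, validating the headers on the way."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip PE signature and COFF file header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                           # PE32: field sits at optional header + 0x5C
        return opt + 0x5C
    if magic == 0x20B:                           # PE32+: field sits at optional header + 0x6C
        return opt + 0x6C
    raise ValueError(f"unknown optional header magic {magic:#x}")


def check_rva_count(image: bytes) -> tuple:
    """Return (NumberOfRvaAndSizes, is_anomalous); anything above 16 is suspect."""
    value = struct.unpack_from("<I", image, rva_count_offset(image))[0]
    return value, value > IMAGE_NUMBEROF_DIRECTORY_ENTRIES


def fix_rva_count(image: bytes) -> bytes:
    """Return a copy of the file with NumberOfRvaAndSizes set back to 16."""
    patched = bytearray(image)
    struct.pack_into("<I", patched, rva_count_offset(image), IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
    return bytes(patched)


def constructed_sample() -> bytes:
    """Constructed minimal PE32 header (not the crackme) carrying the oversized count 0x3FF10."""
    e_lfanew = 0xB8                              # assumption: puts the field at file offset 0x12C
    img = bytearray(e_lfanew + 4 + 20 + 0xE0)    # DOS stub + PE sig + COFF header + PE32 optional header
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, e_lfanew + 4, 0x14C, 1)   # Machine = i386, one section
    struct.pack_into("<H", img, e_lfanew + 4 + 16, 0xE0)   # SizeOfOptionalHeader
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)                # PE32 magic
    struct.pack_into("<I", img, opt + 0x5C, 0x3FF10)       # the oversized NumberOfRvaAndSizes
    return bytes(img)


if __name__ == "__main__":
    sample = constructed_sample()
    print("before:", check_rva_count(sample), "at offset", hex(rva_count_offset(sample)))
    print("after: ", check_rva_count(fix_rva_count(sample)))
```

To check a real file, replace `constructed_sample()` with the bytes read from disk; the functions never touch anything past the optional header.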

bud_gd
July 19th, 2005, 21:58
Oh, me anon. Might this method be somewhat safe for other than the crackme?

blabberer
July 20th, 2005, 05:10
What method? You mean changing the PE header info?
I have changed many things like that, including adding new section details, and never faced any problems.
Maybe you could elaborate a little so that I can understand what you are asking.

Ricardo Narvaja
July 20th, 2005, 10:04
For me this protection is crap; the crackme runs perfectly in Olly. If you need to reach the entry point,
change in Debugging Options -> Events so the program stops at the SYSTEM BREAKPOINT. When the message box says this is not a valid 32-bit bla bla, accept it and go to VIEW -> MEMORY and put a MEMORY BREAKPOINT ON ACCESS on the section (the only section you can see), then press F9 and the program stops at the entry point. Remove the BPM and press F9 and the program runs perfectly; there is no problem at all.

Ricardo Narvaja

blabberer
July 20th, 2005, 11:37
Hehe, that's too much work, Ricardo.
Well, one doesn't even have to change the events; Olly will stop on the system breakpoint automatically if it can't find WinMain.
Hit Alt+F1 and type
bp ZwSetInformationThread and hit OK.
Hit F9.
Hit Ctrl+F9.
F7* and you are on the OEP.

*one time if you have Options --> Debugging Options --> Trace --> "After executing till RET, step over RET" checkbox selected
*two times if you don't have the above checkbox selected


BTW, if you have ntdll.dll analysed you don't even have to set this breakpoint; it will be there every time once you have set it.