Reverse engineering problem

05/27/2010 15:07 smbogdan#1
Hello there, I am trying to hack a MMORPG with OllyDbg but I get an error that says there was detected a debugger... Can someone tell me how to delete the error?
05/27/2010 15:50 schnewin#2
You must learn Assembler, to delete this message.
You can watch Lena151 Assembler tutorials (Language: English)
It's very difficult, but in Step 1-8 you will learn to "delete" this message.
But don't use the string search method, it's not a good way. ;)
05/27/2010 15:55 smbogdan#3
thank you I will try it :)
05/27/2010 16:07 smbogdan#4
I watched the tutorial from 1 to 8 and I can't do the same things as Lena... When I press the "Step over" button or "F8" nothing happens... And if I search for the text nothing is found :(
05/27/2010 16:19 MrSm!th#5
Quote (originally posted by schnewin):
You must learn Assembler, to delete this message.
You can watch Lena151 Assembler tutorials (Language: English)
It's very difficult, but in Step 1-8 you will learn to "delete" this message.
But don't use the string search method, it's not a good way. ;)

that's totally wrong ;)

if the debugger is detected, it means that there is a copy protection like Themida or any other one.

and you can't simply delete it, to get access to the client.

search for PEiD, run it and choose the client, look for a public unpacker for the detected copy protection
05/27/2010 16:28 smbogdan#6
Quote (originally posted by MrSm!th):
that's totally wrong ;)

if the debugger is detected, it means that there is a copy protection like Themida or any other one.

and you can't simply delete it, to get access to the client.

search for PEiD, run it and choose the client, look for a public unpacker for the detected copy protection

Ok I have PEiD and opened the client with it, now what do I need to do?
Unpack the client?
P.S. When I opened the client in PEiD in the box above "Multi Scan" is written: "Nothing found *"
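
When a signature scanner such as PEiD reports "Nothing found", analysts usually fall back on section names and per-section entropy to decide whether a binary is packed. The sketch below is an added example, not part of the thread; the 7.0 threshold, the `.pack0` section name and the two-section sample image are constructed assumptions.

```python
import math
import struct
from collections import Counter

# Names emitted by common linkers; anything else deserves a closer look.
STANDARD = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata", ".tls"}
ENTROPY_LIMIT = 7.0  # assumption: rule-of-thumb threshold for packed or encrypted data

def entropy(data):
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values()) if n else 0.0

def triage(pe):
    """Return [(name, entropy, reasons)] for every section of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size   # section table follows the optional header
    report = []
    for i in range(nsec):
        hdr = table + 40 * i           # each section header is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        _vsize, _va, rsize, rptr = struct.unpack_from("<4I", pe, hdr + 8)
        h = entropy(pe[rptr:rptr + rsize])
        reasons = ["non-standard name"] * (name not in STANDARD)
        reasons += ["high entropy"] * (h > ENTROPY_LIMIT)
        report.append((name, round(h, 2), reasons))
    return report

def build_sample():
    """Constructed two-section image (not a real binary), for demonstration only."""
    code = b"\x55\x8b\xec\x90" * 128   # repetitive bytes, entropy 2.0
    blob = bytes(range(256)) * 16      # uniform bytes stand in for packed data
    def sec(name, data, ptr):
        return struct.pack("<8s6I2HI", name, len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, 0)
    head = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    head += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    head += sec(b".text", code, 168) + sec(b".pack0", blob, 168 + len(code))
    return head + code + blob

if __name__ == "__main__":
    for row in triage(build_sample()):
        print(row)
```

A flagged section only says the contents look compressed or encrypted; it does not name the protector.
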
05/27/2010 16:32 MrSm!th#7
hm then you could google what packer is used ;)
if you know it, download an unpacker and unpack it
05/27/2010 16:34 smbogdan#8
But why should I unpack the client?
05/27/2010 16:42 smbogdan#9
I thought that I should add more info... So I made some screenshots:
The first error I got before editing anything was this:
[screenshot]
after this error I get 2 others:
[screenshot]
and
[screenshot] (this error only says that it's impossible to run the application)
so, the first one I removed and it doesn't bother me anymore but I can't solve/repair/delete/remove the other 2 :(
05/27/2010 16:47 Bot_interesierter#10
@MrSm!th
well, that would be the worst case scenario, but it's possible that the game does just a call to IsDebuggerPresent, something like that would be very trivial to patch.
And if it's in fact a recent version of Themida or something similar, he won't find public unpackers and I've also experienced that unpackers often don't work well on Themida because it's customizable.
If he really is dealing with Themida he'll probably have to manually unpack it, and I doubt his knowledge of reversing is sufficient for a rough task like that.

Removing Themida properly and completely is a pain in the ass btw :-)
05/27/2010 17:04 smbogdan#11
Ok I searched if there is any "IsDebuggerPresent" in the client and I found a row that I can't access :( the row number is: 76011F8F and I start from row: 77D11000... what can I do?
05/27/2010 17:20 Bot_interesierter#12
smbogdan, IsDebuggerPresent is a Windows API, if your target program is actually using it just do this:
press ctrl+g in olly and enter 'IsDebuggerPresent' now hit return, hit F2 to place a breakpoint, hit F9 to execute the program, it should now break at your breakpoint, press F2 again to remove the breakpoint, now press ctrl+F9 to execute till return, modify the value of eax to 0 and press F9.
ofc you could also just patch the call to IsDebuggerPresent and set eax to 0, or you could patch the actual check of the return value.

Lena's Reversing Tutorial for newbies does explain how to do this btw.
05/28/2010 14:16 smbogdan#13
I have a problem :( after I replace the EAX to 0 and hit F9 nothing happens...
Question... the EAX that I have to make 0 is the one on the right?
05/28/2010 15:46 Bot_interesierter#14
I've just seen the pix you posted and I'm sorry but you're dealing with Themida, if you want to reverse anything in that client you'll have to remove Themida first, try using PEiD or similar to find out which Themida version you're dealing with and look for some tutorials or even unpack scripts on tuts4you.com.
But judging from your questions you simply lack the knowledge to unpack Themida, so you'll probably fail if you don't find a public unpacker, but be careful there are a lot of trojans out there...
05/28/2010 16:06 MrSm!th#15
Quote (originally posted by smbogdan):
Hello there, I am trying to hack a MMORPG with OllyDbg but I get an error that says there was detected a debugger... Can someone tell me how to delete the error?
Quote (originally posted by smbogdan):
But why should I unpack the client?
because you want to attach with olly :rolleyes:


btw. I dunno why, but I knew it :D It is Themida... and Bot_interessierter:
I don't think that even a simple protection (like a selfmade one) would not really be that trivial to patch.
I think nobody uses only IsDebuggerPresent