Reverse engeneering problem

smbogdan · 05/27/2010, 15:07

Hello there, I am trying to hack a MMORPG with OllyDbg but I get an error that says there was detected a debugger... Can someone tell me how to delete the error?

schnewin · 05/27/2010, 15:50

You must learn Assembler, too delete this message.
You can watch Lena151 Assembler tutorials (Language: English)

It's very difficult, but in Step 1-8 you will learn to "delete" this message.
But don't use the string search method, it's not a good way .

smbogdan · 05/27/2010, 15:55

thank you I will try it

smbogdan · 05/27/2010, 16:07

I watched the tutorial from 1 to 8 and I cant do the same things as lena... When I press the "Step over" button or "F8" it doesn't happen anything... And if I search for the text nothing is found

MrSm!th · 05/27/2010, 16:19

Quote:

Originally Posted by schnewin

You must learn Assembler, too delete this message.
You can watch Lena151 Assembler tutorials (Language: English)
It's very difficult, but in Step 1-8 you will learn to "delete" this message.
But don't use the string search method, it's not a good way .

thats totally wrong

if the debugger is detected, it means that there is a copy protection like Themida or any other one.

and you can't simply delete it, to get access to the client.

search for PEid, run it and choose the client, look after a public unpacker for the detected copy protection

smbogdan · 05/27/2010, 16:28

Quote:

Originally Posted by MrSm!th

thats totally wrong

if the debugger is detected, it means that there is a copy protection like Themida or any other one.

and you can't simply delete it, to get access to the client.

search for PEid, run it and choose the client, look after a public unpacker for the detected copy protection

Ok I have PEiD and opened the client with it, now what I need to do?
Unpack the client?
P.S. When I opened the client in PEiD in the box above "Multi Scan" is written: "Nothing found *"

MrSm!th · 05/27/2010, 16:32

hm than you could google what packer is used

if you know it, download an unpacker und unpack it

smbogdan · 05/27/2010, 16:34

But why should I unpack the client?

smbogdan · 05/27/2010, 16:42

I tought that I should add more info... So I made some ss:
The first error I got before editing anything was this :

after this error I get other 2:

and

(this error only says that it's impossible to run the application)
so, the first one I removed it and doesn't bother me anymore but I can't solve/repair/delete/remove the other 2

Bot_interesierter · 05/27/2010, 16:47

@MrSm!th
well, that would be the worst case scenario, but it's possible that the game does just a call to IsDebuggerPresent, something like that would be very trivial to patch.
And if it's infact a recent version of themida or something similar, he won't find public unpackers and I've also experienced that unpackers often don't work well on themida because it's costomizable.
If he really is dealing with Themida he'll probably have to manually unpack it, and I doubt his knowlegde on reversing is sufficent for a rough task like that.

Removing Themida properly and complete is a pain in the *** btw :-)

smbogdan · 05/27/2010, 17:04

Ok I searched if there is any "IsDebuggerPresent" in the client and I found a row that I can't access

the row number is: 76011F8F and I start from row: 77D11000... what can I do?

Bot_interesierter · 05/27/2010, 17:20

smbogdan, IsDebuggerPresent is a windows api, if your target programm is actually using it just do this:
press ctrl+g in olly and enter 'IsDebuggerPresent' now hit return, hit F2 to place a breakpoint, hit F9 to execute the programm, it should now break at your breakpoint, press F2 again to remove the breakpoint, now press ctrl+F9 to execute till return, modify the value of eax to 0 and press F9.
ofc you could also just patch the call to is debugger present and set eax to 0, or you could patch the actual check of the return value.

Lena's Reversing Tutorial for newbies does explain how to do this btw.

smbogdan · 05/28/2010, 14:16

I have a problem

after I replace the EAX to 0 and hit F9 nothing happens...
Question... the EAX that I have to make 0 is the one on the right ?

Bot_interesierter · 05/28/2010, 15:46

I've just seen the pix you posted and I'm sorry but you're dealing with Themida, if you want to reverse anything in that client you'll have to remove themida first, try using PeID or similar to find out which themida version you're dealing with and look for some tutorials or even unpack scripts on tuts4you.com.
But judging from your questions you simply lack the knowlegde to unpack themida, so you'll probably fail if you don't find a public unpacker, but be careful there are a lot of trojans out there...

MrSm!th · 05/28/2010, 16:06

Quote:

Originally Posted by smbogdan

Hello there, I am trying to hack a MMORPG with OllyDbg but I get an error that says there was detected a debugger... Can someone tell me how to delete the error?

Quote:

Originally Posted by smbogdan

But why should I unpack the client?

because you want to attach with olly

btw. I dunno why, but I knew it

It is Themida... and Bot_interessierter:
I don't think that even a simple protection (like a selfmade one) would not really be that trivial to patch.
I think, nobody uses only IsDebuggerPresent