UnpExeCr

Category: Other
Development tool: Asm
File size: 1381KB
Downloads: 3
Upload date: 2019-07-08 01:41:00
Uploader: eugene004578
Description: Unpacking and Dumping ExeCryptor and Coding Loader

File list:
example (0, 2006-01-17)
example\debugger.asm (5423, 2006-01-17)
example\debugger.EXE (4096, 2006-01-16)
example\test.asm (846, 2006-01-17)
example\test.EXE (4096, 2006-01-16)
execryptor-imprecplugin (0, 2006-01-17)
execryptor-imprecplugin\execryptor.dll (8192, 2006-01-01)
execryptor-imprecplugin\resolved.txt (19584, 2006-01-17)
loader (0, 2006-01-17)
loader\loader.asm (8649, 2006-01-17)
oepfinder (0, 2006-01-17)
oepfinder\extern.inc (883, 2006-01-09)
oepfinder\howtoexecryptor.pdf (172196, 2006-01-09)
oepfinder\oepfinder.asm (37455, 2006-01-18)
oepfinder\oepfinder.exe (20480, 2006-01-18)
oepfinder\oepfinder.res (3948, 2006-01-09)
ARTeam.esfv (572, 2006-01-18)
Unpacking_And_Dumping_ExeCryptor_and_Coding_Loader.pdf (1712796, 2006-01-18)

oepfinder vX.Y.Z by deroko/ARTeam

It has been a long time since I've released my first version of oepfinder. Yup, it was slow, but I dare you to write a multi-threading debugger for big applications that will be fast! This time the new release has two tracing modes:

1. deroko/ARTeam
2. stealth

Yah, both are my engines, but they work completely differently.

deroko/ARTeam engine:
- acts like a debugger and creates the process with DEBUG_PROCESS + DEBUG_ONLY_THIS_PROCESS
- hides the presence of the debugger by clearing PEB.BeingDebugged
- sets PAGE_GUARD on the guessed range and debugs the app
- on each access to a guarded page:
  - checks if eip is in the guessed range?
    - yes: set trap flag and inform user (opcodes are shown in dialog)
      note: trap flag is set only if the "Trace All" option is selected
    - no: clear PAGE_GUARD and set int3h after the instruction that caused the exception; this acts like any normal debugger using int3h to step over instructions.
- when you find a suspicious EIP, click on "Deattach" in the dialog and OK on the messagebox with the eip; progy will inform you about stolen bytes, pid and eip. Attach olly to it, or use sice to break at "jmp $" :D

stealth mode:
Stealth mode is very, very powerful. It will run in the context of the target process, avoiding all possible debugging checks. Once run, an app in stealth mode is completely independent. Small debugging code is injected into the target process, hooks are set and we are ready to debug the app. Heh, the target won't know that it is being debugged.

Default mode:
- hooks CreateThread to make the nonintrusive debugger multithreading safe
- sets PAGE_GUARD on the guessed range and inserts int3h after each instruction that caused an exception (e.g. read/write to a page_guard)
- if eip is in range, the user will be notified via MessageBoxA (caption: continue?)
  - if you press OK, tracing continues
  - if you press Cancel, jmp $ is stored at eip, informing the user about stolen bytes; also at this point the TLS callback pointer from DataDirectory.TLS is deleted so olly can be attached without problem, or nonintrusive importrec plugins can be run on our target.

Extra Fast:
- acts like Default mode but with no int 3hs after the instruction that caused the exception. Not accurate sometimes, but with execryptor (all protection options on) and ASProtect it worked without a problem (oep reached in less than 2-3 sec)

Don't hook CreateThread:
- you can choose NOT to hook CreateThread (e.g. krypton v0.5) and it will also work without a problem, but it is not always safe (just theory)

With faith in God, deroko/ARTeam
http://cracking.accessroot.com
http://deroko.headcoders.net
