Archive for September 20, 2008

OllyDBG v1.10 plugin – StrongOD v0.18 [2008.09.18]

OllyDBG v1.10 plugin – StrongOD v0.18
Temptress Moon Shadow by sea [CUG]
====================================================================
[2008.09.18 v0.18]
1. Fixed a small bug in the Ctrl+G RVA/offset calculation.
2. When the program is not in the running state, Detach now runs the program first.
3. Fixed a bug in restoring OD's copy of the original data.
4. Fixed a bug where OD's CPU usage became very high after running.
5. Exception handling can now be set to skip certain exceptions.

[2008.09.02 v0.17]
1. Skip some exceptions that OD handles improperly.
2. Correctly handle the int 2d instruction.

[2008.08.31 v0.16]
1. Added a driver that protects the process, hides the window, and gets past most anti-debugging.
2. The driver supports a custom device name (DeviceName in ollydbg.ini; the device name must not exceed 8 characters).
In the [StrongOD] section of ollydbg.ini you can set the following yourself:

HideWindow = 1        hide the window
HideProcess = 1       hide the process
ProtectProcess = 1    protect the process
DriverKey = -82693034 key used to communicate with the driver
DriverName = fengyue0 driver name (no more than 8 characters)

3. The parent process of processes created by OD is changed to explorer.exe (copied from shoooo's code).

/////////////////////////////////////////////////////////////

This version adds a driver. If you get a blue screen, set up minidump and post the dump to the forum, thank you.
Use the original OllyDbg as far as possible; in general there is no need to combine this plug-in with other anti-anti-debugging plug-ins (including phant0m).

Put the plug-in in OD's plugin directory, run the original OD, then close it.
Find the [Plugin StrongOD] section in Ollydbg.ini
and change it to your liking:
DriverName – driver file name and device object name
DriverKey – key used to communicate with the driver
HideWindow – whether to hide the window: 1 to hide, 0 not to hide
HideProcess – whether to hide the OD process: 1 to hide, 0 not to hide
ProtectProcess – whether to protect the OD process: 1 to protect, 0 not to protect

The 5 options above have no option in the interface; set them any way you like. If KernelMode is not selected, the 5 options above have no effect.
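As an added illustration (my own code, not the plugin's), a small Python validator for the [Plugin StrongOD] section of ollydbg.ini that enforces the limits the notes give (0/1 flags, an integer DriverKey, a DriverName of at most 8 characters) and models the KernelMode gating; the sample ini is constructed, and treating "no effect" as simply reporting the five options as inactive is an assumption.

```python
import configparser

# Constructed sample ollydbg.ini (not taken from the plugin's real distribution).
SAMPLE_INI = """
[Plugin StrongOD]
KernelMode=1
HideWindow=1
HideProcess=0
ProtectProcess=1
DriverKey=-82693034
DriverName=fengyue0
"""

SECTIONS = ("Plugin StrongOD", "StrongOD")  # both spellings appear in the notes
FLAGS = ("HideWindow", "HideProcess", "ProtectProcess")
MAX_DRIVER_NAME = 8  # length limit the notes give for the driver/device name


def load_strongod(ini_text: str) -> dict:
    """Return the StrongOD settings that would actually take effect.

    Checks the constraints the notes state and models the KernelMode gating
    (an assumption about the plugin; this is not its own parser).
    """
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(ini_text)
    sec = next((n for n in SECTIONS if cp.has_section(n)), None)
    if sec is None:
        raise ValueError("no [Plugin StrongOD] / [StrongOD] section found")
    s = cp[sec]
    out = {"KernelMode": s.getint("KernelMode", fallback=0)}
    for flag in FLAGS:
        v = s.getint(flag, fallback=0)
        if v not in (0, 1):
            raise ValueError(f"{flag} must be 0 or 1, got {v}")
        out[flag] = v
    name = s.get("DriverName", fallback="")
    if len(name) > MAX_DRIVER_NAME:
        raise ValueError(f"DriverName {name!r} exceeds {MAX_DRIVER_NAME} characters")
    out["DriverName"] = name
    out["DriverKey"] = s.getint("DriverKey", fallback=0)
    # Assumption from the notes: the driver options only matter with KernelMode=1.
    out["driver_active"] = out["KernelMode"] == 1
    if not out["driver_active"]:
        for flag in FLAGS:
            out[flag] = 0
    return out
```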

Compared with phant0m's driver, this driver has the following advantages:

1. Supports multiple ODs at once, up to 100, whereas phant0m supports only one OD.
2. When CloseHandle is called on an invalid handle it returns STATUS_INVALID_HANDLE instead of STATUS_SUCCESS.
3. On XP and later, handles the anti-debugging that uses NtQueryInformationProcess(hProcess, ProcessDebugObjectHandle, …) and NtQueryInformationProcess(hProcess, ProcessDebugFlags, …).
4. No blue screen when some ntdll.dll functions in the OD process (such as NtOpenProcess) have been inline-hooked.

Unless otherwise noted, the following were done with the original OD plus only the StrongOD plug-in:

First, in Ollydbg.ini under [Plugin StrongOD], change the values of HideWindow and ProtectProcess to 1 and set KernelMode to 1:

1. Themida / WinLicense

Plug-in options set to the minimum.

Run the original OD and load the main program packed with Themida v1.9.9.0; after it stops at the entry point, remove all breakpoints, then Shift+F9 and it runs.

2. ExeCryptor v2.4.1

Plug-in options set to the minimum.

Run the original OD and set the break-on option to stop at the system breakpoint.
Load the main program packed with ExeCryptor v2.4.1; once it stops at the system breakpoint, press Alt+B and remove the EP breakpoint,
then Shift+F9 and that is all.

3. TTProtect v1.05 DEMO

Plug-in options set to the minimum.

Run the original OD, load the TTProtect v1.05 DEMO main program, Shift+F9.

4. VMProtect v1.65.2

vmp v1.65 added a new anti-debugging check against OD under the XP system. Plug-in options set to the minimum.

Run the original OD, load the VMProtect v1.65.2 main program, Shift+F9.