
I'm trying to find the ZipCrypto password from this executable, but when I open it in OllyDbg it always closes the program because of the IsDebuggerPresent module.

I found a solution on the internet and tried to:

  • use OllyDbg plugins (Hide Debugger and IsDebugPresent)
  • NOP the IsDebuggerPresent module
  • force a return of 0 in the IsDebuggerPresent module

They are not working.

I used signsrch to find where the ZipCrypto password is handled and it says

0041c57c 3052 function where is handled the ZipCrypto password [32.le.12&]

and where IsDebuggerPresent is

00435cd8 2545 anti-debug: IsDebuggerPresent [..17]

Can I bypass IsDebuggerPresent and find the ZipCrypto password in this executable? Executable link: https://mega.co.nz/#!PMdAjZab!bTO7VbZ6OjhJ_mgiigJ1BApDAgDeVWK_X-mKl9aMZw8

Sorry for my bad English. Thank you.

3 Answers


Suppose your exe file name is a1.exe.

Do this:

  • Press Alt+E to go to the Executable modules window.
  • Select a1.exe.
  • Press Ctrl+N.
  • Find IsDebuggerPresent in the imports and select it.
  • Right-click and click Follow import in Disassembler.
  • Press F2 on this opcode.
  • Run the program and wait for the breakpoint.
  • Press F8 a few times until you return to your code.
  • Search for something like je or jnz opcodes and change them.



You should open the file in a disassembler, find where it makes the call to IsDebuggerPresent and then ultimately closes the application (or shows an error or whatever); this piece of code you can NOP in order to disable the check.

You can read the ASM code with disassemblers like IDA; although they don't support editing, you can byte-edit the code (just fill the region you want to patch with NOPs) using CFF Explorer.

8 Comments

It always closes. I think it might have another protection module. Can you help me find that? I can write programs, but I'm not professional with assembly and debugging.
If you find the call to the IsDebuggerPresent method and just NOP that you'll be fine. You can see that it's at 0x00435cd8 (assuming from your main post).
I see a lot of CRC32 calls in the signsrch window; CRC stands for Cyclic Redundancy Check and is used to prevent code editing. It probably doesn't kick you out because you didn't NOP the call to the IsDebuggerPresent method, but because it detects that you've changed it.
Can I find the ZipCrypto password another way without bypassing IsDebuggerPresent? I'm not good at assembly and debugging. Thank you :)
Somewhere near 0x41c57c the password is being handled. However, obtaining it requires some (basic) knowledge of assembly and reverse engineering.
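Both answers above come down to the same two patches: either neutralise the `call [IsDebuggerPresent]` so the caller sees 0 (the NOP/CFF Explorer route in the second answer), or flip the `je`/`jnz` that follows it (the OllyDbg route in the first answer). The script below is an added example, not code from the question or from either answerer; it maps an OllyDbg/signsrch virtual address to a file offset by parsing the PE section table and applies either patch to a copy of the file. The `build_sample_pe()` helper constructs a minimal PE32 image with the typical `call IsDebuggerPresent; test eax,eax; je continue; ... ExitProcess` gate so the example runs offline; the addresses in it (0x401010, 0x401018) belong to that constructed sample, not to the binary from the question.

```python
import struct
import sys

# Constructed sample (not the questioner's binary): a minimal PE32 with one
# .text section. ImageBase 0x400000, .text at RVA 0x1000, raw data at 0x200.
def build_sample_pe():
    image_base, text_va, text_raw = 0x400000, 0x1000, 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, text_va + 0x10)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                  # ImageBase
    sec = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x1000, text_va, 0x200, text_raw, 0, 0, 0, 0, 0x60000020)
    code = bytes([
        0xFF, 0x15, 0x00, 0x20, 0x40, 0x00,  # 401010: call [0x402000]  ; IsDebuggerPresent
        0x85, 0xC0,                          # 401016: test eax, eax
        0x74, 0x08,                          # 401018: je short continue (eax == 0)
        0x6A, 0x00,                          # 40101A: push 0
        0xFF, 0x15, 0x04, 0x20, 0x40, 0x00,  # 40101C: call [0x402004]  ; ExitProcess
        0xC3,                                # 401022: continue: ret
    ])
    text = bytearray(0x200)
    text[0x10:0x10 + len(code)] = code
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return bytearray(hdr.ljust(text_raw, b"\0") + bytes(text))

def parse_pe(data):
    """Return (image_base, [(name, rva, vsize, raw_ptr, raw_size), ...])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if bytes(data[e_lfanew:e_lfanew + 4]) != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                  # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        name = bytes(data[off:off + 8]).rstrip(b"\0").decode("ascii", "replace")
        vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, rva, vsize, raw_ptr, raw_size))
    return image_base, sections

def va_to_file_offset(data, va):
    """Map a virtual address as shown by OllyDbg/signsrch to a file offset."""
    image_base, sections = parse_pe(data)
    rva = va - image_base
    for name, sec_rva, vsize, raw_ptr, raw_size in sections:
        if sec_rva <= rva < sec_rva + max(vsize, raw_size):
            delta = rva - sec_rva
            if delta >= raw_size:
                raise ValueError("VA %#x lies in the uninitialised part of %s" % (va, name))
            return raw_ptr + delta
    raise ValueError("VA %#x is not inside any section" % va)

def patch_jcc(data, va, force_taken):
    """Rewrite the conditional jump at va. force_taken=True makes it an
    unconditional jmp; False replaces it with NOPs so execution falls through.
    Read the branch targets first: which one you want depends on whether the
    exit path is on the taken or the fall-through side."""
    off = va_to_file_offset(data, va)
    b0, b1 = data[off], data[off + 1]
    if 0x70 <= b0 <= 0x7F:                              # Jcc rel8, 2 bytes
        orig = bytes(data[off:off + 2])
        data[off:off + 2] = bytes([0xEB, b1]) if force_taken else b"\x90\x90"
    elif b0 == 0x0F and 0x80 <= b1 <= 0x8F:             # Jcc rel32, 6 bytes
        orig = bytes(data[off:off + 6])
        data[off:off + 6] = (b"\x90\xE9" + orig[2:]) if force_taken else b"\x90" * 6
    else:
        raise ValueError("no conditional jump at %#x (bytes %02x %02x)" % (va, b0, b1))
    return orig

def patch_call_to_return_zero(data, va):
    """Replace 'call dword ptr [imp]' (FF 15 disp32) with 'xor eax,eax' + 4 NOPs
    so the caller sees IsDebuggerPresent() == 0. Six plain NOPs would leave EAX
    holding whatever it had before, which is why the question's NOP attempt is unreliable."""
    off = va_to_file_offset(data, va)
    if data[off] != 0xFF or data[off + 1] != 0x15:
        raise ValueError("no indirect call at %#x" % va)
    orig = bytes(data[off:off + 6])
    data[off:off + 6] = b"\x31\xC0" + b"\x90" * 4
    return orig

if __name__ == "__main__":
    # usage: patch.py a1.exe 0x401018 {call0|taken|fall}  -> writes a1.exe.patched
    path, va, mode = sys.argv[1], int(sys.argv[2], 16), sys.argv[3]
    img = bytearray(open(path, "rb").read())
    if mode == "call0":
        old = patch_call_to_return_zero(img, va)
    else:
        old = patch_jcc(img, va, force_taken=(mode == "taken"))
    open(path + ".patched", "wb").write(img)
    print("patched %#x, original bytes %s" % (va, old.hex()))
```

The VA to pass is the one you land on after the F8 steps in the first answer (the `je`/`jnz` right after `test eax,eax`), not the address signsrch reported for the IsDebuggerPresent signature, which is where the pattern was matched rather than necessarily the call site. Because this writes the patch into a copy of the file, it will be caught by the kind of CRC32 self-check a later comment suspects; in that case make the same byte change in OllyDbg's memory view instead, or find and disable the checksum routine first.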

/GS- on the cl command line will remove this dependency.
