Target.......: Ancient TriJong v?
Protection...: ActiveMark TryMedia v5.?
Difficulty...: Intermediate (you should know about debugging)
Tools Needed:
1.) OllyDbg v1.08 or better
2.) an open mind
Bypassing ActiveMark TryMedia v5 Debug Check
tutorial by cl0ud
ActiveMark Information:
This tutorial explains how to bypass the debug check in TryMedia with a reasonably clean method.
When TryMedia detects a debugger, it appends the command line "--MPRMMGVA--" to the EXE path,
so we will attack at this command line.
Now, first:
Disable ALL toggled breakpoints on APIs. TryMedia detects these and will terminate the process if any breakpoints are found.
Check out my Debugging Options as well:
Now click the MEMORY MAP button in Olly.
You will see there are a lot of sections.
The second-to-last section in the TryMedia-protected EXE is where it reads the command line --MPRMMGVA--.
Follow it; in this case it is a .TEXT section.
When you check the .TEXT section, you will see
--MPRMMGVA--, user32.dll and the debugger error message :P
Highlight --MPRMMGVA-- and set a memory breakpoint on access.
EXAMPLE:
Once you have the memory breakpoint on access set,
press SHIFT+F9 once
and you should break: it is reading the command line.
(So maybe it already executed the debug check?)
Now, remember the .TEXT section we went into?
Click the memory map button again
and look at the section above the .TEXT section we were in, .BSS in this case.
Follow the .BSS section in the memory map.
You will see it copied the EXECUTABLE path to the beginning of the .BSS section.
If we keep executing with SHIFT+F9,
you can clearly see
that it copies --MPRMMGVA-- to the end of this as well.
The .BSS section should now be filled in with the EXE path.
So select the EXE path plus about 10 bytes after it, and set a memory breakpoint on WRITE.
Now SHIFT+F9;
it will break when it writes --MPRMMGVA-- to the end of the EXE path.
EXAMPLE:
and we break
on a
REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
This instruction copies bytes from DS:[ESI] to ES:[EDI], repeating ECX times.
Check the registers window: you can see the command line, --MPRMMGVA--, at ESI.
It is copying it to EDI (the address right after the EXE path in the .BSS section).
Select EDI in your registers, right-click it and click Increment (i.e. add 1 to the current value). ----->
Doing this, it writes the command line to an address the EXE will not read :P
One byte ahead of the EXE path, so it won't read the command line :)
This seems to bypass the debug check :>
A little info on the debug check in TryMedia:
This method bypasses the debug check here. Funny, I've never got the "Debugger detected" error; it always just crashed without any error message.
It does, however, give me the error message if I erase that command line from the .TEXT section.
So if this method is not working, please let me know; I'll study it a little more.
Hope you enjoyed this tutorial.
It was made for one simple reason: to learn how to bypass the debug check in TryMedia :)
Sincerely,
cl0ud / mephist0
ARTeam
---------------------------------------------------------------------------------------
:LEGAL SHIT:
This tutorial is NOT to be abused by ANYONE.
The information in this TUTORIAL is for EDUCATIONAL PURPOSES ONLY.
The application used in this tutorial is copyrighted by its author.
All logos, files and names are copyrighted by their authors and are in this tutorial for
EDUCATIONAL PURPOSES ONLY.
For NO REASON will I, "mephist0", nor the ARTEAM be held responsible for any person's actions with the knowledge held in this tutorial.
Thanks to everyone who's helped me along the way.
Much fun and many greetz to all.