I searched Google a bit, and according to what I read on tuts4you you have to use StrongOD + Phantom with the following settings:
Code:
-StrongOD
---------------------------------
- HidePEB Enable
- *KernelMode Enable
- Break on TLS Enable = Always for VMP
- !*Kill Bad PE Enable
- Skip some EC's Enable
- AdvEnumModule Enable = If target not stop at TLS or EP
- Remove EP OS Enable = Delete one shot EP BP at TLS stop
---------------------------------
- Change Original Drivername into OllyDBG.ini file!
DriverName=newcustom
---------------------------------
---------------------------------
-Phant0m | For XP & Win7 32 Bit
---------------------------------
- Protect DRx Enable
And one more note:
Quote:
The only thing you need is the right settings of Olly & StrongOD & PhantOm to no longer get detected by almost any protections. The important step is that your StrongOD driver is also loaded on your system, and if not = see your posted picture. So I had already made a video about this, how to set up the stuff and how to test. Just check again any of the first videos of my tutorials / script tutorials; there you can see it again.
Also be sure that you changed the driver name in the Ollydbg.ini file in the StrongOD lines [fengyue to something else]. VMP files almost always use TLS callback entries, so it's then important that you also have enabled break on TLS + remove one shot BP in StrongOD. If you load any file then you should stop at the TLSC address if used. Now open the BP map and see whether there are no soft BPs / one-shots to see anymore.
Only use Olly + StrongOD + PhantOm. Optionally you can also use the POISON plugin if you need to patch any other functions in special cases like Enigma + GetStartUp info patches. Do not use any other hide plugins or enable the same patch stuff in other hide plugins too if you have them already enabled in StrongOD etc., so it makes no sense if you enable the same stuff in different plugins; there you will just get problems.
Just check my videos again; you can't go wrong if you follow them with a little attention. You can also use the latest StrongOD & PhantOm plugin versions, so they will also work on Win7 32 Bit correctly.
If you have set up everything right then you see this in the Olly LOG...
KernelMode Enable!
HookSSDT Successful!
Open the OllyDBG.ini file and change...
[Plugin StrongOD]
.....
DriverName=Nael <---- enter any name you want before you start Olly
If you now start Olly then you can see the 2 infos in the Olly log without loading any file. If you also have any tool which can show you the SSDT list then you will also see the Nael.sys driver listed.
Well, I do everything it says there but I can't bypass VMProtect's debugger detection hahahaha, what am I doing wrong?
Regards
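The quote above says VMP-packed files almost always have TLS callback entries, which is why StrongOD's break-on-TLS setting matters: those callbacks run before the entry point. As an added example (my code, not from the original post, tuts4you or the StrongOD project), this Python script parses a PE32 image's TLS directory and lists its callback VAs, so you can check a sample statically, up front, for whether it declares any; the PE it runs on is constructed inline with assumed addresses (ImageBase 0x400000, callbacks at 0x401100 and 0x401200).

```python
import struct

def rva_to_offset(rva, sections):
    """Map an RVA to a file offset via (VirtualAddress, SizeOfRawData, PointerToRawData) tuples."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA %#x is not backed by any section" % rva)

def tls_callbacks(pe):
    """Return the TLS callback VAs declared by a PE32 image ([] if it declares none)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]                    # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", pe, pe_off + 6)  # COFF header fields
    opt = pe_off + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:                  # PE32 magic; PE32+ differs
        raise ValueError("only PE32 images are handled here")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    tls_rva = struct.unpack_from("<I", pe, opt + 96 + 8 * 9)[0]       # data directory 9 = TLS
    if tls_rva == 0:
        return []                                                      # no IMAGE_TLS_DIRECTORY
    sec_tbl = opt + opt_size
    sections = [struct.unpack_from("<III", pe, sec_tbl + 40 * i + 12) for i in range(nsec)]
    # IMAGE_TLS_DIRECTORY32: AddressOfCallBacks is the 4th DWORD and holds a VA, not an RVA
    cb_va = struct.unpack_from("<I", pe, rva_to_offset(tls_rva, sections) + 12)[0]
    if cb_va == 0:
        return []
    off, callbacks = rva_to_offset(cb_va - image_base, sections), []
    while struct.unpack_from("<I", pe, off)[0]:                        # null-terminated VA array
        callbacks.append(struct.unpack_from("<I", pe, off)[0])
        off += 4
    return callbacks

def build_sample_pe(image_base=0x400000, callbacks=(0x401100, 0x401200)):
    """Constructed minimal PE32 (not a real binary): one section holding a TLS directory + callbacks."""
    sec_rva, sec_raw = 0x1000, 0x200                                   # section RVA / file offset
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    dirs = [(0, 0)] * 9 + [(sec_rva, 24)] + [(0, 0)] * 6               # only the TLS entry is set
    opt = (struct.pack("<H", 0x10B) + b"\0" * 26 + struct.pack("<I", image_base) + b"\0" * 60
           + struct.pack("<I", 16) + b"".join(struct.pack("<II", *d) for d in dirs))
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = b".rdata\0\0" + struct.pack("<IIIIIIHHI", 0x200, sec_rva, 0x200, sec_raw, 0, 0, 0, 0, 0x40000040)
    hdr = (dos + b"PE\0\0" + coff + opt + sec).ljust(sec_raw, b"\0")
    tls = struct.pack("<IIIIII", 0, 0, 0, image_base + sec_rva + 0x20, 0, 0).ljust(0x20, b"\0")
    cb_array = b"".join(struct.pack("<I", c) for c in callbacks) + b"\0" * 4
    return hdr + (tls + cb_array).ljust(sec_raw, b"\0")
```

On a real sample, pass the file bytes to `tls_callbacks`; a non-empty list means the break-on-TLS setting is the one that will stop first, before the EP.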