In my previous tutorial [1] on HASP SL (6.41.95) I demonstrated how to easily find the OEP and how to dump and rebuild the target application. The main goal of this tutorial is to go a little more in depth: how to manually bypass the anti-debug feature, how to find out what version you are dealing with, and so on. This tutorial also includes a flash movie of the manual handiwork described here: dodging the anti-debug, finding the OEP, dumping and rebuilding. All done in about 2.5 minutes! So are you ready? Got your gear?
Alrighty then.. Let’s go!
2. Acquiring The Target Application
The example target can be downloaded from the Minitab site:
3. Manually Dodging The Anti-Debug Tricks
Ok, to make things a little more of a ‘sport’ I will not use any anti-debug plug-ins but rather dodge the checks manually using some tricks. Right, if we were to load our executable into Olly and run it, we would get something like this:
Figure 1.1 Ugly “Badboy, keep your debugger out, please” screen (for you, Lena)
Obviously our attempt to look into the code has stirred up some angry feelings among certain protector developers. Setting a breakpoint on IsDebuggerPresent will do the trick here, won't it? Let’s try!
Ok, we break all right. And EAX is 1 (debugger present).