
Does asprotect have anti-tracing code???


padawan
February 23rd, 2004, 08:20
Hello,

I'm taking a look at an application protected with Asprotect 1.2/1.2c, looking for the OEP I used the trace function of OllyDbg setting a stop condition of EIP < 900000 just as described in two different tutorials by LaBBa (http://www.woodmann.net/forum/showthread.php?t=4958 and http://www.woodmann.net/forum/showthread.php?t=4614). But this trace stop condition DOES NOT work!! OllyDbg goes past the OEP (which is indeed < 900000) running forever. I repeated this step various times and then gave up thinking that asprotect must have some anti-tracing code.
But this explanation does not satisfy me, especially considering that the specific version of asprotect isn't very recent.

Can anyone help me understand what is happening or can suggest how I could go investigating this behavior???
I already found the OEP, so I don't really need this step, still it disturbs me not to understand what is happening.


padawan

PS: I searched the forum for someone reporting something like this, but came up with nothing.

Ricardo Narvaja
February 23rd, 2004, 09:00
The trace-into function of Olly, in my experience, is not perfect; many times it crashes or skips lines easily.

The better way to make trace-into work well is to start in the asprotect code, not in an API, and to clear all options in DEBUGGING OPTIONS-TRACE.

If the trace crashes, go to the last line before the crash and put a hardware bpx there, run till this line, step over the API, and continue tracing.

Ricardo

padawan
February 23rd, 2004, 16:50
thanks Ricardo,

I was starting the trace from inside ntdll.dll and had the option to trace over system DLLs selected. Unfortunately OllyDbg seems to have a bug: in this situation any pause condition (such as EIP<900000) is somehow ignored and tracing goes on forever.

padawan
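The procedure Ricardo describes (start tracing inside the asprotect code, not inside an API, and stop once EIP drops below 900000), written up as an added OllyScript example; this is not code from the thread, from LaBBa's tutorials or from OllyDbg itself. It single-steps with its own EIP check on every instruction, so it does not depend on OllyDbg's trace-pause condition or on the "trace over system DLLs" option that padawan found to be ignored; whenever a step lands inside a system DLL it runs till user code instead of stepping the DLL. The 70000000 boundary for system DLLs, the OllyScript command names (sti, rtu, cmp/jb/jae, log, msg) and the value 900000 from the tutorials are assumptions about the environment and should be checked against the OllyScript plugin and the process map you actually have.

```ollyscript
// Added example, not from the thread: conditional single-step trace towards the OEP.
// Assumes the OllyScript plugin for OllyDbg; all numbers are hex, as in OllyDbg conditions.
var limit      // pause when EIP < limit (the 900000 used in LaBBa's tutorials)
var sysbase    // assumption: code at or above this address belongs to a system DLL
var steps      // how many protector instructions were single-stepped

mov limit, 900000
mov sysbase, 70000000
mov steps, 0

loop:
  cmp eip, limit
  jb found          // EIP is below 900000: candidate OEP reached
  cmp eip, sysbase
  jae insys         // EIP is inside a system DLL: do not single-step it
  sti               // step into one instruction of the protector code
  add steps, 1
  jmp loop

insys:
  rtu               // run till user code gets control back, then keep tracing
  jmp loop

found:
  log eip
  log steps
  msg "EIP dropped below 900000; inspect this location as the OEP candidate"
  ret
```

Start the script with EIP already inside the asprotect loader code (after the first jump out of the entry point), not while stopped inside ntdll.dll, otherwise the first comparison already sees EIP above sysbase and the script just runs till user code. If the trace dies the way Ricardo describes, the logged step count and last EIP tell you where to place the hardware breakpoint before restarting.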