oepfinder vX.Y.Z by deroko/ARTeam

It has been a long time since I've released my first version of oepfinder,
yup, it was slow, but I dare you to write a multi-threading debugger for big
applications that will be fast!

This time the new release has two tracing modes:
1. deroko/ARTeam
2. stealth

yah, both are my engines, but they work completely differently.

deroko/ARTeam engine:
        - acts like a debugger and creates the process with DEBUG_PROCESS + DEBUG_ONLY_THIS_PROCESS
        - hides the presence of the debugger by clearing PEB.BeingDebugged
        - sets PAGE_GUARD on the guessed range and debugs the app
        - on each access to a guarded page:
                - checks whether eip is in the guessed range:
                - yes: sets the trap flag and informs the user (opcodes are shown in the dialog)
                  note: the trap flag is set only if the "Trace All" option is selected
                - no: clears PAGE_GUARD and sets an int 3h after the instruction that caused the exception;
                  this acts like any normal debugger using int 3h to step over instructions.
        - when you find a suspicious EIP, click "Deattach" in the dialog and OK on the message box
          showing the eip; the progy will inform you about stolen bytes, pid and eip. Attach olly to
          it, or use sice to break at "jmp $" :D

stealth mode:
        Stealth mode is very, very powerful. It runs in the context of the target process, avoiding
        all possible debugging checks.

        Once run in stealth mode the app is completely independent: small debugging
        code is injected into the target process, hooks are set and we are ready to debug the app.
        Heh, the target won't know that it is being debugged.
        
        Default mode:
        - hooks CreateThread to make the nonintrusive debugger multithreading-safe
        - sets PAGE_GUARD on the guessed range and inserts an int 3h after each instruction that
          caused an exception (e.g. a read/write to a PAGE_GUARD page)
        - if eip is in range the user is notified via MessageBoxA (caption: continue?)
          - if you press OK, tracing continues
          - if you press Cancel, a jmp $ is stored at eip and you are informed about stolen bytes;
            at this point the TLS callback pointer from DataDirectory.TLS is also deleted, so
            olly can be attached without problems, or you can run nonintrusive importrec plugins on
            our target.
            
        Extra Fast: 
        - acts like Default mode but without int 3hs after the instruction that caused the exception.
          Sometimes not accurate, but with execryptor (all protection options on) and
          ASProtect it worked without a problem (oep reached in less than 2-3 sec)
        
        Don't hook CreateThread:
        - you can choose NOT to hook CreateThread (e.g. krypton v0.5) and it will also work
          without a problem, but it is not always safe (just theory)
        
Oki, there is also one more catch with stealth mode:

If you get "App can not be initialized", I suggest you make an extra copy of oepfinder and
patch this part:

00402045   . 68 04324000    PUSH oepfinde.00403204                   ; /pOldProtect = oepfinde.00403204
0040204A   . 68 40010000    PUSH 140                                 ; |NewProtect = PAGE_EXECUTE_READWRITE|PAGE_GUARD
0040204F   . FF35 7C394000  PUSH DWORD PTR DS:[40397C]               ; |Size = 0
00402055   . FF35 78394000  PUSH DWORD PTR DS:[403978]               ; |Address = NULL
0040205B   . FF35 2C314000  PUSH DWORD PTR DS:[40312C]               ; |hProcess = NULL
00402061   . E8 EB080000    CALL <JMP.&KERNEL32.VirtualProtectEx>    ; \VirtualProtectEx

Just nop it!

What is the problem?
        I set PAGE_GUARD while the primary thread is suspended; no imports are resolved, nor anything
        else, at this point. When we ResumeThread, if the IAT is in our guessed range, the loader can't
        write to that address, so you get the "Can't initialize" message. This is the case with the
        enigma.exe demo version. So if you get this error, just patch a copy of oepfinder at the above
        address, and trace the app without a problem.
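
        A way to avoid that clash altogether, as an added example that is not part of oepfinder: read the
        IAT directory from the target's PE headers and carve its pages out of the guessed range before
        calling VirtualProtectEx, so the loader keeps its writable IAT pages. It assumes 4 KiB pages and
        the standard PE32/PE32+ header layout (IAT directory index 12, import directory index 1), and
        runs on a constructed header buffer rather than a real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PAGE 0x1000u                       /* assumption: 4 KiB pages, the PAGE_GUARD granularity */
typedef struct { uint32_t rva, size; } rva_range;

static uint32_t rd16(const uint8_t *p, size_t o) { return p[o] | (uint32_t)p[o + 1] << 8; }
static uint32_t rd32(const uint8_t *p, size_t o) { return rd16(p, o) | rd16(p, o + 2) << 16; }
static void wr32(uint8_t *p, size_t o, uint32_t v) { for (int i = 0; i < 4; i++) p[o + i] = (uint8_t)(v >> 8 * i); }

/* Find the IAT data directory (index 12) of an in-memory PE image, falling back to the
   import directory (index 1) if the IAT entry is empty. Returns 0 on success, -1 on bad headers. */
int pe_iat_range(const uint8_t *img, size_t len, rva_range *iat) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    size_t pe = rd32(img, 0x3c);
    if (pe > len || pe + 26 > len || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    size_t opt = pe + 24;                                   /* optional header follows the 20-byte file header */
    size_t dd = opt + (rd16(img, opt) == 0x20b ? 112 : 96); /* DataDirectory offset: PE32+ vs PE32 */
    uint32_t ndirs = rd32(img, dd - 4);                     /* NumberOfRvaAndSizes sits just before it */
    const int order[2] = { 12, 1 };
    for (int k = 0; k < 2; k++) {
        size_t e = dd + (size_t)order[k] * 8;
        if ((uint32_t)order[k] >= ndirs || e + 8 > len) continue;
        iat->rva = rd32(img, e); iat->size = rd32(img, e + 4);
        if (iat->size) return 0;
    }
    return -1;
}

/* Carve the page-rounded IAT out of the guessed range so PAGE_GUARD never covers pages
   the loader has to write while it resolves imports. Returns the number of pieces (0-2). */
int split_guard_range(rva_range guess, rva_range iat, rva_range out[2]) {
    uint32_t gl = guess.rva, gh = guess.rva + guess.size;
    uint32_t xl = iat.rva & ~(PAGE - 1), xh = (iat.rva + iat.size + PAGE - 1) & ~(PAGE - 1);
    int n = 0;
    if (xh <= gl || xl >= gh) { out[0] = guess; return 1; }  /* no overlap: guard the whole guess */
    if (xl > gl) { out[n].rva = gl; out[n].size = xl - gl; n++; }
    if (xh < gh) { out[n].rva = xh; out[n].size = gh - xh; n++; }
    return n;
}

/* Constructed PE32 header for the demo (not a real binary): IAT at RVA 0x3000, size 0x200. */
void build_sample_image(uint8_t *buf, size_t len) {
    size_t opt = 0x40 + 24; memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z'; wr32(buf, 0x3c, 0x40); memcpy(buf + 0x40, "PE\0\0", 4);
    buf[opt] = 0x0b; buf[opt + 1] = 0x01;                   /* Magic = 0x10b (PE32) */
    wr32(buf, opt + 92, 16);                                /* NumberOfRvaAndSizes */
    wr32(buf, opt + 96 + 12 * 8, 0x3000); wr32(buf, opt + 96 + 12 * 8 + 4, 0x200);
}
```

        Each piece returned by split_guard_range is what you would pass to VirtualProtectEx with
        PAGE_GUARD instead of the single guessed range, so the loader's IAT writes go through.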
        
        
                                                                With faith in God, deroko/ARTeam
http://cracking.accessroot.com
http://deroko.phearless.org
