Tags: encryption, reverse-engineering, ollydbg

How do I bypass IsDebuggerPresent in this executable?


I'm trying to find the ZipCrypto password from this executable, but when I open it in OllyDbg it always closes the program because of the IsDebuggerPresent module.

I found solutions on the internet and tried to:

- use OllyDbg plugins (Hide Debugger and IsDebugPresent)
- NOP out the IsDebuggerPresent module
- force a return of 0 in the IsDebuggerPresent module

They are not working.

I used signsrch to find where the ZipCrypto password is handled, and it says

0041c57c 3052 function where is handled the ZipCrypto password [32.le.12&]

and where IsDebuggerPresent is:

00435cd8 2545 anti-debug: IsDebuggerPresent [..17]

Can I bypass IsDebuggerPresent and find the ZipCrypto password in this executable? Executable link: https://mega.co.nz/#!PMdAjZab!bTO7VbZ6OjhJ_mgiigJ1BApDAgDeVWK_X-mKl9aMZw8

Sorry for my bad English. Thank you.


Solution

  • You should open the file in a disassembler, find where it makes the call to IsDebuggerPresent and then ultimately closes the application (or shows an error, or whatever); this piece of code you can NOP out in order to disable the check.

    You can read the ASM code with disassemblers like IDA; although they don't support editing, you can byte-edit the code (just fill the region you want to patch with NOPs) using CFF Explorer.
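The byte-patching step from the answer, as an added example that is not part of the original post and not the asker's binary: a small Python script that builds a constructed minimal 32-bit PE in memory, converts a virtual address of the kind signsrch and IDA print into a file offset through the section table, finds every `call dword ptr [IAT slot]` (`FF 15 disp32`) to a given import, and applies one of two patches: replace the call with `xor eax,eax` plus padding NOPs so the following `test eax,eax` sees "no debugger", or replace the short conditional jump that leads to the exit path with two NOPs. The image base 0x400000, the IAT slots 0x402010 / 0x402014 and the code at 0x401000 are assumptions for the sample only.

```python
"""Locate and patch an IsDebuggerPresent check in a PE file by byte-editing it.

Added example, not the asker's binary or the answerer's code.  The PE built by
build_sample_pe() is constructed for this demo; every address in it is assumed.
"""
import struct

IMAGE_BASE = 0x400000
TEXT_RVA, TEXT_RAW = 0x1000, 0x200          # .text mapped at 0x401000, stored at file offset 0x200
IAT_ISDEBUGGERPRESENT = 0x402010            # assumed IAT slot: call dword ptr [0x402010]
IAT_EXITPROCESS = 0x402014                  # assumed IAT slot for ExitProcess

# Constructed .text bytes with the usual shape of an IsDebuggerPresent check.
SAMPLE_CODE = bytes.fromhex(
    "FF15" "10204000"     # 401000: call dword ptr [0x402010]  ; IsDebuggerPresent
    "85C0"                # 401006: test eax, eax
    "7506"                # 401008: jne  0x401010             ; debugger found -> exit stub
    "B801000000"          # 40100A: mov  eax, 1               ; normal path
    "C3"                  # 40100F: ret
    "6A00"                # 401010: push 0
    "FF15" "14204000"     # 401012: call dword ptr [0x402014]  ; ExitProcess
)


def build_sample_pe(code=SAMPLE_CODE):
    """Assemble a minimal PE32 image (DOS stub, COFF header, optional header, one section)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, len(code), 0, 0,
                      TEXT_RVA, TEXT_RVA, 0x2000, IMAGE_BASE)              # ImageBase at +28
    opt += b"\0" * (0xE0 - len(opt))
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), TEXT_RVA, TEXT_RAW,
                       TEXT_RAW, 0, 0, 0, 0, 0x60000020)
    hdr = dos + coff + opt + sect
    return hdr + b"\0" * (TEXT_RAW - len(hdr)) + code + b"\0" * (TEXT_RAW - len(code))


def parse_sections(pe):
    """Return (image_base, [(virtual_addr, virtual_size, raw_size, raw_ptr), ...])."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                                    # PE32: ImageBase is a DWORD at +28
        image_base, = struct.unpack_from("<I", pe, opt + 28)
    elif magic == 0x20B:                                  # PE32+: ImageBase is a QWORD at +24
        image_base, = struct.unpack_from("<Q", pe, opt + 24)
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sects = []
    for i in range(nsect):
        _, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sects.append((vaddr, vsize, rawsize, rawptr))
    return image_base, sects


def va_to_offset(pe, va):
    """Map a virtual address (as shown by a disassembler) to a file offset for byte-editing."""
    image_base, sects = parse_sections(pe)
    rva = va - image_base
    for vaddr, vsize, rawsize, rawptr in sects:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError("VA %#x is not backed by any section" % va)


def find_iat_calls(pe, iat_slot_va):
    """VAs of every `call dword ptr [iat_slot_va]` (FF 15 disp32) in any section."""
    image_base, sects = parse_sections(pe)
    pattern = b"\xFF\x15" + struct.pack("<I", iat_slot_va)
    hits = []
    for vaddr, vsize, rawsize, rawptr in sects:
        data = pe[rawptr:rawptr + rawsize]
        pos = data.find(pattern)
        while pos != -1:
            hits.append(image_base + vaddr + pos)
            pos = data.find(pattern, pos + 1)
    return hits


def patch_call_to_return_zero(pe, call_va):
    """Replace the 6-byte `call dword ptr [IAT]` with `xor eax,eax ; nop*4` so EAX is 0."""
    off = va_to_offset(pe, call_va)
    if pe[off:off + 2] != b"\xFF\x15":
        raise ValueError("no FF 15 call at %#x" % call_va)
    out = bytearray(pe)
    out[off:off + 6] = b"\x33\xC0\x90\x90\x90\x90"
    return bytes(out)


def patch_nop_jcc(pe, jcc_va):
    """Replace a short conditional jump (opcode 0x70..0x7F, rel8) with two NOPs."""
    off = va_to_offset(pe, jcc_va)
    if not 0x70 <= pe[off] <= 0x7F:
        raise ValueError("no short Jcc at %#x" % jcc_va)
    out = bytearray(pe)
    out[off:off + 2] = b"\x90\x90"
    return bytes(out)


if __name__ == "__main__":
    pe = build_sample_pe()
    calls = find_iat_calls(pe, IAT_ISDEBUGGERPRESENT)
    print("IsDebuggerPresent call sites:", [hex(c) for c in calls])
    patched = patch_call_to_return_zero(pe, calls[0])
    print("bytes at call site:", patched[va_to_offset(patched, calls[0]):][:6].hex())
```

Two points worth keeping in mind when doing this by hand in CFF Explorer. First, the call is replaced with `xor eax,eax` rather than six plain NOPs because the `test eax,eax` that follows would otherwise read whatever EAX held before the call; the jump-NOP variant sidesteps that by removing the branch to the exit path instead. Second, IsDebuggerPresent only reads the BeingDebugged byte in the PEB, so a program can perform the same check inline without importing the function, and signsrch reports where its signature matched, which need not be the call site; confirm the actual call and the branch in the disassembler before patching.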