MetaEditor is used as an IDE integrated into MetaTrader. The binary is statically obfuscated, for which the below section are used:
.cod0.cod1.cod2.reloc
The executable is standalone, only loads system DLLs initially.
I'm using x32dbg.
Register and download MetaTrader 4 and remove ASLR from metaeditor.exe binary for ease of use.
- Set a conditional breakpoint in the obfucated code loop:
| RVA | Condition |
|---|---|
| 0xD75F91 | $breakpointcounter==E8F5 |
Wow64Transitiongets called at 0x77A38A90 (win32u.dll).- Message box appears at 0x779A7000:
A debugger has been found running in your system.
Please, unload it from memory and restart your program.
Although IsDebuggerPresent is in the import list, it does not get called until this point.