Table of Contents Breakpoints as a order Int 3 as a order Memory as a order Hardware as a order Timing Attacks as a order RDTSC as a order Win32 Timing APIs as a order Windows Internals as a order ProcessDebugFlags as a order Debug Object Handle as a order Thread Hiding as a order BlockInput as a order OutputDebugString as a order Process Exploitation as a order Open Process as a order Parent Processes as a order Self-Debugging as a order UnhandledExceptionFilter as a order NtQueryObject as a order Anti-Dumping as a order Nanomites as a order Stolen Code (Stolen Bytes) as a order SizeOfImage as a order Virtual Machines as a order Guard Pages as a order Removing the PE Header as a order IA-32 Instruction Exploits as a order Interrupt 2D as a order Stack Segment as a order Instruction Prefixes as a order OllyDBG Specific as a order FindWindow as a order OutputDebugString Exploit as a order WinDBG Specific as a order FindWindow as a order Other Techniques as a order Junk Code as a order Native Code Permutations as a order Introduction In my above-named article, I gave a minuscule introduction into some Anti-Debugging/Debugger Detection techniques that generally concerned the utter of Win32 API functions. In this article, I devise to excursions a fix deeper into the attractive age of rescind engineering and excursions some more midway be unscheduled techniques in behalf of annoying rescind engineers. Some comments in my above-named article notable that the techniques I presented could, and are most of the one of these days, patently bypassed sinker midway be unscheduled reversers; alone expression I would like to for is that there is an developing duel between the coders who come to maturity programs that protect against cracking and rescind engineering and the engineers themselves. Every one of these days the protectors freedom a imaginative standard operating procedure, the engineers horsewhip upon a manner approximately that unsurpassed to method. This is the driving stretch behind the cracking scene and anti-reverse engineering fields. I’m presenting these methods here to share out the adeptness, and dialect mayhap arouse others to horsewhip upon ways to roster these methods and utilize them in imaginative and prototypical ways that to incontrovertibly concurrent methodology. Most of the techniques here can patently be bypassed, and some of the others aren’t as patently enchanted unfashionable of the picture; extent, all of them can in alone manner, express, or decorum be bypassed.
Background Anyone who is interested in the addict of rescind engineering needs a qualified empathy of Assembly diction, so if your ASM is a glimpse rusty or if you’re by a hair’s breadth age alone to learn, here are some sites that can pillar: Introduction to Assembly Language as a order IA-32 Instruction Reference as a order Iczelion’s Win32 Assembly Homepage as a order Inline Functions I didn’t experience this side note required its own section; extent, when reading this article or the viva voce in behalf of well-spring, alone on announce the functions being unmistakable inline. While this can bring on bloat better an executable, it is huge in anti-reverse engineering. If there are bloody particularized utter entries and sections, then the area in behalf of the rescind flourish by a hair’s breadth got much easier. When in-lining, this doesn’t befall, and the flourish is dispassionate guessing as to what is faithfully compelling city. Now, he or she knows markedly what is compelling city when that utter is called.
Breakpoints There are three types of breakpoints usable to a rescind flourish: armaments, memorial, and INT 3h breakpoints. Breakpoints are element to a rescind flourish, and without them, persevere examination of a module does him or her glimpse effects. Breakpoints grade in behalf of the stopping of standard operating procedure of a program at any facet where alone is placed. In in correctness, this is in all likelihood the most utilized standard operating procedure in cracking, the no more than battle would be a referenced workbook settle someone for a ride search. By utilizing this, rescind engineers can abide breakpoints in areas like Windows APIs, and can bloody patently horsewhip upon where a badboy dispatch (a messagebox saying you entered a evil serial, in behalf of example) is coming from. This is why breakpoint checks are done during the course of huge APIs like MessageBox, VirtualAlloc, CreateDialog, and others that monkeyshines an huge blame in the protecting consumer poop proceeding. The initially castigation on comforter the most common-or-garden make category of breakpoint which utilizes the INT 3h instruction. as a order INT 3 INT 3h breakpoints are represented in in the IA-32 instruction confront with the opcode CC (0xCC).
Detecting this category of breakpoint is rather uninvolved, and some well-spring would look like the following representation. This is the most common-or-garden make air of this category of breakpoint; extent, it can also be expressed as the byte course 0xCD 0×03 which can bring on some troubles. However, we should be unbending because using this method of scanning can make to treacherous positives.