
View Full Version : Antidebuglib


squidge
February 22nd, 2008, 16:31
http://www.antidebuglib.com

Anyone played with this yet? What led me to this is that the author posted an article here: http://www.codeproject.com/KB/security/antidebuglib.aspx and he states "nobody can crack the software protected by my solution because no debugger can be executed at the same time". His solution is a ring 0 driver and PE encryptor called "Eagle Protector".

Sounds very much like some other protectors that people complain about.

Sab
February 22nd, 2008, 18:31
If his antidebug library is as complex as his English, it will be impossible to reverse engineer. Will check it out. Thx for the post.

blabberer
February 24th, 2008, 12:41
haha, probably someone deBUGGED it out of codeproject

Quote:

The article you want to view was deleted at 9:28 23 Feb '08. Please go to Cryptography & Security to view the list of available articles in this section

squidge
February 24th, 2008, 12:51
Well, he did seem to have a certain amount of hate mail in the comments section, so maybe an admin deleted it. It was clearly an advert for his site.

I wonder who'll be the first person to write an unpacker

Kayaker
February 24th, 2008, 13:54
So tell me.. there are several "Awards" from shareware download sites for this protector, 5/5, 5 stars, Editors Pick,... WOW it must be good!

So presumably the Editor from downloadatoz.com for example must have used his crack team of reverse engineers to assess the quality of this product as a protector in order to give it his personal 5 star rating, right? It can't be snake oil else they wouldn't give it that rating, right?

squidge
February 24th, 2008, 14:28
He probably was going to, until the author told him "nobody can crack the software protected by this", at which point he decided to just give the software his best award and walk away. After all, it's pointless trying to do the impossible, right?

tofu-sensei
February 24th, 2008, 16:13
Quote:
[Originally Posted by Kayaker;72941]So tell me.. there are several "Awards" from shareware download sites for this protector, 5/5, 5 stars, Editors Pick,... WOW it must be good!

http://successfulsoftware.net/2007/08/16/the-software-awards-scam/
yeah...

armaked0n
February 24th, 2008, 17:38
I just made a quick overview: it hooks (inline) some APIs from ntoskrnl.exe and thus blocks the debugger. Looks interesting, but IMO it's not unbreakable.

Nico
February 24th, 2008, 22:27
Well, if they think a driver can prevent people from debugging their app, they are rather naive.

I tried to pack a file using their PE eagle whatever, and this file won't run if the driver isn't installed etc.

Then I fired up my debugger and ran the file in my packer sandbox (I removed some of the info). Then I scripted a little unpacker, and I managed to dump the protected file and to rebuild it, so it was working without problems: no more protector, imports reconstructed.

So I just hope the trial version is limited, which I sort of doubt, seeing how long it took to protect a simple file..
But their hooking didn't affect my debugger.. I could find the entry point of their files too without problems.. then I didn't bother trying to unpack them, since they prolly use the lib which replaces the libc with their own functions.. I don't have time to bother with this, but I wanted to test if the packer is debugger proof, and it's clearly not.

I can debug the file easily.

Now, this packer is based heavily on Yoda's source; look at the last exception handler:

.eagle:0101748D
.eagle:0101748D public start
.eagle:0101748D start proc near
.eagle:0101748D
.eagle:0101748D arg_8 = dword ptr 10h
.eagle:0101748D
.eagle:0101748D push ebp
.eagle:0101748E mov ebp, esp
.eagle:01017490 push edi
.eagle:01017491 db 36h
.eagle:01017491 mov eax, [ebp+arg_8]
.eagle:01017495 db 3Eh
.eagle:01017495 mov edi, [eax+0C4h]
.eagle:0101749C db 3Eh
.eagle:0101749C push dword ptr [edi]
.eagle:0101749F xor edi, edi
.eagle:010174A1 pop dword ptr fs:[edi]
.eagle:010174A4 db 3Eh
.eagle:010174A4 add dword ptr [eax+0C4h], 8
.eagle:010174AC db 3Eh
.eagle:010174AC mov edi, [eax+0A4h]
.eagle:010174B3 rol edi, 7
.eagle:010174B6 db 3Eh
.eagle:010174B6 mov [eax+0B8h], edi
.eagle:010174BD mov eax, 0
.eagle:010174C2 pop edi
.eagle:010174C3 leave
.eagle:010174C4 retn
.eagle:010174C4 start endp

You clearly recognize the original Yoda's Cryptor code.. seeing the number of exceptions, it's prolly based on Yoda's Protector.
They didn't even change the ROL value, nor the register used for that.. C'mon!

Here is a little trace from my debugger:

Packer SandBox
-------------------------------------------
Exception number: 1
Exception at EIP: 7FC06
SEH handler at: 101488E
Exception Code: C0000005
-------------------------------------------
EAX: FFFFFFFF
EBX: FFFFFFFF
ECX: 1014881
EDX: 7C9137D8
ESI: 0
EDI: 0
EIP: 7FC06
ESP: 7FBE8
EFLAGS: 10246
-------------------------------------------
Exception number: 2
Exception at EIP: 7F82C
SEH handler at: 101489B
Exception Code: C0000096
-------------------------------------------
EAX: 1
EBX: 1
ECX: 101488E
EDX: 7C9137D8
ESI: 0
EDI: 0
EIP: 7F82C
ESP: 7F810
EFLAGS: 10202
-------------------------------------------
Exception number: 3
Exception at EIP: 7F45E
SEH handler at: 10148A8
Exception Code: C0000005
-------------------------------------------
EAX: F9
EBX: 1
ECX: 101489B
EDX: 7C9137D8
ESI: 0
EDI: 0
EIP: 7F45E
ESP: 7F440
EFLAGS: 10246
-------------------------------------------
Exception number: 4
Exception at EIP: 7F086
SEH handler at: 10148F0
Exception Code: C0000005
-------------------------------------------
EAX: 0
EBX: 0
ECX: 10148A8
EDX: 7C9137D8
ESI: 0
EDI: 0
EIP: 7F086
ESP: 7F064
EFLAGS: 10246
-------------------------------------------
Exception number: 5
Exception at EIP: 1017731
SEH handler at: 101748D
Exception Code: C0000005
-------------------------------------------
EAX: 0
EBX: 3A0200E7
ECX: 10159D5
EDX: 10159EC
ESI: 1016DFF
EDI: 1016F11
EIP: 1017731
ESP: 7EBAC
EFLAGS: 10246
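
The handler Nico disassembled is a plain x86 SEH handler, so its third argument ([ebp+10h], IDA's arg_8) is the faulting thread's CONTEXT, and the offsets it touches are the Win32 x86 CONTEXT fields Ebx (0A4h), Eip (0B8h) and Esp (0C4h). Modelled in C, it does three things: it unlinks the SEH record the stub pushed by copying the "prev" dword at [Esp] back into fs:[0], it drops that record from the stack (Esp += 8), and it sets Eip to ROL(EBX, 7). The block below is an added example, not code from the protector or from Nico's sandbox; it replays exception 5 of the trace (handler 101748D is this start proc, EBX was 3A0200E7, ESP was 7EBAC) and gets a resume address of 0100739Dh, back in the low part of the image rather than in .eagle, which is consistent with this last handler being the one that hands control to the unpacked program. The contents of the SEH record at [ESP] are not in the trace, so the prev link is assumed to be the end-of-chain marker 0FFFFFFFFh, and the 16-dword stack window is a modelling choice.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Only the CONTEXT fields the handler touches are modelled. The offsets come
 * straight from the disassembly (0A4h, 0B8h, 0C4h); in the Win32 x86 CONTEXT
 * those are Ebx, Eip and Esp. Everything else is padding. */
typedef struct {
    uint8_t  pad0[0xA4];
    uint32_t Ebx;                    /* +0xA4 */
    uint8_t  pad1[0xB8 - 0xA8];
    uint32_t Eip;                    /* +0xB8 */
    uint8_t  pad2[0xC4 - 0xBC];
    uint32_t Esp;                    /* +0xC4 */
    uint8_t  pad3[0xCC - 0xC8];
} x86_context_t;

_Static_assert(offsetof(x86_context_t, Ebx) == 0xA4, "Ebx offset");
_Static_assert(offsetof(x86_context_t, Eip) == 0xB8, "Eip offset");
_Static_assert(offsetof(x86_context_t, Esp) == 0xC4, "Esp offset");

/* Simulated thread: the SEH chain head (fs:[0]) and a window of its stack. */
#define STACK_WORDS 16
typedef struct {
    uint32_t fs0;                    /* what fs:[0] holds */
    uint32_t stack_base;             /* virtual address modelled by stack[0] */
    uint32_t stack[STACK_WORDS];     /* dwords at stack_base, +4, +8, ... */
} thread_t;

uint32_t rol32(uint32_t v, unsigned n)
{
    n &= 31;
    return n ? (v << n) | (v >> (32 - n)) : v;
}

/* The handler, instruction by instruction (arg_8 = ContextRecord):
 *   push dword ptr [edi] / pop fs:[0], with edi = Context.Esp
 *       [Esp] is the "prev" link of the SEH record the stub pushed before
 *       faulting, so this unlinks that record from the chain;
 *   add dword ptr [Context.Esp], 8
 *       drop the two-dword record (prev, handler) from the stack;
 *   mov edi, Context.Ebx / rol edi, 7 / mov Context.Eip, edi
 *       resume execution at ROL(EBX, 7);
 *   mov eax, 0 / retn
 *       ExceptionContinueExecution.
 * Returns the handler's return value (0) and leaves the effects in t and ctx;
 * -1 means the simulated Esp lies outside the modelled stack window. */
int eagle_seh_handler(thread_t *t, x86_context_t *ctx)
{
    if (ctx->Esp < t->stack_base || (ctx->Esp - t->stack_base) / 4 >= STACK_WORDS)
        return -1;
    t->fs0 = t->stack[(ctx->Esp - t->stack_base) / 4];  /* restore previous fs:[0] */
    ctx->Esp += 8;                                      /* pop the SEH record */
    ctx->Eip = rol32(ctx->Ebx, 7);                      /* decode the resume address */
    return 0;
}

/* Replay exception 5 from the trace: handler 101748D (the start proc),
 * EBX = 3A0200E7, ESP = 7EBAC. The SEH record at [ESP] is not in the trace:
 * the prev link is ASSUMED to be the end-of-chain marker 0FFFFFFFFh, the
 * handler dword is the one the trace reports. Returns the resume Eip. */
uint32_t replay_exception_5(thread_t *t, x86_context_t *ctx)
{
    memset(t, 0, sizeof *t);
    memset(ctx, 0, sizeof *ctx);
    t->stack_base = 0x7EBA0;
    t->stack[3] = 0xFFFFFFFFu;       /* [7EBAC]: prev link (assumed) */
    t->stack[4] = 0x0101748Du;       /* [7EBB0]: handler, from the trace */
    t->fs0 = 0x7EBAC;                /* chain head points at that record */
    ctx->Ebx = 0x3A0200E7u;
    ctx->Esp = 0x7EBAC;
    ctx->Eip = 0x01017731u;          /* faulting EIP from the trace */
    if (eagle_seh_handler(t, ctx) != 0)
        return 0;
    return ctx->Eip;
}

int main(void)
{
    thread_t t; x86_context_t ctx;
    uint32_t eip = replay_exception_5(&t, &ctx);
    printf("resume at %08X, Esp %05X, fs:[0] %08X\n",
           (unsigned)eip, (unsigned)ctx.Esp, (unsigned)t.fs0);
    return 0;
}
```

The practical consequence for an unpacker is the one Nico's dump relies on: nothing in this handler depends on a debugger being absent, so a sandbox that logs each exception and then applies the same register transform recovers the next stage's address without executing the stub at all. Note also that the resume address is a pure function of EBX, which is why a changed ROL constant or register would be the first thing a forked protector alters.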

Daniel Pistelli
February 25th, 2008, 09:36
It's funny I received a spam email from them like a year ago. And already made fun of them with a friend of mine.

The protection is laughable. It only works on XP and Server 2003 (32-bit) and it doesn't work with DLLs generated by Visual Studio 2005. Their site is "American style", but if you whois the domain you'll find out that their location is in China, which explains a lot of things.

I don't care what they're stating. They're not selling many protections imho, even with all that spam. But exposing them is not bad, although I don't think it'll be a hard task.

Oh, btw:

Quote:
So tell me.. there are several "Awards" from shareware download sites for this protector, 5/5, 5 stars, Editors Pick,... WOW it must be good!


Na, these aren't true awards. It's just a link exchange. Those anonymous sites give out their awards to anyone. They just wanna be linked to increase page ranks.

Nico
February 25th, 2008, 10:22
They don't support DLLs at all, I believe. This protector is a joke; the only fun feature I could see is replacing the libc with their own lib, but I haven't checked how they implemented that.

Regarding the awards, he was being sarcastic ;-)

Daniel Pistelli
February 25th, 2008, 10:26
Sorry, I'm a bit in a hurry, I was skimming through the text without reading properly. The page states it supports VC++ 6 DLLs. Maybe it's not true.

As for the libc, check that out. Maybe it's the libc I wrote for codeproject (you can find it there) or maybe Matt Pietrek's one. =)

Nico
February 25th, 2008, 10:31
You are right about the DLLs; they claim to support VC++ 6 DLLs. I will have a look at the libc implementation, I wonder

I imagine it as a code splicing feature, with the same weaknesses anyway.. but I will have a look later

OHPen
February 26th, 2008, 05:34
I'm really angry about this shit lib. After reading this thread I installed the lib and started playing with it. Since it was not very interesting I stopped playing with it and forgot about the lib.
A few days later I continued coding on a project of mine and discovered a strange problem: I was not able to use int3 and int1.

Luckily a colleague told me something about GMER, a nice tool to detect rootkits and hidden stuff. I scanned my computer with it and I found int3 and int1 hooked by giglly.sys, the driver of antidebuglib.

In my opinion it's really annoying to hook int 1 and int 3 globally without making a difference who is triggering the interrupt.
This library can be dangerous.

blah.

regards,

OHPen
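
Two kinds of hook have now been named in this thread: armaked0n's inline patches on ntoskrnl.exe exports and the global int 1 / int 3 hooks GMER showed OHPen in giglly.sys. Both are found the same way: resolve where a handler actually points and check whether that address lies inside the kernel image. The block below is an added example of that check, not GMER's code and not anything from antidebuglib. In a driver you would read the IDT base with sidt and the function bytes from the mapped kernel; here a four-entry IDT and two function prologues are constructed in-process so it runs anywhere. The kernel range (804D7000h) and the driver addresses (F8A3Cxxxh) are hypothetical values chosen for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A 32-bit IDT gate descriptor exactly as it sits in memory (8 bytes). */
typedef struct {
    uint16_t offset_low;    /* handler address bits 0..15 */
    uint16_t selector;      /* kernel code segment selector */
    uint8_t  zero;
    uint8_t  type_attr;     /* present, DPL, gate type */
    uint16_t offset_high;   /* handler address bits 16..31 */
} idt_gate32_t;

typedef struct { uint32_t base, size; } image_range_t;

uint32_t gate_handler(const idt_gate32_t *g)
{
    return ((uint32_t)g->offset_high << 16) | g->offset_low;
}

bool in_image(uint32_t addr, const image_range_t *img)
{
    return addr >= img->base && addr - img->base < img->size;
}

/* Report every vector in `vectors` whose gate does not point into the kernel
 * image. Returns the number found and writes them to `hooked` (cap entries). */
size_t find_hooked_vectors(const idt_gate32_t *idt, size_t n_gates,
                           const image_range_t *kernel,
                           const uint8_t *vectors, size_t n_vectors,
                           uint8_t *hooked, size_t cap)
{
    size_t found = 0;
    for (size_t i = 0; i < n_vectors; i++) {
        uint8_t v = vectors[i];
        if (v >= n_gates) continue;
        if (!in_image(gate_handler(&idt[v]), kernel) && found < cap)
            hooked[found++] = v;
    }
    return found;
}

/* Inline-hook check for a function at virtual address `addr` whose first
 * bytes are in `code`: recognises the two trampolines inline hooks use,
 * "jmp rel32" (E9) and "push imm32; ret" (68 .. C3), and returns where they
 * land, or 0 when the prologue is not a trampoline. The caller then applies
 * the same in_image() test as for IDT gates. */
uint32_t inline_hook_target(const uint8_t *code, size_t len, uint32_t addr)
{
    if (len >= 5 && code[0] == 0xE9) {
        int32_t rel; memcpy(&rel, code + 1, 4);
        return addr + 5 + (uint32_t)rel;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        uint32_t target; memcpy(&target, code + 1, 4);
        return target;
    }
    return 0;
}

/* ---- constructed sample below, not data read from a real machine ---- */
idt_gate32_t make_gate(uint32_t handler)
{
    idt_gate32_t g = { (uint16_t)handler, 0x08, 0, 0x8E, (uint16_t)(handler >> 16) };
    return g;
}

/* Hypothetical ntoskrnl range. Vectors 1 and 3 are pointed at a driver far
 * above it (as GMER reported for giglly.sys); vectors 0 and 2 stay in the kernel. */
static const image_range_t sample_kernel = { 0x804D7000u, 0x001F8000u };
const image_range_t *sample_kernel_range(void) { return &sample_kernel; }

size_t build_sample_idt(idt_gate32_t *idt, size_t cap)
{
    const uint32_t handlers[4] = { 0x804DF3A0u, 0xF8A3C120u, 0x804DF4C0u, 0xF8A3C2B0u };
    size_t n = cap < 4 ? cap : 4;
    for (size_t i = 0; i < n; i++) idt[i] = make_gate(handlers[i]);
    return n;
}

int main(void)
{
    idt_gate32_t idt[4];
    size_t n = build_sample_idt(idt, 4);
    const uint8_t want[] = { 1, 3 };
    uint8_t hooked[2];
    size_t h = find_hooked_vectors(idt, n, &sample_kernel, want, 2, hooked, 2);
    for (size_t i = 0; i < h; i++)
        printf("int %u -> %08X is outside ntoskrnl\n",
               (unsigned)hooked[i], (unsigned)gate_handler(&idt[hooked[i]]));

    /* "jmp rel32" at 805A0000h landing in the driver, versus a clean prologue */
    const uint8_t patched[5] = { 0xE9, 0x1B, 0xC1, 0x49, 0x78 };
    const uint8_t clean[5]   = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
    printf("patched -> %08X, clean -> %08X\n",
           (unsigned)inline_hook_target(patched, 5, 0x805A0000u),
           (unsigned)inline_hook_target(clean, 5, 0x805A0000u));
    return 0;
}
```

The range test is deliberately the only criterion: an ntoskrnl function that jumps within ntoskrnl is not flagged, and a gate that points at the kernel but has had its handler body patched is not caught by the IDT pass, which is why a scanner runs both checks. The prologue walk also has to know the function's real address, since the E9 target is relative; passing the on-disk file offset instead of the mapped address gives a meaningless target.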

Daniel Pistelli
February 26th, 2008, 05:42
Well, such things should be installed on VMware and not on your operating system (I mean, if there aren't anti-VM checks).

But anyway, ring 0 protections are out of date and cannot be trusted. No serious software producer would use one.

I wonder if they sold one, and I mean literally one, license of that over-priced buggy unreliable protection. I really would be surprised if they did.

evlncrn8
February 26th, 2008, 06:32
Quote:
[Originally Posted by Daniel Pistelli;72976]But anyway ringzero protections are outofdate and cannot be trusted. No serious software producer would use one.


erm.. StarForce uses ring 0 protection.... sure, it's got a lot of shit for it, but I would consider them a 'serious software producer'...

Daniel Pistelli
February 26th, 2008, 07:07
I meant people who use such a protection. StarForce is a protection not only for PCs; they offer many solutions, even for embedded devices. I've never encountered StarForce because I don't play games (and I guess it's used mainly for that) and I use x64 systems. Ring 0 protections are unlikely to have x64 compatibility, since things that could be done on x86 (SDT hooking, kernel patching etc.) are no longer possible (if you notice, I wrote "out of date"). That's why serious protection makers like the ones who wrote Themida abandoned the ring 0 idea and focused on other things, like internal virtual machine protection etc. The Oreans virtual machine can protect even x64 drivers. The evolution of modern operating systems goes rather in the opposite direction of ring 0 protections. It's true, StarForce added x64 support, but I wonder how it works, and still, does it work on Itanium? I don't think so. A protection that limits the requirements of an application is to be considered an unprofessional one, imho. It can only be tolerated if the software has to run on a very limited number of PCs.

And if you read articles like:

http://www.gamespot.com/news/6147655.html

The biggest client of StarForce dumped it due to the problems the customers of their games were having with that protection.

And I quote from wikipedia:

Quote:
CDV, Ubisoft, Digital Jesters (now defunct), JoWooD, Egosoft, Codemasters, Eagle Dynamics, Midway Games, and Bohemia Interactive Studio have used StarForce 3.0 on some of their products.

However, Ubisoft and JoWooD announced in 2006 that their games would no longer use StarForce, citing "problems with StarForce's software".[14] CDV also announced that they were dropping StarForce for all future games in May 2006 in favor of the TAGES copy prevention system, citing customer complaints.


That's exactly what I meant. They're losing their clients because the protection is unprofessional. And come on! Games aren't THAT professional in the first place, even if it's a huge business. We're not talking about Photoshop or things like that.

Nico
February 26th, 2008, 07:56
Quote:
[Originally Posted by OHPen;72975]I was not able to use int3 and int1.

Luckily a colleague told me something about GMER, a nice tool to detect rootkits and hidden stuff. I scanned my computer with it and I found int3 and int1 hooked by giglly.sys, the driver of antidebuglib.

In my opinion it's really annoying to hook int 1 and int 3 globally without making a difference who is triggering the interrupt.
This library can be dangerous.


Yes, GMER is a cool utility. I use it often when researching malware.

Well, hooking int 1 and int 3 _only_ to block debuggers is naive and only stops wannabes.

A VM would be a lot more effective, considering it took me a couple of minutes to debug this and make working dumps.

evlncrn8
February 26th, 2008, 14:01
Quote:
[Originally Posted by Daniel Pistelli;72980]That's exactly what I meant. They're losing their clients because the protection is unprofessional. And come on! Games aren't THAT professional in the first place, even if it's a huge business. We're not talking about Photoshop or things like that.


They are losing their clients because some of their clients ended up getting a class-action lawsuit thrown at them from people who had StarForce issues; as a result the clients dropped StarForce... If you're going to cite something, at least research the full picture... Wikipedia isn't always 'accurate'.

As for 'games aren't that professional', I guess you are unaware of the amount of money the games industry generates... and what defines it being professional?

R0 protection, though, is hopefully a thing of the past... and it should remain that way...

Daniel Pistelli
February 26th, 2008, 14:32
Quote:
They are losing their clients because some of their clients ended up getting a class-action lawsuit thrown at them from people who had StarForce issues; as a result the clients dropped StarForce... If you're going to cite something, at least research the full picture... Wikipedia isn't always 'accurate'.


Yes, and what's the difference? They're not using StarForce because game players had problems with it.

I wrote:

Quote:
The biggest client of starforce dumped it due to the problems the customers of their games are having with that protection.


I don't really see the difference between what I said and what you said.

I also said that games are a huge business (have you read that?), but a game is a game. No one's work depends on it. And yes, I think that if I buy a software and this software won't work because of its protection, well to me THAT IS unprofessional. And this is my personal opinion, you might disagree.

Quote:
r0 protection though is hopefully a thing of the past... and it should remain that way


And that's the main point. R0 protections are out of date. They can be tolerated only for software which runs on a limited number of computers. It simply is unacceptable to buy something that doesn't work on your system because of its protection.

evlncrn8
February 27th, 2008, 01:36
The difference is that the clients dropped StarForce because they were legally advised to do so, as any further 'partnership' with them could cause problems defending themselves in court against the class-action lawsuit.... So they didn't drop StarForce because of the customers having protection problems; it was a legal 'move'.. not really related to the customers, but to their own defence (ie: create a distance between client and StarForce)..

Daniel Pistelli
February 27th, 2008, 05:53
I see. Thanks for the info.

NeOXOeN
February 28th, 2008, 15:07
Since he hooks int 1 and int 3 globally, the debugger doesn't always stop at the EP (referring to Olly)... he thinks he can stop debugging.

But with a little bypass it works :P

Nico
February 28th, 2008, 17:45
Just put a jmp eip somewhere, run it, attach your debugger and it should work, if this is the problem.

I don't know, I didn't use any standard debugger.