View Full Version : heh, on the subject of anti debugging....


Lord Soth
November 29th, 2000, 18:58
I've read the anti-debugging thread that Kayaker started very thoroughly, and it was interesting, I might say.

Anyway, I've recently encountered a good CD protection. What do I mean by good? Well, aside from the obvious digital signature that is used to decrypt the file, this protection makes use of SMC extensively, and when I say extensively I mean you can hardly figure anything out until it happens!

BTW, the protection is one of the latest TTR DiscGuards. I've been fiddling with it a bit (time constraints) but I wasn't able to overcome the anti-debugging stuff. There are several simple anti-debugging things going on, like trying to load siwvid (I hope I spelled that right hehe), an int 68h and a MeltICE.. However, there is one other thing that also affects TRW2K. The program will not complain about a debugger present, but will rather just crash itself. Now this doesn't happen when you don't have a debugger running, so I assume there is some anti-D check I'm not aware of, one that FrogsICE might possibly have missed (I dread the thought... heh).

Now, due to the nature of the SMC in the program, it's very, very hard to actually trace through code, hence making the use of clever BPs a necessity. I'll figure it out eventually, hopefully, unless my brain overloads and fries first.

OK, enough rambling, go back to doing whatever you were doing heh

LS

PS.
How do you guys put those symbols in the body of the post as well? I know it's dumb, but that's the way I am after all :-)
(don't nobody dare quote me on this one hehe)

Cyas

risc
November 30th, 2000, 00:15
did you say discguard? tell us the name of the game please.

nothing follows which will be of any help to you. i apologise now for the crap i speak :\

i experienced discguard once on colin mcrae rally. never figured out the anti debugging code.. it would go into an almost continuous loop checking the cd if a debugger was present, then crash about 60 seconds later (after bypassing the 'regular' softice checks)

but all this crap was done in one call, which if i stepped over without executing it, would bypass the detection/crash and the program would run fine.. (well, almost fine as it didn't like my 36x cd rom and always reckoned i had a pirate cd)

Kayaker
November 30th, 2000, 02:09
And a good subject it is

There's a Delphi Anti-debugging component called ADP Component I was wondering if anyone has come across, available at
http://Antidebug.ifrance.com

The author says it "defeat most debuggers & monitors as WDasm32, SoftIce, TRW 2000, Turbo Debugger, Sourcer, FileMon, ExeSpy, ResSpy, RegMon, Win-eXpose-Registry, Universal unpacker Procdump.

Improved Antidebugging Tricks & Anti SoftIce improved
- Added Anti-FrogsICE
- Added some Anti-Monitors (as FileMon, RegMon,ExeSpy,ResSpy,Windows Detective,...)
- Added some Anti-MemEditors (as Memory Doctor, Memory Editor, MemSpy, MemMonitor)
- Added Property Anti_Procdump (Protect your soft against Procdump Unpacker, for register users)
- Added Property Kill_Debuger (When ADP found debugger in memory, halt it)
- Added Property Stop_Execution (If a debugger or monitor is in memory, your program is stopped)
- Added Eventment If_DebugerFound (You can make false Keygen for wrong way for Cracker)
- Added Eventment If_Monitor_Found (Enter false informations in registry for example)

Now this guy's even saying his component is Anti-FrogsICE!!

Are we going to stand for this ? ^_^

Actually, if anyone HAS Delphi 3, 4 or 5 and can program a little Crack-me with it, even if it still includes the shareware registration nag, it might make a fun project...

(Shhh! He might be reading this right now)

Regards,

Kayaker

Spath.
November 30th, 2000, 04:11
> There's a Delphi Anti-debugging component called ADP Component
> I was wondering if anyone has come across, available at

Yes, this component is just a collection of old tricks,
and the author has quite bad manners (he almost got banned
from some borland newsgroups for advertising spam).
Last time we checked, FrogsICE was able to handle it
without any problem.

Regards,

Spath.

Kayaker
November 30th, 2000, 04:49
That's interesting Spath (and good to hear). By any chance do you know of any specific program which might use this protection? Purely out of academic interest of course you understand

Spath.
November 30th, 2000, 18:52
I have never seen it used in a real program,
some guy made a crackme for us. Try asking
FP if he still has it.

Spath.

Lord Soth
November 30th, 2000, 18:59
Let me share something with ya.

I've cracked DiscGuard once as well, but it was a fairly lame crack. The game I cracked back then is IAF (Israeli Air Force). It did check for the original CD, but you could fool it somehow. It sought all CD drives in the machine and tried the verification on each. What I did was let it think that the HD is in fact a CD (changing the GetDriveType return value from 5 to 3 hehe), and it automatically returned an error saying there was no CD (hence I skipped the big delay..). Then I was presented with a dialog with the error code telling me to ask the company what to do (and get an activation code..). I decided to try my luck with the dialog, and sure enough the code verification routine was stupid. heh, I even managed to remove the dialog completely, making it think I entered the right code. Apparently, as it seemed, the digital sig on the CD was never required for the game to run, but this is not the case with my new project.

BTW, the anti-D trick that was used back then was MeltICE with CreateFileA, plain and simple.

Now I don't know if you'll recognize this new game, but it's something called: Play with the Teletubbies.
LOL
It's a BBC production, and the CD was made in Israel too, as the prog is in Hebrew. (no, I'm not doing this for myself, I don't know the 1st thing about those damn tubbies)
;-)

Now, what is happening in this one is the whole DLL the code is executing in is totally encrypted and self-modifying. For example, if it wants to call an API, doesn't matter which, it'll take some bytes off someplace, do some calculations on them, push it to the stack and ret. I found this to be an API because the value pushed on the stack looked suspicious. Programs don't usually do a ret in order to jump to someplace at bfffxxxx and above. It also features many, many junk jumps so that you'll have to trace forever.

In any case, I've tried all FrogsICE's AD options to find out why it crashes when a debugger is present (no matter which), and not when a debugger is not present. I'm basically clueless at this point, but I might have an idea or two soon and I'll probably go in and do some exploratory surgery.

In the meantime, have fun all

Soth

PS.
risc, if you're really interested in this,
mail me.
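An added example, not part of the thread or of any poster's tools: a small static triage scanner for the `push <value>; ret` call pattern Lord Soth describes in the post above, which an analyst can run over a dumped code region to list candidate obfuscated API calls before setting breakpoints. It flags `push imm32; ret` pairs whose target lands in the system DLL region and `push r32; ret` pairs whose target was computed at runtime. The threshold 0x80000000 is an assumption drawn from the Win9x memory layout (shared system DLLs such as KERNEL32 live in the upper half of the address space, which is why the poster saw targets at bfffxxxx); the sample bytes are constructed for the demonstration, not taken from the game.

```python
import struct
from typing import List, NamedTuple, Optional

# Assumed (not from the post): on Win9x, shared system DLLs are mapped into the
# upper 2 GB, so a push/ret target at or above this value is a strong hint that
# the pair is an obfuscated API call rather than a local jump.
SYSTEM_DLL_REGION = 0x80000000

PUSH_IMM32 = 0x68
RET = 0xC3
PUSH_REG = range(0x50, 0x58)  # push eax .. push edi
REG_NAMES = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


class PushRet(NamedTuple):
    offset: int              # offset of the push within the scanned buffer
    kind: str                # "imm" (immediate target) or "reg" (computed target)
    target: Optional[int]    # decoded target, known only for push imm32
    detail: str              # human-readable description for the triage list


def find_push_ret(code: bytes) -> List[PushRet]:
    """Return every `push imm32; ret` and `push r32; ret` pair found in `code`.

    This is a linear byte scan, not a disassembler, so a hit inside data or in
    the middle of a longer instruction is possible; treat results as leads to
    confirm in the debugger, not as ground truth.
    """
    hits: List[PushRet] = []
    i, n = 0, len(code)
    while i < n:
        op = code[i]
        # 68 xx xx xx xx C3 : push imm32 ; ret
        if op == PUSH_IMM32 and i + 5 < n and code[i + 5] == RET:
            target = struct.unpack_from("<I", code, i + 1)[0]
            where = "system DLL region" if target >= SYSTEM_DLL_REGION else "low/user region"
            hits.append(PushRet(i, "imm", target, f"push 0x{target:08X}; ret -> {where}"))
            i += 6
            continue
        # 50..57 C3 : push r32 ; ret  (value was computed at runtime, as the SMC does)
        if op in PUSH_REG and i + 1 < n and code[i + 1] == RET:
            reg = REG_NAMES[op - 0x50]
            hits.append(PushRet(i, "reg", None, f"push {reg}; ret (computed target)"))
            i += 2
            continue
        i += 1
    return hits


def suspicious_api_calls(code: bytes) -> List[PushRet]:
    """Keep only the pairs that match the poster's observation: an immediate
    target in the system DLL region, or a register push whose target is unknown
    statically and therefore worth a breakpoint."""
    return [
        h for h in find_push_ret(code)
        if h.kind == "reg" or (h.target is not None and h.target >= SYSTEM_DLL_REGION)
    ]


# Constructed sample bytes (not from the game): two immediate push/ret pairs,
# one computed push/ret pair, and some filler instructions.
SAMPLE = bytes([
    0x90, 0x90,                         # nop ; nop
    0x68, 0x34, 0x12, 0xF7, 0xBF,       # push 0xBFF71234  (Win9x KERNEL32 range)
    0xC3,                               # ret
    0x31, 0xC0,                         # xor eax, eax
    0x68, 0x00, 0x10, 0x40, 0x00,       # push 0x00401000  (inside the image itself)
    0xC3,                               # ret
    0x8B, 0x45, 0xFC,                   # mov eax, [ebp-4] (value computed earlier)
    0x50,                               # push eax
    0xC3,                               # ret
])

if __name__ == "__main__":
    for h in find_push_ret(SAMPLE):
        print(f"{h.offset:04X}: {h.detail}")
    print("candidates for breakpoints:", [hex(h.offset) for h in suspicious_api_calls(SAMPLE)])
```

Run it over a memory dump of the decrypted DLL rather than the on-disk file, since the poster notes the code is encrypted until it executes; the `push r32; ret` hits are the ones to break on, because their targets only exist at runtime.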