Immunity of SoftIce Breakpoints???
Bubbleman
February 17th, 2001, 19:29
Hi,
Is it possible that a program is resistant against breakpoints set in SoftIce??? I am trying to crack a program that does this. I can only break on API calls like hmemcpy, but when I step into the program code by pressing the F12 key a couple of times and put a breakpoint at this position, this breakpoint does not break. Although it is absolutely sure that the software reaches this address again, it does not break. In the debugger that is included in Win32Dasm, the breakpoints break. But I need a SoftIce breakpoint that breaks.
Thanks
Clandestiny
February 17th, 2001, 20:33
Hi Bubbleman,
It's interesting that you should bring this topic up... I've had a couple of questions along those lines myself recently. After some research, I do believe that it's possible to hide breakpoints (but don't take my word as gospel on this). Actually, I recently found an interesting little article entitled "BPX detection and tricking" by duelist which discusses scanning for INT3 in the import table to detect breakpoints that have been set as well as the use of IAT hooking for breakpoint detection. There is also some example source code with the file as well. Both of these examples show resulting General Protection Faults when the bpx is detected rather than just "hiding" the breakpoint and preventing it from breaking. This is currently all the info I've found on the topic, but I too am interested to learn more.
If you're interested, the url for the page with the tuts is: http://neudump.cjb.net
Regards

Clandestiny
?ferret
February 18th, 2001, 18:40
if you can detect the int 3 you can change it...the trick would be for the program to know what bytes were supposed to be in a given location...maybe wrapped the int 3 check in with a CRC.
Simply crashing a program upon finding an int 3 is easy, changing it back to the original byte would be a bit harder to accomplish (but still theoretically possible).
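The two checks mentioned so far in this thread, a plain scan for the INT3 byte and a CRC comparison against known-good bytes followed by restoring the original byte, as an added example that is not part of the original posts and not taken from the article mentioned above. The sample code bytes, the in-memory reference copy and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INT3 0xCC /* byte a software breakpoint (BPX) writes over an opcode */

/* Constructed sample: push ebp; mov ebp,esp; mov eax,0xCC; pop ebp; ret.
   The 0xCC at offset 4 is an immediate operand, not a breakpoint. */
static const uint8_t reference[10] = {0x55, 0x8B, 0xEC, 0xB8, 0xCC,
                                      0x00, 0x00, 0x00, 0x5D, 0xC3};

/* Standard reflected CRC-32 (polynomial 0xEDB88320), bit by bit. */
uint32_t crc32_buf(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Naive check: count 0xCC bytes. Cannot tell operands from breakpoints. */
size_t count_int3(const uint8_t *p, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += (p[i] == INT3);
    return hits;
}

/* CRC-gated check: if the live bytes no longer match the known-good CRC,
   restore every differing byte from the reference copy. Returns the number
   of bytes restored. */
size_t check_and_repair(uint8_t *live, const uint8_t *ref, size_t n) {
    size_t fixed = 0;
    if (crc32_buf(live, n) == crc32_buf(ref, n))
        return 0;
    for (size_t i = 0; i < n; i++)
        if (live[i] != ref[i]) { live[i] = ref[i]; fixed++; }
    return fixed;
}

int main(void) {
    uint8_t live[sizeof reference];
    memcpy(live, reference, sizeof live);
    live[8] = INT3; /* simulate a breakpoint placed on "pop ebp" */
    printf("0xCC bytes seen: %zu\n", count_int3(live, sizeof live));
    printf("bytes restored:  %zu\n", check_and_repair(live, reference, sizeof live));
    return 0;
}
```

The plain scan already reports one 0xCC in the unmodified bytes because of the operand at offset 4, which is why the byte-level check needs the known-good copy or checksum to be usable.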
?ferret
February 18th, 2001, 18:41
oh & btw.....have you tried BPM instead of BPX?
Lord Soth
February 18th, 2001, 20:11
Also, don't forget that SI has backdoors. Some programs use them to detect SI while others can even go on and execute some commands.
Among these they can of course manipulate BPs. a bc* would solve the program's problems altogether heh
LS
Quote:
Bubbleman (02-17-2001 08:29):
Hi,
Is it possible that a program is resistant against breakpoints set in SoftIce??? I am trying to crack a program that does this. I can only break on API calls like hmemcpy, but when I step into the program code by pressing the F12 key a couple of times and put a breakpoint at this position, this breakpoint does not break. Although it is absolutely sure that the software reaches this address again, it does not break. In the debugger that is included in Win32Dasm, the breakpoints break. But I need a SoftIce breakpoint that breaks.
Thanks
Brtascher
February 19th, 2001, 16:11
Is the program we are talking about available on the Net?
I would like to take a look.