Having problem with antidebugging tricks..


Glaurung
February 28th, 2001, 14:22
Greetings fellow Reversers !!!
First of all... don't go flaming me for my English... I'm trying as well as I can : )
The problem is:
Most tutorials that deal with packed targets are written for the Win98/ME OS. I prefer using NT when reversing because it's a bit more stable than 98/ME. When I follow the tutorials they often assume that you have some kind of anti-anti-SoftICE protection. I know there is one for NT as well. The one for NT has not implemented IDT check protection yet, so I'm a bit stuck. What is bothering me is that I preferably want to crack everything manually. So my main question is... how can I find these antidebugging protections in the code I'm debugging? I know how to take care of the MeltICE and the int 68h checks and so on... but the IDT check and how it checks the debug registers I don't know. Please... I'm very grateful for any information on this matter.
My target I'm trying to crack is a tElock packed version of Notepad.
You can find it at www.discompress.com
I know there is a tutorial for it; I've read it. It's really excellent but it doesn't serve my needs.
Please help me out..

NeO
February 28th, 2001, 17:42
Read more tuts! It says it's for advanced!!


NeO

Glaurung
March 1st, 2001, 02:57
Quote:
NeO (02-28-2001 06:42):
Read more tuts! It says it's for advanced!!


NeO


Greetings NeO!!
Well... I've read a lot of tutorials... I've been in the RCE scene for about 3 years now, so packed targets are not unknown to me. What I want to know is how the more advanced antidebugging protections work. But what I'm saying is that the tutorials don't explain in detail how to avoid the heavier protection without using FrogsICE or the newer IceDump programs to cloak your debugger.
As far as I see it, the more advanced checks, the ones that check the IDT and DR registers (maybe mixing the DR up with Motorola : ) ) for bpx and bpm's, have to be in ring 0. The program in itself usually doesn't have the right to run in a lower ring. So what they do is take control of an exception and generate an exception fault, e.g. div by 0 or something.
Hmm... maybe it's possible to get SoftICE to break when an exception occurs? Maybe reset the hooked interrupt 3?
Most people that have done packed targets know the problem when SoftICE refuses to break inside a program.. And it's hell to step through the code one instruction at a time.. I dunno... sigh...
Maybe I'm forced to use an external program that hides my debugger.....

Cheers and G'nite : )

tarzan
November 8th, 2005, 17:03
Hi, this thread seems dead. I am interested in the basics of how anti-SoftICE things work. For example, I have an FTP program that does not like SoftICE. Unless I uninstall SoftICE, it will not run.

I am therefore trying to understand the basics and could not find the right tutorial.

Can someone refer me????

I tried searching this forum a lot for this and could not find anything.

Tarz

naides
November 8th, 2005, 18:29
Hi Tarzan.
Most tuts on SoftICE anti-debug stuff I have seen are somewhat outdated.
Ricardo Narvaja deals a bit with Olly antidebug.
The book by Kris Kaspersky on debugging dedicates one whole chapter to the issue.

disavowed
November 9th, 2005, 03:24
Quote:
[Originally Posted by naides] The book by Kris Kaspersky on debugging dedicates one whole chapter to the issue.

Although the Kaspersky book was decent, I wasn't that impressed with the anti-debugging chapter.

5aLIVE
November 9th, 2005, 05:50
@naides/disavowed, which Kaspersky book are you referring to? Hacker Disassembling Uncovered or Hacker Debugging Uncovered?

I'm guessing Part II, "Ways of Making Software Analysis Difficult: Counteracting Debuggers", from the disassembling book, as I haven't seen the debugging book anywhere?

I like the disassembling book, good quality of information; in particular the chapter on identifying key structures is very informative. Worthy of a place on every reverser's book shelf IMHO.

5aLIVE

naides
November 9th, 2005, 10:22
5aLIVE: I am talking about Debugging Uncovered.

The debugging book is available on Amazon.com and Barnes and Noble for a modest US $29.99.
I THINK it is also available as a 'demo' e-book somewhere on Chinese boards.

Disa: For my low level of sophistication, the antidebugger tricks chapter was informative. Because of the intrinsic nature of the beast, it is impossible for any author to come up with an exhaustive, reference-type treatise on the issue.

5aLIVE
November 9th, 2005, 13:00
Thanks naides, I've sent you a PM.

disavowed
November 10th, 2005, 03:06
I was talking about the disassembling book. 5aLIVE, I agree about the identifying of key structures.