Need help for Masm32


Hero
November 11th, 2004, 12:45
Hi All!
I'm looking for some basic debugger detection. I searched here and on other
forums and found some general ways to do this. But when I try to use
some of these tricks, I get problems that I don't understand.
Perhaps someone can help me with these problems:
1- The problem with fs:[30h] that I get in masm32 is:
error A2108: use of register assumed to ERROR
I don't know why, because I got the full code from daemon.anticrack.de
This error occurs on this code:
mov eax,fs:[30h]
and then the application can't be assembled.

2- A problem with every direct call of the INT instruction. For example the following
code from CrackZ:

MOV AH, 43h        ; SoftICE API request
INT 68h            ; vector that SoftICE hooks; with nothing behind it this faults in ring 3
CMP AX, 0F386h     ; SoftICE answers with this magic value
JZ SoftICE_is_here

This one links fine, but the target exe file crashes in Windows (XP).
Or this code:
xor eax,eax
int 1              ; raises an exception; without a handler the process dies
inc eax
inc eax
or eax,eax
jz found

Is there anybody who can tell me what the problem is?
Question:
If you want to stop simple debuggers, do you use hooks or these detections?

I searched and didn't find anything about this. Don't get mad!
I attach two asm files that I can't compile (one about fs:[30h] and the
other about INT 1, which needs an include file win32.inc that I can't find).
Perhaps you can help me.

Sincerely yours

doug
November 11th, 2004, 13:19
1.
add: assume fs:nothing

2.
side effect of 1. You need an exception handler. (#1)
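
A worked version of doug's first point, added here as an example (it is not code from the thread or from daemon.anticrack.de): ASSUME FS:NOTHING in front of the FS-relative load, and the PEB read carried through to the two fields people usually want from it, BeingDebugged at PEB+2 and NtGlobalFlag at PEB+68h. The include paths assume the stock \masm32 layout; procedure and string names are my own.

```asm
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
    szTitle    db "PEB check", 0
    szHit      db "PEB says a debugger is present", 0
    szClean    db "PEB looks clean", 0

.code
; MASM ties FS to a segment by default and refuses fs:[30h] with
; error A2108. ASSUME FS:NOTHING makes it treat FS as a plain
; segment override, so the TEB-relative load assembles.
assume fs:nothing

; Returns EAX = PEB.BeingDebugged (0 or 1). On 32-bit Windows FS:[0]
; is the TEB, TEB+30h holds the PEB pointer, and PEB+2 is the byte
; that IsDebuggerPresent reads. A debugger or plugin can clear it.
PebBeingDebugged proc
    mov eax, fs:[30h]               ; EAX = PEB*
    movzx eax, byte ptr [eax+2]     ; EAX = PEB.BeingDebugged
    ret
PebBeingDebugged endp

; Returns EAX = 1 when PEB.NtGlobalFlag (PEB+68h) carries the three heap
; debug flags the loader sets for a process that was created under a
; debugger: FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK |
; FLG_HEAP_VALIDATE_PARAMETERS = 70h. Attaching later does not set them.
PebNtGlobalFlag proc
    mov eax, fs:[30h]
    mov eax, [eax+68h]
    and eax, 70h
    cmp eax, 70h
    sete al
    movzx eax, al
    ret
PebNtGlobalFlag endp

start:
    call PebBeingDebugged
    mov ecx, eax
    call PebNtGlobalFlag
    or eax, ecx                     ; either indicator is enough to report
    .if eax != 0
        invoke MessageBox, NULL, addr szHit, addr szTitle, MB_OK
    .else
        invoke MessageBox, NULL, addr szClean, addr szTitle, MB_OK
    .endif
    invoke ExitProcess, 0
end start
```

Build it the usual masm32 way (ml /c /coff, then link /SUBSYSTEM:WINDOWS). Both fields live in user-writable memory of the target itself, so a debugger that wants to hide only has to zero them; this is the cheap check, not a strong one.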

Neitsa
November 12th, 2004, 09:41
Hello,

As stated by Doug, you'll need an SEH to catch the INT. Here's a very good link about SEH and Asm programming on Windows:

http://www.jorgon.freeserve.co.uk/ExceptFrame.htm

You may take a look at the whole Jeremy Gordon site, it deserves it!

Regards, Neitsa
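
doug's second point, the exception handler, worked through in MASM32 as an added example (this is not code from the thread or from Jeremy Gordon's page). The first routine is CrackZ's INT 68h probe wrapped in a frame-based SEH handler, so a missing SoftICE no longer kills the process. For the INT 1 fragment, the block raises the single-step exception with the trap flag (pushfd / or [esp],100h / popfd) rather than a literal INT 1 instruction, because that is the variant that behaves predictably from ring 3 on NT-based Windows; that substitution is mine, as are the procedure names, strings and the SINGLE_STEP_CODE constant.

```asm
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

SINGLE_STEP_CODE equ 080000004h     ; STATUS_SINGLE_STEP / EXCEPTION_SINGLE_STEP

.data
    bHandlerRan db 0
    szTitle     db "INT probe", 0
    szSice      db "SoftICE answered INT 68h", 0
    szNoSice    db "No SoftICE: INT 68h faulted and SEH caught it", 0
    szDbg       db "Single-step never reached us: ring-3 debugger suspected", 0
    szNoDbg     db "Single-step reached our handler: no debugger", 0

.code
assume fs:nothing

; Frame-based SEH handler, called by the dispatcher with the C convention.
; It records that it ran and, for a fault (an INT with no ring-0 owner),
; steps over the 2-byte "INT imm8" so execution resumes at the CMP.
; For a single-step trap the saved EIP already points past the instruction.
SehHandler proc C pExcept:DWORD, pFrame:DWORD, pContext:DWORD, pDispatch:DWORD
    mov bHandlerRan, 1
    mov eax, pExcept
    mov ecx, [eax].EXCEPTION_RECORD.ExceptionCode
    mov edx, pContext
    .if ecx != SINGLE_STEP_CODE
        add [edx].CONTEXT.regEip, 2     ; skip CD xx
    .endif
    xor eax, eax                        ; ExceptionContinueExecution
    ret
SehHandler endp

; CrackZ's probe inside an SEH frame. EAX = 1 if AX came back as 0F386h,
; 0 otherwise, including the case where the INT faulted and was skipped.
CheckSoftICE proc
    push offset SehHandler
    push dword ptr fs:[0]
    mov fs:[0], esp             ; install frame

    mov ah, 43h
    int 68h                     ; without SoftICE this faults; handler skips it
    cmp ax, 0F386h
    sete al
    movzx eax, al

    pop dword ptr fs:[0]        ; remove frame
    add esp, 4
    ret
CheckSoftICE endp

; Trap-flag probe. A ring-3 debugger normally consumes EXCEPTION_SINGLE_STEP
; itself, so our handler never runs. EAX = 1 when the handler was bypassed.
CheckSingleStep proc
    push offset SehHandler
    push dword ptr fs:[0]
    mov fs:[0], esp
    mov bHandlerRan, 0

    pushfd
    or dword ptr [esp], 100h    ; set TF
    popfd
    nop                         ; the trap fires after this instruction

    pop dword ptr fs:[0]
    add esp, 4
    movzx eax, bHandlerRan
    xor eax, 1                  ; 1 = handler did not run
    ret
CheckSingleStep endp

start:
    call CheckSoftICE
    .if eax != 0
        invoke MessageBox, NULL, addr szSice, addr szTitle, MB_OK
    .else
        invoke MessageBox, NULL, addr szNoSice, addr szTitle, MB_OK
    .endif
    call CheckSingleStep
    .if eax != 0
        invoke MessageBox, NULL, addr szDbg, addr szTitle, MB_OK
    .else
        invoke MessageBox, NULL, addr szNoDbg, addr szTitle, MB_OK
    .endif
    invoke ExitProcess, 0
end start
```

Two things to watch. A hand-built frame pointing at a handler the linker does not know about is rejected in a SafeSEH image, so on a newer linker either link with /SAFESEH:NO or register SehHandler with the .SAFESEH directive. And the single-step result depends on the debugger's configuration: if it is set to pass single-step exceptions through to the program, the handler runs and the probe reports nothing.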

Lonely Wolf
November 12th, 2004, 11:05
Hi,
excuse me, however I think that the right place for this kind of problem is www.masmforum.com... I remember that this issue has already been covered.

bye

dELTA
November 12th, 2004, 15:29
Most of the big asm programming forums are very resistant to everything even remotely related to cracking, e.g. anti-debugger tricks and such...

Hero
November 14th, 2004, 09:50
Hi,
thanks for all the information about SEH.
It was very useful.

Continuing my tests to find a simple anti-debugging
trick, I found this simple one:

I get the parent process name of the current process. If it is not
"explorer.exe", I say a debugger is running.

But after a while, I asked myself what would happen if the debugger
renamed itself to "explorer.exe"? I tested it with ollydbg110, but
when I rename it to "explorer.exe" it crashes!

Why does this happen after renaming? Is this a bug in ollydbg?

sincerely yours
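
The parent-name check Hero describes, written out in MASM32 as an added example (Hero's own attachment is not on the page, and this is not it). It uses the Toolhelp32 snapshot API: one pass over the process list to find our own entry and read th32ParentProcessID, a second pass to find that PID and compare its szExeFile with "explorer.exe". Procedure and string names are my own.

```asm
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
    szExplorer  db "explorer.exe", 0
    szTitle     db "Parent check", 0
    szOk        db "Parent is explorer.exe", 0
    szBad       db "Parent is not explorer.exe: debugger or launcher suspected", 0

.data?
    pe32        PROCESSENTRY32 <>

.code

; Returns EAX = 1 if the parent of the current process is named "explorer.exe"
; (case-insensitive compare of the image file name only), otherwise 0.
ParentIsExplorer proc
    LOCAL hSnap:DWORD
    LOCAL myPid:DWORD
    LOCAL parentPid:DWORD
    LOCAL result:DWORD

    mov result, 0
    mov parentPid, 0
    invoke GetCurrentProcessId
    mov myPid, eax

    invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
    .if eax == INVALID_HANDLE_VALUE
        xor eax, eax
        ret
    .endif
    mov hSnap, eax

    ; pass 1: locate our own entry and remember the parent PID
    mov pe32.dwSize, sizeof PROCESSENTRY32
    invoke Process32First, hSnap, addr pe32
    .while eax != 0
        mov eax, pe32.th32ProcessID
        .if eax == myPid
            mov eax, pe32.th32ParentProcessID
            mov parentPid, eax
            .break
        .endif
        invoke Process32Next, hSnap, addr pe32
    .endw

    ; pass 2: locate the parent's entry and compare its image name
    .if parentPid != 0
        mov pe32.dwSize, sizeof PROCESSENTRY32
        invoke Process32First, hSnap, addr pe32
        .while eax != 0
            mov eax, pe32.th32ProcessID
            .if eax == parentPid
                invoke lstrcmpi, addr pe32.szExeFile, addr szExplorer
                .if eax == 0
                    mov result, 1
                .endif
                .break
            .endif
            invoke Process32Next, hSnap, addr pe32
        .endw
    .endif

    invoke CloseHandle, hSnap
    mov eax, result
    ret
ParentIsExplorer endp

start:
    call ParentIsExplorer
    .if eax != 0
        invoke MessageBox, NULL, addr szOk, addr szTitle, MB_OK
    .else
        invoke MessageBox, NULL, addr szBad, addr szTitle, MB_OK
    .endif
    invoke ExitProcess, 0
end start
```

Two caveats a practitioner would want on top of the one sgdt raises below about renaming. The check produces false positives for every legitimate launch that does not come from the shell (cmd.exe, a scheduler, a third-party shell), and if the parent has already exited its PID may have been reused, so the name you read may belong to an unrelated process. What it compares is only the bare image file name, which is exactly the string a hex editor can change.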

sgdt
November 14th, 2004, 16:50
You have to rename the contents of the DLLs as well. You will need a hex editor, and it'll be a little tricky because the word "explorer" is longer than "ollydbg". But, it can be done in about 20 minutes or less (when I got mine to be called explorer, it took about 20 minutes, mostly because of all the plug-ins and testing).

Might I suggest something more reliable, such as spawning a process that will attach to you as a debugger and drive your code for something important, or inject some needed fragment or what not? That way, you'll be compatible with some of the after-market "explorer" replacements (which, btw, aren't called "explorer.exe"), and you won't fall victim to anyone with a hex editor and 20 minutes of free time...
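
A minimal version of sgdt's suggestion, added as an example (not sgdt's code): the program relaunches its own image with DEBUG_ONLY_THIS_PROCESS and pumps debug events for it. Windows lets a process have exactly one debugger, so while the parent's loop is running an attempt to attach OllyDbg to the child fails. The child recognises its role through an environment variable the parent sets; the variable name SELFDBG_CHILD, the procedure names and the strings are assumptions of this example. The child also insists that a debugger really is attached before it runs the protected part, so setting the marker by hand is not enough.

```asm
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
    szMarkName  db "SELFDBG_CHILD", 0    ; assumed marker variable
    szMarkVal   db "1", 0
    szTitle     db "Self-debug", 0
    szPayload   db "Payload running; only our parent can debug this process", 0
    szFail      db "Could not spawn the debuggee copy", 0

.data?
    szSelf      db MAX_PATH dup(?)
    szMarkBuf   db 16 dup(?)
    stInfo      STARTUPINFO <>
    procInfo    PROCESS_INFORMATION <>
    dbgEvent    DEBUG_EVENT <>
    bSeenFirstBp db ?

.code

; Parent role: relaunch our own image as a debuggee and pump its debug events
; until it exits. Returns EAX = 1 on success, 0 if CreateProcess failed.
RunAsDebugger proc
    invoke GetModuleFileName, NULL, addr szSelf, MAX_PATH
    invoke SetEnvironmentVariable, addr szMarkName, addr szMarkVal   ; inherited by the child
    mov stInfo.cb, sizeof STARTUPINFO
    invoke CreateProcess, addr szSelf, NULL, NULL, NULL, FALSE, \
           DEBUG_ONLY_THIS_PROCESS, NULL, NULL, addr stInfo, addr procInfo
    .if eax == 0
        ret                         ; EAX is already 0
    .endif
    mov bSeenFirstBp, 0
    .repeat
        invoke WaitForDebugEvent, addr dbgEvent, INFINITE
        .break .if eax == 0
        mov ecx, DBG_CONTINUE
        .if dbgEvent.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT
            invoke ContinueDebugEvent, dbgEvent.dwProcessId, dbgEvent.dwThreadId, DBG_CONTINUE
            .break
        .elseif dbgEvent.dwDebugEventCode == EXCEPTION_DEBUG_EVENT
            ; ExceptionRecord.ExceptionCode is the first DWORD of the union, offset 0Ch
            mov eax, dword ptr [dbgEvent + 12]
            .if eax == EXCEPTION_BREAKPOINT && bSeenFirstBp == 0
                mov bSeenFirstBp, 1 ; the loader's initial breakpoint: swallow it
            .else
                mov ecx, DBG_EXCEPTION_NOT_HANDLED  ; let the child's own SEH see it
            .endif
        .endif
        invoke ContinueDebugEvent, dbgEvent.dwProcessId, dbgEvent.dwThreadId, ecx
    .until FALSE
    invoke CloseHandle, procInfo.hThread
    invoke CloseHandle, procInfo.hProcess
    mov eax, 1
    ret
RunAsDebugger endp

start:
    invoke GetEnvironmentVariable, addr szMarkName, addr szMarkBuf, sizeof szMarkBuf
    .if eax == 0
        call RunAsDebugger          ; no marker: we are the launcher and debugger
        .if eax == 0
            invoke MessageBox, NULL, addr szFail, addr szTitle, MB_OK
        .endif
    .else
        ; marker present: refuse to run unless a debugger (our parent) is attached,
        ; otherwise anyone could set the variable and start the payload directly
        invoke IsDebuggerPresent
        .if eax != 0
            invoke MessageBox, NULL, addr szPayload, addr szTitle, MB_OK
        .endif
    .endif
    invoke ExitProcess, 0
end start
```

What this buys and what it does not: attaching a second debugger to the child fails, and the parent can go further than this loop does (single-step the child, feed it data, or, as sgdt says, drive an important fragment through it). The parent itself is an ordinary process that can be debugged, the IsDebuggerPresent test in the child is a single byte in the PEB, and when the parent exits the child is terminated with it unless DebugSetProcessKillOnExit(FALSE) is called, so treat this as a speed bump rather than a fence.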