
View Full Version : Killing our tools.


Crudd
02-10-2003, 04:01 AM
Anyone know any programs or protections that disable our tools? I know there are plenty for SI and I may deal with these later. But for now I'm worried about the lesser tools: anti-(reg/file)mon, anti-olly, anti-smartcheck. Anyone know of others? And how they are carried out, or programs that use them?
Crudd [RET]

Acid_Cool_178
02-10-2003, 06:43 PM
I have tried to search on Google for something, first of all "+anti +ollydbg".
Try this page
http://rohanpall.com/ollydbg/ and then search for "anti". As I understand OllyDbg, it looks at the PE structure hard as hell, and by changing something in there, like UPX tricks, then it will work good. It will have some huge problems.

I guess that you know about this page, but I'm only taking up this one also. http://daemon.anticrack.de/

anticrack.de and check out "Misc. Softwareprotection" "RCE Anti (whatever)r"



http://esca.atomki.hu/paradise/sac/utilprog.html
http://www.techfest.org/Final.pdf <-- Anti ProcDump
http://www.krobar.cjb.net/ <-- Other tutorials and u might find something in there.

Right now I think that I have done one very small search. Hopefully it might help. I have searched on "anti ollydbg" and "anticrack" on Google.

illbrain
03-20-2003, 08:16 AM
Our beloved, nay sacred Windasm32.

Try loading up 3D Studio Max release 4 into our baby.

Poof.
Poof.
and more Poof!

I've heard of anti-SoftICE tricks, but anti-Windasm?
that's not cricket old boy ;-)

Now........... just what they tryin' to hide?

Will
03-20-2003, 01:02 PM
Without taking a look at the target I can't say for sure if it's actually a wdasm-specific technique, but there are general anti-debugger techniques. Wdasm disassembles binaries in such a way that you can put something like:

    jmp short _around
    db 0E8h              ; [invalid code]: a stray opcode byte that gets decoded as the start of an instruction
_around:
                         ; [valid code]

...and wdasm won't know what to do with the invalid code, so it either locks, hangs or poofs on you. Maybe someone else can give a more technical answer.

cheers,
will
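
As an added illustration of the pattern above (this is not code from the thread or from anyone's post), here is a toy disassembler in Python that decodes a small x86-32 opcode subset two ways: a linear sweep, byte after byte, as a dead-listing tool does, and a recursive traversal that only decodes what control flow reaches. The sample bytes are constructed by me: the "invalid code" is a single 0E8h byte, the opcode of CALL rel32, so a linear sweep swallows the four real bytes after it as the call's displacement. The opcode subset, the sample and the function names are my own choices; whether w32dasm in particular decodes this way is exactly what the thread is arguing about, so read the linear sweep as an illustration of the failure mode, not as a statement about w32dasm's internals.

```python
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode(code, off):
    """Decode one x86-32 instruction at offset 'off' (a small opcode subset is
    enough here).  Returns (length, text, successors), where successors are
    the offsets a control-flow-following disassembler continues from."""
    op, rem = code[off], len(code) - off
    if op == 0x90:
        return 1, "nop", [off + 1]
    if op == 0xCC:
        return 1, "int3", [off + 1]
    if op == 0xC3:
        return 1, "ret", []
    if 0x50 <= op <= 0x57:
        return 1, "push %s" % REGS[op - 0x50], [off + 1]
    if 0x58 <= op <= 0x5F:
        return 1, "pop %s" % REGS[op - 0x58], [off + 1]
    if op == 0x6A and rem >= 2:
        return 2, "push %d" % struct.unpack_from("<b", code, off + 1)[0], [off + 2]
    if op == 0x33 and rem >= 2 and code[off + 1] >> 6 == 3:      # xor r32, r32 (register-direct ModRM only)
        modrm = code[off + 1]
        return 2, "xor %s, %s" % (REGS[(modrm >> 3) & 7], REGS[modrm & 7]), [off + 2]
    if op in (0xEB, 0x74, 0x75) and rem >= 2:                     # jmp/jz/jnz short: rel8 from the next instruction
        target = off + 2 + struct.unpack_from("<b", code, off + 1)[0]
        name = {0xEB: "jmp", 0x74: "jz", 0x75: "jnz"}[op]
        return 2, "%s short 0x%x" % (name, target), [target] if op == 0xEB else [off + 2, target]
    if op in (0xE8, 0xE9) and rem >= 5:                           # call/jmp rel32
        target = (off + 5 + struct.unpack_from("<i", code, off + 1)[0]) & 0xFFFFFFFF
        if op == 0xE8:
            return 5, "call 0x%x" % target, [off + 5, target]
        return 5, "jmp 0x%x" % target, [target]
    return 1, "db 0x%02x" % op, [off + 1]                         # anything else: one undecodable byte


def linear_sweep(code):
    """Decode byte after byte from the start, the way a dead-listing tool does;
    returns a list of (offset, text)."""
    listing, off = [], 0
    while off < len(code):
        length, text, _ = decode(code, off)
        listing.append((off, text))
        off += length
    return listing


def recursive_traversal(code, entry=0):
    """Decode only what control flow from 'entry' can reach; bytes that are
    jumped over are never treated as instructions."""
    listing, seen, work = {}, set(), [entry]
    while work:
        off = work.pop()
        if off in seen or not 0 <= off < len(code):
            continue
        seen.add(off)
        length, text, successors = decode(code, off)
        listing[off] = text
        work.extend(successors)
    return sorted(listing.items())


# Constructed sample implementing the post's pattern:
#   jmp short _around ; db 0E8h (junk: the CALL rel32 opcode) ; _around: xor eax,eax ; push 0 ; nop ; ret
SAMPLE = bytes([0xEB, 0x01, 0xE8, 0x33, 0xC0, 0x6A, 0x00, 0x90, 0xC3])

if __name__ == "__main__":
    print("linear sweep (the dead-listing view):")
    for off, text in linear_sweep(SAMPLE):
        print("  %04x  %s" % (off, text))
    print("recursive traversal (follows the jmp):")
    for off, text in recursive_traversal(SAMPLE):
        print("  %04x  %s" % (off, text))
```

The linear sweep reports a bogus five-byte call at offset 2 and never shows the xor and push at offsets 3 and 5; the traversal never decodes offset 2 at all, because nothing jumps there. That is the whole trick: it only hurts tools that decode bytes in file order.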

AndreaGeddon
03-21-2003, 06:00 AM
For Windasm I also know a simple trick: you just have to set the characteristics of the code section to C0000020 (or C0000040) and wdasm will load nothing! This trick also prevents Symbol Loader from popping on the entry point of the program (when you load an application with Symbol Loader and press Run, it will cause SoftICE to pop up on the entry point, at least on Win9x; on 2k/XP there is a bug and Symbol Loader never pops on the entry point).
A friend of mine also told me about a program which can cause IDA to crash if disassembled!! Well, I didn't see this program, but I don't really believe it! Do you know something about it? Anti-IDA??
Bye all!!
AndreaGeddon

Fake51
06-04-2003, 12:51 PM
When it comes to w32dasm, the only really interesting trick I know of has to do with the .rsrc section in executables. I can't recall much of the trick, but I remember reading something, possibly on tsehp's mirror.

Anyway, the trick is to mess around with the resource directory, if memory serves me right. If w32dasm doesn't find this part the way it wants to, it'll exit.

The trick of setting PE characteristics is not much use: it's easy to change, and has been done a lot. And as far as I know, w32dasm happily disassembles jumps past junk code. You would have to find an actual flaw in the disassembly lookup of w32dasm for it to break. To my knowledge, there are none.

Of course, any dead listing breaks on SMC, but that's old news.

Other tools: typical tricks against FileMon/RegMon include searching for the window class or name. One can search for the VxD files too, if memory serves me right.

Fake

Fake51
06-07-2003, 09:33 AM
Looked around a bit, and found this thread at the FraviaMB. Has some OK info on w32dasm.

http://woodmann.com/upload/showthread.php?threadid=3779&highlight=w32dasm

disavowed
08-03-2003, 10:43 PM
As for crashing IDA...
I've been able to crash recent versions (including 4.51 retail) with bogus files as input, although I've never seen IDA crash due to a real PE file. In other words, I don't think anyone has found any code to put into an executable that will crash IDA.

least
08-22-2003, 11:56 AM
Hi,
Concerning FileMon and RegMon (also SuperBPM...), the easiest way to find them is using the MeltICE trick. But there is another method that could be used: FileMon and RegMon seem to store some settings in the registry, in keys with quite tell-tale names. Some app could try to find them this way.
And on ^DAEMON^'s forum a trick to fool Olly is mentioned: as far as I can remember, the app started itself again as a new process and the old one was terminated, or something like that.
Anyway, good idea Crudd. It is good to know that someone takes care of the other tools as well, not only of SICE.

Evilcry
08-24-2003, 01:26 PM
For OllyDbg or other tools like Symbol Loader, I know the fs:[20h] trick
that is used to know if an application is executed by another program. The fs:[20h], if I remember correctly, is used to check if the field DEBUG_CONTEXT
in the TIB is null.

    mov  eax, dword ptr fs:[20h]
    or   eax, eax
    jz   No_Debugger_Found

Another trick that I know is the fs:[30h] trick, used to find the pointer to the PEB structure at offset 0x30 in the TEB.

    mov   eax, fs:[30h]          ; pointer to PEB
    movzx eax, byte ptr [eax+2h]
    or    al, al
    jz    No_Debugger_Found

Other implementations of these two tricks can be found on daemon's site
:wink:


Have a nice day

sna
08-25-2003, 08:48 AM
There is a lot of confusion regarding these scarcely documented structures (TIB/TEB/PEB/PDB), partially thanks to the fact that they don't look the same under different Windows versions.

In each Thread Environment Block there will be a pointer to the Process DataBase. See the Wine mailing lists for further discussions and information about the PDB. Both the TEB and PDB vary slightly between Win9x and WinNT, so you'd better know which system your code is executing under before you try to access either of these structures' members.

As for NT-based systems, this code should work nicely:

    mov   edx, fs:[18h]          ; linear address of TEB
    mov   eax, [edx+30h]         ; pointer to PDB
    movzx eax, byte ptr [eax+2]
    test  eax, eax
    jnz   __debugged

Running on Win9x, you would need to execute this instead:

    PDB32_DEBUGGED    equ 0001

    mov   edx, fs:[18h]          ; linear address of TEB
    mov   eax, [edx+34h]         ; pointer to PDB
    mov   eax, [eax+20h]         ; 32-bit flags
    test  eax, PDB32_DEBUGGED
    jnz   __debugged

cheers, sna
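
Since the two posts above give the exact instruction sequences a protection uses to read the TEB/PEB, here is an added example (mine, not from either poster) of the thing a reverser wants next: a Python scanner that finds those sequences in a raw code blob by their x86-32 encodings, pairs each PEB load with a following read of byte [PEB+2] (the BeingDebugged flag) so that an unrelated `movzx reg, byte ptr [reg+2]` is not mistaken for a check, and patches each paired read into `xor reg, reg / nop / nop` so the flag always reads as zero. The encodings are the standard ones (64 A1 disp32 for `mov eax, fs:[disp32]`, 64 8B /r for other registers, 0F B6 /r for movzx); the sample blob, the 24-byte pairing window and all function names are my own constructions, and the scanner deliberately knows nothing about PE headers or relocations, so offsets are into whatever bytes you hand it.

```python
import re


def _modrm_class(mod, rm=None):
    """Regex byte class of ModRM values with the given mod field, skipping
    rm=100 (which would need a SIB byte); 'rm' pins a single rm value."""
    vals = [b for b in range(mod << 6, (mod << 6) + 64)
            if (b & 7) != 4 and (rm is None or (b & 7) == rm)]
    return b"[" + re.escape(bytes(vals)) + b"]"


REG_DISP8 = _modrm_class(1)            # [r32 + disp8]
DISP32 = _modrm_class(0, rm=5)         # [disp32] with no base register

# (pattern, kind, description): x86-32 encodings of the instructions quoted in the thread.
SIGNATURES = [
    (re.escape(b"\x64\xa1\x30\x00\x00\x00"), "peb_load", "mov eax, fs:[30h]            ; PEB pointer"),
    (re.escape(b"\x64\xa1\x18\x00\x00\x00"), "teb_load", "mov eax, fs:[18h]            ; TEB self-pointer"),
    (re.escape(b"\x64\x8b") + DISP32 + re.escape(b"\x18\x00\x00\x00"), "teb_load",
     "mov r32, fs:[18h]            ; TEB self-pointer"),
    (re.escape(b"\x64\xa1\x20\x00\x00\x00"), "other", "mov eax, fs:[20h]"),
    (re.escape(b"\x8b") + REG_DISP8 + re.escape(b"\x30"), "peb_load", "mov r32, [r32+30h]           ; TEB+30h -> PEB"),
    (re.escape(b"\x0f\xb6") + REG_DISP8 + re.escape(b"\x02"), "being_debugged",
     "movzx r32, byte ptr [r32+2]  ; PEB.BeingDebugged"),
]


def scan(data):
    """Every signature hit, as sorted (offset, kind, description) tuples."""
    hits = []
    for pattern, kind, desc in SIGNATURES:
        hits.extend((m.start(), kind, desc) for m in re.finditer(pattern, data))
    return sorted(hits)


def find_being_debugged_checks(data, window=24):
    """Pair each PEB load with the first read of [PEB+2] that follows within
    'window' bytes.  The pairing is what separates a real BeingDebugged test
    from an unrelated movzx byte ptr [reg+2] (e.g. a field read of a struct)."""
    hits, checks = scan(data), []
    for off, kind, _ in hits:
        if kind != "peb_load":
            continue
        for off2, kind2, _ in hits:
            if kind2 == "being_debugged" and off < off2 <= off + window:
                checks.append((off, off2))
                break
    return checks


def neutralise(data):
    """Patched copy: each paired movzx r32, byte ptr [r32+2] (4 bytes) becomes
    xor r32, r32 / nop / nop, so the flag always reads as zero and both the
    'or al,al / jz' and the 'test eax,eax / jnz' forms take the clean path."""
    out = bytearray(data)
    for _, off in find_being_debugged_checks(data):
        reg = (data[off + 2] >> 3) & 7                  # destination register from the ModRM reg field
        out[off:off + 4] = bytes([0x33, 0xC0 | (reg << 3) | reg, 0x90, 0x90])
    return bytes(out)


# Constructed sample: a prologue, Evilcry's fs:[30h] sequence, padding, sna's NT
# sequence, padding, then one unrelated movzx [ecx+2] that must NOT be patched.
SAMPLE = (
    b"\x55\x8b\xec\x83\xec\x10"                      # push ebp / mov ebp,esp / sub esp,10h
    + b"\x64\xa1\x30\x00\x00\x00"                    # mov eax, fs:[30h]
    + b"\x0f\xb6\x40\x02"                            # movzx eax, byte ptr [eax+2]
    + b"\x0a\xc0\x74\x05"                            # or al,al / jz +5
    + b"\x90" * 16
    + b"\x64\x8b\x15\x18\x00\x00\x00"                # mov edx, fs:[18h]
    + b"\x8b\x42\x30"                                # mov eax, [edx+30h]
    + b"\x0f\xb6\x40\x02"                            # movzx eax, byte ptr [eax+2]
    + b"\x85\xc0\x75\x05"                            # test eax,eax / jnz +5
    + b"\x90" * 16
    + b"\x0f\xb6\x41\x02"                            # movzx eax, byte ptr [ecx+2]: unrelated field read
    + b"\xc3"                                        # ret
)

if __name__ == "__main__":
    for off, kind, desc in scan(SAMPLE):
        print("%04x  %-14s %s" % (off, kind, desc))
    print("BeingDebugged checks (load, read):", find_being_debugged_checks(SAMPLE))
    print("checks left after patching:", find_being_debugged_checks(neutralise(SAMPLE)))
```

On a real target you would run this over the code section's raw bytes and add the section's file offset to each hit; the `mov r32, [r32+30h]` signature fires on plenty of innocent stack accesses, which is why only hits paired with a nearby `[+2]` read are reported and patched. The fs:[20h] sequence from the first post is reported but not patched, since the thread does not establish what that field holds on NT.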

AndreaGeddon
08-25-2003, 08:06 PM
about TEB TIB PEB PDB etc
If you need docs, just download kdex2x86.dll, !load it into ntsd and then use the command !strct to get the mapping of a lot of internal structures :)
Bye ;)
AndreaGeddon

doug
12-06-2003, 12:32 PM
Lame anti-IDA trick (v4.30):

Put junk in the PE header for the "Debug" field, something that's outside the image. IDA will crash on this.

I believe that was fixed in later versions.

This trick is used in some protectors, like x-protector.
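
Both of the header tricks in this thread (AndreaGeddon's code section with Characteristics set to C0000020, which drops IMAGE_SCN_MEM_EXECUTE, and the out-of-image Debug directory described just above) are a few bytes in the PE header, and Fake51's point that they are "easy to change" is best shown by actually changing them. The following Python is an added example, not anyone's posted code or any tool's source: it builds a minimal PE32 in memory (a constructed sample, not a real binary), audits the entry point's section flags and every data directory against SizeOfImage, and writes a repaired copy. The constants are the winnt.h values; the struct layouts are the standard PE32 ones; the sample image, the function names and the choice of 0x60000020 as the "normal" code-section value are my own.

```python
import struct

# Section characteristic bits from winnt.h
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000
NORMAL_TEXT_CHARS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ   # 0x60000020
DIR_NAMES = {2: "RESOURCE", 6: "DEBUG"}                                                # directory indices of interest

OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # PE32 optional header minus directories (96 bytes)
SEC_FMT = "<8sIIIIIIHHI"                                            # IMAGE_SECTION_HEADER (40 bytes)


def build_pe(text_chars=NORMAL_TEXT_CHARS, dirs=None):
    """Constructed sample: a minimal PE32 with one .text section at RVA 0x1000 that
    holds the entry point.  'dirs' maps data-directory index -> (rva, size)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                   # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)      # i386, 1 section, 224-byte optional header
    opt = struct.pack(OPT_FMT, 0x10B, 6, 0,
                      0x200, 0, 0,               # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                      0x1000, 0x1000, 0x2000,    # AddressOfEntryPoint, BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,   # ImageBase, SectionAlignment, FileAlignment
                      4, 0, 0, 0, 4, 0,          # OS / image / subsystem version pairs
                      0, 0x2000, 0x200, 0,       # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0,                      # Subsystem (GUI), DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)   # stack/heap sizes, LoaderFlags, NumberOfRvaAndSizes
    directories = bytearray(16 * 8)
    for idx, (rva, size) in (dirs or {}).items():
        struct.pack_into("<II", directories, idx * 8, rva, size)
    section = struct.pack(SEC_FMT, b".text\0\0\0", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, text_chars)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + opt + bytes(directories) + section).ljust(0x200, b"\0")
    code = b"\x6a\x00\xe8\x00\x00\x00\x00\xc3".ljust(0x200, b"\xcc")       # push 0 / call $+5 / ret, int3 padding
    return headers + code


def parse_pe(data):
    """Pull out the fields the audit needs from a PE32 file image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    opt = struct.unpack_from(OPT_FMT, data, opt_off)
    if opt[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    dd_off = opt_off + 96
    dirs = {}
    for i in range(min(opt[29], 16)):                      # NumberOfRvaAndSizes
        rva, size = struct.unpack_from("<II", data, dd_off + i * 8)
        if rva or size:
            dirs[i] = (rva, size)
    sections = []
    for i in range(nsec):
        hdr_off = opt_off + opt_size + i * 40
        name, vsize, va, _, _, _, _, _, _, chars = struct.unpack_from(SEC_FMT, data, hdr_off)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "chars": chars, "hdr_off": hdr_off})
    return {"entry": opt[6], "size_of_image": opt[19], "dirs": dirs, "dd_off": dd_off, "sections": sections}


def _entry_section(pe):
    for s in pe["sections"]:
        if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], 1):
            return s
    return None


def audit(data):
    """Findings for the two header tricks discussed in the thread."""
    pe, findings = parse_pe(data), []
    sec = _entry_section(pe)
    if sec is None:
        findings.append("entry point %#x is not inside any section" % pe["entry"])
    elif not sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s has Characteristics %#010x without IMAGE_SCN_MEM_EXECUTE"
                        % (sec["name"], sec["chars"]))
    for idx, (rva, size) in pe["dirs"].items():
        if rva + size > pe["size_of_image"]:
            findings.append("data directory %d (%s) at %#x+%#x lies outside SizeOfImage %#x"
                            % (idx, DIR_NAMES.get(idx, "?"), rva, size, pe["size_of_image"]))
    return findings


def repair(data):
    """Copy of the image with a normal code section and out-of-image directories zeroed."""
    pe, out = parse_pe(data), bytearray(data)
    sec = _entry_section(pe)
    if sec is not None:
        struct.pack_into("<I", out, sec["hdr_off"] + 36, NORMAL_TEXT_CHARS)   # Characteristics is the last field
    for idx, (rva, size) in pe["dirs"].items():
        if rva + size > pe["size_of_image"]:
            struct.pack_into("<II", out, pe["dd_off"] + idx * 8, 0, 0)
    return bytes(out)


if __name__ == "__main__":
    tricked = build_pe(text_chars=0xC0000020, dirs={6: (0x7F000, 0x1C)})
    for finding in audit(tricked):
        print("finding:", finding)
    print("after repair:", audit(repair(tricked)) or "clean")
```

Note what C0000020 actually is: MEM_WRITE | MEM_READ | CNT_CODE with the MEM_EXECUTE bit cleared, which is why a disassembler that only looks at executable sections finds nothing to show while the loader of the day still ran it. Zeroing a directory that points outside the image is safe for the Debug directory; for the Resource directory you would rather rebuild it, since the program may need it.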

+Malik
12-13-2003, 12:40 PM
I have to say the strangest anti-Olly trick I've ever seen was an application that scrambled the display of Olly, though it did this in such a way that it made an utter mess of the display. I think the author could have taken the way he affected the text buffers much further by actually reading through the debug data to find points that are critical to its protection and altering some values, and possibly code, to obscure itself. :shock:

Though it's easy to pick up if, like myself, you use not-too-popular straight disassemblers to take a first peek at a target for any anti-tool tricks. But it may serve as something that would add a few hours to a new reverser's session with his tools :P


Anyhoo, yet another rant :oops:


Good Health,
+Malik

Crudd
12-23-2003, 08:50 PM
Well, I had a crash and lost everything I had done on the project, so I gotta start over. Hopefully I'll have a new pre-release within the month. Keep those ideas and thoughts coming, guys :)
Crudd

Ben
12-26-2003, 09:25 PM
Anti-Olly Trick: SMC

OllyDbg literally dies when it meets SMC;
it will be totally fucked up, and I mean really fucked up ;)
If you click a line, it won't be focused; clicking another line will select 2 lines, etc. Hehe, very funny ;)

sna
12-27-2003, 02:28 PM
One thing you might want to try is to record a trace history. To do so, select Debug -> Open or clear run trace. Now the next time you find yourself in the middle of a block of self-modifying code, bring up the trace history to get a better overview (View -> Run trace). Another thing that might help is the command line's AT command; use it to disassemble code starting at an arbitrary address.

I don't see SMC as a very big threat to OllyDbg, since they're able to coexist quite nicely. The idea described by Malik is far more dangerous if implemented properly.

cheers, sna

kratorius
01-04-2004, 12:56 PM
You can also defeat Olly using calls without a ret. Olly gives an error message that can confuse the cracker the first time, if he steps over the call (pressing F8).
If you step into the call with F7 you won't get any problem.
Really easy to defeat, as tricks go, but useful if you want to make things a bit more difficult to understand.

andyistic
01-28-2004, 07:15 PM
I'll just mention this briefly since everyone already covered this.

I use a program which I wrote to launch the target app.
When I do this, the program gives me various information about the app,
including the PID (process ID) and window callback address.
I can also select which API breakpoints I want to set.
After launching the app, I attach to the app with Turbo Debugger (Win32).
The first thing I do with the debugger is to clear the IsDebuggerPresent flag.
After I tell the debugger to resume execution, I can break the app using the previously set breakpoints, as well as force a break with my launcher program.
Other than checking the timing involved in executing blocks of code,
there's no way the app can tell if it's being debugged.

The challenge of course, is to locate the serial/Cd-Key check code and keygen that part.

Darawk
08-25-2004, 03:39 PM
Another interesting trick, that I'm sure many of you have seen, is to call a few instructions into an API function.

You could do this, for example:

    push ebp
    mov  ebp, esp                 ; do the callee's 3-byte prologue yourself...
    call IsDebuggerPresent+3      ; ...and enter the function just past it

When you set a breakpoint on an API function, the debugger sets the breakpoint on the first byte of the function, so doing this will cause any normal API breakpoints not to be hit.