#8  04-25-2004, 11:17 AM
sna
Administrator
Join Date: Jun 2003
Posts: 76

Hi CoDe_InSiDe,

I'm glad you like it. I figured if nothing else it's a good reference to commonly encountered anti-debugging techniques.
You know... it is pretty funny to see how utterly worthless the integration between modules is.

IIRC ACProtect itself uses a technique similar to the one you suggested. I think I had that mentioned in the introductory part of my essay:

Quote:

Code:
__declspec(naked) ulong RDTSC_Randomise(void) {
    __asm {
        PUSH    EDX
        RDTSC                                   // EDX:EAX = time-stamp counter
        RCL     EAX, 2
        ADD     EAX, 12345678h                  // randomiser (this immediate is patched below)
        ADC     EAX, ESP
        XOR     EAX, ECX
        XOR     DWORD PTR SS:[EBP+40DED6], EAX  // patch self
        ADD     EAX, DWORD PTR SS:[ESP-8]
        RCL     EAX, 1
        POP     EDX                             // result is left in EAX
        RET                                     // naked function: explicit return
    }
}
Basically, what it does is to create a random value based on time. RDTSC is used to access a time-stamp counter (ReaD Time-Stamp Counter). The instruction is typically used with lax code profiling and is available beginning with the Pentium processor. The internal randomiser is patched so that the next time the code is executed it will be using another randomiser. The intention seems to be to create "more unique" values.
Quote:
... And as I previously also mentioned the anti-debugging modules are conditionally activated. The core of it is the RDTSC_Randomise function that we saw earlier. From inside these randomly activated modules it's a call to ShouldNotActivateModule:

Code:
__declspec(naked) bool ShouldNotActivateModule(void) {
    __asm {
        MOV     EAX, 0Ah                        // divisor: activate only if value % 10 == 0
        CALL    RandomiseWrapper
        RET                                     // naked function: explicit return
    }
}

ulong __fastcall RandomiseWrapper(ulong divisor) {
    __asm {
        PUSH    EDX
        PUSH    ECX
        MOV     EDX, 0                          // clear high half for DIV
        PUSH    EAX                             // save the divisor passed in EAX
        CALL    RDTSC_Randomise
        POP     ECX                             // ECX = divisor
        DIV     ECX
        XCHG    EAX, EDX                        // EAX = random value % 10
        POP     ECX
        POP     EDX
    }
}
The condition to activate a module is that the random value generated be evenly divisible by 10. Execution of the module is aborted if it is not. The modules are called a number of times in the hope that they will eventually activate themselves. When that happens the module patches a RETN instruction somewhere in the path that led up to it, to return immediately on subsequent calls and thereby "shutting itself down".

It should be noted that the RDTSC_Randomise function is also used for other things than module activation.
I would love to get a discussion going about the import table and anti-dumping trick.
Regards, sna
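The randomiser and the activation check discussed in this post, modelled in portable C as an added example (not ACProtect's code and not from the essay): the carry semantics of RCL/ADD/ADC are emulated, the self-patched immediate lives in a struct instead of in code bytes, and the values the routine silently mixes in (the TSC low word, ESP, ECX and the stale dword at [ESP-8]) are explicit, constructed inputs so the sequence of states can be traced.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
/* Constructed model, not ACProtect's code: the immediate of "ADD EAX, 12345678h"
 * that RDTSC_Randomise XORs into its own code bytes is kept in this struct. */
typedef struct { uint32_t randomiser; } rand_state;

/* x86 helpers: adc32 adds CF and sets CF on unsigned overflow (CF cleared first = ADD);
 * rcl32 rotates left through CF one bit at a time. */
static uint32_t adc32(uint32_t a, uint32_t b, unsigned *cf) {
    uint64_t r = (uint64_t)a + b + (*cf & 1u);
    *cf = (unsigned)(r >> 32);
    return (uint32_t)r;
}
static uint32_t rcl32(uint32_t v, unsigned n, unsigned *cf) {
    while (n--) { unsigned top = v >> 31; v = (v << 1) | (*cf & 1u); *cf = top; }
    return v;
}
/* RDTSC_Randomise with its hidden inputs made explicit: tsc_low is EAX after RDTSC,
 * esp/ecx are the caller's registers, below_sp is the stale dword read at [ESP-8]. */
uint32_t rdtsc_randomise(rand_state *st, uint32_t tsc_low, uint32_t esp,
                         uint32_t ecx, uint32_t below_sp) {
    unsigned cf = 0;                               /* CF on entry assumed clear */
    uint32_t eax = rcl32(tsc_low, 2, &cf);         /* RCL EAX, 2 */
    cf = 0; eax = adc32(eax, st->randomiser, &cf); /* ADD EAX, randomiser */
    eax = adc32(eax, esp, &cf);                    /* ADC EAX, ESP */
    eax ^= ecx;                                    /* XOR EAX, ECX */
    st->randomiser ^= eax;                         /* XOR [patch site], EAX: self-patch */
    cf = 0; eax = adc32(eax, below_sp, &cf);       /* ADD EAX, [ESP-8] */
    return rcl32(eax, 1, &cf);                     /* RCL EAX, 1 */
}
/* RandomiseWrapper: EDX is 0, so DIV ECX followed by XCHG leaves EAX = value % divisor. */
uint32_t randomise_wrapper(rand_state *st, uint32_t divisor, uint32_t tsc_low,
                           uint32_t esp, uint32_t ecx, uint32_t below_sp) {
    return rdtsc_randomise(st, tsc_low, esp, ecx, below_sp) % divisor;
}
/* ShouldNotActivateModule: divisor 0Ah; true means the module stays dormant this call. */
bool should_not_activate(rand_state *st, uint32_t tsc_low, uint32_t esp,
                         uint32_t ecx, uint32_t below_sp) {
    return randomise_wrapper(st, 10, tsc_low, esp, ecx, below_sp) != 0;
}
int main(void) {                                   /* trace a few constructed TSC values */
    rand_state st = { 0x12345678u };
    uint32_t samples[] = { 0x80000001u, 0u, 0x0000ABCDu, 0x7FFFFFFFu };
    for (int i = 0; i < 4; i++) {
        bool dormant = should_not_activate(&st, samples[i], 0, 0, 0);
        printf("tsc=%08x activate=%d randomiser=%08x\n", (unsigned)samples[i],
               !dormant, (unsigned)st.randomiser);
    }
    return 0;
}
```

Note that with all other inputs held at zero the patched randomiser collapses quickly (it becomes 0 after two calls), which is why the real routine leans on ESP, ECX and stack garbage for variety.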