#1
Anyone know any programs or protections that disable our tools? I know there are plenty for SI and I may deal with these later. But for now, I'm worried about the lesser tools. Anti-(reg/file)mon, anti-olly, anti-smartcheck. Anyone know of others? And how they are carried out or programs that use them?

Crudd [RET]
__________________
Just another freak, in the freak kingdom.
#2
I have tried to search on google for something, first of all "+anti +ollydbg".

Try this page http://rohanpall.com/ollydbg/index.php? and then search for anti. As I understand ollydbg, it looks at the PE structure hard as hell, and by changing something in there, like UPX tricks, it will work good. It will have some huge problems. I guess that you know about this page, but I'm only taking up this one also: http://daemon.anticrack.de/ anticrack.de and check out "Misc. Softwareprotection" "RCE Anti (whatever)r". http://esca.atomki.hu/paradise/sac/utilprog.html http://www.techfest.org/Final.pdf <-- Anti ProcDump http://www.krobar.cjb.net/ <-- Other tutorials, and you might find something in there.

Right now I think that I have done one very small search. Hopefully it might help. I have searched on "anti ollydbg" and "anticrack" on google.
#3
Our beloved, nay sacred Windasm32.

Try loading up 3D Studio Max release 4 into our baby. Poof. Poof. and more Poof! I've heard of anti-SoftICE tricks, but anti-windasm? That's not cricket old boy ;-) Now........... just what they tryin' to hide?
#4
Without taking a look at the target I can't say for sure if it's actually a wdasm specific technique, but there are general anti-debugger techniques. Wdasm disassembles binaries in such a way that you can put something like:

```
    jmp _around
    [invalid code]
_around:
    [valid code]
```

....and wdasm won't know what to do with the invalid code, so it either locks or hangs or poofs on you. Maybe someone else can give a more technical answer.

cheers, will
#5
For windasm I also know a simple trick: you just have to set the characteristics of the code section to C0000020 (or C0000040) and wdasm will load nothing! This trick also prevents Symbol Loader from popping on the entry point of the program (when you load an application with Symbol Loader and press run it will cause a SoftICE popup on the entry point, at least on win9x; on 2k/xp there is a bug and Symbol Loader never pops on the entry point).

A friend of mine also told me about a program which can cause IDA to crash if disassembled!! Well, I didn't see this program, but I don't really believe it! Do you know something about it? Anti-IDA?? Bye all!!

AndreaGeddon
#6
When it comes to w32dasm, the only really interesting trick I know of has to do with the .rsrc section in executables. I can't recall much of the trick, but I remember reading something, possibly on tsehp's mirror.

Anyway, the trick is to mess around with the resource directory, if memory serves me right. If w32dasm doesn't find this part the way it wants to, it'll exit. The trick of setting PE characteristics is not much use - it's easy to change, and has been done a lot. And as far as I know, w32dasm happily disassembles jumps past junk code. You would have to find an actual flaw in the disassembly lookup of w32dasm for it to break. To my knowledge, there are no such. Of course, any dead listing breaks on SMC, but that's old news.

Other tools: typical tricks against file/regmon include searching for the window class or name. One can search for the vxd files too, if memory serves me right.

Fake
#7
Looked around a bit, and found this thread at the FraviaMB. Has some ok info on w32dasm.

http://woodmann.com/upload/showthread.php?...ghlight=w32dasm
#8
As for crashing IDA...

I've been able to crash recent versions (including 4.51 retail) with bogus files as input, although I've never seen IDA crash due to a real PE file. In other words, I don't think anyone has found any code to put into an executable that will crash IDA.
#9
Hi,

Concerning filemon and regmon (also superbpm...), the easiest way to find them is using the meltice trick. But there is another method that could be used - filemon and regmon seem to store some settings in the registry, in keys with quite telltale names. Some app could try to find them this way. And on ^DAEMON^'s forum a trick to fool olly is mentioned - as far as I can remember, the app started itself again as a new process and the old one was terminated, or something like that. Anyway, good idea Crudd - it is good to know that someone takes care also of the other tools, not only of sice.
#10
For ollydbg or other tools like SymbolLoader, I know the fs:[20h] trick that is used to know if an application is executed by another program. The fs:[20h], if I remember correctly, is used to check if the field DEBUG_CONTEXT in the TIB is null.

Code:

```
    mov   eax, dword ptr fs:[20h]
    or    eax, eax
    jz    No_Debugger_Found
```

Code:

```
    mov   eax, fs:[30h]             ; pointer to PEB
    movzx eax, byte ptr [eax+2h]    ; PEB.BeingDebugged
    or    al, al
    jz    No_Debugger_Found
```

:wink: Have a nice day
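For anyone looking at this from the analysis side, here is an added example (not from the thread) that scans a code buffer for the two 32-bit instruction sequences quoted in the post above, using their raw byte encodings as signatures. The sample buffer and the pattern names are constructed for the example; it also accepts the equivalent `test` encodings, which the post does not mention, since those are the obvious variants of the same check.

```python
import re

# Byte encodings (32-bit x86) of the sequences quoted in the post:
#   64 A1 imm32      mov   eax, fs:[imm32]
#   0F B6 40 02      movzx eax, byte ptr [eax+2]   ; PEB.BeingDebugged
#   0A C0 / 08 C0    or al, al      0B C0 / 09 C0  or eax, eax
#   84 C0 / 85 C0    test al, al    / test eax, eax (added variants)
#   74 xx            jz rel8
PATTERNS = {
    "peb_beingdebugged": re.compile(
        rb"\x64\xA1\x30\x00\x00\x00"            # mov eax, fs:[30h]
        rb"\x0F\xB6\x40\x02"                    # movzx eax, byte ptr [eax+2]
        rb"(?:\x0A\xC0|\x08\xC0|\x84\xC0)"      # or al,al  / test al,al
        rb"\x74.",                              # jz rel8
        re.DOTALL,
    ),
    "tib_20h_check": re.compile(
        rb"\x64\xA1\x20\x00\x00\x00"            # mov eax, fs:[20h]
        rb"(?:\x0B\xC0|\x09\xC0|\x85\xC0)"      # or eax,eax / test eax,eax
        rb"\x74.",                              # jz rel8
        re.DOTALL,
    ),
}


def scan(code: bytes) -> list[tuple[str, int]]:
    """Return (pattern_name, byte_offset) for every signature hit, in offset order."""
    hits = [(name, m.start())
            for name, pat in PATTERNS.items()
            for m in pat.finditer(code)]
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: 4 NOPs, the PEB check, an unrelated xor/ret, the fs:[20h] check.
SAMPLE = (
    b"\x90" * 4
    + b"\x64\xA1\x30\x00\x00\x00\x0F\xB6\x40\x02\x0A\xC0\x74\x05"
    + b"\x33\xC0\xC3"
    + b"\x64\xA1\x20\x00\x00\x00\x0B\xC0\x74\x10"
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{name} at offset 0x{off:02x}")
```

This is a literal signature for the exact operand forms posted, so a compiler or protector that uses another register or moves the flag through memory would not trigger it; a disassembler-based check on the `fs:` segment override is the more robust approach.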