Reverse Engineering RET Homepage RET Members Reverse Engineering Projects Reverse Engineering Papers Reversing Challenges Reverser Tools RET Re-Search Engine Reverse Engineering Forum Reverse Engineering Links

Go Back   Reverse Engineering Team Board > Reverse Engineering Board > Reverse Code Engineering
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
Thread Tools Display Modes
  #11  
Old 08-25-2003, 08:48 AM
sna sna is offline
Administrator
 
Join Date: Jun 2003
Posts: 76
Default well actually...

there is alot of confusion regarding these scarcely documented structures (TIB/TEB/PEB/PDB). partially thanks to the fact that they dont look the same under different windows versions.

in each Thread Environment Block there will be a pointer to the Process DataBase. see the Wine mailing lists for further discussions and information about the PDB. both the TEB and PDB vary slightly between win9x and winNT so you better know which system your code is executing under before you try to access either of these structure's members.

as for NT-based systems this code should work nicely:

Code:
mov * edx, fs:[18h] * * * *; linear address of TEB

mov * eax, [edx+30h] * * * ; pointer to PDB

movzx eax, byte ptr [eax+2]

test *eax, eax

jnz *__debugged
running on win9x, you would need to execute this instead:

Code:
PDB32_DEBUGGED * * equ 0001



mov * edx, fs:[18h] * * * *; linear address of TEB

mov * eax, [edx+34h] * * * ; pointer to PDB

mov * eax, [eax+20h] * * ; 32-bit flags

test *eax, PDB32_DEBUGGED

jnz * __debugged
cheers, sna
Reply With Quote
  #12  
Old 08-25-2003, 08:06 PM
AndreaGeddon AndreaGeddon is offline
Administrator
 
Join Date: Dec 2002
Location: Italy
Posts: 42
Default

about TEB TIB PEB PDB etc
if you need docs just download kdex2x86.dll, !load it into ntsd and then use the command !strct to have mapping af a lot of internal structures
Bye
AndreaGeddon
Reply With Quote
  #13  
Old 12-06-2003, 12:32 PM
doug doug is offline
Junior Member
 
Join Date: Dec 2003
Posts: 1
Default

lame anti-IDA trick (v 4.30)

put junk in the PE header for the "Debug" field. Something that's outside the image.. IDA will crash on this.

I believe that was fixed in later versions.

This trick is used in some protectors, like x-protector.
Reply With Quote
  #14  
Old 12-13-2003, 12:40 PM
+Malik +Malik is offline
Member
 
Join Date: Dec 2003
Posts: 5
Default Killing our tools, well in this case Obscure!

I have to say the strangest Anti olly trick ive ever seen was an application that scrambled the display of Olly, though it done this in such a way it made an uttermess of the display. i think the author could have taken the way he effected the text buffers much further by actualy reading threw the Debug data to find point that are critical to its protection and alter some values, and possibly code to Obscure its self. :shock:

Though Easy to pick up if your like myself and use not to popular straight dissasemblers to take a first peak at a target for any Anti-tool tricks. But it may serve as something that would add a few hours to an new Reversers session with his tools :P


Anyhoo yet another rant ops:


Good Health,
+Malik
__________________
// Fravia = 5 digit IQ? or Drunken Master? //
Reply With Quote
  #15  
Old 12-23-2003, 08:50 PM
Crudd Crudd is offline
Administrator
 
Join Date: Dec 2002
Posts: 22
Default

Well, i had a crash and lost everything i had done on the project, so i gotta start over. Hopefully ill have a new pre-rel within the month. Keep those ideas and thoughts coming guys
Crudd
__________________
Just another freak, in the freak kingdom.
Reply With Quote
  #16  
Old 12-26-2003, 09:25 PM
Ben Ben is offline
Member
 
Join Date: Jun 2003
Posts: 22
Default

Anti-Olly Trick: SMC

Ollydbg litterally Dies when it meets SMC,
it will totally be fucked up, and i mean really fucked up
if u click a line, it won't be focused, clicking other line will select 2 lines..etc hehe very funny
__________________
- Ben -
Reply With Quote
  #17  
Old 12-27-2003, 02:28 PM
sna sna is offline
Administrator
 
Join Date: Jun 2003
Posts: 76
Default ollydbg and self modifying code

one thing you might want to try is to record a trace history. to do so, select debug->open or clear run trace. now the next time you find yourself in the middle of a block of self modifying code, bring up the trace history to get a better overview (view->run trace). another thing that might help is the command line's AT command; use it to disassemble code starting at an arbitrary address.

i don't see SMC as a very big threat to ollydbg since they're able to coexist quite nicely. the idea described by Malik is far more dangerous if implemented properly.

cheers, sna
Reply With Quote
  #18  
Old 01-04-2004, 12:56 PM
kratorius kratorius is offline
Junior Member
 
Join Date: Sep 2003
Location: Italy
Posts: 1
Default

You can defeat olly also using calls without ret. Olly gives an error message that can confuse the cracker the first time if he steps the call over (pressing F8 ).
If you step the call with F7 you won't get any problem.
Really easy to defeat, as trick, but useful if you want to make the things a bit more difficult to understand.
Reply With Quote
  #19  
Old 01-28-2004, 07:15 PM
andyistic andyistic is offline
Member
 
Join Date: Jan 2004
Location: Los Angeles
Posts: 7
Send a message via ICQ to andyistic Send a message via AIM to andyistic Send a message via MSN to andyistic Send a message via Yahoo to andyistic
Default

I'll just mention this briefly since everyone already covered this.

I use a program which I wrote to launch the target app.
When I do this, the program gives me various information about the app,
including the PID (Process ID) and Window Callback address.
I can also select which API breakpoints I want to set.
After launching the app, I attach to the app with Turbo Debugger (Win32).
The first thing I do with the debugger is to clear the IsDebuggerPresent flag.
After I tell them debugger to resume execution, I can break the app using the previously set breakpoints, as well as force a break with my launcher program.
Other than checking the timing involved in executing blocks of code,
there's no way the app can tell if it's being debugged.

The challenge of course, is to locate the serial/Cd-Key check code and keygen that part.
Reply With Quote
  #20  
Old 08-25-2004, 03:39 PM
Darawk Darawk is offline
Junior Member
 
Join Date: Aug 2004
Posts: 4
Default

Another interesting trick, that i'm sure many of you have seen, is to call a few instructions into an API function.

You could do this for example:

push ebp
mov esp,ebp
call IsDebuggerPresent+3

When you set a breakpoint on an API function, the debugger sets a breakpoint on the first byte of a function, so doing this, will cause any normal API breakpoints not to get executed.
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump





Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.