  #1  
Old 02-10-2003, 04:01 AM
Crudd
Administrator
 
Join Date: Dec 2002
Posts: 22
Killing our tools.

Anyone know any programs or protections that disable our tools? I know there are plenty for SI and I may deal with these later. But for now, I'm worried about the lesser tools: anti-(reg/file)mon, anti-olly, anti-smartcheck. Anyone know of others? And how they are carried out, or programs that use them?
Crudd [RET]
__________________
Just another freak, in the freak kingdom.
  #2  
Old 02-10-2003, 06:43 PM
Acid_Cool_178
Member
 
Join Date: Dec 2002
Location: Planet Earth
Posts: 35
Some Anti Stuff

I have tried to search on Google for something, first of all "+anti +ollydbg".
Try this page
http://rohanpall.com/ollydbg/index.php? and then search for anti. As I understand OllyDbg, it looks at the PE structure hard as hell, and by changing something in there, like UPX tricks, then it will work good. It will have some huge problems.

I guess that you know about this page, but I'm only taking up this one also. http://daemon.anticrack.de/

anticrack.de and check out "Misc. Softwareprotection" "RCE Anti (whatever)r"
http://esca.atomki.hu/paradise/sac/utilprog.html
http://www.techfest.org/Final.pdf
http://www.techfest.org/Final.pdf <-- Anti ProcDump
http://www.krobar.cjb.net/ <-- Other tutorials, and you might find something in there.

Right now I think that I have done one very small search. Hopefully it might help. I have searched on "anti ollydbg" and "anticrack" on Google.
  #3  
Old 03-20-2003, 08:16 AM
illbrain
Junior Member
 
Join Date: Mar 2003
Posts: 3
Oh boy, oh yes..

Our beloved, nay sacred Windasm32.

Try loading up 3D Studio Max release 4 into our baby.

Poof.
Poof.
and more Poof!

I've heard of anti-SoftICE tricks, but anti-wdasm?
that's not cricket old boy ;-)

Now........... just what they tryin' to hide?
  #4  
Old 03-20-2003, 01:02 PM
Will
Member
 
Join Date: Mar 2003
Posts: 10

Without taking a look at the target I can't say for sure if it's actually a wdasm specific technique, but there are general anti-debugger techniques. Wdasm disassembles binaries in such a way that you can put something like:

jmp _around
[invalid code]
_around:
[valid code]

...and wdasm won't know what to do with the invalid code, so it either locks or hangs or poofs on you. Maybe someone else can give a more technical answer.

cheers,
will
  #5  
Old 03-21-2003, 06:00 AM
AndreaGeddon
Administrator
 
Join Date: Dec 2002
Location: Italy
Posts: 42

For wdasm I also know a simple trick: you just have to set the characteristics of the code section to C0000020 (or C0000040) and wdasm will load nothing! This trick also prevents Symbol Loader from popping on the entry point of the program (when you load an application with Symbol Loader and press run, it will cause SoftICE to pop up on the entry point, at least on Win9x; on 2k/XP there is a bug and Symbol Loader never pops on the entry point).
A friend of mine also told me about a program which can cause IDA to crash if disassembled!! Well, I didn't see this program, but I don't really believe it! Do you know something about it? Anti-IDA??
Bye all!!
AndreaGeddon
  #6  
Old 06-04-2003, 12:51 PM
Fake51
Member
 
Join Date: Jun 2003
Posts: 6

When it comes to w32dasm, the only really interesting trick I know of has to do with the .rsrc section in executables. I can't recall much of the trick, but I remember reading something, possibly on tsehp's mirror.

Anyway, the trick is to mess around with the resource directory, if memory serves me right. If w32dasm doesn't find this part the way it wants to, it'll exit.

The trick of setting PE characteristics is not much use: it's easy to change, and has been done a lot. And as far as I know, w32dasm happily disassembles jumps past junk code. You would have to find an actual flaw in the disassembly lookup of w32dasm for it to break. To my knowledge, there are no such.

Of course, any dead listing breaks on SMC, but that's old news.

Other tools: typical tricks against FileMon/RegMon include searching for the window class or name. One can search for the VxD files too, if memory serves me right.

Fake
  #7  
Old 06-07-2003, 09:33 AM
Fake51
Member
 
Join Date: Jun 2003
Posts: 6

Looked around a bit, and found this thread at the FraviaMB. Has some OK info on w32dasm.

http://woodmann.com/upload/showthread.php?...ghlight=w32dasm
  #8  
Old 08-03-2003, 10:43 PM
disavowed
Member
 
Join Date: Dec 2002
Posts: 7

As for crashing IDA...
I've been able to crash recent versions (including 4.51 retail) with bogus files as input, although I've never seen IDA crash due to a real PE file. In other words, I don't think anyone has found any code to put into an executable that will crash IDA.
  #9  
Old 08-22-2003, 11:56 AM
least
Junior Member
 
Join Date: Jan 2003
Posts: 1

Hi,
Concerning FileMon and RegMon (also SuperBPM...), the easiest way to find them is using the MeltICE trick. But there is another method that could be used: FileMon and RegMon seem to store some settings in the registry, in keys with quite tell-tale names. Some app could try to find them this way.
And on ^DAEMON^'s forum a trick to fool Olly is mentioned; as far as I can remember, the app started itself again as a new process and the old one was terminated, or something like that.
Anyway, good idea Crudd. It is good to know that someone takes care also of the other tools, not only of SICE.
  #10  
Old 08-24-2003, 01:26 PM
Evilcry
Member
 
Join Date: Aug 2003
Location: Italy
Posts: 23

For OllyDbg or other tools like Symbol Loader, I know the fs:[20h] trick,
which is used to know if an application is executed by another program. The fs:[20h], if I remember correctly, is used to check if the field DEBUG_CONTEXT
in the TIB is null.

Code:
    mov  eax, dword ptr fs:[20h]   ; read the TIB field at fs:[20h]
    or   eax, eax                  ; sets ZF if the field is null
    jz   No_Debugger_Found         ; null means no debugger, per the post
Another trick that I know is the fs:[30h] trick, used to find the pointer to the PEB structure at offset 0x30 in the TEB.

Code:
    mov   eax, fs:[30h]            ; pointer to PEB
    movzx eax, byte ptr [eax+2h]   ; PEB.BeingDebugged byte
    or    al, al                   ; sets ZF if the byte is zero
    jz    No_Debugger_Found        ; zero means not being debugged
Other implementations of these two tricks can be found on daemon's site ;)


Have a nice day
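An analyst's triage of the two things this thread shows, the C0000020/C0000040 section-characteristics trick from AndreaGeddon's post and the fs:[20h]/fs:[30h] reads from Evilcry's post, as an added Python example (not code from the thread): it parses PE section headers with struct alone, flags an entry-point section missing IMAGE_SCN_CNT_CODE or IMAGE_SCN_MEM_EXECUTE (C0000020 drops EXECUTE, C0000040 drops both), and scans that section for the fs: read opcode patterns. build_sample_pe and the opcode bytes are constructed for the demonstration; it assumes a PE32 file with the standard header layout.

```python
import struct

IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000  # PE/COFF section flags
# Encodings of the two fs: reads shown in Evilcry's post (constructed byte patterns):
FS_READ_PATTERNS = {"mov eax,fs:[30h]": bytes.fromhex("64A130000000"),   # PEB pointer; PEB+2 = BeingDebugged
                    "mov eax,fs:[20h]": bytes.fromhex("64A120000000")}

def parse_sections(pe):
    """Return (entry_rva, [(name, va, vsize, raw_ptr, raw_size, characteristics), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt = coff + 20
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rptr, rsize, chars))
        off += 40
    return entry_rva, sections

def triage(pe):
    """Flag an entry-point section with CODE/EXECUTE stripped (the C0000020 trick) and fs: reads in it."""
    findings = []
    entry_rva, sections = parse_sections(pe)
    for name, va, vsize, rptr, rsize, chars in sections:
        if not va <= entry_rva < va + max(vsize, rsize):
            continue  # only the section that owns the entry point is checked
        if not (chars & IMAGE_SCN_CNT_CODE and chars & IMAGE_SCN_MEM_EXECUTE):
            findings.append(f"entry section {name} characteristics {chars:08X}: CODE/EXECUTE flags missing")
        body = pe[rptr:rptr + rsize]
        for label, pat in FS_READ_PATTERNS.items():
            if pat in body:
                findings.append(f"{label} at {name}+{body.index(pat):#x}")
    return findings

def build_sample_pe(characteristics, code):
    """Construct a minimal PE32 image (headers plus one .text section) for testing only; not loadable."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)         # 1 section, 0xE0-byte opt header
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, len(code), 0, 0, 0x1000, 0x1000).ljust(0xE0, b"\0")
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, len(code), 0x200, 0, 0, 0, 0, characteristics)
    return (dos + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0") + code
```

Running triage over build_sample_pe(0xC0000020, bytes.fromhex("64A1300000000FB6400208C07400")) reports both the stripped section flags and the fs:[30h] read; a normal 0x60000020 .text section with plain code yields no findings.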