Let’s play with Forsaken World.
Some lyrics before we start. When the FW became available I and other people noticed that this client is different than Perfect World. What exactly? Improved protection and tricky anti-debug technique: hooked API, encrypted files etc. OllyDbg will crash or client goes into infinity loop… Sweet.
This is a draft, smattering explanation with some notes regarding FW protection and anti-debug techniques.
Ok. At the beginning we should check our “minefield” with pogo stick…
1. We start Ollydbg and run FW client. FW freezes
2. We start client, run olly and attach debugger to the client… my olly 2 crashed with lots of exceptions; olly 1.10 with Strong plugin stopped here
0D650000 /EB 10 jmp short 0D650012
0D650002 |6A 00 push 0x0
0D650004 |6A FE push -0x2
0D650006 |FF15 0E00650D call dword ptr [0xD65000E] ; ntdll.RtlExitUserThread
0D65000C ^|EB F4 jmp short 0D650002
0D65000E |9B wait
0D65000F |14 96 adc al, 0x96
0D650011 |7C 68 jl short 0D65007B
0D650013 2000 and byte ptr [eax], al
0D650015 65:0D 33C064FF or eax, 0xFF64C033
0D65001B 306489 20 xor byte ptr [ecx+ecx*4+0x20], ah
0D65001F CC int3
=> 0D650020 90 nop
0D650021 ^ EB DF jmp short 0D650002
3. Now we will load game.exe under clean ollydbg and execute it… and will receive message box with some, as I think, good words about our try. Reload game.exe
00DC4325 /> \C645 C8 01 MOV BYTE PTR SS:[EBP-38],1
00DC4329 |. C745 FC 00000000 MOV DWORD PTR SS:[EBP-4],0
=> 00DC4330 |. CD 2D INT 2D
00DC4332 |. 33C0 XOR EAX,EAX
00DC4334 |. 83C0 02 ADD EAX,2
00DC4337 |. C745 FC FFFFFFFF MOV DWORD PTR SS:[EBP-4],-1
00DC433E \. EB 14 JMP SHORT 00DC4354
00DC4340 /. B8 01000000 MOV EAX,1
00DC4345 \. C3 RETN
00DC4346 /. 8B65 E8 MOV ESP,DWORD PTR SS:[EBP-18]
00DC4349 |. C645 C8 00 MOV BYTE PTR SS:[EBP-38],0
00DC434D |. C745 FC FFFFFFFF MOV DWORD PTR SS:[EBP-4],-1
00DC4354 |> 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
00DC4357 |. 25 FF000000 AND EAX,000000FF
00DC435C |. 85C0 TEST EAX,EAX
00DC435E |. 74 03 JE SHORT 00DC4363
00DC4360 |. 58 POP EAX
00DC4361 |. 5A POP EDX
00DC4362 |. 5E POP ESI
00DC4363 |> 833D 10CD0901 00 CMP DWORD PTR DS:[109CD10],0
00DC436A |. 75 3F JNE SHORT 00DC43AB
=> 00DC436C |. FF15 00D0FC00 CALL DWORD PTR DS:[<&KERNEL32.IsDebuggerPresent>] ; [KERNEL32.IsDebuggerPresent
00DC4372 |. 85C0 TEST EAX,EAX
00DC4374 |. 75 1C JNE SHORT 00DC4392
00DC4376 |. E8 D52D0000 CALL 00DC7150
00DC437B |. 25 FF000000 AND EAX,000000FF
00DC4380 |. 85C0 TEST EAX,EAX
00DC4382 |. 75 0E JNE SHORT 00DC4392
00DC4384 |. E8 472E0000 CALL 00DC71D0
00DC4389 |. 25 FF000000 AND EAX,000000FF
00DC438E |. 85C0 TEST EAX,EAX
00DC4390 |. 74 19 JE SHORT 00DC43AB
00DC4392 |> 6A 00 PUSH 0
00DC4394 |. 68 2C610C01 PUSH 010C612C
00DC4399 |. 68 08610C01 PUSH 010C6108
00DC439E |. 6A 00 PUSH 0
our message box => 00DC43A0 |. FF15 48D1FC00 CALL DWORD PTR DS:[<&USER32.MessageBoxA>] 00DC43A6 |. E9 B82C0000 JMP 00DC7063
You can bypass IsDebuggerPresent and INT 2D;
Some words about INT 2D: this instruction can be used as a general purpose debugger detection method, because when executing the instruction, if no debugger is present, an exception will occur. However, if a debugger is present, no exception will occur, and things get interesting based on the debugger you are using. OllyDbg will actually skip a byte in its disassembly and will cause the analysis to go wrong.
you can nop some JNE and make JMP on 00DC4390
00DC4372 |. 85C0 TEST EAX,EAX
00DC4374 90 NOP
00DC4375 90 NOP
00DC4376 |. E8 D52D0000 CALL 00DC7150
00DC437B |. 25 FF000000 AND EAX,000000FF
00DC4380 |. 85C0 TEST EAX,EAX
00DC4382 90 NOP
00DC4383 90 NOP
00DC4384 |. E8 472E0000 CALL 00DC71D0
00DC4389 |. 25 FF000000 AND EAX,000000FF
00DC438E |. 85C0 TEST EAX,EAX
00DC4390 EB 19 JMP SHORT 00DC43AB
Actually, this isn’t interesting or usefulWhen we run game.exe, it recreates itself as a child process and Finita la comedia. If we trace execution routine, after long-long decryption cycles and memory copying parts, we will get
00DC6E04 E8 57C4FFFF call 00DC3260
00DC6E09 83C4 04 add esp, 0x4
00DC6E0C 8B15 04EC0F01 mov edx, dword ptr [0x10FEC04]
00DC6E12 52 push edx
00DC6E13 A1 B00B0901 mov eax, dword ptr [0x1090BB0]
00DC6E18 05 BC3B0000 add eax, 0x3BBC
=> 00DC6E1D FFD0 call eax ; proccess already created
00DC6E1F 8D4D 84 lea ecx, dword ptr [ebp-0x7C]
00DC6E22 51 push ecx
00DC6E23 6A 00 push 0x0
00DC6E25 8B15 14E00801 mov edx, dword ptr [0x108E014]
00DC6E2B 52 push edx
00DC6E2C 68 103FDD00 push 00DD3F10
At this moment child game.exe process is already created and suspended. And now what? Nothing, it was a long prelude…
How to bypass anti-debugger (anti-attach) protection and how does it works when debugger attaching to the debugee? Anytime a debugger is attaching itself to an aim process (debugee), system creates a new thread, which starts at DbgUiRemoteBreakin (ntdll!DbgUiRemoteBreakin) function in debugee's process space.
When the process is about to be debugged, ntdll!DbgUiDebugActiveProcess calls ntdll!DbgUiIssueRemoteBreakin and this one creates a thread that starts at ntdll!DbgUiRemoteBreakin. The new thread is created via a call to ntdll!RtlCreateUserThread. When started, ntdll!DbgUiRemoteBreakin calls ntdll!DbgBreakPoint which is actually just a pair of 2 instructions: int3 and ret.
So, if application hooks the entry point of the function, it can control the flow of the code being executed…
Let’s approve our statement about hooked DbgUiRemoteBreakin by Forsaken World client.
7C94FFE3 > C2 0C00 retn 0xC
7C94FFE6 F8 clc
7C94FFE7 0095 7CE8BCE8 add byte ptr [ebp-0x17431784], dl
7C94FFED FB sti
7C94FFEE FF64A1 18 jmp dword ptr [ecx+0x18]
7C94FFF2 0000 add byte ptr [eax], al
7C94FFF4 008B 40308078 add byte ptr [ebx+0x78803040], cl
7C94FFFA 0200 add al, byte ptr [eax]
7C94FFFC 75 09 jnz short 7C950007
7C94FFFE F605 D402FE7F 0>test byte ptr [0x7FFE02D4], 0x2
7C950005 74 20 je short 7C950027
7C950007 8365 FC 00 and dword ptr [ebp-0x4], 0x0
7C95000B E8 FE11FBFF call DbgBreakPoint
7C950010 EB 11 jmp short 7C950023
Yeah, instead
7C94FFE3 > 6A 08 push 0x8
7C94FFE5 68 3000957C push 7C950030
7C94FFEA E8 BCE8FBFF call 7C90E8AB
we have retn 0xC. Restoring DbgUiRemoteBreakin will give you opportunity to attach debuggers... but this is only one small part of FW protection
How to open FW client under debugger with hooked DbgUiRemoteBreakin…
Let’s debug the debugger… soon (maybe)
Note: If I forgot something, or if someone wants something to add, you are welcome
Note: Any materials only for educational purpose
by Dwar
Results 1 to 10 of 16
-
2011-04-09, 01:16 PM #1VeteranDwar
- Join Date
- 2010 Mar
- Posts
- 2,222
- Thanks
- 211
- Thanks
- 2,230
- Thanked in
- 292 Posts
- Rep Power
- 10
Forsaken World client analyzing, debugging, protection
Please, post your questions on forum, not by PM or mail
I spend my time, so please pay a little bit of your time to keep world in equilibrium
-
-
2011-04-09, 09:48 PM #2New membercoolninja
- Join Date
- 2011 Apr
- Posts
- 10
- Thanks
- 1
- Thanks
- 2
- Thanked in
- 1 Post
- Rep Power
- 0
//My comment below does not help with this thread.
This guide, or shall I say diary, is really organized.
To me, the verbal readability is 95%+, but the theory understandability is 10%.
There is only 2 things I "see" from this thread:
1. cracking new anti-debug/hack techniques is way much interesting than the game itself.
2. summarizing processes/observed properties gives benefits for future revise.
-
2011-04-17, 09:20 AM #3New memberfyyre
- Join Date
- 2011 Apr
- Location
- 0xfe
- Posts
- 21
- Thanks
- 7
- Thanks
- 2
- Thanked in
- 2 Posts
- Rep Power
- 0
Hi,
Good to see someone else is also working on this.
Whatever packer that FW is using, is unknown to me... so far my attempts to unpack it result in a restored IAT and game.exe which does not run... (good for static analysis via IDA, but not much else..) currently I am uncertain as what else I am missing.
With that said, I also encountered the above problems -- since my system is Windows 7 X64, StrongOD is not an option.
Given this I program a simple launcher. It starts game.exe, the flag makes it not a part of a Job (not sure what reason for making both process a Job is... since runs fine without this, who cares =)
After this, we have decrypted game.exe running by himself...Code:CreateProcessA( NULL, "game.exe game:wf", NULL, NULL, FALSE, CREATE_BREAKAWAY_FROM_JOB, NULL, NULL, &si, &pi ); ...etc ParentProcessId = FindParentProcessId( pi.dwProcessId ); if ( ParentProcessId != GetProcessId( NtCurrentProcess() ) ) return 0; ...etc
Inside of launcher, also I added some code to replace the patched DbgUiRemoteBreakin function with original bytes... after this, OllyDbg attachs without any problem. Note, ExitProcess and LoadLibraryA, also are hooked.
Some of threads may be suspended, and require you resume them via Olly to get FW running as normal.
I notice that (occurs for me, at least..) setting software breakpoint causes Ollydbg to silently exit... so I am only able to set hardware breakpoints.
-Fyyre
-
2011-04-17, 01:10 PM #4VeteranDwar
- Join Date
- 2010 Mar
- Posts
- 2,222
- Thanks
- 211
- Thanks
- 2,230
- Thanked in
- 292 Posts
- Rep Power
- 10
Hi, Fyyre
A FW packer looks like an Armadillo mod, but I’m not sure (I’m not a “fan” of Arma). Anyway FW protection uses similar to Arma techniques like parent and child threads, int2, int3 etc. Maybe some kind of private Arma versions.
Hm, making a launcher and patcher is a good idea for me, ‘coz at this moment for debugging I need to proceed following steps:
- Suspend FW threads,
- open olly
- debug first olly by another olly
- Attach debugee olly to FW
- Catch DbgUiRemoteBreakin by second olly
- Patch FW
- Work with FW under Olly
I like FW client, because it's really interesting to analyze game client with unique protection methods. But lack of free time always a bad thing for any progressPlease, post your questions on forum, not by PM or mail
I spend my time, so please pay a little bit of your time to keep world in equilibrium
-
2011-04-18, 06:01 AM #5New memberexplosionsinthe
- Join Date
- 2011 Apr
- Posts
- 16
- Thanks
- 1
- Thanks
- 1
- Thanked in
- 1 Post
- Rep Power
- 0
So even the legendary fyyre is here
Dwar could you explain to me the logic behind suspending threads ? What are you preventing that way ?
-
2011-04-18, 06:56 AM #6New memberfyyre
- Join Date
- 2011 Apr
- Location
- 0xfe
- Posts
- 21
- Thanks
- 7
- Thanks
- 2
- Thanked in
- 2 Posts
- Rep Power
- 0
Hi Dwar,
When I first see how the packer is acting, I too thought perhaps he is some type of custom Armadillo (also I dislike... as I admit to not knowing how to unpack this one by hand, and never cared enough to teach self how, hehe)
Yet... during the close beta, before they add more encryption of strings inside of game.exe, I noticed this:
CheckSum_ThreadFunc <<--google search for this term, will lead you to Chinese blog that has the function code...Code:"Probably IMAGE_REL_BASED_MIPS_JMPADDR, Unsupported pe file,Mail it to Linzhe*** at 163 dot com" <<-- amazingly silly error. "Probably IMAGE_REL_BASED_SECTION(Reserved for future use 6), Unsupported pe file,Mail it to Linzhe*** at 163 dot com" SWBP is found by CheckSum_ThreadFunc
After reading your original post, I debug game.exe starting him from OllyDbg... and also find some packer type strings (long list of asm mnemonics) and some unusual strings...
nothing of much yield good result via google, except for this: '[eip+ilen' <<-- which I found this string in 'demo' function for a Detours like api "mhook" -- ( google for term 'Mhook - CodeFromThe70s dot org' to find this).
So perhaps, this Linzhe*** at 163 dot com is the author of file packer, I never email him and try to find out... yet considering that PWI is a Chinese company, this would make some sense (I suppose).
Anyway, not much of technical information I am writing today... but sharing of some notes made while poking around FW client -- and I do agree the custom protection is quite interesting... also it is refreshing seeing an asian mmo which does not use trivial anticheat (i.e GameGuard, HackShield) .. as for debugging is always more fun than actual game play =)
Legendary? =) *blush* -- yes, usually I am where one may find others working on similar type goals ;)explosionsinthe
So even the legendary fyyre is here
Be Well,
-Fyyre
P.S, it seems second game.exe is created exactly here:
Code:00DC3691 FFD0 CALL EAX ; GetCommandLineA 00DC3693 8B15 E4040901 MOV EDX, DWORD PTR DS:[10904E4] 00DC3699 8D8C24 A4010000 LEA ECX, DWORD PTR SS:[ESP+1A4] 00DC36A0 68 00EC0F01 PUSH game.010FEC00 00DC36A5 51 PUSH ECX 00DC36A6 6A 00 PUSH 0 00DC36A8 6A 00 PUSH 0 00DC36AA 6A 04 PUSH 4 00DC36AC 6A 00 PUSH 0 00DC36AE 6A 00 PUSH 0 00DC36B0 6A 00 PUSH 0 00DC36B2 81C2 261D0000 ADD EDX, 1D26 00DC36B8 FFD2 CALL EDX ; GetCommandLineA 00DC36BA 8B0D C4080901 MOV ECX, DWORD PTR DS:[10908C4] 00DC36C0 50 PUSH EAX 00DC36C1 8B4424 3C MOV EAX, DWORD PTR SS:[ESP+3C] 00DC36C5 81C1 962E0000 ADD ECX, 2E96 00DC36CB 50 PUSH EAX 00DC36CC FFD1 CALL ECX ; CreateProcessInternalA ... follows next is call to GetThreadContext, and DuplicateHandle
Last edited by fyyre; 2011-04-18 at 07:01 AM.
-
2011-04-18, 05:25 PM #7VeteranDwar
- Join Date
- 2010 Mar
- Posts
- 2,222
- Thanks
- 211
- Thanks
- 2,230
- Thanked in
- 292 Posts
- Rep Power
- 10
Awful, I need additional 8th day in week to complete all tasks in my planner… I can’t even finished short tut about debugging FW, so I’ll post different pieces here with less explanation as I wished.
So, attaching debugger to FW. The trick is to catch system thread which created when debugger attached to the aim. We need to bypass DbgUiIssueRemoteBreakin, because this function will create a bp exception to inform debugger that the aim is ready and can be debugged.
What we do:
- Run FW and kill parent process
- Suspend whole FW process. It’s required due to the anti-debug mechanism in FW. If you run debugger, your game client will die in several minutes (explanation below)
- Run ollydbg (olly_a) and load into olly_a another olly instance (olly_b)
- In olly_a we need to set bp on DbgUiDebugActiveProcess or you can set it on DebugActiveProcess and then step-in to the DbgUiDebugActiveProcess
- Now we attach olly_b to suspended FW process and resume FW
- Oops, olly_a stops and point us to the DbgUiDebugActiveProcess bp
- Now we must execute ZwDebugActiveProcess and then jump over the rest instructions.
- Turn back to the olly_b and resume FW threads
- That’s all. We get debugged client
(sorry for messy instructions
Now Forsaken sweets
This isn’t a game client… this is a perfect patient for reversing and analyzing anti-debug techniques. Will be suitable for everyone, who wants to make a collection of different algorithms.
Checking IsDebuggerPresent flag in PEB
00DD2A90 55 push ebp
00DD2A91 8BEC mov ebp, esp
00DD2A93 51 push ecx
00DD2A94 C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
00DD2A9B 64:A1 30000000 mov eax, dword ptr fs:[0x30]
00DD2AA1 40 inc eax
00DD2AA2 40 inc eax
00DD2AA3 8B00 mov eax, dword ptr [eax]
00DD2AA5 25 FF000000 and eax, 0xFF
00DD2AAA 8945 FC mov dword ptr [ebp-0x4], eax
00DD2AAD 8B45 FC mov eax, dword ptr [ebp-0x4]
00DD2AB0 8BE5 mov esp, ebp
00DD2AB2 5D pop ebp
00DD2AB3 C3 retn
Another variant
asm
mov edx, dword PTR FS:[$18]
mov edx, dword PTR [edx + $30]
movzx edx, byte PTR [edx + $02]
end;
and several lines below we have another block
NtGlobalFlags in 0x68 of PEB. If app is debugged the value of NtGlobalFlags != 0
00DD2AC0 55 push ebp
00DD2AC1 8BEC mov ebp, esp
00DD2AC3 51 push ecx
00DD2AC4 C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
00DD2ACB 64:A1 30000000 mov eax, dword ptr fs:[0x30]
00DD2AD1 8B40 68 mov eax, dword ptr [eax+0x68]
00DD2AD4 83E0 70 and eax, 0x70
00DD2AD7 8945 FC mov dword ptr [ebp-0x4], eax
00DD2ADA 8B4D FC mov ecx, dword ptr [ebp-0x4]
00DD2ADD 33C0 xor eax, eax
00DD2ADF 85C9 test ecx, ecx
00DD2AE1 0F95C0 setne al
00DD2AE4 8BE5 mov esp, ebp
00DD2AE6 5D pop ebp
00DD2AE7 C3 retn
and this
another flag in Heap. Normally it should be = 2
00DD2AF0 55 push ebp
00DD2AF1 8BEC mov ebp, esp
00DD2AF3 51 push ecx
00DD2AF4 C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
00DD2AFB 64:A1 30000000 mov eax, dword ptr fs:[0x30]
00DD2B01 8B40 18 mov eax, dword ptr [eax+0x18]
00DD2B04 8B40 0C mov eax, dword ptr [eax+0xC]
00DD2B07 8945 FC mov dword ptr [ebp-0x4], eax
00DD2B0A 8B4D FC mov ecx, dword ptr [ebp-0x4]
00DD2B0D 33C0 xor eax, eax
00DD2B0F 83F9 02 cmp ecx, 0x2
00DD2B12 0F94C0 sete al
00DD2B15 40 inc eax
00DD2B16 8BE5 mov esp, ebp
00DD2B18 5D pop ebp
00DD2B19 C3 retn
and this
When app is debugged the process heap is created with HEAP_TAIL_CHECKING_ENABLED flag.
00DD2B50 55 push ebp
00DD2B51 8BEC mov ebp, esp
00DD2B53 83EC 1C sub esp, 0x1C
00DD2B56 B0 31 mov al, 0x31
00DD2B58 57 push edi
00DD2B59 8845 E4 mov byte ptr [ebp-0x1C], al
00DD2B5C 8845 E5 mov byte ptr [ebp-0x1B], al
00DD2B5F 8845 E6 mov byte ptr [ebp-0x1A], al
00DD2B62 8845 E7 mov byte ptr [ebp-0x19], al
00DD2B65 8845 E8 mov byte ptr [ebp-0x18], al
00DD2B68 8845 E9 mov byte ptr [ebp-0x17], al
00DD2B6B 8845 EA mov byte ptr [ebp-0x16], al
00DD2B6E 8845 EB mov byte ptr [ebp-0x15], al
00DD2B71 8845 EC mov byte ptr [ebp-0x14], al
00DD2B74 8845 ED mov byte ptr [ebp-0x13], al
00DD2B77 8845 EE mov byte ptr [ebp-0x12], al
00DD2B7A 8845 EF mov byte ptr [ebp-0x11], al
00DD2B7D 8845 F0 mov byte ptr [ebp-0x10], al
00DD2B80 8845 F1 mov byte ptr [ebp-0xF], al
00DD2B83 8845 F2 mov byte ptr [ebp-0xE], al
00DD2B86 8845 F3 mov byte ptr [ebp-0xD], al
00DD2B89 8845 F4 mov byte ptr [ebp-0xC], al
00DD2B8C 8845 F5 mov byte ptr [ebp-0xB], al
00DD2B8F 8845 F6 mov byte ptr [ebp-0xA], al
00DD2B92 8845 F7 mov byte ptr [ebp-0x9], al
00DD2B95 8845 F8 mov byte ptr [ebp-0x8], al
00DD2B98 8845 F9 mov byte ptr [ebp-0x7], al
00DD2B9B 8D45 E4 lea eax, dword ptr [ebp-0x1C]
00DD2B9E 66:C745 FA 0000 mov word ptr [ebp-0x6], 0x0
00DD2BA4 8945 FC mov dword ptr [ebp-0x4], eax
00DD2BA7 8B45 FC mov eax, dword ptr [ebp-0x4]
00DD2BAA 0FBE48 FE movsx ecx, byte ptr [eax-0x2]
00DD2BAE 0FBF50 F8 movsx edx, word ptr [eax-0x8]
00DD2BB2 2BC1 sub eax, ecx
00DD2BB4 8D3CD0 lea edi, dword ptr [eax+edx*8]
00DD2BB7 B0 AB mov al, 0xAB
00DD2BB9 B1 08 mov cl, 0x8
00DD2BBB 33C0 xor eax, eax
00DD2BBD 5F pop edi
00DD2BBE 8BE5 mov esp, ebp
00DD2BC0 5D pop ebp
00DD2BC1 C3 retn
next
CheckRemoteDebuggerPresent
00DD2BD0 55 push ebp
00DD2BD1 8BEC mov ebp, esp
00DD2BD3 83EC 08 sub esp, 0x8
00DD2BD6 A1 D4040901 mov eax, dword ptr [0x10904D4]
00DD2BDB 68 E4690C01 push 010C69E4 ; ASCII "Kernel32.dll"
00DD2BE0 05 DE1C0000 add eax, 0x1CDE
00DD2BE5 C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
00DD2BEC FFD0 call eax
00DD2BEE 83F8 FF cmp eax, -0x1
00DD2BF1 75 06 jnz short 00DD2BF9
00DD2BF3 33C0 xor eax, eax
00DD2BF5 8BE5 mov esp, ebp
00DD2BF7 5D pop ebp
00DD2BF8 C3 retn
00DD2BF9 8B0D 64060901 mov ecx, dword ptr [0x1090664]
00DD2BFF 68 C8690C01 push 010C69C8 ; ASCII "CheckRemoteDebuggerPresent"
00DD2C04 50 push eax
00DD2C05 81C1 E6230000 add ecx, 0x23E6
00DD2C0B FFD1 call ecx
00DD2C0D 85C0 test eax, eax
00DD2C0F 8945 F8 mov dword ptr [ebp-0x8], eax
00DD2C12 74 0B je short 00DD2C1F
00DD2C14 50 push eax
00DD2C15 54 push esp
00DD2C16 6A FF push -0x1
00DD2C18 FF55 F8 call dword ptr [ebp-0x8]
00DD2C1B 58 pop eax
00DD2C1C 8945 FC mov dword ptr [ebp-0x4], eax
00DD2C1F 8B45 FC mov eax, dword ptr [ebp-0x4]
00DD2C22 8BE5 mov esp, ebp
00DD2C24 5D pop ebp
00DD2C25 C3 retn
next
Abnormal interruption by Int3. If program is not debugging, then the exception will be passed.
00DC8835 50 push eax
00DC8836 64:FF35 0000000>push dword ptr fs:[0]
00DC883D 64:8925 0000000>mov dword ptr fs:[0], esp
00DC8844 33C0 xor eax, eax
00DC8846 C700 00000000 mov dword ptr [eax], 0x0
00DC884C 64:8F05 0000000>pop dword ptr fs:[0]
00DC8853 83C4 04 add esp, 0x4
00DC8856 85C0 test eax, eax
00DC8858 74 39 je short 00DC8893
or
00DD2EE0 55 push ebp
00DD2EE1 8BEC mov ebp, esp
00DD2EE3 68 092FDD00 push 00DD2F09
00DD2EE8 64:FF35 0000000>push dword ptr fs:[0]
00DD2EEF 64:8925 0000000>mov dword ptr fs:[0], esp
00DD2EF6 33C0 xor eax, eax
00DD2EF8 CC int3
00DD2EF9 64:8F05 0000000>pop dword ptr fs:[0]
00DD2F00 83C4 04 add esp, 0x4
00DD2F03 85C0 test eax, eax
00DD2F05 74 19 je short 00DD2F20
next will generate an exception
00DD2F30 66:9C pushfw
00DD2F32 C70424 00010000 mov dword ptr [esp], 0x100
00DD2F39 66:9D popfw
00DD2F3B B8 01000000 mov eax, 0x1
00DD2F40 C3 retn
this is another anti-debug. In my lists I've marked this function as for win7 func (I can't say anything more)
00DD2F80 55 push ebp
00DD2F81 8BEC mov ebp, esp
00DD2F83 51 push ecx
00DD2F84 53 push ebx
00DD2F85 C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
00DD2F8C 68 BC2FDD00 push 00DD2FBC
00DD2F91 64:FF35 0000000>push dword ptr fs:[0]
00DD2F98 64:8925 0000000>mov dword ptr fs:[0], esp
00DD2F9F 33C0 xor eax, eax
00DD2FA1 CC int3
00DD2FA2 64:8F05 0000000>pop dword ptr fs:[0]
00DD2FA9 83C4 04 add esp, 0x4
00DD2FAC 64:A1 18000000 mov eax, dword ptr fs:[0x18]
00DD2FB2 05 FC0B0000 add eax, 0xBFC
00DD2FB7 8B18 mov ebx, dword ptr [eax]
00DD2FB9 895D FC mov dword ptr [ebp-0x4], ebx
00DD2FBC 8B4424 0C mov eax, dword ptr [esp+0xC]
00DD2FC0 FF80 B8000000 inc dword ptr [eax+0xB8]
00DD2FC6 33C0 xor eax, eax
00DD2FC8 C3 retn
00DD2FC9 8B45 FC mov eax, dword ptr [ebp-0x4]
00DD2FCC 5B pop ebx
00DD2FCD 8BE5 mov esp, ebp
00DD2FCF 5D pop ebp
00DD2FD0 C3 retn
and one more
00DD3060 55 push ebp
00DD3061 8BEC mov ebp, esp
00DD3063 51 push ecx
00DD3064 C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
00DD306B 33C0 xor eax, eax
00DD306D 99 cdq
00DD306E FF35 9530DD00 push dword ptr [0xDD3095]
00DD3074 64:FF30 push dword ptr fs:[eax]
00DD3077 64:8920 mov dword ptr fs:[eax], esp
00DD307A CC int3
00DD307B 90 nop
00DD307C 90 nop
00DD307D 90 nop
00DD307E 90 nop
00DD307F F7F2 div edx
00DD3081 90 nop
00DD3082 64:8F05 0000000>pop dword ptr fs:[0]
00DD3089 83C4 04 add esp, 0x4
and int2 at the beginning (olly2 will die when reach int 0x2D)
00DC4329 C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
00DC4330 CD 2D int 0x2D
00DC4332 33C0 xor eax, eax
00DC4334 83C0 02 add eax, 0x2
00DC4337 C745 FC FFFFFFF>mov dword ptr [ebp-0x4], -0x1
oh, also detecting HideOD Olly plugin
ok, most of standalone anti-debug functions are somewhere around 00DD2A90PHP Code:00DD3520 81EC 94000000 sub esp, 0x94
00DD3526 56 push esi
00DD3527 57 push edi
00DD3528 B9 24000000 mov ecx, 0x24
00DD352D 33C0 xor eax, eax
00DD352F 8D7C24 0C lea edi, dword ptr [esp+0xC]
00DD3533 C74424 08 94000>mov dword ptr [esp+0x8], 0x94
00DD353B F3:AB rep stos dword ptr es:[edi]
00DD353D A1 D4040901 mov eax, dword ptr [0x10904D4]
00DD3542 68 48640C01 push 010C6448 ; ASCII "ntdll.dll"
00DD3547 05 DE1C0000 add eax, 0x1CDE
00DD354C FFD0 call eax
00DD354E 8B0D 64060901 mov ecx, dword ptr [0x1090664]
00DD3554 68 606A0C01 push 010C6A60 ; ASCII "ZwSetInformationThread"
00DD3559 50 push eax
00DD355A 81C1 E6230000 add ecx, 0x23E6
00DD3560 FFD1 call ecx
00DD3562 85C0 test eax, eax
00DD3564 74 44 je short 00DD35AA
00DD3566 66:8B70 06 mov si, word ptr [eax+0x6]
00DD356A A1 D0020901 mov eax, dword ptr [0x10902D0]
00DD356F 8D5424 08 lea edx, dword ptr [esp+0x8]
00DD3573 05 CC130000 add eax, 0x13CC
00DD3578 52 push edx
00DD3579 FFD0 call eax
00DD357B 837C24 18 02 cmp dword ptr [esp+0x18], 0x2
00DD3580 75 28 jnz short 00DD35AA
00DD3582 8B4424 0C mov eax, dword ptr [esp+0xC]
00DD3586 83F8 04 cmp eax, 0x4
00DD3589 77 0A ja short 00DD3595
00DD358B 75 1D jnz short 00DD35AA
00DD358D 8B4424 10 mov eax, dword ptr [esp+0x10]
00DD3591 85C0 test eax, eax
00DD3593 76 15 jbe short 00DD35AA
00DD3595 66:81FE 0003 cmp si, 0x300
00DD359A 74 0E je short 00DD35AA
00DD359C 5F pop edi
00DD359D B8 01000000 mov eax, 0x1
00DD35A2 5E pop esi
00DD35A3 81C4 94000000 add esp, 0x94
00DD35A9 C3 retn
00DD35AA 5F pop edi
00DD35AB 33C0 xor eax, eax
00DD35AD 5E pop esi
00DD35AE 81C4 94000000 add esp, 0x94
00DD35B4 C3 retn
There are also functions for finding windows and processes of certain name
P.S. If something is wrong, please correct mePlease, post your questions on forum, not by PM or mail
I spend my time, so please pay a little bit of your time to keep world in equilibrium
-
-
2011-04-19, 04:49 AM #8New memberfyyre
- Join Date
- 2011 Apr
- Location
- 0xfe
- Posts
- 21
- Thanks
- 7
- Thanks
- 2
- Thanked in
- 2 Posts
- Rep Power
- 0
Hi Dwar,
Excellent write up!
I am thinking the author of this packer also has read Peter Ferrie's "Anti-Unpacker Tricks" series for Virus Bulletin ;) ... as most of these tricks are detailed in that series.
This one is examine of struct _TEB + 0xBFC which is ptr to unicode string of ntdll, etc.. (0xC00) ... if the process is operating under a debugger, this will be NULL instead of UNICODE_STRING system dll names.this is another anti-debug. In my lists I've marked this function as for win7 func (I can't say anything more)
Is a good thing this packer like most others are oblivious to TEB+WOW32Reserved ;)
-Fyyre
-
The Following User Says Thank You to fyyre For This Useful Post:
-
2011-04-30, 02:15 PM #9New memberAbstract
- Join Date
- 2011 Apr
- Location
- Germany
- Posts
- 5
- Thanks
- 2
- Thanks
- 8
- Thanked in
- 1 Post
- Rep Power
- 0
First of all thank you. I worked around the Interruped 2D and IsDebuggerPresent wasn't hard todo. But i didn't get very far just like you, but you found the idea to attach a debugger ^^.
I am writing a reversing tutorial at the moment. Can i refer to you debugger attach knowledge? You want me to give you credit as Dwar?
Sorry for the questions in exchange i try helping completting the package list on your other thread
-
2011-06-15, 02:21 AM #10New membercoded
- Join Date
- 2011 May
- Posts
- 30
- Thanks
- 10
- Thanks
- 27
- Thanked in
- 8 Posts
- Rep Power
- 0
ugh, I tried suspending the thread but it didn't work. Not sure, if it's the same on XP. It's sucks without a debugger, allocating virtual memory so it could jump into my code to store the registers in an address space. <<. I'll try to do more research on anti debugging and keep trying.
“It's not that I'm so smart , it's just that I stay with problems longer .”
-Albert Einstein
Reply With Quote
