Awful, I need an additional 8th day in the week to complete all the tasks in my planner… I can't even finish a short tutorial about debugging FW, so I'll post different pieces here with less explanation than I wished.
So, attaching a debugger to FW. The trick is to catch the system thread which is created when a debugger attaches to the target. We need to bypass DbgUiIssueRemoteBreakin, because this function raises a breakpoint exception to inform the debugger that the target is ready and can be debugged.
What we do:
- Run FW and kill the parent process
- Suspend the whole FW process. This is required due to the anti-debug mechanism in FW. If you run a debugger, your game client will die in several minutes (explanation below)
- Run OllyDbg (olly_a) and load another Olly instance (olly_b) into olly_a
- In olly_a we need to set a bp on DbgUiDebugActiveProcess, or you can set it on DebugActiveProcess and then step into DbgUiDebugActiveProcess
- Now we attach olly_b to the suspended FW process and resume FW
- Oops, olly_a stops and points us to the DbgUiDebugActiveProcess bp
- Now we must execute ZwDebugActiveProcess and then jump over the remaining instructions.
- Go back to olly_b and resume the FW threads
- That's all. We get a debugged client
(sorry for the messy instructions)
Now the Forsaken sweets
This isn't a game client… this is a perfect patient for reversing and analyzing anti-debug techniques. It will suit everyone who wants to build a collection of different algorithms.
Checking the IsDebuggerPresent flag in the PEB
00DD2A90 55 push ebp
00DD2A91 8BEC mov ebp, esp
00DD2A93 51 push ecx
00DD2A94 C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
00DD2A9B 64:A1 30000000 mov eax, dword ptr fs:[0x30]
00DD2AA1 40 inc eax
00DD2AA2 40 inc eax
00DD2AA3 8B00 mov eax, dword ptr [eax]
00DD2AA5 25 FF000000 and eax, 0xFF
00DD2AAA 8945 FC mov dword ptr [ebp-0x4], eax
00DD2AAD 8B45 FC mov eax, dword ptr [ebp-0x4]
00DD2AB0 8BE5 mov esp, ebp
00DD2AB2 5D pop ebp
00DD2AB3 C3 retn
Another variant
asm
mov edx, dword PTR FS:[$18]
mov edx, dword PTR [edx + $30]
movzx edx, byte PTR [edx + $02]
end;
and several lines below we have another block
NtGlobalFlag is at offset 0x68 of the PEB. If the app is being debugged, the value of NtGlobalFlag != 0
00DD2AC0 55 push ebp
00DD2AC1 8BEC mov ebp, esp
00DD2AC3 51 push ecx
00DD2AC4 C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
00DD2ACB 64:A1 30000000 mov eax, dword ptr fs:[0x30]
00DD2AD1 8B40 68 mov eax, dword ptr [eax+0x68]
00DD2AD4 83E0 70 and eax, 0x70
00DD2AD7 8945 FC mov dword ptr [ebp-0x4], eax
00DD2ADA 8B4D FC mov ecx, dword ptr [ebp-0x4]
00DD2ADD 33C0 xor eax, eax
00DD2ADF 85C9 test ecx, ecx
00DD2AE1 0F95C0 setne al
00DD2AE4 8BE5 mov esp, ebp
00DD2AE6 5D pop ebp
00DD2AE7 C3 retn
and this
another flag in the Heap. Normally it should be = 2
00DD2AF0 55 push ebp
00DD2AF1 8BEC mov ebp, esp
00DD2AF3 51 push ecx
00DD2AF4 C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
00DD2AFB 64:A1 30000000 mov eax, dword ptr fs:[0x30]
00DD2B01 8B40 18 mov eax, dword ptr [eax+0x18]
00DD2B04 8B40 0C mov eax, dword ptr [eax+0xC]
00DD2B07 8945 FC mov dword ptr [ebp-0x4], eax
00DD2B0A 8B4D FC mov ecx, dword ptr [ebp-0x4]
00DD2B0D 33C0 xor eax, eax
00DD2B0F 83F9 02 cmp ecx, 0x2
00DD2B12 0F94C0 sete al
00DD2B15 40 inc eax
00DD2B16 8BE5 mov esp, ebp
00DD2B18 5D pop ebp
00DD2B19 C3 retn
and this
When the app is being debugged, the process heap is created with the HEAP_TAIL_CHECKING_ENABLED flag.
00DD2B50 55 push ebp
00DD2B51 8BEC mov ebp, esp
00DD2B53 83EC 1C sub esp, 0x1C
00DD2B56 B0 31 mov al, 0x31
00DD2B58 57 push edi
00DD2B59 8845 E4 mov byte ptr [ebp-0x1C], al
00DD2B5C 8845 E5 mov byte ptr [ebp-0x1B], al
00DD2B5F 8845 E6 mov byte ptr [ebp-0x1A], al
00DD2B62 8845 E7 mov byte ptr [ebp-0x19], al
00DD2B65 8845 E8 mov byte ptr [ebp-0x18], al
00DD2B68 8845 E9 mov byte ptr [ebp-0x17], al
00DD2B6B 8845 EA mov byte ptr [ebp-0x16], al
00DD2B6E 8845 EB mov byte ptr [ebp-0x15], al
00DD2B71 8845 EC mov byte ptr [ebp-0x14], al
00DD2B74 8845 ED mov byte ptr [ebp-0x13], al
00DD2B77 8845 EE mov byte ptr [ebp-0x12], al
00DD2B7A 8845 EF mov byte ptr [ebp-0x11], al
00DD2B7D 8845 F0 mov byte ptr [ebp-0x10], al
00DD2B80 8845 F1 mov byte ptr [ebp-0xF], al
00DD2B83 8845 F2 mov byte ptr [ebp-0xE], al
00DD2B86 8845 F3 mov byte ptr [ebp-0xD], al
00DD2B89 8845 F4 mov byte ptr [ebp-0xC], al
00DD2B8C 8845 F5 mov byte ptr [ebp-0xB], al
00DD2B8F 8845 F6 mov byte ptr [ebp-0xA], al
00DD2B92 8845 F7 mov byte ptr [ebp-0x9], al
00DD2B95 8845 F8 mov byte ptr [ebp-0x8], al
00DD2B98 8845 F9 mov byte ptr [ebp-0x7], al
00DD2B9B 8D45 E4 lea eax, dword ptr [ebp-0x1C]
00DD2B9E 66:C745 FA 0000 mov word ptr [ebp-0x6], 0x0
00DD2BA4 8945 FC mov dword ptr [ebp-0x4], eax
00DD2BA7 8B45 FC mov eax, dword ptr [ebp-0x4]
00DD2BAA 0FBE48 FE movsx ecx, byte ptr [eax-0x2]
00DD2BAE 0FBF50 F8 movsx edx, word ptr [eax-0x8]
00DD2BB2 2BC1 sub eax, ecx
00DD2BB4 8D3CD0 lea edi, dword ptr [eax+edx*8]
00DD2BB7 B0 AB mov al, 0xAB
00DD2BB9 B1 08 mov cl, 0x8
00DD2BBB 33C0 xor eax, eax
00DD2BBD 5F pop edi
00DD2BBE 8BE5 mov esp, ebp
00DD2BC0 5D pop ebp
00DD2BC1 C3 retn
next
CheckRemoteDebuggerPresent
00DD2BD0 55 push ebp
00DD2BD1 8BEC mov ebp, esp
00DD2BD3 83EC 08 sub esp, 0x8
00DD2BD6 A1 D4040901 mov eax, dword ptr [0x10904D4]
00DD2BDB 68 E4690C01 push 010C69E4 ; ASCII "Kernel32.dll"
00DD2BE0 05 DE1C0000 add eax, 0x1CDE
00DD2BE5 C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
00DD2BEC FFD0 call eax
00DD2BEE 83F8 FF cmp eax, -0x1
00DD2BF1 75 06 jnz short 00DD2BF9
00DD2BF3 33C0 xor eax, eax
00DD2BF5 8BE5 mov esp, ebp
00DD2BF7 5D pop ebp
00DD2BF8 C3 retn
00DD2BF9 8B0D 64060901 mov ecx, dword ptr [0x1090664]
00DD2BFF 68 C8690C01 push 010C69C8 ; ASCII "CheckRemoteDebuggerPresent"
00DD2C04 50 push eax
00DD2C05 81C1 E6230000 add ecx, 0x23E6
00DD2C0B FFD1 call ecx
00DD2C0D 85C0 test eax, eax
00DD2C0F 8945 F8 mov dword ptr [ebp-0x8], eax
00DD2C12 74 0B je short 00DD2C1F
00DD2C14 50 push eax
00DD2C15 54 push esp
00DD2C16 6A FF push -0x1
00DD2C18 FF55 F8 call dword ptr [ebp-0x8]
00DD2C1B 58 pop eax
00DD2C1C 8945 FC mov dword ptr [ebp-0x4], eax
00DD2C1F 8B45 FC mov eax, dword ptr [ebp-0x4]
00DD2C22 8BE5 mov esp, ebp
00DD2C24 5D pop ebp
00DD2C25 C3 retn
next
Abnormal interruption by Int3. If the program is not being debugged, then the exception will be passed to the program's own handler.
00DC8835 50 push eax
00DC8836 64:FF35 0000000>push dword ptr fs:[0]
00DC883D 64:8925 0000000>mov dword ptr fs:[0], esp
00DC8844 33C0 xor eax, eax
00DC8846 C700 00000000 mov dword ptr [eax], 0x0
00DC884C 64:8F05 0000000>pop dword ptr fs:[0]
00DC8853 83C4 04 add esp, 0x4
00DC8856 85C0 test eax, eax
00DC8858 74 39 je short 00DC8893
or
00DD2EE0 55 push ebp
00DD2EE1 8BEC mov ebp, esp
00DD2EE3 68 092FDD00 push 00DD2F09
00DD2EE8 64:FF35 0000000>push dword ptr fs:[0]
00DD2EEF 64:8925 0000000>mov dword ptr fs:[0], esp
00DD2EF6 33C0 xor eax, eax
00DD2EF8 CC int3
00DD2EF9 64:8F05 0000000>pop dword ptr fs:[0]
00DD2F00 83C4 04 add esp, 0x4
00DD2F03 85C0 test eax, eax
00DD2F05 74 19 je short 00DD2F20
the next one will generate an exception
00DD2F30 66:9C pushfw
00DD2F32 C70424 00010000 mov dword ptr [esp], 0x100
00DD2F39 66:9D popfw
00DD2F3B B8 01000000 mov eax, 0x1
00DD2F40 C3 retn
This is another anti-debug. In my lists I've marked this function as a Win7 func (I can't say anything more)
00DD2F80 55 push ebp
00DD2F81 8BEC mov ebp, esp
00DD2F83 51 push ecx
00DD2F84 53 push ebx
00DD2F85 C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
00DD2F8C 68 BC2FDD00 push 00DD2FBC
00DD2F91 64:FF35 0000000>push dword ptr fs:[0]
00DD2F98 64:8925 0000000>mov dword ptr fs:[0], esp
00DD2F9F 33C0 xor eax, eax
00DD2FA1 CC int3
00DD2FA2 64:8F05 0000000>pop dword ptr fs:[0]
00DD2FA9 83C4 04 add esp, 0x4
00DD2FAC 64:A1 18000000 mov eax, dword ptr fs:[0x18]
00DD2FB2 05 FC0B0000 add eax, 0xBFC
00DD2FB7 8B18 mov ebx, dword ptr [eax]
00DD2FB9 895D FC mov dword ptr [ebp-0x4], ebx
00DD2FBC 8B4424 0C mov eax, dword ptr [esp+0xC]
00DD2FC0 FF80 B8000000 inc dword ptr [eax+0xB8]
00DD2FC6 33C0 xor eax, eax
00DD2FC8 C3 retn
00DD2FC9 8B45 FC mov eax, dword ptr [ebp-0x4]
00DD2FCC 5B pop ebx
00DD2FCD 8BE5 mov esp, ebp
00DD2FCF 5D pop ebp
00DD2FD0 C3 retn
and one more
00DD3060 55 push ebp
00DD3061 8BEC mov ebp, esp
00DD3063 51 push ecx
00DD3064 C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
00DD306B 33C0 xor eax, eax
00DD306D 99 cdq
00DD306E FF35 9530DD00 push dword ptr [0xDD3095]
00DD3074 64:FF30 push dword ptr fs:[eax]
00DD3077 64:8920 mov dword ptr fs:[eax], esp
00DD307A CC int3
00DD307B 90 nop
00DD307C 90 nop
00DD307D 90 nop
00DD307E 90 nop
00DD307F F7F2 div edx
00DD3081 90 nop
00DD3082 64:8F05 0000000>pop dword ptr fs:[0]
00DD3089 83C4 04 add esp, 0x4
and an int 0x2D at the beginning (Olly2 will die when it reaches int 0x2D)
00DC4329 C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
00DC4330 CD 2D int 0x2D
00DC4332 33C0 xor eax, eax
00DC4334 83C0 02 add eax, 0x2
00DC4337 C745 FC FFFFFFF>mov dword ptr [ebp-0x4], -0x1
oh, it also detects the HideOD Olly plugin
00DD3520 81EC 94000000 sub esp, 0x94
00DD3526 56 push esi
00DD3527 57 push edi
00DD3528 B9 24000000 mov ecx, 0x24
00DD352D 33C0 xor eax, eax
00DD352F 8D7C24 0C lea edi, dword ptr [esp+0xC]
00DD3533 C74424 08 94000>mov dword ptr [esp+0x8], 0x94
00DD353B F3:AB rep stos dword ptr es:[edi]
00DD353D A1 D4040901 mov eax, dword ptr [0x10904D4]
00DD3542 68 48640C01 push 010C6448 ; ASCII "ntdll.dll"
00DD3547 05 DE1C0000 add eax, 0x1CDE
00DD354C FFD0 call eax
00DD354E 8B0D 64060901 mov ecx, dword ptr [0x1090664]
00DD3554 68 606A0C01 push 010C6A60 ; ASCII "ZwSetInformationThread"
00DD3559 50 push eax
00DD355A 81C1 E6230000 add ecx, 0x23E6
00DD3560 FFD1 call ecx
00DD3562 85C0 test eax, eax
00DD3564 74 44 je short 00DD35AA
00DD3566 66:8B70 06 mov si, word ptr [eax+0x6]
00DD356A A1 D0020901 mov eax, dword ptr [0x10902D0]
00DD356F 8D5424 08 lea edx, dword ptr [esp+0x8]
00DD3573 05 CC130000 add eax, 0x13CC
00DD3578 52 push edx
00DD3579 FFD0 call eax
00DD357B 837C24 18 02 cmp dword ptr [esp+0x18], 0x2
00DD3580 75 28 jnz short 00DD35AA
00DD3582 8B4424 0C mov eax, dword ptr [esp+0xC]
00DD3586 83F8 04 cmp eax, 0x4
00DD3589 77 0A ja short 00DD3595
00DD358B 75 1D jnz short 00DD35AA
00DD358D 8B4424 10 mov eax, dword ptr [esp+0x10]
00DD3591 85C0 test eax, eax
00DD3593 76 15 jbe short 00DD35AA
00DD3595 66:81FE 0003 cmp si, 0x300
00DD359A 74 0E je short 00DD35AA
00DD359C 5F pop edi
00DD359D B8 01000000 mov eax, 0x1
00DD35A2 5E pop esi
00DD35A3 81C4 94000000 add esp, 0x94
00DD35A9 C3 retn
00DD35AA 5F pop edi
00DD35AB 33C0 xor eax, eax
00DD35AD 5E pop esi
00DD35AE 81C4 94000000 add esp, 0x94
00DD35B4 C3 retn
ok, most of the standalone anti-debug functions are somewhere around 00DD2A90
There are also functions for finding windows and processes with certain names
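As an added illustration (not code from the original post), here is a small Python scanner that looks for the raw opcode sequences of the PEB, TEB, SEH/int3, pushfw and int 0x2D checks shown in the listings above, so an analyst can triage a dumped code section for these patterns. The signature names are made up here, and the sample buffer is constructed from the bytes of the three functions at 00DD2A90, 00DD2AC0 and 00DD2AF0 plus the 00DD2F30 stub appended directly after them.

```python
"""Locate the anti-debug byte patterns from the listings in raw x86-32 code."""
from dataclasses import dataclass

# Opcode sequences of the checks seen above (signature names are hypothetical).
# Each comment gives the instructions the bytes encode and what they read.
ANTI_DEBUG_SIGNATURES = {
    # mov eax,fs:[0x30] / inc eax / inc eax / mov eax,[eax]   -> PEB+2 (BeingDebugged)
    "peb_being_debugged": bytes.fromhex("64A130000000 4040 8B00"),
    # mov edx,fs:[0x18] / mov edx,[edx+0x30] / movzx edx,byte [edx+2]  (Delphi variant)
    "teb_being_debugged": bytes.fromhex("648B1518000000 8B5230 0FB65202"),
    # mov eax,fs:[0x30] / mov eax,[eax+0x68]                   -> PEB.NtGlobalFlag
    "peb_nt_global_flag": bytes.fromhex("64A130000000 8B4068"),
    # mov eax,fs:[0x30] / mov eax,[eax+0x18] / mov eax,[eax+0xC] -> ProcessHeap.Flags
    "process_heap_flags": bytes.fromhex("64A130000000 8B4018 8B400C"),
    # push fs:[0] / mov fs:[0],esp / xor eax,eax / int3        -> SEH-wrapped int3
    "seh_int3": bytes.fromhex("64FF3500000000 64892500000000 33C0 CC"),
    # pushfw / mov dword [esp],0x100 / popfw                   -> sets the trap flag
    "trap_flag_popf": bytes.fromhex("669C C7042400010000 669D"),
    # int 0x2D (only two bytes, so expect false positives on real binaries)
    "int_2d": bytes.fromhex("CD2D"),
}

@dataclass(frozen=True)
class Hit:
    name: str
    address: int

def find_anti_debug(code: bytes, base: int = 0) -> list[Hit]:
    """Return every signature occurrence in `code`, sorted by address.
    `base` is the virtual address of code[0], so hits line up with a disassembly."""
    hits = []
    for name, sig in ANTI_DEBUG_SIGNATURES.items():
        pos = code.find(sig)
        while pos != -1:
            hits.append(Hit(name, base + pos))
            pos = code.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h.address)

# Constructed sample: the bytes of the three PEB checks from the listings
# (00DD2A90, 00DD2AC0, 00DD2AF0) with CC padding between them, followed by the
# pushfw/popfw stub from 00DD2F30 placed directly after them for this demo.
SAMPLE_BASE = 0x00DD2A90
SAMPLE = bytes.fromhex(
    "558BEC51 C745FC00000000 64A130000000 4040 8B00 25FF000000 8945FC 8B45FC 8BE5 5D C3"
    + "CC" * 12
    + "558BEC51 C745FC00000000 64A130000000 8B4068 83E070 8945FC 8B4DFC 33C0 85C9 0F95C0 8BE5 5D C3"
    + "CC" * 8
    + "558BEC51 C745FC00000000 64A130000000 8B4018 8B400C 8945FC 8B4DFC 33C0 83F902 0F94C0 40 8BE5 5D C3"
    + "669C C7042400010000 669D B801000000 C3"
)

if __name__ == "__main__":
    for h in find_anti_debug(SAMPLE, SAMPLE_BASE):
        print(f"{h.address:08X}  {h.name}")
```

On the sample, the first three hits land on the fs:[0x30] reads at 00DD2A9B, 00DD2ACB and 00DD2AFB, exactly the addresses in the listings.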
P.S. If something is wrong, please correct me