Page 1 of 2 12 LastLast
Results 1 to 10 of 16
  1. #1
    Dwar
    Dwar is offline
    Veteran Dwar's Avatar
    Join Date
    2010 Mar
    Posts
    2,222
    Thanks Thanks Given 
    211
    Thanks Thanks Received 
    2,230
    Thanked in
    292 Posts
    Rep Power
    10

    Forsaken World client analyzing, debugging, protection

    Let’s play with Forsaken World.

    Some lyrics before we start. When the FW became available I and other people noticed that this client is different than Perfect World. What exactly? Improved protection and tricky anti-debug technique: hooked API, encrypted files etc. OllyDbg will crash or client goes into infinity loop… Sweet.
    This is a draft, smattering explanation with some notes regarding FW protection and anti-debug techniques.

    Ok. At the beginning we should check our “minefield” with pogo stick…
    1. We start Ollydbg and run FW client. FW freezes
    2. We start client, run olly and attach debugger to the client… my olly 2 crashed with lots of exceptions; olly 1.10 with Strong plugin stopped here
     0D650000   /EB 10              jmp     short 0D650012
    0D650002 |6A 00 push 0x0
    0D650004 |6A FE push -0x2
    0D650006 |FF15 0E00650D call dword ptr [0xD65000E] ; ntdll.RtlExitUserThread
    0D65000C ^|EB F4 jmp short 0D650002
    0D65000E |9B wait
    0D65000F |14 96 adc al, 0x96
    0D650011 |7C 68 jl short 0D65007B
    0D650013 2000 and byte ptr [eax], al
    0D650015 65:0D 33C064FF or eax, 0xFF64C033
    0D65001B 306489 20 xor byte ptr [ecx+ecx*4+0x20], ah
    0D65001F CC int3
    => 0D650020 90 nop
    0D650021 ^ EB DF jmp short 0D650002


    3. Now we will load game.exe under clean ollydbg and execute it… and will receive message box with some, as I think, good words about our try. Reload game.exe
     00DC4325  /> \C645 C8 01        MOV BYTE PTR SS:[EBP-38],1
    00DC4329 |. C745 FC 00000000 MOV DWORD PTR SS:[EBP-4],0
    => 00DC4330 |. CD 2D INT 2D
    00DC4332 |. 33C0 XOR EAX,EAX
    00DC4334 |. 83C0 02 ADD EAX,2
    00DC4337 |. C745 FC FFFFFFFF MOV DWORD PTR SS:[EBP-4],-1
    00DC433E \. EB 14 JMP SHORT 00DC4354
    00DC4340 /. B8 01000000 MOV EAX,1
    00DC4345 \. C3 RETN
    00DC4346 /. 8B65 E8 MOV ESP,DWORD PTR SS:[EBP-18]
    00DC4349 |. C645 C8 00 MOV BYTE PTR SS:[EBP-38],0
    00DC434D |. C745 FC FFFFFFFF MOV DWORD PTR SS:[EBP-4],-1
    00DC4354 |> 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
    00DC4357 |. 25 FF000000 AND EAX,000000FF
    00DC435C |. 85C0 TEST EAX,EAX
    00DC435E |. 74 03 JE SHORT 00DC4363
    00DC4360 |. 58 POP EAX
    00DC4361 |. 5A POP EDX
    00DC4362 |. 5E POP ESI
    00DC4363 |> 833D 10CD0901 00 CMP DWORD PTR DS:[109CD10],0
    00DC436A |. 75 3F JNE SHORT 00DC43AB
    => 00DC436C |. FF15 00D0FC00 CALL DWORD PTR DS:[<&KERNEL32.IsDebuggerPresent>] ; [KERNEL32.IsDebuggerPresent
    00DC4372 |. 85C0 TEST EAX,EAX
    00DC4374 |. 75 1C JNE SHORT 00DC4392
    00DC4376 |. E8 D52D0000 CALL 00DC7150
    00DC437B |. 25 FF000000 AND EAX,000000FF
    00DC4380 |. 85C0 TEST EAX,EAX
    00DC4382 |. 75 0E JNE SHORT 00DC4392
    00DC4384 |. E8 472E0000 CALL 00DC71D0
    00DC4389 |. 25 FF000000 AND EAX,000000FF
    00DC438E |. 85C0 TEST EAX,EAX
    00DC4390 |. 74 19 JE SHORT 00DC43AB
    00DC4392 |> 6A 00 PUSH 0
    00DC4394 |. 68 2C610C01 PUSH 010C612C
    00DC4399 |. 68 08610C01 PUSH 010C6108
    00DC439E |. 6A 00 PUSH 0
    our message box => 00DC43A0 |. FF15 48D1FC00 CALL DWORD PTR DS:[<&USER32.MessageBoxA>] 00DC43A6 |. E9 B82C0000 JMP 00DC7063


    You can bypass IsDebuggerPresent and INT 2D;
    Some words about INT 2D: this instruction can be used as a general purpose debugger detection method, because when executing the instruction, if no debugger is present, an exception will occur. However, if a debugger is present, no exception will occur, and things get interesting based on the debugger you are using. OllyDbg will actually skip a byte in its disassembly and will cause the analysis to go wrong.

    you can nop some JNE and make JMP on 00DC4390
    00DC4372  |.  85C0              TEST EAX,EAX
    00DC4374 90 NOP
    00DC4375 90 NOP
    00DC4376 |. E8 D52D0000 CALL 00DC7150
    00DC437B |. 25 FF000000 AND EAX,000000FF
    00DC4380 |. 85C0 TEST EAX,EAX
    00DC4382 90 NOP
    00DC4383 90 NOP
    00DC4384 |. E8 472E0000 CALL 00DC71D0
    00DC4389 |. 25 FF000000 AND EAX,000000FF
    00DC438E |. 85C0 TEST EAX,EAX
    00DC4390 EB 19 JMP SHORT 00DC43AB


    Actually, this isn’t interesting or useful When we run game.exe, it recreates itself as a child process and Finita la comedia. If we trace execution routine, after long-long decryption cycles and memory copying parts, we will get
     00DC6E04    E8 57C4FFFF         call    00DC3260
    00DC6E09 83C4 04 add esp, 0x4
    00DC6E0C 8B15 04EC0F01 mov edx, dword ptr [0x10FEC04]
    00DC6E12 52 push edx
    00DC6E13 A1 B00B0901 mov eax, dword ptr [0x1090BB0]
    00DC6E18 05 BC3B0000 add eax, 0x3BBC
    => 00DC6E1D FFD0 call eax ; proccess already created
    00DC6E1F 8D4D 84 lea ecx, dword ptr [ebp-0x7C]
    00DC6E22 51 push ecx
    00DC6E23 6A 00 push 0x0
    00DC6E25 8B15 14E00801 mov edx, dword ptr [0x108E014]
    00DC6E2B 52 push edx
    00DC6E2C 68 103FDD00 push 00DD3F10

    At this moment child game.exe process is already created and suspended. And now what? Nothing, it was a long prelude…

    How to bypass anti-debugger (anti-attach) protection and how does it works when debugger attaching to the debugee? Anytime a debugger is attaching itself to an aim process (debugee), system creates a new thread, which starts at DbgUiRemoteBreakin (ntdll!DbgUiRemoteBreakin) function in debugee's process space.
    When the process is about to be debugged, ntdll!DbgUiDebugActiveProcess calls ntdll!DbgUiIssueRemoteBreakin and this one creates a thread that starts at ntdll!DbgUiRemoteBreakin. The new thread is created via a call to ntdll!RtlCreateUserThread. When started, ntdll!DbgUiRemoteBreakin calls ntdll!DbgBreakPoint which is actually just a pair of 2 instructions: int3 and ret.
    So, if application hooks the entry point of the function, it can control the flow of the code being executed…

    Let’s approve our statement about hooked DbgUiRemoteBreakin by Forsaken World client.
     7C94FFE3 >  C2 0C00         retn    0xC
    7C94FFE6 F8 clc
    7C94FFE7 0095 7CE8BCE8 add byte ptr [ebp-0x17431784], dl
    7C94FFED FB sti
    7C94FFEE FF64A1 18 jmp dword ptr [ecx+0x18]
    7C94FFF2 0000 add byte ptr [eax], al
    7C94FFF4 008B 40308078 add byte ptr [ebx+0x78803040], cl
    7C94FFFA 0200 add al, byte ptr [eax]
    7C94FFFC 75 09 jnz short 7C950007
    7C94FFFE F605 D402FE7F 0>test byte ptr [0x7FFE02D4], 0x2
    7C950005 74 20 je short 7C950027
    7C950007 8365 FC 00 and dword ptr [ebp-0x4], 0x0
    7C95000B E8 FE11FBFF call DbgBreakPoint
    7C950010 EB 11 jmp short 7C950023

    Yeah, instead
     7C94FFE3 >  6A 08           push    0x8
    7C94FFE5 68 3000957C push 7C950030
    7C94FFEA E8 BCE8FBFF call 7C90E8AB

    we have retn 0xC. Restoring DbgUiRemoteBreakin will give you opportunity to attach debuggers... but this is only one small part of FW protection


    How to open FW client under debugger with hooked DbgUiRemoteBreakin…
    Let’s debug the debugger… soon (maybe)


    Note: If I forgot something, or if someone wants something to add, you are welcome
    Note: Any materials only for educational purpose
    by Dwar
    Please, post your questions on forum, not by PM or mail

    I spend my time, so please pay a little bit of your time to keep world in equilibrium

  2. #2
    coolninja
    coolninja is offline
    New member
    Join Date
    2011 Apr
    Posts
    10
    Thanks Thanks Given 
    1
    Thanks Thanks Received 
    2
    Thanked in
    1 Post
    Rep Power
    0
    //My comment below does not help with this thread.

    This guide, or shall I say diary, is really organized.
    To me, the verbal readability is 95%+, but the theory understandability is 10%.
    There is only 2 things I "see" from this thread:
    1. cracking new anti-debug/hack techniques is way much interesting than the game itself.
    2. summarizing processes/observed properties gives benefits for future revise.

  3. #3
    fyyre
    fyyre is offline
    New member fyyre's Avatar
    Join Date
    2011 Apr
    Location
    0xfe
    Posts
    21
    Thanks Thanks Given 
    7
    Thanks Thanks Received 
    2
    Thanked in
    2 Posts
    Rep Power
    0
    Hi,

    Good to see someone else is also working on this.

    Whatever packer that FW is using, is unknown to me... so far my attempts to unpack it result in a restored IAT and game.exe which does not run... (good for static analysis via IDA, but not much else..) currently I am uncertain as what else I am missing.

    With that said, I also encountered the above problems -- since my system is Windows 7 X64, StrongOD is not an option.

    Given this I program a simple launcher. It starts game.exe, the flag makes it not a part of a Job (not sure what reason for making both process a Job is... since runs fine without this, who cares =)

    Code:
    CreateProcessA( NULL, "game.exe game:wf", NULL, NULL, FALSE, CREATE_BREAKAWAY_FROM_JOB, NULL, NULL, &si, &pi );
    
    ...etc
    
    ParentProcessId = FindParentProcessId( pi.dwProcessId );
    if ( ParentProcessId != GetProcessId( NtCurrentProcess() ) )
    return 0;
    
    ...etc
    After this, we have decrypted game.exe running by himself...

    Inside of launcher, also I added some code to replace the patched DbgUiRemoteBreakin function with original bytes... after this, OllyDbg attachs without any problem. Note, ExitProcess and LoadLibraryA, also are hooked.

    Some of threads may be suspended, and require you resume them via Olly to get FW running as normal.

    I notice that (occurs for me, at least..) setting software breakpoint causes Ollydbg to silently exit... so I am only able to set hardware breakpoints.

    -Fyyre

  4. #4
    Dwar
    Dwar is offline
    Veteran Dwar's Avatar
    Join Date
    2010 Mar
    Posts
    2,222
    Thanks Thanks Given 
    211
    Thanks Thanks Received 
    2,230
    Thanked in
    292 Posts
    Rep Power
    10
    Hi, Fyyre
    A FW packer looks like an Armadillo mod, but I’m not sure (I’m not a “fan” of Arma). Anyway FW protection uses similar to Arma techniques like parent and child threads, int2, int3 etc. Maybe some kind of private Arma versions.
    Hm, making a launcher and patcher is a good idea for me, ‘coz at this moment for debugging I need to proceed following steps:
    • Suspend FW threads,
    • open olly
    • debug first olly by another olly
    • Attach debugee olly to FW
    • Catch DbgUiRemoteBreakin by second olly
    • Patch FW
    • Work with FW under Olly


    I like FW client, because it's really interesting to analyze game client with unique protection methods. But lack of free time always a bad thing for any progress
    Please, post your questions on forum, not by PM or mail

    I spend my time, so please pay a little bit of your time to keep world in equilibrium

  5. #5
    explosionsinthe
    explosionsinthe is offline
    New member explosionsinthe's Avatar
    Join Date
    2011 Apr
    Posts
    16
    Thanks Thanks Given 
    1
    Thanks Thanks Received 
    1
    Thanked in
    1 Post
    Rep Power
    0
    So even the legendary fyyre is here Dwar could you explain to me the logic behind suspending threads ? What are you preventing that way ?

  6. #6
    fyyre
    fyyre is offline
    New member fyyre's Avatar
    Join Date
    2011 Apr
    Location
    0xfe
    Posts
    21
    Thanks Thanks Given 
    7
    Thanks Thanks Received 
    2
    Thanked in
    2 Posts
    Rep Power
    0

    Post

    Hi Dwar,

    When I first see how the packer is acting, I too thought perhaps he is some type of custom Armadillo (also I dislike... as I admit to not knowing how to unpack this one by hand, and never cared enough to teach self how, hehe)

    Yet... during the close beta, before they add more encryption of strings inside of game.exe, I noticed this:

    Code:
    "Probably IMAGE_REL_BASED_MIPS_JMPADDR, Unsupported pe file,Mail it to Linzhe*** at 163 dot com" <<-- amazingly silly error.
    
    "Probably IMAGE_REL_BASED_SECTION(Reserved for future use 6), Unsupported pe file,Mail it to Linzhe*** at 163 dot com"
    
    SWBP is found by CheckSum_ThreadFunc
    CheckSum_ThreadFunc <<--google search for this term, will lead you to Chinese blog that has the function code...

    After reading your original post, I debug game.exe starting him from OllyDbg... and also find some packer type strings (long list of asm mnemonics) and some unusual strings...

    nothing of much yield good result via google, except for this: '[eip+ilen' <<-- which I found this string in 'demo' function for a Detours like api "mhook" -- ( google for term 'Mhook - CodeFromThe70s dot org' to find this).

    So perhaps, this Linzhe*** at 163 dot com is the author of file packer, I never email him and try to find out... yet considering that PWI is a Chinese company, this would make some sense (I suppose).

    Anyway, not much of technical information I am writing today... but sharing of some notes made while poking around FW client -- and I do agree the custom protection is quite interesting... also it is refreshing seeing an asian mmo which does not use trivial anticheat (i.e GameGuard, HackShield) .. as for debugging is always more fun than actual game play =)

    explosionsinthe
    So even the legendary fyyre is here
    Legendary? =) *blush* -- yes, usually I am where one may find others working on similar type goals ;)

    Be Well,

    -Fyyre

    P.S, it seems second game.exe is created exactly here:
    Code:
    00DC3691	FFD0                           CALL EAX	; GetCommandLineA
    00DC3693	8B15 E4040901            MOV EDX, DWORD PTR DS:[10904E4]
    00DC3699	8D8C24 A4010000        LEA ECX, DWORD PTR SS:[ESP+1A4]
    00DC36A0	68 00EC0F01                PUSH game.010FEC00
    00DC36A5	51                               PUSH ECX
    00DC36A6	6A 00                          PUSH 0
    00DC36A8	6A 00                          PUSH 0
    00DC36AA	6A 04                          PUSH 4
    00DC36AC	6A 00                          PUSH 0
    00DC36AE	6A 00                          PUSH 0
    00DC36B0	6A 00                          PUSH 0
    00DC36B2	81C2 261D0000            ADD EDX, 1D26
    00DC36B8	FFD2                           CALL EDX	; GetCommandLineA
    00DC36BA	8B0D C4080901            MOV ECX, DWORD PTR DS:[10908C4]
    00DC36C0	50                               PUSH EAX
    00DC36C1	8B4424 3C                   MOV EAX, DWORD PTR SS:[ESP+3C]
    00DC36C5	81C1 962E0000            ADD ECX, 2E96
    00DC36CB	50                               PUSH EAX
    00DC36CC	FFD1                           CALL ECX	; CreateProcessInternalA
    
    ...
    
    follows next is call to GetThreadContext, and DuplicateHandle
    Last edited by fyyre; 2011-04-18 at 07:01 AM.

  7. #7
    Dwar
    Dwar is offline
    Veteran Dwar's Avatar
    Join Date
    2010 Mar
    Posts
    2,222
    Thanks Thanks Given 
    211
    Thanks Thanks Received 
    2,230
    Thanked in
    292 Posts
    Rep Power
    10
    Awful, I need additional 8th day in week to complete all tasks in my planner… I can’t even finished short tut about debugging FW, so I’ll post different pieces here with less explanation as I wished.

    So, attaching debugger to FW. The trick is to catch system thread which created when debugger attached to the aim. We need to bypass DbgUiIssueRemoteBreakin, because this function will create a bp exception to inform debugger that the aim is ready and can be debugged.
    What we do:
    1. Run FW and kill parent process
    2. Suspend whole FW process. It’s required due to the anti-debug mechanism in FW. If you run debugger, your game client will die in several minutes (explanation below)
    3. Run ollydbg (olly_a) and load into olly_a another olly instance (olly_b)
    4. In olly_a we need to set bp on DbgUiDebugActiveProcess or you can set it on DebugActiveProcess and then step-in to the DbgUiDebugActiveProcess
    5. Now we attach olly_b to suspended FW process and resume FW
    6. Oops, olly_a stops and point us to the DbgUiDebugActiveProcess bp
    7. Now we must execute ZwDebugActiveProcess and then jump over the rest instructions.
    8. Turn back to the olly_b and resume FW threads
    9. That’s all. We get debugged client




    (sorry for messy instructions

    Now Forsaken sweets
    This isn’t a game client… this is a perfect patient for reversing and analyzing anti-debug techniques. Will be suitable for everyone, who wants to make a collection of different algorithms.

    Checking IsDebuggerPresent flag in PEB
    00DD2A90    55              push    ebp
    00DD2A91 8BEC mov ebp, esp
    00DD2A93 51 push ecx
    00DD2A94 C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
    00DD2A9B 64:A1 30000000 mov eax, dword ptr fs:[0x30]
    00DD2AA1 40 inc eax
    00DD2AA2 40 inc eax
    00DD2AA3 8B00 mov eax, dword ptr [eax]
    00DD2AA5 25 FF000000 and eax, 0xFF
    00DD2AAA 8945 FC mov dword ptr [ebp-0x4], eax
    00DD2AAD 8B45 FC mov eax, dword ptr [ebp-0x4]
    00DD2AB0 8BE5 mov esp, ebp
    00DD2AB2 5D pop ebp
    00DD2AB3 C3 retn


    Another variant

    asm
    mov edx, dword PTR FS:[$18]
    mov edx, dword PTR [edx + $30]
    movzx edx, byte PTR [edx + $02]
    end;



    and several lines below we have another block
    NtGlobalFlags in 0x68 of PEB. If app is debugged the value of NtGlobalFlags != 0
     00DD2AC0    55              push    ebp
    00DD2AC1 8BEC mov ebp, esp
    00DD2AC3 51 push ecx
    00DD2AC4 C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
    00DD2ACB 64:A1 30000000 mov eax, dword ptr fs:[0x30]
    00DD2AD1 8B40 68 mov eax, dword ptr [eax+0x68]
    00DD2AD4 83E0 70 and eax, 0x70
    00DD2AD7 8945 FC mov dword ptr [ebp-0x4], eax
    00DD2ADA 8B4D FC mov ecx, dword ptr [ebp-0x4]
    00DD2ADD 33C0 xor eax, eax
    00DD2ADF 85C9 test ecx, ecx
    00DD2AE1 0F95C0 setne al
    00DD2AE4 8BE5 mov esp, ebp
    00DD2AE6 5D pop ebp
    00DD2AE7 C3 retn



    and this
    another flag in Heap. Normally it should be = 2
    00DD2AF0    55              push    ebp
    00DD2AF1 8BEC mov ebp, esp
    00DD2AF3 51 push ecx
    00DD2AF4 C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
    00DD2AFB 64:A1 30000000 mov eax, dword ptr fs:[0x30]
    00DD2B01 8B40 18 mov eax, dword ptr [eax+0x18]
    00DD2B04 8B40 0C mov eax, dword ptr [eax+0xC]
    00DD2B07 8945 FC mov dword ptr [ebp-0x4], eax
    00DD2B0A 8B4D FC mov ecx, dword ptr [ebp-0x4]
    00DD2B0D 33C0 xor eax, eax
    00DD2B0F 83F9 02 cmp ecx, 0x2
    00DD2B12 0F94C0 sete al
    00DD2B15 40 inc eax
    00DD2B16 8BE5 mov esp, ebp
    00DD2B18 5D pop ebp
    00DD2B19 C3 retn


    and this
    When app is debugged the process heap is created with HEAP_TAIL_CHECKING_ENABLED flag.
    00DD2B50    55              push    ebp
    00DD2B51 8BEC mov ebp, esp
    00DD2B53 83EC 1C sub esp, 0x1C
    00DD2B56 B0 31 mov al, 0x31
    00DD2B58 57 push edi
    00DD2B59 8845 E4 mov byte ptr [ebp-0x1C], al
    00DD2B5C 8845 E5 mov byte ptr [ebp-0x1B], al
    00DD2B5F 8845 E6 mov byte ptr [ebp-0x1A], al
    00DD2B62 8845 E7 mov byte ptr [ebp-0x19], al
    00DD2B65 8845 E8 mov byte ptr [ebp-0x18], al
    00DD2B68 8845 E9 mov byte ptr [ebp-0x17], al
    00DD2B6B 8845 EA mov byte ptr [ebp-0x16], al
    00DD2B6E 8845 EB mov byte ptr [ebp-0x15], al
    00DD2B71 8845 EC mov byte ptr [ebp-0x14], al
    00DD2B74 8845 ED mov byte ptr [ebp-0x13], al
    00DD2B77 8845 EE mov byte ptr [ebp-0x12], al
    00DD2B7A 8845 EF mov byte ptr [ebp-0x11], al
    00DD2B7D 8845 F0 mov byte ptr [ebp-0x10], al
    00DD2B80 8845 F1 mov byte ptr [ebp-0xF], al
    00DD2B83 8845 F2 mov byte ptr [ebp-0xE], al
    00DD2B86 8845 F3 mov byte ptr [ebp-0xD], al
    00DD2B89 8845 F4 mov byte ptr [ebp-0xC], al
    00DD2B8C 8845 F5 mov byte ptr [ebp-0xB], al
    00DD2B8F 8845 F6 mov byte ptr [ebp-0xA], al
    00DD2B92 8845 F7 mov byte ptr [ebp-0x9], al
    00DD2B95 8845 F8 mov byte ptr [ebp-0x8], al
    00DD2B98 8845 F9 mov byte ptr [ebp-0x7], al
    00DD2B9B 8D45 E4 lea eax, dword ptr [ebp-0x1C]
    00DD2B9E 66:C745 FA 0000 mov word ptr [ebp-0x6], 0x0
    00DD2BA4 8945 FC mov dword ptr [ebp-0x4], eax
    00DD2BA7 8B45 FC mov eax, dword ptr [ebp-0x4]
    00DD2BAA 0FBE48 FE movsx ecx, byte ptr [eax-0x2]
    00DD2BAE 0FBF50 F8 movsx edx, word ptr [eax-0x8]
    00DD2BB2 2BC1 sub eax, ecx
    00DD2BB4 8D3CD0 lea edi, dword ptr [eax+edx*8]
    00DD2BB7 B0 AB mov al, 0xAB
    00DD2BB9 B1 08 mov cl, 0x8
    00DD2BBB 33C0 xor eax, eax
    00DD2BBD 5F pop edi
    00DD2BBE 8BE5 mov esp, ebp
    00DD2BC0 5D pop ebp
    00DD2BC1 C3 retn


    next
    CheckRemoteDebuggerPresent
    00DD2BD0    55              push    ebp
    00DD2BD1 8BEC mov ebp, esp
    00DD2BD3 83EC 08 sub esp, 0x8
    00DD2BD6 A1 D4040901 mov eax, dword ptr [0x10904D4]
    00DD2BDB 68 E4690C01 push 010C69E4 ; ASCII "Kernel32.dll"
    00DD2BE0 05 DE1C0000 add eax, 0x1CDE
    00DD2BE5 C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
    00DD2BEC FFD0 call eax
    00DD2BEE 83F8 FF cmp eax, -0x1
    00DD2BF1 75 06 jnz short 00DD2BF9
    00DD2BF3 33C0 xor eax, eax
    00DD2BF5 8BE5 mov esp, ebp
    00DD2BF7 5D pop ebp
    00DD2BF8 C3 retn
    00DD2BF9 8B0D 64060901 mov ecx, dword ptr [0x1090664]
    00DD2BFF 68 C8690C01 push 010C69C8 ; ASCII "CheckRemoteDebuggerPresent"
    00DD2C04 50 push eax
    00DD2C05 81C1 E6230000 add ecx, 0x23E6
    00DD2C0B FFD1 call ecx
    00DD2C0D 85C0 test eax, eax
    00DD2C0F 8945 F8 mov dword ptr [ebp-0x8], eax
    00DD2C12 74 0B je short 00DD2C1F
    00DD2C14 50 push eax
    00DD2C15 54 push esp
    00DD2C16 6A FF push -0x1
    00DD2C18 FF55 F8 call dword ptr [ebp-0x8]
    00DD2C1B 58 pop eax
    00DD2C1C 8945 FC mov dword ptr [ebp-0x4], eax
    00DD2C1F 8B45 FC mov eax, dword ptr [ebp-0x4]
    00DD2C22 8BE5 mov esp, ebp
    00DD2C24 5D pop ebp
    00DD2C25 C3 retn


    next
    Abnormal interruption by Int3. If program is not debugging, then the exception will be passed.
    00DC8835    50              push    eax
    00DC8836 64:FF35 0000000>push dword ptr fs:[0]
    00DC883D 64:8925 0000000>mov dword ptr fs:[0], esp
    00DC8844 33C0 xor eax, eax
    00DC8846 C700 00000000 mov dword ptr [eax], 0x0
    00DC884C 64:8F05 0000000>pop dword ptr fs:[0]
    00DC8853 83C4 04 add esp, 0x4
    00DC8856 85C0 test eax, eax
    00DC8858 74 39 je short 00DC8893


    or
    00DD2EE0    55              push    ebp
    00DD2EE1 8BEC mov ebp, esp
    00DD2EE3 68 092FDD00 push 00DD2F09
    00DD2EE8 64:FF35 0000000>push dword ptr fs:[0]
    00DD2EEF 64:8925 0000000>mov dword ptr fs:[0], esp
    00DD2EF6 33C0 xor eax, eax
    00DD2EF8 CC int3
    00DD2EF9 64:8F05 0000000>pop dword ptr fs:[0]
    00DD2F00 83C4 04 add esp, 0x4
    00DD2F03 85C0 test eax, eax
    00DD2F05 74 19 je short 00DD2F20



    next will generate an exception
    00DD2F30    66:9C           pushfw
    00DD2F32 C70424 00010000 mov dword ptr [esp], 0x100
    00DD2F39 66:9D popfw
    00DD2F3B B8 01000000 mov eax, 0x1
    00DD2F40 C3 retn



    this is another anti-debug. In my lists I've marked this function as for win7 func (I can't say anything more)
    00DD2F80    55              push    ebp
    00DD2F81 8BEC mov ebp, esp
    00DD2F83 51 push ecx
    00DD2F84 53 push ebx
    00DD2F85 C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
    00DD2F8C 68 BC2FDD00 push 00DD2FBC
    00DD2F91 64:FF35 0000000>push dword ptr fs:[0]
    00DD2F98 64:8925 0000000>mov dword ptr fs:[0], esp
    00DD2F9F 33C0 xor eax, eax
    00DD2FA1 CC int3
    00DD2FA2 64:8F05 0000000>pop dword ptr fs:[0]
    00DD2FA9 83C4 04 add esp, 0x4
    00DD2FAC 64:A1 18000000 mov eax, dword ptr fs:[0x18]
    00DD2FB2 05 FC0B0000 add eax, 0xBFC
    00DD2FB7 8B18 mov ebx, dword ptr [eax]
    00DD2FB9 895D FC mov dword ptr [ebp-0x4], ebx
    00DD2FBC 8B4424 0C mov eax, dword ptr [esp+0xC]
    00DD2FC0 FF80 B8000000 inc dword ptr [eax+0xB8]
    00DD2FC6 33C0 xor eax, eax
    00DD2FC8 C3 retn
    00DD2FC9 8B45 FC mov eax, dword ptr [ebp-0x4]
    00DD2FCC 5B pop ebx
    00DD2FCD 8BE5 mov esp, ebp
    00DD2FCF 5D pop ebp
    00DD2FD0 C3 retn


    and one more
    00DD3060    55              push    ebp
    00DD3061 8BEC mov ebp, esp
    00DD3063 51 push ecx
    00DD3064 C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
    00DD306B 33C0 xor eax, eax
    00DD306D 99 cdq
    00DD306E FF35 9530DD00 push dword ptr [0xDD3095]
    00DD3074 64:FF30 push dword ptr fs:[eax]
    00DD3077 64:8920 mov dword ptr fs:[eax], esp
    00DD307A CC int3
    00DD307B 90 nop
    00DD307C 90 nop
    00DD307D 90 nop
    00DD307E 90 nop
    00DD307F F7F2 div edx
    00DD3081 90 nop
    00DD3082 64:8F05 0000000>pop dword ptr fs:[0]
    00DD3089 83C4 04 add esp, 0x4


    and int2 at the beginning (olly2 will die when reach int 0x2D)
    00DC4329    C745 FC 0000000>mov     dword ptr [ebp-0x4], 0x0
    00DC4330 CD 2D int 0x2D
    00DC4332 33C0 xor eax, eax
    00DC4334 83C0 02 add eax, 0x2
    00DC4337 C745 FC FFFFFFF>mov dword ptr [ebp-0x4], -0x1


    oh, also detecting HideOD Olly plugin
    PHP Code:
    00DD3520    81EC 94000000   sub     esp0x94
    00DD3526    56              push    esi
    00DD3527    57              push    edi
    00DD3528    B9 24000000     mov     ecx
    0x24
    00DD352D    33C0            
    xor     eaxeax
    00DD352F    8D7C24 0C       lea     edi
    dword ptr [esp+0xC]
    00DD3533    C74424 08 94000>mov     dword ptr [esp+0x8], 0x94
    00DD353B    F3
    :AB           rep     stos dword ptr es:[edi]
    00DD353D    A1 D4040901     mov     eaxdword ptr [0x10904D4]
    00DD3542    68 48640C01     push    010C6448                         ASCII "ntdll.dll"
    00DD3547    05 DE1C0000     add     eax0x1CDE
    00DD354C    FFD0            call    eax
    00DD354E    8B0D 64060901   mov     ecx
    dword ptr [0x1090664]
    00DD3554    68 606A0C01     push    010C6A60                         ASCII "ZwSetInformationThread"
    00DD3559    50              push    eax
    00DD355A    81C1 E6230000   add     ecx
    0x23E6
    00DD3560    FFD1            call    ecx
    00DD3562    85C0            test    eax
    eax
    00DD3564    74 44           je      short 00DD35AA
    00DD3566    66
    :8B70 06      mov     siword ptr [eax+0x6]
    00DD356A    A1 D0020901     mov     eaxdword ptr [0x10902D0]
    00DD356F    8D5424 08       lea     edxdword ptr [esp+0x8]
    00DD3573    05 CC130000     add     eax0x13CC
    00DD3578    52              push    edx
    00DD3579    FFD0            call    eax
    00DD357B    837C24 18 02    cmp     dword ptr 
    [esp+0x18], 0x2
    00DD3580    75 28           jnz     short 00DD35AA
    00DD3582    8B4424 0C       mov     eax
    dword ptr [esp+0xC]
    00DD3586    83F8 04         cmp     eax0x4
    00DD3589    77 0A           ja      short 00DD3595
    00DD358B    75 1D           jnz     short 00DD35AA
    00DD358D    8B4424 10       mov     eax
    dword ptr [esp+0x10]
    00DD3591    85C0            test    eaxeax
    00DD3593    76 15           jbe     short 00DD35AA
    00DD3595    66
    :81FE 0003    cmp     si0x300
    00DD359A    74 0E           je      short 00DD35AA
    00DD359C    5F              pop     edi
    00DD359D    B8 01000000     mov     eax
    0x1
    00DD35A2    5E              pop     esi
    00DD35A3    81C4 94000000   add     esp
    0x94
    00DD35A9    C3              retn
    00DD35AA    5F              pop     edi
    00DD35AB    33C0            
    xor     eaxeax
    00DD35AD    5E              pop     esi
    00DD35AE    81C4 94000000   add     esp
    0x94
    00DD35B4    C3              retn 
    ok, most of standalone anti-debug functions are somewhere around 00DD2A90

    There are also functions for finding windows and processes of certain name

    P.S. If something is wrong, please correct me
    Please, post your questions on forum, not by PM or mail

    I spend my time, so please pay a little bit of your time to keep world in equilibrium

  8. The Following 2 Users Say Thank You to Dwar For This Useful Post:


  9. #8
    fyyre
    fyyre is offline
    New member fyyre's Avatar
    Join Date
    2011 Apr
    Location
    0xfe
    Posts
    21
    Thanks Thanks Given 
    7
    Thanks Thanks Received 
    2
    Thanked in
    2 Posts
    Rep Power
    0
    Hi Dwar,

    Excellent write up!

    I am thinking the author of this packer also has read Peter Ferrie's "Anti-Unpacker Tricks" series for Virus Bulletin ;) ... as most of these tricks are detailed in that series.


    this is another anti-debug. In my lists I've marked this function as for win7 func (I can't say anything more)
    This one is examine of struct _TEB + 0xBFC which is ptr to unicode string of ntdll, etc.. (0xC00) ... if the process is operating under a debugger, this will be NULL instead of UNICODE_STRING system dll names.

    Is a good thing this packer like most others are oblivious to TEB+WOW32Reserved ;)

    -Fyyre

  10. The Following User Says Thank You to fyyre For This Useful Post:


  11. #9
    Abstract
    Abstract is offline
    New member
    Join Date
    2011 Apr
    Location
    Germany
    Posts
    5
    Thanks Thanks Given 
    2
    Thanks Thanks Received 
    8
    Thanked in
    1 Post
    Rep Power
    0
    First of all thank you. I worked around the Interruped 2D and IsDebuggerPresent wasn't hard todo. But i didn't get very far just like you, but you found the idea to attach a debugger ^^.

    I am writing a reversing tutorial at the moment. Can i refer to you debugger attach knowledge? You want me to give you credit as Dwar?

    Sorry for the questions in exchange i try helping completting the package list on your other thread

  12. #10
    coded
    coded is offline
    New member coded's Avatar
    Join Date
    2011 May
    Posts
    30
    Thanks Thanks Given 
    10
    Thanks Thanks Received 
    27
    Thanked in
    8 Posts
    Rep Power
    0
    ugh, I tried suspending the thread but it didn't work. Not sure, if it's the same on XP. It's sucks without a debugger, allocating virtual memory so it could jump into my code to store the registers in an address space. <<. I'll try to do more research on anti debugging and keep trying.
    “It's not that I'm so smart , it's just that I stay with problems longer .”

    -Albert Einstein

Page 1 of 2 12 LastLast

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •