Jump to content
Tuts 4 You

[crackme] Interesting Antidebug Trick?

rendari

By rendari
in CrackMe

 Share

Recommended Posts

rendari

rendari

Posted
Posted

Hello all,

I stumbled upon this antidebug trick on my 64 bit windows 7. I now want to see if it works in 32 bit on any other OS. Can you guys please download and run this exe in and out of a debugger and tell me if it detects your or not? I would like to see if this antidebug trick is platform specific or not :)

Thanks!

-rendariAntidebug_Test.zip

mactwo1

mactwo1

Posted
Posted (edited)

Hello all,

I stumbled upon this antidebug trick on my 64 bit windows 7. I now want to see if it works in 32 bit on any other OS. Can you guys please download and run this exe in and out of a debugger and tell me if it detects your or not? I would like to see if this antidebug trick is platform specific or not :)

Thanks!

-rendariAntidebug_Test.zip

Running on 32 bit windows xp sp3

All Good :) in and out of debugger

Not detected

Hope info helps

Edited by mactwo1
Teddy Rogers

Teddy Rogers

Posted
Posted

The [crackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thankyou!

[This is an automated reply]

deepzero

deepzero

Posted
Posted

Is there supposed to be anything special except for IsDebuggerPresent?

metr0

metr0

Posted
Posted

Tested it on 7 x64 out of curiosity (having the default antidbg options enabled, PEB stuff as well), didn't detect me though. Just thought you'd like to know.

revert

revert

Posted
Posted

Did detect me on Win7 x64. It seems to detect my "Protect DRX" option in Stealth64.

Interesting ;)

rendari

rendari

Posted
  • Author
Posted

Did detect me on Win7 x64. It seems to detect my "Protect DRX" option in Stealth64.

Interesting ;)

Yep, that's it :) Thanks!
Is there supposed to be anything special except for IsDebuggerPresent?
The IsDebuggerPresent is there to confuse! You should dig into AddHook (the first call) and see what is happening :)

Thanks all,

-rendari

jensma

jensma

Posted
Posted

Windows7, 32bit gets detected for me :)

rendari

rendari

Posted
  • Author
Posted

^With or without debugger?

Deathway

Deathway

Posted
Posted (edited)

Detect my Debugger with Phant0m all enabled

OS: Windows XP SP3 32bit

Using a default olly with just IsDebuggerPresent bypassed, no detection :D

Without debugger, 'All Good' message :)

Edited by Deathway
Peter Ferrie

Peter Ferrie

Posted
Posted

Detect my Debugger with Phant0m all enabled

OS: Windows XP SP3 32bit

Using a default olly with just IsDebuggerPresent bypassed, no detection :D

Without debugger, 'All Good' message :)

IsDebuggerPresent code should not even be reached. The vectored exception handler receives two exceptions (breakpoint and single-step), so it bypasses the code both times.

When the breakpoint is hit, the handler sets a hardware breakpoint, which triggers the single-step.

It should work on a 32-bit OS, too, since there's nothing undocumented happening here.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...