rendari Posted May 19, 2010 Share Posted May 19, 2010 Hello all, I stumbled upon this antidebug trick on my 64 bit windows 7. I now want to see if it works in 32 bit on any other OS. Can you guys please download and run this exe in and out of a debugger and tell me if it detects your or not? I would like to see if this antidebug trick is platform specific or not Thanks! -rendariAntidebug_Test.zip Link to comment Share on other sites More sharing options...
mactwo1 Posted May 19, 2010 Share Posted May 19, 2010 (edited) Hello all, I stumbled upon this antidebug trick on my 64 bit windows 7. I now want to see if it works in 32 bit on any other OS. Can you guys please download and run this exe in and out of a debugger and tell me if it detects your or not? I would like to see if this antidebug trick is platform specific or not Thanks! -rendariAntidebug_Test.zip Running on 32 bit windows xp sp3 All Good in and out of debugger Not detected Hope info helps Edited May 19, 2010 by mactwo1 Link to comment Share on other sites More sharing options...
Teddy Rogers Posted May 19, 2010 Share Posted May 19, 2010 The [crackme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format - thankyou! [This is an automated reply] Link to comment Share on other sites More sharing options...
deepzero Posted May 19, 2010 Share Posted May 19, 2010 Is there supposed to be anything special except for IsDebuggerPresent? Link to comment Share on other sites More sharing options...
metr0 Posted May 19, 2010 Share Posted May 19, 2010 Tested it on 7 x64 out of curiosity (having the default antidbg options enabled, PEB stuff as well), didn't detect me though. Just thought you'd like to know. Link to comment Share on other sites More sharing options...
revert Posted May 19, 2010 Share Posted May 19, 2010 Did detect me on Win7 x64. It seems to detect my "Protect DRX" option in Stealth64. Interesting Link to comment Share on other sites More sharing options...
rendari Posted May 19, 2010 Author Share Posted May 19, 2010 Did detect me on Win7 x64. It seems to detect my "Protect DRX" option in Stealth64. Interesting Yep, that's it Thanks!Is there supposed to be anything special except for IsDebuggerPresent? The IsDebuggerPresent is there to confuse! You should dig into AddHook (the first call) and see what is happening Thanks all, -rendari Link to comment Share on other sites More sharing options...
jensma Posted May 20, 2010 Share Posted May 20, 2010 Windows7, 32bit gets detected for me Link to comment Share on other sites More sharing options...
rendari Posted May 20, 2010 Author Share Posted May 20, 2010 ^With or without debugger? Link to comment Share on other sites More sharing options...
Deathway Posted May 22, 2010 Share Posted May 22, 2010 (edited) Detect my Debugger with Phant0m all enabled OS: Windows XP SP3 32bit Using a default olly with just IsDebuggerPresent bypassed, no detection Without debugger, 'All Good' message Edited May 22, 2010 by Deathway Link to comment Share on other sites More sharing options...
Peter Ferrie Posted May 26, 2010 Share Posted May 26, 2010 Detect my Debugger with Phant0m all enabled OS: Windows XP SP3 32bit Using a default olly with just IsDebuggerPresent bypassed, no detection Without debugger, 'All Good' message IsDebuggerPresent code should not even be reached. The vectored exception handler receives two exceptions (breakpoint and single-step), so it bypasses the code both times. When the breakpoint is hit, the handler sets a hardware breakpoint, which triggers the single-step. It should work on a 32-bit OS, too, since there's nothing undocumented happening here. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now