Aldhard Oswine
Posted March 16, 2017 (edited)

I'm learning Anti-RE techniques and I have a simple problem with NtGlobalFlag:

    void PEBglobalflags()
    {
        BOOL f = FALSE;
        __asm {
            xor eax, eax
            mov eax, fs:[0x30]
            movzx eax, [eax+0x68]
            mov f, eax
        }
        if (f) {
            MessageBox(nullptr, L"Dbg", L"", 0);
            exit(1);
        }
    }

Using this method I cannot detect the debugger. eax is always 0, instead of 0x70.

Image: https://ibb.co/b89vYv

Windows 10 - x86_64, application x86, MSVC 2017

evlncrn8
Posted March 17, 2017 (edited)

+0x068 NtGlobalFlag : Uint4B

it's a dword... so your movzx is probably the issue... try mov eax, dword ptr fs:[0x68]

the compiler should have bitched at you anyway for the asm being 'wrong'

and it's a shitty antidebug method nehows.. there's much better out there..

next time, to fix it yourself, try putting in a DebugBreak() at the start of the function, compile, load it up in olly and trace, then you'll see the problem...
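
An added example, not code from either poster: it decodes the field from a raw copy of a 32-bit PEB (for instance, one carved from a memory dump), using the offset and size quoted above (+0x068, Uint4B) and the 0x70 value the first post expects. The FLG_* names are the documented gflags constants; the function names and the sample buffer are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* gflags bits that make up the 0x70 value mentioned in the thread */
#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40u
#define DEBUG_HEAP_MASK (FLG_HEAP_ENABLE_TAIL_CHECK | \
                         FLG_HEAP_ENABLE_FREE_CHECK | \
                         FLG_HEAP_VALIDATE_PARAMETERS)

#define PEB32_NTGLOBALFLAG_OFFSET 0x68u /* +0x068 NtGlobalFlag : Uint4B */

/* Read the 4-byte little-endian NtGlobalFlag from a raw 32-bit PEB copy.
 * Returns 0 on success, -1 if the buffer is missing or too short. */
int peb32_nt_global_flag(const uint8_t *peb, size_t len, uint32_t *out)
{
    if (peb == NULL || out == NULL || len < PEB32_NTGLOBALFLAG_OFFSET + 4u)
        return -1;
    const uint8_t *p = peb + PEB32_NTGLOBALFLAG_OFFSET;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 0;
}

/* 1 if all three debug-heap bits are set, 0 if not, -1 on a short buffer. */
int peb32_debug_heap_flags_set(const uint8_t *peb, size_t len)
{
    uint32_t flag;
    if (peb32_nt_global_flag(peb, len, &flag) != 0)
        return -1;
    return (flag & DEBUG_HEAP_MASK) == DEBUG_HEAP_MASK;
}

/* Constructed sample: a zeroed 0x100-byte "PEB" with only NtGlobalFlag set. */
int sample_check(uint32_t value)
{
    uint8_t peb[0x100] = {0};
    for (int i = 0; i < 4; i++)
        peb[PEB32_NTGLOBALFLAG_OFFSET + i] = (uint8_t)(value >> (8 * i));
    return peb32_debug_heap_flags_set(peb, sizeof peb);
}

int main(void)
{
    printf("0x70 -> %d, 0x00 -> %d\n", sample_check(0x70), sample_check(0));
    return 0;
}
```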