hehe corrupting new installation

i said i used an alien computer in cafe
with the non-admin account with least privileges let you corrupt system
anyway here is how i enable debug strings
options--->debugging options-->events-->change radio button to system breakpoint
checkmark the event break on debug strings
f9 the app
olly will stop at the system breakpoint, which is a RETN instruction
Code:
77F9F9DF > CC INT3
77F9F9E0 C3 RETN <---- here
F7 once and you will see it accessing NtGlobalFlag, i.e. PEB->NtGlobalFlag at fs:[30h]+68h (32-bit PEB layout)
Code:
77F992CF MOV AL,BYTE PTR DS:[ESI+68] ; esi = PEB (fs:[30h]); +68h = PEB.NtGlobalFlag, low byte only
77F992D2 AND AL,2 ; keep only bit value 2: LDR_SHOW_SNAPS (FLG_SHOW_LDR_SNAPS)
77F992D4 MOV BYTE PTR DS:[77FCE6F0],AL ; save flag into a static in the loader module (presumably ntdll)
if you have enabled options-->debugging options-->register-->decode registers for any ip,
you will see this in the information pane
Code:
DS:[7FFDF068]=70 ('p')
AL=02
select the DS:[...] line and right-click --> modify data
make it 72 (that is 70 with bit value 2 set, the bit tested by the AND AL,2 above)
that is all

and if you now f9
olly will automatically stop on the next debug string
viz.
Code:
Log data, item 0
Address=77F9FA77
Message=Debug string: LDR: Real INIT LIST
Log data, item 0
Address=77F9FA77
Message=Debug string: C:\WINNT\system32\KERNEL32.dll init routine 77e8c3d8
and so on. btw, since this topic deals with anti-debugging tricks, i would broach one more undocumented anti-debugging trick
i've not seen it being used anywhere
take a look at the html page in the attachment; it comes with the app in a zip
for those who just prefer code:
Code:
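; ---------------------------------------------------------------------------
; Demo: compare PEB.NtGlobalFlag (fs:[30h]+68h in a 32-bit process) with the
; persistent GlobalFlag value stored under
; HKLM\SYSTEM\CurrentControlSet\Control\Session Manager.
; Target:  x86-32, MASM32, stdcall, Win32 API. 32-bit PEB layout only.
; Regs:    eax = NtGlobalFlag read from the PEB / API return values.
;          No callee-saved register is touched; all state lives in .DATA?.
; Fixes vs. the original: '.elseif' without a condition replaced by '.else';
;          key opened with KEY_READ instead of KEY_ALL_ACCESS (least privilege,
;          and KEY_ALL_ACCESS fails for a non-administrator account);
;          RegOpenKeyEx result checked so no garbage handle is queried/closed.
; ---------------------------------------------------------------------------
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
include \masm32\include\advapi32.inc
includelib \masm32\lib\advapi32.lib

.data
; wsprintf format: first %08x = PEB value, second %08x = registry value.
; 'forma' is identical to 'forma1' and is not referenced; kept for layout.
forma      db "GlobalFlag in fs:[30]+68 is equal to %08x",13,10,"GlobalFlag in registry is equal to %08x",0
forma1     db "GlobalFlag in fs:[30]+68 is equal to %08x",13,10,"GlobalFlag in registry is equal to %08x",0
tite       db "goodguy you are not running inside debugger",0
tite1      db "badguy you are running this under debugger",0
subkeyname db "SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER",0
valuename  db "GLOBALFLAG",0

.DATA?
buffer     db 120h dup (?)        ; wsprintf output text
buffer1    db 120h dup (?)        ; HKEY from RegOpenKeyEx (first dword), 0 = not opened
buffer2    db 120h dup (?)        ; lpType out-param of RegQueryValueEx (first dword)
buffer3    db 120h dup (?)        ; lpData out-param: registry GlobalFlag (first dword)
buffer4    dd ?                   ; lpcbData: size of buffer3 on input, bytes written on output

.CODE
start:
        ; .DATA? is zero-initialised, so if the key or value is missing
        ; buffer3 still reads as 0 below.
        mov     buffer4,45h                   ; cbData; must not exceed sizeof buffer3 (120h)
        ; KEY_READ is all a query needs; KEY_ALL_ACCESS would also demand
        ; write rights, which a non-administrator account normally lacks.
        invoke  RegOpenKeyEx,HKEY_LOCAL_MACHINE,ADDR subkeyname,NULL,KEY_READ,addr buffer1
        .if eax != ERROR_SUCCESS
            mov     dword ptr ds:[buffer1],0  ; nothing to query or close
        .else
            ; return value deliberately not checked: on failure buffer3 keeps 0
            invoke  RegQueryValueEx,dword ptr ds:[buffer1],addr valuename,NULL,addr buffer2,addr buffer3,addr buffer4
        .endif
        assume  fs:nothing
        mov     eax,fs:[30h]                  ; eax = PEB (TEB+30h, 32-bit)
        mov     eax,[eax+68h]                 ; eax = PEB.NtGlobalFlag
        ; Both branches print the same text; only the caption differs.
        .if dword ptr ds:[buffer3]==eax
            invoke  wsprintf,addr buffer,addr forma1,eax,dword ptr ds:[buffer3]
            invoke  MessageBox,NULL,offset buffer,offset tite,NULL
        .else
            invoke  wsprintf,addr buffer,addr forma1,eax,dword ptr ds:[buffer3]
            invoke  MessageBox,NULL,offset buffer,offset tite1,NULL
        .endif
        ; only close a handle we actually obtained
        .if dword ptr ds:[buffer1] != 0
            invoke  RegCloseKey,dword ptr ds:[buffer1]
        .endif
        invoke  ExitProcess,NULL
end start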