Lycosidae - Modern Anti Debug

Lueilwitz · #1 10-17-2019, 21:31

https://github.com/lurumdare/Lycosidae

Bypass ScyllaHide

Features
- Import no leak
- Strings no leak

zeffy · #2 10-19-2019, 14:07

I haven't looked at the entire source, but isn't using CRC32 to verify functions easy to bypass?

For example, https://www.nayuki.io/page/forcing-a-files-crc-to-any-value

Seems like it would be trivial to change the hooking procedure of ScyllaHide to use code like this to get the correct CRC with only 5 extra bytes of overhead (4 bytes of garbage after the jmp + 0xCC), and the CRC check could be circumvented.

I think it would be better to just do a direct byte comparison of the functions since they are being processing in their entirety to get the length already.

Lueilwitz · #3 10-19-2019, 21:15

Quote:

Originally Posted by zeffy

I haven't looked at the entire source, but isn't using CRC32 to verify functions easy to bypass?

For example, https://www.nayuki.io/page/forcing-a-files-crc-to-any-value

Seems like it would be trivial to change the hooking procedure of ScyllaHide to use code like this to get the correct CRC with only 5 extra bytes of overhead (4 bytes of garbage after the jmp + 0xCC), and the CRC check could be circumvented.

I think it would be better to just do a direct byte comparison of the functions since they are being processing in their entirety to get the length already.

If u have free time, welcom to contribute!

gigaman · #4 10-23-2019, 05:28

Quote:

Originally Posted by zeffy

Seems like it would be trivial to change the hooking procedure of ScyllaHide to use code like this to get the correct CRC with only 5 extra bytes of overhead (4 bytes of garbage after the jmp + 0xCC), and the CRC check could be circumvented.

If that happened, you could just change the polynomial here (e.g. change CRC32 to CRC32c) and the CRC check would work again...

evlncrn8 · #5 10-23-2019, 05:50

i really dont see whats so fantastic / revolutionary about this at all

Lueilwitz · #6 10-30-2019, 13:15

Need tester for this branch

https://github.com/lurumdare/ScyllaHideDetector/tree/crc32c

Lueilwitz · #7 01-19-2020, 21:32

Updated

https://github.com/lurumdare/Lycosidae2

Thread Tools
Show Printable Version Email this Page
Display Modes
Switch to Linear Mode Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
C# Anti-Debug and Anti-Dumping (source code)	Zeokat	Source Code	0	12-29-2021 04:06

The Following 2 Users Say Thank You to Lueilwitz For This Useful Post:
niculaita (10-18-2019), nimaarek (10-29-2019)

The Following 5 Users Say Thank You to zeffy For This Useful Post:
Abaddon (10-19-2019), chessgod101 (10-20-2019), Lueilwitz (10-19-2019), niculaita (10-19-2019), nimaarek (10-29-2019)

The Following User Says Thank You to gigaman For This Useful Post:
Lueilwitz (10-30-2019)

The Following User Says Thank You to Lueilwitz For This Useful Post:
h4sh3m (01-19-2020)