Win32 Debug Protection Idea

Goal: Stop out program being debuged by ollydebug (or other win32 debuger).
Method: My idea for this is simple... yet sometimes complex to explain it goes as follows (psudo code):

Code:

BEGIN
  IF IsDebuggerPresent() THEN
      WaitForSingleEvent(SomeEvent);
      GOTO Normal Program;
  ELSE
       CreateProcess();
       DebugActiveProcess(SomePID);
       CreateEvent(SomeEvent);
       
       LOOP WaitForDebugEvent(&DebugEv, INFINITE); 
          <Debug Loop Code>
          ContinueDebugEvent(DebugEv.dwProcessId, DebugEv.dwThreadId, dwContinueStatus); 

       DO
   END IF

Somthing along those lines.

When combined with other anti olly tricks and good program design and algorythm it should make vey annoying to debug.

Basicly it works on the fact that an exe can only be debuged by one parent, and it uses IsDebuggerPresent creativly so if someone just blindly says there is no debuger the program will malfunction. or if there is a debugger and its not its self, it will hang because there is no event.

very easy to just make the even your self but the point is its somthing differnt and a little tricky.

expansions on this idea are very welcome as well as easy work arounds..

anyone know of someone using this idea?

p.s

hxxp://msdn.microsoft.com/library/enus/debug/base/creating_a_basic_debugger.asp

Nice example and information on the win32 debugging apis.

If you want it to be effective, you'd have to hide the debugger api calls,
and make the main program communicate with the parent process more
than just that waitforsingleobject. This is what arma does.
And BTW, against Sice it is completely unusefull

And if I'd like to get over it, I'd bpm address checked by IsDebuggerPresent,
and then just jump over the waitforsingleobject.
Expansions - look at arma nanomites, AsProtect RaiseException and so on...
Anyway, good try.
Regards,
least

[ricnar456]

armadillo with copymem2 make this trick and was defeated with ollydbg.

Ricardo Narvaja

damn people inventing things before i do! lol
of course more interproc comunication would be done... maybe even decryption of code while running. (both ways child<>parent).
Dynamicly loading the api calls and then checking there address's for breakpoints before calling them would make it a tiny bit harder.

some extra anti debug things could be added too.

Anyone have more ideas?

(just for the record this is not going to be used in any protection i am making.. well maybe a crackme in the future... i am just interested in protection and not trooling for ideas... i wouldnt give away my secrets if i were :P)

If you want more ideas, study commercial packers like arma, aspr, and alike - they have lots tricks inside and some of them are really interesting. If you'd like to make it a little bit harder, try also utilize SEH - then it is real fun.
One interesting idea from one crackme I've heared of is this - it used SEH with singlestep exception; executed one instruction, overwrited the place with another one, executed it, then overwrited it with third,... quite messy to debug I think There are unlimited posibilities...
Good luck,
least

PS. look to the ^DAEMON^'s cave, here are loads of tricks...

i'm am rather happy with my current solotion... i don't want my crackme to be all just anti junk i am more looking for good ideas and less anti everything hehe.

right now i am working on a key system, i am thinking i will go with key files and ECC crypto but there are very few practical tutorials on writing a key system and the ones that are around are very poor and very easy to keygen.

reversing other peoples projects is a great source of ideas, but i am more on the protection side of the fence, just because i see my self as being more creative, so my reversing is not great.. but it gets me by.. you gotta ride the fence to get good at ether side aye.

offtopic:
(dont wanna create a new topic)

has anyone seen any interesting crackmes using public key encryption? (good examples... not like the old keygenable armadillo system which seemed useless)

Armadillo uses Public Key Kryptosystem from 3.61 and v10 Keys Version only.

[Darren]

http://www.certicom.com/index.php?action=ecc_tutorial,home

might help you get some understanding of ECC

- Darren

[SiNTAX]

Quote:

Originally Posted by least

One interesting idea from one crackme I've heared of is this - it used SEH with singlestep exception; executed one instruction, overwrited the place with another one, executed it, then overwrited it with third,... quite messy to debug I think There are unlimited posibilities...

Hardly a new idea.. (I remember Rob Northern Copylock on Amiga used that, back in 1990 or maybe even earlier)

Getting around that isn't that hard either.. ie if you patch the decryption routine to store the unencrypted code copy somewhere else and then dump it to have a look at it. (or use a tracer that can trace through it)

I think the best way would be to use Ring 0 code to change the INT 1/3 handlers (by patching the IDT) to something in your own code. No debugger can possibly avoid this.

Best regards,
Alex Ionescu
http://www.relsoft.net

[2late]

Hi,

Attached is a lille crackme written by a mate. Since I use SoftIce 95% of the time it had no effect. Only later, when went through the whole lot I realised that he wanted to play with Olly.

Simple stuff, and just like all other similar efforts, is quite futile against determined reversers. Tricks, at their best, can hinder only less experienced users. Temporarily, until they seek and get help on various boards and other places.

Regards

name:
FORUMEXETOOLSCOM

code:
#3%9[=?f+2810752424757A282B

Quote:

Originally Posted by evaluator

name:
FORUMEXETOOLSCOM

code:
#3%9[=?f+2810752424757A282B

Oh, no, Our musician should not play with such easy stuff, xprotector is more suitable for the veteran such as evaluator.