What is your favourite anti-debugging trick?


Question

At my previous employer we used a third party component which basically was just a DLL and a header file. That particular module handled printing in Win32. However, the company that made the component went bankrupt so I couldn't report a bug I'd found.

So I decided to fix the bug myself and launched the debugger. I was surprised to find anti-debugging code almost everywhere, the usual IsDebuggerPresent, but the thing that caught my attention was this:

    ; some twiddling with xor 
    ; and data, result in eax 
    jmp eax 
    mov eax, 0x310fac09 
    ; rest of code here

At the first glance I just stepped over the routine, which was called twice, then things just went bananas. After a while I realized that the bit twiddling result was always the same, i.e. the jmp eax always jumped right into the mov eax, 0x310fac09 instruction. I dissected the bytes and there it was, 0f31, the rdtsc instruction which was used to measure the time spent between some calls in the DLL.

So my question to SO is: what is your favourite anti-debugging trick?
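The trick in the question relies on overlapping instructions: the immediate of `mov eax, 0x310fac09` is laid out little-endian as `09 ac 0f 31`, so a jump three bytes into the instruction lands on `0f 31`, which is `rdtsc`. The following added example (not code from the original post) is a tiny decoder for just the opcodes in the snippet; it shows how a naive linear sweep from the routine's start never sees the `rdtsc`, and how an analyst can flag `0f 31` byte pairs that fall on no decoded instruction boundary. The byte buffer is constructed, with the xor twiddling replaced by a fixed layout.

```python
import struct

def decode_one(code: bytes, off: int):
    """Decode the x86 instruction at `off`; return (text, length).
    Only the handful of opcodes needed for the snippet are recognised;
    anything else is emitted as a raw data byte."""
    b = code[off]
    if b == 0xB8 and off + 5 <= len(code):                 # mov eax, imm32
        imm = struct.unpack_from("<I", code, off + 1)[0]
        return f"mov eax, 0x{imm:08x}", 5
    if b == 0x0F and off + 1 < len(code) and code[off + 1] == 0x31:
        return "rdtsc", 2                                    # 0f 31
    if b == 0xFF and off + 1 < len(code) and code[off + 1] == 0xE0:
        return "jmp eax", 2                                  # ff e0
    if b == 0x90:
        return "nop", 1
    if b == 0xC3:
        return "ret", 1
    return f"db 0x{b:02x}", 1

def linear_sweep(code: bytes, start: int):
    """Disassemble sequentially from `start`, the way a naive tool would."""
    out, off = [], start
    while off < len(code):
        text, n = decode_one(code, off)
        out.append(text)
        off += n
    return out

def hidden_rdtsc_offsets(code: bytes, start: int = 0):
    """Offsets of `0f 31` pairs that the linear sweep from `start` never
    treats as an instruction start: the signature of the hidden rdtsc."""
    boundaries, off = set(), start
    while off < len(code):
        boundaries.add(off)
        off += decode_one(code, off)[1]
    return [i for i in range(len(code) - 1)
            if code[i] == 0x0F and code[i + 1] == 0x31 and i not in boundaries]

def build_snippet() -> bytes:
    """Constructed stand-in for the routine in the question."""
    return bytes([0xFF, 0xE0,                    # jmp eax (target computed earlier)
                  0xB8, 0x09, 0xAC, 0x0F, 0x31,  # mov eax, 0x310fac09
                  0xC3])                         # rest of code (here: ret)
```

Sweeping from offset 0 yields `jmp eax`, `mov eax, 0x310fac09`, `ret`, while sweeping from offset 5 (inside the immediate) yields `rdtsc`, `ret`; `hidden_rdtsc_offsets` reports offset 5.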

Recommended answer

My favorite trick is to write a simple instruction emulator for an obscure microprocessor.

The copy protection and some of the core functionality are then compiled for the microprocessor (GCC is a great help here) and linked into the program as a binary blob.

The idea behind this is that the copy protection does not exist in ordinary x86 code and as such cannot be disassembled. You cannot remove the entire emulator either, because this would remove core functionality from the program.

The only chance to hack the program is to reverse engineer what the microprocessor emulator does.

I've used MIPS32 for emulation because it was so easy to emulate (it took just 500 lines of simple C code). To make things even more obscure I didn't use the raw MIPS32 opcodes. Instead each opcode was XORed with its own address.

The binary of the copy protection looked like garbage data.

Highly recommended! It took more than 6 months before a crack came out (it was for a game project).
