What is your favourite anti-debugging trick?


Question



At my previous employer we used a third party component which basically was just a DLL and a header file. That particular module handled printing in Win32. However, the company that made the component went bankrupt so I couldn't report a bug I'd found.

So I decided to fix the bug myself and launched the debugger. I was surprised to find anti-debugging code almost everywhere, the usual IsDebuggerPresent, but the thing that caught my attention was this:

    ; some twiddling with xor 
    ; and data, result in eax 
    jmp eax 
    mov eax, 0x310fac09 
    ; rest of code here 

At first glance I just stepped over the routine which was called twice, then things just went bananas. After a while I realized that the bit twiddling result was always the same, i.e. the jmp eax always jumped right into the mov eax, 0x310fac09 instruction. I dissected the bytes and there it was, 0f31, the rdtsc instruction which was used to measure the time spent between some calls in the DLL.

So my question to SO is: What is your favourite anti-debugging trick?
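An added example, not code from the question's author: it reconstructs the trick described above and the timing check it hides. It builds the 5-byte encoding of `mov eax, 0x310fac09`, locates the `0F 31` (rdtsc) pair inside the immediate, which is where the `jmp eax` lands, and implements the rdtsc-delta comparison that a timing-based debugger check relies on. Assumptions: GCC or Clang on x86 for the inline `rdtsc` (on other architectures a monotonic clock stands in so the program still runs), and the threshold value and the "protected region" loop are illustrative.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Encode "mov eax, imm32": opcode B8 followed by the immediate in
 * little-endian byte order, 5 bytes in total. */
void encode_mov_eax_imm32(uint32_t imm, uint8_t out[5])
{
    out[0] = 0xB8;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(imm >> (8 * i));
}

/* Offset inside the 5-byte mov at which the byte pair 0F 31 (rdtsc) starts,
 * or -1 if the immediate carries no such pair. A "jmp eax" that lands at
 * that offset executes rdtsc instead of the mov a disassembler shows. */
int find_rdtsc_in_mov(const uint8_t mov[5])
{
    for (int i = 0; i + 1 < 5; i++)
        if (mov[i] == 0x0F && mov[i + 1] == 0x31)
            return i;
    return -1;
}

/* Convenience wrapper: where does rdtsc hide inside "mov eax, imm"? */
int hidden_rdtsc_offset(uint32_t imm)
{
    uint8_t mov[5];
    encode_mov_eax_imm32(imm, mov);
    return find_rdtsc_in_mov(mov);
}

/* Timestamp counter read: real rdtsc (EDX:EAX) on x86 with GCC/Clang.
 * Elsewhere a monotonic nanosecond clock stands in (assumption: only so the
 * example keeps running; the trick itself is about the x86 instruction). */
uint64_t read_tsc(void)
{
#if (defined(__x86_64__) || defined(__i386__)) && (defined(__GNUC__) || defined(__clang__))
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
#endif
}

/* The check the DLL was doing: two TSC reads bracket a region; a debugger
 * single-stepping or breaking inside it inflates the delta by orders of
 * magnitude. threshold is the caller's estimate of the region's normal cost. */
int tsc_delta_suspicious(uint64_t start, uint64_t end, uint64_t threshold)
{
    return (end - start) > threshold;
}

/* Illustrative protected region: cheap work bracketed by two TSC reads.
 * Returns 1 if the elapsed ticks exceed threshold (i.e. looks debugged). */
int guarded_region(uint64_t threshold)
{
    uint64_t start = read_tsc();
    volatile uint32_t x = 0;
    for (int i = 0; i < 1000; i++) x += (uint32_t)i;    /* stand-in for real work */
    uint64_t end = read_tsc();
    return tsc_delta_suspicious(start, end, threshold);
}

int main(void)
{
    uint8_t mov[5];
    encode_mov_eax_imm32(0x310fac09u, mov);
    printf("mov eax, 0x310fac09 encodes as:");
    for (int i = 0; i < 5; i++) printf(" %02x", mov[i]);
    printf("\nrdtsc hidden at offset %d\n", find_rdtsc_in_mov(mov));
    printf("timing check flags debugger: %d\n", guarded_region(10000000ull));
    return 0;
}
```

The bytes come out as `B8 09 AC 0F 31`, so jumping three bytes past the start of the `mov` executes `rdtsc`; the value the immediate "loads" is never used as a value at all. When you meet `jmp reg` followed by an instruction that the jump never seems to execute, decode the instruction's bytes at every offset before trusting the disassembly.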

Answer

My favorite trick is to write a simple instruction emulator for an obscure microprocessor.

The copy protection and some of the core functionality will then be compiled for the microprocessor (GCC is a great help here) and linked into the program as a binary blob.

The idea behind this is that the copy protection does not exist in ordinary x86 code and as such cannot be disassembled. You cannot remove the entire emulator either because this would remove core functionality from the program.

The only chance to hack the program is to reverse engineer what the microprocessor emulator does.

I've used MIPS32 for emulation because it was so easy to emulate (it took just 500 lines of simple C code). To make things even more obscure I didn't use the raw MIPS32 opcodes. Instead each opcode was xor'ed with its own address.

The binary of the copy protection looked like garbage data.

Highly recommended! It took more than 6 months before a crack came out (it was for a game project).
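An added example, not the answer author's code: a toy emulator in the spirit described above, written in C for a made-up 32-bit ISA rather than MIPS32, so that it fits in a page. A serial check is hand-assembled into the toy ISA, every instruction word is XORed with its own address before being stored (assumed load base 0x00400000, chosen because it resembles a MIPS text segment), and the emulator undoes that XOR on fetch. The stored blob therefore reads as garbage while the check still runs. The ISA, the serial "MIPS-1234" and its expected checksum 0x3EA are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy ISA (assumed, not MIPS32): 32-bit words, 8 registers.
 * word = op:8 | ra:4 | rb:4 | imm:16 */
enum { OP_HALT = 0, OP_LDI, OP_ADD, OP_XOR, OP_LDB, OP_BEQ };
#define NREGS 8
#define INS(op, a, b, imm) \
    (((uint32_t)(op) << 24) | ((uint32_t)(a) << 20) | ((uint32_t)(b) << 16) | ((uint32_t)(imm) & 0xFFFFu))

/* Assumed load address of the blob. Each word is XORed with its own byte
 * address BLOB_BASE + 4*i, so even word 0 does not pass through unchanged. */
#define BLOB_BASE 0x00400000u

/* Serial check, hand-assembled. The host preloads r2 = strlen(serial) and
 * supplies the serial bytes; the verdict is returned in r0 (1 = accepted).
 * checksum = 0; for each byte b: checksum = (checksum + b) ^ 0x5A */
static const uint32_t plain_program[] = {
    INS(OP_LDI, 0, 0, 0),     /*  0: acc = 0 */
    INS(OP_LDI, 1, 0, 0),     /*  1: i = 0 */
    INS(OP_LDI, 4, 0, 1),     /*  2: r4 = 1 */
    INS(OP_LDI, 5, 0, 0x5A),  /*  3: r5 = 0x5A */
    INS(OP_BEQ, 1, 2, 10),    /*  4: if i == len goto 10 */
    INS(OP_LDB, 3, 1, 0),     /*  5: r3 = serial[i] */
    INS(OP_ADD, 0, 3, 0),     /*  6: acc += r3 */
    INS(OP_XOR, 0, 5, 0),     /*  7: acc ^= 0x5A */
    INS(OP_ADD, 1, 4, 0),     /*  8: i += 1 */
    INS(OP_BEQ, 1, 1, 4),     /*  9: goto 4 (r1 == r1 is always true) */
    INS(OP_LDI, 6, 0, 0x3EA), /* 10: r6 = checksum of the constructed serial "MIPS-1234" */
    INS(OP_BEQ, 0, 6, 14),    /* 11: if acc == r6 goto 14 */
    INS(OP_LDI, 0, 0, 0),     /* 12: r0 = 0 (reject) */
    INS(OP_HALT, 0, 0, 0),    /* 13 */
    INS(OP_LDI, 0, 0, 1),     /* 14: r0 = 1 (accept) */
    INS(OP_HALT, 0, 0, 0),    /* 15 */
};
#define NWORDS (sizeof plain_program / sizeof plain_program[0])

/* What gets linked into the shipping binary: every word XORed with its address. */
uint32_t encoded_word(size_t i)
{
    return plain_program[i] ^ (BLOB_BASE + 4u * (uint32_t)i);
}

/* Emulator. Decodes each word on fetch by XORing with its address again.
 * Returns 0 and sets *result on HALT, -1 on a fault or a runaway program. */
int vm_run(const uint32_t *blob, size_t nwords, const uint8_t *input, size_t inlen, uint32_t *result)
{
    uint32_t r[NREGS] = {0};
    uint32_t pc = 0;
    r[2] = (uint32_t)inlen;
    for (unsigned steps = 0; steps < 100000; steps++) {
        if (pc >= nwords) return -1;
        uint32_t w = blob[pc] ^ (BLOB_BASE + 4u * pc);
        uint32_t op = w >> 24, a = (w >> 20) & 0xF, b = (w >> 16) & 0xF, imm = w & 0xFFFF;
        if (a >= NREGS || b >= NREGS) return -1;
        pc++;
        switch (op) {
        case OP_HALT: *result = r[0]; return 0;
        case OP_LDI:  r[a] = imm; break;
        case OP_ADD:  r[a] += r[b]; break;
        case OP_XOR:  r[a] ^= r[b]; break;
        case OP_LDB:  if (r[b] >= inlen) return -1; r[a] = input[r[b]]; break;
        case OP_BEQ:  if (r[a] == r[b]) pc = imm; break;
        default:      return -1;
        }
    }
    return -1;
}

/* Host-side entry point: 1 = serial accepted, 0 = rejected, -1 = VM fault. */
int check_serial(const char *serial)
{
    uint32_t blob[NWORDS];
    uint32_t result = 0;
    for (size_t i = 0; i < NWORDS; i++) blob[i] = encoded_word(i);
    if (vm_run(blob, NWORDS, (const uint8_t *)serial, strlen(serial), &result) != 0)
        return -1;
    return (int)result;
}

int main(void)
{
    printf("encoded blob:");
    for (size_t i = 0; i < NWORDS; i++) printf(" %08x", (unsigned)encoded_word(i));
    printf("\ncheck(\"MIPS-1234\") = %d\ncheck(\"MIPS-1235\") = %d\n",
           check_serial("MIPS-1234"), check_serial("MIPS-1235"));
    return 0;
}
```

Only the emulator loop is visible to an x86 disassembler; the serial logic is data, and since it is XORed with its address it does not even show the repeated opcode bytes that would give the encoding away. The real cost of the technique is on the defender's side: every change to the protected code means regenerating the blob, and the emulator itself remains the single point a determined reverser will attack.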
