Page 3 of 3
Posted: Fri Dec 31, 2004 7:18 am
by PB
> I found and changed a small piece of Anti Tracking code to pb [snip]
@TheFool: Is there a way to modify your ASM anti-tracking code so that it sets a global variable instead of jumping to a label? I'd rather just set a variable so my app knows when it's being debugged, but I don't know any ASM to modify your code. Also, is there a way to change your code so that I don't need to enable the Inline ASM Compiler Option? I think it's done with the ! character but it doesn't work if I insert it before the commands...
Posted: Fri Dec 31, 2004 11:10 am
by thefool
Ok, here you go. Why do you want it to be without the "use inline assembler"? Then it needs more changes, as you can't just mov track,1.
Well, this works. If you really need it I'll take a look at it. Not that it's a hard thing to do, but I haven't eaten breakfast yet.
But this is just one way to do it, and it should be protected more. ATM I'm playing with some way to decrypt a procedure at runtime! If I get that working, these 2 things would be way more powerful and cracksecute..
[actually, I know how to decrypt it. I just need a way to encrypt it. Don't worry, I'm working on it]
Code:
track.l=1
PUSH AX
POP AX            ;the pushed value is still in memory just below SP
DEC SP
DEC SP            ;move SP back onto that slot without writing to it
POP BX            ;BX should point to the pushed AX.
CMP AX,BX         ;a single-step trap pushes onto the stack and overwrites that slot
JNE l_ctrack      ;mismatch: leave track=1 (BASIC label ctrack is l_ctrack in ASM)
MOV track,0
ctrack:
;Normal code here. If track=1 then debugger is here!
btw: I dunno if this works with all debuggers.
atm I'm playing with this guide I just found 5 minutes ago:
http://sandsprite.com/CodeStuff/Build_y ... ypter.html
Posted: Fri Dec 31, 2004 3:52 pm
by newbie
Sounds very interesting, I just wish I knew ASM to play with.
Just one question: are these "crypters" in fact just "packers" such as UPX?
I often use packers because the executable is smaller and loaded faster in memory, but there is no protection at all, everyone can unpack it.
Does a crypter somehow protect the executable?
Posted: Fri Dec 31, 2004 4:03 pm
by thefool
Yup.
Well, this guide just tells how to make a simple cryptor.
It just XORs every byte in the exe file and adds an unencrypter stub that will unencrypt the rest of the program at runtime.
Also the protectors we talked about do this, so no one can see the actual code without decrypting it. And for protecting against that, they also incorporate other protections and disassembler and debugger protections. And of course also memory dump protection. (A common way to protect against dumping is to only unencrypt a small bit of the exe when it's used instead of the whole thing. The sad thing about that is that there probably is a slight speed loss when doing that, if it needs to decrypt a lot.)
Posted: Fri Dec 31, 2004 4:44 pm
by newbie
Very interesting.
If at least you can do a very basic protector, even if it's just a XOR without any anti-debugger and anti-dumping protection, it would be really nice (if it is commented and explained).
Your link is interesting, and it would be great to see an application to PureBasic.
Why not start a "thefool cryptor" project?
For now I'm still trying to understand your anti-debugger ASM code :roll:
Posted: Fri Dec 31, 2004 8:51 pm
by thefool
hehe
Well, don't take the anti-debugger code as very good. I'm not even 100% sure it works on all debuggers.
But I know various disassembler tricks.
But yeah, "Thefool's Crypter"
But it's not going to be right now. Maybe later when I have looked more at the topic.
Posted: Sat Jan 01, 2005 12:11 am
by PB
> why do you want it to be without the "use inline assembler" ?
I just hate going to the Compiler Options and ticking it. I'm lazy!

Posted: Sat Jan 01, 2005 2:41 am
by thefool
> I just hate going to the Compiler Options and ticking it. I'm lazy!
THAT is what I call lazy
Posted: Sat Jan 01, 2005 4:29 am
by PB
> THAT is what i call lazy
Let me explain myself: I usually paste code into PureBasic and then try to compile, but I get error messages like "'ax' is not a valid operator", so then I have to go into the Compiler Options to enable ASM support... it's a hassle. It's better to use ! so anyone can paste-and-compile immediately, without having to enable ASM first (IMO).
@Fred: If I leave ASM enabled all the time, but don't use ASM in my code, is there any added bloat to my executable at compilation time? Because if not, I'll just leave ASM enabled permanently...
Posted: Sat Jan 01, 2005 5:16 am
by sec
it was?
Code:
a.l
b.l
!mov eax, 1
!push eax
!pop eax              ; the value 1 is left in memory just below esp
!mov [v_a], eax       ; a = what eax holds now
!mov eax, [esp-4]     ; read the slot below esp; a trap handler may have overwritten it
!mov [v_b], eax       ; b = what was found there
; if a <> b : debug "track" : endif
Debug a
Debug b
MessageRequester("","a="+Str(a)+";b="+Str(b))
Posted: Sat Jan 01, 2005 11:55 am
by thefool
Doesn't work...
btw, another nice trick:
Jump from RETs..
If you push the address of a label onto the stack and execute the RET command, it will jump to that address. This is actually harder to see in a disassembler, and will often confuse it.
For demonstrating it I programmed a nice little crackme this morning..
I post the source here, but if you want to try it, compile it without looking. btw: it's NOT using any debugger protections, so don't use one...
Not many comments, but ask if you have a question..
Protections: Encrypted text [with own lame encryption scheme], code executed in unusual order, junk code.
Code:
;**********************************************************************
;*Crackme number 2 *
;*It uses some rets and pushes to make it execute in a non-normal way.*
;*Also uses some junk code, and encrypted text ;) *
;*Coded by Daniel Middelhede [thefool] *
;**********************************************************************
Goto afterproc
TheEnd:
End
Procedure.s dEnc(string.s,pass.s)
If string.s=""
ProcedureReturn ""
Else
;Key = sum of the character codes of pass (the original looped with a but indexed with i)
For a=1 To Len(pass.s)
charval=Asc(Mid(pass.s,a,1))
myarr=myarr+charval
Next a
;XOR every character with that key; the same call encrypts and decrypts
For i=1 To Len(string.s)
myenc=Asc(Mid(string.s,i,1)) ! myarr
mystr.s=mystr.s+Chr(myenc)
Next i
ProcedureReturn mystr
EndIf
EndProcedure
afterproc:
ad=?getpw ;Push the address of the GetPW thingy
PUSH ad
serial.s=dEnc("B^SPYYZDYU]E","6")
RET
;JunkCodeSection. will also disturb older disassemblers
If password.s="quatrofobic"
MessageRequester("","Correct!")
Else
MessageRequester("","Nope, im sorry :(")
EndIf
;EndofJunk!
wrong:
MessageRequester("",dEnc("E@]\UBSAAE]@V","2"))
Goto TheEnd
right:
MessageRequester("",dEnc("r^_VCPED]PEX^_BcXVYEAPBBF^CU","1"))
Goto TheEnd
testing:
If userinput.s=serial.s
ad=?right
Else
ad=?wrong
EndIf
PUSH ad
RET
getpw:
userinput.s=InputRequester("",dEnc("2[ W[","crackme 2"),"")
PUSH l_testing
RET
I know it's messy
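Added example, not code from the thread: a Python model of the crackme's dEnc() string scheme above and of the "XOR every byte of the exe" cryptor thefool describes earlier, plus the check an analyst runs to show why a constant XOR key gives no protection (one predictable plaintext byte, such as the "MZ" an exe starts with, yields the key). It assumes keys are reduced to one byte; the PureBasic original XORs the raw sum, which agrees for the crackme's one-character passwords.

```python
from typing import Optional

def denc_key(password: str) -> int:
    """dEnc() key derivation: the sum of the password's character codes."""
    return sum(ord(c) for c in password) & 0xFF  # low byte only (assumption)

def denc(text: str, password: str) -> str:
    """XOR every character with the key. XOR is an involution, so the same
    call both encrypts and decrypts a string."""
    key = denc_key(password)
    return "".join(chr(ord(c) ^ key) for c in text)

def xor_crypt(data: bytes, key: int) -> bytes:
    """Body of the simple cryptor: XOR each byte of the file with one key.
    The runtime stub would run exactly this loop again to undo it."""
    return bytes(b ^ (key & 0xFF) for b in data)

def recover_key(ciphertext: bytes, known_prefix: bytes) -> Optional[int]:
    """Known-plaintext check: with a single-byte XOR key, one byte whose
    plaintext is predictable (an EXE starts with b'MZ') yields the key.
    Returns None if the known bytes are not consistent with one key."""
    if not known_prefix or len(ciphertext) < len(known_prefix):
        return None
    key = ciphertext[0] ^ known_prefix[0]
    for c, p in zip(ciphertext, known_prefix):
        if c ^ p != key:
            return None
    return key

# Constructed sample: the first bytes of a DOS/PE header, not a real file.
SAMPLE_EXE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"

def demo() -> dict:
    """Decode the crackme's strings and recover a cryptor key from 'MZ'."""
    packed = xor_crypt(SAMPLE_EXE, 0x5A)  # 0x5A is an arbitrary demo key
    return {
        "serial": denc("B^SPYYZDYU]E", "6"),
        "wrong": denc("E@]\\UBSAAE]@V", "2"),
        "recovered_key": recover_key(packed, b"MZ"),
        "roundtrip_ok": xor_crypt(packed, 0x5A) == SAMPLE_EXE,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```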
