Recently, I have mentioned that one can detect the debugger presence through the DR7 debug register, now we’ll take a look at the DR0 to DR3 debug registers, which contains debug breakpoints.
This technique is one of the few ways to discover debug breakpoints, and it makes it possible to delete them without stopping the application […]
You can also use the debug registers with x86 processors to determine whether a debugger is active. Debug register 7 (DR7) is the most important one for you in this trick. If there is no debugger in memory, DR7 will be default to 400h. If there is a debugger, it will have a different value.
mov […]
A different technique is to search for the presence of a breakpoint. It’s based on CRC calculation for the particular program and the checks that run during the course of the program. A program’s current CRC is found at the CRC label. The CRC label changes with alterations in the program, and is therefore adjusted […]
This trick uses the LOCK CMPXCHG8B instruction to make any debugger (SoftICE, OllyDBG, IDA, etc…) detect an error and stop.
The instruction CMPXCHG8B is used for 64−bit values. It compares a value in the EDX:EAX registers with the 64−bit value saved in the address determined by the pointer in the EAX register. If the values are […]
Recently I been playing around with some anti-debugging tricks. Most of them have showed some effective results. I’ll post more news about them once I get finished.
Recently I was given a problem to solve, which was a marble problem. A Marble Game is played with M marbles on a square board. The board is divided into NxN unit squares, and M of those unit squares contain holes. Marbles and holes are numbered from 1 to M. The goal of the Marble […]