Anti Debug Techniques

Started by zemtex, January 22, 2011, 03:28:55 PM

zemtex

Howdy.

I know a few techniques, but they are very basic; I have not spent too much time in this field. I have a few ideas but they are not tested yet. I would like to hear about good, but not too complex, anti-debugging techniques that you guys use, if you are up to sharing them.
I have been puzzling with lego bricks all my life. I know how to do this. When Peter, at age 6 is competing with me, I find it extremely necessary to show him that I can puzzle bricks better than him, because he is so damn talented that all that is called rational has gone haywire.

redskull

There's only one sure-fire way to prevent people from debugging your programs: remove all bugs before shipment
Strange women, lying in ponds, distributing swords, is no basis for a system of government

zemtex

Another good technique is to bring frequent updates. People will lose patience if they debug your programs themselves, and they see that new versions pop up all the time. But this is more philosophy, not so much technical. You have to think about newbies too; we don't want to create complex code to remove debuggers, we just want to make it as hard as possible with as little code as possible to filter newbie Olly users and similar.

oex

If Microsoft, Apple, Sony etc etc aren't successful neither will you be :lol.... The best protection is not code but common sense in all other aspects of your distribution....

You can try and defeat Olly but someone who can't work around Olly will unlikely be stealing any worthwhile code anyways.... The assumption that there is a magic bullet that you will find on any forum is rather comical :lol....
We are all of us insane, just to varying degrees and intelligently balanced through networking

http://www.hereford.tv

redskull

A better question is why do you care if people debug your code?  Criminals will steal your program, non-criminals will buy it.  No amount of programming will change that.  Unless you've developed a new way to factor large primes, your efforts are better spent making your program cooler, so more non-criminals want it.  Other than that, IsDebuggerPresent() is a good place to start.

zemtex

IsDebuggerPresent is hopelessly easy and is the first anti debug trick a lamer will use. I was hoping for something a little bit more complex than that.  :lol

You are aware that debuggers override that system function, so it is ineffective?

zemtex

Quote from: oex on January 22, 2011, 06:06:19 PM
If Microsoft, Apple, Sony etc etc aren't successful neither will you be :lol.... The best protection is not code but common sense in all other aspects of your distribution....

You can try and defeat Olly but someone who can't work around Olly will unlikely be stealing any worthwhile code anyways.... The assumption that there is a magic bullet that you will find on any forum is rather comical :lol....

Being successful in preventing debuggers from reversing your code is the easy part, the hard part is finding a short piece of code that works well to filter newbies well without adding too much overhead to the program.

I didn't say I was looking for a magic bullet, I said I was looking for techniques for filtering newbies. If you haven't read any of my posts, I suggest you stick to a different thread.

Thirdly, Microsoft, Apple or Sony isn't trying to be successful, they are compromising, just like I am looking to do. Btw, there have been many successful stories there, you could use virtual bytecodes (in extreme cases), I know of such a program and it remained unreversed for 7 months.

Your pessimism isn't welcomed in here.

jj2007

Quote from: redskull on January 22, 2011, 03:44:45 PM
There's only one sure-fire way to prevent people from debugging your programs: remove all bugs before shipment

I love that one, red :U

Besides, there is an excellent example of anti-debug programming style at \masm32\examples\exampl10\slickhuh\slickhuh.asm

zemtex

I sort of liked his statement too, but it was sort of filled with ideas that your code isn't worth something, that's the main reason I didn't like it very much myself.

zemtex

Btw, it doesn't have to be too darn complex. Just a few very nice (preferably uncommon) methods, just to give the general Olly user a little bit of worry, that's all.  :U (To show them that we still care for our code  :bdg)

vanjast

The games and other industries have also tried various methods to make their code 'crackproof'.. nothing had worked and a lot of the time the cracked code appears before the release, if not very soon after.

There are many ways to counter this, and for most code the best method is pricing and to rely on the honest user. This culture has to be cultivated.
There will always be the pirates and thieves, the more honesty is cultivated the better for all of us.
:bg

zemtex

The main reason games get cracked is not because they tried otherwise, it's because they hire developers who are used to developing programs; they are not trained to think reversing. They are trained to code algorithms for games and design menu buttons.

If you look at any game today, the "hypermodern" techniques they use to hide variables is to add two zeros to the variable in order to hide it. You have to understand that these "guys" don't know anything about reverse engineering, they are developers.

If you peek into any game today, you'll see that it's so obvious and easy that even your grandmother is capable of reversing it. They are not trying to make it safe, not at all, and they don't have people that are smart enough to do that. I don't think people are aware how little developers know today. Just because they fail at this point doesn't mean they tried their best or had capacity to do so.

I have been into a lot of games, and I'm the guy behind many of these, I can tell you right here and now, those who made these games don't know jack about anything, certainly nothing about assembly.

Every time I'm done with a game, I think to myself "This can't be true, the developers are trying to fool me, it can't be this obvious or easy". But after the day is gone, it really was that easy.  :bdg

To say that anti debug techniques are not worth it just because "Bob who can code C++" doesn't know what he is doing is just ridiculous.

zemtex

The general understanding here is that:

1: Bob is a C++ expert and he doesn't know jack about reversing.

2: Lamers are able to crack Bob's code, because Bob is so stupid.

3: Therefore anti debugging is a waste of time?

:cheekygreen:

zemtex

... content removed ...

BogdanOntanu

Quote from: zemtex on January 22, 2011, 08:10:36 PM

...
I have been into a lot of games, and I'm the guy behind many of these, I can tell you right here and now, those who made these games don't know jack about anything, certainly nothing about assembly.

Every time I'm done with a game, I think to myself "This can't be true, the developers are trying to fool me, it can't be this obvious or easy". But after the day is gone, it really was that easy.  :bdg

...

We do not allow these kinds of actions here... locked

Besides, the exact same techniques can be used for the wrong purposes... for example "protecting" VX from AV scanning.
In consequence we avoid talking about these kinds of techniques here.

Also from my experience: the more you protect an application the more honest clients you will lose. And you will NOT stop an experienced reverser no matter what you do.
Ambition is a lame excuse for the ones not brave enough to be lazy.
http://www.oby.ro