Exetools

Lycosidae - Modern Anti Debug (https://forum.exetools.com/showthread.php?t=19349)

Lueilwitz 10-17-2019 21:31

Lycosidae - Modern Anti Debug
 
https://github.com/lurumdare/Lycosidae

Bypass ScyllaHide

Features
- Import no leak
- Strings no leak

zeffy 10-19-2019 14:07

I haven't looked at the entire source, but isn't using CRC32 to verify functions easy to bypass?

For example, https://www.nayuki.io/page/forcing-a-files-crc-to-any-value

Seems like it would be trivial to change the hooking procedure of ScyllaHide to use code like this to get the correct CRC with only 5 extra bytes of overhead (4 bytes of garbage after the jmp + 0xCC), and the CRC check could be circumvented.

I think it would be better to just do a direct byte comparison of the functions since they are being processed in their entirety to get the length already.

Lueilwitz 10-19-2019 21:15

Quote:

Originally Posted by zeffy (Post 118480)
I haven't looked at the entire source, but isn't using CRC32 to verify functions easy to bypass?

For example, https://www.nayuki.io/page/forcing-a-files-crc-to-any-value

Seems like it would be trivial to change the hooking procedure of ScyllaHide to use code like this to get the correct CRC with only 5 extra bytes of overhead (4 bytes of garbage after the jmp + 0xCC), and the CRC check could be circumvented.

I think it would be better to just do a direct byte comparison of the functions since they are being processed in their entirety to get the length already.

If you have free time, welcome to contribute! :o

gigaman 10-23-2019 05:28

Quote:

Originally Posted by zeffy (Post 118480)
Seems like it would be trivial to change the hooking procedure of ScyllaHide to use code like this to get the correct CRC with only 5 extra bytes of overhead (4 bytes of garbage after the jmp + 0xCC), and the CRC check could be circumvented.

If that happened, you could just change the polynomial here (e.g. change CRC32 to CRC32c) and the CRC check would work again...
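
As an added example (not code from Lycosidae or from anyone in this thread), the two checks discussed above side by side: a reflected CRC routine whose polynomial parameter covers both the CRC32 and the CRC32C variant gigaman mentions, and the byte-exact comparison zeffy suggests, which keeps a start-up snapshot of the function's leading bytes and reports the offset of the first difference. The tampered buffer is constructed in the code to mimic the jmp + 0xCC layout described in the thread; CHECK_LEN and every function name are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define CHECK_LEN 32            /* assumed: leading bytes snapshotted per function */
#define POLY_CRC32  0xEDB88320u /* reflected CRC-32 (IEEE) */
#define POLY_CRC32C 0x82F63B78u /* reflected CRC-32C (Castagnoli) */

/* Bitwise reflected CRC over n bytes; poly selects the CRC32 or CRC32C variant. */
uint32_t crc32_poly(const uint8_t *p, size_t n, uint32_t poly) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (poly & (0u - (c & 1u)));
    }
    return ~c;
}

/* Byte-exact check: -1 if the live bytes match the snapshot, otherwise the
 * first differing offset (handy for logging exactly where a patch landed). */
long first_mismatch(const uint8_t *ref, const uint8_t *live, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (ref[i] != live[i]) return (long)i;
    return -1;
}

/* Start-up step: copy the function's leading bytes before anything can patch them. */
void snapshot_function(const void *fn, uint8_t out[CHECK_LEN]) {
    memcpy(out, fn, CHECK_LEN);
}

/* Constructed test data: the snapshot as it would look after an inline
 * jmp rel32 + int3 patch of the kind the thread describes. The displacement
 * bytes are a placeholder, not a real target. */
void make_tampered_copy(const uint8_t ref[CHECK_LEN], uint8_t out[CHECK_LEN]) {
    static const uint8_t patch[6] = { 0xE9, 0x00, 0x00, 0x00, 0x00, 0xCC };
    memcpy(out, ref, CHECK_LEN);
    memcpy(out, patch, sizeof patch);
}

/* Snapshots crc32_poly's own prologue, builds a tampered copy of it, and
 * returns the offset the byte check reports (-1 would mean it was missed). */
long demo_detect_patch(void) {
    uint8_t ref[CHECK_LEN], live[CHECK_LEN];
    snapshot_function((const void *)crc32_poly, ref);
    make_tampered_copy(ref, live);
    return first_mismatch(ref, live, CHECK_LEN);
}
```

Whichever digest is used, a 32-bit CRC still maps the function's bytes onto a single word, whereas the snapshot comparison has nothing to match except the bytes themselves.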

evlncrn8 10-23-2019 05:50

I really don't see what's so fantastic / revolutionary about this at all

Lueilwitz 10-30-2019 13:15

Need tester for this branch

https://github.com/lurumdare/ScyllaHideDetector/tree/crc32c

Lueilwitz 01-19-2020 21:32

Updated

https://github.com/lurumdare/Lycosidae2
