Exetools

#1
10-03-2003, 06:19
yaa

Can someone recognize this code???

Hello,

sorry for posting what is probably a stupid question, but I was wondering if someone can recognize the following code:

00401620 PUSHAD                              ; save all general registers
00401621 MOV EDI,xxxxxxxx.00401000           ; EDI = start of the scanned range
00401626 MOV ECX,xxxxxxxx.00401FFF           ; ECX = end of the scanned range
0040162B SUB ECX,EDI                         ; ECX = number of bytes left to scan (0xFFF)
0040162D MOV AL,0CC                          ; AL = 0xCC, the INT 3 opcode
0040162F REPNE SCAS BYTE PTR ES:[EDI]        ; scan forward until a 0xCC byte is hit or ECX runs out
00401631 JNZ SHORT xxxxxxxx.00401644         ; no 0xCC found: go to the final compare
00401633 MOV EBX,xxxxxxxx.00402005           ; EBX = address of a one-byte hit counter
00401638 ADD BYTE PTR DS:[EBX],1             ; counter++
0040163B MOV ECX,xxxxxxxx.00401FFF
00401640 SUB ECX,EDI                         ; recompute bytes left (EDI already points past the hit)
00401642 JMP SHORT xxxxxxxx.0040162F         ; keep scanning from there
00401644 MOV EAX,xxxxxxxx.00402005
00401649 CMP BYTE PTR DS:[EAX],3             ; compare the number of hits against 3

This code is somehow able to detect the presence of an application level debugger following code step by step. I was wondering if this is some checksum code. Thx.

yaa

#2
10-03-2003, 07:00
Jay


Well, with CC in AL, 401000 in EDI and 1FFF in ECX, if I'm not mistaken it's checking for an INT 3 in the code section... or maybe I need some zzzz's.

#3
10-03-2003, 07:34
Satyric0n

Yep, I agree with Jay. It's scanning every byte between 401000 and 401FFF looking for 0xCC, which is the INT3 instruction. So, a simple if statement: does it find a breakpoint?

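The scan the thread is describing, written out in C as an added example of my own (it is not code from the thread, and the listing above is the only thing it is based on). The listing sets ECX to 00401FFF minus EDI, i.e. it examines 0xFFF bytes starting at 00401000, counts every 0xCC byte in a one-byte counter at 00402005, and then compares that counter with 3. Two things in the example are assumptions, because the page does not show them: that the tolerated count of 3 exists because alignment padding between functions can legitimately consist of INT 3 bytes, and that the comparison flags the region only when the count is greater than 3 (the listing is cut off right after the CMP). The sample "code section" bytes are constructed for the demo. The example also shows the other side: what a software-breakpoint debugger actually does to the code bytes when it sets and removes a breakpoint, which is exactly what this scan looks for. Note the limitation the later posts get at: hardware breakpoints in DR0-DR3 and single-stepping via the trap flag never touch the code bytes, so this scan only ever sees software breakpoints that are resident in memory at the moment it runs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Opcode of the one-byte INT 3 instruction. A software breakpoint is
 * nothing more than this byte written over the first opcode byte of the
 * target instruction, with the original byte kept aside by the debugger. */
#define INT3_OPCODE 0xCC

/* Threshold used by the listing (CMP BYTE PTR [00402005],3). Assumption:
 * a few 0xCC bytes are tolerated because alignment padding between
 * functions can legitimately consist of INT 3 bytes. */
#define INT3_TOLERATED 3

/* Equivalent of the REPNE SCASB loop at 0040162F..00401642: count every
 * 0xCC byte in [start, end). The original keeps its count in a single byte
 * (ADD BYTE PTR [EBX],1), so it would wrap after 255 hits; size_t does not. */
size_t count_int3(const uint8_t *start, const uint8_t *end)
{
    size_t hits = 0;
    for (const uint8_t *p = start; p < end; p++) {
        if (*p == INT3_OPCODE)
            hits++;
    }
    return hits;
}

/* The decision taken after the scan. The page stops at the CMP, so the
 * direction of the comparison is an assumption: the region is flagged only
 * when more than INT3_TOLERATED breakpoints are resident. Returns 1 if a
 * debugger's software breakpoint is suspected. */
int int3_scan_flags_region(const uint8_t *start, const uint8_t *end)
{
    return count_int3(start, end) > INT3_TOLERATED;
}

/* What a software-breakpoint debugger does when a breakpoint is set:
 * save the original byte and write 0xCC over it. */
uint8_t plant_breakpoint(uint8_t *code, size_t offset)
{
    uint8_t saved = code[offset];
    code[offset] = INT3_OPCODE;
    return saved;
}

/* ...and when the breakpoint is removed (or put aside while the original
 * instruction is executed): the saved byte goes back. */
void remove_breakpoint(uint8_t *code, size_t offset, uint8_t saved)
{
    code[offset] = saved;
}

/* Constructed sample of a "code section": a tiny function followed by
 * three bytes of INT 3 padding, which the threshold above tolerates. */
static const uint8_t sample_code[] = {
    0x55,             /* push ebp          */
    0x89, 0xE5,       /* mov  ebp, esp     */
    0x31, 0xC0,       /* xor  eax, eax     */
    0x5D,             /* pop  ebp          */
    0xC3,             /* ret               */
    0xCC, 0xCC, 0xCC  /* alignment padding */
};

#define SAMPLE_LEN (sizeof sample_code)

/* Number of 0xCC bytes the scan sees in the untouched sample. */
size_t sample_int3_count(void)
{
    return count_int3(sample_code, sample_code + SAMPLE_LEN);
}

/* Number of 0xCC bytes the scan sees once a breakpoint is planted on the
 * instruction at `offset`; the breakpoint is removed again afterwards and
 * the restore is verified, so (size_t)-1 signals a restore failure. */
size_t int3_count_with_breakpoint(size_t offset)
{
    uint8_t code[SAMPLE_LEN];
    memcpy(code, sample_code, SAMPLE_LEN);

    uint8_t saved = plant_breakpoint(code, offset);
    size_t hits = count_int3(code, code + SAMPLE_LEN);
    remove_breakpoint(code, offset, saved);

    if (memcmp(code, sample_code, SAMPLE_LEN) != 0)
        return (size_t)-1;
    return hits;
}

/* Does the check stay quiet on the untouched sample and fire once a
 * breakpoint sits on the xor (offset 3)? Returns 1 only if both hold. */
int scan_distinguishes_breakpoint(void)
{
    uint8_t code[SAMPLE_LEN];
    memcpy(code, sample_code, SAMPLE_LEN);

    int clean_flagged = int3_scan_flags_region(code, code + SAMPLE_LEN);
    plant_breakpoint(code, 3);
    int bp_flagged = int3_scan_flags_region(code, code + SAMPLE_LEN);

    return !clean_flagged && bp_flagged;
}

int main(void)
{
    printf("INT 3 bytes in clean sample:            %zu\n", sample_int3_count());
    printf("INT 3 bytes with a breakpoint planted:  %zu\n", int3_count_with_breakpoint(3));
    printf("check flags only the breakpointed copy: %s\n",
           scan_distinguishes_breakpoint() ? "yes" : "no");
    return 0;
}
```

In a real protector the scanned range would be the program's own code section rather than a constructed buffer, but the logic is the same: the check is only as good as the number of 0xCC bytes that happen to be sitting in memory when it runs, which is why the hardware-breakpoint replies further down in the thread matter.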

#4
10-05-2003, 07:56
yaa

And if I'm not mistaken, debuggers implement step-by-step execution of applications using INT 3 breakpoints. This explains everything.

Thank you.

yaa

#5
10-05-2003, 18:52
Squidge

OllyDbg has the ability to use hardware breakpoints to trace and step through code, hence it does not need to write 0xCC into any part of the target program's code area, whilst still maintaining full functionality.

#6
10-06-2003, 04:14
yaa

Hello Squidge,

Yes, I know about the HW breakpoints of OllyDbg (in fact I'm a great fan of Olly)...

From what you say I deduce that SoftICE indeed (as I read) uses software breakpoints (INT 3) as "its" breakpoints.

yaa

#7
10-06-2003, 04:37
Satyric0n

SoftICE is capable of setting hardware breakpoints also. The BPM command sets hardware breakpoints (technically, it uses the debug registers), while BPR, BPX, etc. set INT3 breakpoints.


All times are GMT +8.