Exetools  

#1
10-17-2019, 21:31
Lueilwitz
Lycosidae - Modern Anti Debug

https://github.com/lurumdare/Lycosidae

Bypass ScyllaHide

Features
- Import no leak
- Strings no leak
#2
10-19-2019, 14:07
zeffy
I haven't looked at the entire source, but isn't using CRC32 to verify functions easy to bypass?

For example, https://www.nayuki.io/page/forcing-a-files-crc-to-any-value

Seems like it would be trivial to change the hooking procedure of ScyllaHide to use code like this to get the correct CRC with only 5 extra bytes of overhead (4 bytes of garbage after the jmp + 0xCC), and the CRC check could be circumvented.

I think it would be better to just do a direct byte comparison of the functions, since they are being processed in their entirety to get the length already.
#3
10-19-2019, 21:15
Lueilwitz
Quote: Originally Posted by zeffy
I haven't looked at the entire source, but isn't using CRC32 to verify functions easy to bypass?

For example, https://www.nayuki.io/page/forcing-a-files-crc-to-any-value

Seems like it would be trivial to change the hooking procedure of ScyllaHide to use code like this to get the correct CRC with only 5 extra bytes of overhead (4 bytes of garbage after the jmp + 0xCC), and the CRC check could be circumvented.

I think it would be better to just do a direct byte comparison of the functions, since they are being processed in their entirety to get the length already.
If you have free time, welcome to contribute!
#4
10-23-2019, 05:28
gigaman
Quote: Originally Posted by zeffy
Seems like it would be trivial to change the hooking procedure of ScyllaHide to use code like this to get the correct CRC with only 5 extra bytes of overhead (4 bytes of garbage after the jmp + 0xCC), and the CRC check could be circumvented.
If that happened, you could just change the polynomial here (e.g. change CRC32 to CRC32c) and the CRC check would work again...
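As an added illustration of the two points above (this is example code written for this thread, not code from Lycosidae, ScyllaHide or the linked page): a CRC over a function body is affine over XOR for equal-length inputs whichever generator polynomial is used, CRC-32 or CRC-32C, and that linearity is what the linked CRC-forcing method relies on; a direct byte comparison against a start-up snapshot, as zeffy suggests, instead reports exactly which byte changed. The 16-byte "prologue" and its hooked version are constructed sample data.

```python
# Reflected generator polynomials: CRC-32 (IEEE) and CRC-32C (Castagnoli),
# the variant used by the crc32c branch mentioned in this thread.
CRC32_POLY = 0xEDB88320
CRC32C_POLY = 0x82F63B78


def make_table(poly):
    """256-entry lookup table for a reflected CRC-32 variant."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


def crc(data, poly=CRC32_POLY):
    """Table-driven CRC-32 with the usual 0xFFFFFFFF init and final XOR."""
    table = make_table(poly)
    c = 0xFFFFFFFF
    for b in data:
        c = table[(c ^ b) & 0xFF] ^ (c >> 8)
    return c ^ 0xFFFFFFFF


def crc_is_affine(a, b, poly=CRC32_POLY):
    """Every CRC is affine over XOR for equal-length inputs, whatever the
    polynomial: crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros)."""
    assert len(a) == len(b)
    mixed = bytes(x ^ y for x, y in zip(a, b))
    zeros = bytes(len(a))
    return crc(mixed, poly) == crc(a, poly) ^ crc(b, poly) ^ crc(zeros, poly)


def first_mismatch(snapshot, current):
    """Direct byte comparison (zeffy's suggestion): offset of the first byte
    that differs from the start-up snapshot, or -1 if the bytes are identical."""
    if len(snapshot) != len(current):
        return min(len(snapshot), len(current))
    for i, (s, c) in enumerate(zip(snapshot, current)):
        if s != c:
            return i
    return -1


# Constructed sample (not from Lycosidae): a fake 16-byte function prologue,
# and the same bytes after an inline hook replaced the first five with a jmp.
ORIGINAL = bytes.fromhex("48895c2408 48896c2410 4889742418 57")
HOOKED = bytes.fromhex("e911223344 48896c2410 4889742418 57")
```

Swapping CRC32_POLY for CRC32C_POLY changes the checksum values but not the affine relation, which is why the byte comparison is the check that does not depend on the polynomial.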
#5
10-23-2019, 05:50
evlncrn8
I really don't see what's so fantastic / revolutionary about this at all.
#6
10-30-2019, 13:15
Lueilwitz
Need a tester for this branch:

https://github.com/lurumdare/ScyllaHideDetector/tree/crc32c
All times are GMT +8.