#1
Lycosidae - Modern Anti Debug
https://github.com/lurumdare/Lycosidae
Bypass ScyllaHide Features - Import no leak - Strings no leak
#2
I haven't looked at the entire source, but isn't using CRC32 to verify functions easy to bypass?
For example: https://www.nayuki.io/page/forcing-a-files-crc-to-any-value
Seems like it would be trivial to change the hooking procedure of ScyllaHide to use code like this to get the correct CRC with only 5 extra bytes of overhead (4 bytes of garbage after the jmp + 0xCC), and the CRC check could be circumvented. I think it would be better to just do a direct byte comparison of the functions since they are being processed in their entirety to get the length already.
The Following 5 Users Say Thank You to zeffy For This Useful Post:
Abaddon (10-19-2019), chessgod101 (10-20-2019), Lueilwitz (10-19-2019), niculaita (10-19-2019), nimaarek (10-29-2019)
#3
Quote:
#4
If that happened, you could just change the polynomial here (e.g. change CRC32 to CRC32c) and the CRC check would work again...
The Following User Says Thank You to gigaman For This Useful Post:
Lueilwitz (10-30-2019)
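Added example (not part of any post in this thread, and not code from Lycosidae or ScyllaHide): a C sketch of the trade-off discussed in posts #2 and #4, comparing a CRC-based function check with a direct byte comparison against a pristine copy. It goes slightly beyond the thread by running both CRC32 and CRC32C: any CRC is linear, so a difference that is a multiple of the generator polynomial goes unnoticed by that polynomial, while the byte comparison flags it either way. All function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CRC32_POLY  0xEDB88320u /* reflected CRC-32 (IEEE 802.3) */
#define CRC32C_POLY 0x82F63B78u /* reflected CRC-32C (Castagnoli) */

/* Constructed stand-in for a function body; not taken from any real module. */
static const uint8_t pristine[16] = {
    0x4C, 0x8B, 0xD1, 0xB8, 0x19, 0x00, 0x00, 0x00,
    0x0F, 0x05, 0xC3, 0x90, 0x90, 0x90, 0x90, 0x90 };

/* Bitwise reflected CRC with init/xorout 0xFFFFFFFF, for any polynomial. */
static uint32_t crc_reflected(uint32_t poly, const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (poly & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Copy the pristine bytes and XOR the 33-bit generator polynomial into
 * 5 bytes at offset 3. The change is a multiple of the generator, so the
 * CRC computed with that same polynomial stays identical. */
static void tampered_copy(uint32_t poly, uint8_t *out) {
    uint64_t g = ((uint64_t)poly << 1) | 1u;
    memcpy(out, pristine, sizeof pristine);
    for (int i = 0; i < 5; i++)
        out[3 + i] ^= (uint8_t)(g >> (8 * i));
}

/* Each check returns 1 when it notices a modification, 0 when it does not. */
static int crc_check_detects(uint32_t poly, const uint8_t *cur, size_t n) {
    return crc_reflected(poly, cur, n) != crc_reflected(poly, pristine, n);
}
static int bytes_check_detects(const uint8_t *cur, size_t n) {
    return memcmp(cur, pristine, n) != 0;
}

int main(void) {
    uint8_t a[16], b[16];
    tampered_copy(CRC32_POLY, a);  /* change invisible to CRC32  */
    tampered_copy(CRC32C_POLY, b); /* change invisible to CRC32C */
    printf("a: crc32=%d crc32c=%d bytes=%d\n", crc_check_detects(CRC32_POLY, a, 16),
           crc_check_detects(CRC32C_POLY, a, 16), bytes_check_detects(a, 16));
    printf("b: crc32=%d crc32c=%d bytes=%d\n", crc_check_detects(CRC32_POLY, b, 16),
           crc_check_detects(CRC32C_POLY, b, 16), bytes_check_detects(b, 16));
    return 0;
}
```

Switching the polynomial only moves the blind spot; a byte comparison or a cryptographic hash of the pristine bytes has none of this structure.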
#5
I really don't see what's so fantastic / revolutionary about this at all
#6
Need tester for this branch
https://github.com/lurumdare/ScyllaHideDetector/tree/crc32c