License: The Code Project Open License (CPOL)
Anti BPX
By Marcello Cantelmo
Simple check for break-points on eXecution of a system debugger!
C#, VB, ASM, .NET 1.0, .NET 1.1, Win2K, WinXP, VS.NET2003, Dev
Any program can be stepped through, instruction by instruction, in a debugger. A debugger is a legitimate tool for finding bugs, but it is just as often used by hackers/crackers to alter the protection routines of our programs or, worse, to reverse engineer an entire algorithm.
Windows provides an API function, IsDebuggerPresent (exported by kernel32.dll), to check whether the calling process is being debugged. It does not exist in Windows 95. All it does is read the BeingDebugged flag of the process's PEB (see the listing further down), a flag that is set when a debugger attaches through the Win32 debug API; a kernel-mode debugger such as SoftICE does not set it. The example also shows how to use pointers from VB.NET.
Example code (VB.NET):
Declare Function IsDebuggerPresent Lib "kernel32" () As Integer

Dim chkDebug As Integer = IsDebuggerPresent()
'chkDebug = 0 --> not debugged
'chkDebug = 1 --> debugged (the API returns a BOOL: any non-zero value means a debugger)
This demonstration assumes the adversary uses the SoftICE debugger.
It all looks simple: I can stop a hacker! Unfortunately the truth is very different, because our adversary can simply set a breakpoint on the API and step through it:

BPX IsDebuggerPresent
001B:77E52740 64A118000000 MOV   EAX, FS:[00000018]     ; TEB
001B:77E52746 8B4030       MOV   EAX, [EAX+30]          ; TEB -> PEB
001B:77E52749 0FB64002     MOVZX EAX, BYTE PTR [EAX+02] ; PEB.BeingDebugged
001B:77E5274D C3           RET

The whole function is just these 14 bytes. The adversary therefore needs nothing more than to change the function's return value at the breakpoint, or to patch kernel32.dll directly:

001B:77E52749 0FB64002 MOVZX EAX, BYTE PTR [EAX+02]

which becomes:

001B:77E52749 33C0 XOR EAX, EAX ;return always 0 !
001B:77E5274B 90   NOP          ;nothing
001B:77E5274C 90   NOP

(The two-byte XOR plus two NOPs fill exactly the four bytes of the original MOVZX, so the RET that follows is untouched.)
Our adversary is a good reverser! But what can we do about it? We can check for the presence of the BPX itself. A BPX is a software breakpoint: SoftICE writes the byte 0CCh (the one-byte INT 3 instruction) at the chosen address. So we obtain the address of the code that interests us (on my WinXP Home, 77E52740h; it differs from one kernel32 build to the next, which is why the code below asks GetProcAddress instead of hard-coding it) and check whether any of the function's 14 bytes equals 0CCh. It all seems very simple. Two caveats: 0CCh can occur legitimately inside other code (as an immediate or displacement byte, and compilers pad the gaps between functions with INT 3), so scan only the bytes of the function itself; and a breakpoint set with BPM uses the CPU debug registers and writes nothing to memory, so this scan cannot see it.
We use the APIs:
'Integer handles and addresses are 32-bit: this is for 32-bit processes only (.NET 1.x)
Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" _
    (ByVal lpLibFileName As String) As Integer
Declare Function FreeLibrary Lib "kernel32" Alias "FreeLibrary" _
    (ByVal hLibModule As Integer) As Integer
Declare Function GetProcAddress Lib "kernel32" Alias "GetProcAddress" _
    (ByVal hModule As Integer, ByVal lpProcName As String) As Integer
We then get the address of IsDebuggerPresent with GetProcAddress and read the function's bytes from that address:
Example code (VB.NET):
Imports System.Runtime.InteropServices

'Returns True if a 0CCh (INT 3) byte is found inside the first 14 bytes of
'IsDebuggerPresent, i.e. the whole function as shown in the listing above.
Function BpxOnIsDebuggerPresent() As Boolean
    Dim hLib As Integer = LoadLibrary("kernel32")   'module base
    If hLib = 0 Then Return False
    Dim apiaddress As Integer = GetProcAddress(hLib, "IsDebuggerPresent")
    'on my WinXP Home this returns 77E52740h; it differs per kernel32 build
    If apiaddress = 0 Then
        FreeLibrary(hLib)
        Return False
    End If
    Dim memdebug(13) As Byte   '14 bytes (VB declares the upper bound: 14-1)
    Marshal.Copy(New IntPtr(apiaddress), memdebug, 0, memdebug.Length)   'read the code bytes
    Dim bFlag As Boolean = False
    Dim ij As Integer
    For ij = 0 To memdebug.Length - 1
        If memdebug(ij) = &HCC Then
            '[i] no bpx please
            bFlag = True
            Exit For
        End If
    Next ij
    FreeLibrary(hLib)   'release library
    Return bFlag
End Function

If BpxOnIsDebuggerPresent() Then
    '[i] some actions: reset, hd format ;-p, ...your creativity!
End If
Clearly, this is only an example: you can analyse and check any region of memory starting from its address.
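The same check, with the caveats above, as an added example in C (this is not the article's VB.NET code and not part of the original). It works on raw code bytes so it runs on any platform; on Windows the bytes would be read from the address GetProcAddress returns, exactly as the VB.NET code above does. The three byte arrays are constructed from the article's disassembly listing: the clean function, the same function after BPX IsDebuggerPresent (0CCh written over the first byte) and after the kernel32 patch (33C0 9090). The names find_int3, code_matches, snapshot_code, verify_code, probe and live_self_check are this example's own. It shows that the 0CCh scan catches the breakpoint but not the byte patch, whereas a comparison against a known-good copy catches both.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CODE_LEN 14

/* IsDebuggerPresent as listed in the article (WinXP kernel32): 14 bytes. */
static const unsigned char clean_isdbg[CODE_LEN] = {
    0x64, 0xA1, 0x18, 0x00, 0x00, 0x00, /* MOV   EAX, FS:[18h]       ; TEB           */
    0x8B, 0x40, 0x30,                   /* MOV   EAX, [EAX+30h]      ; PEB           */
    0x0F, 0xB6, 0x40, 0x02,             /* MOVZX EAX, BYTE [EAX+02h] ; BeingDebugged */
    0xC3                                /* RET                                       */
};

/* Constructed: the same bytes after "BPX IsDebuggerPresent" (INT 3 at the entry). */
static const unsigned char bpx_isdbg[CODE_LEN] = {
    0xCC, 0xA1, 0x18, 0x00, 0x00, 0x00,
    0x8B, 0x40, 0x30,
    0x0F, 0xB6, 0x40, 0x02,
    0xC3
};

/* Constructed: the same bytes after the patch from the article
 * (MOVZX replaced by XOR EAX,EAX / NOP / NOP). Note: no 0xCC anywhere. */
static const unsigned char patched_isdbg[CODE_LEN] = {
    0x64, 0xA1, 0x18, 0x00, 0x00, 0x00,
    0x8B, 0x40, 0x30,
    0x33, 0xC0, 0x90, 0x90,
    0xC3
};

/* The article's check: offset of the first 0xCC (INT 3) byte, or -1 if none.
 * Scan only the bytes of the function itself: 0xCC is a legal operand byte
 * elsewhere, and MSVC pads the gaps between functions with INT 3. */
int find_int3(const unsigned char *code, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0xCC)
            return (int)i;
    return -1;
}

/* Stronger check: compare against a known-good copy of the code. This catches
 * the breakpoint and any byte patch, but the reference copy must be trusted. */
int code_matches(const unsigned char *code, const unsigned char *known_good, size_t len)
{
    return memcmp(code, known_good, len) == 0;
}

/* Applying it to live code: read a function's first bytes through a data
 * pointer, as Marshal.Copy does in the VB.NET version, and compare later. */
typedef int (*probe_fn)(int);

static int probe(int x) { return x + 1; }          /* a stand-in for the API */

void snapshot_code(probe_fn fn, unsigned char *out, size_t len)
{
    memcpy(out, (const void *)(uintptr_t)fn, len);
}

int verify_code(probe_fn fn, const unsigned char *snapshot, size_t len)
{
    unsigned char now[64];
    if (len > sizeof now)
        return 0;
    memcpy(now, (const void *)(uintptr_t)fn, len);
    return memcmp(now, snapshot, len) == 0;
}

/* Snapshot, then verify: returns 1 when the live bytes are unchanged. */
int live_self_check(void)
{
    unsigned char snap[8];
    snapshot_code(probe, snap, sizeof snap);
    return verify_code(probe, snap, sizeof snap);
}

int main(void)
{
    printf("clean:   int3 at %2d  matches known-good: %d\n",
           find_int3(clean_isdbg, CODE_LEN), code_matches(clean_isdbg, clean_isdbg, CODE_LEN));
    printf("bpx:     int3 at %2d  matches known-good: %d\n",
           find_int3(bpx_isdbg, CODE_LEN), code_matches(bpx_isdbg, clean_isdbg, CODE_LEN));
    printf("patched: int3 at %2d  matches known-good: %d\n",
           find_int3(patched_isdbg, CODE_LEN), code_matches(patched_isdbg, clean_isdbg, CODE_LEN));
    printf("live self-check unchanged: %d\n", live_self_check());
    return 0;
}
```

Compile with any C compiler and run. The live_self_check part reads the first eight bytes of one of the program's own functions, the way the VB.NET code reads kernel32's. The known-good copy must come from somewhere the adversary has not already patched (the DLL on disk, or a hash computed at build time); a snapshot taken at start-up after the patch is already in place proves nothing.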
Making the reverse engineering of our programs harder puts hackers/crackers in difficulty... at least those who are not too good!
For other information, please visit my web site (under continuous development).
September 2004: First public release. (Sorry for my bad English...I'm Italian.)
Last Updated: 8 Sep 2004. Editor: Smitha Vijayan
Copyright 2004 by Marcello Cantelmo. Everything else Copyright © CodeProject, 1999-2009