A collection of software anti-cracking methods: IsDebuggerPresent

Source: Internet
Author: User

Crackers know better than anyone where a program will be attacked, so let me talk about software protection methods. This article is based on Borland C++ 6.0 debugging, and you had better understand inline assembly. If you find any errors, let me know: I have no Internet access at home, and I only have the Borland help documentation (which is actually quite good) on hand.
The first topic is anti-OD (detecting OllyDbg).
1. IsDebuggerPresent
BOOL IsDebuggerPresent(void)
This is probably the most widely used function of its kind, but on its own it is useless: a cracker can defeat it at will.
Microsoft said:
If the current process is running in the context of a debugger, the return value is nonzero.
If the current process is not running in the context of a debugger, the return value is zero.
The translation is:
If the current application runs in the debugger, the return value is not 0. If the application does not run in the debugger, the return value is 0.
Generally, people write it like this:
    BOOL isDebuggerOn;
    isDebuggerOn = IsDebuggerPresent();
    if (isDebuggerOn)
    {
        ......
    }
The ellipsis stands for whatever code you want to run. Of course, this is the naive way to write it. When the program is loaded in OD, IsDebuggerPresent shows up in the import table, and since the only purpose of IsDebuggerPresent is to look for a debugger, its presence in the import list gives the check away immediately.
There are many ways to keep it out of the import table. I will introduce an uncommon one.
We use IDA to analyze kernel32.dll and find IsDebuggerPresent:
    ; BOOL IsDebuggerPresent(void)
    .text:7C812E03                 public IsDebuggerPresent
    .text:7C812E03 IsDebuggerPresent proc near      ; CODE XREF: .text:loc_7C874FB1
    .text:7C812E03                 mov     eax, large fs:18h
    .text:7C812E09                 mov     eax, [eax+30h]
    .text:7C812E0C                 movzx   eax, byte ptr [eax+2]
    .text:7C812E10                 retn
    .text:7C812E10
    .text:7C812E10 IsDebuggerPresent endp
Then we write our own version of IsDebuggerPresent. The three instructions are copied into an inline assembly block; the result is left in EAX, which is the register Borland C++ returns an integer-sized value in:
    BOOL MyIsDebuggerPresent(void)
    {
        __asm
        {
            mov   eax, fs:[18h]          // TEB (fs:[18h] holds the TEB's own address)
            mov   eax, [eax+30h]         // TEB+30h -> PEB
            movzx eax, byte ptr [eax+2]  // PEB+2 -> BeingDebugged, returned in EAX
        }
    }
This is our own IsDebuggerPresent, and IsDebuggerPresent itself no longer appears in the import table!
Simple and practical!
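To make the three instructions above concrete, here is a portable model of the walk they perform. This is an added example, not code from the article: on 32-bit Windows fs:[18h] is the TEB's own address, TEB+30h holds the PEB pointer, and PEB+2 is the BeingDebugged byte that IsDebuggerPresent returns. Instead of real process memory the example uses a constructed byte image with just those three fields at those offsets, so it can be stepped through on any platform; IMG_BASE, TEB_ADDR and PEB_ADDR are made-up values.

```c
/* Added example, not the article's code: a portable model of the three
 * instructions in the disassembly. The "process memory" is a constructed
 * byte image; TEB_ADDR and PEB_ADDR are arbitrary addresses chosen so that
 * the same offsets (18h, 30h, +2) are read. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_BASE 0x7ffd8000u   /* constructed: start of the modelled region */
#define IMG_SIZE 0x8000u
#define TEB_ADDR 0x7ffde000u   /* constructed TEB address; FS points here */
#define PEB_ADDR 0x7ffd8000u   /* constructed PEB address */

struct image { uint8_t bytes[IMG_SIZE]; };

/* Little-endian 32-bit load, the equivalent of mov eax, [addr]. */
static uint32_t rd32(const struct image *m, uint32_t addr)
{
    uint32_t off = addr - IMG_BASE;
    if (off > IMG_SIZE - 4) return 0;          /* outside the modelled region */
    const uint8_t *p = m->bytes + off;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Byte load, the equivalent of movzx eax, byte ptr [addr]. */
static uint8_t rd8(const struct image *m, uint32_t addr)
{
    uint32_t off = addr - IMG_BASE;
    return off < IMG_SIZE ? m->bytes[off] : 0;
}

static void wr32(struct image *m, uint32_t addr, uint32_t v)
{
    uint8_t *p = m->bytes + (addr - IMG_BASE);
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Build the image: TEB self pointer at +18h, PEB pointer at +30h,
 * BeingDebugged at PEB+2. Everything else is zero. */
void build_image(struct image *m, uint8_t being_debugged)
{
    memset(m->bytes, 0, sizeof m->bytes);
    wr32(m, TEB_ADDR + 0x18, TEB_ADDR);
    wr32(m, TEB_ADDR + 0x30, PEB_ADDR);
    m->bytes[PEB_ADDR + 2 - IMG_BASE] = being_debugged;
}

/* The disassembled IsDebuggerPresent, one instruction per line,
 * with fs_base standing in for the FS segment base. */
int model_is_debugger_present(const struct image *m, uint32_t fs_base)
{
    uint32_t eax;
    eax = rd32(m, fs_base + 0x18);   /* mov   eax, fs:[18h]         -> TEB */
    eax = rd32(m, eax + 0x30);       /* mov   eax, [eax+30h]        -> PEB */
    return rd8(m, eax + 2);          /* movzx eax, byte ptr [eax+2] -> BeingDebugged */
}

/* Build an image whose flag byte is `flag`, then run the walk over it. */
int check_with_flag(uint8_t flag)
{
    static struct image img;         /* 32 KiB, so keep it off the stack */
    build_image(&img, flag);
    return model_is_debugger_present(&img, TEB_ADDR);
}

int main(void)
{
    printf("flag clear -> %d\n", check_with_flag(0));
    printf("flag set   -> %d\n", check_with_flag(1));
    return 0;
}
```

The model also makes the weakness visible: the whole check rests on one readable, writable byte in the process's own address space, which is why the article says the function "can be done at will". The offsets are the 32-bit ones from the listing; a 64-bit process has a different TEB/PEB layout, so the inline assembly above is for 32-bit builds only.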
2. FindWindow
    HWND FindWindow(
        LPCTSTR lpClassName,   // pointer to class name
        LPCTSTR lpWindowName   // pointer to window name
    );

Parameters

lpClassName
Points to a null-terminated string that specifies the class name or is an atom that identifies the class-name string. If this parameter is an atom, it must be a global atom created by a previous call to the GlobalAddAtom function. The atom, a 16-bit value, must be placed in the low-order word of lpClassName; the high-order word must be zero.

lpWindowName
Points to a null-terminated string that specifies the window name (the window's title). If this parameter is NULL, all window names match.

Return values
If the function succeeds, the return value is the handle to the window that has the specified class name and window name.
If the function fails, the return value is NULL. To get extended error information, call GetLastError.
The English above is very simple.
lpClassName is a pointer to the class-name string.
lpWindowName is the window's title; if it is NULL, every window name matches.
Return value: if the call succeeds, the handle of the window is returned; if it fails, NULL is returned.
Using OD's window plug-in (or any window-spy tool) we can see that OllyDbg's main window class name is "ollydbg", so we pass that as the class name and NULL for lpWindowName:
    char *str = "ollydbg";
    HWND h_od = FindWindow(str, NULL);
    if (h_od)
    {
        ......
    }
Written this way, the check finds OD whenever it is running.
3. GetTickCount
This is an old detection method. Old, but classic.
When a program is stepped in a debugger, execution pauses far longer at some points than it would during a normal run, so the elapsed time between two points can be used to guess whether the program is being debugged. I use a threshold of 1 s here. GetTickCount returns a DWORD (unsigned) millisecond count, so the readings are kept unsigned and the difference is taken in unsigned arithmetic:
    DWORD t1, t2;
    t1 = GetTickCount();
    ......
    t2 = GetTickCount();
    if (t2 - t1 > 1000)    // more than 1 s between the two readings
    {
        ......
    }
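The timing check above, as an added example that is not part of the article, with the one detail a practitioner trips over: GetTickCount is a 32-bit millisecond counter that wraps every ~49.7 days, and subtracting the two readings as unsigned 32-bit values gives the correct elapsed time across that wrap, which a signed int does not guarantee. tick_now() is a portable stand-in for GetTickCount built on C11 timespec_get (an assumption: a C11 libc), used only so the example runs anywhere; on Windows it would be GetTickCount itself.

```c
/* Added example, not the article's code: wraparound-safe tick arithmetic
 * and the article's 1 s check around a small piece of work. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Elapsed milliseconds between two 32-bit tick readings, modulo 2^32.
 * Unsigned subtraction wraps correctly when t2 has rolled over past 0. */
uint32_t tick_delta(uint32_t t1, uint32_t t2)
{
    return t2 - t1;
}

/* The article's test: more than threshold_ms between the two readings. */
int timing_tripped(uint32_t t1, uint32_t t2, uint32_t threshold_ms)
{
    return tick_delta(t1, t2) > threshold_ms;
}

/* Stand-in for GetTickCount: wall-clock milliseconds truncated to 32 bits
 * (assumption: C11 timespec_get is available). */
uint32_t tick_now(void)
{
    struct timespec ts;
    timespec_get(&ts, TIME_UTC);
    return (uint32_t)((uint64_t)ts.tv_sec * 1000u + (uint64_t)ts.tv_nsec / 1000000u);
}

/* A protected section: time a small constructed workload with a 1 s
 * threshold. Returns 1 if the section took suspiciously long. */
int protected_section_looks_debugged(void)
{
    uint32_t t1 = tick_now();
    volatile uint32_t sink = 0;                  /* volatile keeps the loop */
    for (uint32_t i = 0; i < 100000u; i++) sink += i * 2654435761u;
    uint32_t t2 = tick_now();
    return timing_tripped(t1, t2, 1000);
}

int main(void)
{
    printf("wrapped delta: %u ms\n", tick_delta(0xFFFFFF00u, 0x00000100u));
    printf("protected section tripped: %d\n", protected_section_looks_debugged());
    return 0;
}
```

The threshold has to be generous: a context switch, a page fault or a heavily loaded machine can add hundreds of milliseconds to a normal run, so a timing check is a noisy signal that is usually combined with others rather than used alone.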

The above are the simplest and most commonly used three.

We have all heard of virtual machines. It does not sound like something a beginner could implement. In fact, we sometimes underestimate ourselves too much: the most common practice in a virtual machine is simply to implement an instruction in a different way.
When designing an algorithm, we can first write it in a high-level language, compile it, and then replace the instructions in the assembly output with these substitute functions. Of course, we have some principles of our own:
1. Complicated logical relationships
2. Something a cracker can admire after reading it
3. Wasteful, inefficient code
4. Slow execution speed
I thought about it for a week and finally came up with a bit of code that is presentable, so I will post it for you to see.
We know:
    0 XOR 0 = 0
    0 XOR 1 = 1
    1 XOR 0 = 1
    1 XOR 1 = 0

    0 AND 0 = 0
    0 AND 1 = 0
    1 AND 0 = 0
    1 AND 1 = 1

    0 OR 0 = 0
    0 OR 1 = 1
    1 OR 0 = 1
    1 OR 1 = 1
From this we get a rule: XOR + AND = OR. (A XOR B and A AND B never have a set bit in the same position, so adding them never carries and the sum is exactly A OR B.) Rearranging gives AND = OR - XOR and XOR = OR - AND, which the three functions below use.
    int and_(int a, int b)      // a & b == (a | b) - (a ^ b)
    {
        __asm
        {
            mov eax, a
            mov ebx, eax
            or  eax, b          // eax = a | b
            xor ebx, b          // ebx = a ^ b
            sub eax, ebx        // eax = (a | b) - (a ^ b) = a & b
        }
    }

    int or_(int a, int b)       // a | b == (a ^ b) + (a & b)
    {
        __asm
        {
            mov eax, a
            mov ebx, eax
            xor eax, b          // eax = a ^ b
            and ebx, b          // ebx = a & b
            add eax, ebx        // eax = (a ^ b) + (a & b) = a | b
        }
    }

    int xor_(int a, int b)      // a ^ b == (a | b) - (a & b)
    {
        __asm
        {
            mov eax, a
            mov ebx, eax
            or  eax, b          // eax = a | b
            and ebx, b          // ebx = a & b
            sub eax, ebx        // eax = (a | b) - (a & b) = a ^ b
        }
    }

In the example above XOR, AND and OR are simulated through the logical relationships between them. Now let us write some functions straight from their definitions.
Bitwise:
AND gives 1 only when both bits are 1; otherwise it gives 0.
    int myand(int a, int b)
    {
        __asm
        {
            mov eax, a
            mov ebx, b
            mov ecx, 32         // 32 bits to process
            xor edx, edx        // edx accumulates the result
        L4:
            shl edx, 1          // make room for the next result bit
            shl eax, 1          // CF = top bit of a
            jc  L1
            shl ebx, 1          // a's bit was 0: discard b's bit, result bit is 0
            jmp L3
        L1:
            shl ebx, 1          // a's bit was 1: CF = top bit of b
            adc edx, 0          // result bit = CF
        L3:
            dec ecx
            jnz L4
            mov eax, edx        // return the accumulated result
        }
    }
The code quality here is nothing special, and to match the style of the code above I gave up some efficiency for ease of coding. A short explanation: we shift A and B left one bit at a time. If the bits shifted out of both are 1, EDX = EDX + 1; otherwise EDX = EDX + 0, and EDX itself is shifted left each round. To follow the code you cannot be ignorant of the instructions involved; for example, you need to know that SHL sets the carry flag and that ADC adds it.
It is tiring to write this sort of thing. OR and XOR are left unwritten.
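The identity-based operators and the bit-serial AND above, together with the bit-serial OR and XOR the article leaves unwritten, as an added example in portable C (not the article's code). The identities are the article's; the bit-serial OR and XOR are my extension of its myand, obtained by changing only how the two shifted-out bits are combined. verify_against_native() checks every variant against the CPU's own operators on constructed pseudo-random inputs, which is the test any substitute instruction should pass before it replaces the real one.

```c
/* Added example, not the article's code: the article's three identities,
 * its bit-serial AND, and bit-serial OR/XOR in the same style (my
 * extension), each checked against the native operator. */
#include <stdint.h>
#include <stdio.h>

/* a ^ b and a & b never share a set bit, so their sum is a | b; the other
 * two identities follow by rearranging. */
uint32_t and_via_identity(uint32_t a, uint32_t b) { return (a | b) - (a ^ b); }
uint32_t or_via_identity (uint32_t a, uint32_t b) { return (a ^ b) + (a & b); }
uint32_t xor_via_identity(uint32_t a, uint32_t b) { return (a | b) - (a & b); }

/* The bit-serial loop from myand: shift both inputs out of the top one bit
 * per round, combine the two shifted-out bits, and shift the result bit into
 * an accumulator. With combine = bit_and this is exactly the article's myand. */
typedef int (*bit_op)(int, int);
static int bit_and(int x, int y) { return x & y; }
static int bit_or (int x, int y) { return x | y; }
static int bit_xor(int x, int y) { return x ^ y; }

uint32_t bitserial(uint32_t a, uint32_t b, bit_op combine)
{
    uint32_t acc = 0;                        /* edx */
    for (int i = 0; i < 32; i++) {           /* mov ecx, 32 ... dec ecx / jnz */
        int ca = (a >> 31) & 1; a <<= 1;     /* shl eax, 1 : CF = old top bit */
        int cb = (b >> 31) & 1; b <<= 1;     /* shl ebx, 1 */
        acc = (acc << 1) | (uint32_t)combine(ca, cb);   /* shl edx, 1 ; adc edx, 0 */
    }
    return acc;
}

uint32_t and_bitserial(uint32_t a, uint32_t b) { return bitserial(a, b, bit_and); }
uint32_t or_bitserial (uint32_t a, uint32_t b) { return bitserial(a, b, bit_or);  }
uint32_t xor_bitserial(uint32_t a, uint32_t b) { return bitserial(a, b, bit_xor); }

/* Returns 1 if every variant agrees with the native operator on `rounds`
 * input pairs drawn from a constructed LCG (seed and constants arbitrary). */
int verify_against_native(unsigned rounds)
{
    uint32_t x = 0x12345678u;
    for (unsigned r = 0; r < rounds; r++) {
        x = x * 1664525u + 1013904223u; uint32_t a = x;
        x = x * 1664525u + 1013904223u; uint32_t b = x;
        if (and_via_identity(a, b) != (a & b)) return 0;
        if (or_via_identity (a, b) != (a | b)) return 0;
        if (xor_via_identity(a, b) != (a ^ b)) return 0;
        if (and_bitserial(a, b)    != (a & b)) return 0;
        if (or_bitserial (a, b)    != (a | b)) return 0;
        if (xor_bitserial(a, b)    != (a ^ b)) return 0;
    }
    return 1;
}

int main(void)
{
    printf("all variants match native operators: %d\n", verify_against_native(10000));
    printf("and_bitserial(0xF0F0, 0xFF00) = 0x%X\n", and_bitserial(0xF0F0u, 0xFF00u));
    return 0;
}
```

Substitutions like these raise the cost of reading the code (the article's principles 1, 3 and 4) without changing what it computes, so the verification step matters: a substitute that is wrong for some input is a functional bug shipped to every user, not a protection.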