Disclaimer: This article is for the technically inclined, specifically amateur reversers and memory editors. If you have no idea what those two terms mean, then this is not an article for you.
The Problem: Those who have tried to debug/reverse Rumble Fighters know that loading Rumble Fighters in a debugger causes it to terminate after the OGPlanet logo disappears.
Explanation: Rumble Fighters employs one simple anti-debug trick. When your debugger loads the process, the debugger writes entries into a structure called the Process Environment Block (PEB). One of those entries is a Boolean called BeingDebugged. Now, just how does Rumble Fighters access the PEB? It employs two methods. One is calling the API IsDebuggerPresent. The other is a custom function that does the exact same thing as IsDebuggerPresent. So the most logical way to bypass this trick is to change BeingDebugged. Now, how would one access BeingDebugged?
Code:
mov eax, dword ptr fs:[0x18]
mov eax, dword ptr ds:[eax+0x30]
movzx eax, byte ptr ds:[eax+0x2]
Let's examine. fs:[0x18] refers to a data structure called the Thread Information Block (TIB). The first line gets the address of the TIB (one entry inside the TIB, at offset 0x18, is the address of the TIB itself). Inside the TIB, at offset 0x30, resides the pointer to the PEB, so the second line loads the address of the PEB. The third line gets the value of BeingDebugged, which is the byte at offset 0x2 of the PEB. Rumble Fighters checks the value of BeingDebugged to see if it's one. If it is, Rumble Fighters will close itself.
Solution: Luckily, many members of the reversing community have made plugins for most of your favorite debuggers. Search for IsDebuggerPresent bypass plugins/PEB patching plugins. If you absolutely cannot find a plugin for IsDebuggerPresent/PEB patching, you can write your own.
Code:
IsDebuggerPresent+0x9:
mov byte ptr ds:[eax+2], 0
xor eax, eax
retn
Code:
IsDebuggerPresent+0x9:
db: C6 40 02 00 33 C0 C3
This works because IsDebuggerPresent is called before the custom function. This way we only need to hook the API, because the patched API changes the value of BeingDebugged, so the custom function reads the cleared value afterwards. The first example is what you would inline/assemble into a DLL. The second is compatible with Cheat Engine. Make sure to change the memory before Rumble Fighters runs.
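To see the pointer walk and the call-order argument in one place, here is an added model in Python (not code from the game, the API, or any plugin). The addresses are constructed, the function names are hypothetical, and it assumes the API begins with the first two loads of the listing above, which is why eax already holds the PEB address at +0x9.

```python
import struct

# Offsets from the listings above (32-bit Windows layout).
TIB_SELF, TIB_PEB, PEB_BEING_DEBUGGED = 0x18, 0x30, 0x02
# Constructed addresses for this model; real ones differ per process and thread.
TIB_ADDR, PEB_ADDR = 0x7FFDF000, 0x7FFD5000


class Memory:
    """Sparse 32-bit address space; unwritten bytes read as zero."""

    def __init__(self):
        self.cells = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.cells[addr + i] = b

    def read_u8(self, addr):
        return self.cells.get(addr, 0)

    def read_u32(self, addr):
        raw = bytes(self.read_u8(addr + i) for i in range(4))
        return struct.unpack("<I", raw)[0]


def build_process(being_debugged):
    """Lay out a constructed TIB and PEB the way the article describes them."""
    mem = Memory()
    mem.write(TIB_ADDR + TIB_SELF, struct.pack("<I", TIB_ADDR))
    mem.write(TIB_ADDR + TIB_PEB, struct.pack("<I", PEB_ADDR))
    mem.write(PEB_ADDR + PEB_BEING_DEBUGGED, bytes([int(being_debugged)]))
    return mem


def read_being_debugged(mem, fs_base):
    eax = mem.read_u32(fs_base + TIB_SELF)        # mov eax, dword ptr fs:[0x18]
    eax = mem.read_u32(eax + TIB_PEB)             # mov eax, dword ptr ds:[eax+0x30]
    return mem.read_u8(eax + PEB_BEING_DEBUGGED)  # movzx eax, byte ptr ds:[eax+0x2]


def patched_api(mem, fs_base):
    # Assumption: the API's first 9 bytes are the two loads above, so eax = PEB at +0x9.
    eax = mem.read_u32(mem.read_u32(fs_base + TIB_SELF) + TIB_PEB)
    mem.write(eax + PEB_BEING_DEBUGGED, b"\x00")  # mov byte ptr ds:[eax+2], 0
    return 0                                      # xor eax, eax / retn


def game_would_exit(mem, fs_base, api):
    """API check first, then the custom check: the call order the article relies on."""
    return bool(api(mem, fs_base)) or bool(read_being_debugged(mem, fs_base))
```

Passing read_being_debugged as the api argument models the unpatched API; passing patched_api models the patch, after which the custom check reads the cleared byte.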
Happy Reversing!
Shoutout to Jonyleeson.