Rumble Fighters Anti-Anti-Debug

Fovea · 01-18-2009, 03:24 AM

Disclaimer: This article is for the technically inclined. Specifically, those who are amateur reversers/memory editers. If you have no idea what those two previous terms mean, then this is not an article for you.

The Problem: Those that have tried to debug/reverse Rumble Fighters would know, that loading Rumble Fighters in your debugger would cause Rumble Fighters to terminate after the OGPlanet logo dissapears.

Explanation: Rumble Fighters employs one simple anti-debug trick. When your debugger loads the process, the debugger writes entries into a structure called the Process Environment Block. One of those entries is called BeingDebugged (Boolean). Now, just how does Rumble Fighters access the PEB? Rumble Fighters employs two methods. One is calling the API IsDebuggerPresent. The other is a custom function that does the exact same thing as IsDebuggerPresent. So, the most logical way to bypass this trick is to change BeingDebugged. Now, how would one access BeingDebugged?

Code:

 
mov eax, dword ptr fs:[0x18]
mov eax, dword ptr ds:[eax+0x30]
movzx eax, byte ptr ds:[eax+0x2]

Let's examine. The fs:[0x18] refers you to a data structure called the Thread Information Block. Thus, the first line is getting the address of the TIB (One entry inside the TIB is the address of the TIB, aka 0x18). Inside the TIB, at the 30th byte, resides the pointer to the PEB. The second line tells you the address of the PEB. The third line gets the value of BeingDebugged. It is the byte at 0x2 of the PEB. Rumble Fighters checks the value of BeingDebugged, to see if its one. If it is, Rumble Fighters will close itself.

Solution: Luckily, many members of the reversing community have made plugins for most of your favorite debuggers. Search for IsDebuggerPresent bypass plugins/PEB patching plugins. If you absolutely cannot find a plugin for IsDebuggerPresent/PEB patching, you can write your own.

Code:

 
IsDebuggerPresent+0x9:
mov byte ptr ds:[eax+2], 0
xor eax, eax
retn

Code:

 
IsDebuggerPresent+0x9:
db C6 40 02 00 33 C0 C3

This works because IsDebuggerPresent is called before the custom function. This way we only need to hook the API, because the API changes the value of BeingDebugged. The first example is what you would inline/assemble into a DLL. The second is compatible with Cheat Engine. Make sure to change the memory before Rumble Fighters runs.

Happy Reversing!

DIEISAIDIE · 01-18-2009, 08:52 AM

Okay man I got all that...but I just don't know how to how to access PEB and stuff...But if I can bypass it...I think I can mess with RF with CE :P...

Now I gotta do some studying XD...thanks though!

Edit: Okay man...I tried editing the stuff...but I can't find the PEB...

I couldn't find a plug in...so I tried looking for the stuff myself...so I opened RF using Olly to try to look for the stuff...couldn't find it among all the coding <_<...

Help would be appreciated ^_^

Fovea · 01-18-2009, 05:56 PM

Seeing that you are using Olly, this will help you. [Only registered and activated users can see links. ]

Majii Guy · 01-18-2009, 06:13 PM

Good job OP - IsDebuggerPresent is probably as basic as it gets for debugging, so I'll be interested in hearing about the new detection methods Rumble Fighter will begin to employ.

Personally, for an anti-debugger plugin, I normally use [Only registered and activated users can see links. ] with a few other tools, depending on the packer and method of detection (Poison won't do for EXECryptor or Themida, hah).

Regards,
Vincent

Fovea · 01-18-2009, 07:11 PM

Personally, I use PhantOm. I agree that IsDebuggerPresent is simple and I doubt they will employ anymore anti-debugging techniques. Anyways, packers are shit, VMs are what irks people.

DIEISAIDIE · 01-19-2009, 01:23 PM

okay I tried to use Poison and the plug in you gave me Fovea. In poison I checked agressive peb hide. Then I attached it to RF which was running at the time. Then I went to CE and clicked find what writes to this address...what usually used to happen was that right then and there RF would shut down, now it tries and says CE failed to attach to the process (error= 87)

... any idea what I do from there? I was trying to find it for the carats btw o.O...

And like...you know how CE has it so you can search for values and it'll spit out the addresses? Can I do that with Olly or no?

Edit: It also freezes when i try to find the pointer using CE.

Sry man I'm a noob at this XD...but this is kinda like my idea of fun o.O...

draine0620 · 02-17-2009, 11:20 AM

can u pls translate it in a way that a 5th grader will understand it...

JiaSen · 02-17-2009, 11:28 AM

You can get banned from the forum from saying that?

OMGZorz · 02-17-2009, 12:46 PM

Quote:

Originally Posted by draine0620

can u pls translate it in a way that a 5th grader will understand it...

Dun get it? Dun use it.

jpownedu · 02-17-2009, 01:20 PM

i kind of get this thread, but theres 1 part i dont get am i suppose to use olly or ce. and how do i find the PEB and API because i cant find those addresses or add them on olly