Crash when executing a piece of code in C::B (not in another IDE or at runtime)

mandrav:

--- Quote from: skirby ---In fact, the forum interprets [ i ] characters like italic.
--- End quote ---

That's your fault because you used [ quote ] instead of [ code ] tags for your code :)

skirby:
Hello mandrav,

Yes, you are absolutely right.
Shame on me :)

thomas:

--- Quote from: skirby on July 04, 2006, 04:59:36 pm ---In fact, I would like to access my function at runtime in order to detect if a breakpoint (INT 3) has been placed.
I need to detect any 0xCC opcode in the function that's why I have written this piece of code.
What is the best way?
--- End quote ---
In my opinion, there is absolutely no excuse for reading from or writing to executable data, except if someone is writing a debugger or an executable packer (both of these obviously don't work otherwise).
Looking for 0xcc is probably meant to be an anti-cracking measure, but you can rest assured that you are wasting your time with this. Don't expect this will delay any halfway serious cracker for more than 2 minutes.

Also, x86 instructions are variable length, so unless you write a fully-fledged realtime disassembler, you will have a hard time, as you don't necessarily know whether a byte at some random position is an opcode, or maybe an offset or an immediate. The byte 0xcc can, in principle, appear in many completely harmless places throughout your code (something like mov eax, [ebx + 204]?). Thus, be prepared to see false positives.

If you think that you absolutely must make sure your code is unmodified, you should calculate one or several checksums (CRC32 or MD5, whatever) and make code in a different place depend on this checksum (do not check the value, but use it). Such things are hard to track and hard to tamper with, if you are only a little bit creative.
However, even then you should have no illusions about your ingenuity. Code that cannot be cracked does not exist. It is only a matter of how much time someone is willing to invest.
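To make thomas's two points concrete (a raw byte scan for 0xCC produces false positives because x86 instructions are variable length, and a checksum over a known byte range is the sounder integrity check), here is an added example in C. It is not code from the thread or from Code::Blocks; the byte buffer is constructed by hand to encode `mov eax, [ebx+204]` followed by `ret`, and the function names `count_0xcc`, `crc32_bytes` and `integrity_check` are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the x86 encoding of "mov eax, [ebx+204]" (8B 83 CC 00 00 00)
 * followed by "ret" (C3). It contains no INT 3, yet the displacement byte is 0xCC. */
static const uint8_t sample_clean[] = {0x8B, 0x83, 0xCC, 0x00, 0x00, 0x00, 0xC3};

/* Naive scan of the kind the original post attempted: count every 0xCC byte,
 * with no knowledge of instruction boundaries. */
size_t count_0xcc(const uint8_t *data, size_t len) {
    size_t hits = 0;
    for (size_t i = 0; i < len; i++)
        if (data[i] == 0xCC)
            hits++;
    return hits;
}

/* CRC-32 (IEEE, reflected polynomial 0xEDB88320) over an arbitrary byte range.
 * The range and its length are given explicitly rather than derived from
 * function-pointer arithmetic, which the thread explains is not meaningful. */
uint32_t crc32_bytes(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Returns 1 if the buffer still matches the checksum recorded for it, 0 otherwise. */
int integrity_check(const uint8_t *data, size_t len, uint32_t expected) {
    return crc32_bytes(data, len) == expected;
}

int main(void) {
    /* The byte scan reports a "breakpoint" in a buffer that has none. */
    printf("0xCC bytes in clean sample: %zu (false positive)\n",
           count_0xcc(sample_clean, sizeof sample_clean));

    /* The checksum does not care what the bytes mean, only whether they changed. */
    uint32_t reference = crc32_bytes(sample_clean, sizeof sample_clean);
    printf("CRC32 of clean sample: 0x%08X\n", reference);

    /* Simulate a single-byte patch and confirm the checksum detects it. */
    uint8_t tampered[sizeof sample_clean];
    memcpy(tampered, sample_clean, sizeof sample_clean);
    tampered[0] = 0xCC;
    printf("tampered copy passes integrity check: %d\n",
           integrity_check(tampered, sizeof tampered, reference));
    return 0;
}
```

The scan flags the clean buffer because it cannot tell an immediate from an opcode, while the checksum is indifferent to decoding and only reports whether the bytes changed. The CRC routine can be verified against the standard check value 0xCBF43926 for the ASCII string "123456789".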

thomas:
By the way... what makes you think that len = (int)(&f2 - &f1); produces any significant, usable, and meaningful value?

The compiler can arrange functions any way it happens to feel like at the time of compilation. f1 may appear before f2 or after it, and 250 other functions might be in between.
You don't even know whether they are placed in the same segment and on the same memory page. This may be the case, but it may as well not be.

skirby:
Thank you very much thomas.
I will try to follow your advice.

Otherwise, I absolutely know that checking for 0xCC opcode isn't enough to stop a cracker.
In fact, I try to do that above all for the knowledge.

So, if you know some good and pretty simple anti-debugging techniques to code, I would be happy to try to implement them.

Thanks and have a nice day.