An Anti-Reverse Engineering Guide

1. // READ MORE HERE: http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide
2. ### ------------------------------------------------------------------------------------------------ ###
3. A look into what goes into the area of preventing reverse engineering, and gives developers some functions and ideas about preventing reversing engineering of their programs.
4. ### ------------------------------------------------------------------------------------------------ ###
5.  
6. [Table of Contents]
7. ___________________
8. Breakpoints
9. Int 3
10. Memory
11. Hardware
12. Timing Attacks
13. RDTSC
14. Win32 Timing APIs
15. Windows Internals
16. ProcessDebugFlags
17. Debug Object Handle
18. Thread Hiding
19. BlockInput
20. OutputDebugString
21. Process Exploitation
22. Open Process
23. Parent Processes
24. Self-Debugging
25. UnhandledExceptionFilter
26. NtQueryObject
27. Anti-Dumping
28. Nanomites
29. Stolen Code (Stolen Bytes)
30. SizeOfImage
31. Virtual Machines
32. Guard Pages
33. Removing the PE Header
34. IA-32 Instruction Exploits
35. Interrupt 2D
36. Stack Segment
37. Instruction Prefixes
38. OllyDBG Specific
39. FindWindow
40. OutputDebugString Exploit
41. WinDBG Specific
42. FindWindow
43. Other Techniques
44. Junk Code
45. Native Code Permutations
46.  
47. ### ------------------------------------------------------------------------------------------------ ###
48. Introduction
49. In my previous article, I gave a short introduction into some Anti-Debugging/Debugger Detection techniques that primarily involved the use of Win32 API functions. In this article, I plan to travel a bit deeper into the interesting world of reverse engineering and explore some more intermediate level techniques for annoying reverse engineers. Some comments in my previous article noted that the techniques I presented could, and are most of the time, easily bypassed by intermediate level reversers; one statement I would like to make is that there is an ongoing battle between the coders who develop programs that protect against cracking and reverse engineering and the engineers themselves. Every time the protectors release a new technique, the engineers find a way around that specific method. This is the driving force behind the cracking "scene" and anti-reverse engineering fields. Most of the techniques here can easily be bypassed, and some of the others aren't as easily taken out of the picture; however, all of them can in one way, shape, or form be bypassed. I'm presenting these methods here to share the knowledge, and perhaps inspire others to find ways to apply these methods and utilize them in new and creative ways that challenge contemporary methodology.
50. ### ------------------------------------------------------------------------------------------------ ###
51. Background
52. Anyone who is interested in the field of reverse engineering needs a strong understanding of Assembly language, so if your ASM is a little rusty or if you're just beginning to learn, here are some sites that can assist:
53. ### ------------------------------------------------------------------------------------------------ ###
54. Introduction to Assembly Language
55. IA-32 Instruction Reference
56. Iczelion's Win32 Assembly Homepage
57. ### ------------------------------------------------------------------------------------------------ ###
58. Inline Functions
59. I didn't feel this side note required its own section; however, when reading this article or the attached source, one will notice the functions being marked inline. While this can cause bloat inside an executable, it is important in anti-reverse engineering. If there are very detailed function entries and sections, then the job for the reverse engineer just got much easier. Now, he or she knows exactly what is happening when that function is called. When in-lining, this doesn't happen, and the engineer is left guessing as to what is actually happening.
60. ### ------------------------------------------------------------------------------------------------ ###
61. Breakpoints
62. There are three types of breakpoints available to a reverse engineer: hardware, memory, and INT 3h breakpoints. Breakpoints are essential to a reverse engineer, and without them, live analysis of a module does him or her little good. Breakpoints allow for the stopping of execution of a program at any point where one is placed. By utilizing this, reverse engineers can put breakpoints in areas like Windows APIs, and can very easily find where a badboy message (a messagebox saying you entered a bad serial, for example) is coming from. In fact, this is probably the most utilized technique in cracking, the only competition would be a referenced text string search. This is why breakpoint checks are done over important APIs like MessageBox, VirtualAlloc, CreateDialog, and others that play an important role in the protecting user information process. The first example will cover the most common type of breakpoint which utilizes the INT 3h instruction.
63. ### ------------------------------------------------------------------------------------------------ ###
64. INT 3
65.  
66. INT 3h breakpoints are represented in in the IA-32 instruction set with the opcode CC (0xCC). This is the most common expression of this type of breakpoint; however, it can also be expressed as the byte sequence 0xCD 0x03 which can cause some troubles. Detecting this type of breakpoint is relatively simple, and some source would look like the following sample. However, we should be careful because using this method of scanning can lead to false positives.
67. READ MORE HERE: http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide