echo "0xHat Security"

This is Part 3 of the Anti Reverse Engineering Mechanism Series. Here we will discuss about FindWindow API and how we can bypass the check. https://msdn.microsoft.com/en-us/library/windows/desktop/ms633499(v=vs.85).aspx This function retrieves the top window level handle whose classname and window name match any specified string. So if the name matches it returns a handle, else it returns null. There is a tool called WinLister which you can find out the ClassName, Handler , Location , etc. So if you have Ollydbg already running this is what you would see So if I would start Immunity Debugger and IDA Pro , this is what you would see as well .. So the code to detect these we can write a code like this which tells if there is a debugger attached or not Now let us have a look behind the scene by loading in OllyDdb. At first we will investigate what is going inside the FindWindowAPI , so let us step inside the function call Next we will do investigation insi

This Part 2 of the Anti Reverse Engineering Mechanism Series. Here we will discuss about CheckRemoteDebuggerPresent API and how we can bypass the check. Let us have a look at the implementation So checkRemoteDebuggerAPI return a Non Zero Value if successful else it returns a Zero if no debugger detected. if(IsDbgPresent) => True => Non Zero Value => Debugger Found! if(IsDbgPresent) => False=> Zero => No Debugger Found! So to bypass this we need to do the following 1. Give a breakpoint at CheckRemoteDebuggerPresent 2. Now we will step inside the code of CheckRemoteDebuggerApi 3. Now we will change instruction at 23. We will convert the CMP instruction to MOV instruction. I will explain it later why I will change it. Please note while we are doing this change the EAX value is 0 because in line 22 we are doing a XOR EAX, EAX, So here is the modification. OLD =   7C85AB26 3945 08 CMP DWORD PTR SS : [ EBP + 8 ], EAX NEW =  7C85AB26

It is possible to understand the workflow and behaviour of the application by using a hooking the application to a debugger. To ensure that someone cannot perform these kind of activities anti-reverse engineering mechanism are being used. In these series of blog posts we will see what are the various kinds of anti reverse engineering mechanism that are available and how we can bypass those mechanism and patch those applications. IsDebuggerPresent() This function is used to check if a debugger is attached to a current process that is running. Lets see a simple code that can be used to implement this api call. So if you run this code without any debugger attached it would return a value 0  and if you attach a debugger to executable and use it , then it would return 1. Let us load the process in our Debugger and find how the code works internally Now we will examine the disassembled code of the API call IsDebuggerPresent() So what is basically happening o