I don't really understand how to get around IsDebuggerPresent. I think I am supposed to find the registers used for debugging and then set it to 0 to trick IsDebuggerPresent, but I don't know how to do that. I tried searching around Google, and even tried a few solutions but it didn't really work for me. Could someone please explain to me how this should work and how I can bypass this?
Inject this code in your process:

This will patch the `PEB.BeingDebugged` flag, ensuring `IsDebuggerPresent` always returns `0`.
When using x64dbg you can run the `dbh` command.

If you want your application to never check it, do this: press Alt + e or open the Executable modules window, select `C:\WINDOWS\system32\kernel32.dll` and press ctrl + N, find `IsDebuggerPresent` and press enter. Press f2, then f8 until you come back to your code. Look for `TEST EAX,EAX` and after it something like `je`, `jnz`, etc. Be careful: the output of `IsDebuggerPresent` is saved in `EAX`. `nop` it, and if that doesn't happen, change it to `jmp`.
There are many ways to do it. As you said, it's possible to patch the program's thread block. Here is a tutorial on how to get around IsDebuggerPresent by simply patching this function so it always returns 0.

1) Locate IsDebuggerPresent

In my situation, it is at 7664EFF7 and consists of only three instructions + one RET. It reads the thread block (the address is at FS:18), then locates the byte that says "i am being debugged" and returns it. The return value is stored in EAX (as for most WINAPI functions). If I modify the function so that at the end it will have EAX = 0, I will have successfully bypassed IsDebuggerPresent.

2) Patch it

Now the easiest way to do it is to simply make the function do a `MOV EAX, 0` instruction and then a `RETN`:

Note that I also filled the rest of the function with NOPs to avoid changing the size of it. It probably is not necessary; you could also just do `MOV EAX, 0` and then just `RETN`.

Also you should know that the modification is only valid for one run of the program. When you restart it, it will load a new copy of kernel32.dll (where IsDebuggerPresent is located) with the original function, and you will have to apply the patch again. If you want to make the patch permanent, you need to modify the launching binary and modify/remove the call to this function. But before you do that, you also need to make sure that the binary doesn't check itself for modifications.