Use OllyDbg: Bypass detect debugger – IsDebuggerPresent – All things in moderation

Use OllyDbg: Bypass detect debugger – IsDebuggerPresent

When you want to debug a program that has an anti-debugging mechanism, what do you have to do to be able to continue?
In this post, we will solve that problem. Now let's go!
In this post, we will use a crackme written with RadASM. You can download it here.
Check crackme:
I use ExeInfoPE v0.0.3.5.

We can see that it is not packed and is written in assembly language. You can run the crackme to see more detailed information: go to Help -> About.

Load the crackme into OllyDbg (in this post I use OllyDbg v2.01):
File -> Open -> Choose crackme

Try running the crackme. In the main OllyDbg window, press F9 to run the program. The result:

As you can see, the crackme does not run; it terminates. Now restart OllyDbg and find out why we are being terminated.
A very popular and commonly used method of detecting a debugger is the IsDebuggerPresent API, so we will focus our suspicion on that function.
We will search the list of APIs that the crackme uses. Right-click and choose Search for > Name (or use Ctrl+N).

And result:

Right-click the IsDebuggerPresent API and select Find references (Ctrl+R):

Result:

So we know where the call to the IsDebuggerPresent API is placed. Proceed to place a BP (breakpoint) on IsDebuggerPresent, using the CommandBar plugin.

Run the crackme by pressing F9; Olly will break here:

Continue pressing F8 and we will be here:

For more information on the IsDebuggerPresent API, we will use the Microsoft® Win32® Programmer's Reference library.
To view information about this API, we first configure the path to the Win32.hlp file:
Option -> Option… -> Directories -> Location of API help file

To see the information for a function, do the following:
Right-click and select Help on API function.

Result:

Click Display:

Read all the information above and you will understand more about how IsDebuggerPresent works. It is a function exported from Kernel32.dll, used to indicate whether the program is being debugged by a debugger. If it is being debugged, the function returns a nonzero value; otherwise the return value is zero. Let Olly execute this API and stop at the RETN instruction by pressing Ctrl+F9:

Result:

You can see that the contents of the EAX register have changed by looking at the registers window.

With EAX equal to 1, the crackme has confirmed that it is being debugged by a debugger. As explained earlier, if you set the EAX value to 0, the crackme can be debugged and will not terminate. I will try it.

Change done. Press F9 to execute.

The program executed normally and did not terminate. To find out more, restart Olly, then run the program until Olly breaks and stops at the MOV instruction that loads the value into the EAX register:

Press F8 to step to the RETN instruction, the position where the EAX register value changes. Observe the EAX register:

After stopping at RETN, the value of EAX equals 1. Continue pressing F8 to return to the main code of the crackme:

The purpose of the OR here is to check whether EAX is 0 or 1. Because the EAX register is set to 1, the result of this OR will be 1 and the ZF flag will be 0. When the ZF flag has the value 0, the JZ jump instruction below is not taken:

When the above JZ is not taken, the JMP instruction below is executed.

What is the PostQuitMessage function? We need more information about it.

This function posts a WM_QUIT message to request termination. Press F8 to execute the JMP instruction and trace to the code that prepares the call to this function, so we can observe it:

You can see the ExitProcess function being called.

If we continue, the program will terminate. That is the problem. Do you understand? We will modify the code so that the JMP instruction is not executed.

I can edit this JZ to JNZ or to JMP. In this post, we will edit JZ to JMP. 😀

After the patch is complete, you can save it to another file. Then press F9 to check whether the patch is successful:

So I have finished the tutorial. As you can see in this article, I have introduced two ways to bypass the debugger detection:
1. Edit the value of EAX to 0 (we have to do this every time we debug).
2. Patch JZ into JMP (or JNZ) and save as a new file (done only once).
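The ZF/JZ logic and the two bypasses above, as an added C example that is not part of the original post. The instruction bytes are a constructed stand-in for the sequence OllyDbg shows after the call, not bytes dumped from the RadASM crackme, and the offsets (rel8, rel32, import address) are placeholders:

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample of the check sequence the post steps through in
 * OllyDbg (assumed layout, not bytes dumped from the RadASM crackme):
 *   FF 15 imm32  call dword ptr [IsDebuggerPresent]
 *   09 C0        or  eax, eax
 *   74 rel8      jz  run_normally
 *   E9 rel32     jmp quit_path (PostQuitMessage / ExitProcess) */
static uint8_t check_stub[] = {
    0xFF, 0x15, 0x00, 0x00, 0x00, 0x00,  /* call [import] */
    0x09, 0xC0,                          /* or eax, eax   */
    0x74, 0x05,                          /* jz  +5        */
    0xE9, 0x20, 0x00, 0x00, 0x00,        /* jmp quit path */
};

/* Flag logic from the post: OR EAX,EAX sets ZF only when EAX is 0, and JZ
 * is taken only when ZF is set. Returns 1 if execution reaches the normal
 * path, 0 if it falls through to the JMP toward the quit path. */
int runs_normally(uint32_t eax, uint8_t jcc_opcode) {
    int zf = (eax | eax) == 0;
    switch (jcc_opcode) {
    case 0x74: return zf;    /* JZ : taken only if ZF == 1 */
    case 0x75: return !zf;   /* JNZ: taken only if ZF == 0 */
    case 0xEB: return 1;     /* JMP: always taken          */
    default:   return 0;
    }
}

/* Bypass 2 as a byte patch: locate "OR EAX,EAX ; JZ rel8" (09 C0 or 0B C0
 * followed by 74) and rewrite the JZ opcode to new_opcode (0xEB = JMP,
 * 0x75 = JNZ). Returns the offset of the patched opcode, or -1. */
long patch_jz_after_or(uint8_t *code, size_t len, uint8_t new_opcode) {
    for (size_t i = 0; i + 2 < len; i++) {
        int is_or = (code[i] == 0x09 || code[i] == 0x0B) && code[i + 1] == 0xC0;
        if (is_or && code[i + 2] == 0x74) {
            code[i + 2] = new_opcode;
            return (long)(i + 2);
        }
    }
    return -1;
}

int main(void) {
    printf("unpatched, EAX=1 (debugger seen): %d\n", runs_normally(1, 0x74));
    printf("bypass 1, EAX forced to 0:        %d\n", runs_normally(0, 0x74));
    long off = patch_jz_after_or(check_stub, sizeof check_stub, 0xEB);
    printf("bypass 2, JZ->JMP at offset %ld:  %d\n", off,
           off >= 0 ? runs_normally(1, check_stub[off]) : 0);
    return 0;
}
```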

There is an easier way than all of that: use a plugin to bypass the check. I will cover how the plugin works in another post.
Thank you for reading my post. Please leave your comments in the comments section so that the article can get better.
