Fighting Reverse Engineering of Software

 

Fighting Reverse Engineering of Software, Self Extracting/Modifying Code : How to?

csmanoj
post 5 Oct, 2008 - 08:10 PM
Post #1



The other day when I opened one of the programs on my computer, it said that I was running a debugger and the program won't open until I close it. I was surprised to know it found out*. I was curious about it, so I tried to put it through a disassembler. The disassembler said that the program was self extracting or self modifying so it's not really possible to disassemble the program accurately.

How is this done? How can I make my programs 'anti-crack' like this?

*I was debugging one of MY applications, when I had to open an IDE. It is this IDE software that said I had a debugger running. No harmful intentions here.

no2pencil
post 7 Oct, 2008 - 07:10 PM
Post #2



Let me see if I can dig up the discussion. I actually partook in a similar discussion on the alt.lang.asm newsgroup (with Randall Hyde) a few years ago.

** Edit **
Sorry, I can't find it. I do remember reading how it's able to detect the disassembler & then it runs tedious loops constantly, never allowing actual code to run.

Salv0
post 8 Oct, 2008 - 01:42 AM
Post #3



To do that, you can implement the necessary code to check if a debugger is active.
The most used method is using the IsDebuggerPresent() API call in kernel32.dll with some inline assembly protection code, but there are some ways to bypass this.

This post has been edited by Salv0: 8 Oct, 2008 - 01:45 AM
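
The IsDebuggerPresent() check named in Post #3, as an added example that is not part of the original post or any poster's code. The Windows branch calls the documented kernel32 API; the Linux branch (reading TracerPid from /proc/self/status) goes beyond the Windows case discussed in the thread, and the function names `tracer_pid_from_status` and `debugger_attached` are hypothetical.

```c
/* Added example: debugger-presence check. Windows uses the documented
   IsDebuggerPresent() from kernel32; the Linux branch is an assumption
   added here and reads TracerPid from /proc/self/status. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Return the TracerPid value found in /proc/<pid>/status text,
   or -1 if no such line exists. 0 means "not traced". */
long tracer_pid_from_status(const char *status)
{
    static const char key[] = "TracerPid:";
    const char *p = status;
    while ((p = strstr(p, key)) != NULL) {
        /* Only accept the key at the start of a line. */
        if (p == status || p[-1] == '\n')
            return strtol(p + sizeof key - 1, NULL, 10);
        p += sizeof key - 1;
    }
    return -1;
}

/* 1 if a debugger/tracer is attached to this process, else 0. */
int debugger_attached(void)
{
#ifdef _WIN32
    return IsDebuggerPresent() ? 1 : 0;
#else
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return 0;               /* cannot tell: treat as not attached */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) > 0;
#endif
}

int main(void)
{
    if (debugger_attached()) {
        fputs("Debugger detected, refusing to start.\n", stderr);
        return EXIT_FAILURE;
    }
    puts("No debugger attached, continuing.");
    return EXIT_SUCCESS;
}
```
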

WolfCoder
post 11 Oct, 2008 - 05:11 PM
Post #4



The endless army of hackers getting past GameGuard and plaguing MapleStory almost instantly even after it updates, to the point where a server-side measure had to be implemented, reminds me that I shouldn't bog the user's machine down with DRM and anti-reverse engineering systems.

dawmail333
post 14 Oct, 2008 - 04:26 AM
Post #5




QUOTE(WolfCoder @ 11 Oct, 2008 - 06:11 PM)

The endless army of hackers getting past GameGuard and plaguing MapleStory almost instantly even after it updates, to the point where a server-side measure had to be implemented, reminds me that I shouldn't bog the user's machine down with DRM and anti-reverse engineering systems.


Gah, stupid copy protection, I had to no-cd patch a game I legally own, just because it wouldn't open due to an error that said 'A required security module is missing.' The solution was to delete some registry entries (apparently it was to do with virtual CD drives), but now, I have no virtual CD drive software, and the registry keys don't exist, but it STILL won't work. The thing is, really advanced anti-debugging/anti-copying software just delays the inevitable crack, and annoys honest users more.

But for the original question, I've never heard of such things.

wingot
post 15 Oct, 2008 - 07:58 AM
Post #6



Hey,

I've seen some programs that detect if SoftICE and other debuggers are present. A more detailed example/explanation can be found at http://www.honeynet.org/papers/bots/botnet-code.html, but in short (specifically for SoftICE): "This method is used by a lot of crypters/compresors it uses INT 41, this interrupt is used by Windows debugging interface to detect if a debugger is present. Only works under Windows." The other methods are variations on this type of technique, doing something that is idiosyncratic to a specific debugger and seeing if anything happens that would indicate the debugger's involvement.

And in regards to implementing them in your code, you will need to work with assembler, so first you'll have to convert your IL to real machine code, which locks it down to a specific architecture and all the rest that goes with abandoning the .Net platform. It is probably possible to work with ASM in unsafe code within C# (C can do it), but not in a way that will be effective as an anti-crack method.

Of course, as dawmail333 has stated (and it is my opinion as well), anti-piracy implementations to date have done nothing to stop crackers (it only delays them mildly) but annoy rightful owners and cause people that have bought legitimate copies problems. This is probably even evident to you based on your own experience: you couldn't open your IDE (which you obtained legitimately) while a disassembler (that you were using completely legitimately) was running.

If you do insist on invasive copy protection though, the link in the first paragraph should be helpful.

If you are just looking at it from an academic point of view I highly recommend checking it out.

dawmail333
post 15 Oct, 2008 - 10:49 PM
Post #7




QUOTE(wingot @ 15 Oct, 2008 - 08:58 AM)

And in regards to implementing them in your code, you will need to work with assembler, so first you'll have to convert your IL to real machine code, which locks it down to a specific architecture and all the rest that goes with abandoning the .Net platform. It is probably possible to work with ASM in unsafe code within C# (C can do it), but not in a way that will be effective as an anti-crack method.


Um, a bit off topic, but how can you compile IL to machine code? http://www.gocosmos.org/ does it, but I'd like to know how. Even if just to make non-monoable software run on Linux through wine. Also, not requiring the .Net framework would be nice!