How to detect breakpoints in C by tscube

1. What is breakpoint detection ?
=================================

How can a programmer know if his program is being debugged ? There are two ways to do that :

1) Check if a debugger (softice for example) is loaded in memory

The most used method is known as 'meltice', but you can read the Frogsice documentation to learn other methods to detect softice. The only trouble is that you can't know if your program is *really* being traced.

2) Check for breakpoints in your program's code

When you type 'BPX <address>' in softice, softice replaces the byte at <address> with the value 0xCC, which is the opcode of 'int 3'. Of course, you will never see this 'int 3' instruction while looking at the asm code in softice.

If you want proof that this 'int 3' exists, do this : put a 'BPX <address>' somewhere and use Icedump (or any other memory dumper) to dump a bunch of bytes, including of course the address where you put your BPX. Disassemble the dumped file and you'll see a big 'int 3' (or a 0xCC) in the middle of the dead listing.


2. How to detect breakpoints ?
==============================

If you want to prevent a part of your code from being BPXed, you just have to count the number of 0xCC bytes in this section : if you find one, then you know someone put a BPX somewhere. (This is not exactly true, but it helps in understanding the whole idea.)

3. Warning : 0xCC doesn't always mean there is an 'int 3' !
===========================================================

If you have a 'mov eax,CCh' in your protected code, you can easily guess it will introduce a 0xCC byte which is not an 'int 3'. That means you have TO KNOW how many 0xCC bytes will be present in your protected code before writing the breakpoint detection.

The algorithm works like this :


begin_0xCC_count_routine :
	Count number of 0xCC bytes present in protected code
	If number > 3 then MessageBox("fuck off") (there is at least a BPX in the code)
end_0xCC_count_routine :

begin_protected_code :
// let's assume there are 3 0xCC bytes in this code :
mov eax,CCh
mov eax,CCh
mov eax,CCh
end_protected_code :


4. How to know how many 0xCC bytes are present in my protected code ?
=====================================================================

That's a good question !

lazy man's solution :
---------------------

You can start by assuming there are no 0xCC bytes at all and write 'if number>0 then MessageBox("fuck off")'. If you run your proggy without setting breakpoints and you still see a "fuck off" MessageBox, then write 'if number>1 then MessageBox("fuck off")', and so on until it works correctly !

other solution :
----------------

Disassemble the proggy and count the number of 0xCC bytes in your protected code !

-> The included sources show you a little crackme that uses breakpoint detection to 'protect' the serial check routine. (bpx.zip).
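As an added example (not the crackme source from bpx.zip), here is the count-and-compare check from sections 2 to 4 written in C. It runs on a constructed byte array that stands in for the protected code; in a real program, start and end would be the addresses of labels bracketing the protected routine, and the expected count of 3 is the value you determine beforehand as section 4 describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the protected code of section 3: three
 * 'mov eax,0CCh' instructions (B8 CC 00 00 00) plus 'ret' -> three 0xCC bytes. */
static const uint8_t protected_code[] = {
    0xB8, 0xCC, 0x00, 0x00, 0x00,
    0xB8, 0xCC, 0x00, 0x00, 0x00,
    0xB8, 0xCC, 0x00, 0x00, 0x00,
    0xC3
};
#define PROTECTED_LEN (sizeof protected_code)
#define EXPECTED_CC 3   /* known beforehand, as section 4 explains */

/* Count the 0xCC bytes in [start, end). */
size_t count_cc(const uint8_t *start, const uint8_t *end)
{
    size_t n = 0;
    for (const uint8_t *p = start; p < end; p++)
        if (*p == 0xCC)
            n++;
    return n;
}

/* Returns 1 if the region holds more 0xCC bytes than it legitimately
 * should, i.e. a software breakpoint (int 3) has been written into it. */
int bpx_detected(const uint8_t *start, const uint8_t *end, size_t expected)
{
    return count_cc(start, end) > expected;
}

/* Simulate a BPX at the given offset: copy the region, overwrite that
 * byte with 0xCC the way the debugger does, and run the check on the copy. */
int check_with_bpx_at(size_t offset)
{
    uint8_t copy[PROTECTED_LEN];
    memcpy(copy, protected_code, PROTECTED_LEN);
    copy[offset] = 0xCC;
    return bpx_detected(copy, copy + PROTECTED_LEN, EXPECTED_CC);
}

int main(void)
{
    const uint8_t *end = protected_code + PROTECTED_LEN;
    printf("clean: %d, bpx on 2nd mov: %d\n",
           bpx_detected(protected_code, end, EXPECTED_CC), check_with_bpx_at(5));
    return 0;
}
```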

5. How to bypass BPX detection ?
================================

Very easy : use 'BPM <address> X' instead of 'BPX <address>' !

6. Conclusion
=============

Of course, DON'T SHOW a messagebox saying : 'hey, I've read TSCube's tutorial and I know you put a BPX in my code, lamer !'

Instead, crash the proggy, or put random values in the serial check arrays, or do whatever you want, but don't show that you know your proggy is being debugged.

I would put a simple 'meltice' at the loading of the proggy saying : "Please disable softice". Now if the cracker doesn't want to listen to this advice, that's HIS problem !

7. Final note
=============

Don't use this method in DLLs or with self-modifying code, unless you know what you're doing.


    ________     _______     _______
   /__   __/\   /  ____/\   /  ____/\
   \_/  /\_\/  /  /\___\/  /  /\___\/
    /  / /    /  /_/_     /  / / 
   /  / /    /____  /\   /  / /
  /  / /     \___/ / /  /  / /
 /  / /     ____/ / /  /  /_/_
/  / /     /_____/ /  /______/\
\__\/      \_____\/   \______\/ 29/04/2000

www.tscube.cjb.net

thx to : andox

-TSCube