<name title="Breakpoint detection in C" author="tscube">
<font ns>
<font name verdana height 22 color 1>
<center>How to detect breakpoints in C by tscube</center><br>

<font name verdana height 12 color 0>

1. What is breakpoint detection?<br>
================================<br>
<br>

How can a programmer know if his program is being debugged?
There are two ways to do that:<br>
<br>

1) Check if a debugger (softice for example) is loaded in memory<br>
<br>

The most widely used method is known as 'meltice', but you can read the Frogsice documentation to learn 
other methods of detecting softice. The only trouble is that this tells you a debugger is loaded, not
whether your program is *really* being traced.<br>
<br>

2) Check for breakpoints in your program's code<br>
<br>

When you type 'BPX <address>' in softice, softice replaces the byte at <address> with the value
0xCC, which is the opcode of 'int 3'. Of course, you will never see this 'int 3' instruction 
while looking at the asm code in softice (softice shows you the original byte instead).<br>
<br>

If you want proof that this 'int 3' exists, do this: put a 'BPX <address>' somewhere 
and use Icedump (or any other memory dumper) to dump a bunch of bytes, including of course the
address where you put your BPX. Disassemble the dumped file and you'll see a big 'int 3' (or a
0xCC byte) in the middle of the dead listing.<br>
<br><br>


2. How to detect breakpoints?<br>
=============================<br>
<br>

If you want to prevent a part of your code from being BPXed, you just have to count the number of 0xCC 
bytes in that section: if you find one, then you know someone put a BPX somewhere. (This is
not exactly true, as the next section explains, but it helps to understand the whole idea.) <br>
<br>

3. Warning: 0xCC doesn't always mean there is an 'int 3'!<br>
=========================================================<br>
<br>

If you have a 'mov eax,CCh' in your protected code, you can easily guess that it will introduce a
0xCC byte (in the immediate operand) which is not an 'int 3'. That means you have TO KNOW how many 0xCC 
bytes are present in your protected code before writing the breakpoint detection.<br>
<br>

The algorithm works like this:<br>
<br>

<pre><font name terminal height 12 color 3>
begin_0xCC_count_routine :
	Count number of 0xCC bytes present in protected code
	If number > 3 then MessageBox("fuck off") (there is at least one BPX in the code)
end_0xCC_count_routine :
</pre><font name verdana height 12 color 0><br>

begin_protected_code :<br>
// let's assume there are 3 0xCC bytes in this code:<br>
mov eax,CCh<br>
mov eax,CCh<br>
mov eax,CCh<br>
end_protected_code :<br>
<br><br>


4. How to know how many 0xCC bytes are present in my protected code?<br>
====================================================================<br>
<br>

That's a good question!<br>
<br>

lazy man's solution:<br>
--------------------<br>
<br>

You can start by assuming there are no 0xCC bytes at all and write:
'if number>0 then MessageBox("fuck off")'. If you run your proggy without
setting any breakpoints and you still see a "fuck off" MessageBox,
then write: 'if number>1 then MessageBox("fuck off")',
and so on until it works correctly!<br>
<br>

other solution:<br>
---------------<br>
<br>

Disassemble the proggy and count the number of 0xCC bytes in your protected code!<br>
<br>

-> The included sources (bpx.zip) show you a little crackme that uses breakpoint detection to 'protect' 
the serial check routine.<br>
<br>
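As an added example (not the author's bpx.zip sources), here are the counting routine of section 3 and the baseline check of section 4 written in plain C, run over a constructed copy of the protected code bytes instead of the program's own code; the names count_cc_bytes, bpx_detected, detect_bpx_at and EXPECTED_CC are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Count the 0xCC bytes in [code, code + len). 0xCC is the one-byte opcode
 * of 'int 3', the byte softice writes over an instruction when you BPX it. */
size_t count_cc_bytes(const uint8_t *code, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0xCC)
            n++;
    return n;
}

/* expected_cc is the number of 0xCC bytes the protected code legitimately
 * contains (established as in section 4). Any extra one is a BPX. */
int bpx_detected(const uint8_t *code, size_t len, size_t expected_cc)
{
    return count_cc_bytes(code, len) > expected_cc;
}

/* Constructed stand-in for the protected code of section 3:
 * three 'mov eax,CCh' (B8 CC 00 00 00 each) followed by 'ret' (C3).
 * The three 0xCC bytes are immediates, not breakpoints. */
static const uint8_t protected_code[] = {
    0xB8, 0xCC, 0x00, 0x00, 0x00,
    0xB8, 0xCC, 0x00, 0x00, 0x00,
    0xB8, 0xCC, 0x00, 0x00, 0x00,
    0xC3
};
#define EXPECTED_CC 3

/* Simulate what a BPX at the given instruction offset does to the bytes
 * (first byte of the instruction replaced by 0xCC) and report whether
 * the count check catches it. */
int detect_bpx_at(size_t offset)
{
    uint8_t copy[sizeof protected_code];
    memcpy(copy, protected_code, sizeof copy);
    copy[offset] = 0xCC;
    return bpx_detected(copy, sizeof copy, EXPECTED_CC);
}

int main(void)
{
    printf("clean code:     %s\n", bpx_detected(protected_code, sizeof protected_code, EXPECTED_CC) ? "BPX!" : "ok");
    printf("BPX on 2nd mov: %s\n", detect_bpx_at(5) ? "BPX!" : "ok");
    return 0;
}
```

Note that the check only sees bytes written into the code, so a hardware breakpoint (BPM, section 5) leaves the count unchanged.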


5. How to bypass BPX detection?<br>
===============================<br>
<br>

Very easy: use 'BPM <address> X' instead of 'BPX <address>'! A BPM is a hardware breakpoint set through the
x86 debug registers, so no 0xCC byte is written into your code and the count stays the same.<br>
<br>


6. Conclusion<br>
=============<br>
<br>

Of course, DON'T SHOW a messagebox saying: 'hey, I've read TSCube's tutorial and I know you put a 
BPX in my code, lamer!'.<br>
<br>

Instead, crash the proggy, or put random values in the serial check arrays, or do whatever 
you want, but don't show that you know your proggy is being debugged.<br>
<br>

I would put a simple 'meltice' check at the loading of the proggy saying: "Please disable softice".
Now if the cracker doesn't want to listen to this advice, that's HIS problem!<br>
<br>



7. Final note<br>
=============<br>
<br>

Don't use this method in DLLs or with self-modifying code, unless you know what you're doing.<br>
<br>

<pre><font name terminal height 12 color 0>
    ________     _______     _______
   /__   __/\   /  ____/\   /  ____/\
   \_/  /\_\/  /  /\___\/  /  /\___\/
    /  / /    /  /_/_     /  / / 
   /  / /    /____  /\   /  / /
  /  / /     \___/ / /  /  / /
 /  / /     ____/ / /  /  /_/_
/  / /     /_____/ /  /______/\
\__\/      \_____\/   \______\/ 29/04/2000
</pre><font name verdana height 12 color 0><br>

www.tscube.cjb.net<br>
<br>

thx to : andox<br>
<br>

-TSCube<br>
<br>
