HASP Protection
Hello,
i am not well versed in anti-debugging techniques and i have an application i am trying to get working that is protected by a usb hasp key. i have a license and a key, but no matter what i do the damn thing detects a debugger even when they are not running. i have no issue with requiring the hardware key, but the anti-debugger checks are annoying to the point it has recently BSOD the computer while i was working. Of course the company won't remove the protection, their solution being to run the application on a secondary machine accessing things remotely, which i am doing for the moment. But the damn thing is a library i am programming with so testing everything remotely is just a pain at times. i have been looking into the application in hopes of finding the main entry point past the anti debugger checks, but this thing seems to use every anti-debugging trick i have been able to search for on the internet, and also inspects the starting bytes of imported functions to check for 0xCC and other common patches. So far i have not been able to get it to not detect that visual studio is present, much less the more advanced ida.
Almost all functions are manually accessed through GetModuleHandle and GetProcAddress calls.
IsDebuggerPresent
NtQuerySystemInformation
CloseHandle
GlobalFree
CreateToolHelp32Snapshot
...And i don't know how many other methods are being used. i am just trying to find information on getting around these. It doesn't help that the program code is swizzled all to hell with "self-modifying" jumps, etc, so i can't even determine which anti debugging technique is actually being successful.
Do you know of anything that might help me in this area? Or am i just doomed to have their tech support on speed dial (not that that helps since they are in an entirely different time-zone!!...arg!)?
Thanks in advance.
HASP Protection
You have to be aware that I cannot help you in "cracking" a protection/application. On the other hand, IDAStealth cannot deal with anti-debugging measures implemented at kernel level since it (mostly) consists of a user mode components. You should probably reverse the driver used by HASP and spot the kernel mode anti-debugging mechanism and start from there.
Btw: IDAStealth should work even if anti-debugging APIs are accessed indirectly via GetProcAddress.
my apologies if i worded
my apologies if i worded things incorrectly. i was merely more interested in the method of detecting the anti-debugging measures implemented. Although i am not sure, i can speculate that Aladdin is most thorough in their checks and as such could quite possibly be doing non-user mode checks. Oh well. i really hate some of the methods used. Wouldn't be so bad if it was just checking whether or not its application was being debugged, and not just that one was present. Probably doesn't even effect the ones who are skilled enough to circumvent this stuff, whereas i have to sit here and deal with random application exits and the inability to even properly run the damn thing even though red the light on my usb key is staring back at me. Well i guess that's a rant for another day. Guess i will have to wait and see if their programmers are up to the task of solving the issue, heh.
Though i will probably still continue to look into this information anyway, as this appears to be very interesting stuff.
Thanks anyway.