.586
.model flat,stdcall
option casemap:none

include \masm32\include\windows.inc

include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib

.data                                       ; initialised strings used by MessageBox
caption  db "DAEMON",0                      ; window title
normal    db "not debugged!",0              ; shown when the flag byte is zero
deb      db "u are debugging me :)",0       ; shown when the flag byte is non-zero


.Code

Main:
;int 1
         
      mov    eax,fs:[30h]        ; pointer to PEB
                                 ; NOTE(review): MASM rejects the fs: override unless the file
                                 ; contains "assume fs:nothing" -- this is the error the post asks about

      movzx  eax,byte ptr        ; NOTE(review): memory operand lost in extraction; presumably the
                                 ; PEB.BeingDebugged byte named later in the thread -- confirm
        or      al,al            ; ZF = (low byte == 0); only al is tested, not the zero-extended eax
        jz      normal_
        push    offset deb       ; NOTE(review): never popped -- still on the stack when ret executes
        jmp    out_


normal_: invoke MessageBox,0,addr normal,addr caption,NULL
                                 ; NOTE(review): falls straight through into out_, so both boxes appear
     
out_:  invoke MessageBox,0,addr deb,addr caption,NULL                 
       

        ret                      ; returns from the entry point; later replies use ExitProcess instead



     

End Main



The program doesn't compile, showing an error about the register... Could someone please help me out?
Posted on 2005-07-31 16:18:49 by shism2
assume fs:nothing

if you'd like to use fs
Posted on 2005-07-31 17:07:46 by JimmyClif
As JimmyClif said, the FS segment register is assumed to ERROR in MASM by default; just use the directive he posted. By the way, there is a large penalty for switching sizes in the Pentium family, as in your code...

movzx   eax,byte ptr             ; NOTE(review): memory operand lost in extraction (quoted from the first post)
or      al,al                    ; sets ZF from the low byte only, after the full register was zero-extended
jz      normal_
push    offset deb               ; never popped on this path
jmp    out_


Since you are zero-extending the byte into EAX anyway you can just use TEST EAX,EAX. Though OR EAX,EAX takes the same number of uOps, it has the disadvantage of performing a write after a read, which stalls the processor. Not a really important or significant thing in this case, as you are just using it to display a message box, but something to keep in mind.

movzx   eax,byte ptr             ; NOTE(review): memory operand lost in extraction, as in the quoted original
test    eax,eax                  ; full-register zero test in place of or al,al (no write to eax)
jz      normal_
push    offset deb               ; unchanged from the original: still left on the stack
jmp    out_


Also, there are ways to do the same algorithm without jumps, which are costly...

mov ecx, offset dep              ; NOTE(review): the .data section defines "deb", not "dep"
mov edx, offset normal           ; default message
movzx eax, byte ptr              ; NOTE(review): memory operand lost in extraction
test eax,eax
cmovz edx, ecx                   ; NOTE(review): selects ecx when eax == 0, i.e. on the not-debugged path --
                                 ; this looks inverted relative to the jz version quoted above; confirm.
                                 ; cmov also requires .686 (see the later reply about the CPU-mode error)
invoke MessageBox,0,EDX,addr caption,NULL
Posted on 2005-07-31 21:46:09 by donkey
.586
.model flat,stdcall
option casemap:none
assume fs:nothing                ; lets fs: be used as a segment override below
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib

.data                                       ; initialised strings used by MessageBox
caption  db "DAEMON",0                      ; window title
normal    db "not debugged!",0              ; shown when the flag byte is zero
deb      db "u are debugging me :)",0       ; shown when the flag byte is non-zero


.Code

Main:
;int 1
         
        mov    eax,fs:[30h]        ; pointer to PEB

      movzx  eax,byte ptr        ; NOTE(review): memory operand lost in extraction; presumably the
                                 ; PEB.BeingDebugged byte named later in the thread -- confirm
        or      al,al            ; ZF = (low byte == 0)
        jz      normal_
        push    offset deb       ; NOTE(review): nothing pops this, so on this path the ret below
                                 ; returns to the address of the string instead of to the caller
        jmp    out_


normal_: invoke MessageBox,0,addr normal,addr caption,NULL
                                 ; NOTE(review): falls straight through into out_ -- this is why
                                 ; both boxes appear on the zero path
   
out_:  invoke MessageBox,0,addr deb,addr caption,NULL               
     

        ret                      ; returns from the entry point; later replies use ExitProcess instead



   

End Main




This is the updated code... This checks whether a debugger is present and displays "no" or "yes" accordingly.



I tried using test eax,eax but both messages pop up. I also tried using the alternative to the jump code and it gave me an error about the registers not being valid in the current CPU mode.

I am a noob in asm right now... If you could fix the code, or if I have to change something, please tell me. Thanks a lot guys for the help so far though :)

Update: this displays both messages and I'm not sure why :(
Posted on 2005-07-31 22:03:35 by shism2
Hello shism2,

If your code jumps to the normal_: label it falls through and executes the next line. Put a ret after this line or jump over the next line.




best regards,

czDrillard
Posted on 2005-07-31 23:12:46 by czDrillard
It still executes the 2 messages, and now makes an error if I add the return
Posted on 2005-07-31 23:18:55 by shism2
Hello shism2,

Did you try the jump?

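; Show exactly one of the two boxes: normal_ jumps past out_ via the
; anonymous forward label @f (the "?" in the original were mis-encoded spaces).
normal_: invoke MessageBox,0,addr normal,addr caption,NULL
        jmp     @f                       ; skip the second box
out_:   invoke MessageBox,0,addr deb,addr caption,NULL
@@:


        ret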


By the way, what does the `push offset deb` instruction accomplish?

best regards,

czDrillard
Posted on 2005-07-31 23:38:30 by czDrillard
Still a lot of unnecessary jumps; the conditional moves are designed for this purpose. The best way to do this is still to write the code without any jumps at all; after all, the only thing that changes is the message offset in the MessageBox. I always try to reduce the number of jumps as much as possible; it keeps the code maintainable and readable. For legibility you might just want to use the .IF/.ENDIF directive in MASM, it generates essentially the exact same code, though personally I use GoAsm and do not use the high-level constructs at all (except Invoke).
Posted on 2005-08-01 00:32:29 by donkey
problem fixed



.586
.model flat,stdcall
option casemap:none
assume fs:nothing                ; lets fs: be used as a segment override below

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib

.data                                       ; initialised strings used by MessageBox
caption  db "DAEMON",0                      ; window title
normal    db "not debugged!",0              ; the only message this version can show
deb      db "u are debugging me :)",0       ; referenced from out_, which nothing reaches


.Code

Main:
;int 1
         
      mov    eax,fs:[30h]        ; pointer to PEB

      movzx  eax,byte ptr        ; NOTE(review): memory operand lost in extraction
      test    eax,eax            ; NOTE(review): result unused -- .if below emits its own compare

      .if eax = eax              ; NOTE(review): compares eax with itself (if the assembler accepts
                                 ; "=" here at all; the documented .if equality operator is ==), so the
                                 ; .else branch can never be taken and the program always just exits

Invoke ExitProcess,0
         

      .else
     
jmp normal_


.endif
   





normal_:  invoke MessageBox,0,addr normal , addr caption ,NULL
  ret                            ; stops the fall-through into out_ seen in the earlier version
out_:  invoke MessageBox,0,addr deb,addr caption,NULL   ; NOTE(review): no jump targets out_ any more




     
                       
     

End Main












This works, but if there is any other way to make it "faster" or what not, don't hesitate to tell me... Getting rid of the jumps is hard, I tried... I also tried your code, donkey.

Now how do I make this work... it gives me a syntax error.
Posted on 2005-08-01 01:48:59 by shism2

  assume fs:nothing              ; required before fs: can be used as a segment override

  mov  eax, fs:[30h]             ; pointer to PEB (as in the earlier listings)
  movzx eax, BYTE PTR            ; NOTE(review): memory operand lost in extraction; presumably the
                                 ; PEB.BeingDebugged byte named in drizz's reply -- confirm

  .IF eax                        ; non-zero -> "deb", zero -> "normal"; no explicit test needed
    mov eax, OFFSET deb
  .ELSE
    mov eax, OFFSET normal
  .ENDIF

  invoke MessageBox, NULL, eax, ADDR caption, NULL
  invoke ExitProcess, 0          ; explicit process exit instead of ret from the entry point


Note that if you move to a .686 (Pentium 2 or higher) you'll have access to the cmovXX instructions which could replace the whole .IF with a mov & cmov.

Mirno
Posted on 2005-08-01 05:12:51 by Mirno
Note that if you move to a .686 (Pentium 2 or higher) you'll have access to the cmovXX instructions which could replace the whole .IF with a mov & cmov.


why don't the compilers (VC++, Delphi) use this instruction then?
almost everybody uses a Pentium 2 or higher.
Posted on 2005-08-01 08:09:13 by Chambao
You'll use at least one more byte when you use the CMOV instruction in this case. Obviously, this is not a place where it matters how many nanoseconds you'll save.

The following is more like what anyone in their right mind would consider:

assume fs:nothing
mov eax,                         ; NOTE(review): operand lost in extraction (the PEB pointer load, cf. fs:[30h] in the other posts)
xor ecx,ecx                      ; ecx = 0: the compare value, and reused as MessageBox's hWnd and uType
cmp byte ptr ,cl                 ; NOTE(review): memory operand lost in extraction; compares the flag byte with 0
mov eax,offset normal            ; mov does not touch the flags set by cmp
jz notdebug
add eax,offset deb-offset normal ; eax = offset deb, as an assemble-time constant delta
notdebug:
invoke MessageBox,ecx,eax,addr caption,ecx
ret
Posted on 2005-08-01 15:03:41 by Sephiroth3

why the compilers (vc++, delphi) don't use this instruction then?
almost everybody uses pentium 2 or higher.

because it's a very problematic instruction.
For example:

invoke IsBadReadPtr,0F0000000h,100h
or eax,eax                       ; ZF set only when IsBadReadPtr returned 0 (range readable)
cmove eax,dword ptr[0F0000000h] ; BOOM ! -- the memory source is read before the condition is
                                 ; evaluated (see the pseudo-code below), so the unreadable address
                                 ; faults even when ZF is clear

this code is going to crash because the CMOVcc operation looks like this:

Operation
temp ← SRC
IF condition TRUE
THEN
DEST ← temp
FI;
Posted on 2005-08-01 15:07:24 by Criminal2
what about 9x support?

assume fs:nothing
start:
xor ebx,ebx ; Null -- reused for every NULL argument below
mov esi,fs: ; NT_TIB.Self/TIB.Self  -- NOTE(review): operand lost in extraction; esi = TIB pointer
mov edi, ; TEB.pPEB/TIB.pParentPDB  -- NOTE(review): operand lost in extraction; edi = PEB (NT) / PDB (9x) pointer
invoke GetVersion
xor edx,edx ; BOOL bDetected
.if eax < 80000000h ; if (dwVersion < 0x80000000) // Windows NT
mov dl, ; PEB.BeingDebugged  -- NOTE(review): operand lost in extraction
.else ; Windows 9x: OR three independent indicators into edx
or edx, ; TIB.DebugContext  -- NOTE(review): operand lost in extraction
mov ecx, ; PDB.flags  -- NOTE(review): operand lost in extraction
or edx, ; PDB.DebuggeeCB  -- NOTE(review): operand lost in extraction
and ecx,1 ; fDebugSingle
or edx,ecx
.endif
mov eax,offset deb? ? ; NOTE(review): trailing "?" are mis-encoded spaces
.if !edx ; if not bDetected
mov eax,offset normal
.endif
invoke MessageBox,ebx,eax,ebx,ebx ; title is NULL here (caption is not used)
invoke ExitProcess,ebx
end start
Posted on 2005-08-01 22:22:40 by drizz
Thanks a lot everyone, and thanks for that code drizz
Posted on 2005-08-02 08:56:01 by shism2


.586
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc

include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib



.data
strOllyClsName db "OLLYDBG",0     ; window class name passed to FindWindow
szOlly db "OLLYDBG.EXE",0         ; executable name compared against each process entry
caption? ?db "DAEMON",0           ; NOTE(review): "?" here and below are mis-encoded spaces;
normal? ? db "not debugged!",0    ; these three strings are unused in this version (no MessageBox call)
deb? ? ? ?db "u are debugging me :)",0



fwin dd ?                         ; NOTE(review): unused



.data?
PrE PROCESSENTRY32<>              ; filled by Process32First / Process32Next
temp dd ?                         ; Toolhelp snapshot handle (never closed; the process ends via ExitProcess)
ExitCode dd ?                     ; NOTE(review): unused
handle dd ?                       ; handle returned by OpenProcess



.code

Main:                             ; entry point named by "end Main"; start: below labels the same address








start:



? ? ? mov eax,sizeof PrE
? ? ? ?mov PrE.dwSize,eax         ; dwSize must be set before Process32First
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
mov temp,eax                      ; NOTE(review): an INVALID_HANDLE_VALUE result is not checked
invoke Process32First,eax,addr PrE ; NOTE(review): return value ignored

invoke FindWindow, ADDR strOllyClsName, NULL
? ? ? ? cmp eax, 00000000h        ; NOTE(review): redundant -- .if below emits its own compare
? ? ? ?
.if eax != 0                      ; window found -> continue with the PEB/TIB check

jmp Bad_Debugger



.else


Invoke ExitProcess,0              ; no window -> exit silently


.endif





Bugger_Bad:                       ; loop over the snapshot; only entered from the .else at the end

invoke lstrcmp,addr PrE.szExeFile,addr szOlly ; case-sensitive compare
.if eax==0
invoke OpenProcess,PROCESS_ALL_ACCESS,TRUE,PrE.th32ProcessID ; NOTE(review): bInheritHandle=TRUE serves no purpose here
mov handle,eax                    ; NOTE(review): a NULL handle is not checked

? ? ?
? invoke TerminateProcess,handle,0
? ?Invoke ExitProcess,0

? ? ? .else

? ? ? invoke Process32Next,temp,addr PrE ; NOTE(review): FALSE at end of list is not checked, so PrE keeps
                                  ; its last contents and the unconditional jmp below loops forever


? ? ? ? .endif
jmp Bugger_Bad? ? ?


Bad_Debugger:                     ; PEB / TIB check, taken from drizz's reply above


assume fs:nothing


xor ebx,ebx ; Null
mov esi,fs: ; NT_TIB.Self/TIB.Self  -- NOTE(review): operand lost in extraction
mov edi, ; TEB.pPEB/TIB.pParentPDB  -- NOTE(review): operand lost in extraction
invoke GetVersion
xor edx,edx ; BOOL bDetected

.if eax < 80000000h

; if (dwVersion < 0x80000000) // Windows NT
mov dl, ; PEB.BeingDebugged  -- NOTE(review): operand lost in extraction
.else
or edx, ; TIB.DebugContext  -- NOTE(review): operand lost in extraction
mov ecx, ; PDB.flags  -- NOTE(review): operand lost in extraction
or edx, ; PDB.DebuggeeCB  -- NOTE(review): operand lost in extraction
and ecx,1 ; fDebugSingle
or edx,ecx
.endif

.if ! edx ; if not bDetected
invoke ExitProcess,0


.else

jmp Bugger_Bad                    ; detected -> go and walk the process list

.endif








end Main



















That's my current code and it works pretty well... Does it matter what processor directive I use (.586)? I have an AMD 64 3400+.



Also, the current text in .data is pretty obvious... OllyDbg and OLLYDBG.exe.


I'm pretty sure I could figure it out in a while, but is there any way of concealing that text?


Say, a routine I could call to generate those strings and then check them?
Posted on 2005-08-02 09:33:03 by shism2