;
; anti-dumping is REALLY one of the most needed functions to prevent
; applications being cracked by those crackers out there today!
;
; this program here is *PRETTY* good, but everything can be defeated
; @ least this will stop most crackers :)
;
;
; muzic: pascal feos - live @ hessentage 2k1
; coder: daemon
; lang : assembler
; os   : w9x ONLY!
;
;-----------------------------------------------------------------------
; Overview (MASM, 32-bit flat model, stdcall Win32 imports)
;
;   1. Main resolves kernel32!ReadProcessMemory via LoadLibraryA /
;      GetProcAddress and records kernel32's image base + 0400h in save_k3.
;   2. Main reads the IDT base with SIDT, points the int 5 gate at `setup`,
;      executes `int 5` so that `setup` runs at ring 0, then restores the
;      gate.  `setup` saves the first 5 bytes of ReadProcessMemory into
;      `buffer`, overwrites them with `jmp rel32` to [save_k3], and copies
;      api_hook_start..api_hook_end to [save_k3].
;   3. The copied body zeroes the lpBuffer argument of any
;      ReadProcessMemory call whose nSize is exactly 05000h, re-executes
;      the 5 saved bytes and returns to ReadProcessMemory + 5.
;   4. The same int 5 sequence runs `remove`, which puts the 5 bytes back.
;
; Assumptions the code never checks (all specific to the w9x target):
;   - the IDT page is writable from ring 3; on NT-family Windows the IDT
;     is kernel-only memory and the first `mov [edx-4],di` faults;
;   - kernel32 base + 0400h is unused slack, writable at ring 0, and mapped
;     at the same address in every process that calls the patched function;
;   - the first 5 bytes of ReadProcessMemory are whole, position-independent
;     instructions that may be re-executed from inside `buffer`;
;   - DF = 0 on entry to `setup` / `remove` (required by `repz movsb`);
;   - nothing else is executing inside those 5 bytes while they are patched.
; Consequences: if kernel32 is mapped shared, both patches are system-wide.
; The detour body is self-contained (return_to is patched before the copy),
; so it keeps working, and is never removed, if this process dies before
; `remove` runs.  Only reads of exactly 05000h bytes are affected; any
; other nSize passes through untouched.
;-----------------------------------------------------------------------

.586p
.Model Flat

extrn ExitProcess : PROC
extrn MessageBoxA : PROC
extrn LoadLibraryA : PROC
extrn GetProcAddress : PROC

.Data

caption db "DAEMON - ANTI DUMPING",0
text db "now please feel free to dump me :) via procdump, peditor or any other memory dumper",0
text2 db "hooking kernel32!readprocessmemory",0
text3 db "hooked successfully!",0
text5 db "removed api hook - exit now - have a break, have a kitkat!",0
kern32 db "kernel32.dll",0
read_1 db "ReadProcessMemory",0

save_cs dd ? ; save codesegment (declared but never referenced below)
read_ad dd ? ; save readprocessmemory address here
save_k3 dd ? ; save kernel_base (holds kernel32 base + 0400h, see Main)

.Code

;-----------------------------------------------------------------------
; api_hook_start .. api_hook_end : the detour body.
; `setup` copies this range verbatim to [save_k3], and the jmp patched
; into ReadProcessMemory lands on the copy, so the body must stay
; position-independent: the only branch is the short `jnz`, and the
; `push`/`ret` pair uses the absolute value written into return_to.
; Stack on entry (stdcall frame of ReadProcessMemory, after pushad):
;   [esp+20h] return address    [esp+24h] hProcess   [esp+28h] lpBaseAddress
;   [esp+2Ch] lpBuffer          [esp+30h] nSize      [esp+34h] lpNumberOfBytesRead
;-----------------------------------------------------------------------
api_hook_start:
        pushad
; check the size of the process to read now!
; [esp+30h] = nSize; only a request for exactly 05000h bytes is blocked
        cmp dword ptr [esp+020h+010h],05000h
        jnz let_it_be_read
;mov dword ptr [esp+020h+010h],0h ; set size to dump to 0!
; [esp+2Ch] is the 3rd argument (lpBuffer), not lpBaseAddress; zeroing it
; makes the real ReadProcessMemory fail, which is the intended "returns 0"
        mov dword ptr [esp+020h+010h-04h],0h ; kill the base - read process memory returns 0
let_it_be_read:
        popad
; the 5 original bytes of ReadProcessMemory are stored here by `setup` and
; executed in place of the ones overwritten by the jmp
buffer db 5h dup (00h)
        db 068h ; push xxxxxxxx
; store rva where we are going to return
; (actually a full VA: ReadProcessMemory + 5, written by `setup` before the copy)
return_to dd ?
        ret ; and return
api_hook_end:

;-----------------------------------------------------------------------
; Main : entry point.  Register roles during the two int 5 sequences:
;   eax = ReadProcessMemory address, consumed by `setup`; nothing may
;         clobber eax between GetProcAddress and the first `int 5`
;   edx = address of the high dword of IDT gate 5
;   ebx = original 32-bit gate offset, rebuilt from both halves
;   edi = replacement gate offset (`setup`, then `remove`)
; Both `jz fatal_exit` paths run before anything has been patched.
;-----------------------------------------------------------------------
Main:
start:
        push 0
        push offset caption
        push offset text2
        push 0
        call MessageBoxA

        push offset kern32
        call LoadLibraryA
        test eax,eax
        jz fatal_exit
        mov save_k3,eax
        add dword ptr [save_k3],0400h ; detour body is copied to kernel32 base + 0400h (assumed unused; not verified)

        push offset read_1
        push eax
        call GetProcAddress
        test eax,eax
        jz fatal_exit
        mov read_ad,eax

; --- install: run `setup` at ring 0 through a temporarily redirected int 5 gate
        push edx
        sidt [esp-2] ; 6-byte IDTR lands on esp-2..esp+3; the pushed slot now holds the IDT base
        pop edx ; edx = IDT linear base
        add edx,5*8+4 ; high dword of gate 5 (offset bits 31..16 in its top word)
        mov ebx,[edx]
        mov bx,word ptr [edx-4] ; ebx = original handler offset (hi:lo)
        lea edi,setup
        mov [edx-4],di ; offset bits 15..0
        ror edi,16
        mov [edx+2],di ; offset bits 31..16
        push ds
        push es
        int 5 ; -> setup at ring 0, returns via iret
        pop es
        pop ds
        mov [edx-4],bx ; restore the original gate
        ror ebx,16
        mov [edx+2],bx

        push 0
        push offset caption
        push offset text3
        push 0
        call MessageBoxA

        push 0
        push offset caption
        push offset text
        push 0
        call MessageBoxA

; --- uninstall: same gate redirection, this time running `remove` at ring 0
        push edx
        sidt [esp-2]
        pop edx
        add edx,5*8+4
        mov ebx,[edx]
        mov bx,word ptr [edx-4]
        lea edi,remove
        mov [edx-4],di
        ror edi,16
        mov [edx+2],di
        push ds
        push es
        int 5
        pop es
        pop ds
        mov [edx-4],bx
        ror ebx,16
        mov [edx+2],bx

        push 0
        push offset caption
        push offset text5
        push 0
        call MessageBoxA

fatal_exit:
        call ExitProcess ; no exit code is pushed: whatever sits at [esp+4] becomes uExitCode

;============================================
;
; CODE TO INSTALL THE API HOOK
;
; code runs @ ring 0
;
; In:  eax     = ReadProcessMemory address (left in eax by Main)
;      save_k3 = destination for the copied detour body
; Out: buffer    = original first 5 bytes of ReadProcessMemory
;      return_to = ReadProcessMemory + 5
;      ReadProcessMemory now begins with jmp rel32 -> [save_k3]
; Registers are preserved (pushad/popad).  The writes into kernel32
; code and into this image's .Code succeed only because this runs at
; ring 0 via the int 5 gate.
;============================================
setup:
        pushad
        mov ecx,05h
        mov edi,offset buffer
        mov esi,eax
        repz movsb ; buffer = first 5 bytes of ReadProcessMemory (assumes DF = 0)
        mov edi,eax
        mov eax,save_k3
        sub eax,edi
        sub eax,05h ; rel32 = target - (source + 5)
        mov byte ptr [edi],0e9h ; jmp rel32 opcode
        add edi,01
        mov dword ptr [edi],eax
        add edi,04h
        mov return_to,edi ; edi = ReadProcessMemory + 5
        mov ecx,offset api_hook_end - offset api_hook_start
        mov edi,save_k3
        mov esi,offset api_hook_start
        repz movsb ; copy the detour body (with the patched return_to) to [save_k3]
        popad
        iret

;============================================
;
; REMOVE THE API HOOK
;
; Runs @ ring 0 like `setup`; restores the 5 saved bytes at read_ad.
; The body copied to [save_k3] is left in place; it is no longer reached
; through ReadProcessMemory once the jmp is gone.  Nothing synchronizes
; with a caller that may be executing inside the patched bytes.
;============================================
remove:
        pushad
        mov edi,read_ad
        mov ecx,05h
        mov esi,offset buffer
        repz movsb ; assumes DF = 0
        popad
        iret

End Main ;End of code, Main is the entrypoint