The "Prefetch Instruction Queue" idea
(A possible addendum to the "our protections" section)
by Camel Eater, 13 August 1997
Courtesy of Fravia's page
of reverse engineering
Well, an interesting idea. This trick has
been already used, though: it is one of the main "anti-debugger" measures
used by higher protections. Yet shareware programmers should take note:
it could let Micro$oft's "Steal-tank" eat dust! (They are not so good, when
it comes to tackle such tricks as we are :-)
Prefetch Instruction Queue or PIQ
This method could be used to fool any debugger, or at least
any process that executes one operation at a time. The PIQ
reads instructions in advance so that they are already in the
CPU when its time to execute them rather than executing an
instruction and then waiting for the next one.
The length of the PIQ was around only 4 or 6 in old computers,
but is much longer in newer ones.
What the protectionist could do is change the instruction after
itself into something unwishful. While debugging the instruction
will be modified before it is read, but when run normally, it will
be changed afterwards.
;Example program for Prefetch Instruction Queue Manipulation
;This example is a modification of a 'Hello world!' program...
;Program by Camel Eater
;Assemble with TASM
Ideal ; Ideal Mode
P386 ; 386 CPU
Model Tiny ; Model for *.COM files
DataSeg ; Data Segment
MSG DB "Hello world!$" ; Message to print if no debugger is
CodeSeg ; Code Segment
mov bx,offset BitToChange ; BX = address to change
mov dx,offset MSG ; offset of message
mov [bx+1],4c00h ; set to function 4ch
mov ax,0900h ; function to print text
int 21h ; interrupt
mov ax,4c00h ; exit program
If you are not using a debugger than writing 4c00h to
BitToChange+1 (mov [bx+1],4c00h) has no effect, as the part
being changed is already in the Prefetch Instruction Queue.
If the program is running inside a debugger, on the countrary,
it will change the line before it is loaded and so the program
will quit earlier as it should.
In the case of our program, if it will be run under a debugger
then it just quits back out to dos, otherwise it writes
'Hello World!', first.
Some Final Notes.
I dont know if this works at all in any Windoze, I've tested it
in DOS and it worked, under windoze it may suicide, but then...
it might not. Im not sure of how windows handles task swapping
and stuff like that, but it would probably still work.
Well that is all I wanted to write about the Prefetch Instruction
Queue. So goodbye for now,
(c) Camel Eater, 1997. All rights reserved
You are deep inside Fravia's page of reverse engineering,
choose your way out:
Is reverse engineering illegal?