Handling INT 2D anti-debugger technique in IDA Pro

Question

I'm analyzing a PE file using IDA Pro that is using int 2Dh technique as anti debugging:

CODE:00455050 push    ebp
CODE:00455051 mov     ebp, esp
CODE:00455053 push    ecx
CODE:00455054 push    ebx
CODE:00455055 push    esi
CODE:00455056 push    edi
CODE:00455057 xor     eax, eax
CODE:00455059 push    ebp
CODE:0045505A push    offset loc_455076
CODE:0045505F push    dword ptr fs:[eax]
CODE:00455062 mov     fs:[eax], esp
CODE:00455065 int     2Dh             ; Windows NT - debugging services: eax = type
CODE:00455067 inc     eax
CODE:00455068 mov     [ebp+var_1], 1
CODE:0045506C xor     eax, eax
CODE:0045506E pop     edx
CODE:0045506F pop     ecx
CODE:00455070 pop     ecx
CODE:00455071 mov     fs:[eax], edx
CODE:00455074 jmp     short loc_455084

How should I config IDA Pro to handle this interrupt/exception in dynamic analyzing?
I'm Using the local win32 debugger

Answer 1

The code is expecting an exception to occur, which will happen in the absence of a debugger. If a debugger is present, the breakpoint exception will usually be suppressed by the debugger, and execution will continue at either 0x455067 or 0x455068, depending on the debugger.

You have two simple choices: one choice is that you could just let execution reach 0x455084 and then change var_1 back to zero (or whatever value that it had originally). What you don't want is for it to have the value of "1".

The other choice is to change the byte at 0x455065 from 0xCD to 0xFF (for example) and then let that execute. This sequence will cause an exception to occur, which is really what you want to happen (note that the exception code won't be correct, so you'll need to watch if the code checks for a 0x80000003, and take that code path). The execution will be transferred to the handler at 0x455076, at which point you can change the byte at 0x455065 back to 0xCD (in case the code is self-checking), and then resume debugging.