Anti-debugging tricks revealed – Defcon CTF Qualifications 2009: Bin300 Analysis

Corelan Team (fancy) February 27, 2011
This article has 8,587 views

Introduction

A while ago I stumbled upon an awesome write-up of a very nice CTF challenge created by sapheads:
http://hackerschool.org/DefconCTF/17/B300.html

I love cartoons, and I love reversing, so I decided to play a little bit with that binary (b300.exe) which was a lot of fun.

Because some interesting anti-debugging tricks were implemented into the binary, I decided to make a short video about the reversing process.

First of all, thanks to KorUPt and Sapheads (http://www.sapheads.org) for the awesome cartoon.
At the time of creating this video, the binary and KOrUPt’s write-up are available here:
http://www.rohitab.com/discuss/index.php?app=core&module=attach&section=attach&attach_id=2736

Finally, thanks to Defcon and DDTek for this great challenge !

Enjoy!

 

Video

You can view a full screen version here

You can download the movie here



Similar/Related posts:

Default ThumbnailHappy New Year – here’s my special gift to you, corelanc0d3r Default ThumbnailWhy Vista 32bit doesn’t use more than 3Gb of memory, even if you have more RAM installed Default ThumbnailStr0ke R.I.P. (or alive & kicking ?) Default ThumbnailCorelan T-Shirt contest – Derbycon 2012 Default ThumbnailOffensive Security Exploit Weekend

Tags:

, , , , ,

© Corelan Consulting BV. All rights reserved. ​The contents of this page may not be reproduced, redistributed, or republished, in whole or in part, for commercial or non-commercial purposes without prior written permission. See the Terms of Use and Privacy Policy for details.

3 thoughts on “Anti-debugging tricks revealed – Defcon CTF Qualifications 2009: Bin300 Analysis”

  1. Nice…I learned of a few new anti-debug techniques. Doesn’t Immunity’s !hidedebug option patch for these?

    1. Nice, thanks.
      Unfortunately hidedebug doesn’t help here.

      1. int3 : it is the debuggers way to set software breakpoints, so it’s a legitimate code. The debugger cannot determine if it is meant for sth. else – the debugger always thinks it’s a software breakpoint.

      2. int 2D: since its exception value is used later to form the start address of the execption handler, there’s no way for patching too. For OllyDbg there is a plugin called StrongOD which claims to “correctly handle the instructions int 2d” but I’m not aware of if it can help in this case. I would say

  2. Ok good to know…I’ll have to study this more closely in case I run into it in the field.

    Thanks again.

Comments are closed.