Codegate 2011 CTF – Binary200 – Anti Debugging Techniques Explained


Introduction:

Aloha,
Again I stumbled upon a nice reverse-me, binary200 from the Codegate 2011 CTF.
And again there are some really interesting anti-debugging tricks implemented, so I decided to produce another video.
The instruction was just "reverse me", which means there should be a key or a flag somewhere in that binary, right?

Let’s check it out…

Thanks to Codegate and to the creators of the CTF for such a nice challenge!
CODEGATE has been an annual IT security festival in Seoul since 2008 and is already one of the biggest IT security events.
http://www.codegate.org/Eng/


Notes :

  • My system was a Windows XP SP3 box, so the addresses shown here may differ from the addresses on your box
  • I named the binary a2.exe
  • Always use a virtual machine when you reverse an unknown binary (you’ll see in a minute why)
  • At the time of producing this video the binary was available here: http://bit.ly/hapL14 / http://bit.ly/eeFMyz / http://bit.ly/hKHjfv


Video :


You can view a full screen version here, and you can download the movie here.


Summary:

Anti-Debugging techniques:

  1. TLS callback:  !bpxep -tls
    Debugging options –> Make first pause at: –> System breakpoint
  2. Check from PEB if Debugger is attached
  3. PEB!NtGlobalFlags
  4. NtQueryInformationProcess
  5. Create new SEH followed by the int 2D anti-debugging technique
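The five checks above can be spotted without running the binary at all. The script below is an added example, not code from the Corelan post or from the challenge: it scans raw file bytes for the textbook x86 encodings of the PEB fetch (`mov eax, fs:[30h]`), the `BeingDebugged` read, the `NtGlobalFlag` test and `int 2Dh`, looks for the `NtQueryInformationProcess` name, and parses the PE optional header for a TLS directory (the usual home of a TLS callback). The byte patterns and PE layout are standard; the sample PE and the code stub it carries are constructed for the demonstration and are not a2.exe.

```python
"""Static triage for the anti-debugging indicators listed in the summary.

Added example, not part of the original post. Works on raw file bytes only,
so nothing is executed. The sample PE below is constructed, not a2.exe.
"""
import struct

# Assumption: 32-bit code compiled the "textbook" way. The same instructions
# have other encodings, so a miss is not proof of absence.
INDICATORS = {
    "PEB fetch (mov eax, fs:[30h])": bytes.fromhex("64A130000000"),
    "PEB.BeingDebugged read (movzx eax, byte ptr [eax+2])": bytes.fromhex("0FB64002"),
    "PEB.NtGlobalFlag test (test byte ptr [eax+68h], 70h)": bytes.fromhex("F6406870"),
    "INT 2D debugger detection (int 2Dh)": bytes.fromhex("CD2D"),
}
API_STRINGS = [b"NtQueryInformationProcess"]


def has_tls_directory(data: bytes) -> bool:
    """True if the PE optional header carries a non-empty TLS directory (index 9)."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 4 + 20                      # skip signature and COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32: directories start at +96
        dirs = opt + 96
    elif magic == 0x20B:                         # PE32+: directories start at +112
        dirs = opt + 112
    else:
        return False
    count = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
    if count <= 9:
        return False
    rva, size = struct.unpack_from("<II", data, dirs + 9 * 8)
    return rva != 0 and size != 0


def scan(data: bytes) -> dict:
    """Map each indicator found to its file offset (None for header-level findings)."""
    hits = {}
    for name, pattern in INDICATORS.items():
        off = data.find(pattern)
        if off != -1:
            hits[name] = off
    for api in API_STRINGS:
        off = data.find(api)
        if off != -1:
            hits[api.decode() + " referenced"] = off
    if has_tls_directory(data):
        hits["TLS directory present (TLS callback possible)"] = None
    return hits


def build_sample_pe(code: bytes, tls: bool) -> bytes:
    """Constructed minimal PE32 image: DOS header, PE signature, COFF + optional header, then code."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # Machine=i386, 0 sections, SizeOfOptionalHeader=224, Characteristics=EXE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    entries = [(0, 0)] * 16
    if tls:
        entries[9] = (0x3000, 24)                # constructed RVA/size for the TLS directory
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in entries)
    return dos + b"PE\0\0" + coff + opt + code


# Constructed code stub containing the sequences named above.
SAMPLE_CODE = (
    bytes.fromhex("64A130000000")   # mov eax, fs:[30h]
    + bytes.fromhex("0FB64002")     # movzx eax, byte ptr [eax+2]
    + bytes.fromhex("64A130000000") # mov eax, fs:[30h]
    + bytes.fromhex("F6406870")     # test byte ptr [eax+68h], 70h
    + bytes.fromhex("CD2D")         # int 2Dh
    + b"NtQueryInformationProcess\0"
)

if __name__ == "__main__":
    for name, off in scan(build_sample_pe(SAMPLE_CODE, tls=True)).items():
        print(f"{name:55s} {'' if off is None else hex(off)}")
```

Treat the output as a triage hint, not a verdict: a TLS directory is legitimate in plenty of binaries, and a compiler may emit `mov eax, fs:[30h]` with a different encoding, which is why the dynamic route in the video (`!bpxep -tls`, first pause at the system breakpoint) remains the way to confirm what the callback actually does.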

Date check

The binary checks the current date: it must be Sat Feb 26 2005


Links:

[1] http://www.symantec.com/connect/articles/windows-anti-debug-reference
[2] http://www.data0.net/?p=183
[3] http://www.cyberciti.biz/faq/convert-epoch-seconds-to-the-current-time-date/
[4] http://isc.sans.edu/diary.html?storyid=6655
[5] http://www.openrce.org/reference_library/anti_reversing_view/34/INT%202D%20Debugger%20Detection/
[6] http://www.perturb.org/display/Linux_date.html
[7] http://www.cyberciti.biz/faq/convert-epoch-seconds-to-the-current-time-date/
[8] http://msdn.microsoft.com/en-us/library/ms687420(VS.85).aspx
[9] http://jsimlo.sk/docs/cpu/index.php/setz.html


© Corelan Consulting BV. All rights reserved. ​The contents of this page may not be reproduced, redistributed, or republished, in whole or in part, for commercial or non-commercial purposes without prior written permission. See the Terms of Use and Privacy Policy for details.
