Codegate 2011 CTF – Binary200 – Anti Debugging Techniques Explained
Introduction:
Aloha,
Again I stumbled upon a nice reverse-me, binary200 from the Codegate 2011 CTF.
And again there are some really interesting anti-debugging tricks implemented, so I decided to produce another video.
The instruction was just "reverse me", which means there should be a key or a flag somewhere in that binary, right?
Let’s check it out…
Thanks to Codegate and to the creators of the CTF for such a nice challenge!
CODEGATE is an annual IT Security Festival in Seoul since 2008 and it is already one of the biggest IT security events.
http://www.codegate.org/Eng/
Notes :
- My system was a Windows XP SP3 box, so the addresses shown here may differ from the addresses on your box
- I named the binary a2.exe
- Always use a virtual machine when you reverse an unknown binary (you’ll see in a minute why)
- At the time of producing this video the binary was available here: http://bit.ly/hapL14 / http://bit.ly/eeFMyz / http://bit.ly/hKHjfv
Video :
You can view a full-screen version here, and you can download the movie here.
Summary:
Anti-Debugging techniques:
- TLS callback: !bpxep -tls, or Debugging options -> Make first pause at: -> System breakpoint
- Check from PEB if a debugger is attached
- PEB!NtGlobalFlags
- NtQueryInformationProcess
- Create new SEH followed by the int 2D anti-debugging technique
Date check:
- The binary checks the current date, which has to be Sat Feb 26 2005
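To find the PEB and int 2Dh checks listed above before single-stepping into them, it helps to search the code section for their usual x86 encodings. The following Python scanner is an added example and is not part of the original post or of the CTF binary; the `SAMPLE` bytes are a hand-assembled, constructed sequence and the `scan_code` / `nt_global_flag_looks_debugged` names are mine.

```python
import re

# Patterns for the 32-bit x86 encodings that usually implement the checks
# listed in the summary. Bracketed bytes are the ModRM byte for "any register".
PATTERNS = [
    # mov eax, fs:[30h]  (A1 form)  -> loads the PEB pointer from TEB+0x30
    ("PEB pointer via fs:[30h]", rb"\x64\xa1\x30\x00\x00\x00"),
    # mov r32, fs:[30h]  (8B /r form; disp32 ModRM 05/0D/15/1D/25/2D/35/3D)
    ("PEB pointer via fs:[30h]", rb"\x64\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d]\x30\x00\x00\x00"),
    # movzx eax, byte ptr [r32+2]  -> PEB.BeingDebugged (0x44 needs a SIB byte, so it is excluded)
    ("PEB.BeingDebugged read", rb"\x0f\xb6[\x40-\x43\x45-\x47]\x02"),
    # mov eax, [r32+68h]  -> PEB.NtGlobalFlag
    ("PEB.NtGlobalFlag read", rb"\x8b[\x40-\x43\x45-\x47]\x68"),
    # int 2Dh  -> the exception only reaches the program's SEH handler when no debugger is attached
    ("int 2Dh", rb"\xcd\x2d"),
]

def scan_code(code: bytes):
    """Return sorted (offset, label) pairs for every matched idiom in a code blob."""
    hits = []
    for label, pattern in PATTERNS:
        for m in re.finditer(pattern, code):
            hits.append((m.start(), label))
    return sorted(hits)

# NtGlobalFlag heap-debugging bits; a process created by a debugger normally has all three set.
FLG_HEAP_ENABLE_TAIL_CHECK = 0x10
FLG_HEAP_ENABLE_FREE_CHECK = 0x20
FLG_HEAP_VALIDATE_PARAMETERS = 0x40
DEBUG_HEAP_FLAGS = FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS

def nt_global_flag_looks_debugged(nt_global_flag: int) -> bool:
    """The common form of the NtGlobalFlag test: `and eax, 70h`, then compare with 70h."""
    return nt_global_flag & DEBUG_HEAP_FLAGS == DEBUG_HEAP_FLAGS

# Constructed sample (not bytes from a2.exe): a hand-assembled sequence of the checks.
SAMPLE = bytes.fromhex(
    "64a130000000"    # mov eax, fs:[30h]
    "0fb64002"        # movzx eax, byte ptr [eax+2]   ; BeingDebugged
    "85c0"            # test eax, eax
    "7505"            # jnz short +5
    "648b1d30000000"  # mov ebx, fs:[30h]
    "8b4368"          # mov eax, [ebx+68h]            ; NtGlobalFlag
    "83e070"          # and eax, 70h
    "cd2d"            # int 2Dh
    "c3"              # ret
)

if __name__ == "__main__":
    for offset, label in scan_code(SAMPLE):
        print(f"+0x{offset:02x}  {label}")
```

The offsets it reports are where a breakpoint belongs before letting the binary run past its TLS callback and entry point.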
Links:
[1] http://www.symantec.com/connect/articles/windows-anti-debug-reference
[2] http://www.data0.net/?p=183
[3] http://www.cyberciti.biz/faq/convert-epoch-seconds-to-the-current-time-date/
[4] http://isc.sans.edu/diary.html?storyid=6655
[5] http://www.openrce.org/reference_library/anti_reversing_view/34/INT%202D%20Debugger%20Detection/
[6] http://www.perturb.org/display/Linux_date.html
[7] http://www.cyberciti.biz/faq/convert-epoch-seconds-to-the-current-time-date/
[8] http://msdn.microsoft.com/en-us/library/ms687420(VS.85).aspx
[9] http://jsimlo.sk/docs/cpu/index.php/setz.html
© 2011, Corelan Team (fancy). All rights reserved.