7,600 views
Codegate 2011 CTF – Binary200 – Anti Debugging Techniques Explained
Introduction:
Aloha,
Again I stumbled upon a nice reverse-me, binary200 from the Codegate 2011 CTF.
And again there are some really interesting anti-debugging tricks implemented, so I decided to produce another video.
The instruction was just "reverse me", which means there should be a key or a flag somewhere in that binary, right?
Let’s check it out………….
Thanks to Codegate and to the creators of the CTF for such a nice challenge!
CODEGATE is an annual IT Security Festival in Seoul since 2008 and it is already one of the biggest IT security events.
http://www.codegate.org/Eng/
Notes :
- My system was a Windows XP SP3 box. So the addresses here may be different to the addresses of your box
- I named the binary a2.exe
- Always use a virtual machine when you reverse a unknown binary (you’ll see in a minute why)
- At the time of producing this video the binary was available here: http://bit.ly/hapL14 / http://bit.ly/eeFMyz / http://bit.ly/hKHjfv
Video :
You can view a full screen version here, and you can download the movie here.
Summary:
Anti-Debugging techniques:
- TLS callback: !bpxep -tls
Debugging options –> Make first pause at: –> System breakpoint - Check from PEB if Debugger is attached
- PEB!NtGlobalFlags
- NtQueryInformationProcess
- Create new SEH followed by the int 2D anti-debugging technique
Date check
Checking of the current date: the current date should be Sat Feb 26 2005
Links:
[1] http://www.symantec.com/connect/articles/windows-anti-debug-reference
[2] http://www.data0.net/?p=183
[3] http://www.cyberciti.biz/faq/convert-epoch-seconds-to-the-current-time-date/
[4] http://isc.sans.edu/diary.html?storyid=6655
[5] http://www.openrce.org/reference_library/anti_reversing_view/34/INT%202D%20Debugger%20Detection/
[6] http://www.perturb.org/display/Linux_date.html
[7] http://www.cyberciti.biz/faq/convert-epoch-seconds-to-the-current-time-date/
[8] http://msdn.microsoft.com/en-us/library/ms687420(VS.85).aspx
[9] http://jsimlo.sk/docs/cpu/index.php/setz.html
© 2011, Corelan Team (fancy). All rights reserved.
3 Responses to Codegate 2011 CTF – Binary200 – Anti Debugging Techniques Explained
Corelan Training
Check out our schedules page here and sign up for one of our classes now!
Donate
Your donation will help funding server hosting.
Corelan Team Merchandise
Corelan on Slack
You can chat with us and our friends on our Slack workspace:
Pingback: Writeup - CODEGATE 2011 | Les Tutos de Nico