
Codegate 2011 CTF – Binary200 – Anti Debugging Techniques Explained

Introduction:

Aloha,
Again I stumbled upon a nice reverse-me, binary200 from the Codegate 2011 CTF.
And again there are some really interesting anti-debugging tricks implemented, so I decided to produce another video.
The instruction was just "reverse me", which means there should be a key or a flag somewhere in that binary, right?

Let's check it out.

Thanks to Codegate and to the creators of the CTF for such a nice challenge!
CODEGATE has been an annual IT security conference in Seoul since 2008 and is already one of the biggest IT security events.
http://www.codegate.org/Eng/

Notes :

  • My system was a Windows XP SP3 box, so the addresses here may differ from the addresses on your box
  • I named the binary a2.exe
  • Always use a virtual machine when you reverse an unknown binary (you'll see in a minute why)
  • At the time of producing this video the binary was available here: http://bit.ly/hapL14 / http://bit.ly/eeFMyz / http://bit.ly/hKHjfv

Video :

The walkthrough video is embedded in the original post, where a full screen version and a download of the movie are linked.

Summary:

Anti-Debugging techniques:

  1. TLS callback: the callback runs before the entry point, so a debugger that makes its first pause at the entry point never sees it. Use !bpxep -tls, or set
    Debugging options –> Make first pause at: –> System breakpoint
    so the debugger stops before the callback executes.
  2. Check from the PEB if a debugger is attached (PEB.BeingDebugged, the byte that IsDebuggerPresent reads)
  3. PEB.NtGlobalFlag: the heap debug flags (0x70) are set in it when the process is started under a debugger
  4. NtQueryInformationProcess (the ProcessDebugPort value is non-zero when a debugger is attached)
  5. Create a new SEH frame, followed by the int 2D anti-debugging technique [5]: without a debugger the interrupt raises a breakpoint exception that lands in the new handler; with a debugger attached the exception is swallowed, execution continues and the byte after the instruction is skipped, so the two code paths diverge

A good overview of these checks is the anti-debug reference in [1].

Date check

The binary also checks the current date: the current date should be Sat Feb 26 2005 (see [3], [6] and [7] for converting between epoch seconds and a date).
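As an added example for this write-up (not code from the original post or from the Codegate binary), the following Python script does the static triage a reverser wants before single-stepping: it scans a raw 32-bit x86 code blob for the instruction idioms the five techniques above leave behind, flags any cmp-against-immediate whose value falls inside the expected day of the date check, and reads the PE TLS data directory, where a TLS callback is registered. The code blob, the PE header and the date immediate are constructed for the demo; the PEB offsets assume a 32-bit target like the XP box above.

```python
"""Static triage for the anti-debugging tricks listed above (added example).

Scans raw 32-bit x86 code for the idioms of the five checks, looks for a
hard-coded date compare, and reads the PE TLS directory. All sample bytes
below are constructed for the demo, not taken from a2.exe.
"""
import calendar
import re
import struct

# (label, regex over raw bytes): standard 32-bit encodings of the idioms used for these checks.
SIGNATURES = [
    ("PEB access (mov eax, fs:[30h])", rb"\x64\xA1\x30\x00\x00\x00"),
    ("PEB access via TEB (fs:[18h], [eax+30h])", rb"\x64\xA1\x18\x00\x00\x00\x8B\x40\x30"),
    ("PEB.BeingDebugged read (movzx eax, byte [eax+2])", rb"\x0F\xB6\x40\x02"),
    ("PEB.NtGlobalFlag check ([eax+68h] & 70h)", rb"\x8B\x40\x68.{0,8}?\x83\xE0\x70"),
    ("SEH frame install (push fs:[0]; mov fs:[0], esp)",
     rb"\x64\xFF\x35\x00\x00\x00\x00\x64\x89\x25\x00\x00\x00\x00"),
    ("int 2Dh (raises EXCEPTION_BREAKPOINT only without a debugger)", rb"\xCD\x2D"),
]
API_NAMES = (b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent", b"NtQueryInformationProcess")


def find_antidebug(code):
    """Return [(label, offset)] for every signature and API name found, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        hits += [(label, m.start()) for m in re.finditer(pattern, code, re.DOTALL)]
    for name in API_NAMES:
        off = code.find(name)
        if off != -1:
            hits.append(("import name " + name.decode(), off))
    return sorted(hits, key=lambda h: h[1])


def epoch_window_utc(year, month, day):
    """First and last Unix timestamp (UTC) of the given calendar day."""
    start = calendar.timegm((year, month, day, 0, 0, 0))
    return start, start + 86399


def find_date_immediates(code, start, end):
    """[(offset, imm32)] for cmp eax,imm32 (3D) / cmp r32,imm32 (81 /7) with imm in [start, end]."""
    out = []
    for m in re.finditer(rb"(?:\x3D|\x81[\xF8-\xFF])(.{4})", code, re.DOTALL):
        (value,) = struct.unpack("<I", m.group(1))
        if start <= value <= end:
            out.append((m.start(), value))
    return out


def tls_directory(pe):
    """(rva, size) of IMAGE_DIRECTORY_ENTRY_TLS (index 9), or None if the PE has none."""
    if pe[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)            # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    opt = pe_off + 24                                          # past signature + IMAGE_FILE_HEADER
    (magic,) = struct.unpack_from("<H", pe, opt)
    dirs = {0x10B: 96, 0x20B: 112}.get(magic)                  # PE32 / PE32+ data directory offset
    if dirs is None:
        return None
    (nrva,) = struct.unpack_from("<I", pe, opt + dirs - 4)     # NumberOfRvaAndSizes
    if nrva <= 9:
        return None
    rva, size = struct.unpack_from("<II", pe, opt + dirs + 9 * 8)
    return (rva, size) if rva and size else None


# Constructed code blob: the five checks back to back, then a date compare.
SAMPLE_CODE = (
    b"\x64\xA1\x30\x00\x00\x00"            # mov eax, fs:[30h]
    b"\x0F\xB6\x40\x02"                    # movzx eax, byte ptr [eax+2]   ; BeingDebugged
    b"\x85\xC0\x75\x10"                    # test eax, eax ; jnz bad
    b"\x64\xA1\x30\x00\x00\x00"            # mov eax, fs:[30h]
    b"\x8B\x40\x68\x83\xE0\x70"            # mov eax, [eax+68h] ; and eax, 70h   ; NtGlobalFlag
    b"\x6A\x07"                            # push 7  ; ProcessDebugPort
    b"NtQueryInformationProcess\x00"       # import name (lives in .idata in a real PE)
    b"\x64\xFF\x35\x00\x00\x00\x00"        # push dword ptr fs:[0]
    b"\x64\x89\x25\x00\x00\x00\x00"        # mov fs:[0], esp   ; new SEH frame
    b"\xCD\x2D\x40"                        # int 2Dh ; inc eax (the byte skipped under a debugger)
    b"\x3D" + struct.pack("<I", 1109400000)  # cmp eax, 1109400000 = Sat Feb 26 2005 06:40 UTC
)


def build_sample_pe(tls_rva, tls_size):
    """Constructed minimal PE32 header (no sections) carrying the given TLS directory entry."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                             # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)   # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 9 * 8, tls_rva, tls_size)          # TLS directory entry
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    for label, off in find_antidebug(SAMPLE_CODE):
        print(f"{off:#06x}  {label}")
    for off, value in find_date_immediates(SAMPLE_CODE, *epoch_window_utc(2005, 2, 26)):
        print(f"{off:#06x}  imm32 {value} falls on Sat Feb 26 2005 (UTC)")
    print("TLS directory:", tls_directory(build_sample_pe(0x3000, 0x18)))
```

To run it against a real sample, pass the file's bytes (open(path, "rb").read()) to find_antidebug and tls_directory; the scan is byte-pattern based, so expect false positives in data sections and misses where the check was compiled with a different register. The PEB offsets (BeingDebugged at +2, NtGlobalFlag at +0x68) are the 32-bit ones; a 64-bit PEB keeps NtGlobalFlag at +0xBC and is reached through gs:[60h], so the signatures would need to be extended for x64 targets.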

Links:

[1] http://www.symantec.com/connect/articles/windows-anti-debug-reference
[2] http://www.data0.net/?p=183
[3] http://www.cyberciti.biz/faq/convert-epoch-seconds-to-the-current-time-date/
[4] http://isc.sans.edu/diary.html?storyid=6655
[5] http://www.openrce.org/reference_library/anti_reversing_view/34/INT%202D%20Debugger%20Detection/
[6] http://www.perturb.org/display/Linux_date.html
[7] http://www.cyberciti.biz/faq/convert-epoch-seconds-to-the-current-time-date/
[8] http://msdn.microsoft.com/en-us/library/ms687420(VS.85).aspx
[9] http://jsimlo.sk/docs/cpu/index.php/setz.html


2011, Corelan Team (fancy). All rights reserved.

