«
»

Please consider donating: https://www.corelan.be/index.php/donate/


7,620 views

Codegate 2011 CTF – Binary200 – Anti Debugging Techniques Explained

Published March 14, 2011 | By Corelan Team (fancy)

Introduction:

Aloha,
Again I stumbled upon a nice reverse-me, binary200 from the Codegate 2011 CTF.
And again there are some really interesting anti-debugging tricks implemented, so I decided to produce another video.
The instruction was just "reverse me", which means there should be a key or a flag somewhere in that binary, right?

Let’s check it out………….

Thanks to Codegate and to the creators of the CTF for such a nice challenge!
CODEGATE is an annual IT Security Festival in Seoul since 2008 and it is already one of the biggest IT security events.
http://www.codegate.org/Eng/

 

Notes :

  • My system was a Windows XP SP3 box. So the addresses here may be different to the addresses of your box
  • I named the binary a2.exe
  • Always use a virtual machine when you reverse a unknown binary (you’ll see in a minute why)
  • At the time of producing this video the binary was available here: http://bit.ly/hapL14 / http://bit.ly/eeFMyz / http://bit.ly/hKHjfv

 

Video :


You can view a full screen version here, and you can download the movie here.

 

 

Summary:

Anti-Debugging techniques:

  1. TLS callback:  !bpxep -tls
    Debugging options –> Make first pause at: –> System breakpoint
  2. Check from PEB if Debugger is attached
  3. PEB!NtGlobalFlags
  4. NtQueryInformationProcess
  5. Create new SEH followed by the int 2D anti-debugging technique

Date check

Checking of the current date: the current date should be Sat Feb 26 2005

 

Links:

[1] http://www.symantec.com/connect/articles/windows-anti-debug-reference
[2] http://www.data0.net/?p=183
[3] http://www.cyberciti.biz/faq/convert-epoch-seconds-to-the-current-time-date/
[4] http://isc.sans.edu/diary.html?storyid=6655
[5] http://www.openrce.org/reference_library/anti_reversing_view/34/INT%202D%20Debugger%20Detection/
[6] http://www.perturb.org/display/Linux_date.html
[7] http://www.cyberciti.biz/faq/convert-epoch-seconds-to-the-current-time-date/
[8] http://msdn.microsoft.com/en-us/library/ms687420(VS.85).aspx
[9] http://jsimlo.sk/docs/cpu/index.php/setz.html

© 2011, Corelan Team (fancy). All rights reserved.

Similar/Related posts:

Default ThumbnailAnti-debugging tricks revealed – Defcon CTF Qualifications 2009: Bin300 Analysis Default ThumbnailBlackHat Europe 2011 / Preview Default ThumbnailHITB 2011 CTF – Reversing Vectored Exception Handling (VEH) Default ThumbnailDebugging Fun – Putting a process to sleep() Default ThumbnailHoneynet Workshop 2011
Posted in 001_Security, Malware and Reversing, Video | Tagged , , , , , , , , , , , , , , , , , , ,

3 Responses to Codegate 2011 CTF – Binary200 – Anti Debugging Techniques Explained

Corelan Training

We have been teaching our win32 exploit dev classes at various security cons and private companies & organizations since 2011

Check out our schedules page here and sign up for one of our classes now!

Donate

Want to support the Corelan Team community ? Click here to go to our donations page.

Want to donate BTC to Corelan Team?



Your donation will help funding server hosting.

Corelan Team Merchandise

You can support Corelan Team by donating or purchasing items from the official Corelan Team merchandising store.

Protected by Copyscape Web Plagiarism Tool

Corelan on Slack

You can chat with us and our friends on our Slack workspace:

  • Go to our facebook page
  • Browse through the posts and find the invite to Slack
  • Use the invite to access our Slack workspace

    • Categories

    Mastodon: @corelanc0d3r | @corelan


    Copyright Peter Van Eeckhoutte © 2007 - 2024 | All Rights Reserved | Terms of use