Codegate CTF ReverseMe 200pts Write-up

by mohamed ali MRABET

This task is really challenging as it contains some anti-reversing related stuff.\nI grabbed the binary and threw it in olly and .....Ooops ..it just quits immediatly .\n\n At first , I was stuck for minutes .because the binary is supposed to be landing on the entry point .\nThen after googling up , I figured out that the moment when the debugger attaches to it the binary purposefully hits the ret instructions because of the TLS callback .\n\nWell TLS stands for Thread Local Storage , it is section that resides in an executable that contains data variables particular to each thread and addresses of some functions (callbacks ) .\nThe windows loader ensures that the TLS section gets executed before it reaches the OEP of the program . Due to the fact that TLS gets executed first , task author managed to add some anti-debugging code in it ,therefore the debugger will not have a chance to hit the entry point .\n\nTo work this out , we need to use TLScatch plugin by waleed assar , which is used to set a breakpoints on TLS callbacks ,so that the debugger would be able to stop on the callback functions.\n\nI re-opened the binary in olly and to started to check its behaviour .I noticed the presence of some anti-debugging techniques have been implemented in it .\n\n\nAt first , It gets the PEB (Process Environment Block) structure as it contains a value that indicates whether the binary is being debugged or not .\nWe can simply bypass it by setting EAX value to zero . So let's carry on and see the next anti-debug trick .\n\n\nAfter stepping out some instructions , I figured out that it does a manual import of "NtqueryInformationProcess" API with the help of LoadLibrary and GetProcAdress api's .\n Well , a well trained eye will know that these consecutive calls is an indication of an anti-debug mechanism that will set SYSTEM_INFORMATION_CLASS parameter to ProcessDebugPort value.\nOnce again , just change the value of EAX in order to get over it .\n\n\nThis is yet another anti-debug technique was made . It obtains the value of NtglobalFlag by getting the PEB through TIB(Thread Information Block ).\n\n After reaching the code section we will see a bunch of CALL instructions was created for obfuscation puposes , one of them is really interesting (0x00401070) which seems to print a string with a xor-decryption loop .\n\n\nHaving executed that function , 0x004010C0 routine displayed the Flag .\n\n\n\n\nFLAG is : "http://forensic-proof.com/archives/552" .\n\n