Hi guys,

I'm trying to follow one of the crackmes solved by tiga, I'm using ida pro for linux for static analysis and trying to debug the thing with gdb while running it under wine.

The problem is that once wine creates a new process gdb seems to freeze, I'm trying with set follow-fork-mode child and set detach-on-fork off, with the default values of those the program finishes without debugging.

I've tried to set a catchpoint in the fork and attach a new instance of gdb to the new proccess but it can't be attached even running as root, any ideas?

Debian lenny, gdb 6.7.1-debian, linux 2.6.21.1

Which crackme are you talking about?
Just to be sure, was it a Windows or Linux crackme?

My guess would be a Windows crackme on Linux since you mentioned Wine.
There's a paper on that called "The Alien Autopsy" made in the times of IDA 4.7 or 4.3, before remote debugging.

I have a simpler method if the crackme runs under Wine, simply run the IDA Windows server under Wine (or a Windows VM) and remote debug from the Linux version of IDA.

TiGa

It is the one from the video solution for br0ken crackme, it's a windows crackme.

I've read that paper but it relies on a breakpoint at PROCESS_InitWine symbol that doesn't exist anymore (at least I can't find it) and I guess previous wine versions didn't create a new process because the paper don't talk about that.

I would like to solve the multi process debugging problem under gdb, I know ida under wine is a possibility but that would be avoiding the problem I'm willing to solve (with you help I hope)

Is that the "Alien Autopsy: Reverse Engineering Win32 Trojans on Linux" by Joe Steward?

Yes, that's the paper that I was talking about.
http://www.secureworks.com/research/articles/alien

The paper is starting to get a little dated as it was made with IDA 4.1 in 2002.

I made an updated version in video using the method that I described previously.
http://rapidshare.com/files/130047662/AlienAutopsy2008.rar.html

If you set a BP on the EntryPoint in IDA or GDB, you shouldn't get lost in the WINE code.

I should really start my own Video-On-Demand channel.

TiGa

Thanks TiGa it's a great video as usual

I think I'll try your way and post a question about multi process debugging at the gdb mailing list, and count on my subscription to the video on demand channel

Thanks TiGa for the video, I'll check it out, and if you come out with a ondemand channel let us know. I'll subscribe to it.

By the way, congratulations for becoming a crew member on ARteam. I meant to post something there but I forgot what was my handle or the password I used. I will eventually remember it. Anyway, congratulations.

yeah, what do you use to make those fancy screencasts? those are great

Damn! my mouse don't work with idal and it's getting on my nerves, I wonder why those borland geniuses didn't use shift-TAB to go back, there must be a key for that

Thank you, I used Instant Demo to make the video but Camtasia Studio gives a more professional result.

ESC to go back?

Can't say much about the mouse problem.
IDA for Linux is kind of evil, yes, that's why I prefer to use remote debugging from Windows instead.

TiGa

I mean when you cycle through options with tab and you want to cycle back you can't use shift-tab in the borland ide, anyway I have the mouse working now.

I don't have windows installed on my computer and until now I didn't have any reason to install it, but I admit ida is a good reason.