live_dont_exist
October 20th, 2013, 19:09
I was playing a CTF which had a binary (PE32 exec) in which there's a hidden flag. There are quite a few anti-debug/disasm/logic things in there... which make life difficult. I got a few of them but am now stuck. As in... I can keep poking and have not tried all possibilities, but wanted to check with you guys if this was a common technique. I'll try and explain.

There's a lot of self modifying code in there which I kinda managed to unpack, I think. It extracts itself into memory in the 370000 range. Here there are a few more problems:
a) I can see an entire PE exec in memory. So I tried Binary copy in Olly from MZ till the last byte before 00 00 00 starts. But that flopped and Olly said... 'This is not an EXE, want to load it anyway?' and opened a terminal with ntvdm.exe... whatever that means (not yet Googled). Tried dumping using a couple of plugins... but must be doing something wrong. What's the best way to proceed? It's all in memory mind you... so bit of a pain to unpack each time by setting 1 million breakpoints and F8 little by little.

b) It then seems to dump an address onto the stack as follows and use that address as the 2nd argument to VirtualAlloc later on. Then it tries a MOV to this address + 3C or something... which is non-existent... so I NOP'd that. Then there is the VirtualAlloc call which succeeds..
Code:
VirtualAlloc(0, 37079E, 3000, 40)   ; lpAddress=NULL, dwSize=0x37079E, flAllocationType=0x3000 (MEM_COMMIT|MEM_RESERVE), flProtect=0x40 (PAGE_EXECUTE_READWRITE)
.... but after that there is a REP MOVS (EDI, ESI) type instruction and it tries to copy a huge, huge number of bytes into the newly allocated memory. Eventually I get an access violation error. I tried playing with the sizes and NOPping bits out... and patching EAX, EDX etc. at runtime, but it keeps failing at different points. So the question is... is this a common anti-debugging technique too? And if yes... what's the best way to approach it... apart from F8?

There's a while to go for the CTF to end.. so I can't yet upload the binary...but I will once it's over. Before that.. any help you guys can give would be great.
I attached a screenshot of what I see as the value of ECX just before the copy of the unpacked code. The number is insanely huge; I tried looking at memory... calculating the size and using that size instead... by patching ECX before the REP... but that caused the VirtualAlloc to fail. This was the code.
Code:
VirtualAlloc(0, 9cbb, 3000, 40)   ; lpAddress=NULL, dwSize=0x9CBB, flAllocationType=0x3000 (MEM_COMMIT|MEM_RESERVE), flProtect=0x40 (PAGE_EXECUTE_READWRITE)
I'll keep trying and update you all if I find a solution. In the meanwhile ..

Thanks
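Added example (not code from the post above or from the CTF binary): a small PE32 dump fixer in Python that does what a dumper plugin does when it "rebuilds" an image copied out of memory. It relies on two facts from the PE format. First, the DWORD at [base+0x3C] is e_lfanew, the offset of the 'PE\0\0' signature, so a read from base+0x3C is the standard way for the loader, or an unpacker stub, to find the PE header of an image it has just written. Second, a byte-for-byte copy of the in-memory image does not load as a file because section data sits at VirtualAddress in memory but at PointerToRawData on disk, so the copied section headers point at the wrong file offsets; when Windows finds an MZ header but no usable PE header behind it, it treats the file as a 16-bit DOS program, which is where ntvdm.exe comes from. The sample image below is constructed inline for the demonstration; PE32 only (no PE32+), and the field offsets are from the PE/COFF specification.

```python
import struct

# PE/COFF layout constants (PE32). Offsets below follow the specification.
COFF_HDR_SIZE = 24        # 'PE\0\0' signature (4) + file header (20)
SECTION_HDR_SIZE = 40


def pe_header_offset(image: bytes) -> int:
    """Return e_lfanew: the DWORD at 0x3C of the DOS header, i.e. the same
    [base+0x3C] read a loader or unpacker stub does to locate 'PE\\0\\0'."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    return e_lfanew


def parse_image(image: bytes) -> dict:
    """Pull the fields a dumper needs out of a PE32 image (memory or file layout)."""
    pe = pe_header_offset(image)
    num_sections = struct.unpack_from("<H", image, pe + 6)[0]     # FileHeader.NumberOfSections
    size_opt = struct.unpack_from("<H", image, pe + 20)[0]        # FileHeader.SizeOfOptionalHeader
    opt = pe + COFF_HDR_SIZE
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:          # OptionalHeader.Magic
        raise ValueError("not a PE32 optional header")
    sect_align, file_align = struct.unpack_from("<II", image, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", image, opt + 56)
    sections, off = [], opt + size_opt
    for _ in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "hdr_off": off})
        off += SECTION_HDR_SIZE
    return {"pe": pe, "opt": opt, "section_alignment": sect_align, "file_alignment": file_align,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers, "sections": sections}


def realign_memory_dump(image: bytes) -> bytes:
    """Convert a memory-layout dump (SizeOfImage bytes copied from the image base)
    into a loadable file-layout PE: raw pointer := VirtualAddress, raw size :=
    VirtualSize rounded up to SectionAlignment, FileAlignment := SectionAlignment."""
    info = parse_image(image)
    out = bytearray(image[:info["size_of_image"]])
    out.extend(b"\0" * (info["size_of_image"] - len(out)))       # pad a short copy
    align = info["section_alignment"]
    struct.pack_into("<I", out, info["opt"] + 36, align)          # OptionalHeader.FileAlignment
    for s in info["sections"]:
        raw_size = (s["vsize"] + align - 1) // align * align
        struct.pack_into("<II", out, s["hdr_off"] + 16, raw_size, s["va"])  # SizeOfRawData, PointerToRawData
    return bytes(out)


def read_section(file_image: bytes, name: str) -> bytes:
    """Read a section's bytes the way a file loader would: from PointerToRawData."""
    for s in parse_image(file_image)["sections"]:
        if s["name"] == name:
            return file_image[s["raw_ptr"]:s["raw_ptr"] + s["vsize"]]
    raise KeyError(name)


def build_memory_layout_sample() -> bytes:
    """Constructed test input, not a real binary: a minimal PE32 as it looks after
    being mapped (sections at their VAs) while the headers still carry the on-disk
    PointerToRawData values (0x400 / 0x600), which is exactly why a raw copy fails."""
    sect_align, file_align, size_opt, e_lfanew = 0x1000, 0x200, 0xE0, 0x80
    sections = [(b".text", 0x1000, 0x40, 0x400, b"\xC3" * 0x40),   # name, VA, VirtualSize, raw ptr, data
                (b".data", 0x2000, 0x10, 0x600, b"DATA" * 4)]
    img = bytearray(0x3000)                                        # SizeOfImage
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine=i386, NumberOfSections, TimeDateStamp, SymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = e_lfanew + COFF_HDR_SIZE
    struct.pack_into("<H", img, opt, 0x10B)                        # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1000)                  # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, 0x400000)                # ImageBase
    struct.pack_into("<II", img, opt + 32, sect_align, file_align)
    struct.pack_into("<II", img, opt + 56, len(img), 0x400)        # SizeOfImage, SizeOfHeaders
    off = opt + size_opt
    for name, va, vsize, raw_ptr, data in sections:
        raw_size = (vsize + file_align - 1) // file_align * file_align
        struct.pack_into("<8sIIII", img, off, name, vsize, va, raw_size, raw_ptr)
        img[va:va + len(data)] = data
        off += SECTION_HDR_SIZE
    return bytes(img)


if __name__ == "__main__":
    dump = build_memory_layout_sample()
    fixed = realign_memory_dump(dump)
    for s in parse_image(fixed)["sections"]:
        print(f"{s['name']:8s} VA=0x{s['va']:x} raw_ptr=0x{s['raw_ptr']:x} raw_size=0x{s['raw_size']:x}")
```

Practical use: copy SizeOfImage bytes from the image base rather than stopping at the first run of zero bytes, then run the copy through realign_memory_dump. This only fixes the section alignment; the dump will still not run until the entry point is set to the real OEP and the import table is rebuilt (ImpREC-style), and nothing here addresses the oversized REP MOVS copy described in the post.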