Debugger Detection Using NtGlobalFlag

This is another simple anti-reversing trick used to detect a debugger. As I have shown earlier in my post about the TEB structure and the PEB structure, NtGlobalFlag is located in the PEB Structure at offset PEB+104.

When the process is being debugged the NtGlobalFlag is set to 0x70.


(more…)

IsDebuggerPresent API

I was interested in learning about the anti-reversing techniques in the world of reverse engineering. There are so many techniques out there and I thought of trying few techniques and understanding them from the lowest level. I thought of sharing the things I’ve been experimenting these days.
IsDebuggerPresent is a Windows API that can be used to detect a debugger. Here’s an example code:

[code language=”C”]
/*
* IsDebuggerPresent Example
* Author: Osanda Malith Jayathissa (@OsandaMalith)
* Website: http://osandamalith.wordpress.com
*/

#include <windows.h>

int main() {
MessageBox(0, IsDebuggerPresent() ? "Debugger found" : "Debugger not found","Status",0x30);
}
[/code]

If we open in a debugger “Debugger Found” text will get triggered in the MessageBox API. How this API works? Open the API in the debugger and you get the following piece of code.

View post on imgur.com


[code language=”C”]
MOV EAX,DWORD PTR FS:[18]
MOV EAX,DWORD PTR DS:[EAX+30]
MOVZX EAX,BYTE PTR DS:[EAX+2]
[/code]
(more…)

Rootme No software breakpoints Cracking Challenge

Here is another very interesting challenge from Rootme. The title says ELF – no software breakpoints.

View post on imgur.com


Let’s run the file command and see.

% file ch20.bin
ch20.bin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

The executable seemed to be striped.
Next I examined the sections in file and the .text section starts at 0x08048080

View post on imgur.com

This is the disassembly of the text section. I spent some time trying to understand the logic. Well let’s see what this is 🙂
(more…)

Newbie Keygenning 1

This is a random very old crackme I found when I was bored with assignments, which is pretty easy and thought of sharing with you. Doing crackmes one by one 😀 Download: https://www.mediafire.com/?351rp7o9qmf97js

View post on imgur.com


After opening in Olly and checking the string references we can see the congratulations string.

View post on imgur.com


After following the string we see the following disassembly.

View post on imgur.com


(more…)

How to Turn Your Switch into a Snitch

Warning: The author takes no responsibility for any damage you may cause to your device. This post is meant for educational purposes and strictly NOT for malicious purposes.

This post is all about modifying your existing router firmware to perform cool things.

Hardware and Tools Needed:

For the router, I am using a TP-Link MR3020. You may use whatever router you like but make sure you won’t brick your device after or while uploading the modified firmware. Also make sure your firmware can be reversed and dumped using the FMK (Firmware Mod Kit).

Download Firmware Mod Kit
(more…)

Reverse Engineering 101

This is a very basic tutorial on reverse engineering your first executable in Windows. This is a short application which I’ve written just for this purpose, just a simple program which came to my head.
[code language=”c”]
#include <windows.h>
#include <stdio.h>
/*
Name: Ultra Newbie CrackMe
Copyright: 2014
Author: Osanda Malith
Date: 30/12/14 07:51
Description: This a very basic crack me just for demonstration purposes.
*/

void
enc (char cipher[], int shift) {
int i = 0;
while (*(cipher+i)) {
if ((*(cipher+i) + shift) >= 65 && (*(cipher+i)+ shift) <= 90) *(cipher+i) += shift;
else *(cipher+i) += shift – 25;
i++;
}
}

int
main () {
int i;
char msg[] = {0x53, 0x45, 0x43, 0x52, 0x45, 0x54, ‘\0’}, *in;
int key = 6+3;
enc(msg,key); printf("Coded by Osanda\nhttp://osandamalith.wordpress.com\n\n");
printf("Enter Pass\n");
in = (char *) malloc(20);
scanf("%s", in);
if(!strcmp(in,msg)) MessageBox(NULL,TEXT("Access Granted :)"),TEXT("Info"),MB_OK | MB_ICONASTERISK | MB_RIGHT );
else MessageBox(NULL,TEXT("Try Again"),TEXT("Info"),MB_OK | MB_ICONERROR | MB_RIGHT );
return 0;
}

[/code]
I’ll divide this tutorial in to two tasks. Task one is finding the pass. Task two would be patching the application so that any given user input would trigger the “Access Granted” message box.
Before we start what is reverse engineering? Let me put it in this way. We write applications in high level languages such as C, C++, Delphi, etc. and they are gone through a process called compiling and converted into machine code. We write programs in different languages but regardless, the computer won’t understand any of them. The closest language to the CPU which it would understand after assembling and linking would be the assembly language. Reverse engineering is the process of engineering an application once it is compiled into machine code. This is vastly used in malware analyzing, breaking protections in software, exploit development, adding more functionality into applications. There might be more than these few.

(more…)