expl0itr's sew3rr4t

Author:
expl0itr

Language:
C/C++

Upload:
2022-12-25 14:28

Download

Platform:
Unix/linux etc.

Difficulty:
4.0

Quality:
4.7

Arch:
x86-64

Downloads:
16

Size:
845.31 KB

Writeups:
0

Comments:
5

Description

I tried to sprinkle some more or less challenging anti-disassembler and anti-debugger techniques :P Have fun!

Comments (5)
Writeups (0)

You must be logged in to post a comment

alexisreen0 on 2023-03-31 14:20: its hard, sprinkle some hints please

expl0itr on 2023-04-02 10:59: Sure, @alexisreen0. The binary is statically linked with stripped symbols. Hence, it would make sense to identify some libc functions first (printf, puts, strcmp etc.) using signatures, for example, and work backwards from there. As for the anti-debugging measures: There is a separate thread checking whether a debugger is attached. Try to prevent this thread from being started. You should rely on dynamic analysis as much as possible because of the stripped symbols and anti-disassembly measures.

expl0itr on 2024-01-09 14:14: Nobody?

dev0 on 2024-10-14 17:12: @expl0itr This is gold! It took a while to figure out the strcmp but I think it finds the optimal function to replace the thunk with based on processor and features. Static linking makes things a bit different and that took me a bit to untangle. I love the thread that checks for debugging. Question though, does the shell get spawned on INT3 after the syscall or on a debugger trapping?

expl0itr on 2024-11-05 19:53: Thank you so much for the feedback, @dev0! Regarding your question, after the ptrace check, the code executes shellcodec, a function pointer to shellcode. This shellcode includes an INT3 instruction, which could cause the shell to spawn under specific debugging traps if the debugger interrupts on INT3. Check the source code for details: https://github.com/juliangrtz/crackmes/blob/main/sew3rr4t/crackme.c#L180

You must be logged in to submit a writeup

crackmes.one

crackmes.one

expl0itr's sew3rr4t