|
#1
There are some people on EFnet #cracking4newbies (IRC) who have solved the second challenge. You can try asking there.

"bwaichu@yahoo.com" <spamtrap@crayne.org> wrote in message news:c9a15bce-0b29-4d8e-850d-6e8114c69936@f63g2000hsf.googlegroups.com...
> I'm working on the second file for a contest, and I'm struggling with
> the anti-debugging techniques used. In the second file for the
> contest, the file uses a tls callback to set PEB[2] to 2. Now, the
> value is supposed to be a boolean 1 or 0 since it is set to a 1 when a
> debugger is being used. I have to modify the memory, so that I won't
> fault later or be detected with a call to IsDebuggerPresent. The
> functions in this file are loaded with calls to GetProcAddress,
> so it's not as easy as just NOPing out the instructions. Then, eax is
> just called or the value of eax is put into memory or onto the stack
> and called.
>
> Here's the snip of the code with the explanations I have so far:
>
> TlsCallback_0 proc near ; DATA XREF: UPX2:TlsCallbacks
> UPX2:004080D7
> UPX2:004080D7 arg_4 = dword ptr 8
> UPX2:004080D7
> UPX2:004080D7 nop
> UPX2:004080D8 cmp [esp+arg_4], 1 <-- not sure what the value should be when entering?
> UPX2:004080E0 jnz short locret_4080FB
> UPX2:004080E2 mov eax, large fs:18h <-- go to the TEB structure
> UPX2:004080E8 mov eax, [eax+30h] <-- go to the PEB structure
> UPX2:004080EB add word ptr [eax+2], 1 <-- change the BeingDebugged to 2; s/b 1 or 0
> UPX2:004080F1 push 61736D38h <-- not sure if this is a checksum
> UPX2:004080F6 call sub_406F9E
> UPX2:004080FB
> UPX2:004080FB locret_4080FB: ; CODE XREF: TlsCallback_0+9j
> UPX2:004080FB retn
> UPX2:004080FB TlsCallback_0 endp ; sp = -4
>
> The contest is already over, but I'm taking this opportunity to
> improve my coding skills. Here's a link to the contest:
>
> http://www.khallenge.com/
>
> This is the second file. The first one was pretty straightforward.
> This one is tough as it also uses pretty tough encryption to hide the
> key.
>
> Can someone tell me more about how TLS Callbacks are entered and what
> the stack is supposed to look like? This isn't a normal entry, and I
> did not detect the TLS Callback entry in Ollydbg.
>
> Thanks,
>
> Brian
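TLS callbacks are invoked by the loader from the PE's TLS data directory before the image's entry point, with the PIMAGE_TLS_CALLBACK arguments (DllHandle, Reason, Reserved) on the stack, so the `cmp [esp+arg_4], 1` in the listing tests Reason against DLL_PROCESS_ATTACH (1), which is why a debugger that only breaks at the entry point never shows the callback running. The Python below is an added example, not the poster's or the contest's code: a dependency-free parser that lists the callbacks registered in a PE's TLS directory, run here against a constructed minimal PE32 (0x4080D7 echoes the TlsCallback_0 address in the listing; 0x408100 and every other value in the sample are made up).

```python
import struct

def _rva_to_off(sections, rva):
    for vsz, va, rsz, rptr in sections:  # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        if va <= rva < va + max(vsz, rsz):
            return rva - va + rptr
    raise ValueError("RVA %#x is not backed by any section" % rva)

def tls_callbacks(pe):
    """Return the VAs in the NULL-terminated TLS callback array of a PE32 or PE32+ file image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0": raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)  # COFF header
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B): raise ValueError("unknown optional header magic %#x" % magic)
    pe32 = magic == 0x10B  # PE32: 4-byte pointers, ImageBase at +28, directories at +96; PE32+: 8, +24, +112
    psz, ptr = (4, "<I") if pe32 else (8, "<Q")
    image_base = struct.unpack_from(ptr, pe, opt + (28 if pe32 else 24))[0]
    dd = opt + (96 if pe32 else 112)
    tls_rva = struct.unpack_from("<I", pe, dd + 9 * 8)[0]  # data directory entry 9 = TLS
    if tls_rva == 0: return []
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    # IMAGE_TLS_DIRECTORY: AddressOfCallBacks is the 4th pointer-sized field and holds a VA, not an RVA
    cb_va = struct.unpack_from(ptr, pe, _rva_to_off(sections, tls_rva) + 3 * psz)[0]
    if cb_va == 0: return []
    off, found = _rva_to_off(sections, cb_va - image_base), []
    while True:  # the array ends with a NULL pointer
        va = struct.unpack_from(ptr, pe, off)[0]
        if va == 0: return found
        found.append(va)
        off += psz

def build_sample_pe():
    """Constructed minimal PE32 (not the contest binary): one .tls section holding a TLS
    directory at +0 and a two-entry callback array at +0x18."""
    base, sec_va, sec_raw = 0x400000, 0x1000, 0x200
    tls = struct.pack("<IIIIII", base + 0x1100, base + 0x1110, base + 0x1120, base + sec_va + 0x18, 0, 0)
    body = (tls + struct.pack("<III", 0x4080D7, 0x408100, 0)).ljust(sec_raw, b"\0")
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 28, base)
    struct.pack_into("<I", opt, 92, 16); struct.pack_into("<II", opt, 96 + 9 * 8, sec_va, 0x18)
    sec = struct.pack("<8sIIIIIIHHI", b".tls", 0x200, sec_va, 0x200, sec_raw, 0, 0, 0, 0, 0xC0000040)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(sec_raw, b"\0") + body
```

Running `tls_callbacks(open(path, "rb").read())` on a real file reports every address that will execute before the entry point, which is where a breakpoint belongs when a sample behaves differently under a debugger.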