trolling with break point detection, and binary obfuscation


trolling with break point detection, and binary obfuscation

Post by MadM0use on Fri Jan 30, 2015 6:30 pm


// play like this lol:
// $ gcc -fno-stack-protector -z execstack lol.c -o lol
// NOTE: -z execstack makes only the *stack* executable.  Any blob that lives
// in a string literal (.rodata) will only run where the loader still treats
// an executable stack as "read implies exec"; newer x86-64 Linux kernels do
// not, so keep every blob in a stack array (or mmap() it with PROT_EXEC).
/////////////////////////////////////////////////////////
//;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
//; I SPEAK TEH TRUFF
//;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
//_start:
//      xor eax, eax
//      mov al, 0x1
//      xor rdi, rdi
//      ret
//
//;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
//; decoder foo
//;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
//_start:
//      mov rcx, rsi    ; move size argument into rcx for the loop
//      mov rsi, rdi    ; move the text pointer to rsi
//      xor rax, rax    ; clear out registers (rax stays 0 => return value)
//      xor rdx, rdx
//      xor rdi, rdi
//decode:                               ; decode text (xor 0xFF; run it twice to re-encode)
//      xor byte [rsi], 0xFF
//      inc rsi
//loop decode                           ; NB: loop with rcx == 0 wraps and runs 2^64 times
//      ret
//; (listing corrected to match the emitted bytes: they include xor rdx,rdx
//;  and there is no second xor rax,rax before the ret)
//
//;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
//; breakpoints huh?
//;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
//_start:
//   mov rcx, rsi   ; move size argument into rcx for the loop
//   mov rsi, rdi   ; move the the text pointer to rsi for printing
//   xor rax, rax   ; clear out registers
//   xor rdi, rdi
//scan:
//   cmp byte [rsi], 0xCC ; check for break point: 0xCC = int3 as patched in by a debugger;
//                        ; any legitimate 0xCC byte (immediate/ModRM) in the scanned range matches too
//   je fuck_you
//   inc rsi
//loop scan
//   xor rdi, rdi
//   ret
//fuck_you:
//   xor rdi, rdi
//   mov al, 1
//   ret
//
//;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
//; printfoo
//;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
//;_start:
//;   mov rcx, rsi   ; move size argument into rcx for the loop
//;   mov rsi, rdi   ; move the the text pointer to rsi for printing
//;   xor rax, rax   ; clear out registers
//;   xor rdx, rdx
//;   xor rdi, rdi
//;   push rsi      ; push the text for decoder
//;   push rcx      ; push the size for decoder
//;   push rsi      ; push the text for ecoder
//;   push rcx      ; push the size for encoder
//;decode:            ; decode text
//;   xor byte [rsi], 0xFF
//;   inc rsi
//;loop decode
//;   pop rcx         ; pop size
//;   pop rsi         ; pop text
//;   mov al, 0x1      ; write stuff to stdout
//;   mov dil, al
//;   mov dl, cl
//;   syscall         ; write(1, text, size); syscall clobbers rcx and r11 -- rcx is reloaded by the pop below
//;   xor rax, rax
//;   pop rcx         ; pop size
//;   pop rsi         ; pop text
//;encode:            ; encode text
//;   xor byte [rsi], 0xFF
//;   inc rsi
//;loop encode
//;   ret


typedef unsigned char by;   /* a byte; used for the in-place shellcode and message buffers below */


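/*
 * Entry point.  Drives four hand-assembled x86-64 (SysV) blobs, all kept
 * in stack arrays so the build line at the top of this file (-z execstack)
 * is what makes them executable.  argc/argv are not used.
 *
 * Previously `main(m,k)` stored the blob pointers in main's implicit-int
 * parameters, which truncates a 64-bit address to 32 bits (crashes on a
 * PIE build) and kept two of the blobs in .rodata string literals.
 *
 * Blob contracts (rdi = buffer, rsi = byte count, result in rax):
 *   codec(buf, n)    xor every one of the n bytes with 0xFF in place and
 *                    return 0; a second call restores the original bytes.
 *   predicate()      stored xor-0xFF encoded; once decoded it returns 1.
 *   bp_scan(buf, n)  stored xor-0xFF encoded; once decoded it returns 1 if
 *                    any of the n bytes is 0xCC (int3), else 0.
 *   printer(msg, n)  plain (NOT encoded) bytes: decodes msg in place,
 *                    write(1, msg, n) via raw syscall, re-encodes msg.
 *                    The count is moved with `mov dl, cl`, so n <= 255.
 *
 * Known limits of the "anti-debug" check:
 *   - only an int3 patched into the scanned bytes is seen; hardware
 *     breakpoints (debug registers) and single-stepping do not alter memory.
 *   - any legitimate 0xCC byte (immediate, ModRM) in the range also trips it.
 *   - every blob loops with `loop`, which wraps on rcx == 0, so a zero
 *     length must never be passed.
 */
int main(void)
{
    /* This file has no #include; declare puts() so C99+ compilers accept it. */
    int puts(const char *);

    /* codec: mov rcx,rsi / mov rsi,rdi / xor rax,rax / xor rdx,rdx /
     * xor rdi,rdi / L: xor byte [rsi],0xFF / inc rsi / loop L / ret */
    by codec[] =
        "\x48\x89\xf1\x48\x89\xfe\x48\x31\xc0"
        "\x48\x31\xd2\x48\x31\xff\x80\x36\xff"
        "\x48\xff\xc6\xe2\xf8\xc3";

    /* predicate (encoded): xor eax,eax / mov al,1 / xor rdi,rdi / ret */
    by predicate[] = "\xce\x3f\x4f\xfe\xb7\xce\x00\x3c";

    /* bp_scan (encoded, 32 bytes) -- the "breakpoints huh?" listing above.
     * Two-digit escapes only; the original "\x000" was a single 0x00 escape,
     * so the byte values are unchanged. */
    by bp_scan[] =
        "\xb7\x76\x0e\xb7\x76\x01\xb7\xce\x3f"
        "\xb7\xce\x00\x7f\xc1\x33\x8b\xf6\xb7"
        "\x00\x39\x1d\x09\xb7\xce\x00\x3c\xb7"
        "\xce\x00\x4f\xfe\x3c";

    /* printer (plain x86-64, 52 bytes) -- the "printfoo" listing above.
     * These bytes were never encoded, despite the old comment saying so. */
    by printer[] =
        "\x48\x89\xf1\x48\x89\xfe\x48\x31\xc0"
        "\x48\x31\xd2\x48\x31\xff\x56\x51\x56"
        "\x51\x80\x36\xff\x48\xff\xc6\xe2\xf8"
        "\x59\x5e\xb0\x01\x40\x88\xc7\x88\xca"
        "\x0f\x05\x48\x31\xc0\x59\x5e\x80\x36"
        "\xff\x48\xff\xc6\xe2\xf8\xc3";

    /* "I speak teh truff\n", xor-0xFF encoded; printer decodes and re-encodes it. */
    by message[] =
        "\xb6\xdf\x8c\x8f\x9e\x9a\x94\xdf\x8b"
        "\x9a\x97\xdf\x8b\x8d\x8a\x99\x99\xf5";

    /* Lengths are passed as unsigned long: the blobs read rsi as a full
     * 64-bit count (mov rcx, rsi), and the upper half of a register holding
     * a 32-bit int argument may be left undefined by the caller. */
    int  (*xorcodec)(void *, unsigned long) = (int  (*)(void *, unsigned long)) codec;
    int  (*truth)(void)                     = (int  (*)(void)) predicate;
    int  (*scan)(void *, unsigned long)     = (int  (*)(void *, unsigned long)) bp_scan;
    void (*print)(void *, unsigned long)    = (void (*)(void *, unsigned long)) printer;
    int verdict;

    /* Decode, evaluate, re-encode as three separate statements.  The old
     * form `codec(e) + e() + codec(e)` summed them in one expression, and C
     * does not order the operands of `+`, so e() could run on encoded bytes. */
    xorcodec(predicate, sizeof predicate - 1);
    verdict = truth();
    xorcodec(predicate, sizeof predicate - 1);

    if (verdict) {
        xorcodec(bp_scan, sizeof bp_scan - 1);
        /* Scan the whole printer; the old code scanned only its first 18
         * bytes (18 happens to be the message length). */
        if (!scan(printer, sizeof printer - 1))
            print(message, sizeof message - 1);
    } else {
        puts("This NEVER happens, ever lol");
    }
    return 0;
}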


Re: trolling with break point detection, and binary obfuscation

Post by cyberdrain on Fri Jan 30, 2015 6:50 pm

This only detects software breakpoints (0xCC), right? Is it possible to detect hardware breakpoints and if so, how do you do that?


Re: trolling with break point detection, and binary obfuscation

Post by MadM0use on Fri Jan 30, 2015 7:15 pm

cyberdrain wrote:This only detects software breakpoints (0xCC), right? Is it possible to detect hardware breakpoints and if so, how do you do that?


lol, finally someone who understands this :D however, on intel systems, they are encoded the same. [Review note: that only holds for *software* breakpoints. The dump below shows the debugger overwriting the first byte of `je` (0x74) with int3 (0xCC); an x86 hardware breakpoint is armed in the DR0–DR3/DR7 debug registers and leaves the code bytes untouched, so the 0xCC scan in the code above cannot see it — the timing approach mentioned further down is the kind of check that applies there.] I HAVE run across a few RISC architectures that encode it in memory differently. here is a memory dump if you are interested

// no breakpoint
0x48 0x89 0xe5 0x53 0x48 0x81 0xec 0x88 0x00
0x00 0x00 0x89 0xbd 0x7c 0xff 0xff 0xff 0x89
0xb5 0x78 0xff 0xff 0xff 0xba 0x32 0x00 0x00
0x00 0xbe 0x01 0x00 0x00 0x00 0xbf 0xd5 0x05
0x40 0x00 0xe8 0x7c 0xff 0xff 0xff 0x85 0xc0
0x74 0x0a 0xbf 0xbe 0x07

// breakpoint
0x48 0x89 0xe5 0x53 0x48 0x81 0xec 0x88 0x00
0x00 0x00 0x89 0xbd 0x7c 0xff 0xff 0xff 0x89
0xb5 0x78 0xff 0xff 0xff 0xba 0x32 0x00 0x00
0x00 0xbe 0x01 0x00 0x00 0x00 0xbf 0xd5 0x05
0x40 0x00 0xe8 0x7c 0xff 0xff 0xff 0x85 0xc0
0xcc 0x0a 0xbf 0xbe 0x07


either way, this is how you do both methods, however looking for software breakpoints is a little pointless on intel machines lol

If you want, my next post could be about detecting ARM memory breakpoints :D THOSE were fun when i had to reverse engineer the encoding in memory because i couldnt find the documentation. took a LOT of autistic determination on my part lol and i would be happy to clean up the code, write two examples and post them later tonight :D



MadM0use wrote:
cyberdrain wrote:This only detects software breakpoints (0xCC), right? Is it possible to detect hardware breakpoints and if so, how do you do that?


lol, finally someone who understands this :D however, on intel systems, they are encoded the same. I HAVE run across a few RISC architectures that encode it in memory differently. here is a memory dump if you are interested

// no breakpoint
0x48 0x89 0xe5 0x53 0x48 0x81 0xec 0x88 0x00
0x00 0x00 0x89 0xbd 0x7c 0xff 0xff 0xff 0x89
0xb5 0x78 0xff 0xff 0xff 0xba 0x32 0x00 0x00
0x00 0xbe 0x01 0x00 0x00 0x00 0xbf 0xd5 0x05
0x40 0x00 0xe8 0x7c 0xff 0xff 0xff 0x85 0xc0
0x74 0x0a 0xbf 0xbe 0x07

// breakpoint
0x48 0x89 0xe5 0x53 0x48 0x81 0xec 0x88 0x00
0x00 0x00 0x89 0xbd 0x7c 0xff 0xff 0xff 0x89
0xb5 0x78 0xff 0xff 0xff 0xba 0x32 0x00 0x00
0x00 0xbe 0x01 0x00 0x00 0x00 0xbf 0xd5 0x05
0x40 0x00 0xe8 0x7c 0xff 0xff 0xff 0x85 0xc0
0xcc 0x0a 0xbf 0xbe 0x07


If you want, my next post could be about detecting ARM memory breakpoints :D THOSE were fun when i had to reverse engineer the encoding in memory because i couldnt find the documentation. took a LOT of autistic determination on my part lol and i would be happy to clean up the code, write two examples and post them later tonight :D



OH, and PS: i also have MIPS and ALPHA examples I will put together, I dont know yet whether i will do this in multiple posts or just the one, but they will all be posted tonight lol



oh, also if you are referring to hypervisor based debugging and what have you, you can use timing checks between instructions using the `rdtsc` instruction and checking for extreme timing differences, if you want an example of that I plan to do a tutorial on that as well soon :D


