Discussion:
TLS Callback Entry in Assembly (win32)
bwaichu@yahoo.com
2008-08-09 02:28:23 UTC
I'm working on the second file for a contest, and I'm struggling with
the anti-debugging techniques used. In the second file for the
contest, the file uses a tls callback to set PEB[2] to 2. Now, the
value is supposed to be a boolean 1 or 0 since it is set to a 1 when a
debugger is being used. I have to modify the memory, so that I won't
fault later or be detected with a call to IsDebuggerPresent. The
functions in this file are loaded with calls to GetProcAddress,
so it's not as easy as just NOPing out the instructions. Then, eax is
just called or the value of eax is put into memory or onto the stack
and called.

Here's the snip of the code with the explanations I have so far:

TlsCallback_0 proc near ; DATA XREF: UPX2:TlsCallbacks
UPX2:004080D7
UPX2:004080D7 arg_4 = dword ptr 8
UPX2:004080D7
UPX2:004080D7 nop
UPX2:004080D8 cmp [esp+arg_4], 1 <-- not sure what the value should be when entering?
UPX2:004080E0 jnz short locret_4080FB
UPX2:004080E2 mov eax, large fs:18h <-- go to the TEB structure
UPX2:004080E8 mov eax, [eax+30h] <-- go to the PEB structure
UPX2:004080EB add word ptr [eax+2], 1 <-- change the BeingDebugged to 2; s/b 1 or 0
UPX2:004080F1 push 61736D38h <-- not sure if this is a checksum
UPX2:004080F6 call sub_406F9E
UPX2:004080FB
UPX2:004080FB locret_4080FB: ; CODE XREF: TlsCallback_0+9j
UPX2:004080FB retn
UPX2:004080FB TlsCallback_0 endp ; sp = -4

The contest is already over, but I'm taking this opportunity to
improve my coding skills. Here's a link to the contest:

http://www.khallenge.com/

This is the second file. The first one was pretty straightforward.
This one is tough as it also uses pretty tough encryption to hide the
key.

Can someone tell me more about how TLS Callbacks are entered and what
the stack is supposed to look like? This isn't a normal entry, and I
did not detect the TLS Callback entry in Ollydbg.

Thanks,

Brian
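On the entry question: the loader walks the NULL-terminated array that the TLS directory's AddressOfCallBacks field points to and calls each entry before the program's entry point, with the same three arguments DllMain gets (module base, reason, reserved). On x86 that puts the return address at [esp], the module base at [esp+4] and the reason at [esp+8], so `arg_4 = dword ptr 8` is the reason and `cmp [esp+arg_4], 1` is a check for DLL_PROCESS_ATTACH (1). That is also why a debugger that breaks only at the entry point never sees the callback run. The script below is an added example, not code from the thread or from the contest file: it parses a PE's TLS directory (data directory index 9) and lists the callback addresses so they can be found statically before debugging. It handles both PE32 and PE32+, which is more general than the x86 case in the listing. The image it builds in memory is constructed for the demonstration only; the first callback address is the one from the listing above and the second (0x00401234) is made up.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9  # index of the TLS entry in the optional header's data directory table
DLL_PROCESS_ATTACH = 1         # the Reason value the callback in the listing compares against


def _read_sections(data, sec_table, count):
    """Return (VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData) per section header."""
    sections = []
    for i in range(count):
        _name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_table + 40 * i)
        sections.append((va, vsize, raw_size, raw_ptr))
    return sections


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def tls_callbacks(data):
    """Return the TLS callback virtual addresses of a PE32/PE32+ image (empty list if none)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: ImageBase at +28, data directories at +96
        ptr_fmt, base_off, dirs_off = "<I", 28, 96
    elif magic == 0x20B:    # PE32+: ImageBase at +24, data directories at +112
        ptr_fmt, base_off, dirs_off = "<Q", 24, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ptr_size = struct.calcsize(ptr_fmt)
    image_base = struct.unpack_from(ptr_fmt, data, opt + base_off)[0]
    num_dirs = struct.unpack_from("<I", data, opt + dirs_off - 4)[0]  # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_TLS:
        return []
    tls_rva, _tls_size = struct.unpack_from("<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva == 0:
        return []
    sections = _read_sections(data, opt + opt_size, num_sections)
    tls_off = rva_to_offset(sections, tls_rva)
    # IMAGE_TLS_DIRECTORY: StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex,
    # AddressOfCallBacks (all pointer-sized VAs), then SizeOfZeroFill and Characteristics.
    callbacks_va = struct.unpack_from(ptr_fmt, data, tls_off + 3 * ptr_size)[0]
    if callbacks_va == 0:
        return []
    # AddressOfCallBacks is a VA, so convert it back to an RVA with the on-disk ImageBase.
    off = rva_to_offset(sections, callbacks_va - image_base)
    callbacks = []
    while True:
        va = struct.unpack_from(ptr_fmt, data, off)[0]
        if va == 0:         # the callback array is NULL-terminated
            break
        callbacks.append(va)
        off += ptr_size
    return callbacks


def build_sample_pe(with_tls=True):
    """Construct a minimal PE32 image with one .tls section (sample data for this example only)."""
    image_base, tls_rva, cb_rva = 0x400000, 0x1000, 0x1020
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)            # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    if with_tls:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, tls_rva, 24)
    sec = struct.pack("<8sIIIIIIHHI", b".tls\0\0\0\0", 0x200, tls_rva, 0x200, 0x200, 0, 0, 0, 0, 0xC0000040)
    raw = bytearray(0x200)
    struct.pack_into("<IIIIII", raw, 0, image_base + 0x1100, image_base + 0x1100,
                     image_base + 0x1104, image_base + cb_rva, 0, 0)
    # Constructed callback array: the address from the listing, a made-up second one, terminator.
    struct.pack_into("<III", raw, cb_rva - tls_rva, 0x004080D7, 0x00401234, 0)
    headers = (bytes(dos) + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    return headers + bytes(raw)


if __name__ == "__main__":
    for va in tls_callbacks(build_sample_pe()):
        print("TLS callback at 0x%08X (runs before the entry point, Reason=%d on attach)" % (va, DLL_PROCESS_ATTACH))
```

To use it on a real file, replace `build_sample_pe()` with the bytes of the file; because UPX-packed binaries keep the TLS directory in the packed image, the callback shows up here even when the rest of the code is still compressed, which is a useful first triage step on a sample that seems to detect the debugger before it reaches the entry point.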
comrade
2008-08-09 16:08:56 UTC
There are some people on EFnet #cracking4newbies (IRC) who have solved the
second challenge. You can try asking there.
Tim Roberts
2008-08-10 21:50:01 UTC
Post by ***@yahoo.com
UPX2:004080F1 push 61736D38h <-- not sure if this is a checksum
Nope. It's a signature. Those are the ASCII characters 'asm8'.
--
Tim Roberts, ***@probo.com
Providenza & Boekelheide, Inc.
bwaichu@yahoo.com
2008-08-11 03:51:43 UTC
Post by Tim Roberts
UPX2:004080F1 push 61736D38h <-- not sure if this is a checksum
Nope. It's a signature. Those are the ASCII characters 'asm8'.
Thanks. I have dug some more and have spent the better part of the weekend reading about exe packers. This one is upx, which can be seen in any hex viewer and in the IDA disassembly. The TLS Callback just increments the debugger piece, so that plugins that reduce it back to zero have no effect.

That part above pushes the first part of the e-mail address used, so the workaround is a little tricky. Basically, this contest really has me looking at the workings of the PE format, unpacking, and anti-debugging tricks.

To complete it, I just downloaded uat and unpacked it. But I still need to better understand manual unpacking.

I have been pointed to chimprec, which replaces lordpe/imprec for dumping the exe after reaching the original entry point, and rebuilding the IAT. I have a lot more to learn about how Windows exe files are built.

Right now, I'm trying to build a program that runs the TLS Callback, puts a message saying that the program is in the callback, runs the start entry point and prints out a message saying the program arrived in start. But I'm struggling to do this in NASM. Is there a way to do this without editing the PE header after linking the file in NASM, or do I have to write this in MASM32?

What is interesting is that the callback occurs in the data segment, not the text segment.

I think, at some point, I need to write a basic exe packer in assembly to see how they are written.

Thanks.
