A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #27842  by GSnake
 Wed Feb 10, 2016 10:39 am
I'm trying to reverse an application which debugs itself.
It puts 0xcc bytes all over the place: I immediately thought it was a common anti-debug technique, but this was not the case. As I continued reversing, I discovered that the process had a fully working "custom debugger" which modified the EIP upon receiving a breakpoint interrupt in order to make static analysis more complex.

Now: with a common debugger it is not that simple to modify the EIP each time I encounter a 0xcc byte. What do you suggest I do to follow the code flow?

Thank you very much!
 #27854  by GSnake
 Thu Feb 11, 2016 3:03 pm
p1nk wrote: Any chance you can share an MD5 so we can check it out and also provide advice.
It is a security challenge from a website. I don't know if I can post it here since it would spoil the fun for someone doing it.
billbudsocket wrote: Trace the process execution with Pin, Panda, Qira, etc.
A debugger is already attached to the process (which is the process itself), so I think I won't be able to attach Pin or the other solutions.
Is it possible to set instructions to be executed when IDA catches a breakpoint interrupt? In this way I could emulate what the "embedded" debugger does.

Thank you!
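The question in the second post (running your own code whenever IDA catches a breakpoint interrupt) is what IDAPython's debugger hooks are for. The following is an added example written for this page, not code from the thread, the challenge or IDA's documentation: a DBG_Hooks subclass that intercepts the breakpoint exception, works out the EIP the embedded debugger would have installed and resumes there. The thread never says how the custom debugger picks the new EIP, so the redirection rule here is an assumption: a hypothetical lookup table keyed by the int3 address, with a fallback of stepping over the 0xcc byte. The addresses in the table are constructed for illustration. The pure-Python part (redirect_eip) runs anywhere; the hook class only does something inside IDA (7.x API names assumed: idaapi.DBG_Hooks, dbg_exception, idc.set_reg_value, idaapi.continue_process).

```python
# Added example (not from the original thread). Emulates a hypothetical
# "embedded debugger" from inside IDA: on every int3 the binary planted,
# compute the EIP the custom debugger would have set and continue there.

try:
    import idaapi
    import idc
except ImportError:
    # Outside IDA only the redirection logic below is usable.
    idaapi = idc = None

# Windows status code reported for an int3 trap (EXCEPTION_BREAKPOINT).
EXCEPTION_BREAKPOINT = 0x80000003

# Assumed redirection rule: int3 address -> where execution really continues.
# These addresses are constructed for the example; replace them with whatever
# you recover from the real handler.
REDIRECT_TABLE = {
    0x00401000: 0x00401337,
    0x00401020: 0x00401400,
}


def redirect_eip(exc_ea, table=REDIRECT_TABLE):
    """Return the EIP to install after an int3 reported at exc_ea.

    On Windows the exception address of an EXCEPTION_BREAKPOINT is the
    address of the 0xcc byte itself (the kernel backs it up by one), while
    the thread's EIP already points past it.  Known addresses are looked up
    in the table; anything else is treated as a 1-byte NOP and skipped.
    """
    if exc_ea in table:
        return table[exc_ea]
    return exc_ea + 1


class Int3Redirector(idaapi.DBG_Hooks if idaapi else object):
    """Catch the binary's own int3 traps and emulate the embedded debugger."""

    # Signature as in IDA 7.x (assumed); exc_ea is the faulting address.
    def dbg_exception(self, pid, tid, ea, exc_code, exc_can_cont, exc_ea, exc_info):
        # exc_code may arrive as a signed int; mask before comparing.
        if (exc_code & 0xFFFFFFFF) != EXCEPTION_BREAKPOINT:
            return 0  # not an int3: leave IDA's default handling alone
        new_eip = redirect_eip(exc_ea)
        # idc.set_reg_value takes the value first, then the register name.
        idc.set_reg_value(new_eip, "EIP")
        print("int3 at %#x -> resuming at %#x" % (exc_ea, new_eip))
        idaapi.continue_process()
        return 0


def install():
    """Install the hook; keep the returned object alive or it is unhooked."""
    hooks = Int3Redirector()
    hooks.hook()
    return hooks


if __name__ == "__main__" and idaapi is not None:
    _hooks = install()
```

For the hook to fire at all, IDA must stop on the breakpoint exception rather than pass it to the debuggee (Debugger > Debugger options > Exceptions, EXCEPTION_BREAKPOINT set to stop). The return-value convention of dbg_exception differs between IDA versions, so check it against the idaapi help in the version you run; the pure redirect_eip function is the part worth keeping once the real redirection rule is known.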