Using GDB to capture the key
Before I try to make a key calculation server, I need to find a way to make the program spit out the key. I fired up GDB in a remote terminal and attached to the "Quicksilver" application. I followed the app along, but every time it started streaming the application would crash with a memory overflow or some other random error.
I recalled seeing some code earlier involving "_getpid" and "_sysctl". I thought it was strange that the application would be getting the process ID of another process. Doing some research, I found out that there is a snippet of code involving both of these calls that is used to determine whether the current process is being run in a debugger...
This method involves getting the process ID of the running process, running sysctl on it, and checking whether the P_TRACED flag is set in processInfo.p_flag.
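For reference, this is what that check looks like in code. It is an added example written for this page, not code lifted from the Quicksilver binary or from the original post. The sysctl/P_TRACED path is the well-known BSD/macOS form of the check (the one the post describes); because that API does not exist on Linux, the block also carries the equivalent test on Linux, the TracerPid field of /proc/self/status, so it builds and runs on both. The function names and the constructed status text in the comments are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#if defined(__APPLE__)
#include <sys/types.h>
#include <sys/sysctl.h>

/* The check described above: ask the kernel for our own kinfo_proc via
 * sysctl(CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid()) and test P_TRACED
 * in kp_proc.p_flag.  The kernel sets P_TRACED while a ptrace()-based
 * debugger such as gdb is attached.  Returns 1/0, or -1 if sysctl fails. */
static int is_traced_sysctl(void)
{
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };
    struct kinfo_proc info;
    size_t size = sizeof(info);

    memset(&info, 0, sizeof(info));
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0)
        return -1;
    return (info.kp_proc.p_flag & P_TRACED) != 0;
}
#endif

/* Linux equivalent.  /proc/self/status contains a line "TracerPid:\t<pid>";
 * it is 0 when nobody is attached and the tracer's pid otherwise.  Parsing is
 * split out so it can be exercised on constructed text such as
 * "Name:\tquicksilver\nTracerPid:\t4242\n" without a live debugger. */
static long parse_tracer_pid(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL)
        return -1;                       /* field missing: unknown */
    return strtol(p + strlen("TracerPid:"), NULL, 10); /* skips the tab */
}

static long read_tracer_pid(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* Dispatch to whichever check the platform supports.
 * 1 = debugger attached, 0 = not attached, -1 = could not determine. */
int debugger_present(void)
{
#if defined(__APPLE__)
    return is_traced_sysctl();
#else
    long tp = read_tracer_pid();
    return tp < 0 ? -1 : (tp != 0);
#endif
}

int main(void)
{
    int r = debugger_present();
    if (r < 0)
        puts("could not determine whether a debugger is attached");
    else
        printf("debugger %s\n", r ? "attached" : "not attached");
    return 0;
}
```

Run it plain and then under `gdb -ex run`, and the two outputs differ. That is exactly why attaching to the running application changed its behaviour: the streaming code path evidently consults a check like this and takes a deliberately broken branch when it sees the flag.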
Looking through the binary for this kind of code, I stumbled upon a fantastic number of debugger checks in place:
I spent a few hours trying to modify the code so that the P_TRACED flag would never appear set, but I quickly realized they had some sort of check in place to see if you had modified code in specific locations (probably inside the whitebox).
At this point, I cannot extract the decryption algorithm, I cannot debug, and I cannot override any code in the whitebox.