Debugme — HackTheBox

Description

A developer is experimenting with different ways to protect their software. They have sent in a windows binary that is supposed to be super secure and really hard to debug. Debug and see if you can find the flag.

Files:

• debugme.exe - PE32 executable (console) Intel 80386, for MS Windows (MinGW compiled, 81377 bytes)

Analysis

Initial Reconnaissance

file debugme.exe
# PE32 executable (console) Intel 80386, for MS Windows

strings debugme.exe | grep -i flag
# "I heard you like bugs so I put bugs in your debugger so you can have bugs while you debug!!!"
# "Seriously though try and find the flag, you will find it in your debugger!!!"

The binary contains DWARF debug sections (.debug_info, .debug_line, .debug_aranges, .debug_abbrev, .debug_frame, .debug_loc, .debug_ranges), compiled with GNU C 4.7.0 (MinGW).

Entry Point Hijacking

Disassembly with objdump -d debugme.exe revealed a critical feature:

1. Function _main (0x401620) contains garbage/encoded data — many 0x5c (\) bytes, int3 instructions, unreadable code
2. _mainCRTStartup (0x4010f9) starts with jmp 0x408904 — jump to __DTOR_LIST__+0x1c section

This means the real entry point is 0x408904, not the standard CRT startup.

Anti-Debug Checks (0x408904)

The code in __DTOR_LIST__ performs three checks:

1. PEB.BeingDebugged — checking fs:[0x30]+0x02 (debugger flag)
2. PEB.NtGlobalFlag — checking fs:[0x30]+0x68 (debug heap flags)
3. RDTSC timing check — two rdtsc calls, if difference > 1000 cycles — debugger detected

Self-Modifying Code

If all checks pass:

• Code at address 0x408973 XORs bytes from 0x401620 to 0x401791 with key 0x5C
• This decodes the real _main function from what appeared to be garbage
• The abundance of 0x5C (\) bytes in encoded data is the XOR key visible in encrypted form

...