Dec
12

Hidden ptrace() Antidebug Trick on Mac OSX

I came across a very strange antidebug trick in an OSX app while looking for the reason for some misbehaviour of an app by Novell.

They used ptrace() to fool us fellow reverse engineers into thinking that the app is not debuggable and to make gdb quit.

Now you say, hey, this is nothing new! Well, ptrace() as an anti-debug trick is widely known; even Apple uses it in iTunes. But this one is different.

The maker of this app called INT 0x80 directly with the arg 0x1A (23, ptrace() on OSX), which made simply breakpointing it the usual way impossible.

But the ptrace() return code 55 and the uncommon occurrence of an int 80h gave an important hint.

In asm, it looks like this:

push eax
mov eax, 1Ah
int 80h
pop eax

Took me a while to figure out what was going on, since the usual b ptrace() in gdb did not work, but hey, nothing is impossible to find if you want it.

Since this is pretty simple, you can even quickly put it in nearly any app you want to keep from being debugged, but don't think it would be hard to find out.
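As an added example (my code, not from the post and not from the Novell app), here is a small Python scanner that looks for exactly this kind of hidden syscall in raw 32-bit x86 code bytes: a constant loaded into eax (either mov eax, imm32 or push imm8 / pop eax) followed within a few bytes by int 80h. It decodes the syscall number, reports 0x1A as ptrace() as the post identifies it, and flags whether the sequence sits inside the push eax / pop eax pair from the listing above. The sample bytes are constructed; the function takes a plain byte blob, so you would feed it the code section you carved out of the Mach-O yourself. It is a byte-pattern match, not a disassembly, so treat hits as leads to confirm in a disassembler.

```python
import re
import struct

# Names for the syscall numbers this demo knows about.  0x1A is the number
# the post identifies as ptrace() on Mac OS X; 0x01 is exit().  Anything
# else is reported by number only.
SYSCALL_NAMES = {0x1A: "ptrace", 0x01: "exit"}

# Matches the two common ways of loading a small constant into EAX right
# before an int 0x80, allowing a short gap for argument setup in between:
#   mov eax, imm32       -> B8 imm32
#   push imm8 / pop eax  -> 6A imm8 58
INT80_RE = re.compile(
    rb"(?:\xb8(?P<imm32>.{4})|\x6a(?P<imm8>.)\x58)"
    rb"(?P<gap>.{0,12}?)"
    rb"\xcd\x80",
    re.DOTALL,
)


def find_int80_syscalls(blob):
    """Return candidate raw int 0x80 syscalls found in a 32-bit x86 byte blob.

    Each hit is a dict with the offset of the EAX load, the decoded syscall
    number, its name (or 'unknown'), and whether the sequence is wrapped in
    the 'push eax ... pop eax' pair the post describes.  This is a byte
    pattern scan, not a disassembly: confirm every hit in a disassembler.
    """
    hits = []
    for m in INT80_RE.finditer(blob):
        if m.group("imm32") is not None:
            number = struct.unpack("<I", m.group("imm32"))[0]
        else:
            # push imm8 sign-extends the byte; syscall numbers are small positives
            number = struct.unpack("<b", m.group("imm8"))[0]
        start, end = m.start(), m.end()
        wrapped = (
            start > 0 and blob[start - 1] == 0x50          # push eax before
            and end < len(blob) and blob[end] == 0x58      # pop eax after
        )
        hits.append({
            "offset": start,
            "number": number,
            "name": SYSCALL_NAMES.get(number, "unknown"),
            "wrapped": wrapped,
        })
    return hits


def contains_raw_ptrace(blob):
    """True if any candidate int 0x80 loads EAX with the ptrace() number."""
    return any(h["number"] == 0x1A for h in find_int80_syscalls(blob))


# Constructed sample bytes (not taken from any real binary): a short prologue,
# the exact sequence from the post, two nops, a plain exit() syscall, and an
# epilogue.
SAMPLE_BLOB = (
    b"\x55\x89\xe5"                          # push ebp; mov ebp, esp
    b"\x50\xb8\x1a\x00\x00\x00\xcd\x80\x58"  # push eax; mov eax, 1Ah; int 80h; pop eax
    b"\x90\x90"                              # nop; nop
    b"\x6a\x01\x58\xcd\x80"                  # push 1; pop eax; int 80h
    b"\xc9\xc3"                              # leave; ret
)

if __name__ == "__main__":
    for h in find_int80_syscalls(SAMPLE_BLOB):
        tag = " [push/pop wrapped]" if h["wrapped"] else ""
        print(f"offset 0x{h['offset']:x}: int 80h with eax=0x{h['number']:x} "
              f"({h['name']}){tag}")
```

Run it against the bytes of a real code section and every hit with eax=0x1A is a place to set a breakpoint by address, which is how you get around the fact that b ptrace() never fires for a raw int 80h.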


Jan
02

GDB

Here are some GDB tricks for our fellow code ninjas ;)

Get the args of a call

b *0xCALLOFFSET

then you can:

p $esp
p $esp+4

etc., +4 for each arg.

You will get a memory address, so directly do

x/x $esp
x/x $esp+4

etc. After that you can do a:

x/s 0x0806ffff

or

x/8x 0x0806ffff

or similar to extract your stuff from memory.
