Hidden ptrace()

From Hax0rpedia

I came across a very strange anti-debug trick in an OSX app while looking for the reason for some misbehaviour of an app by Novell.

They used ptrace() to fool us fellow reverse engineers into thinking that the app is not debuggable and to make gdb quit.

Now you say: hey, this is nothing new! Well, ptrace() as an anti-debug trick is widely known; even Apple uses it in iTunes. But this one is different.

The maker of this app called INT 0x80 directly with the argument 0x1A (23, ptrace() on OSX), which made breakpointing it the usual way impossible.

But the ptrace() return code 55 and the uncommon occurrence of an int 80h gave an important hint.

In asm, it looks like this:

    push eax        ; save eax
    mov eax, 1A     ; syscall number 0x1A selects ptrace() on OSX
    int 80h         ; raw BSD syscall trap, bypassing the ptrace() libc stub
    pop eax         ; restore eax

Took me a while to figure out what was going on, since the usual b ptrace() in gdb did not work, but hey, nothing is impossible to find if you want it.
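As an added example (not part of the original article), a small Python scan for exactly this pattern: it finds every int 80h in raw code bytes, looks back for the mov eax, imm32 that loaded the syscall number, and flags the ones selecting 0x1A. This is the static check an analyst falls back on when b ptrace() never fires. The sample bytes are constructed; the x86 opcode encodings are standard.

```python
import struct
from typing import List, Tuple

INT80 = b"\xcd\x80"    # int 0x80: BSD syscall trap on 32-bit OS X
MOV_EAX_IMM32 = 0xB8   # opcode byte of `mov eax, imm32`
SYS_PTRACE = 0x1A      # syscall number the article reports for ptrace()


def find_raw_syscalls(code: bytes, window: int = 16) -> List[Tuple[int, int]]:
    """Return (offset_of_int80, syscall_number) for each `int 0x80` whose
    eax was loaded by a `mov eax, imm32` within `window` bytes before it.
    Heuristic: a stray 0xB8 data byte can cause a false hit, so results are
    a starting point for the analyst, not proof."""
    hits = []
    pos = code.find(INT80)
    while pos != -1:
        start = max(0, pos - window)
        # walk backwards for the nearest B8 imm32 that ends before the trap
        for i in range(pos - 5, start - 1, -1):
            if code[i] == MOV_EAX_IMM32:
                (num,) = struct.unpack_from("<I", code, i + 1)
                hits.append((pos, num))
                break
        pos = code.find(INT80, pos + 2)
    return hits


def ptrace_trap_offsets(code: bytes) -> List[int]:
    """Offsets of raw traps that select the ptrace() syscall number."""
    return [off for off, num in find_raw_syscalls(code) if num == SYS_PTRACE]


# Constructed sample: the article's four instructions between nop padding,
# plus a second raw trap with a different syscall number for contrast.
SAMPLE = (
    b"\x90" * 8
    + b"\x50"                          # push eax
    + b"\xb8\x1a\x00\x00\x00"          # mov eax, 0x1A
    + b"\xcd\x80"                      # int 0x80
    + b"\x58"                          # pop eax
    + b"\x90" * 8
    + b"\xb8\x04\x00\x00\x00\xcd\x80"  # mov eax, 4 ; int 0x80 (write)
)

if __name__ == "__main__":
    for off, num in find_raw_syscalls(SAMPLE):
        tag = "  <-- ptrace()" if num == SYS_PTRACE else ""
        print(f"int 0x80 at offset {off:#x}, eax = {num:#x}{tag}")
```

On a real binary, feed it the bytes of the __TEXT segment and set a breakpoint on the reported offset instead of on ptrace().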

Since this is pretty simple, you can quickly put it in nearly any app you want to protect from being debugged, but don't think it would be hard to find out.