-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathlevel26.ts
More file actions
53 lines (48 loc) · 9.84 KB
/
level26.ts
File metadata and controls
53 lines (48 loc) · 9.84 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
import { Level } from './types';
export const level26: Level = {
id: 26,
title: "RDTSC Anti-Debug: The Chronos Trap",
description: "Application employs RDTSC (Read Time-Stamp Counter) instruction-based timing validation - prevalent anti-debugging technique in game protection (Denuvo Anti-Tamper, StarForce, SecuROM), malware anti-analysis (Zeus, Emotet, TrickBot packers), and competitive anti-cheat (ESEA, FACEIT kernel drivers). RDTSC reads CPU Time-Stamp Counter (monotonically increasing cycle count since processor reset) via x86 instruction 0x0F31, storing 64-bit value in EDX:EAX registers. Protection workflow: Record TSC_START before critical section, execute protected code, record TSC_END after, calculate DELTA = TSC_END - TSC_START, compare DELTA against THRESHOLD. Normal execution: DELTA = 50-500 cycles (microsecond range). Debugger present: Breakpoint triggers INT3 trap, context switch to kernel, debugger UI interaction adds milliseconds (100,000+ cycles). Detection triggers process termination or integrity violation. Real implementations: Denuvo validates decryption routine timing (legitimate run <1ms, debugger step-through >50ms). Malware packers detect analysis environments (sandboxes, debuggers) via timing anomalies. ESEA anti-cheat hooks RDTSC at kernel level to detect emulation. Your scenario: Authentication system uses RDTSC timing guard. Four validation stages: TSC_START capture, critical auth code execution, TSC_END measurement, threshold comparison. Current state: THRESHOLD=1000 cycles (1 microsecond tolerance). Any pause/breakpoint exceeds limit, sets DEBUG_DETECTED=1 (denies access). Target: Bypass timing validation, achieve ADMIN_ACCESS=1. Bypass techniques: (1) Patch threshold comparison (CMP EAX, 1000 → CMP EAX, 0xFFFFFFFF, always passes), (2) NOP timing check (replace JG debug_trap with NOP sled), (3) Hook RDTSC instruction (return fake constant values via INT1 handler), (4) Virtualization detection (RDTSC returns different results in VM, adjust accordingly), (5) Direct flag manipulation (Memory Scanner: DEBUG_DETECTED=0). Educational: RDTSC instruction format (0F 31), CPU cycle precision (nanosecond accuracy on modern CPUs), context switch overhead (kernel debugger transitions cost 10,000+ cycles), anti-anti-debug (hardware breakpoints avoid INT3 overhead, RDTSC emulation via hypervisor trap, timing attack fingerprinting). Real-world case: Researchers bypass Denuvo by patching RDTSC comparison thresholds in protected executable, allowing debugger attachment without detection. Zeus malware detects sandboxes via Sleep(1000) + RDTSC validation (sandbox fast-forwards time, RDTSC shows inconsistency).",
requiredSkill: "RDTSC Timing Attack Evasion & Anti-Debug Bypass",
objective: (s) => {
const timingValid = s.sortValue1 < 1000; // CPU_CYCLES (must stay <1000 to avoid detection)
const debugBypassed = s.debugDetected === false; // DEBUG_DETECTED (0 = not detected)
const adminGranted = s.isAdmin === true; // ADMIN_ACCESS (1 = granted)
return timingValid && debugBypassed && adminGranted;
},
hint: "Three-stage timing bypass. CPU measures cycles via RDTSC instruction. Normal execution: <1000 cycles. Debugger breakpoint: >100,000 cycles (context switch overhead). Set CPU_CYCLES<1000 (sortValue1). Set DEBUG_DETECTED=0 (debugDetected, false). Set ADMIN_ACCESS=1 (isAdmin, true). Use Memory Scanner to modify all three values.",
tutorPersona: "The Time Lord: RDTSC is CPU's heartbeat. Every instruction, every cycle counted. Assembly: RDTSC instruction opcode 0x0F31. Execution: CPU loads Time-Stamp Counter (64-bit) into EDX:EAX registers. EDX holds high 32 bits, EAX holds low 32 bits. Typical usage: RDTSC → MOV [tsc_start], EAX → <critical code> → RDTSC → SUB EAX, [tsc_start] → CMP EAX, threshold → JG debug_detected. Why? Instructions execute in nanoseconds. ADD EAX, EBX takes 1 cycle (0.3ns on 3GHz CPU). Simple function executes in 50-500 cycles (microseconds). Debugger breakpoint triggers software interrupt INT3 (opcode 0xCC), kernel traps exception, debugger process awakens, UI renders, user clicks 'Step' button, kernel resumes target process. Overhead: 100,000-500,000 cycles (milliseconds). Timing delta exposes debugger presence. Real-world examples: Denuvo Anti-Tamper protects game executables. Encrypted code sections decrypt at runtime. Decryption function wrapped in RDTSC checks. Legitimate execution: Decrypt() completes in 0.5ms (1,500 cycles @ 3GHz). Debugger step-through: 50ms+ (150,000+ cycles). Detection → Process termination via TerminateProcess() or corrupted decryption (game crash). StarForce CD protection uses RDTSC + CPUID timing (CPU instruction latency fingerprinting). SecuROM validates disc read timing (physical CD read time vs virtual drive timing mismatch). Malware anti-analysis: Zeus banking trojan checks Sleep(100) accuracy via RDTSC before/after. Sandbox fast-forwards Sleep(), RDTSC shows <100ms elapsed → malware detects VM, refuses to unpack payload. Emotet checks IsDebuggerPresent() + RDTSC correlation (debugger returns false but timing anomaly reveals truth). TrickBot packer uses RDTSC loop (executes RDTSC 1000 times, measures average latency). Hypervisor/VM causes VM-exit on each RDTSC (privileged instruction in some configs), massive overhead → malware detects virtualization. Bypass techniques: Option 1 (Patch threshold): Find CMP EAX, 3E8h (1000 decimal) in disassembly. Replace with CMP EAX, FFFFFFFFh (4 billion, impossible to exceed). Timing check always passes. Option 2 (NOP timing validation): Locate timing check block. Disassembly: RDTSC; MOV ECX, EAX; <code>; RDTSC; SUB EAX, ECX; CMP EAX, 3E8h; JG loc_debug_trap. NOP the entire block (0x90 opcode), code never checks timing. Option 3 (Hook RDTSC): Set trap flag or use INT1 handler. Intercept RDTSC execution, return fake constant values (EAX=1000, EDX=0 always). Application sees zero delta, passes check. Risky: Some protections hash RDTSC instruction bytes, detect modification. Option 4 (Hardware breakpoints): Software breakpoints (INT3/0xCC) cause timing overhead. Hardware debug registers (DR0-DR3) trigger on memory access without INT3. Set DR0=critical_function address, DR7=breakpoint enabled. CPU traps silently, minimal timing impact. May evade RDTSC check. Option 5 (Direct memory patch): Use Memory Scanner to find DEBUG_DETECTED flag memory location (offset 0x800). Change value from 1 to 0. Find ADMIN_ACCESS flag (offset 0x30). Change from 0 to 1. Bypass validation entirely. Use ExploitWorkshop tools: Memory Scanner shows DEBUG_DETECTED (bool @ 0x800), ADMIN_ACCESS (bool @ 0x30), CPU_CYCLES (current delta), THRESHOLD_VALUE (comparison limit), TSC_START (initial timestamp). Hex Editor allows direct byte patching at offsets. Debugger tab shows assembly with RDTSC instructions (0F 31 opcode bytes visible in disassembly). Set CPU_CYCLES <1000 to simulate normal execution timing. Set THRESHOLD_VALUE to expected 1000 cycles. Set DEBUG_DETECTED to 0 (false). Set ADMIN_ACCESS to 1 (true). Advanced: Modern CPUs have RDTSCP instruction (0F 01 F9) which reads TSC + processor ID, prevents out-of-order execution timing tricks. Intel SGX enclaves use RDTSC inside trusted execution environment (cannot be hooked from outside). Kernel-mode anti-cheat drivers hook IDT (Interrupt Descriptor Table) entry for INT3, measure timing of exception handler dispatch. RDTSC in user-mode vs kernel-mode shows timing delta (mode switching costs cycles). Hypervisors can trap RDTSC via CPU virtualization extensions (Intel VT-x EPT, AMD-V NPT), emulate instruction return, add random jitter to prevent VM detection via timing side channels. Countermeasures: Use QueryPerformanceCounter() instead (Windows high-resolution timer, harder to manipulate). Multi-layer timing (RDTSC + QPC + GetTickCount cross-validation). Timing obfuscation (add random delays, make threshold dynamic). Hardware-based: Intel TDT (Threat Detection Technology) monitors timing anomalies at silicon level. Practical exploitation: Open ExploitWorkshop Debugger. Disassemble authentication function. Find RDTSC pair. Identify threshold comparison (CMP or SUB followed by conditional jump JG/JA). Patch comparison or set flags directly. Modern bypass: ScyllaHide plugin for x64dbg hooks RDTSC, returns fake values. TitanHide kernel driver hides debugger from PEB flags + timing checks. GDB-peda Python scripts automate RDTSC patching. Remember: CPU doesn't lie. Cycles are truth. Debugger makes you slow. Timing exposes all. Patch the clock or patch the check. Choose wisely.",
memoryLayout: [
{ key: 'health', label: 'TSC_START', type: 'int', offset: 0x10 },
{ key: 'sortValue1', label: 'CPU_CYCLES', type: 'int', offset: 0xA0 },
{ key: 'sortValue2', label: 'THRESHOLD_VALUE', type: 'int', offset: 0xA4 },
{ key: 'debugDetected', label: 'DEBUG_DETECTED', type: 'bool', offset: 0x800 },
{ key: 'isAdmin', label: 'ADMIN_ACCESS', type: 'bool', offset: 0x30 }
],
initialState: {
health: 1234567890, // TSC_START (arbitrary initial timestamp)
sortValue1: 150000, // CPU_CYCLES (current delta - way over threshold, indicating debugger)
sortValue2: 1000, // THRESHOLD_VALUE (1000 cycles = 1 microsecond @ 1GHz)
debugDetected: true, // DEBUG_DETECTED (1 = debugger detected via timing)
isAdmin: false // ADMIN_ACCESS (0 = access denied due to debug detection)
},
update: (s) => {
const cycles = s.sortValue1 || 150000;
const threshold = s.sortValue2 || 1000;
// Simulate timing check: if CPU_CYCLES exceeds THRESHOLD, set DEBUG_DETECTED
if (cycles >= threshold) {
return {
debugDetected: true,
isAdmin: false
};
}
// If timing is valid and debug flag cleared, grant access
if (cycles < threshold && s.debugDetected === false) {
return {
isAdmin: true
};
}
return {};
},
platforms: [{ id: 'p1', x: 0, y: 280, width: 800, height: 40, type: 'static' }]
};