Challenge 1: Anti-Debugger

Nowadays, many games use kernel-level anti-cheat systems to prevent cheating. These systems are implemented in the kernel because, from there, they can monitor and control drivers, hardware, and the virtual memory of both user-space processes and the kernel itself.

These anti-cheat systems are too complicated for us (especially for your first challenge). Therefore, the anti-cheat system you will implement could in fact have been implemented in user-space, but you will do it in the kernel using eBPF instead.

The anti-cheat you will implement is an anti-debugging mechanism since debuggers allow attackers to inspect memory, alter program flow, and bypass security checks.

You will thus detect whether the game process is being debugged and terminate it if it is.

Description

The game you are going to protect is a very simple terminal-based hangman game.

You guessed e and revealed 0 characters!

**************************************

*****************************\\|//**
**You have 3 guesses left     \|/
**                             |
**                            ()
**                           /||\
**                            //
** _ k i _ i d i
*************************
Guessed letters: a - - d e - - - i - k - - - - p - - - - - - - - - -

Enter a letter here:

The rules are simple: the player has to guess a word letter by letter. If the letter is in the word, it is displayed. If the letter is not in the word, an additional part of the hangman is drawn (in the implementation, the hangman is always drawn, but whatever).

The hangman has 6 parts: head, body, left arm, right arm, left leg, right leg. Therefore, the player can make 6 mistakes before losing the game.

The game developer is worried that some players might try to analyze or manipulate the game using a debugger such as gdb.

Your task is to detect whether the game process is being debugged. If a debugger has attached to the game process, the game should be immediately terminated.

Setup

First, install the gdb debugger:

$ sudo apt update && sudo apt install gdb

Download the files for this challenge using:

$ wget --no-check-certificate https://people.montefiore.uliege.be/~gain/courses/info0940/asset/antidebug.tar.gz
$ tar -xzvf antidebug.tar.gz

The game is located in antidebug/hangman.

Note

The original source code can be found on github. However, we modified it a bit, so please use the provided source code and not the one on github.

You can compile it using the Makefile provided (simply run make within the hangman directory). Then you can run the game using:

$ ./hangman

To debug the game, you can use the gdb command.

$ gdb ./hangman

This will launch the gdb debugger, and gdb will then in turn launch the game when you use the run command inside gdb. For this challenge, debugging is defined as: the game process being launched and controlled by gdb, which can be approximated by checking its parent process.

If you want to terminate the game, you can then use Ctrl+C, and to quit gdb, you can use the quit command.

Note

You don’t actually have to use more than the run and quit commands, but if you are curious, the help command prints a help message listing all the available commands. For more information on how to use gdb, refer to the official documentation: https://www.gnu.org/software/gdb/documentation/ or to the man gdb page.

Inside antidebug/src, you will find the same template as in tutorial 3. Use it to implement the anti-debug system.

What you need to do

You are expected to implement a uprobe that hooks into a function of the game in order to detect whether the game process is being debugged [1]. If debugging is detected, the game should be terminated. You must choose a function in the game to attach the probe to such that the game is terminated before the player is asked to enter a letter.

This challenge is quite simple, don’t be surprised if your solution is very short.
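As an added example (not part of the challenge files and not the eBPF solution itself), here is the parent-process approximation from the description written as the user-space check the page says the anti-cheat could have been; the function names are assumptions. It reads /proc/self/stat to find the parent PID (handling comm fields that contain spaces or ')'), compares /proc/<ppid>/comm against gdb, and terminates the process the way the uprobe handler is expected to.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Parent PID from a /proc/<pid>/stat line.  comm is in parentheses and may
 * contain spaces or ')', so scan from the LAST ')'.  Returns -1 if malformed. */
long parse_ppid_from_stat(const char *stat_line)
{
    const char *p = strrchr(stat_line, ')');
    char state; long ppid;
    /* after the last ')': " <state> <ppid> <pgrp> ..." */
    if (!p || sscanf(p + 1, " %c %ld", &state, &ppid) != 2)
        return -1;
    return ppid;
}

/* The challenge's approximation of "being debugged": the parent's comm is
 * exactly "gdb".  /proc/<pid>/comm ends with '\n', which is tolerated. */
int is_debugger_comm(const char *comm)
{
    size_t n = strcspn(comm, "\n");
    return n == 3 && strncmp(comm, "gdb", 3) == 0;
}

static int read_proc_line(const char *path, char *buf, size_t len)
{   /* read one line from a /proc file; 0 on any failure */
    FILE *f = fopen(path, "r");
    int ok = f && fgets(buf, len, f) != NULL;
    if (f) fclose(f);
    return ok;
}

/* 1 if this process was launched by gdb (parent comm == "gdb"), else 0. */
int parent_is_gdb(void)
{
    char buf[512], path[64]; long ppid;
    if (!read_proc_line("/proc/self/stat", buf, sizeof buf))
        return 0;
    ppid = parse_ppid_from_stat(buf);
    if (ppid <= 0)
        return 0;
    snprintf(path, sizeof path, "/proc/%ld/comm", ppid);
    return read_proc_line(path, buf, sizeof buf) && is_debugger_comm(buf);
}

int main(void)
{
    if (parent_is_gdb()) { fputs("debugger detected, terminating\n", stderr); raise(SIGKILL); }
    puts("no debugger detected, game would continue here");
    return 0;
}
```

Run it directly and then under gdb ./a.out with run to see both outcomes; the eBPF variant performs the same comparison on the current task's parent inside the uprobe handler instead of reading /proc.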