ELF x86 - Anti-debug
Reference: https://re.kv.io/crackme/12.html

int 80h: under the 32-bit system call convention, EAX holds the call number. Read as decimal, mov eax, 30 would be utime, utimes - change file last access and modification times: int utime(const char *filename, const struct utimbuf *times);
The utime() system call changes the access and modification times of the inode specified by filename to the actime and modtime fields of times respectively.
The above is wrong: the operand is hexadecimal, and 0x30 is sys_signal; I simply misread the base.
0x30 == 48
void (*signal(int sig, void (*func)(int)))(int)
sys_signal
Sets a function to handle a signal, i.e. a signal handler that receives the argument sig.
sig – the signal number, used as a variable inside the signal handler; 0x5 == SIGABRT (Signal Abort), abnormal program termination.
func – a pointer to a function; it can be a function defined by the program.
int3 would cause a debugger to stop.
```asm
.text:08048063 loc_8048063:                            ; CODE XREF: start↑j
.text:08048063                 mov     eax, 30h
.text:08048068                 mov     ebx, 5
.text:0804806D                 mov     ecx, offset sub_80480E2
.text:08048072                 int     80h             ; LINUX - sys_signal
.text:08048074                 jmp     short loc_8048077
.text:08048074 ; ---------------------------------------------------------------------------
.text:08048076                 db 0CEh
.text:08048077 ; ---------------------------------------------------------------------------
.text:08048077
.text:08048077 loc_8048077:                            ; CODE XREF: start+14↑j
.text:08048077                 int     3               ; Trap to Debugger
.text:08048078                 jmp     short loc_804807B
```
First the signal handler is installed; when the int 3 at 0x08048077 is hit, execution jumps to that handler.
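To see why the handler at sub_80480E2 is reached only when no debugger is attached, here is the same int3 + signal-handler pattern written in C. This is an added example, not code from the crackme or the original write-up; the names debugger_present() and trap_handler() are my own, and it assumes Linux, where int3 raises SIGTRAP and the handler is installed for that signal.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

static volatile sig_atomic_t trap_handled = 0;

/* Plays the role of sub_80480E2: it only runs if the process itself
 * receives the SIGTRAP.  When a debugger is attached, the trap is
 * reported to the debugger instead and this handler never executes. */
static void trap_handler(int sig)
{
    (void)sig;
    trap_handled = 1;
}

/* Mirrors "mov eax,30h / mov ebx,5 / mov ecx,handler / int 80h"
 * followed by "int 3".  Returns 0 if the handler ran (no debugger),
 * 1 if it did not, -1 if the handler could not be installed. */
int debugger_present(void)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = trap_handler;
    sigemptyset(&sa.sa_mask);
    trap_handled = 0;
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;
#if defined(__i386__) || defined(__x86_64__)
    __asm__ volatile("int3");       /* the single 0xCC byte at 0x08048077 */
#else
    raise(SIGTRAP);                 /* portable fallback with the same effect */
#endif
    sigaction(SIGTRAP, &old, NULL); /* restore the previous disposition */
    return trap_handled ? 0 : 1;
}

int main(void)
{
    int r = debugger_present();
    if (r == 0)
        puts("handler ran: no debugger, continuing to the real code");
    else if (r == 1)
        puts("handler skipped: a debugger swallowed the trap");
    else
        puts("could not install SIGTRAP handler");
    return 0;
}
```

Run it normally and the handler fires; run it under gdb and gdb reports the SIGTRAP itself, which is exactly the stop the crackme relies on and why the r2 solution below patches the int 3 to a nop.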
```asm
.text:080480E2
.text:080480E2 sub_80480E2     proc near               ; DATA XREF: start+D↑o
.text:080480E2                 mov     eax, offset sub_8048104
.text:080480E7                 jmp     short loc_8048101
.text:080480E9 ; ---------------------------------------------------------------------------
.text:080480E9
.text:080480E9 loc_80480E9:                            ; CODE XREF: sub_80480E2:loc_80480FF↓j
.text:080480E9                                         ; sub_80480E2:loc_8048101↓j
.text:080480E9                 cmp     eax, 80482E8h
.text:080480EE                 jz      short locret_8048103
.text:080480F0                 jmp     short loc_80480F3
.text:080480F0 ; ---------------------------------------------------------------------------
.text:080480F2                 db 0E8h
.text:080480F3 ; ---------------------------------------------------------------------------
.text:080480F3
.text:080480F3 loc_80480F3:                            ; CODE XREF: sub_80480E2+E↑j
.text:080480F3                 xor     dword ptr [eax], 8048FC1h
.text:080480F9                 add     eax, 4
.text:080480FC                 jmp     short loc_80480FF
.text:080480FC ; ---------------------------------------------------------------------------
.text:080480FE                 db 0EBh
.text:080480FF ; ---------------------------------------------------------------------------
.text:080480FF
.text:080480FF loc_80480FF:                            ; CODE XREF: sub_80480E2+1A↑j
.text:080480FF                 jmp     short loc_80480E9
.text:08048101 ; ---------------------------------------------------------------------------
.text:08048101
.text:08048101 loc_8048101:                            ; CODE XREF: sub_80480E2+5↑j
.text:08048101                 jmp     short loc_80480E9
.text:08048103 ; ---------------------------------------------------------------------------
.text:08048103
.text:08048103 locret_8048103:                         ; CODE XREF: sub_80480E2+C↑j
.text:08048103                 retn
.text:08048103 sub_80480E2     endp
```
This decrypts the code in place; afterwards the decrypted handler code runs in response to the signal.
```python
' '.join(map(lambda i: chr(i ^ 0xfc), [0xA5, 0xCF, 0x9D, 0xB4, 0xDD, 0x88, 0xB4, 0x95, 0xAF, 0x95, 0xAF, 0x88, 0xB4, 0xCF, 0x97, 0xB9, 0x85, 0xDD]))
```
' ' is the separator for the built-in string method join().
map(fun, iter) applies the function fun to iter: the first argument is a function, it is called with each element of the sequence, and the result is a new list holding each call's return value.
lambda declares an anonymous function, e.g.:
```python
map(lambda x: x ** 2, [1, 2, 3, 4, 5])
```
r2 (one expert's solution)
oo+ – reopen in read-write
wox 0xfc @ entry0+625!18 – writes to the file: XORs the 18 bytes at entry0+625 with 0xfc (wox [val] ^= xor, f.ex: wox 0x90)
ps @ entry0+625 – ps, print string
wa nop – write nopcode using asm.arch and asm.bits
```
[0x08048060]> wa nop @ 0x08048077
[0x08048060]> wa mov ecx, 0x80482d1 @ 0x08048167
```
Controlling the program flow: sys_write –
```asm
mov edx,4   ; message length
mov ecx,msg ; message to write
mov ebx,1   ; file descriptor (stdout)
mov eax,4   ; system call number (sys_write)
int 0x80    ; call kernel
```