path: root/md/writeup/linux_antidebug_3.md
authorFreeArtMan <dos21h@gmail.com>2021-05-27 09:01:12 +0100
committerFreeArtMan <dos21h@gmail.com>2021-05-27 09:01:12 +0100
commit9b9586b559edb387af804c52d2b593b711ce98be (patch)
treeafff99aea85e450c7824192f38be74bfd9e8f567 /md/writeup/linux_antidebug_3.md
parente8de8442cecce54fc4f372dc2dacecc7abca23ae (diff)
downloadmd-content-9b9586b559edb387af804c52d2b593b711ce98be.tar.gz
md-content-9b9586b559edb387af804c52d2b593b711ce98be.zip
Updated 6 more articles from html to md
Diffstat (limited to 'md/writeup/linux_antidebug_3.md')
-rw-r--r--md/writeup/linux_antidebug_3.md205
1 files changed, 205 insertions, 0 deletions
diff --git a/md/writeup/linux_antidebug_3.md b/md/writeup/linux_antidebug_3.md
new file mode 100644
index 0000000..b93b5d9
--- /dev/null
+++ b/md/writeup/linux_antidebug_3.md
@@ -0,0 +1,205 @@
+title:Linux antidebug 3
+keywords:linux,debug,antidebug
+
+# Linux antidebug 3
+Content: Now we will try to make disasm output very unclear.
+We make jump with eax register
+
+## Program 1
+
+```asm
+main:
+ push lbl+1
+ pop eax
+ jmp eax
+lbl:
+ db 0xe8
+ mov eax, 4
+ mov ebx, 1
+ mov ecx, msg1
+ mov edx, msg1_size
+ int 80h
+
+ mov eax, 1
+ mov ebx, 0
+ int 80h
+```
+
+Output is same as source. Nothing changes
+Disassembler output 1
+```
+? ....... ! main: ;xref o80482d7
+? ....... ! push offset_804837d
+? 8048379 ! pop eax
+? 804837a ! jmp eax
+? 804837c db 0e8h
+? 804837d !
+? ....... ! offset_804837d: ;xref o8048374
+? ....... ! mov eax, 4
+? 8048382 ! mov ebx, 1
+? 8048387 ! mov ecx, strz_I_am_running__8049568
+? 804838c ! mov edx, 0eh
+? 8048391 ! int 80h
+? 8048393 ! mov eax, 1
+? 8048398 ! mov ebx, 0
+? 804839d ! int 80h
+```
+
+Here we add only one instruction. We get jump adress and add 1.
+Disasm cannot calculate adress of jmp.
+
+## Program 2
+Like in first programm disasm think that we push correct adress and
+disasm it. And our byte 0xe9 is used for disasm output. That nice.
+
+```asm
+main:
+ push lbl
+ pop eax
+ inc eax
+ jmp eax
+lbl:
+ db 0xe9
+ mov eax, 4
+ mov ebx, 1
+ mov ecx, msg1
+ mov edx, msg1_size
+ int 80h
+
+ mov eax, 1
+ mov ebx, 0
+ int 80h
+```
+
+Disassembler output 2
+
+```
+? ....... ! main: ;xref o80482d7
+? ....... ! push offset_804837d
+? 8048379 ! pop eax
+? 804837a ! inc eax
+? 804837b ! jmp eax
+? 804837d !
+? ....... ! offset_804837d: ;xref o8048374
+? ....... ! jmp 804883ah
+? 8048382 add [ebx+1], bh
+? 8048388 mov ecx, 8049568h
+? 804838d mov edx, 0eh
+? 8048392 int 80h
+? 8048394 mov eax, 1
+? 8048399 mov ebx, 0
+? 804839e int 80h
+```
+
+Now we add nop instruction after every line of our code. It doesnt have
+any impact on program work.
+## Program 3
+
+```asm
+main:
+ push lbl
+ pop eax
+ inc eax
+ jmp eax
+lbl:
+ db 0xe9
+ mov eax, 4
+ nop
+ mov ebx, 1
+ nop
+ mov ecx, msg1
+ nop
+ mov edx, msg1_size
+ int 80h
+
+ mov eax, 1
+ mov ebx, 0
+ jmp lbl2+1
+lbl2:
+ db 0xe9
+ int 80h
+```
+
+Disasm output now is very nice. Output isnt very good. For first time
+when you view this output it is very unclear about what exactly is done
+by this code.
+
+Disassembler output 3
+
+```
+? ....... ! main: ;xref o80482d7
+? ....... ! push offset_804837d
+? 8048379 ! pop eax
+? 804837a ! inc eax
+? 804837b ! jmp eax
+? 804837d !
+? ....... ! offset_804837d: ;xref o8048374
+? ....... ! jmp 804883ah
+? 8048382 add [eax+1bbh], dl
+? 8048388 add [eax+49578b9h], dl
+? 804838e or [eax+0ebah], dl
+? 8048394 add ch, cl
+? 8048396 cmp byte ptr [eax+1], 0bbh
+? 804839d add [eax], al
+? 804839f add [eax], al
+? 80483a1 jmp 80483a4h
+? 80483a3 jmp 98950475h
+```
+
+Here is one more way how to make unclear jump to other place. We using
+function and inside function we change return address by 1.
+
+## Program 4
+Thats also works fine. Disasm dont know real return address ans and
+use 0xe8 as he think is better.
+
+```asm
+main:
+ call fun
+ db 0xe8
+ mov eax, 4
+ mov ebx, 1
+ mov ecx, msg1
+ mov edx, msg1_size
+ int 80h
+
+ mov eax, 1
+ mov ebx, 0
+ int 80h
+
+fun:
+ pop ebp
+ inc ebp
+ push ebp
+ ret
+```
+
+Disassembler output 4
+
+```
+? ....... ! main: ;xref o80482d7
+? ....... ! call sub_804839c
+? 8048379 ! call 8048836h
+? 804837e ! add [ebx+1], bh
+? 8048384 ! mov ecx, strz_I_am_running__8049568
+? 8048389 ! mov edx, 0eh
+? 804838e ! int 80h
+? 8048390 ! mov eax, 1
+? 8048395 ! mov ebx, 0
+? 804839a ! int 80h
+? 804839c !
+? ....... ! ;-----------------------
+? ....... ! ; S U B R O U T I N E
+? ....... ! ;-----------------------
+? ....... ! sub_804839c: ;xref c8048374
+? ....... ! pop ebp
+? 804839d ! inc ebp
+? 804839e ! push ebp
+? 804839f ! ret
+```
+
+## Download
+
+http://archive.main.lv/files/writeup/linux_antidebug_3/antidebug3.tar.gz
+
+
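Review bot: the explanatory paragraphs are anchored to the wrong program, which makes the write-up contradict itself. "Here we add only one instruction. We get jump adress and add 1." sits under Disassembler output 1, but output 1 shows `offset_804837d` resolved correctly and the text above it says "Nothing changes"; the one-instruction change it describes is Program 2's `inc eax`. Likewise "Now we add nop instruction after every line of our code" sits above the `## Program 3` heading, and "Here is one more way ... change return address by 1" sits above `## Program 4`. Move each paragraph below its own heading (and put "Like in first programm disasm think that we push correct adress" after Program 2's heading, where it already is, so the three headings read the same way). A one-sentence caveat per program would also help the reader: the trick in Program 3 and Program 4 only confuses the linear sweep at that point, since output 3 still resolves `jmp 80483a4h` and output 4 still shows `pop ebp` / `inc ebp` / `push ebp` / `ret` inside `sub_804839c`, so anyone following control flow from those lines recovers the real target. Minor: "adress", "programm", "doesnt", "isnt", "Thats" and "ans and" are typos.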