Diffstat (limited to 'md/writeup/linux_antidebug_3.md')
-rw-r--r-- | md/writeup/linux_antidebug_3.md | 205 |
1 files changed, 205 insertions, 0 deletions
diff --git a/md/writeup/linux_antidebug_3.md b/md/writeup/linux_antidebug_3.md new file mode 100644 index 0000000..b93b5d9 --- /dev/null +++ b/md/writeup/linux_antidebug_3.md 
@@ -0,0 +1,205 @@ +title:Linux antidebug 3 +keywords:linux,debug,antidebug + +# Linux antidebug 3 +Content: Now we will try to make disasm output very unclear. +We make jump with eax register + +## Program 1 + +```asm +main: + push lbl+1 + pop eax + jmp eax +lbl: + db 0xe8 + mov eax, 4 + mov ebx, 1 + mov ecx, msg1 + mov edx, msg1_size + int 80h + + mov eax, 1 + mov ebx, 0 + int 80h +``` + +Output is same as source. Nothing changes +Disassembler output 1 +``` +? ....... ! main: ;xref o80482d7 +? ....... ! push offset_804837d +? 8048379 ! pop eax +? 804837a ! jmp eax +? 804837c db 0e8h +? 804837d ! +? ....... ! offset_804837d: ;xref o8048374 +? ....... ! mov eax, 4 +? 8048382 ! mov ebx, 1 +? 8048387 ! mov ecx, strz_I_am_running__8049568 +? 804838c ! mov edx, 0eh +? 8048391 ! int 80h +? 8048393 ! mov eax, 1 +? 8048398 ! mov ebx, 0 +? 804839d ! int 80h +``` + +Here we add only one instruction. We get jump adress and add 1. +Disasm cannot calculate adress of jmp. + +## Program 2 +Like in first programm disasm think that we push correct adress and +disasm it. And our byte 0xe9 is used for disasm output. That nice. + +```asm +main: + push lbl + pop eax + inc eax + jmp eax +lbl: + db 0xe9 + mov eax, 4 + mov ebx, 1 + mov ecx, msg1 + mov edx, msg1_size + int 80h + + mov eax, 1 + mov ebx, 0 + int 80h +``` + +Disassembler output 2 + +``` +? ....... ! main: ;xref o80482d7 +? ....... ! push offset_804837d +? 8048379 ! pop eax +? 804837a ! inc eax +? 804837b ! jmp eax +? 804837d ! +? ....... ! offset_804837d: ;xref o8048374 +? ....... ! jmp 804883ah +? 8048382 add [ebx+1], bh +? 8048388 mov ecx, 8049568h +? 804838d mov edx, 0eh +? 8048392 int 80h +? 8048394 mov eax, 1 +? 8048399 mov ebx, 0 +? 804839e int 80h +``` + +Now we add nop instruction after every line of our code. It doesnt have +any impact on program work. 
+## Program 3 + +```asm +main: + push lbl + pop eax + inc eax + jmp eax +lbl: + db 0xe9 + mov eax, 4 + nop + mov ebx, 1 + nop + mov ecx, msg1 + nop + mov edx, msg1_size + int 80h + + mov eax, 1 + mov ebx, 0 + jmp lbl2+1 +lbl2: + db 0xe9 + int 80h +``` + +Disasm output now is very nice. Output isnt very good. For first time +when you view this output it is very unclear about what exactly is done +by this code. + +Disassembler output 3 + +``` +? ....... ! main: ;xref o80482d7 +? ....... ! push offset_804837d +? 8048379 ! pop eax +? 804837a ! inc eax +? 804837b ! jmp eax +? 804837d ! +? ....... ! offset_804837d: ;xref o8048374 +? ....... ! jmp 804883ah +? 8048382 add [eax+1bbh], dl +? 8048388 add [eax+49578b9h], dl +? 804838e or [eax+0ebah], dl +? 8048394 add ch, cl +? 8048396 cmp byte ptr [eax+1], 0bbh +? 804839d add [eax], al +? 804839f add [eax], al +? 80483a1 jmp 80483a4h +? 80483a3 jmp 98950475h +``` + +Here is one more way how to make unclear jump to other place. We using +function and inside function we change return address by 1. + +## Program 4 +Thats also works fine. Disasm dont know real return address ans and +use 0xe8 as he think is better. + +```asm +main: + call fun + db 0xe8 + mov eax, 4 + mov ebx, 1 + mov ecx, msg1 + mov edx, msg1_size + int 80h + + mov eax, 1 + mov ebx, 0 + int 80h + +fun: + pop ebp + inc ebp + push ebp + ret +``` + +Disassembler output 4 + +``` +? ....... ! main: ;xref o80482d7 +? ....... ! call sub_804839c +? 8048379 ! call 8048836h +? 804837e ! add [ebx+1], bh +? 8048384 ! mov ecx, strz_I_am_running__8049568 +? 8048389 ! mov edx, 0eh +? 804838e ! int 80h +? 8048390 ! mov eax, 1 +? 8048395 ! mov ebx, 0 +? 804839a ! int 80h +? 804839c ! +? ....... ! ;----------------------- +? ....... ! ; S U B R O U T I N E +? ....... ! ;----------------------- +? ....... ! sub_804839c: ;xref c8048374 +? ....... ! pop ebp +? 804839d ! inc ebp +? 804839e ! push ebp +? 804839f ! 
ret +``` + +## Download + +http://archive.main.lv/files/writeup/linux_antidebug_3/antidebug3.tar.gz + + |
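Review bot: The explanatory paragraphs in this write-up are shifted one section up from the listings they describe: the sentences that close the "Program 1" section ("Here we add only one instruction. We get jump adress and add 1. Disasm cannot calculate adress of jmp.") describe the `inc eax` of Program 2, the nop paragraph that closes "Program 2" describes Program 3, and the return-address paragraph that closes "Program 3" describes Program 4; each should move below its own `## Program N` heading so the explanation sits next to the listing it refers to. Read in its current place, the Program 1 text is also misleading: in Program 1 the assembler folds `lbl+1` into a constant, so the disassembler recovers `offset_804837d` straight from the `push` and the listing is unchanged, which is what "Output is same as source. Nothing changes" already says; the target only becomes opaque once the +1 is computed at run time by `inc eax` (Program 2) or by `inc ebp` on the popped return address (Program 4). The Program 3 paragraph contradicts itself ("Disasm output now is very nice. Output isnt very good."); keep one of the two. Spelling and grammar to fix before this lands: "adress", "programm", "doesnt", "isnt", "Thats", "ans and", "We using function", "as he think is better".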