summaryrefslogtreecommitdiff
path: root/md/writeup/linux_antidebug_3.md
blob: b93b5d9152a391c11caba31d7a15bb723c292f04 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
title:Linux antidebug 3
keywords:linux,debug,antidebug

# Linux antidebug 3
Content: Now we will try to make disasm output very unclear.
We make jump with eax register

## Program 1

```asm
main:
    push lbl+1
    pop eax
    jmp eax
lbl:
    db 0xe8
    mov eax, 4
    mov ebx, 1
    mov ecx, msg1
    mov edx, msg1_size
    int 80h
     
    mov eax, 1
    mov ebx, 0
    int 80h
```

Output is same as source. Nothing changes  
Disassembler output 1
```
? ....... ! main:                           ;xref o80482d7     
? ....... !   push        offset_804837d                  
? 8048379 !   pop         eax                       
? 804837a !   jmp         eax                        
? 804837c     db          0e8h                            
? 804837d !                                                   
? ....... ! offset_804837d:                 ;xref o8048374 
? ....... !   mov         eax, 4                       
? 8048382 !   mov         ebx, 1                   
? 8048387 !   mov         ecx, strz_I_am_running__8049568  
? 804838c !   mov         edx, 0eh           
? 8048391 !   int         80h              
? 8048393 !   mov         eax, 1             
? 8048398 !   mov         ebx, 0 
? 804839d !   int         80h
```

Here we add only one instruction. We get jump adress and add 1.
Disasm cannot calculate adress of jmp.

## Program 2
Like in first programm disasm think that we push correct adress and
disasm it. And our byte 0xe9 is used for disasm output. That nice.

```asm
main:
    push lbl
    pop eax
    inc eax
    jmp eax
lbl:
    db 0xe9
    mov eax, 4
    mov ebx, 1
    mov ecx, msg1
    mov edx, msg1_size
    int 80h
     
    mov eax, 1
    mov ebx, 0
    int 80h
```

Disassembler output 2

```
? ....... ! main:                           ;xref o80482d7  
? ....... !   push        offset_804837d 
? 8048379 !   pop         eax           
? 804837a !   inc         eax    
? 804837b !   jmp         eax  
? 804837d !                      
? ....... ! offset_804837d:                 ;xref o8048374 
? ....... !   jmp         804883ah        
? 8048382     add         [ebx+1], bh    
? 8048388     mov         ecx, 8049568h   
? 804838d     mov         edx, 0eh  
? 8048392     int         80h     
? 8048394     mov         eax, 1  
? 8048399     mov         ebx, 0 
? 804839e     int         80h
```

Now we add nop instruction after every line of our code. It doesnt have
any impact on program work.
## Program 3

```asm
main:
    push lbl
    pop eax
    inc eax
    jmp eax
lbl:
    db 0xe9
    mov eax, 4
    nop
    mov ebx, 1
    nop
    mov ecx, msg1
    nop
    mov edx, msg1_size
    int 80h
     
    mov eax, 1
    mov ebx, 0
    jmp lbl2+1
lbl2:
    db 0xe9
    int 80h
```

Disasm output now is very nice. Output isnt very good. For first time
when you view this output it is very unclear about what exactly is done
by this code.

Disassembler output 3 

```
? ....... ! main:                           ;xref o80482d7
? ....... !   push        offset_804837d  
? 8048379 !   pop         eax  
? 804837a !   inc         eax    
? 804837b !   jmp         eax 
? 804837d !               
? ....... ! offset_804837d:                 ;xref o8048374 
? ....... !   jmp         804883ah   
? 8048382     add         [eax+1bbh], dl
? 8048388     add         [eax+49578b9h], dl 
? 804838e     or          [eax+0ebah], dl    
? 8048394     add         ch, cl              
? 8048396     cmp         byte ptr [eax+1], 0bbh  
? 804839d     add         [eax], al  
? 804839f     add         [eax], al 
? 80483a1     jmp         80483a4h
? 80483a3     jmp         98950475h
```

Here is one more way how to make unclear jump to other place. We using
function and inside function we change return address by 1.

## Program 4
Thats also works fine. Disasm dont know real return address ans and
use 0xe8 as he think is better.

```asm
main:
    call fun
    db 0xe8
    mov eax, 4
    mov ebx, 1
    mov ecx, msg1
    mov edx, msg1_size
    int 80h
     
    mov eax, 1
    mov ebx, 0
    int 80h
     
fun:
    pop ebp
    inc ebp
    push ebp
    ret
```

Disassembler output 4

```
? ....... ! main:                           ;xref o80482d7 
? ....... !   call        sub_804839c  
? 8048379 !   call        8048836h  
? 804837e !   add         [ebx+1], bh      
? 8048384 !   mov         ecx, strz_I_am_running__8049568
? 8048389 !   mov         edx, 0eh
? 804838e !   int         80h 
? 8048390 !   mov         eax, 1 
? 8048395 !   mov         ebx, 0
? 804839a !   int         80h 
? 804839c !                       
? ....... ! ;-----------------------    
? ....... ! ;  S U B R O U T I N E   
? ....... ! ;----------------------- 
? ....... ! sub_804839c:                    ;xref c8048374  
? ....... !   pop         ebp     
? 804839d !   inc         ebp     
? 804839e !   push        ebp 
? 804839f !   ret
```

## Download

http://archive.main.lv/files/writeup/linux_antidebug_3/antidebug3.tar.gz