我正在为 MIPS32 二进制文件编写一个简单的代码加密器。加密本身没有问题——它很简单;但当我把解密器的代码注入到加密后的二进制文件中时,一切就出错了。程序启动后就以 Segmentation fault 退出。我把代码注入到第一个 LOAD 段的末尾——所有代码都注入在原始代码和数据之后。我也试过只注入跳回原始代码入口点的指令,但结果仍然一样。我检查过地址,看起来是正确的。
以下是我的代码的一部分:
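/*
 * Append a short trampoline to the end of the injected code buffer that
 * branches back to the program's original entry point.
 *
 * The trampoline is three MIPS32 instructions (12 bytes):
 *   beq $zero, $zero, off16   - unconditional PC-relative branch
 *   or  $at, $at, $zero       - branch delay slot, behaves as a no-op
 *   or  $at, $at, $zero       - no-op padding
 *
 * A MIPS branch target is computed relative to the delay slot and counted
 * in 32-bit words:
 *   target = branch_addr + 4 + (sign_extend(off16) << 2)
 * so off16 = (original_entry - (branch_addr + 4)) / 4 and must fit in a
 * signed 16-bit field.  The previous version stored the raw byte distance
 * from the branch itself, which lands nowhere near the entry point; it also
 * allocated 8 bytes but wrote 12 (heap overflow), and a stray ';' after the
 * range check made the check dead.
 *
 * Instruction bytes are emitted big-endian (the ELF header in the strace log
 * shows EI_DATA = 2, i.e. ELFDATA2MSB); a little-endian MIPS target would
 * need each 32-bit word byte-reversed.
 *
 * old_code_size  in: number of bytes in old_code; out: new size on success.
 * old_code       heap buffer from malloc/realloc; ownership passes to the
 *                returned pointer on success.
 * original_entry virtual address the trampoline must branch to.
 * code_entry     virtual address at which old_code[0] will be loaded.
 *
 * Returns the (possibly moved) buffer holding the old code plus trampoline,
 * or NULL when the distance is not 4-byte aligned, is out of 16-bit branch
 * range, or realloc fails.  On NULL, old_code is untouched and still owned
 * by the caller, and *old_code_size is unchanged.
 */
char *
prepare_code(int *old_code_size, char *old_code, unsigned int original_entry, unsigned int code_entry)
{
    enum { INSN_SIZE = 4, ADD_CODE_SIZE = 3 * INSN_SIZE };

    if (old_code_size == NULL || *old_code_size < 0) {
        return NULL;
    }
    int code_size = *old_code_size;

    /* Address of the branch once injected; its delay slot follows it. */
    unsigned int branch_addr = code_entry + (unsigned int)code_size;
    unsigned int delta = original_entry - (branch_addr + INSN_SIZE); /* mod 2^32 */

    /* Branch offsets are word counts: the byte distance must be 4-aligned. */
    if (delta % INSN_SIZE != 0) {
        return NULL;
    }
    /* Interpret the 32-bit two's-complement delta as a signed word count
       without relying on implementation-defined unsigned->int conversion. */
    long word_off = (delta & 0x80000000u)
                        ? -(long)((0u - delta) / INSN_SIZE)
                        : (long)(delta / INSN_SIZE);
    if (word_off < -32768L || word_off > 32767L) {
        return NULL; /* beyond the reach of a 16-bit branch offset */
    }
    unsigned int off16 = (unsigned int)word_off & 0xFFFFu;

    /* Grow via a temporary so a failed realloc does not lose old_code. */
    char *code = realloc(old_code, (size_t)code_size + ADD_CODE_SIZE);
    if (code == NULL) {
        return NULL;
    }

    unsigned char *p = (unsigned char *)code + code_size;
    /* beq $zero, $zero, off16  ->  0x1000xxxx, big-endian */
    p[0] = 0x10;
    p[1] = 0x00;
    p[2] = (unsigned char)(off16 >> 8);
    p[3] = (unsigned char)(off16 & 0xFFu);
    /* or $at, $at, $zero (0x00200825) twice: delay slot plus padding */
    p[4] = 0x00; p[5] = 0x20; p[6] = 0x08; p[7] = 0x25;
    p[8] = 0x00; p[9] = 0x20; p[10] = 0x08; p[11] = 0x25;

    *old_code_size = code_size + ADD_CODE_SIZE;
    return code;
}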
Strace日志:
execve("./output", ["./output"], [/* 14 vars */]) = 0
brk(0) = 0x9f9000
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x77cc3000
uname({sys="Linux", node="debian-mips", ...}) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=14227, ...}) = 0
old_mmap(NULL, 14227, PROT_READ, MAP_PRIVATE, 3, 0) = 0x77cbf000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/mips-linux-gnu/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\10\0\0\0\1\0\1s\344\0\0\0004"..., 512) = 512
lseek(3, 760, SEEK_SET) = 760
read(3, "\0\0\0\4\0\0\0\20\0\0\0\1GNU\0\0\0\0\0\0\0\0\2\0\0\0\6\0\0\0\32", 32) = 32
fstat64(3, {st_mode=S_IFREG|0755, st_size=1636356, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x77cbe000
old_mmap(NULL, 1621648, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x77b06000
mprotect(0x77c74000, 65536, PROT_NONE) = 0
old_mmap(0x77c84000, 45056, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16e000) = 0x77c84000
old_mmap(0x77c8f000, 11920, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x77c8f000
close(3) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x77cbd000
set_thread_area(0x77cc4490) = 0
mprotect(0x77c84000, 36864, PROT_READ) = 0
mprotect(0x77cc4000, 4096, PROT_READ) = 0
munmap(0x77cbf000, 14227) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
任何帮助都将不胜感激!