我正在做一个简单的crackme(可以下载here),目的是找到密码。根据我的理解,程序会先修改自己的代码,然后把输入的密码与真实密码进行比较。
当我在没有GDB的情况下运行程序时,它可以工作。
当我启动gdb,用 `set environment LD_PRELOAD ./ptrace.so` 把ptrace替换成我自己的实现,然后直接运行时,程序也能正常运行。
当我在第一次读取后添加一个断点并逐步进行stepi时,它以段错误结束。让我解释一下我是如何做到的。
这是read语句后面的程序集(我输入了我的密码):
0x8048563: mov esp,ebp
0x8048565: mov edx,eax
0x8048567: dec edx
0x8048568: mov BYTE PTR [eax+0x80484a0],0x0
0x804856f: mov esi,0x80485a4 <- gets the code at this address
0x8048574: mov edi,esi
0x8048576: mov ecx,0x15
0x804857b: lods al,BYTE PTR ds:[esi]
0x804857c: xor al,0xaa <-- XORs the code with something
0x804857e: call 0x8048583 <-- I don't understand what is the purpose of calling something that is executed right after, but that is not the point
0x8048583: pop ebx
0x8048584: add ebx,0x7
0x8048587: jmp ebx
0x8048589: call 0x8d9cc30e
0x804858e: add al,0x8
0x8048590: int3
0x8048591: jne 0x8048595
0x8048593: inc al
0x8048595: stos BYTE PTR es:[edi],al
0x8048596: loop 0x804857b
0x8048598: mov esi,0x80484a1
0x804859d: mov edi,0x80485ae
0x80485a2: mov ecx,edx
0x80485a4: push es <--- Code being modified
0x80485a5: xchg BYTE PTR [eax+0x4880df04],ch
0x80485ab: push edx
0x80485ac: inc ecx
0x80485ad: mov eax,ds:0xcefedefb
0x80485b2: out dx,eax
0x80485b3: cdq
0x80485b4: int3
0x80485b5: retf
设置断点后,我一步一步地运行程序,直到我退出代码修改循环并显示asm代码:
0x8048598: mov esi,0x80484a1
0x804859d: mov edi,0x80485ae
0x80485a2: mov ecx,edx
0x80485a4: lods eax,DWORD PTR ds:[esi] <---final real code
0x80485a5: sub eax,0x2b760403
0x80485aa: jecxz 0x80485a5
0x80485ac: in al,dx <-- Here the code crashes and stops working for some reason
0x80485ad: or al,0x52
0x80485af: jne 0x8048606
0x80485b1: gs
0x80485b2: inc esi
0x80485b3: xor al,0x67
0x80485b5: bound esi,QWORD PTR [ebx]
0x80485b7: arpl WORD PTR [ecx],ax
0x80485b9: mov ebp,esp
0x80485bb: sub esp,0x4
0x80485be: and esp,0xfffffff0
0x80485c1: add esp,0x4
0x80485c4: push 0x80485ef
0x80485c9: call 0x8048350
0x80485ce: mov esp,ebp
0x80485d0: xor eax,eax
0x80485d2: jmp 0x80485ee
0x80485d4: mov ebp,esp
0x80485d6: sub esp,0x4
0x80485d9: and esp,0xfffffff0
0x80485dc: add esp,0x4
0x80485df: push 0x80485f7
0x80485e4: call 0x8048340
0x80485e9: mov esp,ebp
0x80485eb: xor eax,eax
0x80485ed: inc eax
0x80485ee: ret
现在运行stepi给了我:
Program received signal SIGSEGV, Segmentation fault.
[--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------registers---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------]
EAX: 0x8bc662e
EBX: 0x804858a --> 0x85983d80
ECX: 0x9 (b'\t')
EDX: 0x9 (b'\t')
ESI: 0x80484a5 ("56789")
EDI: 0x80485ae ("RuUeF4gb3c\001\211\345\203", <incomplete sequence \354>...)
EBP: 0xffffd5fc --> 0xf7e34a83 (<__libc_start_main+243>: mov DWORD PTR [esp],eax)
ESP: 0xffffd5fc --> 0xf7e34a83 (<__libc_start_main+243>: mov DWORD PTR [esp],eax)
EIP: 0x80485ac --> 0x75520cec
[-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------code-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------]
0x80485a4: lods eax,DWORD PTR ds:[esi]
0x80485a5: sub eax,0x2b760403
0x80485aa: jecxz 0x80485a5
=> 0x80485ac: in al,dx
0x80485ad: or al,0x52
0x80485af: jne 0x8048606
0x80485b1: gs
0x80485b2: inc esi
[----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------stack-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------]
00:0000| ebp esp 0xffffd5fc --> 0xf7e34a83 (<__libc_start_main+243>: mov DWORD PTR [esp],eax)
01:0004| 0xffffd600 --> 0x1
02:0008| 0xffffd604 --> 0xffffd694 --> 0xffffd7d7 ("/root/current/c"...)
03:0012| 0xffffd608 --> 0xffffd69c --> 0xffffd7f0 ("XDG_SESSION_ID="...)
04:0016| 0xffffd60c --> 0xf7feacea (add ebx,0x12316)
05:0020| 0xffffd610 --> 0x1
06:0024| 0xffffd614 --> 0xffffd694 --> 0xffffd7d7 ("/root/current/c"...)
07:0028| 0xffffd618 --> 0xffffd634 --> 0xf92bd643
[--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------]
Legend: stack, code, data, heap, rodata, value
Stopped reason: SIGSEGV
0x080485ac in ?? ()
是我哪里做得不对吗?设置断点后运行代码到底有什么区别?我在一篇文章里看到这是一种奇怪的行为,但这个crackme的作者并没有遇到这个问题。
感谢您的帮助。
编辑:在0x8048598没有断点的情况下,程序完成而不会崩溃。
答案 0 :(得分:0)
GDB设置软件断点时,会把断点地址处的第一个字节改写为0xCC(int3),而这个程序在修改代码之前恰好会检查这个字节。上面反汇编里 0x8048589 处的 `call 0x8d9cc30e` 只是伪装:`jmp ebx` 实际跳到 0x804858a,从那里开始的字节(80 3D 98 85 04 08 CC)是 `cmp byte ptr [0x8048598], 0xcc`,随后的 `jne 0x8048595` 在没有断点时跳过 `inc al`。一旦在 0x8048598 设了断点,比较相等,每个解码出来的字节都会被额外加1,因此修改后的代码与正常运行时不同,继续调试就会执行错误的指令并崩溃。