-
-
[原创]手写fuzzer实现anti-debugging趣味实验 XD
-
发表于: 2019-1-6 14:05
-
#include <stdio.h>
#include <string.h>
int main(int argc, char* argv[])
{
if(argc==2)
{
if (strcmp("CORRECT_SERIAL", argv[1])==0)
{
printf("Accessed!\n");
}
else
{
printf("Denied!\n");
}
}
else
{
printf("Usage %s [serial_number]\n", argv[0]);
}
}
#/bin/python3!
import os
import random
def alter_byte(bytes_in):
i = random.randint(0, len(bytes_in))
c = chr(random.randint(0,255))
return bytes_in[:i] + c.encode()+ bytes_in[i+1:]
def alter_file():
with open("secret", 'rb') as f_obj, open("secret_tmp", 'wb') as new_f:
f_content = f_obj.read()
new_content = alter_byte(f_content)
new_f.write(new_content)
def cmp_out_file(f_1, f_2):
with open(f_1, 'rb') as f_1_obj, open(f_2, 'rb') as f_2_obj:
return f_1_obj.read() == f_2_obj.read()
def check_normal():
cmd = "(./secret_tmp; ./secret_tmp CORRECT_SERIAL; ./secret_tmp WRONG_SERIAL) > normal_tmp.txt"
os.system(cmd)
return cmp_out_file("std_output.txt", "normal_tmp.txt")
def check_gdb():
os.system("echo disassemble main | gdb secret_tmp > gdb_tmp.txt")
return cmp_out_file("gdb.txt", "gdb_tmp.txt")
def check_r2():
os.system("echo 'aaa\rs main\rpdf' | radare2 secret_tmp > r2_tmp.txt")
return cmp_out_file("r2_tmp.txt", "r2.txt")
if __name__ == '__main__':
os.system("cp secret secret_tmp")
os.system("echo disassemble main | gdb secret_tmp > gdb.txt")
os.system("(./secret_tmp; ./secret_tmp CORRECT_SERIAL; ./secret_tmp WRONG_SERIAL) > std_output.txt")
os.system("echo 'aaa\rs main\rpdf' | radare2 secret_tmp > r2.txt")
while True:
alter_file()
if check_normal() and not check_gdb() and not check_r2():
print("************* Found possible solution ************")
os.system("rm gdb.txt r2_tmp.txt r2.txt gdb_tmp.txt normal_tmp.txt std_output.txt")
exit()1. fuzzing前后直接运行对比:
修改后的文件都能够正常实现应有的功能。
2. fuzzing前后gdb调试对比:
3. fuzzing前后radare2 调试对比:
修改后main函数disassembling
总结:
#include <stdio.h>
#include <string.h>
int main(int argc, char* argv[])
{
if(argc==2)
{
if (strcmp("CORRECT_SERIAL", argv[1])==0)
{
printf("Accessed!\n");
}
else
{
printf("Denied!\n");
}
}
else
{
printf("Usage %s [serial_number]\n", argv[0]);
}
}
#/bin/python3!
import os
import random
def alter_byte(bytes_in):
i = random.randint(0, len(bytes_in))
c = chr(random.randint(0,255))
return bytes_in[:i] + c.encode()+ bytes_in[i+1:]
def alter_file():
with open("secret", 'rb') as f_obj, open("secret_tmp", 'wb') as new_f:
f_content = f_obj.read()
new_content = alter_byte(f_content)
new_f.write(new_content)
def cmp_out_file(f_1, f_2):
with open(f_1, 'rb') as f_1_obj, open(f_2, 'rb') as f_2_obj:
return f_1_obj.read() == f_2_obj.read()
def check_normal():
cmd = "(./secret_tmp; ./secret_tmp CORRECT_SERIAL; ./secret_tmp WRONG_SERIAL) > normal_tmp.txt"
os.system(cmd)
return cmp_out_file("std_output.txt", "normal_tmp.txt")
def check_gdb():
os.system("echo disassemble main | gdb secret_tmp > gdb_tmp.txt")
return cmp_out_file("gdb.txt", "gdb_tmp.txt")
def check_r2():
os.system("echo 'aaa\rs main\rpdf' | radare2 secret_tmp > r2_tmp.txt")
return cmp_out_file("r2_tmp.txt", "r2.txt")
if __name__ == '__main__':
os.system("cp secret secret_tmp")
os.system("echo disassemble main | gdb secret_tmp > gdb.txt")
os.system("(./secret_tmp; ./secret_tmp CORRECT_SERIAL; ./secret_tmp WRONG_SERIAL) > std_output.txt")
os.system("echo 'aaa\rs main\rpdf' | radare2 secret_tmp > r2.txt")
while True:
alter_file()
if check_normal() and not check_gdb() and not check_r2():
print("************* Found possible solution ************")
os.system("rm gdb.txt r2_tmp.txt r2.txt gdb_tmp.txt normal_tmp.txt std_output.txt")
exit()#/bin/python3!
import os
import random
def alter_byte(bytes_in):
i = random.randint(0, len(bytes_in))
c = chr(random.randint(0,255))
return bytes_in[:i] + c.encode()+ bytes_in[i+1:]
def alter_file():
with open("secret", 'rb') as f_obj, open("secret_tmp", 'wb') as new_f:
f_content = f_obj.read()
new_content = alter_byte(f_content)
new_f.write(new_content)
def cmp_out_file(f_1, f_2):
with open(f_1, 'rb') as f_1_obj, open(f_2, 'rb') as f_2_obj:
return f_1_obj.read() == f_2_obj.read()
def check_normal():
cmd = "(./secret_tmp; ./secret_tmp CORRECT_SERIAL; ./secret_tmp WRONG_SERIAL) > normal_tmp.txt"
os.system(cmd)
return cmp_out_file("std_output.txt", "normal_tmp.txt")
def check_gdb():
os.system("echo disassemble main | gdb secret_tmp > gdb_tmp.txt")
return cmp_out_file("gdb.txt", "gdb_tmp.txt")
def check_r2():
os.system("echo 'aaa\rs main\rpdf' | radare2 secret_tmp > r2_tmp.txt")
return cmp_out_file("r2_tmp.txt", "r2.txt")
if __name__ == '__main__':
os.system("cp secret secret_tmp")
os.system("echo disassemble main | gdb secret_tmp > gdb.txt")
os.system("(./secret_tmp; ./secret_tmp CORRECT_SERIAL; ./secret_tmp WRONG_SERIAL) > std_output.txt")
os.system("echo 'aaa\rs main\rpdf' | radare2 secret_tmp > r2.txt")
while True:
alter_file()
if check_normal() and not check_gdb() and not check_r2():
print("************* Found possible solution ************")
os.system("rm gdb.txt r2_tmp.txt r2.txt gdb_tmp.txt normal_tmp.txt std_output.txt")
exit()1. fuzzing前后直接运行对比:
修改后的文件都能够正常实现应有的功能。
2. fuzzing前后gdb调试对比:
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2019-1-6 15:25
被逆向实习生编辑
,原因: 修改显示
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
不是从word复制的,是复制的纯文字,然后插的图片 |
|
|
我之前发都没问题,不知道这次咋回事,点击编辑还能看到写的内容,但就是显示不出来。我换了哥电脑和浏览器,关掉插件再尝试一次。 |
|
|
就是显示不出来,点击编辑里面是有内容的:  |
|
|
|
|
|
|
|
|
已经编辑完成 |
|
|
|
|
|
|
|
|
Youtube: https://www.youtube.com/watch?v=OZvc-c1OLnM&list=PLhixgUqwRTjxglIswKp9mpkfPNfHkzyeN&index=10&t=0s LiveOverflow 的视频 无论对新手还是进阶都很友好。总有有意思的东西可以学习。 |
|
|
此贴必火,火钳刘明, 1024
|
|
|
|
|
|
不用打开程序,直接运行脚本,每次循环会复制一次要被修改的程序,并且对复制的程序任意修改一个字节,然后检测能否被gdb和r2正常打开调试。 |
|
|
|
KevinsBobo
