objective-c runtime安全措施之三:反汇编(strip)  

2012-04-01 11:26:34|  分类: iOS app security |  标签: |举报 |字号 订阅


《O'Reilly.Hacking.and.Securing.iOS.Applications》读书笔记

反汇编:通过优化编译器选项、去除符号表来复杂化编译后生成的汇编代码,以对抗攻击者使用反汇编工具结合动态调试工具弄清并篡改程序逻辑

方法3:使用strip命令除去目标文件中的指定符号

原理:使用strip命令去掉符号表中的指定符号

下面的代码是用来检查是否有debugger的存在

#include <unistd.h>

#include <sys/types.h>

#include <sys/sysctl.h>

#include <string.h>

#include <stdio.h>

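/*
 * Report whether a tracer (debugger) is attached to this process.
 *
 * Asks the kernel for this process's own record via sysctl()
 * (CTL_KERN / KERN_PROC / KERN_PROC_PID, keyed by getpid()) and inspects
 * the P_TRACED flag in the returned struct kinfo_proc.
 *
 * Returns 1 when P_TRACED is set, 0 when it is clear, and sysctl()'s own
 * non-zero return value when the query fails. Because the caller in main()
 * treats any non-zero result as "being debugged", a failed query is
 * reported the same way as an attached tracer (fail closed); callers that
 * need to tell the two apart must compare against 1 explicitly.
 *
 * This is a point-in-time check of a kernel flag: it reflects only whether
 * a tracer was attached at the moment of the call. The interface
 * (struct kinfo_proc, P_TRACED) is BSD/XNU-specific.
 */
int check_debugger(void)
{
    /* Zero-initialised so no stale stack bytes can reach the flag test. */
    struct kinfo_proc info = {0};
    size_t size = sizeof info;
    int name[4];

    name[0] = CTL_KERN;
    name[1] = KERN_PROC;
    name[2] = KERN_PROC_PID;
    name[3] = getpid();

    /* Assignment kept out of the condition so the failure path is explicit. */
    int ret = sysctl(name, (u_int)(sizeof name / sizeof name[0]),
                     &info, &size, NULL, 0);
    if (ret != 0) {
        return ret; /* sysctl() failed for some reason */
    }

    return (info.kp_proc.p_flag & P_TRACED) ? 1 : 0;
}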

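/*
 * Demo driver: poll check_debugger() a fixed number of times, pausing
 * between polls, and print which branch was taken each time.
 *
 * Any non-zero result from check_debugger() — including the value it
 * returns when sysctl() fails — is printed as "being debugged", so the
 * demo fails closed on query errors.
 *
 * Returns 0 on completion.
 */
int main(void)
{
    enum { POLL_COUNT = 10, POLL_INTERVAL_SEC = 5 };

    for (int i = 0; i < POLL_COUNT; ++i) {
        if (check_debugger()) {
            puts("Eek! I'm being debugged!");
        } else {
            puts("I'm doing something really secure here!!");
        }
        sleep(POLL_INTERVAL_SEC);
    }

    return 0;
}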

 

例子1:正常使用nm导出符号表信息

当符号表被导出时,check_debugger 和 main 函数的符号和地址对攻击者是清晰可见的

$ nm main

00003038 S _NXArgc

0000303c S _NXArgv

00003044 S ___progname

00002dd8 t __dyld_func_lookup

00001000 A __mh_execute_header

00002de4 T _check_debugger

00003040 S _environ

U _exit

U _getpid

00002ef4 T _main

U _memset

U _puts

U _sysctl

00003034 d dyld__mach_header

00002db8 t dyld_stub_binding_helper

00002d6c T start

这些符号在二进制反汇编代码中可以看到

_check_debugger:

00002de4 e92d4090 push {r4, r7, lr}

00002de8 e28d7004 add r7, sp, #4 @ 0x4

00002dec e24ddf8f sub sp, sp, #572 @ 0x23c

00002df0 e3cdd007 bic sp, sp, #7 @ 0x7

00002df4 e59f00e8 ldr r0, [pc, #232] @ 0x2ee4

00002df8 e28d1040 add r1, sp, #64 @ 0x40

...

_main:

00002ef4 e92d4080 push {r7, lr}

00002ef8 e1a0700d mov r7, sp

00002efc e24dd018 sub sp, sp, #24 @ 0x18

00002f00 e59f0070 ldr r0, [pc, #112] @ 0x2f78

00002f04 e5070008 str r0, [r7, #-8]

00002f08 e59f0068 ldr r0, [pc, #104] @ 0x2f78

00002f0c e58d0008 str r0, [sp, #8]

...

例子2:使用strip后导出符号表信息

$ strip main

$ nm main

00001000 A __mh_execute_header

U _exit

U _getpid

U _memset

U _puts

U _sysctl

攻击者不知道函数出现在地址空间的哪里,甚至无法直接从符号表得知check_debugger函数的存在(注意:strip 只去掉了本地定义的符号,_sysctl、_getpid 等外部引用符号仍保留在上面的 nm 输出中)。为了找出具体程序逻辑,攻击者不得不查看上千行汇编代码,如下所示:

00002d6c e59d0000 ldr r0, [sp]

00002d70 e28d1004 add r1, sp, #4 @ 0x4

00002d74 e2804001 add r4, r0, #1 @ 0x1

00002d78 e0812104 add r2, r1, r4, lsl #2

00002d7c e3cdd007 bic sp, sp, #7 @ 0x7

00002d80 e1a03002 mov r3, r2

00002d84 e4934004 ldr r4, [r3], #4

00002d88 e3540000 cmp r4, #0 @ 0x0

00002d8c 1afffffc bne 0x2d84

00002d90 e59fc018 ldr ip, [pc, #24] @ 0x2db0

00002d94 e08fc00c add ip, pc, ip

00002d98 e59cc000 ldr ip, [ip]

00002d9c e12fff3c blx ip

00002da0 e59fc00c ldr ip, [pc, #12] @ 0x2db4

00002da4 e08fc00c add ip, pc, ip

00002da8 e59cc000 ldr ip, [ip]

00002dac e12fff1c bx ip

00002db0 00000280 andeq r0, r0, r0, lsl #5

00002db4 00000274 andeq r0, r0, r4, ror r2

00002db8 e52dc004 push {ip} @ (str ip, [sp, #-4]!)

00002dbc e59fc00c ldr ip, [pc, #12] @ 0x2dd0

00002dc0 e79fc00c ldr ip, [pc, ip]

00002dc4 e52dc004 push {ip} @ (str ip, [sp, #-4]!)

00002dc8 e59fc004 ldr ip, [pc, #4] @ 0x2dd4

00002dcc e79ff00c ldr pc, [pc, ip]

00002dd0 0000026c andeq r0, r0, ip, ror #4

00002dd4 0000022c andeq r0, r0, ip, lsr #4

00002dd8 e59fc000 ldr ip, [pc, #0] @ 0x2de0

00002ddc e79ff00c ldr pc, [pc, ip]

00002de0 00000004 andeq r0, r0, r4

00002de4 e92d4090 push {r4, r7, lr}

00002de8 e28d7004 add r7, sp, #4 @ 0x4

00002dec e24ddf8f sub sp, sp, #572 @ 0x23c

00002df0 e3cdd007 bic sp, sp, #7 @ 0x7

00002df4 e59f00e8 ldr r0, [pc, #232] @ 0x2ee4

00002df8 e28d1040 add r1, sp, #64 @ 0x40

00002dfc e28d202c add r2, sp, #44 @ 0x2c

00002e00 e59f30e0 ldr r3, [pc, #224] @ 0x2ee8

00002e04 e59fc0e0 ldr ip, [pc, #224] @ 0x2eec

00002e08 e59fe0e0 ldr lr, [pc, #224] @ 0x2ef0

00002e0c e58de22c str lr, [sp, #556]

00002e10 e58d1028 str r1, [sp, #40]

00002e14 e58d1024 str r1, [sp, #36]

00002e18 e3a01000 mov r1, #0 @ 0x0

00002e1c e58d2020 str r2, [sp, #32]

00002e20 e3a02f7b mov r2, #492 @ 0x1ec

00002e24 e58d001c str r0, [sp, #28]

00002e28 e59d0024 ldr r0, [sp, #36]

00002e2c e58dc018 str ip, [sp, #24]

00002e30 e58d3014 str r3, [sp, #20]

00002e34 eb000057 bl 0x2f98 @ symbol stub for: _memset

00002e38 e59d0024 ldr r0, [sp, #36]

00002e3c e58d0230 str r0, [sp, #560]

00002e40 e59d0014 ldr r0, [sp, #20]

00002e44 e58d002c str r0, [sp, #44]

00002e48 e59d0018 ldr r0, [sp, #24]

00002e4c e58d0030 str r0, [sp, #48]

00002e50 e59d0014 ldr r0, [sp, #20]

00002e54 e58d0034 str r0, [sp, #52]

00002e58 eb00004b bl 0x2f8c @ symbol stub for: _getpid

00002e5c e58d0038 str r0, [sp, #56]

00002e60 e59d0020 ldr r0, [sp, #32]

00002e64 e59d1028 ldr r1, [sp, #40]

00002e68 e3a02000 mov r2, #0 @ 0x0

00002e6c e1a0300d mov r3, sp

00002e70 e5832004 str r2, [r3, #4]

00002e74 e5832000 str r2, [r3]

00002e78 e58d1010 str r1, [sp, #16]

00002e7c e3a01004 mov r1, #4 @ 0x4

00002e80 e28d3f8b add r3, sp, #556 @ 0x22c

00002e84 e59d2010 ldr r2, [sp, #16]

00002e88 eb000048 bl 0x2fb0 @ symbol stub for: _sysctl

00002e8c e58d003c str r0, [sp, #60]

00002e90 e59d003c ldr r0, [sp, #60]

00002e94 e59d101c ldr r1, [sp, #28]

00002e98 e1500001 cmp r0, r1

00002e9c 1a000000 bne 0x2ea4

00002ea0 ea000002 b 0x2eb0

00002ea4 e59d003c ldr r0, [sp, #60]

00002ea8 e58d0234 str r0, [sp, #564]

00002eac ea000006 b 0x2ecc

00002eb0 e5dd0051 ldrb r0, [sp, #81]

00002eb4 e2000008 and r0, r0, #8 @ 0x8

00002eb8 e1a001a0 lsr r0, r0, #3

00002ebc e58d000c str r0, [sp, #12]

00002ec0 e59d100c ldr r1, [sp, #12]

00002ec4 e58d1234 str r1, [sp, #564]

00002ec8 e58d0008 str r0, [sp, #8]

00002ecc e59d0234 ldr r0, [sp, #564]

00002ed0 e58d0238 str r0, [sp, #568]

00002ed4 e59d0238 ldr r0, [sp, #568]

00002ed8 e247d004 sub sp, r7, #4 @ 0x4

00002edc e8bd4090 pop {r4, r7, lr}

00002ee0 e12fff1e bx lr

00002ee4 00000000 andeq r0, r0, r0

00002ee8 00000001 andeq r0, r0, r1

00002eec 0000000e andeq r0, r0, lr

00002ef0 000001ec andeq r0, r0, ip, ror #3

00002ef4 e92d4080 push {r7, lr}

00002ef8 e1a0700d mov r7, sp

00002efc e24dd018 sub sp, sp, #24 @ 0x18

00002f00 e59f0070 ldr r0, [pc, #112] @ 0x2f78

00002f04 e5070008 str r0, [r7, #-8]

00002f08 e59f0068 ldr r0, [pc, #104] @ 0x2f78

00002f0c e58d0008 str r0, [sp, #8]

00002f10 ebffffb3 bl 0x2de4

00002f14 e59d1008 ldr r1, [sp, #8]

00002f18 e1500001 cmp r0, r1

00002f1c 1a000000 bne 0x2f24

00002f20 ea000004 b 0x2f38

00002f24 e59f0054 ldr r0, [pc, #84] @ 0x2f80

00002f28 e08f0000 add r0, pc, r0

00002f2c eb00001c bl 0x2fa4 @ symbol stub for: _puts

00002f30 e58d0004 str r0, [sp, #4]

00002f34 ea000003 b 0x2f48

00002f38 e59f003c ldr r0, [pc, #60] @ 0x2f7c

00002f3c e08f0000 add r0, pc, r0

00002f40 eb000017 bl 0x2fa4 @ symbol stub for: _puts

00002f44 e58d0000 str r0, [sp]

00002f48 e59f0034 ldr r0, [pc, #52] @ 0x2f84

00002f4c e59f1034 ldr r1, [pc, #52] @ 0x2f88

00002f50 e5172008 ldr r2, [r7, #-8]

00002f54 e0821001 add r1, r2, r1

00002f58 e5071008 str r1, [r7, #-8]

00002f5c e5171008 ldr r1, [r7, #-8]

00002f60 e1510000 cmp r1, r0

00002f64 daffffe7 ble 0x2f08

00002f68 e5170004 ldr r0, [r7, #-4]

00002f6c e1a0d007 mov sp, r7

00002f70 e8bd4080 pop {r7, lr}

00002f74 e12fff1e bx lr

00002f78 00000000 andeq r0, r0, r0

00002f7c 00000092 muleq r0, r2, r0

00002f80 0000008c andeq r0, r0, ip, lsl #1

00002f84 00000009 andeq r0, r0, r9

00002f88 00000001 andeq r0, r0, r1

跟踪这些代码是比较困难的。假如check_debugger函数是inline的,将更难弄清楚逻辑(原因见http://danqingdani.blog.163.com/blog/static/18609419520123111202352/ )。
