Objective-C runtime security measures, part 4: disassembly (compiler options)
Reading notes on *O'Reilly: Hacking and Securing iOS Applications*

Disassembly: make the assembly produced by the compiler harder to follow by tuning compiler optimization options and stripping the symbol table. (An attacker uses a disassembler together with a dynamic debugger to work out the program logic and then tamper with it.)

Method 2: compile with the compiler's `-O3` option

Principle: with `-O3` the compiler can hide the concrete computation by folding it at compile time and emitting only the result.

```c
#include <stdio.h>

int main(int argc, char **argv)
{
    int i;
    int a = 0;
    for (i = 0; i < 10; ++i) {
        a += i;
    }
    printf("%d\n", a);
    return 0;
}
```

Example 1: assembly from a normal (unoptimized) build

```
_main:
0000000100000ec0  pushq   %rbp
0000000100000ec1  movq    %rsp,%rbp
0000000100000ec4  subq    $0x20,%rsp
0000000100000ec8  movl    %edi,0xfc(%rbp)
0000000100000ecb  movq    %rsi,0xf0(%rbp)
0000000100000ecf  movl    $0x00000000,0xe0(%rbp)
0000000100000ed6  movl    $0x00000000,0xe4(%rbp)
0000000100000edd  jmp     0x100000ef3
0000000100000edf  movl    0xe0(%rbp),%eax
0000000100000ee2  movl    0xe4(%rbp),%ecx
0000000100000ee5  addl    %ecx,%eax
0000000100000ee7  movl    %eax,0xe0(%rbp)
0000000100000eea  movl    0xe4(%rbp),%eax
0000000100000eed  addl    $0x01,%eax              ; i += 1
0000000100000ef0  movl    %eax,0xe4(%rbp)
0000000100000ef3  movl    0xe4(%rbp),%eax
0000000100000ef6  cmpl    $0x09,%eax              ; compare i with 9 (loop bound)
0000000100000ef9  jle     0x100000edf
0000000100000efb  movl    0xe0(%rbp),%eax
0000000100000efe  xorb    %cl,%cl
0000000100000f00  leaq    0x00000055(%rip),%rdx
0000000100000f07  movq    %rdx,%rdi
0000000100000f0a  movl    %eax,%esi
0000000100000f0c  movb    %cl,%al
0000000100000f0e  callq   0x100000f30             ; symbol stub for: _printf
0000000100000f13  movl    $0x00000000,0xe8(%rbp)
0000000100000f1a  movl    0xe8(%rbp),%eax
0000000100000f1d  movl    %eax,0xec(%rbp)
0000000100000f20  movl    0xec(%rbp),%eax
0000000100000f23  addq    $0x20,%rsp
0000000100000f27  popq    %rbp
0000000100000f28  ret
```

Example 2: assembly from a build with the `-O3` option

```
_main:
0000000100000f10  pushq   %rbp
0000000100000f11  movq    %rsp,%rbp
0000000100000f14  movl    $0x0000002d,%esi        ; final result 45
0000000100000f19  xorb    %al,%al
0000000100000f1b  leaq    0x0000003a(%rip),%rdi
0000000100000f22  callq   0x100000f32             ; symbol stub for: _printf
0000000100000f27  xorl    %eax,%eax
0000000100000f29  popq    %rbp
0000000100000f2a  ret
```

The optimized output computes the result 0x2D (45, the sum 1+2+3+4+5+6+7+8+9) directly and hands it to `printf`; no loop appears at all. This way an attacker cannot see the computation logic either. The debugging session below shows that after optimization the constant is created and stored directly in a register:

```
$ gdb -q ./testprog
Reading symbols for shared libraries .. done
(gdb) break printf
Function "printf" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (printf) pending.
(gdb) r
Starting program: /Users/jonz/Downloads/a
Reading symbols for shared libraries +........................ done
Breakpoint 1 at 0x7fff8b69922e
Pending breakpoint 1 - "printf" resolved
(gdb) info reg
rax            0x0      0
rbx            0x0      0
rcx            0x0      0
rdx            0x100000f5c      4294971228
rsi            0x2d     45
rdi            0x100000f5c      4294971228
```

Author: danqingd
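As an added example (not code from the post or the book), here is the same program extended with a second loop whose bound arrives at runtime. It shows the limit of what `-O3` hides: the compiler can only fold a computation whose inputs are known at compile time. The function names `sum_constant` and `sum_runtime` are my own.

```c
#include <stdio.h>
#include <stdlib.h>

/* Loop with a compile-time bound. At -O3 the compiler folds this to the
 * constant 45 exactly as in the post's listing (movl $0x2d,%esi): no
 * loop, no compare, just the result. */
int sum_constant(void)
{
    int a = 0;
    for (int i = 0; i < 10; ++i) {
        a += i;
    }
    return a;
}

/* Same loop, but the bound n is only known at runtime. The compiler
 * cannot fold this away: at -O3 it may rewrite it (closed form,
 * vectorisation), but a real computation over n stays in the binary
 * and is therefore still visible to a disassembler. */
int sum_runtime(int n)
{
    int a = 0;
    for (int i = 0; i < n; ++i) {
        a += i;
    }
    return a;
}

int main(int argc, char **argv)
{
    /* Bound taken from the command line so it cannot be a constant. */
    int n = (argc > 1) ? atoi(argv[1]) : 10;
    printf("constant: %d runtime: %d\n", sum_constant(), sum_runtime(n));
    return 0;
}
```

To see the difference, compile twice with `cc -O0 -S` and `cc -O3 -S` and compare the generated `.s` files: at `-O3` the body of `sum_constant` collapses to a single immediate, while `sum_runtime` keeps a loop or an equivalent arithmetic sequence. The practical caveat is that `-O3` is an optimization, not an obfuscation: the folded constant, the format string and any logic that depends on runtime input remain in the binary, so this measure only complicates analysis of values that are fixed at build time.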