objective-c runtime 安全措施之五:对抗反汇编(用 strip 去除符号表)
《O'Reilly Hacking and Securing iOS Applications》读书笔记

对抗反汇编:通过调整编译器优化选项、去除符号表,让编译后生成的机器码更难被理解。攻击者通常会用反汇编工具结合动态调试工具来弄清并篡改程序逻辑,这一类措施的目的是抬高这种分析的成本,而不是让分析变得不可能。

方法 3:使用 strip 命令去除目标文件中的符号

原理:strip 会从 Mach-O 的符号表中删除本地和全局符号(也可以通过选项只删除指定的符号),于是反汇编输出中不再出现函数名。需要注意的是,动态链接所依赖的未定义符号(例如 `_sysctl`、`_getpid`)不会被去掉,这一点在下面例子 2 的 nm 输出中可以看到。

下面的代码用来检查当前进程是否正被调试器跟踪:通过 sysctl 读取本进程的 kinfo_proc,检查 p_flag 中的 P_TRACED 位。(原文中的 `&` 在转载时被错误地显示成了 `;`,这里已恢复。)

```c
#include <unistd.h>
#include <sys/types.h>
#include <sys/sysctl.h>
#include <string.h>
#include <stdio.h>

int check_debugger( )
{
    size_t size = sizeof(struct kinfo_proc);
    struct kinfo_proc info;
    int ret, name[4];

    memset(&info, 0, sizeof(struct kinfo_proc));

    name[0] = CTL_KERN;
    name[1] = KERN_PROC;
    name[2] = KERN_PROC_PID;
    name[3] = getpid();

    if (ret = (sysctl(name, 4, &info, &size, NULL, 0))) {
        return ret; /* sysctl() failed for some reason */
    }

    return (info.kp_proc.p_flag & P_TRACED) ? 1 : 0;
}

int main( )
{
    int i = 0, f;

    do {
        if (check_debugger())
            puts("Eek! I'm being debugged!");
        else
            puts("I'm doing something really secure here!!");
        ++i;
        sleep(5);
    } while(i<10);
}
```

注意这段示例代码的一个细节:sysctl() 失败时 check_debugger 直接把非零的返回值返回给调用者,而 main 中的 `if (check_debugger())` 会把这种失败当成"检测到调试器"。真正使用时应把"调用失败"和"检测命中"区分开处理。

例子 1:未 strip 时用 nm 导出符号表

符号表没有被去除时,check_debugger 和 main 的符号及地址对攻击者一目了然:

```
$ nm main
00003038 S _NXArgc
0000303c S _NXArgv
00003044 S ___progname
00002dd8 t __dyld_func_lookup
00001000 A __mh_execute_header
00002de4 T _check_debugger
00003040 S _environ
         U _exit
         U _getpid
00002ef4 T _main
         U _memset
         U _puts
         U _sysctl
00003034 d dyld__mach_header
00002db8 t dyld_stub_binding_helper
00002d6c T start
```

这些符号在二进制的反汇编输出中直接可见:

```
_check_debugger:
00002de4 e92d4090 push {r4, r7, lr}
00002de8 e28d7004 add r7, sp, #4 @ 0x4
00002dec e24ddf8f sub sp, sp, #572 @ 0x23c
00002df0 e3cdd007 bic sp, sp, #7 @ 0x7
00002df4 e59f00e8 ldr r0, [pc, #232] @ 0x2ee4
00002df8 e28d1040 add r1, sp, #64 @ 0x40
...
_main:
00002ef4 e92d4080 push {r7, lr}
00002ef8 e1a0700d mov r7, sp
00002efc e24dd018 sub sp, sp, #24 @ 0x18
00002f00 e59f0070 ldr r0, [pc, #112] @ 0x2f78
00002f04 e5070008 str r0, [r7, #-8]
00002f08 e59f0068 ldr r0, [pc, #104] @ 0x2f78
00002f0c e58d0008 str r0, [sp, #8]
...
```
例子 2:strip 之后再用 nm 导出符号表

```
$ strip main
$ nm main
00001000 A __mh_execute_header
         U _exit
         U _getpid
         U _memset
         U _puts
         U _sysctl
```

此时攻击者不再能从符号表直接得知各函数在地址空间中的位置,也看不到 check_debugger 这个名字。但要注意:以 U 标记的未定义符号(`_sysctl`、`_getpid` 等)仍然保留着——它们是动态链接所必需的,strip 无法删除。因此攻击者虽然不知道函数名,仍可以从 `_sysctl` 的符号桩(symbol stub)反向查找调用者:下面反汇编中 0x2e88 处的 `bl 0x2fb0 @ symbol stub for: _sysctl`,以及随后 0x2eb0 处对 sysctl 返回结构中某个标志字节做 `ldrb` / `and r0, r0, #8` 的测试(看起来正是对 P_TRACED 位的检查),已经把这个检测函数暴露出来;而 0x2f10 处的 `bl 0x2de4` 及其后的 `cmp` / `bne`,则是调试器可以直接打补丁绕过的判断点。所以 strip 只是去掉了"路标",并没有去掉检测逻辑本身。

为了找出具体的程序逻辑,攻击者必须逐条阅读汇编代码——对这个小程序来说是下面这一百多行,对真实应用则可能是成千上万行:

```
00002d6c e59d0000 ldr r0, [sp]
00002d70 e28d1004 add r1, sp, #4 @ 0x4
00002d74 e2804001 add r4, r0, #1 @ 0x1
00002d78 e0812104 add r2, r1, r4, lsl #2
00002d7c e3cdd007 bic sp, sp, #7 @ 0x7
00002d80 e1a03002 mov r3, r2
00002d84 e4934004 ldr r4, [r3], #4
00002d88 e3540000 cmp r4, #0 @ 0x0
00002d8c 1afffffc bne 0x2d84
00002d90 e59fc018 ldr ip, [pc, #24] @ 0x2db0
00002d94 e08fc00c add ip, pc, ip
00002d98 e59cc000 ldr ip, [ip]
00002d9c e12fff3c blx ip
00002da0 e59fc00c ldr ip, [pc, #12] @ 0x2db4
00002da4 e08fc00c add ip, pc, ip
00002da8 e59cc000 ldr ip, [ip]
00002dac e12fff1c bx ip
00002db0 00000280 andeq r0, r0, r0, lsl #5
00002db4 00000274 andeq r0, r0, r4, ror r2
00002db8 e52dc004 push {ip} @ (str ip, [sp, #-4]!)
00002dbc e59fc00c ldr ip, [pc, #12] @ 0x2dd0
00002dc0 e79fc00c ldr ip, [pc, ip]
00002dc4 e52dc004 push {ip} @ (str ip, [sp, #-4]!)
00002dc8 e59fc004 ldr ip, [pc, #4] @ 0x2dd4
00002dcc e79ff00c ldr pc, [pc, ip]
00002dd0 0000026c andeq r0, r0, ip, ror #4
00002dd4 0000022c andeq r0, r0, ip, lsr #4
00002dd8 e59fc000 ldr ip, [pc, #0] @ 0x2de0
00002ddc e79ff00c ldr pc, [pc, ip]
00002de0 00000004 andeq r0, r0, r4
00002de4 e92d4090 push {r4, r7, lr}
00002de8 e28d7004 add r7, sp, #4 @ 0x4
00002dec e24ddf8f sub sp, sp, #572 @ 0x23c
00002df0 e3cdd007 bic sp, sp, #7 @ 0x7
00002df4 e59f00e8 ldr r0, [pc, #232] @ 0x2ee4
00002df8 e28d1040 add r1, sp, #64 @ 0x40
00002dfc e28d202c add r2, sp, #44 @ 0x2c
00002e00 e59f30e0 ldr r3, [pc, #224] @ 0x2ee8
00002e04 e59fc0e0 ldr ip, [pc, #224] @ 0x2eec
00002e08 e59fe0e0 ldr lr, [pc, #224] @ 0x2ef0
00002e0c e58de22c str lr, [sp, #556]
00002e10 e58d1028 str r1, [sp, #40]
00002e14 e58d1024 str r1, [sp, #36]
00002e18 e3a01000 mov r1, #0 @ 0x0
00002e1c e58d2020 str r2, [sp, #32]
00002e20 e3a02f7b mov r2, #492 @ 0x1ec
00002e24 e58d001c str r0, [sp, #28]
00002e28 e59d0024 ldr r0, [sp, #36]
00002e2c e58dc018 str ip, [sp, #24]
00002e30 e58d3014 str r3, [sp, #20]
00002e34 eb000057 bl 0x2f98 @ symbol stub for: _memset
00002e38 e59d0024 ldr r0, [sp, #36]
00002e3c e58d0230 str r0, [sp, #560]
00002e40 e59d0014 ldr r0, [sp, #20]
00002e44 e58d002c str r0, [sp, #44]
00002e48 e59d0018 ldr r0, [sp, #24]
00002e4c e58d0030 str r0, [sp, #48]
00002e50 e59d0014 ldr r0, [sp, #20]
00002e54 e58d0034 str r0, [sp, #52]
00002e58 eb00004b bl 0x2f8c @ symbol stub for: _getpid
00002e5c e58d0038 str r0, [sp, #56]
00002e60 e59d0020 ldr r0, [sp, #32]
00002e64 e59d1028 ldr r1, [sp, #40]
00002e68 e3a02000 mov r2, #0 @ 0x0
00002e6c e1a0300d mov r3, sp
00002e70 e5832004 str r2, [r3, #4]
00002e74 e5832000 str r2, [r3]
00002e78 e58d1010 str r1, [sp, #16]
00002e7c e3a01004 mov r1, #4 @ 0x4
00002e80 e28d3f8b add r3, sp, #556 @ 0x22c
00002e84 e59d2010 ldr r2, [sp, #16]
00002e88 eb000048 bl 0x2fb0 @ symbol stub for: _sysctl
00002e8c e58d003c str r0, [sp, #60]
00002e90 e59d003c ldr r0, [sp, #60]
00002e94 e59d101c ldr r1, [sp, #28]
00002e98 e1500001 cmp r0, r1
00002e9c 1a000000 bne 0x2ea4
00002ea0 ea000002 b 0x2eb0
00002ea4 e59d003c ldr r0, [sp, #60]
00002ea8 e58d0234 str r0, [sp, #564]
00002eac ea000006 b 0x2ecc
00002eb0 e5dd0051 ldrb r0, [sp, #81]
00002eb4 e2000008 and r0, r0, #8 @ 0x8
00002eb8 e1a001a0 lsr r0, r0, #3
00002ebc e58d000c str r0, [sp, #12]
00002ec0 e59d100c ldr r1, [sp, #12]
00002ec4 e58d1234 str r1, [sp, #564]
00002ec8 e58d0008 str r0, [sp, #8]
00002ecc e59d0234 ldr r0, [sp, #564]
00002ed0 e58d0238 str r0, [sp, #568]
00002ed4 e59d0238 ldr r0, [sp, #568]
00002ed8 e247d004 sub sp, r7, #4 @ 0x4
00002edc e8bd4090 pop {r4, r7, lr}
00002ee0 e12fff1e bx lr
00002ee4 00000000 andeq r0, r0, r0
00002ee8 00000001 andeq r0, r0, r1
00002eec 0000000e andeq r0, r0, lr
00002ef0 000001ec andeq r0, r0, ip, ror #3
00002ef4 e92d4080 push {r7, lr}
00002ef8 e1a0700d mov r7, sp
00002efc e24dd018 sub sp, sp, #24 @ 0x18
00002f00 e59f0070 ldr r0, [pc, #112] @ 0x2f78
00002f04 e5070008 str r0, [r7, #-8]
00002f08 e59f0068 ldr r0, [pc, #104] @ 0x2f78
00002f0c e58d0008 str r0, [sp, #8]
00002f10 ebffffb3 bl 0x2de4
00002f14 e59d1008 ldr r1, [sp, #8]
00002f18 e1500001 cmp r0, r1
00002f1c 1a000000 bne 0x2f24
00002f20 ea000004 b 0x2f38
00002f24 e59f0054 ldr r0, [pc, #84] @ 0x2f80
00002f28 e08f0000 add r0, pc, r0
00002f2c eb00001c bl 0x2fa4 @ symbol stub for: _puts
00002f30 e58d0004 str r0, [sp, #4]
00002f34 ea000003 b 0x2f48
00002f38 e59f003c ldr r0, [pc, #60] @ 0x2f7c
00002f3c e08f0000 add r0, pc, r0
00002f40 eb000017 bl 0x2fa4 @ symbol stub for: _puts
00002f44 e58d0000 str r0, [sp]
00002f48 e59f0034 ldr r0, [pc, #52] @ 0x2f84
00002f4c e59f1034 ldr r1, [pc, #52] @ 0x2f88
00002f50 e5172008 ldr r2, [r7, #-8]
00002f54 e0821001 add r1, r2, r1
00002f58 e5071008 str r1, [r7, #-8]
00002f5c e5171008 ldr r1, [r7, #-8]
00002f60 e1510000 cmp r1, r0
00002f64 daffffe7 ble 0x2f08
00002f68 e5170004 ldr r0, [r7, #-4]
00002f6c e1a0d007 mov sp, r7
00002f70 e8bd4080 pop {r7, lr}
00002f74 e12fff1e bx lr
00002f78 00000000 andeq r0, r0, r0
00002f7c 00000092 muleq r0, r2, r0
00002f80 0000008c andeq r0, r0, ip, lsl #1
00002f84 00000009 andeq r0, r0, r9
00002f88 00000001 andeq r0, r0, r1
```

在没有符号的情况下跟踪这些代码要费力得多。如果 check_debugger 被编译器内联(通常需要将其声明为 static inline 并开启优化,否则编译器未必会内联),就不再存在一个可以整体打补丁的独立函数,逻辑会更难理清。不过内联只是把检测逻辑分散到了各个调用点,对 `_sysctl` 符号桩的调用在每个调用点仍然可见;去符号表应当与其他手段配合使用,而不能单独依赖它来保护检测逻辑。

作者 danqingd