Ida dynamically modifies memory data and register values, and ida dynamic register values.

Source: Internet
Author: User

Ida dynamically modifies memory data and register values, and ida dynamic register values.

We continue to analyze the self-destroyed program password app. We found that the app will use fopen () to open the/proc/[pid]/status file, and then use fgets () and strstr () so we have the next breakpoint at strstr () and then synchronize the hex view data with R0. Each time you click "continue", we will see the parameters passed in by strstr. When the input parameter changes to TracerPid: XXXX, let's stop. Normally, the TracerPid value is 0. However, the pid of the debugger is changed when it is debugged.

To prevent programs from being debugged, we need to change the value back to 0. Right-click hex view 2 and select edit. Then we enter 30 and 00, and then click "apply changes ". You can change TracerPid to 0. Then we can use bypass to perform this anti-debugging check.

However, this program detects TracerPid frequently, and we need to constantly modify the value of TracerPid. This method is a bit temporary, so we will introduce the patch so file method in the next section to solve this problem.

In addition to the data in the memory, the register data can be modified dynamically during ida dynamic debugging. For example, the program runs to CMP R6, #0. The original R6 value is 0. After comparison, the program will jump to the 4082A3FC address.

However, if we execute the 4082A1F8 Statement on the PC, the value of R6 is dynamically changed to 0. The program will not jump.

You can even modify the value of the PC register to control the jump of the program to any position you want to jump to. It works exactly the same way as drop. But remember to pay attention to stack balancing and other issues.

 

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.