IDA dynamic debugging: modifying memory data and register values
We continue analyzing the self-destroying password app from before. We found that the app uses fopen() to open the /proc/[pid]/status file, then reads it with fgets() and searches it with strstr(), so we set the next breakpoint at strstr() and synchronize the hex view with R0 (the first argument). Each time we click "Continue", we see the parameter passed to strstr(). When the input parameter becomes TracerPid: XXXX, we stop. Normally the TracerPid value is 0; when the process is being debugged, however, it holds the pid of the debugger.
To keep the program from detecting the debugger, we need to change the value back to 0. Right-click in Hex View-2 and select Edit, enter the bytes 30 and 00 (the ASCII character '0' followed by a NUL terminator), and click "Apply changes". TracerPid now reads 0, and this anti-debugging check is bypassed.
However, this program checks TracerPid frequently, so we would have to modify the value again and again. This is only a stopgap; in the next section we introduce the method of patching the .so file to solve the problem permanently.
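To make the check concrete, here is an added example (not code from the original post or from the app under analysis) that reproduces the fopen()/fgets()/strstr() TracerPid check on a constructed status buffer and applies the same two-byte edit ('0' then NUL) that the hex-view patch performs; the function names and the sample status text are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of the relevant /proc/[pid]/status lines, not a real capture. */
static char sample_status[] =
    "Name:\tcom.example.app\n"
    "State:\tt (tracing stop)\n"
    "TracerPid:\t4321\n"
    "Uid:\t10101\t10101\t10101\t10101\n";

/* Find the TracerPid line with strstr(), as the app does, and parse the value.
 * Returns -1 if no TracerPid line is present in the text. */
static int tracer_pid_from_status(const char *status)
{
    const char *p = strstr(status, "TracerPid:");
    if (p == NULL)
        return -1;
    /* strtol() skips the tab that separates the key from the number. */
    return (int)strtol(p + strlen("TracerPid:"), NULL, 10);
}

/* The check run against the live file of the current process: 0 when no
 * tracer is attached, the debugger's pid when one is, -1 if /proc is unreadable. */
static int tracer_pid_self(void)
{
    char line[256];
    int pid = -1;
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL)
        if ((pid = tracer_pid_from_status(line)) != -1)
            break;
    fclose(f);
    return pid;
}

/* Reproduce the hex-view edit on a buffer: overwrite the first digit with
 * 0x30 ('0') and the following byte with 0x00, so the value parses as 0.
 * Returns 1 if the line was patched, 0 if it was not found. */
static int zero_tracer_pid(char *buf)
{
    char *p = strstr(buf, "TracerPid:");
    if (p == NULL)
        return 0;
    p += strlen("TracerPid:");
    while (*p == ' ' || *p == '\t')
        p++;
    p[0] = 0x30;
    p[1] = 0x00;
    return 1;
}
```

Because the app re-reads the file on every check, the edit has to be repeated each time the breakpoint is hit, which is why the next section patches the .so instead.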
Besides data in memory, register values can also be modified dynamically during IDA dynamic debugging. For example, suppose the program reaches CMP R6, #0 with R6 originally equal to 0; after the comparison, the program jumps to address 4082A3FC.
If, however, while the PC is at the 4082A1F8 instruction we dynamically change the value of R6 to 0, the program will not jump.
You can even modify the value of the PC register to make the program jump to any location you want. It works in exactly the same way as drop. But remember to pay attention to stack balancing and similar issues.