Author: Arctic fox, Watching the Snow forum
Linux has little software that needs cracking, so things have been quite entertaining lately. Cracking software you wrote yourself is just playing with yourself; it means nothing, because you already know your own tricks. I really wish some experts would write crackmes for Linux.
I recently looked at unpacking on Windows and understood the principle of packers. I had not had much contact with packers before; I usually just worked on software that was not packed. There are few Linux packers. I only found a UPX packer, which counts as a weak packer on Windows, and in fact it is a weak packer on Linux too: you can solve it with the "upx -d" command. But I always like to do it by hand. Haha... purely for my own entertainment.
OK, let's start our Linux UPX unpacking trip .........
I spent a lot of time choosing tools and suddenly found that GDB was pale and powerless in front of UPX... Now I finally know why some people say GDB is not suited to reverse engineering. Although the program runs normally in the debugger and breaks normally, you cannot view the disassembly ........
Helpless... so I used IDA, the best tool in the legend, and learned how to use IDC scripts along the way...
There was no reference material to go on. It is a very unpleasant feeling, because I don't know whether it can succeed. Never mind, let's take it one step at a time...
I used "upx -d" to restore the original file and found that the file is complete, with no part missing. Therefore I believe these bytes will appear in some corner of the process address space at some moment, which greatly strengthened my confidence in manual unpacking (although I was not able to find the complete program file by the end of this article, I believe that in theory the entire file should appear in the memory space...).
The software I unpacked was the plug-in for mines (the mine-sweeping game) from my last article. First get upx-3.03-i386_linux; I will provide it as an attachment to this article.
To pack our target software, the command is as follows. UPX is indeed a good compression packer, with a 54% compression ratio.
Code:
[jun@beijihuCom dumpupx]$ ./upx mines
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2008
UPX 3.03        Markus Oberhumer, Laszlo Molnar & John Reiser   Apr 27th 2008

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     13960 ->      7556   54.13%   linux/elf386  mines

Packed 1 file.
[jun@beijihuCom dumpupx]$
Okay, now let's start debugging it. Once it is packed, the usual debugging tools are powerless against it...
I experimented with GDB, DDD... and objdump.
readelf can still be used normally (only some of its functions work; I will not discuss it in detail...)
Code:
[jun@beijihuCom dumpupx]$ readelf -e ./mines
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 03 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - Linux
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0xc02598
  Start of program headers:          52 (bytes into file)
  Start of section headers:          0 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         2
  Size of section headers:           40 (bytes)
  Number of section headers:         0
  Section header string table index: 0

There are no sections in this file.

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000000 0x00c01000 0x00c01000 0x01d60 0x01d60 R E 0x1000
  LOAD           0x0002fc 0x0804b2fc 0x0804b2fc 0x00000 0x00000 RW  0x1000
The above output shows that its entry point is 0xc02598, which is different from a program compiled by GCC. In fact, the original entry point is basically unchanged after "upx -d"; that is, the entry point of the manually unpacked program and its loading method are the same as those of the never-packed software... this adds weight to a successful unpacking..
Continue debugging... gdb
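As an added example (not from the original post), the following Python script rebuilds the ELF32 header and the two program headers from the readelf values above (the bytes are constructed and zero-padded to the 7556-byte packed size; they are not the real file) and then checks the packer indicators that output shows: no section headers, one executable LOAD segment mapping almost the whole file from offset 0, an empty RW LOAD, and the "UPX!" marker string. The 0.9 size threshold is my own assumption.

```python
import struct

EHDR_FMT = "<16sHHIIIIIHHHHHH"   # Elf32_Ehdr, little endian, 52 bytes
PHDR_FMT = "<IIIIIIII"           # Elf32_Phdr, 32 bytes
PT_LOAD, PF_X = 1, 1

def parse_elf32(data):
    """Return (header dict, list of program-header dicts) for an ELF32 LE image."""
    f = struct.unpack_from(EHDR_FMT, data, 0)
    if f[0][:5] != b"\x7fELF\x01":
        raise ValueError("not a 32-bit ELF file")
    hdr = {"entry": f[4], "phoff": f[5], "shoff": f[6],
           "phentsize": f[9], "phnum": f[10], "shnum": f[12]}
    names = ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")
    phdrs = []
    for i in range(hdr["phnum"]):
        raw = struct.unpack_from(PHDR_FMT, data, hdr["phoff"] + i * hdr["phentsize"])
        phdrs.append(dict(zip(names, raw)))
    return hdr, phdrs

def packer_indicators(data):
    """Heuristics taken from the readelf output of the packed file; returns (hdr, signs)."""
    hdr, phdrs = parse_elf32(data)
    signs = []
    if hdr["shnum"] == 0:
        signs.append("no section headers")
    for p in (p for p in phdrs if p["type"] == PT_LOAD):
        # the stub maps the whole packed file as one r-x segment starting at offset 0
        if p["flags"] & PF_X and p["offset"] == 0 and p["filesz"] >= 0.9 * len(data):
            signs.append("one executable segment maps almost the whole file")
        if p["memsz"] == 0:
            signs.append("empty LOAD segment at 0x%08x" % p["vaddr"])
    if b"UPX!" in data:
        signs.append("UPX! signature present")
    return hdr, signs

def build_sample():
    """Constructed bytes reproducing the readelf values of the packed 'mines' binary."""
    ehdr = struct.pack(EHDR_FMT, b"\x7fELF\x01\x01\x01\x03" + bytes(8),
                       2, 3, 1, 0xc02598, 52, 0, 0, 52, 32, 2, 40, 0, 0)
    ph = struct.pack(PHDR_FMT, PT_LOAD, 0x0, 0xc01000, 0xc01000, 0x1d60, 0x1d60, 5, 0x1000)
    ph += struct.pack(PHDR_FMT, PT_LOAD, 0x2fc, 0x804b2fc, 0x804b2fc, 0, 0, 6, 0x1000)
    body = ehdr + ph
    return body + bytes(7556 - len(body) - 4) + b"UPX!"   # pad to the 7556-byte packed size

if __name__ == "__main__":
    hdr, signs = packer_indicators(build_sample())
    print("entry 0x%x, %d program headers, %d section headers"
          % (hdr["entry"], hdr["phnum"], hdr["shnum"]))
    for s in signs:
        print(" -", s)
```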
Code:
(gdb) b *0xc02598
Breakpoint 1 at 0xc02598
(gdb) r
Starting program: /home/jun/Crack/dumpupx/mines
warning: shared library handler failed to enable breakpoint
(no debugging symbols found)
Breakpoint 1, 0x00c02598 in ?? ()
(gdb) disassemble
No function contains program counter for selected frame.
(gdb)
gdb does not disassemble the code and does not even know what the next instruction is... it seems useless.
The legendary reverse-engineering tool IDA. I learned a little about it and started debugging with simple operations.
Code:
[jun@beijihuCom dumpupx]$ idal ./mines
When loading completes, it stops at the entry point. Hehe, press F4: the program runs and stops at the entry point.
Single-step execution... in fact I have no other way; I don't know how to set a breakpoint. Only this simple method can be used for debugging...
Here is what I think: UPX is a compression packer. When it hands execution over to the original target program there will be a big jump. Many newcomers unpacking on Windows all go by this OEP rule. Linux should be no exception...
Single-stepping with F8 from 0xc025c8 to 0xc025d1, at 0xc025d3 it jumps back. It is obviously a loop, and there is no point wasting time inside it. Look further down: there is a retn below. Move the cursor there and press F4. Actually I had no certainty, but the result was good: it didn't fly away. F8 again from here.
One more step; the retn lands somewhere.
Look further. It can't be that clever. I saw the jmp dword ptr [edi] jump. Could this be the legendary big jump?
Never mind, F4.
One step and I jumped here.
I don't understand the specific meaning of the code, but it is obviously not the program's entry point... why? Step by step... continue
I suddenly realized that this is ld (the dynamic linker) at work, and it cannot be skipped. It is most likely linking the shared libraries our target program needs to run, and it will modify the image in our memory. That way what we dump would not be the original clean program, and because we have no repair tool, it is much more troublesome than PE repair on Windows...... so we need to dump it out quickly...
IDC script used to dump the image
Code:
#