(Original content; please do not reprint.)
This post assumes a general understanding of the PE, ELF and COFF file formats and of memory and stack layout, and goes straight into hands-on disassembly.
Reference books:
1. 0day Security: Software Vulnerability Analysis Techniques
2. IDA Pro Authoritative Guide
First, set up the environment. Guest: a virtual machine running Windows XP SP2 with VC++ 6.0, OllyDbg and IDA Pro installed.
Host: Linux, with dumpbin, objdump, ndisasm and distorm installed (the last three are not used yet).
Part one: write a simple C program whose main logic is a password check (the goal this time is to bypass that check).
#include <string.h>
#include <stdio.h>

#define PASSWORD "123456"

/* Returns 0 when the supplied password matches PASSWORD (strcmp semantics). */
int verify_password(char *password)
{
    int authenticated;
    authenticated = strcmp(password, PASSWORD);
    return authenticated;
}

int main(int argc, char *argv[])
{
    int valid_flag = 0;
    char password[1024];
    while (1) {
        printf("Please input password: ");
        scanf("%s", password);   /* unbounded read into a fixed buffer, as in the original program */
        valid_flag = verify_password(password);
        if (valid_flag) {
            printf("Incorrect password!\n\n");
        } else {
            printf("Congratulation! You have passed the verification\n");
            break;
        }
    }
    return 0;
}
Part two: first inspect the binary with some other tools.
- strings (used under Linux to extract the printable strings from a file)
Because the output is long, pipe it through grep. Many strings can be found this way, but a few points matter:
- These strings may be function names or library names as well as text the program prints; never judge what the program does from the strings alone.
- By default, strings only scans the loadable, initialized parts of a file; the -a option forces it to scan the entire file.
- strings does not report where a string sits in the file; the -t option (for example -t x) makes it print the file offset of each string it finds. (This pairs well with the later steps.)
- Many files use other character encodings; the -e option makes strings search a wider range of encodings (for example -e l for 16-bit little-endian).
- IDA Pro disassembly
The flow graph of a function can be opened with F12.
IDA can also open a window that lists the strings, in which the original string literals are visible.
(The .rdata section holds read-only data such as string literals, constants and debug directory information.)
Now take a look at one of the functions:
.text:00401020 _verify_password proc near        ; CODE XREF: j__verify_password
.text:00401020
.text:00401020 var_44 = byte ptr -44h            ; symbols generated automatically by the compiler
.text:00401020 var_4  = dword ptr -4
.text:00401020 Str1   = dword ptr  8
.text:00401020
.text:00401020     push    ebp                   ; save the caller's EBP; the function's stack frame starts here
.text:00401021     mov     ebp, esp              ; new EBP = ESP (top of the stack)
.text:00401023     sub     esp, 44h              ; reserve 44h bytes of local space
.text:00401026     push    ebx
.text:00401027     push    esi
.text:00401028     push    edi                   ; preserve the callee-saved registers
.text:00401029     lea     edi, [ebp+var_44]
.text:0040102C     mov     ecx, 11h
.text:00401031     mov     eax, 0CCCCCCCCh
.text:00401036     rep stosd                     ; fill the locals with 0CCh (debug build)
.text:00401038     push    offset Str2           ; "123456"
.text:0040103D     mov     eax, [ebp+Str1]
.text:00401040     push    eax                   ; Str1
.text:00401041     call    _strcmp
.text:00401046     add     esp, 8
.text:00401049     mov     [ebp+var_4], eax
.text:0040104C     mov     eax, [ebp+var_4]
.text:0040104F     pop     edi
.text:00401050     pop     esi
.text:00401051     pop     ebx
.text:00401052     add     esp, 44h
.text:00401055     cmp     ebp, esp
.text:00401057     call    __chkesp
.text:0040105C     mov     esp, ebp              ; restore the stack pointer
.text:0040105E     pop     ebp                   ; restore EBP
.text:0040105F     retn
Combined with the earlier stack analysis, the program's flow is now clear. The push offset Str2 is the value being compared against, so the password can be read straight out of the .rdata section.
Moving on to main: the return value of the call is saved in EAX and compared against 0 to decide whether the password was correct. To invert the flow, turn the jz into a jnz (jz is 0x74, jnz is 0x75).
.text:004010C6     call    j__verify_password
.text:004010CB     add     esp, 4
.text:004010CE     mov     [ebp+var_4], eax
.text:004010D1     cmp     [ebp+var_4], 0
.text:004010D5     jz      short loc_4010E6
Next, the conversion between a virtual address (VA) and a file offset is needed.
File offset = VA - image base - (section RVA - section raw pointer) = 0x004010D5 - 0x00400000 - (0x00001000 - 0x00001000) = 0x10D5
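The conversion above, as an added example that is not code from the original post: it packs a constructed IMAGE_SECTION_HEADER table (the section names, sizes and raw pointers are made up to resemble a VC++ 6.0 build, with .text at RVA 0x1000 and raw offset 0x1000 as on the page, and .rdata/.data placed so that RVA and raw offset differ), parses it back, and maps a VA to a file offset for whichever section contains it. It also reads the byte at that offset from a constructed image so the result can be checked against the opcode expected there before any hex editor is opened.

```python
import struct

# Added example: VA -> file offset via a parsed PE section table.
# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

IMAGE_BASE = 0x00400000  # image base used in the page's calculation

# Constructed section table (hypothetical values modelled on a VC++ 6.0 EXE):
# name, VirtualSize, VirtualAddress (RVA), SizeOfRawData, PointerToRawData
SECTION_ROWS = [
    (b".text",  0x0D00, 0x1000, 0x1000, 0x1000),  # RVA == raw, delta 0 as on the page
    (b".rdata", 0x0300, 0x3000, 0x0400, 0x2000),  # RVA != raw, delta 0x1000
    (b".data",  0x0100, 0x4000, 0x0200, 0x2400),
]


def build_section_table(rows=SECTION_ROWS):
    """Pack the rows into raw IMAGE_SECTION_HEADER bytes (remaining fields zero)."""
    return b"".join(SECTION_HDR.pack(name, vsize, rva, rawsize, rawptr, 0, 0, 0, 0, 0)
                    for name, vsize, rva, rawsize, rawptr in rows)


def parse_section_table(blob, count):
    """Unpack `count` section headers from `blob` into dictionaries."""
    sections = []
    for i in range(count):
        name, vsize, rva, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(blob, i * SECTION_HDR.size)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "rva": rva,
                         "vsize": vsize, "raw": rawptr, "rawsize": rawsize})
    return sections


def va_to_file_offset(va, sections, image_base=IMAGE_BASE):
    """File offset = VA - image base - (section RVA - section raw pointer); None if unmapped."""
    rva = va - image_base
    for s in sections:
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["rawsize"]):
            return rva - (s["rva"] - s["raw"])
    return None


def build_demo_image():
    """Constructed file image: zeros except for a jz short +0Fh at file offset 0x10D5."""
    image = bytearray(0x2600)
    image[0x10D5:0x10D7] = bytes([0x74, 0x0F])  # 0x74 = jz, rel8 0x0F reaches 0x4010E6
    return bytes(image)


BRANCH_OPCODES = {0x74: "jz", 0x75: "jnz"}  # the two opcodes the page discusses


def branch_at_va(image, sections, va):
    """Sanity check before editing: return the mnemonic of the short branch at `va`, or None."""
    off = va_to_file_offset(va, sections)
    if off is None or off >= len(image):
        return None
    return BRANCH_OPCODES.get(image[off])


if __name__ == "__main__":
    secs = parse_section_table(build_section_table(), len(SECTION_ROWS))
    for va in (0x004010D5, 0x00403010, 0x00405000):
        print(hex(va), "->", va_to_file_offset(va, secs))
    print(branch_at_va(build_demo_image(), secs, 0x004010D5))
```

The .rdata row is the case the one-line arithmetic on the page hides: when the linker's file alignment is smaller than its section alignment, the raw pointer no longer equals the RVA and the delta is not zero, so the section table must be consulted rather than assumed. Checking that the byte at the computed offset really is 0x74 before changing anything is the cheap guard against editing the wrong byte.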
Changing the 74 at that offset to 75 with WinHex achieves the goal. Result: before the change only the correct password passed; afterwards the correct password is rejected and every other input passes.
Simple reverse engineering, part one.