目標:通過直接修改二進制讓下面的代碼輸出 jail break success
$cat main.c
#include <stdio.h>
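/* Returns a fixed non-zero sentinel (0xf3f3) so that main() takes the
 * "fail" branch unless the immediate encoded in the binary is changed.
 * Declared with (void): the original `int test()` is an old-style
 * declaration with no prototype, so the compiler would not reject a
 * call that passes arguments. Callers using `test()` are unaffected. */
int test(void) {
    return 0xf3f3;
}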
/* Entry point: prints which branch the return value of test() selects.
 * Only a zero return from test() reaches the "success" message.
 * argc and argv are not used. */
int main(int argc, const char *argv[])
{
    (void)argc;
    (void)argv;

    int rc = test();
    if (rc != 0) {
        printf("jail break fail\n");
    } else {
        printf("jail break success\n");
    }
    return 0;
}
工具:otool、二進制編輯器、gdb
首先看二進制文件的text段基本信息,例如文件中的偏移,內存的載入地址。
根據這些信息,結合反彙編信息,就能推導出返回值0xf3f3的地址,然後直接用二進制編輯器修改之即可。
$otool -l a.out
....
Section
sectname __text
segname __TEXT
addr 0x0000000100000f00
size 0x0000000000000064
offset 3840
align 2^4 (16)
reloff 0
nreloc 0
flags 0x80000400
reserved1 0
reserved2 0
Section
二進制text段:
$otool -t a.out
a.out:
(__TEXT,__text) section
0000000100000f00 55 48 89 e5 b8 f3 f3 00 00 5d c3 0f 1f 44 00 00
0000000100000f10 55 48 89 e5 48 83 ec 20 c7 45 fc 00 00 00 00 89
0000000100000f20 7d f8 48 89 75 f0 e8 d5 ff ff ff 31 ff 39 c7 0f
0000000100000f30 85 16 00 00 00 48 8d 3d 4a 00 00 00 b0 00 e8 21
0000000100000f40 00 00 00 89 45 ec e9 11 00 00 00 48 8d 3d 48 00
0000000100000f50 00 00 b0 00 e8 0b 00 00 00 89 45 e8 31 c0 48 83
0000000100000f60 c4 20 5d c3
反彙編:
$otool -tV a.out
a.out:
(__TEXT,__text) section
_test:
0000000100000f00 pushq %rbp
0000000100000f01 movq %rsp, %rbp
0000000100000f04 movl $0xf3f3, %eax ## imm = 0xF3F3
0000000100000f09 popq %rbp
0000000100000f0a retq
0000000100000f0b nopl (%rax,%rax)
_main:
0000000100000f10 pushq %rbp
0000000100000f11 movq %rsp, %rbp
0000000100000f14 subq $0x20, %rsp
0000000100000f18 movl $0x0, -0x4(%rbp)
0000000100000f1f movl %edi, -0x8(%rbp)
0000000100000f22 movq %rsi, -0x10(%rbp)
0000000100000f26 callq _test
0000000100000f2b xorl %edi, %edi
0000000100000f2d cmpl %eax, %edi
0000000100000f2f jne 0x100000f4b
0000000100000f35 leaq 0x4a(%rip), %rdi ## literal pool for: "jail break success\n"
0000000100000f3c movb $0x0, %al
0000000100000f3e callq 0x100000f64 ## symbol stub for: _printf
0000000100000f43 movl %eax, -0x14(%rbp)
0000000100000f46 jmp 0x100000f5c
0000000100000f4b leaq 0x48(%rip), %rdi ## literal pool for: "jail break fail\n"
0000000100000f52 movb $0x0, %al
0000000100000f54 callq 0x100000f64 ## symbol stub for: _printf
0000000100000f59 movl %eax, -0x18(%rbp)
0000000100000f5c xorl %eax, %eax
0000000100000f5e addq $0x20, %rsp
0000000100000f62 popq %rbp
0000000100000f63 retq
計算出文件偏移(段的 offset 加上指令地址相對段 addr 的差:立即數 0xf3f3 位於 0x100000f05,即 3840 + 5 = 3845 = 0xf05)後,用二進制編輯器直接修改之。保存,再運行。成功~
http://stevenygard.com/projects/class-dump/
http://pandara.xyz/2016/08/13/fake_wechat_location/
http://bbs.iosre.com/
Hopper Disassembler 見網盤-》我的軟件