通过自我修改code动态模糊 [英] Dynamic obfuscation by self-modifying code

问题描述

下面发生了什么我试图做的：

Here what's i am trying to do:

假设你有两个fonction

assume you have two fonction

void f1(int *v)
{
   *v = 55;
}
void f2(int *v)
{
   *v = 44;
}

char *template;
template = allocExecutablePages(...);

char *allocExecutablePages (int pages)
{
    template = (char *) valloc (getpagesize () * pages);
    if (mprotect (template, getpagesize (),
        PROT_READ|PROT_EXEC|PROT_WRITE) == -1) {
            perror ("mprotect");
    }
}

我愿做f1和f2之间的比较（所以分不清什么是相同的，什么是不）（所以得到这些功能的装配生产线，并通过线比较的线）
然后把这些线在我的模板。

I would like to do a comparison between f1 and f2 (so tell what is identical and what is not) (so get the assembly lines of those function and make a line by line comparison) And then put those line in my template.

有没有用C的方式来做到这一点？

Is there a way in C to do that?

感谢

感谢对你解答这些家伙，但也许我还没有正确地解释了我的需求。

Thank's for all you answers guys but maybe i haven't explained my need correctly.

基本上我想写一点点模糊的方法。
该想法在于让两个或多个功能在存储器共享同一位置。内存区域（我们称之为一个模板）设置包含一些
从功能机code字节，更具体地讲，那些他们都
有共同点。被执行特定功能之前，一个编辑脚本用于
修补模板提供必要的机器code字节创建
该函数的完整版本。当另一功能分配给同一
模板是即将执行，该过程重复，此时用一个
不同的编辑脚本。为了说明这一点，假设您想要一个混淆
方案，包含两个函数f1和f2。第一个（F1）具有
以下机床code字节

basically I'm trying to write a little obfuscation method. The idea consists in letting two or more functions share the same location in memory. A region of memory (which we will call a template) is set up containing some of the machine code bytes from the functions, more specifically, the ones they all have in common. Before a particular function is executed, an edit script is used to patch the template with the necessary machine code bytes to create a complete version of that function. When another function assigned to the same template is about to be executed, the process repeats, this time with a different edit script. To illustrate this, suppose you want to obfuscate a program that contains two functions f1 and f2. The first one (f1) has the following machine code bytes

Address Machine code
0          10
1          5
2          6
3          20
and the second one (f2) has
Address Machine code
0          10
1          9
2          3
3          20
At obfuscation time, one will replace f1 and f2 by the template
Address Machine code
0           10
1           ?
2           ? 
3           20
and by the two edit scripts e1 = {1 becomes 5, 2 becomes 6} and e2 = {1
becomes 9, 2 becomes 3}.


#include <stdlib.h>
#include <string.h>

typedef unsigned int uint32;
typedef char * addr_t;

typedef struct {
uint32 offset;
char value;
} EDIT;

EDIT script1[200], script2[200];
char *template;
int template_len, script_len = 0;
typedef void(*FUN)(int *);
int val, state = 0;

void f1_stub ()
{
if (state != 1) {
patch (script1, script_len, template);
state = 1;
}
((FUN)template)(&val);
}

void f2_stub () {
if (state != 2) {
patch (script2, script_len, template);
state = 2;
}
((FUN)template)(&val);
}

int new_main (int argc, char **argv)
{
f1_stub ();
f2_stub ();
return 0;
}

void f1 (int *v) { *v = 99; }
void f2 (int *v) { *v = 42; }

int main (int argc, char **argv)
{
int f1SIZE, f2SIZE;
/* makeCodeWritable (...); */
/* template = allocExecutablePages(...); */
/* Computed at obfuscation time */
diff ((addr_t)f1, f1SIZE,
(addr_t)f2, f2SIZE,
script1, script2,
&script_len,
template,
&template_len);
/* We hide the proper code */
memset (f1, 0, f1SIZE);
memset (f2, 0, f2SIZE);
return new_main (argc, argv);
}

所以，我现在需要编写差异的功能。将带我的两个函数的地址，这将产生与相关联的脚本的模板。

So i need now to write the diff function. that will take the addresses of my two function and that will generate a template with the associated script.

所以这就是为什么我想字节比较字节我的两个功能

So that is why i would like to compare bytes by bytes my two function

对不起，我的第一篇文章是谁不是很理解！

Sorry for my first post who was not very understandable!

感谢您

推荐答案

你想在运行时或在作者要做到这一点？

Do you want to do this at runtime or during authorship?

您或许可以指导你的C编译器生成汇编语言输出，例如GCC有哪些会产生输出file.s你的编译器套件还可以有像objdump的一个程序，它可以反编译目标文件或整个-S选项可执行文件。然而，你通常要离开优化到一个现代化的编译器，而不是自己做。

You can probably instruct your C compiler to produce assembly language output, for example gcc has the -S option which will produce output in file.s Your compiler suite may also have a program like objdump which can decompile an object file or entire executable. However, you generally want to leave optimizations up to a modern compiler rather than do it yourself.

在运行时，与放大器;操作者可以采取函数的地址，你可以通过它阅读，但你必须要ppared对什么有趣之前遇到分支指令的可能性$ P $，所以你确实有以编程方式理解至少有一个子集的指令集。你将运行读函数指针，当进入当然会得到处都是用机器，ABI，编译器优化标志等。

At runtime the & operator can take the address of a function and you can read through it, though you have to be prepared for the possibility of encountering a branch instruction before anything interesting, so you actually have to programatically "understand" at least a subset of the instruction set. What you will run into when reading function pointers will of course vary all over the place by machine, ABI, compiler, optimization flags, etc.

这篇关于通过自我修改code动态模糊的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！