Problem description
This question is for Intel x86 assembly experts to answer. Thanks in advance for your effort!
I am analysing a binary file that matches Mach-O 64-bit x86 assembly. I am currently using 64-bit macOS. The assembly comes from objdump.
The problem is that when I was learning assembly, I could see variable names like "$xxx", I could see string values in ASCII, and I could also see callee names like "call _printf".
But in this assembly, I get none of the above:
- No main function:
Disassembly of section __TEXT,__text:
__text:
100000c90: 55 pushq %rbp
100000c91: 48 89 e5 movq %rsp, %rbp
100000c94: 48 83 ec 10 subq $16, %rsp
100000c98: 48 8d 3d bf 02 00 00 leaq 703(%rip), %rdi
100000c9f: b0 00 movb $0, %al
100000ca1: e8 68 02 00 00 callq 616
100000ca6: 89 45 fc movl %eax, -4(%rbp)
100000ca9: 48 83 c4 10 addq $16, %rsp
100000cad: 5d popq %rbp
100000cae: c3 retq
100000caf: 90 nop
100000cb0: 55 pushq %rbp
...
The above is the code frame that will be executed, but I have no idea where it is executed.
Also, I am a newbie to AT&T assembly. Hence, could you tell me the meaning of these instructions:
0000000100000c90 pushq %rbp
0000000100000c98 leaq 0x2bf(%rip), %rdi ## literal pool for: "xxxx\n"
...
0000000100000cd0 callq 0x100000c90
Is it a loop? I am not sure, but it seems to be. And why do they use the %rip and %rdi registers? In Intel x86 I know that EIP represents the current caller address, but I don't understand the meaning here.
- Call integer: no matter what calling convention they used, I have never seen a code pattern like "call 616":
"100000cd0: e8 bb ff ff ff callq -69 <__mh_execute_header+C90>"
- After ret: ret in Intel x86 means delete the stack frame and return control flow to the caller. It should be an independent function. However, after this, we can see code like
100000cae: c3 retq
100000caf: 90 nop
/* new function call */
100000cb0: 55 pushq %rbp
...
That's ridiculous!
- ASCII strings lost: I have already viewed the binary in hexadecimal format and recognised some ASCII strings before reversing it to an asm file.
However, in this file there are no ASCII string occurrences!
- Total architecture review:
Disassembly of section __TEXT,__text:
__text:
from address 100000c90 to 100000ef6, 145 lines
Disassembly of section __TEXT,__stubs:
__stubs:
from address 100000efc to 100000f14, 5 lines of asm code:
100000efc: ff 25 16 01 00 00 jmp qword ptr [rip + 278]
100000f02: ff 25 18 01 00 00 jmp qword ptr [rip + 280]
100000f08: ff 25 1a 01 00 00 jmp qword ptr [rip + 282]
100000f0e: ff 25 1c 01 00 00 jmp qword ptr [rip + 284]
100000f14: ff 25 1e 01 00 00 jmp qword ptr [rip + 286]
Disassembly of section __TEXT,__stub_helper:
__stub_helper:
...
Disassembly of section __TEXT,__cstring:
__cstring:
...
Disassembly of section __TEXT,__unwind_info:
__unwind_info:
...
Disassembly of section __DATA,__nl_symbol_ptr:
__nl_symbol_ptr:
...
Disassembly of section __DATA,__got:
__got:
...
Disassembly of section __DATA,__la_symbol_ptr:
__la_symbol_ptr:
...
Disassembly of section __DATA,__data:
__data:
...
Since it might be a virus, I cannot execute it. How should I analyse it?
I have already identified where the output is, and if I totally understand the data flow pipeline represented in this program, I might be able to figure out the possible solutions.
I would appreciate it if someone could give me a detailed explanation. Thank you!
I installed macOS in VirtualBox and, after setting the permissions with chmod, I executed the program, but nothing special happened except for two lines of output. And the result is hidden in the binary file.
Recommended answer
- You don't need a main if you are not using C. The binary header contains the entry point address.
- Nothing special about call 616, it's just that you don't have (all) symbols. It's somewhat strange that objdump didn't calculate the address for you, but it should be 0x100000ca6+616.
- Not sure what you find ridiculous there. One function ends, another starts.
- That's not a question. Yes, you can create strings at runtime so you won't have them in the image. Possibly they are encrypted.
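Two points in the answer, that the target of "callq 616" is 0x100000ca6+616 and that the entry point lives in the binary header, can be checked mechanically rather than by hand. The Python below is an added example and is not code from the question or the answer. It decodes the RIP-relative displacement from the instruction bytes of four lines copied from the question's objdump listing (x86-64 measures such displacements from the address of the next instruction, which is why objdump's bare "616" looks odd), cross-checks the decoded value against the number objdump printed, and walks the load commands of a Mach-O header to find LC_MAIN. The real binary is not available, so the header is constructed here as test data, and the assumption that the __TEXT segment is mapped at 0x100000000 with file offset 0 is stated in the code.

```python
"""Resolve RIP-relative operands from an objdump listing and read a Mach-O
entry point from its load commands (added example, not from the original post)."""
import re
import struct

# Constructed input: four instruction lines copied from the objdump listing in
# the question (addresses and encoded bytes exactly as printed there).
LISTING = """\
100000c98: 48 8d 3d bf 02 00 00 leaq 703(%rip), %rdi
100000ca1: e8 68 02 00 00 callq 616
100000cd0: e8 bb ff ff ff callq -69
100000efc: ff 25 16 01 00 00 jmp qword ptr [rip + 278]
"""

MH_MAGIC_64 = 0xFEEDFACF   # little-endian 64-bit Mach-O magic
LC_UUID = 0x1B
LC_MAIN = 0x80000028       # entry point load command (LC_REQ_DYLD | 0x28)


def parse_line(line):
    """Split one objdump line into (address, encoded bytes, mnemonic text)."""
    addr_str, rest = line.split(":", 1)
    tokens = rest.split()
    raw = bytearray()
    while tokens and re.fullmatch(r"[0-9a-f]{2}", tokens[0]):
        raw.append(int(tokens.pop(0), 16))
    return int(addr_str, 16), bytes(raw), " ".join(tokens)


def rip_relative_target(addr, raw):
    """Decode the three RIP-relative encodings that appear in the listing.

    target = address of the next instruction + sign-extended disp32.
    objdump printed only the raw displacement (e.g. "callq 616"), so the
    absolute target has to be recovered this way.
    """
    next_ip = addr + len(raw)
    if raw[0] == 0xE8:                                   # call rel32
        return "call", next_ip + struct.unpack_from("<i", raw, 1)[0]
    if raw[:2] == b"\xff\x25":                           # jmp qword ptr [rip+disp32]
        return "jmp-indirect", next_ip + struct.unpack_from("<i", raw, 2)[0]
    if raw[0] & 0xF0 == 0x40 and raw[1] == 0x8D and raw[2] & 0xC7 == 0x05:
        # REX-prefixed lea r64, [rip+disp32]: ModRM mod=00, rm=101 means RIP-relative
        return "lea", next_ip + struct.unpack_from("<i", raw, 3)[0]
    raise ValueError(f"unsupported encoding at {addr:#x}: {raw.hex()}")


def resolve_listing(listing=LISTING):
    """Map each instruction address to (kind, absolute target), and check that
    the displacement decoded from the bytes equals the number objdump printed."""
    resolved = {}
    for line in listing.splitlines():
        addr, raw, text = parse_line(line)
        kind, target = rip_relative_target(addr, raw)
        printed = int(re.search(r"-?\d+", text).group())
        if target - (addr + len(raw)) != printed:
            raise ValueError(f"displacement mismatch at {addr:#x}")
        resolved[addr] = (kind, target)
    return resolved


def entry_point_offset(image):
    """Walk the load commands of a 64-bit Mach-O image and return LC_MAIN's
    entryoff (file offset of the first instruction), or None if absent."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _reserved = \
        struct.unpack_from("<8I", image, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O image")
    offset = 32                                          # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", image, offset)
        if cmd == LC_MAIN:
            entryoff, _stacksize = struct.unpack_from("<QQ", image, offset + 8)
            return entryoff
        offset += cmdsize
    return None


def build_sample_header(entryoff):
    """Construct a minimal Mach-O header carrying an LC_UUID and an LC_MAIN.
    This is test data built here, not bytes from the binary in the question."""
    uuid_cmd = struct.pack("<II16s", LC_UUID, 24, b"\x00" * 16)
    main_cmd = struct.pack("<IIQQ", LC_MAIN, 24, entryoff, 0)
    cmds = uuid_cmd + main_cmd
    # cputype CPU_TYPE_X86_64, cpusubtype ALL, filetype MH_EXECUTE, ncmds=2
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 2, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    for addr, (kind, target) in resolve_listing().items():
        print(f"{addr:#x}: {kind:<12} -> {target:#x}")
    # Assumption: __TEXT is mapped at 0x100000000 with file offset 0, the usual
    # layout for an x86-64 executable before the ASLR slide, so entryoff 0xC90
    # corresponds to the __text start 0x100000c90 shown in the question.
    entryoff = entry_point_offset(build_sample_header(0xC90))
    print(f"LC_MAIN entryoff {entryoff:#x} -> {0x100000000 + entryoff:#x}")
```

Running it shows that "callq 616" resolves to 0x100000f0e, which is the fourth entry in the __stubs listing of the question; in the usual Mach-O layout such a stub jumps through a pointer slot that dyld fills in lazily, so the callee is an imported function whose name only appears once the symbol or binding information is loaded, which objdump did not print here. "callq -69" resolves back to 0x100000c90, the start of the first function, matching the "<__mh_execute_header+C90>" annotation, and "leaq 703(%rip)" resolves to 0x100000f5e, the address otool labelled as the literal pool for "xxxx\n". On a real file, `otool -l <binary>` prints the LC_MAIN command with the same entryoff field.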