Day27 - 防止被 Debugger 逆向

昨天有尝试将验证字串编码，但还是容易被逆向找到程序逻辑并绕过。今天尝试透过 Fuzzing 将程序位元反转使得 Debugger 无法逆向。

目标：

如下图，Bash 可以直接执行该程序，而 GDB 与 Radare 2 无法开启。

方法

使用 Fuzzing 以达成 Parser Differential Attack

Parser Differential Attack 是什麽？

makes modifications to the ELF file such that it will still execute fine, but the disassembler/debugger will not work properly if you loads a binary into it. Similar techniques can be done on other file format like Portable Executable (PE) as well.

Reference

实作

透过比对被 fuzzing (将随机位元交换)档案的 output，达到可以执行原本程序，但无法使用 Debugger 开启。

import random
import os

os.system("cp license_2 license_2_fuzz")

def flip_byte(in_bytes):
    i = random.randint(0,len(in_bytes))
    c = chr(random.randint(0,0xFF))
    return in_bytes[:i]+c+in_bytes[i+1:]

def copy_binary():
    with open("license_2", "rb") as orig_f, open("license_2_fuzz", "wb") as new_f:
        new_f.write(flip_byte(orig_f.read()))

def compare(fn1, fn2):
    with open(fn1) as f1, open(fn2) as f2:
        return f1.read()==f2.read()

def check_output():
    os.system("(./license_2_fuzz ; ./license_2_fuzz AAAA-Z10N-42-OK) > fuzz_output")
    return compare("orig_output", "fuzz_output")


def check_gdb():
    os.system("echo disassemble main | gdb license_2_fuzz > fuzz_gdb")
    return compare("orig_gdb", "fuzz_gdb")

def check_radare():
    os.system('echo -e "aaa\ns sym.main\npdf" | r2 license_2_fuzz > fuzz_radare')
    return compare("orig_radare", "fuzz_radare")

while True:
    copy_binary()
    if check_output() and not check_gdb() and not check_radare():
        print "FOUND POSSIBLE FAIL\n\n\n"
        os.system("tail fuzz_gdb")
        os.system("tail fuzz_radare")
        raw_input()

GDB 无法逆向(如下图)
我们可以发现，在 GDB 使用 info func 与 disassemble main 都无法执行了。