Re: OSS driver removal, 2nd round

>> 
>> We do not reverse engineer the .text section, but change the .dynstr 
>> section that is specific to the ELF format. I doubt any app out there md5s 
>> itself.
>
>It's possible.  They certainly try very hard to thwart reverse
>engineers.
>
>http://www.secdev.org/conf/skype_BHEU06.handout.pdf
>

Here is your POC for the manipulation of dynstr (and therefore, interception of
library calls without interfering with redefining/overridden libc names like
memory debuggers and AOSS do).

skype-1.2.0.18.tar.bz2

.dynsym table (0x2f80), as printed per "HT"
0130 global   func     00000000 0000007c *undefined  writ
05b9 global   func     00000000 0000007c *undefined  open
074d global   func     00000000 0000007c *undefined  read

.dynsym table (absaddr 0x2f80):
ofs     absaddr stringptr
+0x0130 0x4280  0xe0c0
+0x05b9 0x8b10  0xddbc
+0x074d 0xa450  0xdff0

.dynstr table (absaddr 0xa750):
ofs     absaddr name
+0xe0c0 0x18810 write
+0xddbc 0x1850c open  (note it is part of "fdopen")
+0xdff0 0x18740 read

Change to w2ite, o2en, r2ad. Implement w2ite(), o2en(), r2ad() and fdo2en() in
an extra library. Load that via LD_PRELOAD.

---extra.c---
/* Wrappers for the renamed imports. Each one calls the real libc function,
 * logs the call, and passes the result through unchanged. */
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* open(2) is variadic; the third argument is only meaningful when O_CREAT is
 * set, otherwise the value logged here is whatever the caller left there. */
int o2en(const char *path, int flags, mode_t mode) {
    int ret = open(path, flags, mode);
    printf("open(\"%s\", %x, %04o) = %d\n", path, flags, (int)mode, ret);
    return ret;
}

FILE *fdo2en(int fd, const char *mode) {
    FILE *ret = fdopen(fd, mode);
    printf("fdopen(%d, \"%s\") = %p\n", fd, mode, (void *)ret);
    return ret;
}

ssize_t r2ad(int fd, void *buf, size_t count) {
    ssize_t ret = read(fd, buf, count);
    printf("read(%d, %p, %zu) = %zd\n", fd, buf, count, ret);
    return ret;
}

ssize_t w2ite(int fd, const void *buf, size_t count) {
    ssize_t ret = write(fd, buf, count);
    printf("write(%d, %p, %zu) = %zd\n", fd, buf, count, ret);
    return ret;
}

---eof---
11:21 linux01:~ > cc extra.c -Wall -o extra.so -shared
11:21 linux01:~ > export LD_PRELOAD=$PWD/extra.so
write(4, 0xbfffe82b, 1) = 1
write(4, 0x8a211d0, 26) = 26
read(4, 0x8a27620, 2048) = 4
write(4, 0x8a211d0, 7) = 7
read(4, 0x8a31750, 2048) = 260
read(4, 0x8a31f60, 2048) = -1
read(4, 0x8a31f60, 2048) = 82
read(4, 0x8a32770, 2048) = -1
read(4, 0x8a32770, 2048) = 256
read(4, 0x8a31f60, 2048) = -1
open("/home/jengelh/.Skype/shared.lck", 8041, 0777) = 8
open("/home/jengelh/.Skype/shared.xml", 8000, 0777) = 9
read(9, 0x8a3c900, 168) = 168
open("/dev/urandom", 0, 0004) = 8
read(8, 0xbfffe760, 8) = 8
open("/dev/urandom", 0, 0004) = 8
read(8, 0xbfffe760, 8) = 8
open("/dev/urandom", 0, 1051125610) = 8
read(8, 0xbfffe7a0, 8) = 8
open("/dev/urandom", 0, 1051131340) = 8
read(8, 0xbfffe7a0, 8) = 8


W.W.W.W.W.


Jan Engelhardt
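As an added example from the defender's side (not code from the post or from Skype), here is a small Python check for the trace such a .dynstr edit leaves behind: an undefined function import whose name is one or two edits away from a real libc name. It parses `readelf --dyn-syms` style output; the libc name list and the readelf lines below are constructed samples.

```python
import re
from typing import Dict, List

# Constructed subset of names a libc-linked program may legitimately import.
KNOWN_IMPORTS = {"open", "fdopen", "read", "write", "close", "malloc", "free",
                 "printf", "memcpy", "strlen", "socket", "connect"}

# Constructed sample in the layout of `readelf --dyn-syms`; not real output.
SAMPLE_READELF = """\
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     1: 00000000   124 FUNC    GLOBAL DEFAULT  UND w2ite
     2: 00000000   124 FUNC    GLOBAL DEFAULT  UND o2en
     3: 00000000   124 FUNC    GLOBAL DEFAULT  UND fdo2en
     4: 00000000   124 FUNC    GLOBAL DEFAULT  UND close
     5: 00000000   124 FUNC    GLOBAL DEFAULT  UND malloc
     6: 00004280   124 FUNC    GLOBAL DEFAULT   14 main
"""

# Matches only undefined (UND) FUNC symbols, i.e. imports resolved at load time.
SYM_RE = re.compile(r"^\s*\d+:\s+[0-9a-f]+\s+\d+\s+FUNC\s+\S+\s+\S+\s+UND\s+(\S+)")

def undefined_funcs(readelf_text: str) -> List[str]:
    """Names of undefined FUNC symbols, in table order."""
    return [m.group(1) for line in readelf_text.splitlines()
            if (m := SYM_RE.match(line))]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss names like w2ite/write."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_imports(readelf_text: str, known=KNOWN_IMPORTS) -> Dict[str, str]:
    """Map each unknown import to the known name it resembles (distance <= 2)."""
    out = {}
    for name in undefined_funcs(readelf_text):
        if name in known:
            continue
        best = min(known, key=lambda k: edit_distance(name, k))
        if edit_distance(name, best) <= 2:
            out[name] = best
    return out

if __name__ == "__main__":
    for bad, like in suspicious_imports(SAMPLE_READELF).items():
        print(f"{bad}: looks like a renamed '{like}' import")
```

Imports that are neither known nor near a known name are not reported here; on a real binary you would widen the allowlist to the exported symbols of the libraries in DT_NEEDED.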
-- 

_______________________________________________
Alsa-devel mailing list
Alsa-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/alsa-devel
