a demo show how to dump lldb info to ida.

Overview

用一个demo来聊聊动态trace

这个仓库能做什么?

帮助理解动态trace的思想。仓库内的demo,可操作,可实践。

动态trace核心思想:

动态记录一个函数内每一条指令的执行中产生的信息,并导入IDA,用来弥补IDA等静态分析工具的不足。

反编译看一下

  • 先clone仓库,把hellolldb.app拖到IDA里分析一下。这个hellolldb.app是我自己造的demo。demo只有按钮,点击按钮之后会触发回调onBtnClick,回调里会弹个窗,并打印一行log。我手动对demo加了一些常见的混淆。下面的截图是混淆后的代码。自己逆一下自己的demo,IDA7.0 :

    • Function Window里看不到函数名
    • 有DCQ
    • 有br切开整个函数的body
    • 整个函数(开头结尾)没被识别,无法F5

    1

开始动态执行:

把helllolldb.app拖到MonkeyDev里,并且在onBtnClick下个断点。点击按钮,断点断住。

把lldb-trace里的导出json的路径改成你自己的:

26	filename = "/Users/bliss_ddo/Desktop/%d.json"%(time.time())

输入script 进入交互式脚本执行环境:

(lldb)script

在交互式环境导入lldb-trace.py

exec(open('/Users/bliss_ddo/Desktop/lldb2ida/lldb-trace.py').read())

执行脚本里的函数:

 Tracer().tracehere(True)

2

回车,执行,得到一份运行时的json。把json改个名,叫1.json

这个脚本做了什么?

  • 记录函数的开头和结尾(后续在IDA里修复函数)
  • 对每一行指令打个断点,并注册断点hit的回调。
    • 记录每一行指令的内存地址,值
    • 对于br指令,记录读取br后寄存器的值,用来修复成b指令
    • 记录断点hit的count,后续修复用。
  • 找到当前断点的上级,也就是lr寄存器的值,在这个地方断点并注册回调,用来标记trace结束。trace结束时,把上述的运行记录导出到一份json里。

看一下json里的内容

用json-formatter.py来看一下这个json里的内容,终端运行

python /Users/bliss_ddo/Desktop/lldb2ida/json-formatter.py

3

第一列,index,

第二列,激发次数

第三列,带aslr的地址

第四列,不带aslr的地址

第五列,汇编助记词和操作数

第六列,内存里的值

第n列,任何逆向trace的值,脚本自己扩展

把这个JSON搞到IDA里

打开IDA,在下方的交互式环境里输入

 exec(open('/Users/bliss_ddo/Desktop/lldb2ida/ida-fix.py').read())

4

脚本做了什么事?看脚本的最后几行。

fixer = Fixer("/Users/bliss_ddo/Desktop/1.json") //读取动态trace的json
fixer.processJSON() //解析一下
fixer.fix_function_range() // 调用idc的函数,重新确定函数开始和结尾
fixer.fix_br() // 判断br的寄存器值是否落在函数内,如果在函数内,将其修复成b (reg-pc) b的计算规则见下文
fixer.fix_unknow_as_nop() // 讲DCQ里无法被mark as code的变成nop
# fixer.fix_unexec_as_nop() // 这句比较危险,把没被执行的代码变成nop,可以去掉虚假控制流,当然也有可能误杀。在逆一些签名加密之类的比较管用。这里就认为动态执行的路径,就是最最最正确的路径
# fixer.restore() //出错的时候的时候把IDA恢复回去。。。

记得把patch应用到原来的二进制里

IDA菜单-->Edit-->Patch program --> Apply.......

再次再MonkeyDev里运行一下修复后的二进制,ok能用。

后记

也就仅仅是用手头工具做了个demo。

这个过程中调研了很多的工具,也涨了很多姿势,工具没有十分趁手的,就自己做了个小demo。

道阻且长,一起加油。

You might also like...
A Django web application that shortens long URLs. This is a demo project to show off my tech abilities.
A Django web application that shortens long URLs. This is a demo project to show off my tech abilities.

Django URL Shortener This project is just a complete and production-ready URL shortener web application to show off my tech and coding abilities. Impo

ONNX Runtime Web demo is an interactive demo portal showing real use cases running ONNX Runtime Web in VueJS.

ONNX Runtime Web demo is an interactive demo portal showing real use cases running ONNX Runtime Web in VueJS. It currently supports four examples for you to quickly experience the power of ONNX Runtime Web.

A bot to use in a pump & dump event
A bot to use in a pump & dump event

A bot to use in a pump & dump event on Binance.com. Please note the bot is in heavy devleopment currently so be aware of errors. If you experience err

Aggrokatz is an aggressor plugin extension for Cobalt Strike which enables pypykatz to interface with the beacons remotely and allows it to parse LSASS dump files and registry hive files to extract credentials and other secrets stored without downloading the file and without uploading any suspicious code to the beacon. Accurately dump Commodore 64 tapes
Accurately dump Commodore 64 tapes

TrueTape64 A cheap, easy to build adapter to interface a Commodore 1530 (C2N) Datasette to your PC to dump and preserve your aging Commodore 64 softwa

Raganarok X: Next Generation Data Dump

Raganarok X Data Dump Raganarok X: Next Generation Data Dump More interesting Files File Name Contains en_langs All the variables you need in English

Script for automatic dump and brute-force passwords using Volatility Framework
Script for automatic dump and brute-force passwords using Volatility Framework

Volatility-auto-hashdump Script for automatic dump and brute-force passwords using Volatility Framework

Cross-platform MachO/ObjC Static binary analysis tool & library. class-dump + otool + lipo + more

ktool Static Mach-O binary metadata analysis tool / information dumper pip3 install k2l Development is currently taking place on the @python3.10 branc

details on efforts to dump the Watermelon Games Paprium cart
details on efforts to dump the Watermelon Games Paprium cart

Reminder, if you like these repos, fork them so they don't disappear https://github.com/ArcadeHustle/WatermelonPapriumDump/fork Big thanks to Fonzie f

Simple tools to make/dump CPC+ CPR cartridge files

Simple tools to make/dump CPC+ CPR cartridge files mkcpr.py: make a CPR file from files (one chunk per file); see notes cprdump.py: dump the chunks of

HDLG is a modern cross-platform GUI for hdl-dump with Batch installation capabilities.

HDLG is a modern cross-platform GUI for hdl-dump with Batch installation capabilities. Looking for Artwork This project is looking for an Icon an

Dump Data from FTDI Serial Port to Binary File on MacOS

Dump Data from FTDI Serial Port to Binary File on MacOS

Automatically load and dump your dataclasses 📂🙋

file dataclasses Installation By default, filedataclasses comes with support for JSON files only. To support other formats like YAML and TOML, filedat

A blind SQL injection script that uses binary search aka bisection method to dump datas from database.

Blind SQL Injection I wrote this script to solve PortSwigger Web Security Academy's particular Blind SQL injection with conditional responses lab. Bec

Wikidot-forum-dump - Simple Python script that dumps a Wikidot wiki forum into JSON structures.

wikidot-forum-dump Script is partially based on 2stacks by bluesoul: https://github.com/scuttle/2stacks To dump a Wiki's forum, edit config.py and put

Unauthenticated Sqlinjection that leads to dump data base but this one impersonated Admin and drops a interactive shell

Unauthenticated Sqlinjection that leads to dump database but this one impersonated Admin and drops a interactive shell

A simple python script to dump remote files through a local file read or local file inclusion web vulnerability.
A simple python script to dump remote files through a local file read or local file inclusion web vulnerability.

A simple python script to dump remote files through a local file read or local file inclusion web vulnerability. Features Dump a single file w

Pyhexdmp - Python hex dump module

Pyhexdmp - Python hex dump module

Backup dc registry - A simple POC that abuses Backup Operator privileges to remote dump SAM, SYSTEM, and SECURITY
Backup dc registry - A simple POC that abuses Backup Operator privileges to remote dump SAM, SYSTEM, and SECURITY

Backup Operator Registry Backup to Domain Compromise A simple POC that abuses Ba

Comments
  • lldb-trace.py 运行错误

    lldb-trace.py 运行错误

    循环报错: Traceback (most recent call last): File "temp.py", line 7, in lldb_autogen_python_bp_callback_func__184 TypeError: trace_callback() missing 1 required positional argument: 'internal_dict' Traceback (most recent call last): File "temp.py", line 7, in lldb_autogen_python_bp_callback_func__185 TypeError: trace_callback() missing 1 required positional argument: 'internal_dict' Traceback (most recent call last):

    删除掉trace_callback方法中的参数internal_dict 后,一直打印 br!!!!! 无法结束,也没有拿到log

    opened by timelessRecall 0
Owner
null
Python based tool to extract forensic info from EventTranscript.db (Windows Diagnostic Data)

EventTranscriptParser EventTranscriptParser is python based tool to extract forensically useful details from EventTranscript.db (Windows Diagnostic Da

P. Abhiram Kumar 24 Nov 18, 2022
Course-parsing - Parsing Course Info for NIT Kurukshetra

Parsing Course Info for NIT Kurukshetra Overview This repository houses code for

Saksham Mittal 3 Feb 3, 2022
use python script to fix vmp dump api in ida

FixVmpDump use python script to fix vmp dump api in ida. support x86 and x64. details in my blog: https://blog.csdn.net/yan_star/article/details/11279

null 97 Nov 2, 2022
D-810 is an IDA Pro plugin which can be used to deobfuscate code at decompilation time by modifying IDA Pro microcode.

Introduction fork from https://gitlab.com/eshard/d810 What is D-810 D-810 is an IDA Pro plugin which can be used to deobfuscate code at decompilation

Banny 30 Dec 6, 2022
A small POC plugin for launching dumpulator emulation within IDA, passing it addresses from your IDA view using the context menu.

Dumpulator-IDA Currently proof-of-concept This project is a small POC plugin for launching dumpulator emulation within IDA, passing it addresses from

Michael 9 Sep 21, 2022
HMLLDB is a collection of LLDB commands to assist in the debugging of iOS apps.

HMLLDB is a collection of LLDB commands to assist in the debugging of iOS apps. 中文介绍 Features Non-intrusive. Your iOS project does not need to be modi

mao2020 47 Oct 22, 2022
A simple IDA Pro plugin to show all HexRays decompiler comments written by user

XRaysComments A simple IDA Pro plugin to show all HexRays decompiler comments written by user Installation Copy the file xray_comments.py to the plugi

Nox 20 Dec 27, 2022
Python-Stock-Info-CLI: Get stock info through CLI by passing stock ticker.

Python-Stock-Info-CLI Get stock info through CLI by passing stock ticker. Installation Use the following command to install the required modules at on

Ayush Soni 1 Nov 5, 2021
SamrSearch - SamrSearch can get user info and group info with MS-SAMR

SamrSearch SamrSearch can get user info and group info with MS-SAMR.like net use

knight 10 Oct 6, 2022
Show Data: Show your dataset in web browser!

Show Data is to generate html tables for large scale image dataset, especially for the dataset in remote server. It provides some useful commond line tools and fully customizeble API reference to generate html table different tasks.

Dechao Meng 83 Nov 26, 2022