<< 6/20 >>
First Last

事例1 - PE を適当に読む

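  // Map every PE section at its preferred VMA and copy its raw bytes in.
  // The demo keeps all mappings RWX for simplicity; a real loader would set
  // PROT_* per section from its characteristics so code is never writable.
  fd = open("12-donn_beach.exe", O_RDONLY);
  if (fd < 0) {
    perror("open");
    exit(1);
  }
  for (int i = 0; sections[i].size; i++) {
    Section sec = sections[i];
    // MAP_FIXED silently replaces whatever is already mapped at sec.vma, so a
    // section table whose range overlaps this program's own memory would
    // clobber it; the section table is trusted here (NOTE(review): confirm).
    void *r = mmap((void *)sec.vma, roundup(sec.size),
                   PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, -1, 0);
    if (r == MAP_FAILED) {
      perror("mmap");
      exit(1);
    }
    if (lseek(fd, sec.off, SEEK_SET) == (off_t)-1) {
      perror("lseek");
      exit(1);
    }
    // read() may return fewer bytes than requested; a short read must not be
    // silently accepted, or a partially loaded section would later be executed.
    ssize_t got = read(fd, (void *)sec.vma, sec.size);
    if (got < 0 || got != (ssize_t)sec.size) {
      fprintf(stderr, "short read on section %d\n", i);
      exit(1);
    }
  }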

読んだら nm で調べておいたアドレスの関数を呼ぶ

  // Call the password-check routine at the address recorded from nm; the
  // return value is treated as a boolean (non-zero = accepted).
  typedef int (*check_fn)(const char *);
  check_fn check = (check_fn)0x40158d;
  int r = check(password);
  printf("%s\n", r ? "OK" : "FAIL");

厳密には引数の ABI が linux/windows で違うので ABI 変換が必要だけど