upx IDA UDF #0x10 crash

Arguments here: R0 = offset of l_info, R1 = 0x3BB0, R2 = the first 4 bytes of init
LOAD:000022B4 BL restore_core_regs ; crash site

2b8

EEC37000
0xeec5747c BL SUB_EEC573D4

EEC351A0 00 00 00 EF 7F 00 A0 E3 01 70 A0 E3 00 00 00 EF ................
EEC351B0 50 52 4F 54 5F 45 58 45 43 7C 50 52 4F 54 5F 57 PROT_EXEC|PROT_W
EEC351C0 52 49 54 45 20 66 61 69 6C 65 64 2E 0A 00 2D 2A RITE failed...-*
EEC351D0 00 00 00 00 73 46 01 3B 1B 06 89 08 1B 0E 89 00 ....sF.;........
EEC351E0 50 2B 11 D1 0E E0 04 39 42 58 13 01 00 00 00 00 P+......BX......
EEC351F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
EEC35200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

EEC351A0 00 00 00 EF 7F 00 A0 E3 01 70 A0 E3 00 00 00 EF ................
EEC351B0 50 52 4F 54 5F 45 58 45 43 7C 50 52 4F 54 5F 57 PROT_EXEC|PROT_W
EEC351C0 52 49 54 45 20 66 61 69 6C 65 64 2E 0A 00 2D 2A RITE failed...-*
EEC351D0 00 00 00 00 73 46 01 3B 1B 06 89 08 1B 0E 89 00 ....sF.;........
EEC351E0 50 2B 11 D1 0E E0 04 39 42 58 13 01 1B 0F 0B 2B P+......BX.....+
EEC351F0 08 D1 89 08 53 1A 89 00 12 0E 1B 02 12 06 1B 0A ....S...........
EEC35200 1A 43 42 50 00 29 EE D1 70 47 00 B5 00 00 00 00 .CBP.)...G......
EEC35210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

libdu.so:EEC57418 MOVS R2, #0
libdu.so:EEC5741A MOVS R7, #0xF0002 ; R7 = __ARM_NR_cacheflush (0x0F0000 + 2); IDA folds the MOVS/LSLS/ADDS triple (0F 27 3F 04 02 37) into one line
libdu.so:EEC57420 SVC 0 ; cacheflush(start=R0, end=R1, flags=R2=0)
libdu.so:EEC57422 BX LR

EEC351B0 50 52 4F 54 5F 45 58 45 43 7C 50 52 4F 54 5F 57 PROT_EXEC|PROT_W
EEC351C0 52 49 54 45 20 66 61 69 6C 65 64 2E 0A 00 2D 2A RITE failed...-*
EEC351D0 00 00 00 00 73 46 01 3B 1B 06 89 08 1B 0E 89 00 ....sF.;........
EEC351E0 50 2B 11 D1 0E E0 04 39 42 58 13 01 1B 0F 0B 2B P+......BX.....+
EEC351F0 08 D1 89 08 53 1A 89 00 12 0E 1B 02 12 06 1B 0A ....S...........
EEC35200 1A 43 42 50 00 29 EE D1 70 47 00 B5 00 24 E4 43 .CBP.)...G...$..
EEC35210 32 23 03 22 0D 99 0C 98 06 1C C0 27 00 DF B0 42 2#."......'...B
EEC35220 00 D0 01 DE 0B 9D 0F 99 00 F0 29 F8 1F BC A0 47 ...............G
EEC35230 08 BC 03 BC 03 B4 40 18 09 4B 03 60 01 30 0B 90 ......@..K.`.0..
EEC35240 3F BC 1B 42 00 D0 A0 47 00 98 01 99 09 18 00 F0 ?..B...G........
EEC35250 2B F8 0B BC 9E 46 05 22 7D 27 00 DF 5B 27 03 BD +....F."}'..['..
EEC35260 00 DF FF BD 89 08 89 00 00 B5 0B 1C 00 F0 64 F8 ..............d.
EEC35270 08 BC 9E 46 0B 68 04 31 03 60 04 30 01 3D 07 23 ...F.h.1.`.0.=.#
EEC35280 1D 42 F7 D1 ED 08 0D D0 78 47 C0 46 D4 03 2D E9 .B.......G....-.
EEC35290 DC 13 B1 E8 F0 01 F0 E7 DC 13 A0 E8 FB FF FF 1A ................
EEC352A0 D4 03 BD E8 1E FF 2F E1 00 22 0F 27 3F 04 02 37 ....../....'?..7
EEC352B0 00 DF 70 47 73 46 01 3B 00 00 00 00 00 00 00 00 ...GsF.;........

eec18aac -> eec35084 -> EEC351C0 -> EEC351F4

eec36000: source address
At EEC564CC: differs from the .s source -->> same

libdu.so:EEC564CC MOVS R2, #0
libdu.so:EEC564CE MOVS R7, #0xF0002
libdu.so:EEC564D4 SVC 0
libdu.so:EEC564D6 BX LR

F0 01 F0 E7 -> UDF #0x10
becomes the following:
D4 03 BD E8 -> LDMFD SP!, {R2,R4,R6-R9}

00 F0 54 F8: the f0 00 is extracted

Next comes the 4-bytes-at-a-time copy: 00 24 E4 43 32 23 03 22 0D 99 0C 98; only these 12 bytes were copied

Then it copies:
06 1C C0 27 00 DF B0
00 D0 01 DE 0B 9D 0F 99 00 F0 29 F8 1F BC A0 47
08 BC 03 BC 03 B4 40 18 09 4B 03 60 01 30 0B 90
3F BC 1B 42 00 D0 A0 47 00 98 01 99 09 18 00 F0
2B F8 0B BC 9E 46 05 22 7D 27 00 DF 5B 27 03 BD
00 DF FF BD 89 08 89 00 00 B5 0B 1C 00 F0 64 F8
08 BC 9E 46 0B 68 04 31
03 60 04 30 01 3D 07 23
1D 42 F7 D1 ED 08 0D D0 78 47 C0 46 D4 03 2D E9
DC 13 B1 E8 F0 01 F0 E7
DC 13 A0 E8 FB FF FF 1A
F0 01 F0 E7 1E FF 2F E1 00 22 0F 27 3F 04 02 37
00 DF 70 47 73 46 01 3B 00 00 00 00 00 00 00 00

libdu.so:EEC574BC LDMIA R1!, {R2-R4,R6-R9,R12}
libdu.so:EEC574C0 SUBS R5, R5, #1
libdu.so:EEC574C4 STMIA R0!, {R2-R4,R6-R9,R12}
libdu.so:EEC574C8 BNE loc_EEC574BC
libdu.so:EEC574CC LDMFD SP!, {R2,R4,R6-R9}

R4 is copied wrongly: it differs from the source and has been turned into F0 01 F0 E7; the debugger shows the argument as debug:002 E7F001F0

EEC574A0 0B 68 04 31 03 60 04 30 01 3D 07 23 1D 42 F7 D1 .h.1.`.0.=.#.B..
EEC574B0 ED 08 0D D0 78 47 C0 46 D4 03 2D E9 DC 13 B1 E8 .....G....-.....
EEC574C0 01 50 55 E2 this value is changed as well, to F0 01 F0 E7

LDMIA R1!, {R2-R4,R6-R9,R12}
SUBS R5, R5, #1
STMIA R0!, {R2-R4,R6-R9,R12}
BNE loc_EEC574BC
LDMFD SP!, {R2,R4,R6-R9}

Unrelated to code length
Still fine when it reaches 194

Solution: damn it.

The instruction as IDA rendered it is below; I copied it over directly. It assembles without error, no error message, but at load time UDF #0x10 appears and it crashes:
LDR R5, =0xFFFFF000

This instruction corresponds to
LDR R5, [PC, #0x40]

Use this instruction in place of the FFF000 one

So when writing shellcode, be careful: don't just look at whether it assembled; there are other problems to watch for.
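An added check, written for this edit and not code from the page or from its libdu.so stub, for the two things this session turned on. First, `LDR R5, =0xFFFFF000` is a pseudo-instruction: the assembler puts the constant into a literal pool (at the next `.ltorg` or at the end of the section) and encodes the real `LDR R5, [PC, #off]`, so when the stub is then moved by a fixed count of 32-byte chunks, as the LDMIA/STMIA loop above does, the pool can lie past the end of the copy and the load at the destination reads whatever happens to be there. Second, F0 01 F0 E7 (0xE7F001F0, IDA's UDF #0x10) is also the byte pattern GDB and compatible debugger servers write for an ARM-state software breakpoint, so a copied region that acquires this word where the source shows a different instruction is worth checking for a breakpoint that was set while the debuggee copied itself. The scanner decodes ARM-state words only (the Thumb parts of this stub need a different decoder); the sample blobs are constructed from the page's own listing, and the function and struct names are this example's, not the stub's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 0xE7F001F0 is the ARM-state software breakpoint GDB (and ptrace-based
 * debugger servers that follow its convention) writes into the debuggee;
 * IDA disassembles it as UDF #0x10. */
#define ARM_GDB_BKPT 0xE7F001F0u

struct stub_report {
    int udf;          /* UDF words (any immediate) inside the copied region */
    int bkpt;         /* of those, exactly 0xE7F001F0 */
    int literal_oob;  /* LDR Rt,[PC,#imm] whose pool word lies outside the copy */
};

/* UDF encoding: cond 0111 1111 imm12 1111 imm4; only cond=AL is matched. */
static int arm_is_udf(uint32_t w, unsigned *imm16)
{
    if ((w & 0xFFF000F0u) != 0xE7F000F0u)
        return 0;
    *imm16 = (((w >> 8) & 0xFFFu) << 4) | (w & 0xFu);
    return 1;
}

/* LDR Rt,[PC,#+/-imm12]: cond 0101 U001 1111 Rt imm12 (P=1 W=0 B=0 L=1, Rn=PC).
 * In ARM state PC reads as the instruction address + 8. */
static int arm_is_ldr_literal(uint32_t w, unsigned *rt, long *delta)
{
    if ((w & 0xFF7F0000u) != 0xE51F0000u)
        return 0;
    long imm12 = (long)(w & 0xFFFu);
    *rt = (w >> 12) & 0xFu;
    *delta = 8 + (((w >> 23) & 1u) ? imm12 : -imm12);
    return 1;
}

/* Walk the first copied_bytes of a little-endian ARM-state blob and report
 * UDF words and PC-relative literal loads that reach past the copied range. */
struct stub_report check_stub(const uint8_t *blob, size_t blob_len, size_t copied_bytes)
{
    struct stub_report r = {0, 0, 0};
    size_t limit = (copied_bytes < blob_len ? copied_bytes : blob_len) & ~(size_t)3;

    for (size_t off = 0; off < limit; off += 4) {
        uint32_t w = (uint32_t)blob[off] | ((uint32_t)blob[off + 1] << 8) |
                     ((uint32_t)blob[off + 2] << 16) | ((uint32_t)blob[off + 3] << 24);
        unsigned imm16, rt;
        long delta;

        if (arm_is_udf(w, &imm16)) {
            r.udf++;
            if (w == ARM_GDB_BKPT)
                r.bkpt++;
            printf("+%#zx: UDF #%#x%s\n", off, imm16,
                   w == ARM_GDB_BKPT ? " (GDB ARM breakpoint pattern)" : "");
        } else if (arm_is_ldr_literal(w, &rt, &delta)) {
            long target = (long)off + delta;
            if (target < 0 || (size_t)target + 4 > copied_bytes) {
                r.literal_oob++;
                printf("+%#zx: LDR R%u,[PC,#%ld] needs the word at +%#lx, "
                       "but only %#zx bytes are copied\n",
                       off, rt, delta - 8, (unsigned long)target, copied_bytes);
            }
        }
    }
    return r;
}

/* Constructed sample 1: the copy loop from the listing at EEC574BC as it is in
 * the .so (STMFD; LDMIA; SUBS R5,R5,#1; STMIA; BNE; LDMFD; BX LR). */
static const uint8_t loop_in_source[] = {
    0xD4, 0x03, 0x2D, 0xE9,  0xDC, 0x13, 0xB1, 0xE8,  0x01, 0x50, 0x55, 0xE2,
    0xDC, 0x13, 0xA0, 0xE8,  0xFB, 0xFF, 0xFF, 0x1A,  0xD4, 0x03, 0xBD, 0xE8,
    0x1E, 0xFF, 0x2F, 0xE1,
};
/* Constructed sample 2: the same bytes as they appeared after the copy, with
 * the SUBS word turned into F0 01 F0 E7. */
static const uint8_t loop_after_copy[] = {
    0xD4, 0x03, 0x2D, 0xE9,  0xDC, 0x13, 0xB1, 0xE8,  0xF0, 0x01, 0xF0, 0xE7,
    0xDC, 0x13, 0xA0, 0xE8,  0xFB, 0xFF, 0xFF, 0x1A,  0xD4, 0x03, 0xBD, 0xE8,
    0x1E, 0xFF, 0x2F, 0xE1,
};
/* Constructed sample 3: LDR R5,[PC,#0x40] (E59F5040) at +0 with the literal
 * 0xFFFFF000 at +0x48, the layout `LDR R5, =0xFFFFF000` plus a pool produces. */
static const uint8_t ldr_with_pool[0x50] = {
    [0x00] = 0x40, 0x50, 0x9F, 0xE5,
    [0x48] = 0x00, 0xF0, 0xFF, 0xFF,
};

int main(void)
{
    struct stub_report r;
    r = check_stub(loop_in_source, sizeof loop_in_source, sizeof loop_in_source);
    printf("source loop: udf=%d bkpt=%d\n", r.udf, r.bkpt);
    r = check_stub(loop_after_copy, sizeof loop_after_copy, sizeof loop_after_copy);
    printf("copied loop: udf=%d bkpt=%d\n", r.udf, r.bkpt);
    r = check_stub(ldr_with_pool, sizeof ldr_with_pool, 0x20);  /* pool not copied */
    printf("ldr, 0x20 copied: literal_oob=%d\n", r.literal_oob);
    r = check_stub(ldr_with_pool, sizeof ldr_with_pool, 0x50);  /* pool copied */
    printf("ldr, 0x50 copied: literal_oob=%d\n", r.literal_oob);
    return 0;
}
```

Run it over the bytes you are about to relocate with the copy count you actually pass in R5: a non-zero literal_oob means the `=imm` pool has to be pulled inside the copied range (an explicit `.ltorg` right after the code, or an `LDR R5, [PC, #off]` whose offset you control), and a non-zero bkpt with the debugger attached means the word you are looking at may be the debugger's, not the stub's.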
