
View Full Version : debugger for linux


nguyen_nam
November 5th, 2002, 19:26
hi,

I have read some articles on hculinux.cjb.net just to see that Windows rulez!

No wdasm, no sice, no trw, no smartcheck, no regmon, nothing. What's good in Linux cracking?

Or maybe there are some good debuggers (besides GDB) that I don't know yet?

It's really hard to do any work without those handy tools.

nguyen_nam

NervGaz
November 5th, 2002, 22:36
As far as debuggers go you have fenris and privateice... dunno how good they really are but they're supposed to be a whole lot better than gdb... and there's strace and a whole lot more that's really interesting for runtime patching and stuff like that... I suggest poking around some of the articles at www.phrack.org for more info on reversing in Linux/Unix... mostly hacking related but still slightly reversing related info...

Nobody
November 7th, 2002, 05:12
Try PICE and ltrace. Otherwise you have to choose the "programming" debug tools like adb and gdb, and dump utilities like nm, objdump and elfreader. IDA can do a great job on Linux/Unix static analysis. But it often needs to dynamically watch the parameters passed to and returned from a call. It needs to set the breakpoints at the target address. And we had better feed some symbol table to the debugger before going into the deep hell.

Here I often get the Windows version first, then find out the right location that exists in the data section to patch. Then I can find the same pattern in Solaris/Linux to patch them. The only difference is the big/little endian problem. This method works well in many cases. Besides, program developers and dedicated engineers need to test the software, so it often leaves some back-door in the initialization routine. One of the good places to patch is to change those initial values in global variables. All things go worse if you try to patch downstream. They jump to branches on certain conditions. Then you have to take every case if the validity check goes everywhere.

I have found great help in the invention of the disassembly flow chart in the recent IDA 4.21 and 4.30. That helps me a lot in tracing the program flow with a global vision kept in my mind. With this flow chart, it can trace from the root of the error back until the right path. It often can judge it from the return status register EAX being one or zero. If you are not a legal user of IDA, I suggest you get one to keep the latest version of IDA. Its new features make my life easy in crack tools. And tools make my life further easy.

nguyen_nam
November 11th, 2002, 16:03
>>But it often needs to dynamically watch the parameters passed to and returned from a call. It needs to set the breakpoints at the target address. And we had better feed some symbol table to the debugger before going into the deep hell. Here I often get the Windows version first, then find out the right location that exists in the data section to patch. Then I can find the same pattern in Solaris/Linux to patch them.>>

I never got PICE to work for me. Compiled it against my kernel, but in the end got some weird error.

I have used ald as an alternative. Works quite well, though it's not SICE )

My approach was the same. Crack the target in Windows, do a dead listing in IDA and use ald to debug under Linux. So cracking in Linux is a kind of 2 in 1.