Rust 实战练习 - 8. 内存,ASM,外挂 【重磅】

目标:

  • C写一个Demo版本的游戏
  • 由浅入深,了解外挂原理
  • Linux/Android下实现内存读取
  • ptrace实现内存修改(依赖第三方库)

先准备一个C写的小游戏

c 复制代码
#include <stdio.h>
#include <string.h>

struct Role
{
    float pos_x; // 位置x
    float pos_y;
    float pos_z;

    int level; // 等级
    long money; // 金钱
};

struct Account
{
    char name[20]; // 名字
    long ID; // ID
    struct Role *role; // 多个角色信息
};

void decMoney(struct Role* r){
    r->money -= rand()%100;
}

void main(){
    printf("GameBoy tester!\r\n");
    struct Account ac;
    strcpy(ac.name, "我是张三啊");
    ac.ID = 20240318;
    // roles
    struct Role *rl = (struct Role*)malloc(sizeof(struct Role)*4);
    ac.role = rl;
    for(int i=0;i<4;i++){
        rl[i].level = i*2+10;
        rl[i].money = 5000;
        rl[i].pos_x = i*1000;
        rl[i].pos_y = i*1100;
        rl[i].pos_z = i*1200;
    }
    
    while (1)
    {
        printf("\r\nInput [l,m,p,c] to change value:");
        char input = getchar();
        switch (input)
        {
        case 'l':
            for(int i=0;i<4;i++){
                rl[i].level += rand()%50/10;
            }
            break;
        case 'm':
            for(int i=0;i<4;i++){
                rl[i].money += rand()%20;
            }
            break;
        case 'p':
            for(int i=0;i<4;i++){
                rl[i].pos_x += rand()%100 * 0.1;
                rl[i].pos_y += rand()%20 * 0.2;
                rl[i].pos_z += rand()%10;
            }
            break;
        case 'c':
            for(int i=0;i<4;i++){
                decMoney(&rl[i]);
            }
            break;
        default:
            break;
        }
        // print
        printf("\r\nAccount: [%ld] => %s\r\n", ac.ID, ac.name);
        for(int i=0;i<4;i++){
            printf("Role[%d] => Level:%d, Money: %ld, Pos:[%.2f,%.2f,%.2f]\r\n", 
                i, rl[i].level, rl[i].money, rl[i].pos_x,rl[i].pos_y,rl[i].pos_z);
        }
        printf("Cheat: Account [0x%lX], ID [0x%lX], Name [0x%lX], role [%lX]\r\n", &ac, &(ac.ID), ac.name, &(ac.role));
        printf("Cheat: Role [0x%lX], pos_x [0x%lX], level [0x%lX], money [%lX]\r\n", rl, &(rl[0].pos_x), &(rl[0].level), &(rl[0].money));
        printf("Cheat: decMoney [0x%lX], main: {0x%lX}\r\n",decMoney, main); 
    }
}


// gcc -o gamebox main.c
// ./gamebox
Input [l,m,p,c] to change value:

只要输入 l/m/p/c 就可以随机改变其中的等级,金钱,位置信息。其中输入c会调用函数,随机减少角色的金钱。

Rust修改gamebox

有个出名的技术叫hook,还有一个技术叫修改内存。这也就是简单的游戏外挂范围的技术。这里我们使用rust去模拟一下,修改上面用C写的gamebox。

在Linux下如何搜索内存找到我们需要的数据,不在这里讨论,我们根据gamebox提供的地址,直接定位。一定要自己找,可以使用 PINCE。(类似CE)

备注:ceserver + wine + CE GUI 可以在Linux下进行搜索。

首先,反推几个重要信息的地址关系: (假设字节对齐)

sh 复制代码
[BaseAddr+0] => name 首地址, char[20]
[BaseAddr+20] => ID, long
[BaseAddr+20+8] => Role的首地址一个, Role size=3*4+4+8=24

Role = [BaseAddr+20+8]
[[BaseAddr+20+8]+24*i +0] => Role.pos_x, float
[[BaseAddr+20+8]+24*i +4] => Role.pos_y, float
[[BaseAddr+20+8]+24*i +8] => Role.pos_z, float
[[BaseAddr+20+8]+24*i +12] => Role.level, int
[[BaseAddr+20+8]+24*i +16] => Role.money, long

虽然这个地址信息每次启动时会变化,但是他们的关系应该是固定的。

实际上,字节没有对齐,和我们上面预期有差异:

sh 复制代码
BaseAddr = 0x7FFEE5125640
[BaseAddr+0] => name 首地址, char[20] => 0x7FFEE5125640 实际占用是0x18=24
[BaseAddr+24] => ID, long => 0x7FFEE5125658
[BaseAddr+24+8] => Role的首地址一个, Role size=3*4+4+8=24  => 0x7FFEE5125660 

Role = [BaseAddr+24+8] = [0x7FFEE5125660] = 0x5585F6BFE6B0
[[BaseAddr+24+8]+24*i +0] => Role.pos_x, float => 0x5585F6BFE6B0
[[BaseAddr+24+8]+24*i +4] => Role.pos_y, float
[[BaseAddr+24+8]+24*i +8] => Role.pos_z, float
[[BaseAddr+24+8]+24*i +12] => Role.level, int  => 0x5585F6BFE6BC
[[BaseAddr+24+8]+24*i +16] => Role.money, long => 0x5585F6BFE6C0

准备

https://blog.csdn.net/guojin08/article/details/9454467

https://blog.csdn.net/hhhlizhao/article/details/77930009

https://zhuanlan.zhihu.com/p/348171413

https://zhuanlan.zhihu.com/p/674139021

https://www.52pojie.cn/thread-1355860-1-1.html

Linux上一切皆文件,只要有权限,读写其他程序的内存很简单。

  1. sudo权限,强制读写/proc/ID/mem
  2. 自身为内核空间,直接读写mem
  3. 能获取到proc的mem的物理地址,读写物理内存
  4. dbg相关函数

如果想要注入,修改代码,需要使用ptrace一类的方式。

https://www.52pojie.cn/thread-1568457-1-1.html

Linux和Android的方法都是类似的.

简易内存修改

1.直接读取内存固定位置

读文件方式实现

sh 复制代码
andy@andy-pc:/proc/22093$ cat maps
5593869d4000-5593869d5000 r--p 00000000 08:12 6160449                    /home/andy/Work/rs_prj/d8/C/gamebox
5593869d5000-5593869d6000 r-xp 00001000 08:12 6160449                    /home/andy/Work/rs_prj/d8/C/gamebox
5593869d6000-5593869d7000 r--p 00002000 08:12 6160449                    /home/andy/Work/rs_prj/d8/C/gamebox
5593869d7000-5593869d8000 r--p 00002000 08:12 6160449                    /home/andy/Work/rs_prj/d8/C/gamebox
5593869d8000-5593869d9000 rw-p 00003000 08:12 6160449                    /home/andy/Work/rs_prj/d8/C/gamebox
559386d8f000-559386db0000 rw-p 00000000 00:00 0                          [heap]
7f914db19000-7f914db1c000 rw-p 00000000 00:00 0 
7f914db1c000-7f914db44000 r--p 00000000 08:12 12848718                   /usr/lib/x86_64-linux-gnu/libc.so.6
7f914db44000-7f914dcd9000 r-xp 00028000 08:12 12848718                   /usr/lib/x86_64-linux-gnu/libc.so.6
7f914dcd9000-7f914dd31000 r--p 001bd000 08:12 12848718                   /usr/lib/x86_64-linux-gnu/libc.so.6
7f914dd31000-7f914dd32000 ---p 00215000 08:12 12848718                   /usr/lib/x86_64-linux-gnu/libc.so.6
7f914dd32000-7f914dd36000 r--p 00215000 08:12 12848718                   /usr/lib/x86_64-linux-gnu/libc.so.6
7f914dd36000-7f914dd38000 rw-p 00219000 08:12 12848718                   /usr/lib/x86_64-linux-gnu/libc.so.6
7f914dd38000-7f914dd45000 rw-p 00000000 00:00 0 
7f914dd5e000-7f914dd60000 rw-p 00000000 00:00 0 
7f914dd60000-7f914dd62000 r--p 00000000 08:12 12848709                   /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7f914dd62000-7f914dd8c000 r-xp 00002000 08:12 12848709                   /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7f914dd8c000-7f914dd97000 r--p 0002c000 08:12 12848709                   /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7f914dd98000-7f914dd9a000 r--p 00037000 08:12 12848709                   /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7f914dd9a000-7f914dd9c000 rw-p 00039000 08:12 12848709                   /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffed5856000-7ffed5877000 rw-p 00000000 00:00 0                          [stack]
7ffed596e000-7ffed5972000 r--p 00000000 00:00 0                          [vvar]
7ffed5972000-7ffed5974000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0                  [vsyscall]

# gamebox
Account: [20240318] => 我是张三啊
Role[0] => Level:14, Money: 4926, Pos:[9.00,3.80,3.00]
Role[1] => Level:15, Money: 4915, Pos:[1002.60,1100.00,1206.00]
Role[2] => Level:17, Money: 4925, Pos:[2007.20,2203.20,2401.00]
Role[3] => Level:20, Money: 4992, Pos:[3006.80,3301.40,3609.00]
Cheat: Account [0x7FFF90D18540], ID [0x7FFF90D18558], Name [0x7FFF90D18540], role [7FFF90D18560]
Cheat: Role [0x558CE6B4F6B0], pos_x [0x558CE6B4F6B0], level [0x558CE6B4F6BC], money [558CE6B4F6C0]
Cheat: decMoney [0x558CE63E11C9]

根据地址信息,数据主要存在 heap和stack上,函数存在代码段。

rust 复制代码
use std::{
    ffi::{CStr, OsString},
    fs::File,
    io::Read,
    os::unix::fs::FileExt,
    path, u8,
};

// 64 bit program
fn main() {
    let pid = find_id_by_name("gamebox");
    println!("gamebox pid: {:?}", pid);
    if pid.len() > 0 {
        let memf = format!("/proc/{}/mem", pid.first().unwrap());
        println!("gamebox mem: {}", memf);
        // 需要root权限
        if let Ok(f) = &File::open(memf) {
            let base_addr:u64 = 0x7FFF90D18540;
            // account
            let id = read_at_mem(f, base_addr + 24, 8);
            let name = read_at_mem(f, base_addr + 0, 20);
            let role_addr = read_at_mem(f, base_addr + 24 + 8, 8);

            let name2 = unsafe { CStr::from_ptr(name.as_ptr() as *const i8) };
            let role_addr2 = u64::from_le_bytes(role_addr.try_into().unwrap());
            println!(
                "Account => ID: {}, Name: {}, role addr: 0x{:#X}",
                u64::from_le_bytes(id.try_into().unwrap()),
                name2.to_str().unwrap(),
                role_addr2,
            );

            // role
            for i in 0..4 {
                let level = read_at_mem(f, role_addr2 + 24*i + 12, 4);
                let money = read_at_mem(f, role_addr2 + 24*i + 16, 8);
                let pos_x = read_at_mem(f, role_addr2 + 24*i + 0, 4);
                let pos_y = read_at_mem(f, role_addr2 + 24*i + 4, 4);
                let pos_z = read_at_mem(f, role_addr2 + 24*i + 8, 4);
                println!(
                    "  Role[{}] => Level: {}, Money: {}, Pos: [{:.2}, {:.2}, {:.2}]",
                    i,
                    u32::from_le_bytes(level.try_into().unwrap()),
                    u64::from_le_bytes(money.try_into().unwrap()),
                    f32::from_le_bytes(pos_x.try_into().unwrap()),
                    f32::from_le_bytes(pos_y.try_into().unwrap()),
                    f32::from_le_bytes(pos_z.try_into().unwrap()),
                );
            }

        } else {
            println!("need root permission!");
        }
    }
}

// 读取指定大小的内存数据
fn read_at_mem(f: &File, addr: u64, sz: usize) -> Vec<u8> {
    let mut buf = Vec::new();
    buf.resize(sz, 0);
    f.read_at(&mut buf, addr).unwrap();
    return buf;
}

// 忽略大小写进行进程查找
fn find_id_by_name(name: &str) -> Vec<String> {
    // 遍历和读取 /proc/xxx/comm
    let root = path::Path::new("/proc/");
    let mut pids: Vec<_> = Vec::new();
    for sub in root.read_dir().unwrap() {
        if let Ok(id_dir) = sub {
            let fp = id_dir.path();
            if fp.is_dir() {
                let comm = fp.join("comm");
                if comm.exists() {
                    let txt = file_read_content(comm.to_str().unwrap());
                    // println!("try file: {:?}, {}", comm, txt);
                    if txt.to_ascii_lowercase() == name.to_ascii_lowercase() {
                        let pid = OsString::from(fp.file_name().unwrap())
                            .into_string()
                            .unwrap();
                        pids.push(pid);
                    }
                }
            }
        }
    }
    pids
}

fn file_read_content(filepath: &str) -> String {
    let mut txt = String::new();
    if let Ok(mut f) = File::open(filepath) {
        f.read_to_string(&mut txt).unwrap();
    }
    // 默认内容有换行
    txt = txt.trim().to_string();
    return txt;
}

2.寻找基地址,真正外挂

基地址的本质是全局变量,所以我们原本的代码无法实现。

修改一下, 重新编译:

c 复制代码
struct Account ac;

void main(){
    printf("GameBoy tester!\r\n");   
    // struct Account ac; // 移动这个到全局变量
    strcpy(ac.name, "我是张三啊");
    ac.ID = 20240318;
    ...
}

另外,程序每次加载到内存中并不一定是固定地址的。

  • 在Windows系统中,xp,win7时代是这样,每次固定加载在固定的地址上,所以每次程序运行的地址都是固定的。
  • 到了后来,windows系统和Linux都使用了动态基地址的flag, 每次的初始地址不固定,所以寻找基地址变得麻烦。

思路:

  • 程序加载到内存时,有导出表或者maps信息,可以看到code的初始地址。
  • main函数相对程序初始地址一般是固定的,与第一步地址一起计算可以得到main的动态地址。
  • 程序全局变量等的地址,相对main是固定的,所以就可以动态计算出来当前变量的地址。(即动态的基地址)

Linux上的获取基地址方法:

  1. 启动gamebox得到全局变量偏移信息
bash' 复制代码
Account: [20240318] => 我是张三啊
Role[0] => Level:10, Money: 5000, Pos:[0.00,0.00,0.00]
Role[1] => Level:12, Money: 5000, Pos:[1000.00,1100.00,1200.00]
Role[2] => Level:14, Money: 5000, Pos:[2000.00,2200.00,2400.00]
Role[3] => Level:16, Money: 5000, Pos:[3000.00,3300.00,3600.00]
Cheat: Account [0x55AF86AE7040], ID [0x55AF86AE7058], Name [0x55AF86AE7040], role [55AF86AE7060]
Cheat: Role [0x55AF87D676B0], pos_x [0x55AF87D676B0], level [0x55AF87D676BC], money [55AF87D676C0]
Cheat: decMoney [0x55AF86AE41C9], main: {0x55AF86AE421E}

所以,Account Offset = Account[0x55AF86AE7040] - main[0x55AF86AE421E] = 0x2E22

  1. 通过gamebox进程maps信息获取main偏移
bash 复制代码
55af86ae3000-55af86ae4000 r--p 00000000 08:12 6160449               /home/andy/Work/rs_prj/d8/C/gamebox
55af86ae4000-55af86ae5000 r-xp 00001000 08:12 6160449               /home/andy/Work/rs_prj/d8/C/gamebox
55af86ae5000-55af86ae6000 r--p 00002000 08:12 6160449               /home/andy/Work/rs_prj/d8/C/gamebox
55af86ae6000-55af86ae7000 r--p 00002000 08:12 6160449               /home/andy/Work/rs_prj/d8/C/gamebox
55af86ae7000-55af86ae8000 rw-p 00003000 08:12 6160449               /home/andy/Work/rs_prj/d8/C/gamebox
55af87d67000-55af87d88000 rw-p 00000000 00:00 0                     [heap]

所以,main Offset = main[0x55AF86AE421E] - gamebox[0x55af86ae3000] = 0x121E

  1. 计算基地址偏移

BaseAddr = gamebox 基地址 + 0x121E + 0x2E22

  1. Code
rust 复制代码
use std::{
    ffi::{CStr, OsString},
    fs::File,
    io::{BufRead, BufReader, Cursor, Read},
    os::unix::fs::FileExt,
    path, u8,
};

// 64 bit program
fn main() {
    let pids = find_id_by_name("gamebox");
    println!("gamebox pid: {:?}", pids);
    if pids.len() > 0 {
        let pid = pids.first().unwrap();
        let memf = format!("/proc/{}/mem", pid);
        let mut base_addr:u64 = process_get_base_addr(pid);
        if base_addr == 0 {
            println!("gamebox find base addr failed: {}", pid);
            return;
        }
        base_addr += 0x121E + 0x2E22; // Account ac 全局变量偏移

        println!("gamebox mem: {}, base addr: {:X}", memf, base_addr);
        // 需要root权限
        if let Ok(f) = &File::open(memf) {            
            // account
            let id = read_at_mem(f, base_addr + 24, 8);
            let name = read_at_mem(f, base_addr + 0, 20);
            let role_addr = read_at_mem(f, base_addr + 24 + 8, 8);

            let name2 = unsafe { CStr::from_ptr(name.as_ptr() as *const i8) };
            let role_addr2 = u64::from_le_bytes(role_addr.try_into().unwrap());
            println!(
                "Account => ID: {}, Name: {}, role addr: 0x{:#X}",
                u64::from_le_bytes(id.try_into().unwrap()),
                name2.to_str().unwrap(),
                role_addr2,
            );

            // role
            for i in 0..4 {
                let level = read_at_mem(f, role_addr2 + 24*i + 12, 4);
                let money = read_at_mem(f, role_addr2 + 24*i + 16, 8);
                let pos_x = read_at_mem(f, role_addr2 + 24*i + 0, 4);
                let pos_y = read_at_mem(f, role_addr2 + 24*i + 4, 4);
                let pos_z = read_at_mem(f, role_addr2 + 24*i + 8, 4);
                println!(
                    "\tRole[{}] => Level: {}, Money: {}, Pos: [{:.2}, {:.2}, {:.2}]",
                    i,
                    u32::from_le_bytes(level.try_into().unwrap()),
                    u64::from_le_bytes(money.try_into().unwrap()),
                    f32::from_le_bytes(pos_x.try_into().unwrap()),
                    f32::from_le_bytes(pos_y.try_into().unwrap()),
                    f32::from_le_bytes(pos_z.try_into().unwrap()),
                );
            }

        } else {
            println!("need root permission!");
        }
    }
}

fn read_at_mem(f: &File, addr: u64, sz: usize) -> Vec<u8> {
    let mut buf = Vec::new();
    buf.resize(sz, 0);
    f.read_at(&mut buf, addr).unwrap();
    return buf;
}

// 忽略大小写进行进程查找
fn find_id_by_name(name: &str) -> Vec<String> {
    // 遍历和读取 /proc/xxx/comm
    let root = path::Path::new("/proc/");
    let mut pids: Vec<_> = Vec::new();
    for sub in root.read_dir().unwrap() {
        if let Ok(id_dir) = sub {
            let fp = id_dir.path();
            if fp.is_dir() {
                let comm = fp.join("comm");
                if comm.exists() {
                    let txt = file_read_content(comm.to_str().unwrap());
                    // println!("try file: {:?}, {}", comm, txt);
                    if txt.to_ascii_lowercase() == name.to_ascii_lowercase() {
                        let pid = OsString::from(fp.file_name().unwrap())
                            .into_string()
                            .unwrap();
                        pids.push(pid);
                    }
                }
            }
        }
    }
    pids
}

fn file_read_content(filepath: &str) -> String {
    let mut txt = String::new();
    if let Ok(mut f) = File::open(filepath) {
        f.read_to_string(&mut txt).unwrap();
    }
    // 默认内容有换行
    txt = txt.trim().to_string();
    return txt;
}

// 通过 /proc/pid/maps 查找 program 地址
fn process_get_base_addr(pid:&str) -> u64{
    let mut addr = 0u64;
    if let Ok(f) = File::open(format!("/proc/{}/maps", pid)){
        let mut txt = String::new();
        let mut br = BufReader::new(f);
        br.read_line(&mut txt).unwrap();
        
        //55af86ae3000-55af86ae4000 r--p 00000000 08:12 6160449      /xx/gamebox        
        if let Some(pos) = txt.find('-') {
            addr = u64::from_str_radix(&txt[..pos], 16).unwrap();
        }
    }
    return addr;
}
bash 复制代码
cargo build
sudo ./target/debug/d8

gamebox pid: ["7586"]
gamebox mem: /proc/7586/mem, base addr: 55AF86AE7040
Account => ID: 20240318, Name: 我是张三啊, role addr: 0x0x55AF87D676B0
        Role[0] => Level: 10, Money: 5000, Pos: [0.00, 0.00, 0.00]
        Role[1] => Level: 12, Money: 5000, Pos: [1000.00, 1100.00, 1200.00]
        Role[2] => Level: 14, Money: 5000, Pos: [2000.00, 2200.00, 2400.00]
        Role[3] => Level: 16, Money: 5000, Pos: [3000.00, 3300.00, 3600.00]

然后,尝试关闭gamebox,然后再重启,继续使用程序读取一下,依然有效。

到此,一个只读取gamebox的外挂做好了。

3.修改程序调用逻辑

如果,我们想把代码中decMoney函数的减少钱的逻辑,改成增加钱的逻辑怎么办?

  • root权限,强制改写 decMoney 函数的汇编代码,可以实现简单功能
  • root权限,在内存中新写一个 函数, 替代decMoney,实现任意功能。这个难度很高。

我们做一个简单的版本:

asm 复制代码
// decMoney 函数汇编代码
.text:00000000000011C9                               public decMoney
.text:00000000000011C9                               decMoney proc near            ; CODE XREF: main+4E3↓p
.text:00000000000011C9                                                             ; DATA XREF: main+68E↓o
.text:00000000000011C9
.text:00000000000011C9                               var_8= qword ptr -8
.text:00000000000011C9
.text:00000000000011C9                               ; __unwind {
.text:00000000000011C9 F3 0F 1E FA                   endbr64
.text:00000000000011CD 55                            push    rbp
.text:00000000000011CE 48 89 E5                      mov     rbp, rsp
.text:00000000000011D1 48 83 EC 10                   sub     rsp, 10h
.text:00000000000011D5 48 89 7D F8                   mov     [rbp+var_8], rdi
.text:00000000000011D9 B8 00 00 00 00                mov     eax, 0
.text:00000000000011DE E8 ED FE FF FF                call    _rand
.text:00000000000011DE
.text:00000000000011E3 48 63 D0                      movsxd  rdx, eax
.text:00000000000011E6 48 69 D2 1F 85 EB 51          imul    rdx, 51EB851Fh
.text:00000000000011ED 48 C1 EA 20                   shr     rdx, 20h
.text:00000000000011F1 C1 FA 05                      sar     edx, 5
.text:00000000000011F4 89 C1                         mov     ecx, eax
.text:00000000000011F6 C1 F9 1F                      sar     ecx, 1Fh
.text:00000000000011F9 29 CA                         sub     edx, ecx
.text:00000000000011FB 6B CA 64                      imul    ecx, edx, 64h ; 'd'
.text:00000000000011FE 29 C8                         sub     eax, ecx 
.text:0000000000001200 89 C2                         mov     edx, eax
.text:0000000000001202 48 8B 45 F8                   mov     rax, [rbp+var_8]
.text:0000000000001206 48 8B 40 10                   mov     rax, [rax+10h]
.text:000000000000120A 48 63 CA                      movsxd  rcx, edx
.text:000000000000120D 48 29 C8                      sub     rax, rcx ; 核心是这里减法处理 
.text:0000000000001210 48 89 C2                      mov     rdx, rax ; v1
.text:0000000000001213 48 8B 45 F8                   mov     rax, [rbp+var_8]
.text:0000000000001217 48 89 50 10                   mov     [rax+10h], rdx ; 最终v1赋值
.text:000000000000121B 90                            nop
.text:000000000000121C C9                            leave
.text:000000000000121D C3                            retn
.text:000000000000121D                               ; } // starts at 11C9
.text:000000000000121D
.text:000000000000121D                               decMoney endp

// 反汇编的C代码
__int64 __fastcall decMoney(__int64 a1)
{
  __int64 v1; // rdx
  __int64 result; // rax

  v1 = *(_QWORD *)(a1 + 16) - rand() % 100;  // 需要修改这里的减法操作
  result = a1;
  *(_QWORD *)(a1 + 16) = v1;
  return result;
}

函数 DecMoney 的偏移为 00000000000011C9,sub rax, rcx的偏移为 000000000000120D。offset=0x44.

asm 复制代码
; https://shell-storm.org/online/Online-Assembler-and-Disassembler/
sub rax, rcx  ; 48 29 c8
add rax, rcx  ; 48 01 c8

所以,修改 函数地址加偏移 0x44 + 1 的值, 从 29 改为 01 就可以啦。

fn_ofset = 0x55AF86AE41C9 − 0x55AF86AE421E = -0x55

说明函数地址在main函数地址之前。

fn_addr = program + 0x121E - 0x55

理论代码如下:

rust 复制代码
use std::{
    ffi::{CStr, OsString},
    fs::File,
    io::{self, BufRead, BufReader, Cursor, Read},
    os::unix::fs::FileExt,
    path, u8,
};

// 64 bit program
fn main() {
    let pids = find_id_by_name("gamebox");
    println!("gamebox pid: {:?}", pids);
    if pids.len() > 0 {
        let pid = pids.first().unwrap();
        let memf = format!("/proc/{}/mem", pid);
        let mut fn_addr = 0u64;
        let mut base_addr:u64 = process_get_base_addr(pid);
        if base_addr == 0 {
            println!("gamebox find base addr failed: {}", pid);
            return;
        }
        fn_addr = base_addr + 0x121E - 0x55;  // decMoney 地址
        base_addr += 0x121E + 0x2E22; // Account ac 全局变量偏移
        
        println!("gamebox mem: {}, base addr: {:X}", memf, base_addr);
        // 需要root权限
        if let Ok(f) = &File::options().write(true).open(memf) {            
            // account
            let id = read_at_mem(f, base_addr + 24, 8);
            let name = read_at_mem(f, base_addr + 0, 20);
            let role_addr = read_at_mem(f, base_addr + 24 + 8, 8);

            let name2 = unsafe { CStr::from_ptr(name.as_ptr() as *const i8) };
            let role_addr2 = u64::from_le_bytes(role_addr.try_into().unwrap());
            println!(
                "Account => ID: {}, Name: {}, role addr: 0x{:#X}",
                u64::from_le_bytes(id.try_into().unwrap()),
                name2.to_str().unwrap(),
                role_addr2,
            );

            // role
            for i in 0..4 {
                let level = read_at_mem(f, role_addr2 + 24*i + 12, 4);
                let money = read_at_mem(f, role_addr2 + 24*i + 16, 8);
                let pos_x = read_at_mem(f, role_addr2 + 24*i + 0, 4);
                let pos_y = read_at_mem(f, role_addr2 + 24*i + 4, 4);
                let pos_z = read_at_mem(f, role_addr2 + 24*i + 8, 4);
                println!(
                    "\tRole[{}] => Level: {}, Money: {}, Pos: [{:.2}, {:.2}, {:.2}]",
                    i,
                    u32::from_le_bytes(level.try_into().unwrap()),
                    u64::from_le_bytes(money.try_into().unwrap()),
                    f32::from_le_bytes(pos_x.try_into().unwrap()),
                    f32::from_le_bytes(pos_y.try_into().unwrap()),
                    f32::from_le_bytes(pos_z.try_into().unwrap()),
                );
            }
            let mut buf = String::new();
            print!("Input any key to modify decMoney function ....");
            io::stdin().read_line(&mut buf).unwrap();

            // modify function decMoney
            let asm_addr = fn_addr + 0x45; 
            // sub rax, rcx => add rax, rcx
            let asm = [0x01u8,];
            f.write_at(&asm, asm_addr).unwrap();

        } else {
            println!("need root permission!");
        }
    }
}

fn read_at_mem(f: &File, addr: u64, sz: usize) -> Vec<u8> {
    let mut buf = Vec::new();
    buf.resize(sz, 0);
    f.read_at(&mut buf, addr).unwrap();
    return buf;
}

// 忽略大小写进行进程查找
fn find_id_by_name(name: &str) -> Vec<String> {
    // 遍历和读取 /proc/xxx/comm
    let root = path::Path::new("/proc/");
    let mut pids: Vec<_> = Vec::new();
    for sub in root.read_dir().unwrap() {
        if let Ok(id_dir) = sub {
            let fp = id_dir.path();
            if fp.is_dir() {
                let comm = fp.join("comm");
                if comm.exists() {
                    let txt = file_read_content(comm.to_str().unwrap());
                    // println!("try file: {:?}, {}", comm, txt);
                    if txt.to_ascii_lowercase() == name.to_ascii_lowercase() {
                        let pid = OsString::from(fp.file_name().unwrap())
                            .into_string()
                            .unwrap();
                        pids.push(pid);
                    }
                }
            }
        }
    }
    pids
}

fn file_read_content(filepath: &str) -> String {
    let mut txt = String::new();
    if let Ok(mut f) = File::open(filepath) {
        f.read_to_string(&mut txt).unwrap();
    }
    // 默认内容有换行
    txt = txt.trim().to_string();
    return txt;
}

// 通过 /proc/pid/maps 查找 program 地址
fn process_get_base_addr(pid:&str) -> u64{
    let mut addr = 0u64;
    if let Ok(f) = File::open(format!("/proc/{}/maps", pid)){
        let mut txt = String::new();
        let mut br = BufReader::new(f);
        br.read_line(&mut txt).unwrap();
        
        //55af86ae3000-55af86ae4000 r--p 00000000 08:12 6160449      /xx/gamebox        
        if let Some(pos) = txt.find('-') {
            addr = u64::from_str_radix(&txt[..pos], 16).unwrap();
        }
    }
    return addr;
}

看起来似乎可行,实际执行发现,即便是root权限也无法直接修改其他进程的内存信息。

其他思路有:

  • ptrace 接口,dbg方式修改
  • 内核空间修改
  • 能找到对应的物理内存地址,修改物理内存

上面几种方法,只有第一种难度最低,后续研究这种。

4.ptrace 版本

ptrace 提供了一种机制使得父进程可以观察和控制子进程的执行过程,ptrace 还可以检查和修改子进程的可执行文件在内存中的image及子进程所使用的寄存器中的值。通常来说,主要用于实现对进程插入断点和跟踪子进程的系统调用。

我们在/proc/xxx/mem 可以root读取,但是写入失败。但是ptrace可以实现这个写入功能。

c 复制代码
long ptrace(enum __ptrace_request request,pid_t pid,void *addr,void *data);
/*
PTRACE_TRACEME,   本进程被其父进程所跟踪。其父进程应该希望跟踪子进程
PTRACE_PEEKTEXT,  从内存地址中读取一个LONG长度数据,内存地址由addr给出
PTRACE_PEEKDATA,  同上
PTRACE_PEEKUSER,  可以检查用户态内存区域(USER area),从USER区域中读取一个字节,偏移量为addr
PTRACE_POKETEXT,  往内存地址中写入一个LONG长度数据。内存地址由addr给出
PTRACE_POKEDATA,  往内存地址中写入一个LONG长度数据。内存地址由addr给出
PTRACE_POKEUSER,  往USER区域中写入一个LONG长度数据,偏移量为addr
PTRACE_GETREGS,    读取寄存器
PTRACE_GETFPREGS,  读取浮点寄存器
PTRACE_SETREGS,  设置寄存器
PTRACE_SETFPREGS,  设置浮点寄存器
PTRACE_CONT,    重新运行
PTRACE_SYSCALL,  重新运行
PTRACE_SINGLESTEP,  设置单步执行标志
PTRACE_ATTACH,追踪指定pid的进程
PTRACE_DETACH,  结束追踪
*/

// ptrace Demo 
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
int main(int argc, char* argv[])
{
	pid_t attack_pid = -1;
	long  val        = 66;
 
	if (argc < 2 || argv[1] <= 0)
	{
		printf("usage: ./main pid(pid > 0)\n");
		return 0;
	}
	attack_pid = strtoul(argv[1], 0, 10);
        if (ptrace(PTRACE_ATTACH, attack_pid, NULL, NULL) < 0)
	{
		printf("attach failed\n");
		return 0;
	}
    //读取数据
	printf("global1 %d\n", ptrace(PTRACE_PEEKDATA , attack_pid, (void*)0x804a028, NULL));
	printf("stack_var %d\n", ptrace(PTRACE_PEEKDATA , attack_pid, (void*)0xbfa4195c, NULL));
    //修改数据
	ptrace(PTRACE_POKEDATA , attack_pid, (void*)0x804a028, val);
	ptrace(PTRACE_POKEDATA , attack_pid, (void*)0xbfa4195c, val);
 
	ptrace (PTRACE_DETACH, attack_pid, NULL, NULL);
	waitpid(attack_pid, NULL, WUNTRACED);
	return 0;
}
 
 
//main.c被改写的进程
#include <stdio.h>
 
int global1 = 11; // 
 
int main(void)
{
  long stack_var = 10;
  char c = 'a';
  while(1)
  {
    printf("global1 addrss 0x%lx, global1=%d\n", &global1, global1);
    printf("stack_var addrss 0x%lx, stack_var=%d\n", &stack_var, stack_var);
    scanf("%c", &c);
    getchar();
    if (c != 'c')
    {
        break;
    }
  }
  return 0;
}

https://dev59.com/unix/s3VD5IYBdhLWcg3wWaRh

完整的Rust版本的ptrace代码如下:

rust 复制代码
use std::{
    ffi::{c_void, CStr, OsString},
    fs::File,
    io::{self, BufRead, BufReader, Read, Write},
    os::unix::fs::FileExt,
    path, u8,
};

use nix::{sys::{ptrace, wait::waitpid}, unistd::Pid};

// 64 bit program
fn main() {
    let pids = find_id_by_name("gamebox");
    println!("gamebox pid: {:?}", pids);
    if pids.len() > 0 {
        let pid = pids.first().unwrap();
        let mut fn_addr = 0u64;
        let mut base_addr: u64 = process_get_base_addr(pid);
        if base_addr == 0 {
            println!("gamebox find base addr failed: {}", pid);
            return;
        }
        fn_addr = base_addr + 0x121E - 0x55; // decMoney 地址
        base_addr += 0x121E + 0x2E22; // Account ac 全局变量偏移

        println!(
            "gamebox base addr: {:#X}, fn addr: {:#X}",
            base_addr, fn_addr
        );
        // 需要root权限
        let ppid = Pid::from_raw(i32::from_str_radix(pid, 10).unwrap());

        if let Ok(_) = ptrace::attach(ppid) {
            waitpid(ppid, None).unwrap();
        
            // account
            let id = ptrace_read_at(ppid, base_addr + 24, 8);
            let name = ptrace_read_at(ppid, base_addr + 0, 20);
            let role_addr = ptrace_read_at(ppid, base_addr + 24 + 8, 8);

            let name2 = unsafe { CStr::from_ptr(name.as_ptr() as *const i8) };
            let role_addr2 = u64::from_le_bytes(role_addr.try_into().unwrap());
            println!(
                "Account => ID: {}, Name: {:?}, role addr: 0x{:#X}",
                u64::from_le_bytes(id.try_into().unwrap()),
                name2.to_str(),
                role_addr2,
            );

            // role
            for i in 0..4 {
                let level = ptrace_read_at(ppid, role_addr2 + 24 * i + 12, 4);
                let money = ptrace_read_at(ppid, role_addr2 + 24 * i + 16, 8);
                let pos_x = ptrace_read_at(ppid, role_addr2 + 24 * i + 0, 4);
                let pos_y = ptrace_read_at(ppid, role_addr2 + 24 * i + 4, 4);
                let pos_z = ptrace_read_at(ppid, role_addr2 + 24 * i + 8, 4);
                println!(
                    "\tRole[{}] => Level: {}, Money: {}, Pos: [{:.2}, {:.2}, {:.2}]",
                    i,
                    u32::from_le_bytes(level.try_into().unwrap()),
                    u64::from_le_bytes(money.try_into().unwrap()),
                    f32::from_le_bytes(pos_x.try_into().unwrap()),
                    f32::from_le_bytes(pos_y.try_into().unwrap()),
                    f32::from_le_bytes(pos_z.try_into().unwrap()),
                );
            }
            

            // modify function decMoney
            let asm_addr = fn_addr + 0x44;
            // ptrace 每次写入也是 8 字节的数据, 所以先读取,然后再写入
            let mut old_asm = ptrace_read_at(ppid, asm_addr, 8);
            println!("old_asm: {:?}", old_asm);

            // 修改 sub rax, rcx => add rax, rcx
            old_asm[1] = 0x01;

            let new_val = u64::from_ne_bytes(old_asm.try_into().unwrap());
            unsafe { 
                ptrace::write(ppid, asm_addr as *mut c_void, new_val as *mut c_void).unwrap();
             };

            let old_asm2 = ptrace_read_at(ppid, asm_addr, 8);
            println!("old_asm2: {:?}", old_asm2);
            
            ptrace::detach(ppid, None).unwrap();
        } else {
            println!("need root permission!");
        }
    }
}

fn read_at_mem(f: &File, addr: u64, sz: usize) -> Vec<u8> {
    let mut buf = Vec::new();
    buf.resize(sz, 0);
    f.read_at(&mut buf, addr).unwrap();
    return buf;
}

fn ptrace_read_at(ppid: Pid, addr: u64, sz: usize) -> Vec<u8> {
    let mut buf = Vec::new();
    buf.resize(sz, 0);
    // println!("Begin read {:#X}, sz={}", addr, sz);
    let mut sz2 = sz/8;
    
    if sz%8 != 0 {
        sz2 += 1;
    }

    for i in 0..sz2 {
        let paddr = (addr + (i*8) as u64) as *mut c_void;
        // ptrace 每次读取 8 个字节的数据
        let val = ptrace::read(ppid, paddr).unwrap();
        //println!("read: [{}] = {:#X}", addr + (i*8) as u64,val);
        let mut idx = i*8;
        for b in val.to_ne_bytes(){
            if idx < sz {
                buf[idx] = b;
                idx += 1;
            }else{
                break;
            }            
        }
    }
    return buf;
}

// 忽略大小写进行进程查找
fn find_id_by_name(name: &str) -> Vec<String> {
    // 遍历和读取 /proc/xxx/comm
    let root = path::Path::new("/proc/");
    let mut pids: Vec<_> = Vec::new();
    for sub in root.read_dir().unwrap() {
        if let Ok(id_dir) = sub {
            let fp = id_dir.path();
            if fp.is_dir() {
                let comm = fp.join("comm");
                if comm.exists() {
                    let txt = file_read_content(comm.to_str().unwrap());
                    // println!("try file: {:?}, {}", comm, txt);
                    if txt.to_ascii_lowercase() == name.to_ascii_lowercase() {
                        let pid = OsString::from(fp.file_name().unwrap())
                            .into_string()
                            .unwrap();
                        pids.push(pid);
                    }
                }
            }
        }
    }
    pids
}

fn file_read_content(filepath: &str) -> String {
    let mut txt = String::new();
    if let Ok(mut f) = File::open(filepath) {
        f.read_to_string(&mut txt).unwrap();
    }
    // 默认内容有换行
    txt = txt.trim().to_string();
    return txt;
}

// 通过 /proc/pid/maps 查找 program 地址
fn process_get_base_addr(pid: &str) -> u64 {
    let mut addr = 0u64;
    if let Ok(f) = File::open(format!("/proc/{}/maps", pid)) {
        let mut txt = String::new();
        let mut br = BufReader::new(f);
        br.read_line(&mut txt).unwrap();

        //55af86ae3000-55af86ae4000 r--p 00000000 08:12 6160449      /xx/gamebox
        if let Some(pos) = txt.find('-') {
            addr = u64::from_str_radix(&txt[..pos], 16).unwrap();
        }
    }
    return addr;
}

/*
gamebox pid: ["101595"]
gamebox base addr: 0x55698A849040, fn addr: 0x55698A8461C9
Account => ID: 20240318, Name: Ok("我是张三啊"), role addr: 0x0x55698B1156B0
        Role[0] => Level: 10, Money: 5000, Pos: [0.00, 0.00, 0.00]
        Role[1] => Level: 12, Money: 5000, Pos: [1000.00, 1100.00, 1200.00]
        Role[2] => Level: 14, Money: 5000, Pos: [2000.00, 2200.00, 2400.00]
        Role[3] => Level: 16, Money: 5000, Pos: [3000.00, 3300.00, 3600.00]
old_asm: [72, 41, 200, 72, 137, 194, 72, 139]
Input any key to modify decMoney function ....
old_asm2: [72, 1, 200, 72, 137, 194, 72, 139]
*/

proc

https://blog.csdn.net/murphy_ma123456/article/details/16117577

https://blog.csdn.net/m0_37315653/article/details/82693108

https://zhuanlan.zhihu.com/p/378388389

相关推荐
源码哥_博纳软云14 分钟前
JAVA同城服务场馆门店预约系统支持H5小程序APP源码
java·开发语言·微信小程序·小程序·微信公众平台
学会沉淀。21 分钟前
Docker学习
java·开发语言·学习
西猫雷婶1 小时前
python学opencv|读取图像(二十一)使用cv2.circle()绘制圆形进阶
开发语言·python·opencv
kiiila1 小时前
【Qt】对象树(生命周期管理)和字符集(cout打印乱码问题)
开发语言·qt
小_太_阳1 小时前
Scala_【2】变量和数据类型
开发语言·后端·scala·intellij-idea
直裾1 小时前
scala借阅图书保存记录(三)
开发语言·后端·scala
唐 城2 小时前
curl 放弃对 Hyper Rust HTTP 后端的支持
开发语言·http·rust
火星机器人life2 小时前
基于ceres优化的3d激光雷达开源算法
算法·3d
虽千万人 吾往矣2 小时前
golang LeetCode 热题 100(动态规划)-更新中
算法·leetcode·动态规划
arnold663 小时前
华为OD E卷(100分)34-转盘寿司
算法·华为od