0

这次我没有运气,我有一个很棒的脚本可以将堆栈值写入我自己进程的地址,但是我有点丢失了脚本,我不得不重新编码。不知何故,它并没有真正起作用:\

这是我的脚本:

#import <Foundation/Foundation.h>
#import <mach/mach.h>

NSString *applicationDocumentsDirectory()
{
    //path to the documents directory
    NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
    NSString *basePath = ([paths count] > 0) ? [paths objectAtIndex:0] : nil;
    return basePath;
}

bool writeStack(vm_address_t offset,  long data) {

//declaring global variables

    kern_return_t err;
    mach_port_t port = mach_task_self();

//set memory protections to allow us writing code there

    err = vm_protect(port, (vm_address_t) offset, sizeof(data), NO,VM_PROT_READ | VM_PROT_WRITE | VM_PROT_COPY);

//check if it fails

    if (err != KERN_SUCCESS || !MACH_PORT_VALID(port))
        {
            //information to write if it fails
            NSString *info = [NSString stringWithFormat:@"Info\n\nPort:%d\nAddress: %p\nMach Task Self:%d\nData: %ld",port,offset,mach_task_self(),data];
            [info writeToFile:[NSString stringWithFormat:@"%@/fail.txt",applicationDocumentsDirectory()] atomically:YES];
                return FALSE;
        }

//write code to memory

    if (vm_write(port, (vm_address_t) offset, (vm_address_t)&data, sizeof(data))) {

        NSString *info = [NSString stringWithFormat:@"Info\n\nPort:%d\nAddress: %p\nMach Task Self:%d\nData: %ld",port,offset,mach_task_self(),data];
        [info writeToFile:[NSString stringWithFormat:@"%@/writeprob.txt",applicationDocumentsDirectory()] atomically:YES];
    }

//set the protections back to normal so the game runs without problems

err = vm_protect(port, (vm_address_t)offset, sizeof(data), NO,VM_PROT_READ | VM_PROT_EXECUTE);

 NSString *info = [NSString stringWithFormat:@"Info\n\nPort:%d\nAddress: %p\nMach Task Self:%d\nData: %ld",port,offset,mach_task_self(),data];
    [info writeToFile:[NSString stringWithFormat:@"%@/success.txt",applicationDocumentsDirectory()] atomically:YES];

        return TRUE;

}

当我查看我的文档目录时,它显示“success.txt”,我没有看到任何可能导致问题的代码部分。一切正常,除了 VALUE 没有写:\ 我检查了几件事,我的应用程序没有 ASLR,我有足够的权限,因为它是我自己的进程......

任何想法可能会失败?非常感谢

4

1 回答 1

0

我自己想通了,伙计们!

问题是:当我向堆中写入一个值时,它可以工作,但是应用程序在我写完之后立即覆盖了该值。因此,我添加了一些东西来“冻结”价值。实际上并没有冻结,而是继续写入地址(在无限循环中)

我使用的代码:

    CFRunLoopTimerContext theContext = {0, nil, NULL, NULL, NULL};
CFRunLoopTimerRef theTimer = CFRunLoopTimerCreate(
    NULL, CFAbsoluteTimeGetCurrent(), 0.01, 0, 0,
    (CFRunLoopTimerCallBack)writeStack, &theContext);
CFRunLoopAddTimer(CFRunLoopGetCurrent(), theTimer, kCFRunLoopCommonModes);

这会产生一个每 0.01 秒运行一次的无限循环。在 void writeStack() {} 函数中,我只需执行以下操作:

1 个字节:

*((uin8_t*)(0xADDRESS)) = 0xDATA;

2字节:

*((uin16_t*)(0xADDRESS)) = CFSwapInt16(0xDATA);

和 4 个字节:

*((uin32_t*)(0xADDRESS)) = CFSwapInt32(0xDATA);

感谢您的帮助;)

于 2013-05-01T09:34:36.893 回答