I am currently working on a crackme. RDTSC is used in x86 assembly to get a time stamp, to check whether it is slowed by a debugger or something. The crackme itself is a stripped ELF32 binary.

I am currently working on macOS + VirtualBox Debian32.

My strategy was to keep the first RDTSC call and store its eax and edx. Keeping them somewhere, for the other rdtsc calls I set the previous eax and edx values as the current ones. I had no luck with this strategy. The crackme still knows me.

I searched through Google and found IDAStealth, another Windows program that lets you fake rdtsc calls.

I am looking for an equivalent of this on Linux. Is there any way to set rdtsc values on Linux?

Eren Yagdiran

1 Answer

You write the TSC register with a WRMSR instruction with ecx = 59. That's a privileged instruction, so you can only do it in the kernel.

An easier way to 'intercept' RDTSC calls is to set the TSD bit in CR4, disabling the RDTSC instruction. This also can only be done in the kernel.

So any way you slice it, if you want to do this on Linux, you'll need to write a kernel module to do the necessary control register manipulation.

Chris Dodd
  • Would you look at this code? http://pastebin.com/SEMsb7DN. I compiled a kernel module with the WRMSR instruction included. But the kernel doesn't like it. Would you help me with this situation? Thanks. – Eren Yagdiran Oct 30 '13 at 12:40
  • uint32_t hi,lo; hi=0; lo=0xb; asm volatile("mov %0,%%eax"::"r"(lo)); asm volatile("mov %0,%%edx"::"r"(hi)); Is this OK? I changed the code a bit: asm volatile("mov $0x59,%ecx"); asm volatile("wrmsr"); – Eren Yagdiran Oct 30 '13 at 13:17
  • The kernel already has a wrmsr helper; use that. Note that if you are virtualizing, you can mess with the TSC in other ways too. You can even make it stop while you are debugging. – Jester Oct 30 '13 at 16:31
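As an added example (my own code, not from the answer or the commenters), here is the user-space half of the CR4.TSD approach Chris Dodd describes: once a kernel module has set TSD, every RDTSC executed from ring 3 raises #GP, which Linux delivers as SIGSEGV with EIP on the instruction, and a signal handler can hand the program whatever eax:edx it likes. The struct names, emulate_rdtsc, demo_delta and install_rdtsc_trap are assumed helper names; the kernel-side CR4 write is assumed to be done elsewhere, and the fake counter values are constructed.

```c
#define _GNU_SOURCE
#include <stdint.h>
/* Fake TSC: a counter advanced by a fixed step per RDTSC, so a "delta between
 * two RDTSCs" check always sees the same small elapsed time, debugger or not. */
struct fake_tsc { uint64_t value; uint64_t step; };
struct regs32 { uint32_t eax, edx; uintptr_t ip; }; /* hypothetical register view */

/* Emulate one trapped RDTSC. Returns 1 and patches eax/edx/ip when the bytes at
 * ip are the RDTSC opcode (0F 31); returns 0 so any other fault stays fatal. */
int emulate_rdtsc(const uint8_t *code, struct regs32 *r, struct fake_tsc *t)
{
    if (code[0] != 0x0F || code[1] != 0x31) return 0;
    t->value += t->step;
    r->eax = (uint32_t)t->value;         /* low 32 bits, as RDTSC returns them */
    r->edx = (uint32_t)(t->value >> 32); /* high 32 bits */
    r->ip += 2;                          /* resume after the 2-byte instruction */
    return 1;
}

/* Demo on a constructed buffer holding one rdtsc: two emulated reads, then the
 * delta a timing check would compute; it is always == step, whatever real time did. */
uint64_t demo_delta(void)
{
    static const uint8_t code[] = { 0x0F, 0x31 };                 /* constructed: rdtsc */
    struct fake_tsc t = { .value = 0xFFFFFFF0ULL, .step = 0x20 }; /* crosses 32 bits */
    struct regs32 a = { 0, 0, (uintptr_t)code }, b = { 0, 0, (uintptr_t)code };
    if (!emulate_rdtsc(code, &a, &t) || !emulate_rdtsc(code, &b, &t)) return 0;
    uint64_t t1 = ((uint64_t)a.edx << 32) | a.eax, t2 = ((uint64_t)b.edx << 32) | b.eax;
    return t2 - t1;
}

#if defined(__linux__) && defined(__i386__) /* 32-bit Linux only, like the crackme */
#include <signal.h>
#include <ucontext.h>
static struct fake_tsc g_tsc = { .value = 0x100000000ULL, .step = 50 }; /* constructed */
/* Once a kernel module has set CR4.TSD, RDTSC in ring 3 raises #GP and Linux
 * delivers SIGSEGV with EIP at the instruction: patch the context and resume. */
static void on_sigsegv(int sig, siginfo_t *si, void *ctx)
{
    greg_t *g = ((ucontext_t *)ctx)->uc_mcontext.gregs; (void)sig; (void)si;
    struct regs32 r = { (uint32_t)g[REG_EAX], (uint32_t)g[REG_EDX], (uintptr_t)g[REG_EIP] };
    if (!emulate_rdtsc((const uint8_t *)r.ip, &r, &g_tsc)) { signal(SIGSEGV, SIG_DFL); return; }
    g[REG_EAX] = r.eax; g[REG_EDX] = r.edx; g[REG_EIP] = (greg_t)r.ip;
}
int install_rdtsc_trap(void) /* call once at startup, e.g. from an LD_PRELOAD constructor */
{
    struct sigaction sa = { 0 }; sa.sa_sigaction = on_sigsegv; sa.sa_flags = SA_SIGINFO;
    return sigaction(SIGSEGV, &sa, NULL);
}
#endif
```

The handler only patches faults whose EIP points at 0F 31; any other SIGSEGV is re-raised with the default action so real crashes are not masked.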