diff --git a/README.md b/README.md index c254b0b..17c4c97 100644 --- a/README.md +++ b/README.md @@ -134,6 +134,36 @@ Hex dump of section '.comment': 0x00000020 00000000 00000000 000000 ........... ``` +## GOT overwrite + +Overwrites the GOT section with a specified value + +``` +$ cattleya -i bin/got --got --got-l system --got-f secret -o obfuscated +$ ./obfuscated +secret function called +``` + +As shown below, only the system function is called in the main function as far as disassembly is concerned: + +``` +$ objdump -d obfuscated +... +00000000004011d2
: + 4011d2: f3 0f 1e fa endbr64 + 4011d6: 55 push %rbp + 4011d7: 48 89 e5 mov %rsp,%rbp + 4011da: 48 83 ec 10 sub $0x10,%rsp + 4011de: 48 8d 05 36 0e 00 00 lea 0xe36(%rip),%rax # 40201b <_IO_stdin_used+0x1b> + 4011e5: 48 89 c7 mov %rax,%rdi + 4011e8: e8 73 fe ff ff call 401060 + 4011ed: 89 45 fc mov %eax,-0x4(%rbp) + 4011f0: b8 00 00 00 00 mov $0x0,%eax + 4011f5: c9 leave + 4011f6: c3 ret +... +``` + # Recursive option By specifying the directory name in the recursive option, the same obfuscation can be applied to all ELF files in that directory:
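Review bot: The lead sentence of the new section, "Overwrites the GOT section with a specified value", does not explain the two flags the example then uses; from the command line, `--got-l system` names the imported library function whose GOT entry is rewritten and `--got-f secret` names the local function the entry is pointed at, so the README should say that explicitly (e.g. "Rewrites the GOT entry of the library function given by `--got-l` so that it points at the local function given by `--got-f`") and also state that the "secret function called" output is what proves the redirection worked at runtime. Two smaller points in the same hunk: the objdump listing has lost the angle-bracket symbol names (the line before the `endbr64` should read `<main>:` and the call should be annotated `<system@plt>`), without which the claim that "only the system function is called ... as far as disassembly is concerned" is not visible to the reader, so please re-check the pasted output; and the section is introduced with `## GOT overwrite` while the neighbouring `# Recursive option` uses a top-level heading, so the heading level should match the rest of the file.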