
I am currently working on a crackme. RDTSC is used in the x86 assembly to get a time stamp and check whether it has been slowed down by a debugger or something. The crackme itself is a stripped ELF32 binary.

I am currently working on macOS + VirtualBox Debian32.

My strategy was to keep the first RDTSC call and store its eax and edx. I kept them somewhere and, for the other rdtsc calls, set the current eax and edx values to the previous ones. I have had no luck with this strategy. The crackme still knows me.

I searched through Google and found IDAStealth, another Windows program that lets you fake rdtsc calls.

I am looking for an equivalent of this on Linux. Is there any way to set rdtsc values on Linux?


1 Answer


You write the TSC register with a WRMSR instruction with ecx = 59. That's a privileged instruction, so you can only do it in the kernel.

An easier way to 'intercept' RDTSC calls is to set the TSD bit in CR4, disabling the RDTSC instruction. This also can only be done in the kernel.

So any way you slice it, if you want to do this on Linux, you'll need to write a kernel module to do the necessary control register manipulation.


3 Comments

Would you look at this code? pastebin.com/SEMsb7DN. I compiled a kernel module with the WRMSR instruction included, but the kernel doesn't like it. Would you help me with this situation? Thanks.
uint32_t hi,lo; hi=0; lo=0xb; asm volatile("mov %0,%%eax"::"r"(lo)); asm volatile("mov %0,%%edx"::"r"(hi)); Is this OK? I changed the code a bit: asm volatile("mov $0x59,%ecx"); asm volatile("wrmsr");
The kernel already has a wrmsr helper; use that. Note that if you are virtualizing, you can mess with the TSC in other ways too. You can even make it stop while you are debugging.
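The trap-and-emulate route the answer describes (CR4.TSD set, so a user-mode RDTSC faults) is something Linux exposes to an unprivileged task through prctl(PR_SET_TSC, PR_TSC_SIGSEGV), which means the mechanism can be tried out without a kernel module. The program below is an added example written for this page; it is not code from the question, the answer or the comments. It arms that trap, catches the resulting SIGSEGV, verifies that the faulting instruction really is RDTSC (opcode 0F 31), writes a constructed counter value into EAX:EDX in the saved context and resumes past the instruction, so every trapped read sees a counter that advances by a small fixed step no matter how long the process was actually stopped. It assumes Linux on x86 or x86-64 with glibc; FAKE_TSC_BASE, FAKE_TSC_STEP and the 1000-cycle threshold are constructed values, and rdtsc_gap_suspicious models the kind of comparison the question describes, not the actual crackme's check.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <ucontext.h>

/* Constructed values for the emulated counter: the first reading, and how far it
 * advances per trapped RDTSC so that consecutive reads still look close together. */
#define FAKE_TSC_BASE 0x0000000100000000ULL  /* edx = 1, eax = 0 */
#define FAKE_TSC_STEP 100ULL

static volatile uint64_t fake_tsc_next = FAKE_TSC_BASE;
static volatile int trapped_rdtsc_count = 0;

/* Read the TSC normally. A single asm statement with output constraints binds
 * eax/edx directly, so nothing can clobber them between two asm statements. */
static uint64_t rdtsc64(void)
{
    uint32_t lo, hi;
    __asm__ volatile("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}

/* The comparison an RDTSC-based anti-debug routine makes: two reads too far apart. */
static int rdtsc_gap_suspicious(uint64_t before, uint64_t after, uint64_t max_cycles)
{
    return (after - before) > max_cycles;
}

/* With CR4.TSD in effect a user-mode RDTSC raises #GP, which the kernel delivers
 * as SIGSEGV with the saved instruction pointer still at the RDTSC itself. */
static void rdtsc_trap_handler(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si;
    ucontext_t *uc = (ucontext_t *)ctx;
    /* glibc's mcontext_t is layout-compatible with the kernel's struct sigcontext. */
    struct sigcontext *sc = (struct sigcontext *)&uc->uc_mcontext;
#if defined(__x86_64__)
    const uint8_t *ip = (const uint8_t *)(uintptr_t)sc->rip;
#elif defined(__i386__)
    const uint8_t *ip = (const uint8_t *)(uintptr_t)sc->eip;
#else
#error "x86 only: RDTSC and CR4.TSD do not exist elsewhere"
#endif
    if (ip[0] != 0x0f || ip[1] != 0x31) {
        /* Not RDTSC, so a genuine fault: restore the default action and let the
         * re-executed instruction terminate the process instead of looping here. */
        struct sigaction dfl;
        memset(&dfl, 0, sizeof dfl);
        dfl.sa_handler = SIG_DFL;
        sigaction(SIGSEGV, &dfl, NULL);
        return;
    }
    uint64_t v = fake_tsc_next;
    fake_tsc_next += FAKE_TSC_STEP;
    trapped_rdtsc_count++;
    /* RDTSC writes EDX:EAX and clears the upper halves of RAX/RDX; do the same in
     * the saved context, then step over the two-byte instruction. */
#if defined(__x86_64__)
    sc->rax = (uint32_t)v;
    sc->rdx = (uint32_t)(v >> 32);
    sc->rip += 2;
#else
    sc->eax = (uint32_t)v;
    sc->edx = (uint32_t)(v >> 32);
    sc->eip += 2;
#endif
}

/* Arm the trap, take n readings through it, disarm. Returns how many RDTSCs were
 * actually trapped, or -1 if the trap could not be armed on this system. */
int run_trapped_rdtsc(uint64_t *out, int n)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = rdtsc_trap_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0)
        return -1;
    fake_tsc_next = FAKE_TSC_BASE;
    trapped_rdtsc_count = 0;
    /* Per-task equivalent of setting CR4.TSD: from here on user-mode RDTSC faults. */
    if (prctl(PR_SET_TSC, (unsigned long)PR_TSC_SIGSEGV, 0UL, 0UL, 0UL) != 0) {
        sigaction(SIGSEGV, &old, NULL);
        return -1;
    }
    for (int i = 0; i < n; i++)
        out[i] = rdtsc64();
    prctl(PR_SET_TSC, (unsigned long)PR_TSC_ENABLE, 0UL, 0UL, 0UL);
    sigaction(SIGSEGV, &old, NULL);
    return trapped_rdtsc_count;
}

int main(void)
{
    uint64_t v[3];
    int trapped = run_trapped_rdtsc(v, 3);
    printf("trapped %d RDTSCs: %#llx %#llx %#llx\n", trapped,
           (unsigned long long)v[0], (unsigned long long)v[1], (unsigned long long)v[2]);
    printf("gap check over the faked reads: %s\n",
           rdtsc_gap_suspicious(v[0], v[2], 1000) ? "suspicious" : "clean");
    printf("real TSC after disarming: %#llx\n", (unsigned long long)rdtsc64());
    return 0;
}
```

Build with `gcc -O2 rdtsc_trap.c -o rdtsc_trap` (add `-m32` on a 64-bit host to match the 32-bit Debian guest in the question). Two things are worth noticing. First, the trap only changes what this task observes; unlike WRMSR on the TSC MSR it leaves the hardware counter untouched, and because PR_SET_TSC applies to the calling task it does nothing for another process unless that process arms it itself. Second, CR4.TSD also makes RDTSCP (opcode 0F 01 F9) fault, and this handler deliberately treats anything other than plain RDTSC as a real fault, so a binary that uses RDTSCP would terminate rather than be fooled; extending the opcode check is straightforward but was left out to keep the emulation explicit. The `"=a"`/`"=d"` constraints in rdtsc64 are also the fix for the pattern in the second comment: splitting register moves and the privileged instruction across separate asm statements gives the compiler licence to reuse eax, edx or ecx in between.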
