Hello, a simple binary I'm trying to patch segfaults. I believe this is due to some RIP-relative addressing issue. The code I'm trying to patch in is very basic, so I highly doubt it's the problem. I have even tried to patch in an empty string, and it still segfaults.
Running with gdb, I found that in the original binary a string is being referenced using lea rax, [rip+0xed3], which resolves to 0x402004. In the patched binary the instruction remains the same; however, the resulting address is changed due to the trampoline, now it is 0x601b4b, which contains absolutely nothing, while the string is still at 0x402004.
Steps to reproduce the bug
The script I'm using:
import sys

from patcherex.backends.detourbackend import DetourBackend
from patcherex.patches import InsertCodePatch

binary = sys.argv[1]
backend = DetourBackend(binary)
patches = []
project = backend.project

# assembly to insert; deliberately trivial so it cannot be the cause itself
random = ''' mov r11, 0xdeadbeef '''

for node in sorted(backend.cfg.model.nodes(), key=lambda n: n.addr):
    if not node.is_simprocedure and node.name == "hello":
        patch_addr = node.addr
        print("function at 0x%x with name %s" % (node.addr, node.name))
        print("patching at 0x%x" % patch_addr)
        # insert the code at the beginning of the function
        patches.append(InsertCodePatch(patch_addr, random))

backend.apply_patches(patches)
backend.save(sys.argv[2])
It essentially adds some code at the start of the hello function.
Provide the binary as argv[1] and the output as argv[2].
This is the C code of the binary, compiled with gcc hello.c -no-pie -o hello:
/home/elleven/.local/lib/python3.10/site-packages/angr/misc/bug_report.py:1: DeprecationWarning: the imp module is deprecated in favour of importlib and slated for removal in Python 3.12; see the module's documentation for alternative uses
import imp
angr environment report
=============================
Date: 2023-01-22 22:01:18.628484
!!! running in global environment. Are you sure? !!!
Platform: linux-x86_64
Python version: 3.10.9 (main, Dec 19 2022, 17:35:49) [GCC 12.2.0]
######## angr #########
Python found it in /home/elleven/.local/lib/python3.10/site-packages/angr
Pip version angr 9.2.34
Couldn't find git info
######## ailment #########
Python found it in /home/elleven/.local/lib/python3.10/site-packages/ailment
Pip version ailment 9.2.34
Couldn't find git info
######## cle #########
Python found it in /home/elleven/.local/lib/python3.10/site-packages/cle
Pip version cle 9.2.34
Couldn't find git info
######## pyvex #########
Python found it in /home/elleven/.local/lib/python3.10/site-packages/pyvex
Pip version pyvex 9.2.34
Couldn't find git info
######## claripy #########
Python found it in /home/elleven/.local/lib/python3.10/site-packages/claripy
Pip version claripy 9.2.34
Couldn't find git info
######## archinfo #########
Python found it in /home/elleven/.local/lib/python3.10/site-packages/archinfo
Pip version archinfo 9.2.34
Couldn't find git info
######## z3 #########
Python found it in /home/elleven/.local/lib/python3.10/site-packages/z3
Pip version z3-solver 4.10.2.0
Couldn't find git info
######## unicorn #########
Python found it in /home/elleven/.local/lib/python3.10/site-packages/unicorn
Pip version unicorn 2.0.1.post1
Couldn't find git info
######### Native Module Info ##########
angr: <CDLL '/home/elleven/.local/lib/python3.10/site-packages/angr/state_plugins/../lib/angr_native.so', handle 55b85f0058f0 at 0x7faf61a66aa0>
unicorn: <CDLL '/home/elleven/.local/lib/python3.10/site-packages/unicorn/lib/libunicorn.so.2', handle 55b85e98f650 at 0x7faf67365c90>
pyvex: <cffi.api._make_ffi_library.<locals>.FFILibrary object at 0x7faf67dfe260>
z3: <CDLL '/home/elleven/.local/lib/python3.10/site-packages/z3/lib/libz3.so', handle 55b85ecfe7d0 at 0x7faf639bd720>
Additional context
No response
Environment
Linux: 5.15.89-1-lts
GLIBC: 2.36
patchrex: 1.2, commit: f888f5e
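As an added illustration of the addressing problem described in this report (example code written here, not code from the issue or from patcherex): an x86-64 RIP-relative displacement is measured from the end of the instruction, so copying `lea rax, [rip+0xed3]` to a detour leaves the disp32 unchanged and moves the target. The instruction bytes below are constructed from the quoted mnemonic (the issue gives the disassembly, not the bytes), and the instruction start addresses 0x40112a and 0x600c71 are inferred from the reported targets 0x402004 and 0x601b4b by assuming the standard 7-byte encoding; both are assumptions, not facts from the issue. The helpers recompute the displacement for the new location and refuse when the target is out of rel32 range.

```python
import struct

# Bytes of `lea rax, [rip+0xed3]` (REX.W 8D /r, ModRM mod=00 rm=101): 48 8d 05 <disp32 LE>.
# Constructed from the mnemonic quoted in the report; the issue does not give raw bytes.
ORIG_LEA = bytes.fromhex("488d05d30e0000")
LEA_LEN = len(ORIG_LEA)  # 7

# Addresses derived from the report: disp 0xed3 resolves to 0x402004 in the original
# binary and to 0x601b4b after the detour. The instruction start addresses are an
# assumption obtained by subtracting the 7-byte length; the issue does not state them.
ORIG_INSN_ADDR = 0x402004 - 0xED3 - LEA_LEN  # 0x40112a
NEW_INSN_ADDR = 0x601B4B - 0xED3 - LEA_LEN   # 0x600c71
INT32_MIN, INT32_MAX = -(2 ** 31), 2 ** 31 - 1


def lea_disp32(insn: bytes) -> int:
    """Extract the signed disp32 of a 7-byte `lea r64, [rip+disp32]`."""
    if len(insn) != 7 or insn[1] != 0x8D or insn[2] & 0xC7 != 0x05:
        raise ValueError("not a 7-byte rip-relative lea")
    return struct.unpack_from("<i", insn, 3)[0]


def rip_target(insn_addr: int, insn_len: int, disp: int) -> int:
    """Address a RIP-relative operand resolves to.

    The displacement is relative to the *next* instruction (insn_addr + insn_len),
    which is why copying the bytes into a trampoline silently changes the target.
    """
    return (insn_addr + insn_len + disp) & 0xFFFFFFFFFFFFFFFF


def relocated_disp(orig_addr: int, new_addr: int, insn_len: int, disp: int) -> int:
    """Displacement the moved instruction needs to keep pointing at its original target.

    Raises ValueError when the target is more than +/-2 GiB from the new location;
    then the detour must materialise the address differently (e.g. movabs) instead
    of patching the disp32.
    """
    target = rip_target(orig_addr, insn_len, disp)
    new_disp = target - (new_addr + insn_len)
    if not INT32_MIN <= new_disp <= INT32_MAX:
        raise ValueError(f"target 0x{target:x} not reachable with rel32 from 0x{new_addr:x}")
    return new_disp


def relocate_lea(insn: bytes, orig_addr: int, new_addr: int) -> bytes:
    """Re-encode a rip-relative lea for new_addr so it still resolves to the same address."""
    disp = lea_disp32(insn)
    new_disp = relocated_disp(orig_addr, new_addr, len(insn), disp)
    return insn[:3] + struct.pack("<i", new_disp)


def demo() -> dict:
    """Reproduce the report's numbers and show the corrected encoding."""
    disp = lea_disp32(ORIG_LEA)
    fixed = relocate_lea(ORIG_LEA, ORIG_INSN_ADDR, NEW_INSN_ADDR)
    return {
        "orig_target": rip_target(ORIG_INSN_ADDR, LEA_LEN, disp),
        "moved_unfixed_target": rip_target(NEW_INSN_ADDR, LEA_LEN, disp),
        "fixed_disp": lea_disp32(fixed),
        "fixed_target": rip_target(NEW_INSN_ADDR, LEA_LEN, lea_disp32(fixed)),
        "fixed_bytes": fixed.hex(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, hex(value) if isinstance(value, int) else value)
```

Running `demo()` reproduces the two targets from the report (0x402004 at the original location, 0x601b4b once the unchanged bytes execute in the detour) and shows the displacement the relocated `lea` would need, which is negative because the detour region sits above the original `.rodata` string.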