Gallopsled / pwntools

CTF framework and exploit development library
http://pwntools.com

When parsing a MIPS dynamically linked binary, the ELF crashed? #2081

Open QudaRulo opened 2 years ago

QudaRulo commented 2 years ago

Hello, I use pwntools to parse a binary under Ubuntu 20.04; the version of pwntools is 4.8.0.

If the input file of ELF() is statically linked, [screenshot] everything is OK. [screenshot]

But when the input file is dynamically linked, [screenshot] ELF() will crash. [screenshot] And when I use the base project elftools, it didn't crash. I think there is something broken in it.

QudaRulo commented 2 years ago

Because the version of unicorn I installed is 2.0, maybe pwntools doesn't support unicorn 2.

Arusekk commented 2 years ago

Can you try to trace the issue down to a traceback from the last Python opcode executed? It is probably a CALL_FUNCTION of a builtin function. Or can you provide a backtrace (e.g. from GDB) of running your Python script, like the following?

$ PWNLIB_NOTERM=1 gdb -ex r -ex bt --args python3 -c 'from pwn import*;context.binary="./telnetd"'
QudaRulo commented 2 years ago

Can you try to trace the issue down to a traceback from the last Python opcode executed? It is probably a CALL_FUNCTION of a builtin function. Or can you provide a backtrace (e.g. from GDB) of running your Python script, like the following?

$ PWNLIB_NOTERM=1 gdb -ex r -ex bt --args python3 -c 'from pwn import*;context.binary="./telnetd"'

It seems that I didn't find stack info. [screenshot]

But the system caught some crash info; I remember that this function exists in libunicornxx, likely. [screenshot]

Arusekk commented 2 years ago

I have honestly no idea what could possibly cause that. But if you find out, I will be curious to get more info on it.

QudaRulo commented 2 years ago

I am working on Unicorn recently. When done, I will continue to debug the related code and try my best to solve the problem.

Arusekk commented 2 years ago

Do you mean Python crashes? Can you give more details about your Python version?

Email from Friday, 1 July 2022 from Green bumpa:

Hello, I use pwntools to parse a binary under Ubuntu 20.04; the version of pwntools is 4.8.0.

If the input file of ELF() is statically linked, [screenshot] everything is OK. [screenshot]

But when the input file is dynamically linked, [screenshot] ELF() will crash. [screenshot] And when I use the base project elftools, it didn't crash. I think there is something broken in it.

-- Reply to this email directly or view it on GitHub: https://github.com/Gallopsled/pwntools/issues/2081 You are receiving this because you are subscribed to this thread.


-- Sent from my Sailfish device

QudaRulo commented 2 years ago

No. It is as in the following figure. [screenshot] I think that the program crashes at the function cpu_exec_mipsel, which is exported from libunicornxxx. Thus, I believe this error is related to unicorn.

I parsed the same file using pwntools in a unicorn v1.x environment installed by my friend and everything worked fine. But in my environment unicorn is v2.x, and the error I described before appeared.

I found in the source code of the ELF class what might be causing this error.

Line 366 in elf.py (init of ELF), [screenshot] and line 1048 in elf.py (in function _populate_plt). [screenshot] Then line 48 in plt.py (in function emulate_plt_instructions) [screenshot] and line 178 in plt.py (in function emulate_plt_instructions_inner). [screenshot] It may be _populate_plt --> emulate_plt_instructions --> emulate_plt_instructions_inner --> ... --> cpu_exec_mipsel

I have another idea: in the symbol table of an ELF file for the MIPS architecture, the absolute address of the .stubs section table entry is stored in its st_value. Just using static parsing should be able to do the job as well.

Arusekk commented 2 years ago

Email from Wednesday, 26 October 2022 from ModaStampa:

I have another idea: in the symbol table of an ELF file for the MIPS architecture, the absolute address of the .stubs section table entry is stored in its st_value. Just using static parsing should be able to do the job as well.

Yes, it sure should, but CTF binaries are often stripped or have the sections misarranged. This is why there is emulation in the first place.

-- Sent from my Sailfish device
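The static alternative discussed in the last two comments, as an added example that is neither pwntools' code nor from the thread: walk .dynsym of a little-endian ELF32 image and collect undefined function symbols whose st_value is non-zero, which on MIPS is the address of that function's lazy-binding stub. The ELF image is constructed inline with only the sections the parser needs, so it runs offline; it also shows the caveat raised in the reply, returning nothing when the section headers are absent.

```python
import struct

SHT_DYNSYM, SHT_STRTAB = 11, 3
STT_FUNC, SHN_UNDEF = 2, 0

def mips_stub_addresses(data):
    """Return {name: st_value} for undefined FUNC symbols in .dynsym of an
    ELF32 little-endian image. On MIPS a non-zero st_value of an undefined
    function is the address of its .MIPS.stubs entry (what the PLT emulation
    in pwntools tries to discover by running the stub code instead)."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("expected an ELF32 little-endian image")
    (shoff,) = struct.unpack_from("<I", data, 32)
    shentsize, shnum = struct.unpack_from("<HH", data, 46)
    # Stripped binaries may have no section headers at all; then one would
    # have to locate DT_SYMTAB/DT_STRTAB via PT_DYNAMIC, which is not done here.
    shdrs = [struct.unpack_from("<10I", data, shoff + i * shentsize) for i in range(shnum)]
    stubs = {}
    for sh in shdrs:
        if sh[1] != SHT_DYNSYM:
            continue
        off, size, link, entsize = sh[4], sh[5], sh[6], sh[9]
        strtab = data[shdrs[link][4]:shdrs[link][4] + shdrs[link][5]]  # linked .dynstr
        for pos in range(off, off + size, entsize):
            name, value, _, info, _, shndx = struct.unpack_from("<IIIBBH", data, pos)
            if shndx == SHN_UNDEF and info & 0xF == STT_FUNC and value != 0:
                stubs[strtab[name:strtab.index(b"\0", name)].decode()] = value
    return stubs

def build_sample():
    """Constructed ELF32 LSB EM_MIPS image with just .dynsym and .dynstr (not a real binary)."""
    dynstr = b"\0puts\0memcpy\0main\0"
    syms = [  # (st_name, st_value, st_size, st_info, st_other, st_shndx); 0x12 = GLOBAL FUNC
        (0, 0, 0, 0, 0, SHN_UNDEF),                 # mandatory null symbol
        (1, 0x00400A20, 0, 0x12, 0, SHN_UNDEF),     # puts: undefined, st_value = stub address
        (6, 0x00400A30, 0, 0x12, 0, SHN_UNDEF),     # memcpy: undefined, st_value = stub address
        (13, 0x00400760, 0x40, 0x12, 0, 1),         # main: defined locally, must be skipped
    ]
    dynsym = b"".join(struct.pack("<IIIBBH", *s) for s in syms)
    dynsym_off = 52
    dynstr_off = dynsym_off + len(dynsym)
    shoff = dynstr_off + len(dynstr)
    ehdr = b"\x7fELF\x01\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIIIIIHHHHHH", 2, 8, 1, 0x00400760, 0, shoff, 0, 52, 0, 0, 40, 3, 0)
    shdrs = struct.pack("<10I", *([0] * 10))                                      # SHN_UNDEF
    shdrs += struct.pack("<10I", 0, SHT_DYNSYM, 2, 0, dynsym_off, len(dynsym), 2, 1, 4, 16)
    shdrs += struct.pack("<10I", 0, SHT_STRTAB, 2, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)
    return ehdr + dynsym + dynstr + shdrs

if __name__ == "__main__":
    for name, addr in mips_stub_addresses(build_sample()).items():
        print(f"{name:<8} stub at {addr:#010x}")
```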