MJx0 / KittyMemory

This library aims for runtime code patching for both Android and iOS
MIT License

Crash when searching outside the library range with KittyScanner #28

Open knms360 opened 2 months ago

knms360 commented 2 months ago

In the sample, the search range is specified using ELF.baseSegment().startAddress and ELF.baseSegment().endAddress. However, if I use an arbitrary search range, it crashes. Most likely the program is crashing because it is reading an unreadable range. There are no errors when compiling. I can get the error with Logcat:

Error: Fatal signal 11 (SIGSEGV), code 2, fault addr 0xf15b6000 in tid 3825 (android.support)

knms360 commented 2 months ago

My code:

KittyScanner::ElfScanner g_il2cppELF;
g_il2cppELF = KittyScanner::ElfScanner::createWithPath("libMyLibName.so");
uintptr_t search_start = g_il2cppELF.baseSegment().startAddress;
uintptr_t search_end = g_il2cppELF.baseSegment().endAddress + 0xFFFF;
std::vector<uintptr_t> found_at_list;
found_at_list = KittyScanner::findHexAll(search_start, search_end, "01 01 01 00 01 00 00 00 01 00 00 00 01 00 00 00 01 01 00 00", "xxxxxxxxxxxxxxxxxxxx");

MJx0 commented 2 months ago

uintptr_t search_end = g_il2cppELF.baseSegment().endAddress + 0xFFFF; why the + 0xFFFF ?

knms360 commented 2 months ago

uintptr_t search_end = g_il2cppELF.baseSegment().endAddress + 0xFFFF; why the + 0xFFFF ?

This is to make it clear that it is outside the range.

uintptr_t search_start = 0x0000;
uintptr_t search_end = 0xFFFF;

This didn't work either; I get the same error.

MJx0 commented 2 months ago

There are no memory permission checks inside the scanner functions. You have to check and provide a valid readable memory range yourself. If you want to scan a full library, use the segments array instead of only the base segment, then check which segment is readable.

knms360 commented 2 months ago

Is it possible to read the segment from 0x00 to 0xFFFFFFFF and check if it is readable?

MJx0 commented 2 months ago

Why would you use a hardcoded memory range? You can call the getAllMaps() function to get all process memory maps, then filter them.

knms360 commented 2 months ago

Because there is no library that can be used to look up byte arrays. (It's difficult to explain in English, so please refer to the images.) [images: gamegu1, gamegu2]

MJx0 commented 2 months ago

Use Termux and print the process maps:

cat /proc/<pid>/maps

It could be malloc memory or bss.

knms360 commented 2 months ago

Ah, um... it seems very difficult, but I'll try it.

knms360 commented 1 month ago

That's right, it was in the range of anon:libc_malloc

MJx0 commented 1 month ago

You can get the malloc memory path with this, but on older Android versions it might be empty:

#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>

std::string mallocPathname()
{
    // Allocate a small block so we can look up which mapping the heap lives in
    void *n = malloc(sizeof(void*));
    std::string result;

    if (auto fMaps = fopen("/proc/self/maps", "r"))
    {
        char cLine[512] = { 0 };
        while (fgets(cLine, sizeof(cLine), fMaps) != nullptr)
        {
            unsigned long long start = 0, end = 0;
            char pathname[0xff] = { 0 };
            // Line layout: start-end perms offset dev inode pathname
            // The %254s width limit keeps a long pathname from overrunning the buffer
            sscanf(cLine, "%llx-%llx %*s %*s %*s %*s %254s", &start, &end, pathname);
            if (uintptr_t(n) >= start && uintptr_t(n) < end)
            {
                result = pathname;
                break;
            }
        }
        fclose(fMaps);
    }

    free(n); // freed on every path, including the match

    return result;
}

You can scan like this afterwards:

auto mallocPath = mallocPathname();
if (!mallocPath.empty())
{
  auto maps = KittyMemory::getMapsEqual(mallocPath);
  for (const auto &it : maps)
  {
    // filter out: skip file-backed mappings (offset != 0) and anything that is not rw-p,
    // since the scanner does no permission checks of its own
    if (it.offset != 0 || it.perms.compare("rw-p") != 0) continue;

    uintptr_t found_at = KittyScanner::findIdaPatternFirst(it.startAddress, it.endAddress, "33 ? 55 66 ? 77 88 ? 99");
    KITTY_LOGI("found IDA pattern at: %p", (void *)found_at);
  }
}

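The thread above makes two points that are easy to get wrong: the scanner functions do no permission checks, and the safe way to pick a range is to parse /proc/&lt;pid&gt;/maps and keep only readable mappings. The following is an added example (not KittyMemory's own code) that puts both together: a small maps-line parser, a "does this range lie entirely inside one readable mapping" check, and a bounds-checked IDA-style pattern scan that refuses a range instead of faulting on it. The maps text is constructed for the example and wraps the real address of a static buffer that stands in for a libc_malloc region; on a device you would feed it the contents of /proc/self/maps instead.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <sstream>
#include <string>
#include <vector>

// One line of /proc/<pid>/maps; field names follow the kernel's layout.
struct MapEntry {
    uintptr_t start = 0, end = 0;
    unsigned long long offset = 0;
    std::string perms, pathname;            // pathname is empty for anonymous maps
    bool readable() const { return !perms.empty() && perms[0] == 'r'; }
};

// Parse "start-end perms offset dev inode [pathname]". Width limits keep
// sscanf from overrunning the fixed buffers.
bool parseMapsLine(const std::string &line, MapEntry &out) {
    unsigned long long s = 0, e = 0, off = 0;
    char perms[8] = {0}, path[256] = {0};
    int n = std::sscanf(line.c_str(), "%llx-%llx %7s %llx %*s %*s %255s", &s, &e, perms, &off, path);
    if (n < 4 || s >= e) return false;      // pathname may be absent (n == 4)
    out.start = (uintptr_t)s; out.end = (uintptr_t)e; out.offset = off;
    out.perms = perms; out.pathname = path;
    return true;
}

std::vector<MapEntry> parseMaps(const std::string &text) {
    std::vector<MapEntry> maps;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        MapEntry m;
        if (parseMapsLine(line, m)) maps.push_back(m);
    }
    return maps;
}

// The check the scanner itself does not do: is [start, end) entirely inside
// one readable mapping? A range that straddles two mappings is rejected too.
const MapEntry *readableMapCovering(const std::vector<MapEntry> &maps, uintptr_t start, uintptr_t end) {
    for (const auto &m : maps)
        if (m.readable() && start < end && start >= m.start && end <= m.end) return &m;
    return nullptr;
}

// IDA-style pattern "33 ? 55 66" -> bytes plus a mask (true = byte must match).
bool parseIdaPattern(const std::string &pattern, std::vector<uint8_t> &bytes, std::vector<bool> &mask) {
    std::istringstream in(pattern);
    std::string tok;
    bytes.clear(); mask.clear();
    while (in >> tok) {
        if (tok == "?" || tok == "??") { bytes.push_back(0); mask.push_back(false); continue; }
        if (tok.size() != 2 || !std::isxdigit((unsigned char)tok[0]) || !std::isxdigit((unsigned char)tok[1])) return false;
        bytes.push_back((uint8_t)std::strtoul(tok.c_str(), nullptr, 16)); mask.push_back(true);
    }
    return !bytes.empty();
}

struct ScanResult { bool rangeReadable; uintptr_t foundAt; };   // foundAt == 0 when not found

// Bounds-checked counterpart of a findIdaPatternFirst-style scan: it refuses
// to touch memory outside a readable mapping instead of raising SIGSEGV.
ScanResult safeFindIdaPatternFirst(const std::vector<MapEntry> &maps, uintptr_t start, uintptr_t end, const std::string &pattern) {
    ScanResult r{false, 0};
    if (!readableMapCovering(maps, start, end)) return r;
    r.rangeReadable = true;
    std::vector<uint8_t> bytes; std::vector<bool> mask;
    if (!parseIdaPattern(pattern, bytes, mask) || end - start < bytes.size()) return r;
    const uint8_t *base = reinterpret_cast<const uint8_t *>(start);
    for (size_t i = 0; i + bytes.size() <= end - start; ++i) {
        size_t k = 0;
        while (k < bytes.size() && (!mask[k] || base[i + k] == bytes[k])) ++k;
        if (k == bytes.size()) { r.foundAt = start + i; return r; }
    }
    return r;
}

// Constructed sample: a buffer standing in for a libc_malloc region, with the
// pattern from the thread placed at offset 10.
static uint8_t g_heapLike[64] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                                 0x33, 0x44, 0x55, 0x66, 0x01, 0x77, 0x88, 0x02, 0x99};
uintptr_t demoBufferStart() { return (uintptr_t)g_heapLike; }
uintptr_t demoBufferEnd()   { return demoBufferStart() + sizeof g_heapLike; }

// Constructed maps text: the real address of g_heapLike labelled like an Android
// heap mapping, plus an unreadable (---p) mapping at a fixed fake address.
std::string demoMapsText() {
    char buf[256];
    std::snprintf(buf, sizeof buf, "%llx-%llx rw-p 00000000 00:00 0 [anon:libc_malloc]\n",
                  (unsigned long long)demoBufferStart(), (unsigned long long)demoBufferEnd());
    return std::string(buf) + "00010000-00020000 ---p 00000000 00:00 0 [anon:guard]\n";
}

int main() {
    auto maps = parseMaps(demoMapsText());
    auto ok = safeFindIdaPatternFirst(maps, demoBufferStart(), demoBufferEnd(), "33 ? 55 66 ? 77 88 ? 99");
    std::printf("heap-like mapping: readable=%d found_at=%p\n", (int)ok.rangeReadable, (void *)ok.foundAt);
    auto bad = safeFindIdaPatternFirst(maps, 0x0000, 0xFFFF, "33 ? 55");
    std::printf("0x0000-0xFFFF: readable=%d (scan refused, no fault)\n", (int)bad.rangeReadable);
    return 0;
}
```

The 0x0000-0xFFFF range from the thread is refused because no mapping covers it, and the `---p` mapping is refused because it is mapped but not readable; only the range inside the rw-p mapping is actually scanned. With real data, call parseMaps on the text of /proc/self/maps and filter on pathname (for example "[anon:libc_malloc]") before scanning.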
knms360 commented 1 month ago

Thanks!! I will give it a try. Thank you so much.

knms360 commented 1 month ago

Hey, an error occurs in it.perms.compare: No member named 'perms' in 'KittyMemory::ProcMap'

knms360 commented 1 month ago

But... I fixed the code and it worked. Was this OK?

if (it.offset != 0) continue;

[image: oauhfiae]

knms360 commented 1 day ago

Hey