angr / angr

A powerful and user-friendly binary analysis platform!
http://angr.io
BSD 2-Clause "Simplified" License

Weird PowerPC ABI not being handled #1685

Open fmagin opened 5 years ago

fmagin commented 5 years ago

Describe the bug.

If generating an entry state with arguments, the arguments and argc are not set up as expected by the program by the time it reaches main. They are in r3 and r4 in the entry_state, and should be in r3 and r4 when reaching main, but for example the argv pointer gets overwritten at 0x100004d8 in start without ever being read.

Environment Information.

Pretty sure this is not an environment issue.

To Reproduce.

To actually ever reach main (another indication of a generally weird ABI) https://github.com/angr/angr/blob/2dbc711baf82cd59c21a382e9605f47f3db743eb/angr/procedures/glibc/__libc_start_main.py#L197-L208 has to be commented out, otherwise the SimProcedure just produces one unconstrained successor. When commented out it seems like the initializers are correctly run and main is reached (albeit with incorrect arguments set).

The loader issue ( https://github.com/angr/cle/issues/142 ) has to be fixed so the SimProcs actually work, so the hooks do that manually:

import angr
import claripy

proj = angr.Project("./PowerToThePeople", load_options={'auto_load_libs': False})
# Generated from ghidra: (import stub address, libc symbol) pairs
f_list = [(0x10010b64, 'putchar'),
 (0x10010b74, 'memcpy'),
 (0x10010b84, 'strncpy'),
 (0x10010b94, 'memset'),
 (0x10010b9c, 'sprintf'),
 (0x10010ba4, 'exit'),
 (0x10010bac, 'atoi'),
 (0x10010bb4, 'strlen'),
 (0x10011000, 'putchar'),
 (0x10011008, 'memcpy'),
 (0x10011014, 'strncpy'),
 (0x10011020, 'memset'),
 (0x10011024, 'sprintf'),
 (0x10011028, 'exit'),
 (0x1001102c, 'atoi'),
 (0x10011030, 'strlen')]

# Hook every import stub with the matching libc SimProcedure
for addr, fname in f_list:
    proj.hook(addr, angr.SIM_LIBRARIES['libc.so.6'].get(fname, proj.arch), replace=True)

proj.hook(0x10010b6c, angr.SIM_LIBRARIES['libc.so.6'].get("__register_frame_info", proj.arch), replace=True)

start_main = angr.SIM_LIBRARIES['libc.so.6'].get("__libc_start_main", proj.arch)

# proj.hook(addr, hook, length=0, ...): proj.arch must not be passed as the length argument
proj.hook(0x10010b8c, start_main, replace=True)

argv1 = claripy.BVS('argv1', 8*9)   # 9-byte symbolic argv[1]
argc = claripy.BVS('argc', 4*8)     # 32-bit symbolic argc
state = proj.factory.entry_state(args=[proj.filename, argv1], argc=argc)

# If you have angrcli (it's on pip!), this could make debugging a lot easier
import angrcli.plugins.ContextView
from angrcli.interaction.explore import ExploreInteractive
e = ExploreInteractive(proj, state)

# Step through interactively
e.cmdloop()

Tarball with binary and the above script: PowerToThePeople.tar.gz

Additional context. This is technically an RE challenge, so it could be assumed this is intentionally broken, but I contacted the author (mr.un1k0d3r), who told me:

"I wrote the code in standard c and used uclibc toolchain to compile"

i.e. this is probably not intentional.

I couldn't get the uclibc toolchain to bootstrap me a toolchain so I could compile a PowerPC binary that could serve as a minimal PoC.

ltfish commented 5 years ago

I wonder if this binary runs under Linux, because the root cause is that the way we set up entry registers in SimLinux.set_entry_register_values() works for modern Linux PowerPC binaries, but does not work for this binary.

I hacked something together real quick to make it work on this binary (which is easy -- you just need to modify set_entry_register_values()). However, the proper fix here is to implement a new SimOS instance if this binary is not intended to run on Linux. For a proper fix, I would need to know on which OS this binary is supposed to run and what this ABI is.

ltfish commented 5 years ago

To actually ever reach main (another indication of a general other weird ABI) has to be commented out

You can override _extract_args() in class __uClibc_main.

github-actions[bot] commented 2 years ago

This issue has been marked as stale because it has no recent activity. Please comment or add the pinned tag to prevent this issue from being closed.

github-actions[bot] commented 2 years ago

This issue has been closed due to inactivity.