angr / patcherex

Shellphish's automated patching engine, originally created for the Cyber Grand Challenge.
BSD 2-Clause "Simplified" License

DetourBackend Failed: patched binary crashed during loading #24

Closed cxm95 closed 2 years ago

cxm95 commented 4 years ago

Hi,

While working with patcherex, I found that DetourBackend failed and the patched binary crashed during loading.

BTW, I am working on the ezpz branch.

Code:

```python
import patcherex

from patcherex.backends.detourbackend import DetourBackend
from patcherex.patches import *

backend = DetourBackend("./curl_fuzzer_http")
patches = []

# new function added as a separate code chunk; it only returns
transmit_code = '''
  ret
  '''
patches.append(AddCodePatch(transmit_code, name="transmit_function"))
patches.append(AddRODataPatch(b"HI!\x00", name="transmitted_string"))

# detour inserted at 0x5CE240 that calls the added function
injected_code = '''
call {transmit_function}
'''
patches.append(InsertCodePatch(0x5CE240, injected_code, name="injected_code_after_receive"))

backend.apply_patches(patches)
backend.save("./curl_fuzzer_http.patched")
```

Crash Context:

```text
[----------------------------------registers-----------------------------------]
RAX: 0xb0caae
RBX: 0xb0caae
RCX: 0x7ffff7ffe428 --> 0x0
RDX: 0xd ('\r')
RSI: 0xfffffffffffff000
RDI: 0x7ffff7ffe010 --> 0x0
RBP: 0x7fffffffdff0 --> 0xb0caae
RSP: 0x7fffffffde10 --> 0x0
RIP: 0x7ffff7dd7f9d (<dl_main+2365>:    mov    edx,DWORD PTR [rax])
R8 : 0x7ffff7ffe030 --> 0x0
R9 : 0xb0cd86
R10: 0x7ffff7df5c1f --> 0x706e203d3d206900 ('')
R11: 0xd ('\r')
R12: 0x0
R13: 0x0
R14: 0x7ffff7ffe170 --> 0x0
R15: 0x0
EFLAGS: 0x10287 (CARRY PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7dd7f90 <dl_main+2352>:       add    rax,0x38
   0x7ffff7dd7f94 <dl_main+2356>:       cmp    r9,rax
   0x7ffff7dd7f97 <dl_main+2359>:       jbe    0x7ffff7dd8034 <dl_main+2516>
=> 0x7ffff7dd7f9d <dl_main+2365>:       mov    edx,DWORD PTR [rax]
   0x7ffff7dd7f9f <dl_main+2367>:       cmp    edx,0x6
   0x7ffff7dd7fa2 <dl_main+2370>:       je     0x7ffff7dd8900 <dl_main+4768>
   0x7ffff7dd7fa8 <dl_main+2376>:       jbe    0x7ffff7dd7f75 <dl_main+2325>
   0x7ffff7dd7faa <dl_main+2378>:       cmp    edx,0x6474e551
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffde10 --> 0x0
0008| 0x7fffffffde18 --> 0x0
0016| 0x7fffffffde20 --> 0x0
0024| 0x7fffffffde28 --> 0x0
0032| 0x7fffffffde30 --> 0x0
0040| 0x7fffffffde38 --> 0x0
0048| 0x7fffffffde40 --> 0x0
0056| 0x7fffffffde48 --> 0x7fffffffde90 --> 0x7fffffffe128 --> 0x7fffffffe3ce ("LANG=C.UTF-8")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
dl_main (phdr=0xb0caae, phnum=0xd, user_entry=<optimized out>, auxv=<optimized out>) at rtld.c:1148
1148    rtld.c: No such file or directory.
gdb-peda$ bt
#0  dl_main (phdr=0xb0caae, phnum=0xd, user_entry=<optimized out>, auxv=<optimized out>) at rtld.c:1148
#1  0x00007ffff7defdd0 in _dl_sysdep_start (start_argptr=start_argptr@entry=0x7fffffffe110, dl_main=dl_main@entry=0x7ffff7dd7660 <dl_main>) at ../elf/dl-sysdep.c:253
#2  0x00007ffff7dd7128 in _dl_start_final (arg=0x7fffffffe110) at rtld.c:414
#3  _dl_start (arg=0x7fffffffe110) at rtld.c:521
#4  0x00007ffff7dd6098 in _start () from /lib64/ld-linux-x86-64.so.2
#5  0x0000000000000001 in ?? ()
#6  0x00007fffffffe3a7 in ?? ()
#7  0x0000000000000000 in ?? ()
```

Binary file:

binaries.zip
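
The backtrace above shows ld.so's `dl_main` faulting on its first read of the program header table (`phdr=0xb0caae, phnum=0xd`). The loader reaches that table through `AT_PHDR`, so the table's file range (`e_phoff` to `e_phoff + e_phnum * e_phentsize`) has to lie inside a `PT_LOAD` segment, and a patched binary whose relocated table is not covered by any `PT_LOAD` fails in exactly this way. The script below is an added example, not code from this issue or from patcherex: it parses an ELF64 program header table, returns the address the table will be mapped at (or `None` when no `PT_LOAD` covers it), and runs on two constructed images, one conventional and one with the table moved past every segment.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
PHDR_SIZE = 56  # sizeof(Elf64_Phdr)

def parse_phdrs(data):
    """Return (e_phoff, e_phnum, e_phentsize, phdrs) from a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != 2:  # EI_CLASS 2 == ELFCLASS64
        raise ValueError("not an ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    if e_phoff + e_phnum * e_phentsize > len(data):
        raise ValueError("program header table lies outside the file")
    fields = ("p_type", "p_flags", "p_offset", "p_vaddr",
              "p_paddr", "p_filesz", "p_memsz", "p_align")
    phdrs = [dict(zip(fields, struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)))
             for i in range(e_phnum)]
    return e_phoff, e_phnum, e_phentsize, phdrs

def phdr_table_vaddr(data):
    """Address at which the phdr table gets mapped (what ld.so walks via AT_PHDR),
    or None when no PT_LOAD covers the table's file range, so the load would fault."""
    e_phoff, e_phnum, e_phentsize, phdrs = parse_phdrs(data)
    table_end = e_phoff + e_phnum * e_phentsize
    for ph in phdrs:
        seg_end = ph["p_offset"] + ph["p_filesz"]
        if ph["p_type"] == PT_LOAD and ph["p_offset"] <= e_phoff and table_end <= seg_end:
            return ph["p_vaddr"] + (e_phoff - ph["p_offset"])
    return None

def build_elf(e_phoff, segments):
    """Constructed minimal ELF64 image for testing, not a real binary.
    segments: list of (p_type, p_offset, p_vaddr, p_filesz); memsz == filesz."""
    size = max(e_phoff + len(segments) * PHDR_SIZE,
               max(off + sz for _, off, _, sz in segments))
    img = bytearray(size)
    img[:4] = ELF_MAGIC
    img[4], img[5] = 2, 1  # ELFCLASS64, ELFDATA2LSB
    struct.pack_into("<Q", img, 0x20, e_phoff)
    struct.pack_into("<HH", img, 0x36, PHDR_SIZE, len(segments))
    for i, (p_type, off, vaddr, sz) in enumerate(segments):
        struct.pack_into("<IIQQQQQQ", img, e_phoff + i * PHDR_SIZE,
                         p_type, 5, off, vaddr, vaddr, sz, sz, 0x1000)
    return bytes(img)

# Constructed layouts: table right behind the ELF header inside the first PT_LOAD,
# and a "patched" table moved to a file offset that no PT_LOAD maps.
SEGMENTS = [(PT_LOAD, 0x0, 0x400000, 0x1000), (PT_LOAD, 0x1000, 0x601000, 0x200)]
GOOD, BAD = build_elf(0x40, SEGMENTS), build_elf(0x3000, SEGMENTS)
```

Feeding the patched binary's bytes to `phdr_table_vaddr` tells you whether its program header table is mapped at all before you look at the detour itself.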

github-actions[bot] commented 2 years ago

This issue has been marked as stale because it has no recent activity. Please comment or add the pinned tag to prevent this issue from being closed.

github-actions[bot] commented 2 years ago

This issue has been closed due to inactivity.