Closed cxm95 closed 2 years ago
Hi,
While working with patcherex, I found that DetourBackend failed and the patched binary crashed during loading.
BTW, I am working on the ezpz branch.
Code:
```python
import patcherex
from patcherex.backends.detourbackend import DetourBackend
from patcherex.patches import *

backend = DetourBackend("./curl_fuzzer_http")
patches = []

# New function body: a single "ret".
transmit_code = '''
ret
'''
patches.append(AddCodePatch(transmit_code, name="transmit_function"))
patches.append(AddRODataPatch(b"HI!\x00", name="transmitted_string"))

# Detour inserted at 0x5CE240 that calls the new function.
injected_code = '''
call {transmit_function}
'''
patches.append(InsertCodePatch(0x5CE240, injected_code, name="injected_code_after_receive"))

backend.apply_patches(patches)
backend.save("./curl_fuzzer_http.patched")
```
Crash Context:
```
[----------------------------------registers-----------------------------------]
RAX: 0xb0caae
RBX: 0xb0caae
RCX: 0x7ffff7ffe428 --> 0x0
RDX: 0xd ('\r')
RSI: 0xfffffffffffff000
RDI: 0x7ffff7ffe010 --> 0x0
RBP: 0x7fffffffdff0 --> 0xb0caae
RSP: 0x7fffffffde10 --> 0x0
RIP: 0x7ffff7dd7f9d (<dl_main+2365>:	mov edx,DWORD PTR [rax])
R8 : 0x7ffff7ffe030 --> 0x0
R9 : 0xb0cd86
R10: 0x7ffff7df5c1f --> 0x706e203d3d206900 ('')
R11: 0xd ('\r')
R12: 0x0
R13: 0x0
R14: 0x7ffff7ffe170 --> 0x0
R15: 0x0
EFLAGS: 0x10287 (CARRY PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7dd7f90 <dl_main+2352>:	add rax,0x38
   0x7ffff7dd7f94 <dl_main+2356>:	cmp r9,rax
   0x7ffff7dd7f97 <dl_main+2359>:	jbe 0x7ffff7dd8034 <dl_main+2516>
=> 0x7ffff7dd7f9d <dl_main+2365>:	mov edx,DWORD PTR [rax]
   0x7ffff7dd7f9f <dl_main+2367>:	cmp edx,0x6
   0x7ffff7dd7fa2 <dl_main+2370>:	je 0x7ffff7dd8900 <dl_main+4768>
   0x7ffff7dd7fa8 <dl_main+2376>:	jbe 0x7ffff7dd7f75 <dl_main+2325>
   0x7ffff7dd7faa <dl_main+2378>:	cmp edx,0x6474e551
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffde10 --> 0x0
0008| 0x7fffffffde18 --> 0x0
0016| 0x7fffffffde20 --> 0x0
0024| 0x7fffffffde28 --> 0x0
0032| 0x7fffffffde30 --> 0x0
0040| 0x7fffffffde38 --> 0x0
0048| 0x7fffffffde40 --> 0x0
0056| 0x7fffffffde48 --> 0x7fffffffde90 --> 0x7fffffffe128 --> 0x7fffffffe3ce ("LANG=C.UTF-8")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
dl_main (phdr=0xb0caae, phnum=0xd, user_entry=<optimized out>, auxv=<optimized out>) at rtld.c:1148
1148	rtld.c: No such file or directory.
```

```
gdb-peda$ bt
#0  dl_main (phdr=0xb0caae, phnum=0xd, user_entry=<optimized out>, auxv=<optimized out>) at rtld.c:1148
#1  0x00007ffff7defdd0 in _dl_sysdep_start (start_argptr=start_argptr@entry=0x7fffffffe110, dl_main=dl_main@entry=0x7ffff7dd7660 <dl_main>) at ../elf/dl-sysdep.c:253
#2  0x00007ffff7dd7128 in _dl_start_final (arg=0x7fffffffe110) at rtld.c:414
#3  _dl_start (arg=0x7fffffffe110) at rtld.c:521
#4  0x00007ffff7dd6098 in _start () from /lib64/ld-linux-x86-64.so.2
#5  0x0000000000000001 in ?? ()
#6  0x00007fffffffe3a7 in ?? ()
#7  0x0000000000000000 in ?? ()
```
Binary file:
binaries.zip
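The crash dump above shows `dl_main` faulting on its first read of the program header table (`phdr=0xb0caae`, `phnum=0xd`, and `R9 = 0xb0caae + 13*0x38` is the loop's end pointer), which is the symptom one gets when a rewriter emits a phdr table that no `PT_LOAD` segment maps. The following checker is an added example for triaging a patched binary; it is not part of this issue or of patcherex. It parses only the ELF64 header and program headers with `struct`, verifies that the table's file range lies inside the file-backed part of some `PT_LOAD`, and that any `PT_PHDR` entry agrees with `e_phoff`. The `build_sample_elf` helper fabricates a minimal, constructed ELF image (no real code) so the script runs offline; pass a real file path to check it instead.

```python
import struct
import sys
from typing import Dict, List, Tuple

# ELF64 header and program header layouts (little-endian), per the ELF spec.
ELF64_EHDR = struct.Struct("<16sHHIQQQIHHHHHH")
ELF64_PHDR = struct.Struct("<IIQQQQQQ")
PT_LOAD = 1
PT_PHDR = 6
PHDR_FIELDS = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")


def ehdr_fields(data: bytes) -> Tuple[int, int, int]:
    """Validate the ident bytes and return (e_phoff, e_phentsize, e_phnum)."""
    fields = ELF64_EHDR.unpack_from(data, 0)
    ident = fields[0]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    return fields[5], fields[9], fields[10]


def parse_phdrs(data: bytes) -> List[Dict[str, int]]:
    """Return every program header as a dict keyed by PHDR_FIELDS."""
    e_phoff, e_phentsize, e_phnum = ehdr_fields(data)
    phdrs = []
    for i in range(e_phnum):
        raw = ELF64_PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        phdrs.append(dict(zip(PHDR_FIELDS, raw)))
    return phdrs


def check_phdr_table(data: bytes) -> List[str]:
    """Return a list of problems; an empty list means the phdr table is loadable."""
    e_phoff, e_phentsize, e_phnum = ehdr_fields(data)
    tbl_start, tbl_end = e_phoff, e_phoff + e_phentsize * e_phnum
    if tbl_end > len(data):
        return [f"phdr table [{tbl_start:#x}, {tbl_end:#x}) runs past end of file ({len(data):#x})"]
    problems = []
    phdrs = parse_phdrs(data)
    # ld.so reads the table from memory (AT_PHDR), so its bytes must sit inside
    # the file-backed part of some PT_LOAD segment, otherwise the read faults.
    covering = [p for p in phdrs
                if p["type"] == PT_LOAD
                and p["offset"] <= tbl_start
                and tbl_end <= p["offset"] + p["filesz"]]
    if not covering:
        problems.append(f"phdr table at file offset {tbl_start:#x} is not covered by any "
                        "PT_LOAD segment; ld.so would read it from an unmapped address")
    for p in phdrs:
        if p["type"] != PT_PHDR:
            continue
        if p["offset"] != e_phoff:
            problems.append(f"PT_PHDR p_offset {p['offset']:#x} != e_phoff {e_phoff:#x}")
        if covering:
            expected = covering[0]["vaddr"] + (e_phoff - covering[0]["offset"])
            if p["vaddr"] != expected:
                problems.append(f"PT_PHDR p_vaddr {p['vaddr']:#x} != expected {expected:#x}")
    return problems


def build_sample_elf(phdr_table_offset: int, load_filesz: int = 0x200) -> bytes:
    """Constructed minimal ELF64: PT_PHDR + one PT_LOAD at 0x400000, no real code."""
    base, n = 0x400000, 2
    phdrs = [
        (PT_PHDR, 4, phdr_table_offset, base + phdr_table_offset, base + phdr_table_offset,
         n * ELF64_PHDR.size, n * ELF64_PHDR.size, 8),
        (PT_LOAD, 5, 0, base, base, load_filesz, load_filesz, 0x1000),
    ]
    buf = bytearray(max(load_filesz, phdr_table_offset + n * ELF64_PHDR.size))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ELF64_EHDR.pack_into(buf, 0, ident, 2, 62, 1, base, phdr_table_offset, 0, 0,
                         ELF64_EHDR.size, ELF64_PHDR.size, n, 64, 0, 0)
    for i, p in enumerate(phdrs):
        ELF64_PHDR.pack_into(buf, phdr_table_offset + i * ELF64_PHDR.size, *p)
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            found = check_phdr_table(f.read())
    else:
        # Constructed demo: the table has been moved to 0x1000, past the PT_LOAD's filesz.
        found = check_phdr_table(build_sample_elf(0x1000))
    print("\n".join(found) or "phdr table looks loadable")
```

Run it as `python3 check_phdr.py ./curl_fuzzer_http.patched` (a hypothetical file name for the script) and compare against the unpatched binary; a "not covered by any PT_LOAD" finding on the patched file and none on the original points at the rewriter's segment layout rather than at the injected code.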
This issue has been marked as stale because it has no recent activity. Please comment or add the pinned tag to prevent this issue from being closed.
stale
pinned
This issue has been closed due to inactivity.