Hello, a simple binary I'm trying to patch segfaults. I believe this is due to some RIP relative addressing issue. The code I'm trying to patch in is very basic, so I highly doubt it's the problem. I have even tried to patch an empty string, and still segfault.
Running with gdb, I found that in the original binary a string is being referenced using lea rax, [rip+0xed3], which resolves to 0x402004. In the patched binary the instruction remains the same; however, the resulting address is changed due to the trampoline and is now 0x601b4b, which contains absolutely nothing, while the string is still at 0x402004.
Steps to reproduce the bug
The script I'm using:
import sys
from patcherex.backends.detourbackend import DetourBackend
from patcherex.patches import InsertCodePatch

binary = sys.argv[1]
backend = DetourBackend(binary)
patches = []
project = backend.project

# assembly to insert: a harmless register write
random = '''
mov r11, 0xdeadbeef
'''

# walk the CFG nodes in address order and find the entry node of hello()
for node in sorted(backend.cfg.model.nodes(), key=lambda n: n.addr):
    if not node.is_simprocedure and node.name == "hello":
        patch_addr = node.addr
        print("function at 0x%x with name %s" % (node.addr, node.name))
        print("patching at 0x%x" % patch_addr)
        # insert the code at the beginning of the function
        patches.append(InsertCodePatch(patch_addr, random))

backend.apply_patches(patches)
backend.save(sys.argv[2])
It essentially adds some code at the start of the hello function.
Provide the binary as argv[1] and the output as argv[2].
This is the C code of the binary, compiled with gcc hello.c -no-pie -o hello:
angr bug report:
/home/elleven/.local/lib/python3.10/site-packages/angr/misc/bug_report.py:1: DeprecationWarning: the imp module is deprecated in favour of importlib and slated for removal in Python 3.12; see the module's documentation for alternative uses
import imp
angr environment report
=============================
Date: 2023-01-22 22:01:18.628484
!!! running in global environment. Are you sure? !!!
Platform: linux-x86_64
Python version: 3.10.9 (main, Dec 19 2022, 17:35:49) [GCC 12.2.0]
######## angr #########
Python found it in /home/elleven/.local/lib/python3.10/site-packages/angr
Pip version angr 9.2.34
Couldn't find git info
######## ailment #########
Python found it in /home/elleven/.local/lib/python3.10/site-packages/ailment
Pip version ailment 9.2.34
Couldn't find git info
######## cle #########
Python found it in /home/elleven/.local/lib/python3.10/site-packages/cle
Pip version cle 9.2.34
Couldn't find git info
######## pyvex #########
Python found it in /home/elleven/.local/lib/python3.10/site-packages/pyvex
Pip version pyvex 9.2.34
Couldn't find git info
######## claripy #########
Python found it in /home/elleven/.local/lib/python3.10/site-packages/claripy
Pip version claripy 9.2.34
Couldn't find git info
######## archinfo #########
Python found it in /home/elleven/.local/lib/python3.10/site-packages/archinfo
Pip version archinfo 9.2.34
Couldn't find git info
######## z3 #########
Python found it in /home/elleven/.local/lib/python3.10/site-packages/z3
Pip version z3-solver 4.10.2.0
Couldn't find git info
######## unicorn #########
Python found it in /home/elleven/.local/lib/python3.10/site-packages/unicorn
Pip version unicorn 2.0.1.post1
Couldn't find git info
######### Native Module Info ##########
angr: <CDLL '/home/elleven/.local/lib/python3.10/site-packages/angr/state_plugins/../lib/angr_native.so', handle 55b85f0058f0 at 0x7faf61a66aa0>
unicorn: <CDLL '/home/elleven/.local/lib/python3.10/site-packages/unicorn/lib/libunicorn.so.2', handle 55b85e98f650 at 0x7faf67365c90>
pyvex: <cffi.api._make_ffi_library.<locals>.FFILibrary object at 0x7faf67dfe260>
z3: <CDLL '/home/elleven/.local/lib/python3.10/site-packages/z3/lib/libz3.so', handle 55b85ecfe7d0 at 0x7faf639bd720>
Environment
Linux: 5.15.89-1-lts, GLIBC: 2.36, patcherex: 1.2, commit: f888f5e043b2fd145df4b9a357e8d51f4beb9e5f
angr bug report: see the angr environment report above.
Additional context
No response
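The address arithmetic behind the report, as an added example that is not part of the original issue or of patcherex itself: a small decoder and relocator for the REX.W `lea r64, [rip+disp32]` form, showing why a copy of the instruction placed in a trampoline resolves to a different address and what displacement it would need to keep pointing at the string. The byte encoding `48 8d 05 d3 0e 00 00` is the standard x86-64 encoding of `lea rax, [rip+0xed3]`; the instruction addresses 0x40112a and 0x600c71 are inferred from the report's figures (7-byte instruction, targets 0x402004 and 0x601b4b) and are assumptions, not values read from the binary.

```python
import struct

LEA_OPCODE = 0x8D
RIP_REL_LEA_LEN = 7  # REX.W + opcode + ModRM + disp32 (no SIB byte)

# Constructed from the report's figures (assumptions, not bytes read from the binary):
# `lea rax, [rip+0xed3]` encodes as 48 8d 05 d3 0e 00 00.
LEA_RAX_STR = bytes.fromhex("488d05d30e0000")
ORIG_ADDR = 0x40112A   # 0x402004 - 0xed3 - 7: where the lea sits in the unpatched binary
MOVED_ADDR = 0x600C71  # 0x601b4b - 0xed3 - 7: where the trampoline copy ended up


def is_rip_relative_lea(code: bytes) -> bool:
    """True if `code` starts with REX.W 8D /r, ModRM mod=00 rm=101 (RIP-relative lea)."""
    if len(code) < RIP_REL_LEA_LEN:
        return False
    rex, opcode, modrm = code[0], code[1], code[2]
    return (rex & 0xF8) == 0x48 and opcode == LEA_OPCODE and (modrm >> 6) == 0 and (modrm & 7) == 5


def decode_rip_relative_lea(code: bytes, addr: int):
    """Decode a `lea r64, [rip+disp32]` located at `addr`.

    Returns (dest_reg, disp32, effective_target). The displacement is relative
    to the address of the *next* instruction, which is why the same bytes
    resolve to a different target once they are copied somewhere else.
    """
    if not is_rip_relative_lea(code):
        raise ValueError("not a RIP-relative REX.W lea")
    rex, modrm = code[0], code[2]
    reg = (modrm >> 3) & 7
    reg |= (rex & 0x4) << 1  # REX.R supplies bit 3 of the register number
    disp = struct.unpack_from("<i", code, 3)[0]
    target = (addr + RIP_REL_LEA_LEN + disp) & 0xFFFFFFFFFFFFFFFF
    return reg, disp, target


def relocate_rip_relative_lea(code: bytes, old_addr: int, new_addr: int) -> bytes:
    """Rewrite disp32 so the instruction still references the same target
    after being moved from old_addr to new_addr.

    Raises ValueError if the target is out of signed 32-bit reach from the
    new location, which is the hard case a detour backend has to handle
    (e.g. by materialising the absolute address in a register instead).
    """
    _, _, target = decode_rip_relative_lea(code, old_addr)
    new_disp = target - (new_addr + RIP_REL_LEA_LEN)
    if not -(1 << 31) <= new_disp < (1 << 31):
        raise ValueError("target 0x%x not reachable from 0x%x" % (target, new_addr))
    return code[:3] + struct.pack("<i", new_disp) + code[RIP_REL_LEA_LEN:]


def targets_after_move(code: bytes, old_addr: int, new_addr: int):
    """(target if copied verbatim, target after fixup): they differ exactly when
    a verbatim copy, as in the report, would dereference the wrong address."""
    _, _, verbatim = decode_rip_relative_lea(code, new_addr)
    fixed = relocate_rip_relative_lea(code, old_addr, new_addr)
    _, _, fixed_target = decode_rip_relative_lea(fixed, new_addr)
    return verbatim, fixed_target


if __name__ == "__main__":
    _, disp, orig_target = decode_rip_relative_lea(LEA_RAX_STR, ORIG_ADDR)
    print("original: lea at 0x%x, disp 0x%x -> 0x%x" % (ORIG_ADDR, disp, orig_target))
    verbatim, fixed = targets_after_move(LEA_RAX_STR, ORIG_ADDR, MOVED_ADDR)
    print("copied verbatim to 0x%x -> 0x%x (wrong)" % (MOVED_ADDR, verbatim))
    print("with fixed displacement        -> 0x%x" % fixed)
    print("fixed bytes: %s" % relocate_rip_relative_lea(LEA_RAX_STR, ORIG_ADDR, MOVED_ADDR).hex())
```

This only recognises the lea form from the report; a detour backend that moves a function's first instructions into a trampoline has to apply the same fixup to every RIP-relative operand it relocates (mov, cmp, call, jmp and so on), which is normally done by asking a disassembler such as capstone for RIP-relative memory operands rather than by pattern-matching bytes.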