arisada / midgetpack

midgetpack is a multiplatform secure ELF packer

Error: Building midgetpack on OpenBSD? #3

Closed ghost closed 7 years ago

ghost commented 7 years ago

Where is the problem?

$ uname -a
OpenBSD tested.com 6.1 GENERIC.MP#49 amd64

$ ./src/tests/test-amd64-dynamic
Hello, world !

$ ./src/packer/midgetpack -o test -p src/tests/test-amd64-dynamic
amd64 ELF file
Adding new pheader with vaddr base 229089280, offset 5778664612848 of filesz 7296
Please enter password:
Enter the password again:

$ file test
test: data

$ cp src/stub/freebsd_amd64.s src/stub/openbsd_amd64.s
$ vim src/stub/openbsd_amd64.s
# add
.section ".note.openbsd.ident", "a"
        .p2align 2
        .long 8
        .long 4
        .long 1
        .ascii "OpenBSD\0"
        .long 0
        .p2align 2
Edit:
mmap:
    push %r10
    mov %rcx, %r10
    #shr $0xc, %rbp # mmap2 uses *4096
-   mov $477, %rax # sys_mmap
+   mov $197, %rax # sys_mmap
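Review bot: the hunk swaps only the syscall number, yet the disassembly later in this report still shows "mov rax,0x1dd", which is 477, the FreeBSD mmap number, so the stub_openbsd_amd64 that was run under gdb does not appear to have been rebuilt from the edited openbsd_amd64.s; re-run cmake and make and confirm the stub's mmap wrapper loads 197 (0xc5) before chasing the segfault further. The comment on the new line, "# sys_mmap", is identical to the FreeBSD one it replaces; "# OpenBSD SYS_mmap" would record which ABI the number belongs to, since this file was copied from freebsd_amd64.s.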

 $ CC="egcc" cmake ..
-- The C compiler identification is GNU 4.9.4
-- Check for working C compiler: /usr/local/bin/egcc
-- Check for working C compiler: /usr/local/bin/egcc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Performing Test CCOMPILER_64
-- Performing Test CCOMPILER_64 - Success
-- Performing Test WITH_VISIBILITY_HIDDEN
-- Performing Test WITH_VISIBILITY_HIDDEN - Success
-- Looking for argp.h
-- Looking for argp.h - found
-- Looking for unistd.h
-- Looking for unistd.h - found
-- Check if the system is big endian
-- Searching 16 bit integer
-- Looking for sys/types.h
-- Looking for sys/types.h - found
-- Looking for stdint.h
-- Looking for stdint.h - found
-- Looking for stddef.h
-- Looking for stddef.h - found
-- Check size of unsigned short
-- Check size of unsigned short - done
-- Using unsigned short
-- Check if the system is big endian - little endian
-- Found Argp: /usr/local/lib/libargp.a  
-- The ASM-ATT compiler identification is GNU
-- Found assembler: /usr/bin/as
Using precompiled x86
Exec: stub_linux_amd64
Exec: stub_freebsd_amd64
Exec: stub_openbsd_amd64
Using precompiled arm
-- Configuring done
-- Generating done
-- Build files have been written to: /home/user/Downloads/midgetpack/build

$ make
Scanning dependencies of target mp_shared_static
[  2%] Building C object src/shared/CMakeFiles/mp_shared_static.dir/aes.c.o
[  4%] Building C object src/shared/CMakeFiles/mp_shared_static.dir/crypto.c.o
[  6%] Building C object src/shared/CMakeFiles/mp_shared_static.dir/curve25519_ref.c.o
[  9%] Building C object src/shared/CMakeFiles/mp_shared_static.dir/sha256.c.o
[ 11%] Linking C static library libshared.a
[ 11%] Built target mp_shared_static
Scanning dependencies of target mp_shared_static_amd64
[ 13%] Building C object src/shared/CMakeFiles/mp_shared_static_amd64.dir/aes.c.o
[ 15%] Building C object src/shared/CMakeFiles/mp_shared_static_amd64.dir/crypto.c.o
[ 18%] Building C object src/shared/CMakeFiles/mp_shared_static_amd64.dir/curve25519_ref.c.o
[ 20%] Building C object src/shared/CMakeFiles/mp_shared_static_amd64.dir/sha256.c.o
[ 22%] Linking C static library libshared_amd64.a
[ 22%] Built target mp_shared_static_amd64
Scanning dependencies of target mp_libstub_static_amd64
[ 25%] Building C object src/stub/CMakeFiles/mp_libstub_static_amd64.dir/pack_common.c.o
[ 27%] Linking C static library libstubamd64.a
[ 27%] Built target mp_libstub_static_amd64
Scanning dependencies of target stub_freebsd_amd64
[ 29%] Building ASM-ATT object src/stub/CMakeFiles/stub_freebsd_amd64.dir/pack_amd64.s.o
[ 31%] Building ASM-ATT object src/stub/CMakeFiles/stub_freebsd_amd64.dir/freebsd_amd64.s.o
[ 34%] Linking ASM-ATT executable stub_freebsd_amd64
[ 34%] Built target stub_freebsd_amd64
Scanning dependencies of target stub_openbsd_amd64
[ 36%] Building ASM-ATT object src/stub/CMakeFiles/stub_openbsd_amd64.dir/pack_amd64.s.o
[ 38%] Building ASM-ATT object src/stub/CMakeFiles/stub_openbsd_amd64.dir/openbsd_amd64.s.o
[ 40%] Linking ASM-ATT executable stub_openbsd_amd64
[ 40%] Built target stub_openbsd_amd64
Scanning dependencies of target stub_linux_amd64
[ 43%] Building ASM-ATT object src/stub/CMakeFiles/stub_linux_amd64.dir/pack_amd64.s.o
[ 45%] Building ASM-ATT object src/stub/CMakeFiles/stub_linux_amd64.dir/linux_amd64.s.o
[ 47%] Linking ASM-ATT executable stub_linux_amd64
[ 47%] Built target stub_linux_amd64
[ 50%] Generating stub_linux_armv6
[ 52%] Generating stub_linux_armv6.o
[ 54%] Generating stub_openbsd_amd64.o
[ 56%] Generating stub_freebsd_amd64.o
[ 59%] Generating stub_linux_amd64.o
[ 61%] Generating stub_openbsd_x86
[ 63%] Generating stub_openbsd_x86.o
[ 65%] Generating stub_freebsd_x86
[ 68%] Generating stub_freebsd_x86.o
[ 70%] Generating stub_linux_x86
[ 72%] Generating stub_linux_x86.o
Scanning dependencies of target stubs
[ 75%] Linking C static library libstubs.a
[ 75%] Built target stubs
Scanning dependencies of target mpkex
[ 77%] Building C object src/packer/CMakeFiles/mpkex.dir/crypto.c.o
[ 79%] Building C object src/packer/CMakeFiles/mpkex.dir/mpkex.c.o
[ 81%] Linking C executable mpkex
[ 81%] Built target mpkex
Scanning dependencies of target midgetpack
[ 84%] Building C object src/packer/CMakeFiles/midgetpack.dir/crypto.c.o
[ 86%] Building C object src/packer/CMakeFiles/midgetpack.dir/elf.c.o
[ 88%] Building C object src/packer/CMakeFiles/midgetpack.dir/midgetpack.c.o
[ 90%] Linking C executable midgetpack
[ 90%] Built target midgetpack
Scanning dependencies of target test-amd64-static
[ 93%] Building C object src/tests/CMakeFiles/test-amd64-static.dir/test.c.o
[ 95%] Linking C executable test-amd64-static
[ 95%] Built target test-amd64-static
Scanning dependencies of target test-amd64-dynamic
[ 97%] Building C object src/tests/CMakeFiles/test-amd64-dynamic.dir/test.c.o
[100%] Linking C executable test-amd64-dynamic
[100%] Built target test-amd64-dynamic

$ ./src/stub/stub_openbsd_amd64
[1]    53199 segmentation fault  ./stub_openbsd_amd64

# recompile 
# remove tags "-Ttext=0xba000f0 -Tdata=0xba10000"

$ ./src/stub/stub_openbsd_amd64
[1]    4209 bus error  ./stub_openbsd_amd64

ghost commented 7 years ago

I know this does not support OpenBSD but I think it will work. I think it would be good to share the following information.

$ ./stub_openbsd_amd64
starting stub ...
[1]    71161 segmentation fault  ./stub_openbsd_amd64
 ~/Downloads/midgetpack/build/src/stub

(gdb) > i fil
Symbols from "/home/ucharfli/Downloads/midgetpack/build/src/stub/stub_openbsd_amd64".
Local exec file:

`/home/ucharfli/Downloads/midgetpack/build/src/stub/stub_openbsd_amd64', file type elf64-x86-64.
        Entry point: 0x2a8
        0x00000000000002a8 - 0x000000000000473e is .text
        0x0000000000104740 - 0x0000000000104770 is .note.openbsd.ident
        0x0000000000104770 - 0x00000000001047b0 is .hash
        0x00000000001047b0 - 0x00000000001048b8 is .dynsym
        0x00000000001048b8 - 0x00000000001048eb is .dynstr
        0x00000000001048f0 - 0x0000000000104908 is .rela.dyn
        0x0000000000104940 - 0x0000000000104da0 is .rodata
        0x0000000000104da0 - 0x0000000000105540 is .eh_frame
        0x0000000000205ef0 - 0x0000000000205fe0 is .dynamic
        0x0000000000205fe0 - 0x0000000000206000 is .got
        0x0000000000206000 - 0x0000000000206140 is .data
        0x0000000000206140 - 0x0000000000206170 is .bss
(gdb) > r
Starting program: /home/ucharfli/Downloads/midgetpack/build/src/stub/stub_openbsd_amd64
starting stub ...

Program received signal SIGSEGV, Segmentation fault.
0x0000064c4170447c in ?? ()
(gdb) > bt
#0  0x0000064c4170447c in ?? ()
#1  0x0000064c4170105d in ?? ()
#2  0x0000064c417002b8 in ?? ()  = file pack_amd64.s
#3  0x0000000000000000 in ?? ()

(gdb) > disas 0x0000064c4170447c,0x0000064c417044a7
Dump of assembler code from 0x64c4170447c to 0x64c417044a7:
=> 0x0000064c4170447c:  mov    BYTE PTR [rbp+rax*4+0x3],dl
   0x0000064c41704480:  shr    ecx,0x8
   0x0000064c41704483:  mov    BYTE PTR [rbp+rax*4+0x2],cl
   0x0000064c41704487:  mov    ecx,edx
   0x0000064c41704489:  shr    edx,0x18
   0x0000064c4170448c:  shr    ecx,0x10
   0x0000064c4170448f:  mov    BYTE PTR [rbp+rax*4+0x0],dl
   0x0000064c41704493:  mov    BYTE PTR [rbp+rax*4+0x1],cl
   0x0000064c41704497:  inc    rax
   0x0000064c4170449a:  cmp    rax,0x8
   0x0000064c4170449e:  jne    0x64c41704477
   0x0000064c417044a0:  mov    rdi,rbx
   0x0000064c417044a3:  mov    ecx,0x1a
End of assembler dump.
(gdb) > disas 0x0000064c4170105d,0x0000064c417010a7
Dump of assembler code from 0x64c4170105d to 0x64c417010a7:
   0x0000064c4170105d:  mov    edx,DWORD PTR [rip+0x204fbd]        # 0x64c41906020
   0x0000064c41701063:  test   edx,edx
   0x0000064c41701065:  je     0x64c41701078
   0x0000064c41701067:  mov    rsi,QWORD PTR [rip+0x204faa]        # 0x64c41906018
   0x0000064c4170106e:  mov    edi,0x1
   0x0000064c41701073:  call   0x64c417002ed
   0x0000064c41701078:  xor    eax,eax
   0x0000064c4170107a:  xor    r13d,r13d
   0x0000064c4170107d:  call   0x64c41700c8b
   0x0000064c41701082:  movzx  r14d,WORD PTR [rbp+0x38]
   0x0000064c41701087:  mov    r15,QWORD PTR [rip+0x204f7a]        # 0x64c41906008
   0x0000064c4170108e:  add    r15,QWORD PTR [rbp+0x20]
   0x0000064c41701092:  imul   r14,r14,0x38
   0x0000064c41701096:  lea    r12,[r15+0x10]
   0x0000064c4170109a:  add    r14,r12
   0x0000064c4170109d:  cmp    r12,r14
   0x0000064c417010a0:  je     0x64c41701128
   0x0000064c417010a6:  cmp    DWORD PTR [r12-0x10],0x1
End of assembler dump.
(gdb) > disas 0x0000064c417002b8,0x0000064c417002e7
Dump of assembler code from 0x64c417002b8 to 0x64c417002e7:
   0x0000064c417002b8:  pop    rdi
   0x0000064c417002b9:  pop    rsi
   0x0000064c417002ba:  pop    rdx
   0x0000064c417002bb:  pop    rcx
   0x0000064c417002bc:  pop    rbx
   0x0000064c417002bd:  xor    rbp,rbp
   0x0000064c417002c0:  push   rax
   0x0000064c417002c1:  xor    rax,rax
   0x0000064c417002c4:  ret
   0x0000064c417002c5:  rdtsc
   0x0000064c417002c7:  mov    DWORD PTR [rdi],eax
   0x0000064c417002c9:  mov    DWORD PTR [rdi+0x4],edx
   0x0000064c417002cc:  ret
   0x0000064c417002cd:  nop
   0x0000064c417002ce:  nop
   0x0000064c417002cf:  nop
   0x0000064c417002d0:  push   r10
   0x0000064c417002d2:  mov    r10,rcx
   0x0000064c417002d5:  mov    rax,0x1dd
   0x0000064c417002dc:  syscall
   0x0000064c417002de:  pop    r10
   0x0000064c417002e0:  ret
   0x0000064c417002e1:  syscall
   0x0000064c417002e3:  ret
   0x0000064c417002e4:  mov    rax,0x49
arisada commented 7 years ago

$ file test
test: data

Someone reported a similar bug to me but was not allowed to share the sample. It's hard to say what is happening here. It's possible the text and data offsets aren't right.

ghost commented 7 years ago

Thank you for the answer, but I was inadequate. I think I have to work a bit more on this topic. Finally, will you be editing for OpenBSD?

arisada commented 7 years ago

You're welcome. Unfortunately I have little time to spend on midgetpack right now, but OpenBSD is an important enough platform that I should at least have a look. I have very little ELF experience with OpenBSD, so I'm not sure how it would differ from FreeBSD. IMO the W^X will cause some troubles when mmaping rwx segments.
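Two things in this thread can be checked statically on the stub before running it: the .note.openbsd.ident note the reporter added in the first comment, and the W^X conflict arisada expects from RWX segments. The checker below is an added example written for this page, not midgetpack code and not anything from arisada: it parses an ELF64 image held in memory, counts PT_LOAD segments flagged both writable and executable, and reports whether a PT_NOTE segment carries an OpenBSD ident note with the layout shown in the reporter's assembly (namesz 8, descsz 4, type 1, name "OpenBSD\0"). The function names and the sample image are assumptions; the image is constructed inline so the program runs offline. The note is looked up through PT_NOTE program headers rather than by section name, because that is how the kernel finds it; a .note.openbsd.ident section that the linker script never places in a PT_NOTE segment is not seen at exec time.

```c
/* Added example, not midgetpack code: check an ELF64 image held in memory for
 * two things this thread turns on: PT_LOAD segments that are both writable and
 * executable (which OpenBSD's W^X policy refuses), and the OpenBSD ident note
 * the reporter added to the stub (namesz 8, descsz 4, type 1, "OpenBSD\0").
 * The sample image is constructed below; nothing is read from disk. */
#include <elf.h>
#include <stdio.h>
#include <string.h>

/* Copy program header i out of the image; 0 if the header lies past the end. */
static int read_phdr(const unsigned char *buf, size_t len, const Elf64_Ehdr *eh,
                     unsigned i, Elf64_Phdr *ph)
{
    size_t off = eh->e_phoff + (size_t)i * eh->e_phentsize;
    if (off + sizeof *ph > len) return 0;
    memcpy(ph, buf + off, sizeof *ph);
    return 1;
}

/* Count PT_LOAD segments carrying both PF_W and PF_X; -1 if not a sane ELF64. */
int count_wx_load_segments(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh; Elf64_Phdr ph; int wx = 0;
    if (len < sizeof eh) return -1;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) || eh.e_ident[EI_CLASS] != ELFCLASS64) return -1;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        if (!read_phdr(buf, len, &eh, i, &ph)) return -1;
        if (ph.p_type == PT_LOAD && (ph.p_flags & (PF_W | PF_X)) == (PF_W | PF_X)) wx++;
    }
    return wx;
}

/* 1 if some PT_NOTE segment holds a type-1 note named "OpenBSD". The kernel
 * locates the note via PT_NOTE, not by section name, so that is what is walked. */
int has_openbsd_ident_note(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh; Elf64_Phdr ph; Elf64_Nhdr nh;
    if (len < sizeof eh) return 0;
    memcpy(&eh, buf, sizeof eh);
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        if (!read_phdr(buf, len, &eh, i, &ph) || ph.p_type != PT_NOTE) continue;
        size_t pos = ph.p_offset, end = ph.p_offset + ph.p_filesz;
        if (end > len) continue;
        while (pos + sizeof nh <= end) {
            memcpy(&nh, buf + pos, sizeof nh);
            size_t name = pos + sizeof nh;                    /* name, 4-byte padded */
            size_t desc = name + ((nh.n_namesz + 3u) & ~3u);  /* descriptor, padded  */
            size_t next = desc + ((nh.n_descsz + 3u) & ~3u);
            if (next > end) break;                            /* truncated note */
            if (nh.n_type == 1 && nh.n_namesz == 8 && !memcmp(buf + name, "OpenBSD", 8)) return 1;
            pos = next;
        }
    }
    return 0;
}

/* Build a constructed ELF64 image: one PT_LOAD with the given flags and, when
 * with_note is set, a PT_NOTE holding the ident note laid out exactly as the
 * reporter's assembly (.long 8 / .long 4 / .long 1 / .ascii "OpenBSD\0" / .long 0). */
size_t build_sample_elf(unsigned char *out, size_t cap, Elf64_Word load_flags, int with_note)
{
    Elf64_Ehdr eh = {0};
    Elf64_Phdr ph[2] = {{0}};
    Elf64_Nhdr nh = { 8, 4, 1 };
    unsigned phnum = with_note ? 2 : 1;
    size_t note_off = sizeof eh + phnum * sizeof ph[0];
    size_t note_len = sizeof nh + 8 + 4, total = note_off + (with_note ? note_len : 0);
    if (cap < total) return 0;

    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC; eh.e_machine = EM_X86_64; eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh; eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof ph[0]; eh.e_phnum = phnum;

    ph[0].p_type = PT_LOAD; ph[0].p_flags = load_flags;
    ph[0].p_vaddr = ph[0].p_paddr = 0x400000;
    ph[0].p_filesz = ph[0].p_memsz = total; ph[0].p_align = 0x1000;
    if (with_note) {
        ph[1].p_type = PT_NOTE; ph[1].p_flags = PF_R; ph[1].p_offset = note_off;
        ph[1].p_filesz = ph[1].p_memsz = note_len; ph[1].p_align = 4;
    }
    memset(out, 0, total);
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, phnum * sizeof ph[0]);
    if (with_note) {
        memcpy(out + note_off, &nh, sizeof nh);
        memcpy(out + note_off + sizeof nh, "OpenBSD", 8);  /* 4-byte descriptor stays 0 */
    }
    return total;
}

int main(void)
{
    unsigned char img[256];
    size_t n = build_sample_elf(img, sizeof img, PF_R | PF_W | PF_X, 1);
    printf("W+X PT_LOAD segments: %d\n", count_wx_load_segments(img, n));
    printf("OpenBSD ident note: %s\n", has_openbsd_ident_note(img, n) ? "present" : "absent");
    return 0;
}
```

The segment-flag check is the static half of the W^X question: it catches a stub whose linker script emits a writable and executable PT_LOAD, but a stub that obtains RWX memory at run time through mmap or mprotect shows nothing in its headers, which is the case arisada expects to be the real problem and is only observable by running under a debugger or ktrace.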

ghost commented 7 years ago

I understand. Thanks for everything.