lunixbochs / patchkit

binary patching from Python

Patching leads to a crash in dl_main #16

Closed mehQQ closed 7 years ago

mehQQ commented 7 years ago

Hi, I am trying to patch a program statically linked with a library (874 KB). However, the program crashes in dl_main even when I only insert the hello64 sample. I think this may be caused by some segment insertion error? Here is the test program: https://drive.google.com/file/d/0B8WhjUrsG-pDQzM5elBaTWdlVFk/view?usp=sharing Thanks!

lunixbochs commented 7 years ago

Execution trace around the problem (generated with `usercorn -trace ./issue11` and `pr -w250 -m -t issue11.trace issue11.patched.trace`): https://gist.github.com/lunixbochs/b3e6777ee06a030b2f9c9bc215070563

Notice rax is 0x69fe4 on the crashing version, and 0x400040 on the working version. That's the PHDR address.

Relevant program headers for unpatched:

```
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  PHDR           0x0000000000000040 0x0000000000400040 0x0000000000400040
                 0x00000000000001f8 0x00000000000001f8  R E    8
  LOAD           0x0000000000000000 0x0000000000400000 0x0000000000400000
                 0x0000000000069fe4 0x0000000000069fe4  R E    200000
```

And for patched:

```
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  PHDR           0x0000000000069fe4 0x0000000000469fe4 0x0000000000400040
                 0x0000000000000230 0x00000000000001f8  R E    8
  LOAD           0x0000000000000000 0x0000000000400000 0x0000000000400000
                 0x0000000000069fe4 0x0000000000069fe4  R E    2000
```

Looks like a bug in my PHDR relocation (I move the program header table to the end of the TEXT segment so I can more easily add entries).
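The two listings above show exactly the kind of inconsistency a post-patch sanity check can catch before the binary is ever run: the relocated PT_PHDR entry ends up with p_filesz larger than p_memsz, its new virtual address range falls outside the only PT_LOAD segment (so the dynamic loader cannot read it through AT_PHDR), and p_paddr still carries the old address. The script below is an added example, not patchkit's own code: it parses an ELF64 program header table with the `struct` module and runs those consistency checks. The two sample images are constructed in-line from the values in this thread (only the header fields the parser reads are filled in, so they are not runnable binaries).

```python
import struct

# ELF constants (from the ELF specification)
PT_LOAD = 1
PT_PHDR = 6
PF_X, PF_R = 1, 4
PHDR_FMT = "<IIQQQQQQ"   # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
PHDR_SIZE = struct.calcsize(PHDR_FMT)   # 56 bytes
PHDR_FIELDS = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")


def build_elf64(phdrs):
    """Constructed sample: a minimal little-endian ELF64 image with a 64-byte header
    and the program header table right after it. Only the fields read_phdrs() uses
    are filled in; the image exists only to exercise the checker."""
    ehdr = bytearray(64)
    ehdr[0:4] = b"\x7fELF"
    ehdr[4] = 2                                    # EI_CLASS = ELFCLASS64
    ehdr[5] = 1                                    # EI_DATA  = ELFDATA2LSB
    struct.pack_into("<Q", ehdr, 32, 64)           # e_phoff: table follows the header
    struct.pack_into("<H", ehdr, 54, PHDR_SIZE)    # e_phentsize
    struct.pack_into("<H", ehdr, 56, len(phdrs))   # e_phnum
    table = b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)
    return bytes(ehdr) + table


def read_phdrs(data):
    """Parse the program header table of a little-endian ELF64 image into dicts."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (phoff,) = struct.unpack_from("<Q", data, 32)
    phentsize, phnum = struct.unpack_from("<HH", data, 54)
    if phentsize != PHDR_SIZE:
        raise ValueError(f"unexpected e_phentsize {phentsize}")
    return [dict(zip(PHDR_FIELDS, struct.unpack_from(PHDR_FMT, data, phoff + i * phentsize)))
            for i in range(phnum)]


def check_phdrs(phdrs):
    """Return a list of consistency problems; an empty list means the table looks sane."""
    problems = []
    loads = [p for p in phdrs if p["type"] == PT_LOAD]
    for i, p in enumerate(phdrs):
        # A segment can never have more bytes in the file than it occupies in memory.
        if p["filesz"] > p["memsz"]:
            problems.append(f"phdr[{i}]: p_filesz 0x{p['filesz']:x} > p_memsz 0x{p['memsz']:x}")
        # Loaders map by page: p_vaddr and p_offset must be congruent modulo p_align.
        if p["align"] > 1 and (p["vaddr"] - p["offset"]) % p["align"] != 0:
            problems.append(f"phdr[{i}]: p_vaddr/p_offset not congruent modulo p_align")
        if p["type"] == PT_PHDR:
            start, end = p["vaddr"], p["vaddr"] + p["memsz"]
            # The dynamic loader reads the table through AT_PHDR, so a PT_LOAD must cover it.
            if not any(l["vaddr"] <= start and end <= l["vaddr"] + l["memsz"] for l in loads):
                problems.append(f"phdr[{i}]: PT_PHDR [0x{start:x}, 0x{end:x}) is outside every PT_LOAD")
            # Userland toolchains keep p_paddr == p_vaddr; a mismatch usually means a stale copy.
            if p["paddr"] != p["vaddr"]:
                problems.append(f"phdr[{i}]: PT_PHDR p_paddr 0x{p['paddr']:x} != p_vaddr 0x{start:x} (stale copy?)")
    return problems


def check_elf_bytes(data):
    """Convenience wrapper: parse and check an in-memory ELF image."""
    return check_phdrs(read_phdrs(data))


# Constructed from the two readelf listings in the thread (flags "R E" = PF_R | PF_X).
UNPATCHED = build_elf64([
    (PT_PHDR, PF_R | PF_X, 0x40, 0x400040, 0x400040, 0x1f8, 0x1f8, 8),
    (PT_LOAD, PF_R | PF_X, 0x0, 0x400000, 0x400000, 0x69fe4, 0x69fe4, 0x200000),
])
PATCHED = build_elf64([
    (PT_PHDR, PF_R | PF_X, 0x69fe4, 0x469fe4, 0x400040, 0x230, 0x1f8, 8),
    (PT_LOAD, PF_R | PF_X, 0x0, 0x400000, 0x400000, 0x69fe4, 0x69fe4, 0x2000),
])

if __name__ == "__main__":
    for name, image in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, check_elf_bytes(image) or ["ok"])
```

Against the unpatched table the checker reports nothing; against the patched one it flags the three defects visible in the listing. To use it on a real file, pass `open(path, "rb").read()` to `check_elf_bytes()`.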

lunixbochs commented 7 years ago

Should be fixed by 8041540 - thanks for the bug report, fixing this led to a few improvements.

If you want to comment on your use case, it could help me prioritize features.

mehQQ commented 7 years ago

I am just trying to patch some vulnerable programs, so I use this tool to insert the patch code. It seems to be working great right now, so many thanks. I will report if I find other bugs. (hope not :P)