lunixbochs / patchkit

binary patching from Python

ELF patched by newly installed patchkit always fails with a segmentation fault #36

Open wjbsyc opened 3 years ago

wjbsyc commented 3 years ago

I installed patchkit on a newly installed Ubuntu (18.04 and 20.04). After running ./deps.sh, it shows

All done!

Testing Python import: Traceback (most recent call last):
  File "<string>", line 1, in <module>
ImportError: No module named keystone

So I manually cd'd to build/keystone/bindings/python and ran python setup.py install, and it seems to work. But actually, some addresses are obviously incorrect.

ubuntu@VM-16-12-ubuntu:~/patchkit$ ls
bindiff  build  core  deps.sh  explore  hpwnwaf2.py  ida  LICENSE  patch  pwn_test  README.md  run  samples  util
ubuntu@VM-16-12-ubuntu:~/patchkit$ vi hpwnwaf2.py 
ubuntu@VM-16-12-ubuntu:~/patchkit$ ./patch -v ./pwn_test hpwnwaf2.py
[*] hpwnwaf2.py
 [+] replace_waf()
  [INJECT] @0x801000-0x8010c5
  ......
  [HOOK] @0x400583 -> 0x801000
  [!] Segment made writable: 0x400000-0x400784
  [INJECT] @0x8010e1-0x801108
  0x8010e1: e81affffff     call 0x801000
  0x8010e6: 57             push rdi
  0x8010e7: 56             push rsi
  0x8010e8: 51             push rcx
  0x8010e9: 488d3ddd8de6fb lea rdi, [rip - 0x4197223]         <========= here rip - 0x4197223 is incorrect
  0x8010f0: 488d35d6ffffff lea rsi, [rip - 0x2a]
  0x8010f7: 48c7c114000000 mov rcx, 0x14
  0x8010fe: f3a4           rep movsb byte ptr [rdi], byte ptr [rsi]
  0x801100: 59             pop rcx
  0x801101: 5e             pop rsi
  0x801102: 5f             pop rdi
  0x801103: e97bf4bfff     jmp 0x400583
  [INJECT] @0x801108-0x80112a
  0x801108: 57             push rdi
  0x801109: 56             push rsi
  0x80110a: 51             push rcx
  0x80110b: 488d3da38de6fb lea rdi, [rip - 0x419725d]         <========= and here is also incorrect
  0x801112: 488d3588ffffff lea rsi, [rip - 0x78]
  0x801119: 48c7c114000000 mov rcx, 0x14
  0x801120: f3a4           rep movsb byte ptr [rdi], byte ptr [rsi]
  0x801122: 59             pop rcx
  0x801123: 5e             pop rsi
  0x801124: 5f             pop rdi
  0x801125: e962f4bfff     jmp 0x40058c
  [PATCH] @0x8010c5-0x8010d3 | "hook stage 1"
  - 0000000000000000000000000000
  + 0x8010c5: e9590b4000 jmp 0xc01c23
  + 0x8010ca: 90909090   nop (x4)
  + 0x8010ce: e89ffeffff call 0x800f72
  [PATCH] @0x8010d3-0x8010e1 | "hook stage 2"
  - 0000000000000000000000000000
  + 0x8010d3: 55         push rbp
  + 0x8010d4: 4889e5     mov rbp, rsp
  + 0x8010d7: bf27064000 mov edi, 0x400627
  + 0x8010dc: e9770b4000 jmp 0xc01c58
  [PATCH] @0x400583-0x400591 | "hook entry point"
  - 0x400583: 55         push rbp
  - 0x400584: 4889e5     mov rbp, rsp
  - 0x400587: bf27064000 mov edi, 0x400627
  - 0x40058c: e89ffeffff call 0x400430
  + 0x400583: e9590b4000 jmp 0x8010e1
  + 0x400588: 90909090   nop (x4)
  + 0x40058c: e89ffeffff call 0x400430

[+] Saving binary to: /home/ubuntu/patchkit/pwn_test.patched
ubuntu@VM-16-12-ubuntu:~/patchkit$ ./pwn_test.patched 
Segmentation fault (core dumped)               <=============== and the ELF fails with a segmentation fault
wjbsyc commented 3 years ago

But it works properly on my previously installed one. Maybe there is something wrong with the new version of keystone, capstone or unicorn?
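The listing above can be sanity-checked mechanically before the patched binary is ever run: every `[rip ± disp]` operand and every direct `jmp`/`call` in the injected stubs should resolve to an address inside a region patchkit reported as mapped (the `[INJECT]`/`[PATCH]` ranges and the `Segment made writable` range). The following checker is an added example written for this issue, not code from patchkit or from the issue author; it parses the verbose output format shown on the page (the sample lines are copied from that output, trimmed) and reports targets that fall outside the known ranges. Note that the two flagged `lea rdi` operands wrap below zero in 64-bit arithmetic and land at 0xfffffffffc669ecd and 0xfffffffffc669eb5, which `rep movsb` then uses as a write destination; a fault on the first write is consistent with the reported crash.

```python
"""Check that rip-relative and direct control-flow targets in a patchkit -v
listing stay inside the regions the listing itself reports as mapped."""
import re

# Listing lines copied from the patchkit -v output quoted in this issue,
# trimmed to the headers and the instructions the checker cares about.
SAMPLE_LISTING = """\
  [INJECT] @0x801000-0x8010c5
  [HOOK] @0x400583 -> 0x801000
  [!] Segment made writable: 0x400000-0x400784
  [INJECT] @0x8010e1-0x801108
  0x8010e1: e81affffff     call 0x801000
  0x8010e9: 488d3ddd8de6fb lea rdi, [rip - 0x4197223]
  0x8010f0: 488d35d6ffffff lea rsi, [rip - 0x2a]
  0x8010fe: f3a4           rep movsb byte ptr [rdi], byte ptr [rsi]
  0x801103: e97bf4bfff     jmp 0x400583
  [INJECT] @0x801108-0x80112a
  0x80110b: 488d3da38de6fb lea rdi, [rip - 0x419725d]
  0x801112: 488d3588ffffff lea rsi, [rip - 0x78]
  0x801125: e962f4bfff     jmp 0x40058c
  [PATCH] @0x8010c5-0x8010d3 | "hook stage 1"
  [PATCH] @0x8010d3-0x8010e1 | "hook stage 2"
  [PATCH] @0x400583-0x400591 | "hook entry point"
  + 0x400583: e9590b4000 jmp 0x8010e1
"""

# Region headers: "[INJECT] @lo-hi", "[PATCH] @lo-hi | ...", "Segment made writable: lo-hi"
RANGE_RE = re.compile(
    r"(?:\[INJECT\] @|\[PATCH\] @|Segment made writable: )(0x[0-9a-f]+)-(0x[0-9a-f]+)")
# Instruction lines: "[+- ] 0xADDR: HEXBYTES MNEMONIC OPERANDS"
INSN_RE = re.compile(r"^\s*(?:[+-]\s+)?(0x[0-9a-f]+):\s+([0-9a-f]+)\s+(\S+)\s*(.*)$")
RIP_RE = re.compile(r"\[rip\s*([+-])\s*(0x[0-9a-f]+)\]")
DIRECT_RE = re.compile(r"^0x[0-9a-f]+$")

MASK64 = (1 << 64) - 1


def parse_ranges(listing):
    """Return [(lo, hi), ...] for every mapped region the listing reports."""
    return [(int(lo, 16), int(hi, 16)) for lo, hi in RANGE_RE.findall(listing)]


def in_ranges(addr, ranges):
    return any(lo <= addr < hi for lo, hi in ranges)


def resolve_targets(listing):
    """Return [(insn_addr, mnemonic, target), ...] for every rip-relative
    memory operand and every direct jmp/call in the listing."""
    out = []
    for line in listing.splitlines():
        m = INSN_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        length = len(m.group(2)) // 2          # one byte per hex pair
        mnem, ops = m.group(3), m.group(4).strip()
        next_rip = addr + length               # rip-relative base is the next instruction
        r = RIP_RE.search(ops)
        if r:
            disp = int(r.group(2), 16)
            target = next_rip + disp if r.group(1) == "+" else next_rip - disp
            out.append((addr, mnem, target & MASK64))  # wrap like the CPU does
        elif mnem in ("jmp", "call") and DIRECT_RE.match(ops):
            out.append((addr, mnem, int(ops, 16)))
    return out


def check_listing(listing):
    """Return the (insn_addr, mnemonic, target) triples whose target is
    outside every mapped region; an empty list means the listing is clean."""
    ranges = parse_ranges(listing)
    return [t for t in resolve_targets(listing) if not in_ranges(t[2], ranges)]


if __name__ == "__main__":
    for addr, mnem, target in check_listing(SAMPLE_LISTING):
        print(f"0x{addr:x}: {mnem} resolves to 0x{target:x}, outside every mapped region")
```

Run against the listing from the first comment it flags exactly the two `lea rdi` instructions the reporter marked; the `lea rsi` operands (0x8010cd and 0x8010a1), the `call 0x801000` and both `jmp` back into the original text all land inside reported regions, so only the destination side of the copy is suspect.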