nongiach / arm_now

arm_now is a qemu powered tool that allows instant setup of virtual machines on arm cpu, mips, powerpc, nios2, x86 and more, for reverse, exploit, fuzzing and programming purpose.
https://github.com/nongiach/arm_now/wiki
MIT License

Can't Execute Binary #34

Closed jpc0016 closed 4 years ago

jpc0016 commented 5 years ago

Good afternoon,

I'm using arm_now to debug a MIPS binary. I was able to download the challenge binary but cannot run it. I ran chmod +x on the file. I get the following.

ls
ch27.bin    wget-log    wget-log.2  wget-log.4  wget-log.6
index.html  wget-log.1  wget-log.3  wget-log.5  wget-log.7
# ./ch27.bin 
-sh: ./ch27.bin: not found
#

ShellCode33 commented 5 years ago

Hi, this usually happens when you're executing a binary on the wrong architecture. Try using another MIPS arch; see arm_now list.

idlewog commented 5 years ago

same here ... tried all the possible arch ... none works ....

SakiiR commented 5 years ago

As @ShellCode33 said, the ld thing does not recognize the binary as a standard one relative to the current arch. Try another architecture.

And it would be great to have more details about what arch you are using and what the binary is.

$ uname -a
$ file ./ch27.bin # That smells root me challenge

idlewog commented 5 years ago

Yes @SakiiR, you're right ... that's a root-me challenge ... I've done it with ghidra instead ... but, as I said, I tried all the possible arch ... and none worked. binwalk and file give me different results ... weird ... anyway, I can post the output of the ld cmd next week ... if it can help ...

SakiiR commented 5 years ago

Yeap, it may help, thank you

jpc0016 commented 5 years ago

I tried running arm_now again and got the below output. I got the same output trying to start mips32el.

$ arm_now start
WARNING: arm_now/ already exists, use --clean to restart with a fresh filesystem
File not found by ext2_lookup
WARNING: e2rm file already suppressed
File not found by ext2_lookup
WARNING: e2rm file already suppressed
Tempdir /tmp/tmpa0ndv7ri
File not found by ext2_lookup
WARNING: e2rm file already suppressed
Starting qemu-system-mipsel
stty intr ^]
       export QEMU_AUDIO_DRV="none"
       qemu-system-mipsel -kernel arm_now/kernel -hda arm_now/rootfs.ext2 -append 'root=/dev/hda console=ttyS0 rw physmap.enabled=0 noapic'                -m 256M                -nographic                -serial stdio -monitor null  -nic user                                 -no-reboot
       stty intr ^c

qemu-system-mipsel: -nic: invalid option
+++++++++++++++++++++++++++ Checking the filesystem ++++++++++++++++++++++++++++
e2fsck 1.44.1 (24-Mar-2018)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information

         884 inodes used (3.54%, out of 24960)
          27 non-contiguous files (3.1%)
           4 non-contiguous directories (0.5%)
             # of inodes with ind/dind/tind blocks: 46/14/0
       19660 blocks used (19.20%, out of 102400)
           0 bad blocks
           0 large files

         312 regular files
          67 directories
           1 character device file
           0 block device files
           0 fifos
           0 links
         495 symbolic links (487 fast symbolic links)
           0 sockets
------------
         875 files

nongiach commented 5 years ago

Hi guys,

When you see a "not found" error on Linux, "most of the time" it's because a file is missing. In your very case, for ch27.bin, it's because the linker ld-uClibc.so.0 is not found.

This can be corrected by uploading the linker and libraries to your system. It's one of the works in progress that I should finish (add the option to choose the libc implementation).

Note: If you have the right linker and you still see the "not found", it's because libraries are missing; they can be listed with ldd ./your_binary or

$ /lib/x86_64-linux-gnu/ld-2.29.so --list /bin/ls
    linux-vdso.so.1 (0x00007ffd1a387000)
    libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f2aa3634000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2aa3474000)
    libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007f2aa33ef000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f2aa33ea000)
    /lib64/ld-linux-x86-64.so.2 => /lib/x86_64-linux-gnu/ld-2.29.so (0x00007f2aa36a6000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f2aa33c9000)

Kiss.

MostParsingVex commented 4 years ago

...

qemu-system-mipsel: -nic: invalid option

...

This appears to be addressed in issue #37

jpc0016 commented 4 years ago

I used the --sync option to get ld-uClibc.so.0 onto the MIPS image and placed it into /lib/. Now there's an error message:

# ./ch27.bin 
-sh: ./ch27.bin: Accessing a corrupted shared library

Did I place the shared object in the correct directory?

MostParsingVex commented 4 years ago

Did you check if you're using the same endianness and ABI? mips-linux-gnu is different from mipsel-linux-gnu

jpc0016 commented 4 years ago

My binary is MIPS 32-bit little endian. Also, where are mips-linux-gnu and mipsel-linux-gnu referenced?

$ file ch27.bin 
ch27.bin: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped

I tried $ arm_now start mips32 --sync instead of mips32el and received the following error when attempting to execute:

./ch27.bin: line 1: syntax error: unexpected "("

Stackexchange tells me this error stems from the binary not being the correct architecture. So I'm back to the original error of "Accessing a corrupted shared library" and mips32el must be the correct architecture. There must be an error in how ld-uClibc is interpreted in the emulated system.
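
The two failures reported in this thread can be told apart from ELF headers alone. The sketch below is an added example, not code from arm_now or from any commenter: it reads the binary's PT_INTERP path and its class, byte order and machine fields, then reports whether the guest's loader is absent (the "not found" case) or was built for a different target (one cause of ELIBBAD, whose message is "Accessing a corrupted shared library"). The function names are hypothetical and make_elf32 only builds constructed sample headers.

```python
import struct

PT_INTERP = 3
EM_MIPS = 8

def elf_info(data):
    """Parse class, byte order, e_machine and the PT_INTERP path from an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}[data[4]]            # EI_CLASS
    end = {1: "<", 2: ">"}[data[5]]           # EI_DATA: little or big endian
    machine = struct.unpack_from(end + "H", data, 18)[0]
    if bits == 32:
        phoff = struct.unpack_from(end + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    else:
        phoff = struct.unpack_from(end + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    interp = None
    for i in range(phnum):
        ph = phoff + i * phentsize
        if struct.unpack_from(end + "I", data, ph)[0] != PT_INTERP:
            continue
        # p_offset .. p_filesz start at +4 (ELF32) or +8 (ELF64)
        fmt, base = ("4I", ph + 4) if bits == 32 else ("4Q", ph + 8)
        off, _, _, size = struct.unpack_from(end + fmt, data, base)
        interp = data[off:off + size].rstrip(b"\0").decode()
    return {"bits": bits, "endian": end, "machine": machine, "interp": interp}

def diagnose(binary, loader):
    """Classify the exec failure; loader is the guest's copy of PT_INTERP, or None."""
    b = elf_info(binary)
    if b["interp"] is None:
        return ("static", [])
    if loader is None:
        return ("loader-missing", [b["interp"]])   # shell reports "not found"
    ld = elf_info(loader)
    diff = [k for k in ("bits", "endian", "machine") if b[k] != ld[k]]
    return ("loader-mismatch", diff) if diff else ("loader-ok", [])

def make_elf32(end, interp=None):
    """Constructed sample: minimal ELF32 MIPS header plus an optional PT_INTERP segment."""
    ident = b"\x7fELF" + bytes([1, 1 if end == "<" else 2, 1]) + bytes(9)
    path = (interp or "").encode() + b"\0"
    ehdr = ident + struct.pack(end + "HHIIIIIHHHHHH", 2, EM_MIPS, 1, 0, 52, 0, 0,
                               52, 32, 1 if interp else 0, 0, 0, 0)
    phdr = struct.pack(end + "8I", PT_INTERP, 84, 0, 0, len(path), len(path), 4, 1)
    return ehdr + (phdr + path if interp else b"")
```

On real files, pass the bytes of the challenge binary and of the loader copied into the guest's /lib, for example `diagnose(open("ch27.bin", "rb").read(), open("ld-uClibc.so.0", "rb").read())`.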