plasma-disassembler / plasma

Plasma is an interactive disassembler for x86/ARM/MIPS. It can generate indented pseudo-code with colored syntax.
GNU General Public License v3.0

opcode \xff\x25 was not found, please report #42

Closed Fi5t closed 8 years ago

Fi5t commented 8 years ago

When I give a certain *.so file to the script I get the following error:

warning: I'm expecting to see a jmp *(ADDR) on each plt entry
warning: opcode \xff\x25 was not found, please report
error: symbol main not found
error: You can see all symbols with -s (if resolution is done).
error: Note: --dump need the option -x.

What am I doing wrong?

ghost commented 8 years ago

Thank you for reporting. In fact I didn't know how to properly resolve relocations.

Here is an example of how I do relocations. In the relocation section we have an association of symbol names with an address in the GOT: puts@plt -> 0x600a40

>> dq 0x600a40
.got.plt             [ 0x600a28 - 0x600a57 - 48 - 48 ]
0x600a40: 0x4003e6 (.plt)

>> dump .plt
.plt                 [ 0x4003d0 - 0x40040f - 64 - 64 ]
0x4003d0: push *((.got.plt) 0x600a30) # push qword ptr [rip + 0x20065a]
0x4003d6: jmp *((.got.plt) 0x600a38) # STOPPED
0x4003dc: nop *(rax) # nop dword ptr [rax]
puts@plt
0x4003e0: jmp *((.got.plt) 0x600a40) # STOPPED
0x4003e6: push 0 # push 0
0x4003eb: jmp 0x4003d0

You can see that the address in the GOT is the address on the push 0, but when you want to do call puts@plt, you call at 0x4003e0 and not 0x4003e6.

So I subtract 6 and I'm expecting to see a jmp *ADDR (opcode \xff\x25) which is supposed to be the first instruction of the plt entry. It seems that in your .so, a different format is used to manage the plt.

Can you please give me the result of the command dump .plt? Or do you have any ideas of how to do it better?

Fi5t commented 8 years ago

Of course. Here is the result of dump:

>> dump .plt
.plt                 [ 0x6f0 - 0x78f - 160 - 160 ]
0x6f0: push *(ebx + 4) # push dword ptr [ebx + 4]
0x6f6: jmp *(ebx + 8) # STOPPED
0x6fc: *(eax) += al # add byte ptr [eax], al
0x6fe: *(eax) += al # add byte ptr [eax], al
0x700: jmp *(ebx + 12) # STOPPED
0x706: push 0 # push 0
0x70b: jmp 0x6f0
0x710: jmp *(ebx + 16) # STOPPED
0x716: push 8 # push 8
0x71b: jmp 0x6f0
0x720: jmp *(ebx + 20) # STOPPED
0x726: push 16 # push 0x10
0x72b: jmp 0x6f0
0x730: jmp *(ebx + 24) # STOPPED
0x736: push 24 # push 0x18
0x73b: jmp 0x6f0
0x740: jmp *(ebx + 28) # STOPPED
0x746: push 32 # push 0x20
0x74b: jmp 0x6f0
0x750: jmp *(ebx + 32) # STOPPED
0x756: push 40 # push 0x28
0x75b: jmp 0x6f0
0x760: jmp *(ebx + 36) # STOPPED
0x766: push 48 # push 0x30
0x76b: jmp 0x6f0
0x770: jmp *(ebx + 40) # STOPPED
0x776: push 56 # push 0x38
0x77b: jmp 0x6f0
0x780: jmp *(ebx + 44) # STOPPED
0x786: push 64 # push 0x40
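
The lookup described in the comment above, as an added Python example that is not plasma's own code: it takes the GOT value, steps back 6 bytes to the start of the PLT entry and decodes the jmp there, accepting both the x86-64 rip-relative form (\xff\x25) from the first dump and the i386 PIC form jmp *(ebx + N) (\xff\xa3) from the 32-bit dump. The byte strings are constructed from the listings in this thread; the `bits` parameter is an assumption of this example.

```python
import struct

# Constructed sample bytes, assembled from the listings in this thread (not read
# from either binary): the puts@plt entry at 0x4003e0 and the 32-bit entry at 0x700.
PLT64_BASE = 0x4003E0
PLT64 = bytes.fromhex("ff255a062000" "6800000000" "e9e0ffffff")  # jmp *[rip+0x20065a]; push 0; jmp 0x4003d0
PLT32_BASE = 0x700
PLT32 = bytes.fromhex("ffa30c000000" "6800000000" "e9e0ffffff")  # jmp *(ebx+12); push 0; jmp 0x6f0


def decode_plt_jmp(plt, base, addr, bits):
    """Decode the indirect jmp expected at `addr` in the .plt image `plt` loaded at `base`.

    Returns ("abs", slot) for opcode ff 25 (x86-64: slot = rip + disp32; i386: slot = disp32)
    or ("ebx", offset) for the PIC form ff a3, jmp *(ebx + disp32), where ebx holds the
    GOT base.  Returns None when the bytes are neither encoding (the "not found" case).
    """
    off = addr - base
    if off < 0 or off + 6 > len(plt) or plt[off] != 0xFF:
        return None
    modrm = plt[off + 1]
    disp = struct.unpack_from("<i", plt, off + 2)[0]   # signed 32-bit displacement
    if modrm == 0x25:
        # rip-relative: rip is the address of the next instruction (6 bytes further)
        return ("abs", addr + 6 + disp if bits == 64 else disp)
    if modrm == 0xA3:
        return ("ebx", disp)
    return None


def plt_entry_from_got(plt, base, got_value, bits):
    """A lazily bound GOT slot holds the address of the `push N` that follows the
    jmp, so the PLT entry itself starts 6 bytes earlier.  Returns (entry_addr, decoded)."""
    entry = got_value - 6
    return entry, decode_plt_jmp(plt, base, entry, bits)
```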

ghost commented 8 years ago

Ok I see. I got the same error with a libc on 32 bits. I fixed it on the master branch, can you confirm that it's good for you? Thanks.

28f0e6ca5259605be8d1a75966d5e7b48aa2d1fe

Fi5t commented 8 years ago

I no longer get an error. Thank you!