
Comments (6)

AeonLucid commented on July 21, 2024

Are you sure? It seems like this is something that should've broken things earlier.
Can you provide C code that I can compile for Android to reproduce the issue?

from androidnativeemu.

flankerhqd commented on July 21, 2024

Yes, it actually only happens e.g. when you have multiple global pointers pointing to offsets of a specific array. I found this problem when running libc's printf functions. libc's stdin, stdout, stderr point to the __sF array at __sF[0], __sF[1], __sF[2], but since the relocation is broken, the three pointers wrongly point to the same address.

A minimized code snippet:

#include <stdio.h>
char arr[] = {1,2,3};
char* p1 = &arr[1];
char* p2 = &arr[2];

We can see arr is used to relocate two R_ARM_ABS32 entries, which are actually p1 and p2.

 readelf -r libtest.so

Relocation section '.rel.dyn' at offset 0x388 contains 5 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
00001ef0  00000017 R_ARM_RELATIVE   
00001ef4  00000017 R_ARM_RELATIVE   
00002000  00000017 R_ARM_RELATIVE   
00002008  00000402 R_ARM_ABS32       00002004   arr
0000200c  00000402 R_ARM_ABS32       00002004   arr

Relocation section '.rel.plt' at offset 0x3b0 contains 3 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
00001ff4  00000216 R_ARM_JUMP_SLOT   00000000   __cxa_finalize@LIBC
00001ff8  00000116 R_ARM_JUMP_SLOT   00000000   __cxa_atexit@LIBC
00001ffc  00000316 R_ARM_JUMP_SLOT   00000000   __register_atfork@LIBC

Adding functions returning the address of p1 and p2, and recompiling with -fPIC:

armv7a-linux-androideabi26-clang test.c -shared -o libtest.so -fPIC

#include <stdio.h>
char arr[] = {1,2,3};
char* p1 = &arr[1];
char* p2 = &arr[2];

char* func1()
{
    return p1;
}

char* func2()
{
    return p2;
}

Calling func1 and func2 with AndroidNativeEmu gives us the same address:

symbol name func1 address cbd16480
returned r0: 0xcbd18004
symbol name func2 address cbd16494
returned r0: 0xcbd18004

Which is obviously incorrect.

libtest.zip

Referring to a Java version of emulation:

https://github.com/zhkl0228/unidbg/blob/067dd9749d01a43ed6f754f00572dda4c236f4c4/src/main/java/com/github/unidbg/linux/AndroidElfLoader.java#L421

It's correctly added.


maiyao1988 commented on July 21, 2024

This is true, you can see the linker source code for how to fix R_ARM_ABS32 addresses.
Here is the link:
https://android.googlesource.com/platform/bionic/+/738370d9387396922c10910edb61272e585be107/linker/linker.cpp#967

In modules.py, I think the correct code should be like this:

```python
if rel_info_type == arm.R_ARM_ABS32:
    if sym.name in symbols_resolved:
        sym_addr = symbols_resolved[sym.name].address

        # REL relocation: the addend is the value already stored at the slot
        value_orig_bytes = self.emu.mu.mem_read(rel_addr, 4)
        value_orig = int.from_bytes(value_orig_bytes, byteorder='little')

        # *reinterpret_cast<Elf32_Addr*>(reloc) += sym_addr;
        value = sym_addr + value_orig

        self.emu.mu.mem_write(rel_addr, value.to_bytes(4, byteorder='little'))
```


flankerhqd commented on July 21, 2024

So it seems R_ARM_REL32 in modules.py also needs to be fixed?


maiyao1988 commented on July 21, 2024

> So it seems R_ARM_REL32 in modules.py also needs to be fixed?

Yes, the original R_ARM_REL32 fixing method in modules.py is not right.


AeonLucid commented on July 21, 2024

I have fixed R_ARM_ABS32.
I'm pretty sure that R_ARM_REL32 is correct, but feel free to reopen if it's not.

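An added, self-contained illustration of the bug and the fix discussed in this thread (it is not AndroidNativeEmu's own code): a REL-style ARM relocator run over a constructed image laid out like the readelf output above (arr at 0x2004, the p1 and p2 slots at 0x2008 and 0x200c holding the in-place addends 1 and 2). The load base 0xcbd16000 is an assumption derived from the emulator output; ABS32 and RELATIVE follow the bionic lines linked above, and REL32 follows the ARM ELF ABI definition S + A - P.

```python
import struct

# ELF relocation type numbers for ARM (ELF for the ARM Architecture)
R_ARM_ABS32 = 2
R_ARM_REL32 = 3
R_ARM_RELATIVE = 23


def apply_rel_buggy(mem, load_base, r_offset, sym_value):
    # The defect from the thread: the slot is overwritten with the symbol
    # address, so the per-pointer addend stored in the slot (1 and 2) is lost.
    struct.pack_into('<I', mem, r_offset, (load_base + sym_value) & 0xffffffff)


def apply_rel(mem, load_base, r_offset, r_type, sym_value):
    """Apply one REL-style ARM relocation: the addend (A) is the 32-bit value
    already stored at the relocation site, as in bionic's linker.cpp."""
    addend = struct.unpack_from('<I', mem, r_offset)[0]
    reloc = load_base + r_offset                      # P: runtime address of the slot
    if r_type == R_ARM_RELATIVE:
        value = load_base + addend                    # *reloc += load_bias
    elif r_type == R_ARM_ABS32:
        value = load_base + sym_value + addend        # *reloc += sym_addr  (S + A)
    elif r_type == R_ARM_REL32:
        value = load_base + sym_value + addend - reloc  # S + A - P
    else:
        raise ValueError("unsupported relocation type %d" % r_type)
    value &= 0xffffffff
    struct.pack_into('<I', mem, r_offset, value)
    return value


def relocate_sample(load_base=0xcbd16000, buggy=False):
    """Constructed image mirroring the readelf output in the thread. The load
    base is assumed (func1 at 0xcbd16480 with a 0x1000-aligned base).
    Returns the relocated (p1, p2) slot values."""
    mem = bytearray(0x2010)
    struct.pack_into('<I', mem, 0x2008, 1)            # p1 = &arr[1] -> addend 1
    struct.pack_into('<I', mem, 0x200c, 2)            # p2 = &arr[2] -> addend 2
    for r_offset in (0x2008, 0x200c):
        if buggy:
            apply_rel_buggy(mem, load_base, r_offset, 0x2004)
        else:
            apply_rel(mem, load_base, r_offset, R_ARM_ABS32, 0x2004)
    return tuple(struct.unpack_from('<I', mem, off)[0] for off in (0x2008, 0x200c))


if __name__ == "__main__":
    print("buggy:", [hex(v) for v in relocate_sample(buggy=True)])  # both 0xcbd18004
    print("fixed:", [hex(v) for v in relocate_sample()])            # 0xcbd18005, 0xcbd18006
```

The buggy path reproduces the 0xcbd18004 returned for both func1 and func2 above; the corrected path keeps the two pointers one byte apart.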
