
ELF patched by newly installed patchkit always fails segmentation fault #36

Open
wjbsyc opened this issue Jun 17, 2021 · 1 comment

Comments

@wjbsyc

wjbsyc commented Jun 17, 2021

I installed patchkit on a newly installed Ubuntu (18.04 and 20.04).
After running ./deps.sh, it shows

```text
All done!

Testing Python import: Traceback (most recent call last):
  File "<string>", line 1, in <module>
ImportError: No module named keystone
```

So I manually cd'd to build/keystone/bindings/python and ran python setup.py install, and it seems to work.
But actually, some addresses are obviously incorrect.

```text
ubuntu@VM-16-12-ubuntu:~/patchkit$ ls
bindiff  build  core  deps.sh  explore  hpwnwaf2.py  ida  LICENSE  patch  pwn_test  README.md  run  samples  util
ubuntu@VM-16-12-ubuntu:~/patchkit$ vi hpwnwaf2.py 
ubuntu@VM-16-12-ubuntu:~/patchkit$ ./patch -v ./pwn_test hpwnwaf2.py
[*] hpwnwaf2.py
 [+] replace_waf()
  [INJECT] @0x801000-0x8010c5
  ......
  [HOOK] @0x400583 -> 0x801000
  [!] Segment made writable: 0x400000-0x400784
  [INJECT] @0x8010e1-0x801108
  0x8010e1: e81affffff     call 0x801000
  0x8010e6: 57             push rdi
  0x8010e7: 56             push rsi
  0x8010e8: 51             push rcx
  0x8010e9: 488d3ddd8de6fb lea rdi, [rip - 0x4197223]         <========= here rip - 0x4197223 is incorrect
  0x8010f0: 488d35d6ffffff lea rsi, [rip - 0x2a]
  0x8010f7: 48c7c114000000 mov rcx, 0x14
  0x8010fe: f3a4           rep movsb byte ptr [rdi], byte ptr [rsi]
  0x801100: 59             pop rcx
  0x801101: 5e             pop rsi
  0x801102: 5f             pop rdi
  0x801103: e97bf4bfff     jmp 0x400583
  [INJECT] @0x801108-0x80112a
  0x801108: 57             push rdi
  0x801109: 56             push rsi
  0x80110a: 51             push rcx
  0x80110b: 488d3da38de6fb lea rdi, [rip - 0x419725d]         <========= and here is also incorrect
  0x801112: 488d3588ffffff lea rsi, [rip - 0x78]
  0x801119: 48c7c114000000 mov rcx, 0x14
  0x801120: f3a4           rep movsb byte ptr [rdi], byte ptr [rsi]
  0x801122: 59             pop rcx
  0x801123: 5e             pop rsi
  0x801124: 5f             pop rdi
  0x801125: e962f4bfff     jmp 0x40058c
  [PATCH] @0x8010c5-0x8010d3 | "hook stage 1"
  - 0000000000000000000000000000
  + 0x8010c5: e9590b4000 jmp 0xc01c23
  + 0x8010ca: 90909090   nop (x4)
  + 0x8010ce: e89ffeffff call 0x800f72
  [PATCH] @0x8010d3-0x8010e1 | "hook stage 2"
  - 0000000000000000000000000000
  + 0x8010d3: 55         push rbp
  + 0x8010d4: 4889e5     mov rbp, rsp
  + 0x8010d7: bf27064000 mov edi, 0x400627
  + 0x8010dc: e9770b4000 jmp 0xc01c58
  [PATCH] @0x400583-0x400591 | "hook entry point"
  - 0x400583: 55         push rbp
  - 0x400584: 4889e5     mov rbp, rsp
  - 0x400587: bf27064000 mov edi, 0x400627
  - 0x40058c: e89ffeffff call 0x400430
  + 0x400583: e9590b4000 jmp 0x8010e1
  + 0x400588: 90909090   nop (x4)
  + 0x40058c: e89ffeffff call 0x400430

[+] Saving binary to: /home/ubuntu/patchkit/pwn_test.patched
ubuntu@VM-16-12-ubuntu:~/patchkit$ ./pwn_test.patched 
Segmentation fault (core dumped)               <=============== and the ELF fails segmentation fault
```
@wjbsyc
Author

wjbsyc commented Jun 17, 2021

But it works properly on my previously installed one; maybe there is something wrong with the new version of keystone, capstone or unicorn?
