Commit 1aded942 authored by Thanassis Tsiodras

Example code reproducing all steps.

```makefile
# Makefile
CC=sparc-elf-gcc
OBJDUMP=sparc-elf-objdump
OBJ=newcode.o old_library_code.o

all: example

# Relinking changes the address of the hidden static, so the binary is
# re-patched after every link.
example: ${OBJ}
	${CC} -o example $^
	./patch_binary

%.o: %.c
	${CC} -c -o $@ $<

clean:
	rm -f ${OBJ} example
```
An example program, demonstrating how to automatically patch a binary in order
to access "hidden" static data inside a function that you are not allowed to
modify, due to legacy reasons.

The function `foo` inside `old_library_code.c` contains static, hidden data:

```c
void foo()
{
    static int data[128];
```

We can't touch this function, for whatever reason. But we do want to access
the data from new code we have written:

```c
int main()
{
    ...
    for(i=0; i<128; i++)
        printf("%d ", thanassis_data[i]);
}
```

We do this via `thanassis_data`, which we will somehow force to refer to the
same memory as `data`.

How?

Look at `patch_binary`: we extract the address of the hidden symbol (which, as
the `nm old_library_code.o` output shows, is named `data.0`) and we then patch
the binary via GDB, writing that address into the global `value`, which `main`
copies into `thanassis_data` so that it *points to the same address*. Since
that address changes whenever the binary is relinked, the Makefile re-runs
`patch_binary` after every link.

Example run:

```
(master)$ make
sparc-elf-gcc -c -o newcode.o newcode.c
sparc-elf-gcc -c -o old_library_code.o old_library_code.c
sparc-elf-gcc -o example newcode.o old_library_code.o
./patch_binary
[-] The static variable is at memory offset: 4000a86c
[-] Patching binary with GDB...
[-] Done!
(master)*$ taste-simulate-leon3 ./example
GNU gdb (GDB) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "--host=x86_64-linux-gnu --target=sparc-rtems5".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./example...done.
(gdb) Connected to the simulator.
(gdb) (gdb) Starting program: /home/taste/GitLocal/access_static_data/example
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 [Inferior 1 (process 42000) exited normally]
(gdb) quit
```

As you can see, we read the contents of the static array, exactly as they were
set inside the function `foo`.
```c
/* newcode.c */
#include <stdio.h>
#include <stdint.h>

/* Sentinel that patch_binary overwrites in the ELF's .data section with the
 * address of foo()'s static array. It is volatile so the compiler must load
 * it from memory at run time instead of folding 0xDEADBEEF into the code. */
volatile unsigned value = 0xDEADBEEF;
int *thanassis_data;
extern void foo(void);   /* defined in old_library_code.c; returns nothing */

int main(void)
{
    int i;
    foo(); /* the static data have now been written into */
    thanassis_data = (int *)(uintptr_t) value;
    for (i = 0; i < 128; i++)
        printf("%d ", thanassis_data[i]);
    return 0;
}
```
```c
/* old_library_code.c - the legacy function we are not allowed to modify */
void foo()
{
    /* Function-local static: invisible to other translation units, but it
     * still gets a symbol (data.0) and an address in the linked binary. */
    static int data[128];
    int i;
    for (i = 0; i < 128; i++)
        data[i] = i;
}
```
```bash
#!/bin/bash
# patch_binary - write the address of foo()'s hidden static into `value`.
# Match the symbol name exactly: an unanchored `grep data.0` would also hit
# any symbol merely containing "data", one arbitrary character and "0".
HIDDEN_ADDR=$(sparc-elf-nm example | awk '$3 == "data.0" {print $1}')
if [ -z "$HIDDEN_ADDR" ] ; then
    echo "[x] Failed to find symbol 'data.0'! Aborting..."
    exit 1
fi
echo "[-] The static variable is at memory offset: $HIDDEN_ADDR"
echo "[-] Patching binary with GDB..."
# --write opens the ELF read/write, so `set` changes the initializer of
# `value` stored in the file's .data section, not a running process.
echo "set value = 0x$HIDDEN_ADDR" > gdb.cmd
echo "quit" >> gdb.cmd
if ! sparc-elf-gdb --write example -x gdb.cmd >/dev/null 2>&1 ; then
    rm -f gdb.cmd
    echo "[x] GDB failed to patch the binary! Aborting..."
    exit 1
fi
rm -f gdb.cmd
echo "[-] Done!"
```
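The same patch done without GDB, as an added example that is not part of this commit: a minimal parser for the 32-bit big-endian ELF the sparc-elf toolchain produces, which looks up `data.0` and `value` in `.symtab` by exact name, maps the virtual address of `value` to its file offset through its section header, checks that the 0xDEADBEEF sentinel from `newcode.c` is still there and writes the address in place. The function names and the sentinel check are my additions; the layout assumed is only the standard Elf32 header, section header and symbol formats.

```python
import struct

SHT_SYMTAB = 2  # section type of the static symbol table (Elf32_Shdr.sh_type)

def _sections(elf):
    """Parse the section header table into (name, type, addr, offset, size, link)."""
    (shoff,) = struct.unpack_from(">I", elf, 0x20)            # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from(">HHH", elf, 0x2E)
    raw = [struct.unpack_from(">10I", elf, shoff + i * shentsize) for i in range(shnum)]
    strs = raw[shstrndx][4]                                    # file offset of .shstrtab
    cstr = lambda off: elf[off:elf.index(b"\0", off)]          # NUL-terminated string
    return [(cstr(strs + s[0]).decode(), s[1], s[3], s[4], s[5], s[6]) for s in raw]

def symbol_address(elf, sym_name):
    """Return (st_value, st_shndx) of the symbol named exactly sym_name.
    Exact matching avoids the `grep data.0` pitfall (the dot matches any character)."""
    secs = _sections(elf)
    for _, typ, _, off, size, link in secs:
        if typ != SHT_SYMTAB:
            continue
        strtab = secs[link][3]                                 # sh_link -> .strtab offset
        for i in range(size // 16):                            # Elf32_Sym is 16 bytes
            st_name, st_value, _, _, _, shndx = struct.unpack_from(">IIIBBH", elf, off + i * 16)
            end = elf.index(b"\0", strtab + st_name)
            if elf[strtab + st_name:end] == sym_name.encode():
                return st_value, shndx
    raise KeyError(sym_name)

def vaddr_to_file_offset(elf, vaddr, shndx):
    """Translate a virtual address to its file offset via the section that holds it."""
    _, _, addr, off, size, _ = _sections(elf)[shndx]
    if not addr <= vaddr < addr + size:
        raise ValueError(f"{vaddr:#x} is not inside section {shndx}")
    return off + (vaddr - addr)

def patch_pointer(elf, pointer_sym, target_sym, sentinel=0xDEADBEEF):
    """Return a copy of elf where pointer_sym's 4-byte initializer holds target_sym's address.
    Refuses unless the sentinel is still present, so a file is never patched twice."""
    target_va, _ = symbol_address(elf, target_sym)
    ptr_va, ptr_shndx = symbol_address(elf, pointer_sym)
    fo = vaddr_to_file_offset(elf, ptr_va, ptr_shndx)
    (current,) = struct.unpack_from(">I", elf, fo)
    if current != sentinel:
        raise ValueError(f"expected {sentinel:#x} at {pointer_sym}, found {current:#x}")
    out = bytearray(elf)
    struct.pack_into(">I", out, fo, target_va)                 # big-endian, as on SPARC
    return bytes(out)
```

On the commit's binary this is `patch_pointer(open("example", "rb").read(), "value", "data.0")`, with the result written back over `example`.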