liveoverflow_youtube
liveoverflow_youtube copied to clipboard
LiveOverflow
Opening 0x07/0x08 "unbreakable" in radare2
How? I modified it to hang for a second at the end, so i have time to quickly ^Z it away, and:
sudo gdb
attach <process>
That got gdb attached (with debug symbols & everything)
Then, i used vmmap to get its mappings and found that the layout is something like this:
<asdf+0> (one page)
nothing (one page)
<asdf+0> (one page)
<asdf+0x1000> (one page)
So i used nasm to get an object that looks ok similar:
incbin "asdf"
resb 1024
incbin "asdf"
incbin "asdf"
And ran: nasm embed.s -felf64 -o asdf-fake.o
To my surpries, asdf-fake.o was good enough for radare and i was able to open it.
But there were no symbols (they were left alone in the cold with gdb). After analyzing it i did s <TAB> <TAB> and found some functions radare2 found:
[0x08000180]> s
rax rbx rcx rdx rsi rdi r8
r9 r10 r11 r12 r13 r14 r15
rflags rbp rsp section. segment.ehdr section..text sym..text
rip fcn.08000718 fcn.08000740 fcn.08000750 fcn.08000760 fcn.08000770 fcn.08000780
fcn.080007c0 fcn.08000861 fcn.08000890 fcn.0800089a fcn.08002c08 fcn.08002c30 fcn.08002c40
fcn.08002c50 fcn.08002c60 fcn.08002c70 fcn.08002cb0 fcn.08002d51 fcn.08002d80 fcn.08002d8a
fcn.08004cf8 fcn.08004d20 fcn.08004d30 fcn.08004d40 fcn.08004d50 fcn.08004d60 fcn.08004da0
fcn.08004e41 fcn.08004e70 fcn.08004e7a section..shstrtab section..symtab section..strtab
So i had a look at the first function, fcn.08000718. It was a small leaf function which looked very much like PLT handler. It had a code XREF from fcn.0800089a
What is that? main.
So that wasn't too hard...
And gdb attach isn't even required. You can just use objdump and manually add symbols i guess.
(looking at what it says, it claims that there is 648588715588852480 program headers... unless i screwed up ELF parsing.)
of course. Linux doesn't care about that. it uses sections not program headers...
Oh i screwed up endianness... So i used big-endian for x86-64 which is little endian.. going back to parsing it
I parsed out section headers... there is one useful and a ton of (fuzzed in?) garbage.
It claims there are 9 headers:
Program headers (9 of them)
Section header #0
Type: 6(PT_PHDR)
Section header #1
Type: 3(PT_INTERP)
Section header #2
Type: 1(PT_LOAD)
Section header #3
Type: 1(PT_LOAD)
Section header #4
Type: 2(PT_DYNAMIC)
Section header #5
Type: 4(PT_NOTE)
Section header #6
Type: 1685382480(undefined)
Section header #7
Type: 1685382481(undefined)
Section header #8
Type: 1685382482(undefined)
I looked at the original and it seems to be the same. These 3 super-high section types are withing the "OS Specific" range. So maybe some linux specific stuff?
I appreciate the shared investigation and experiments for people to discover here. But please don't write single sentence responses. This is not a chat 😅
Okay, so as it turns out this only works in older versions of radare, my radare that i got off master few days ago reads it fine. But my (older) gdb as well as all of binutils+llvm-binutils don't like it. The error is even more apparent when you try to llvm-objcopy it:
$ llvm-objcopy ./license_2_fuzz ./license_2_fuzz
llvm-objcopy: error: invalid sh_type for string table section [index 27]: expected SHT_STRTAB, but got SHT_NULL