
Elf Loader provides wrong memory in data section

Open mrphrazer opened this issue 3 years ago • 1 comments

Heya!

The elf loader returns wrong values for the provided binary. If you double check with IDA or other tools, it should return 0x398994d6 instead of 0x0.

import sys
from miasm.core.locationdb import LocationDB
from miasm.analysis.binary import Container

# Load the ELF given on the command line into a Miasm container
with open(sys.argv[1], 'rb') as f:
    container = Container.from_stream(f, LocationDB())

# Read 8 bytes at virtual address 0x60e058 and decode them as a little-endian integer
byte_stream = container.bin_stream.getbytes(0x60e058, 8)
value = int.from_bytes(byte_stream, byteorder='little')

assert value == 0x398994d6

Best,

mrphrazer

binary.zip

mrphrazer avatar May 26 '21 17:05 mrphrazer

IDA (and probably other tools as well) takes additional information from the ELF header into account when displaying the disassembly/hex view to you. Here, IDA seems to parse the relocation section and dynamically adjusts the .data section based on the entries.

Relocation section '.rela.dyn' at offset 0x380 contains 4 entries:
Offset          Info           Type           Sym. Value    Sym. Name + Addend
00000060dff0  000300000006 R_X86_64_GLOB_DAT 0000000000000000 __libc_start_main@GLIBC_2.2.5 + 0
00000060dff8  000400000006 R_X86_64_GLOB_DAT 0000000000000000 __gmon_start__ + 0
00000060e058  000200000001 R_X86_64_64       0000000000000000 printf@GLIBC_2.2.5 + 3928b266
00000060e080  000100000001 R_X86_64_64       0000000000000000 strlen@GLIBC_2.2.5 + 20e3e38c

Miasm's getbytes simply returns the raw bytes as they are located on disk.

floesen avatar May 10 '22 21:05 floesen
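The difference between the two readings above is whether the .rela.dyn entries have been applied to the section bytes. The following added example (not code from this thread or from Miasm) parses Elf64_Rela entries in the layout the readelf listing shows and applies R_X86_64_64 (S + A) and R_X86_64_GLOB_DAT (S) to a constructed all-zero .data image. The section base, the image contents and the symbol addresses in SYMVALS are constructed assumptions; the addresses and addends of the four entries are copied from the readelf output, and the address for symbol 2 was chosen so that S + A reproduces the 0x398994d6 quoted in the issue. Entries whose target falls outside the section (the two .got entries) are skipped rather than treated as an error, and an unknown relocation type is rejected.

```python
import struct

# Elf64_Rela layout (little-endian): r_offset u64, r_info u64, r_addend s64.
# r_info packs the symbol index in the high 32 bits and the relocation type in the low 32.
ELF64_RELA = struct.Struct("<QQq")
R_X86_64_64 = 1        # word64 = S + A
R_X86_64_GLOB_DAT = 6  # word64 = S

# --- Constructed sample data (not taken from the attached binary) ---
DATA_BASE = 0x60e000       # hypothetical virtual address of the .data section
DATA_RAW = bytes(0x100)    # on-disk bytes: all zero, as getbytes() returns them


def _rela(offset, sym, rtype, addend):
    """Pack one Elf64_Rela entry."""
    return ELF64_RELA.pack(offset, (sym << 32) | rtype, addend)


# Same four entries as the readelf listing; offsets, symbol indices and addends copied from it.
RELA_BLOB = b"".join([
    _rela(0x60dff0, 3, R_X86_64_GLOB_DAT, 0),      # __libc_start_main: target in .got, not .data
    _rela(0x60dff8, 4, R_X86_64_GLOB_DAT, 0),      # __gmon_start__: also outside .data
    _rela(0x60e058, 2, R_X86_64_64, 0x3928b266),   # printf + addend
    _rela(0x60e080, 1, R_X86_64_64, 0x20e3e38c),   # strlen + addend
])

# Constructed symbol addresses (S). A real dynamic loader gets these from libc at run time;
# a static tool must pick placeholders for imports, which is why tools disagree on the result.
SYMVALS = {1: 0x60e280, 2: 0x60e270, 3: 0, 4: 0}


def parse_rela(blob):
    """Split a raw .rela.dyn blob into entry dicts; rejects a blob that is not whole entries."""
    if len(blob) % ELF64_RELA.size:
        raise ValueError("truncated .rela.dyn section")
    entries = []
    for off in range(0, len(blob), ELF64_RELA.size):
        r_offset, r_info, r_addend = ELF64_RELA.unpack_from(blob, off)
        entries.append({"offset": r_offset, "sym": r_info >> 32,
                        "type": r_info & 0xffffffff, "addend": r_addend})
    return entries


def apply_relocs(image, base, entries, symvals):
    """Return (patched copy of image, number applied).

    Entries whose 8-byte target does not lie entirely inside [base, base + len(image))
    belong to another section and are skipped; an unsupported type raises.
    """
    out = bytearray(image)
    applied = 0
    for e in entries:
        if not (base <= e["offset"] and e["offset"] + 8 <= base + len(out)):
            continue
        if e["type"] == R_X86_64_64:
            value = symvals[e["sym"]] + e["addend"]
        elif e["type"] == R_X86_64_GLOB_DAT:
            value = symvals[e["sym"]]
        else:
            raise ValueError("unsupported relocation type %d" % e["type"])
        struct.pack_into("<Q", out, e["offset"] - base, value & 0xffffffffffffffff)
        applied += 1
    return bytes(out), applied


def read_qword(image, base, addr):
    """Little-endian u64 at virtual address addr (what getbytes() + int.from_bytes does)."""
    off = addr - base
    if not (0 <= off and off + 8 <= len(image)):
        raise ValueError("address outside section")
    return int.from_bytes(image[off:off + 8], "little")


if __name__ == "__main__":
    entries = parse_rela(RELA_BLOB)
    patched, n = apply_relocs(DATA_RAW, DATA_BASE, entries, SYMVALS)
    print("on disk:                0x%x" % read_qword(DATA_RAW, DATA_BASE, 0x60e058))
    print("after %d relocations:    0x%x" % (n, read_qword(patched, DATA_BASE, 0x60e058)))
```

Reading the raw image gives 0x0 for 0x60e058, which is exactly what the issue's script sees; only after the R_X86_64_64 entry is applied does the qword hold S + A. Any analysis that compares values across tools has to state which of the two views it is using.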