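# Termux package definition for MAMBO; sourced by the termux-packages build system,
# which reads the TERMUX_PKG_* variables below.
TERMUX_PKG_HOMEPAGE=https://github.com/beehive-lab/mambo
TERMUX_PKG_DESCRIPTION="Dynamic Binary Modification Tool for ARM"
# Keep debug symbols; pairs with the -DDEBUG passed to make below.
TERMUX_DEBUG=1
TERMUX_PKG_VERSION=1
# The tarball is fetched from a third-party file host, not from the project homepage
# above; the pinned SHA-256 is the only thing tying this build to a specific source
# snapshot, so re-verify it against a tarball produced from the upstream repository
# before relying on it.
TERMUX_PKG_SHA256=09be8d78341b1eb3ac62580db8d25c8c41010a7b8cbc2588e876b76f3cfec57c
TERMUX_PKG_SRCURL=https://my.mixtape.moe/vvkkoy.tar.gz
TERMUX_PKG_DEPENDS="ndk-sysroot, libandroid-support, libelf, ruby"
TERMUX_PKG_BUILD_IN_SRC="yes"
# Passed to make on its command line. The include directory comes from the build
# environment's prefix instead of being hard-coded; -fno-integrated-as selects the
# GNU assembler (presumably because the .S sources use GAS-specific directives —
# confirm); -DDEBUG matches TERMUX_DEBUG above.
TERMUX_PKG_EXTRA_MAKE_ARGS="CFLAGS=-I$TERMUX_PREFIX/include CFLAGS+=-mthumb CFLAGS+=-fno-integrated-as CFLAGS+=-DDEBUG"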
--- a/util.S 2018-12-26 20:24:37.000000000 +0000
+++ b/util.S 2018-12-26 20:49:37.409470288 +0000
@@ -25,7 +25,6 @@
#endif
.global dbm_client_entry
-.func dbm_client_entry
.type dbm_client_entry, %function
#ifdef __arm__
@@ -47,11 +46,9 @@
STP XZR, XZR, [SP, #-16]!
BR X0
#endif
-.endfunc
# R0 - new SP
.global th_enter
-.func th_enter
.type th_enter, %function
#ifdef __arm__
@@ -84,10 +81,8 @@
BR X1
#endif
-.endfunc
.global new_thread_trampoline
-.func
.type new_thread_trampoline, %function
new_thread_trampoline:
#ifdef __arm__
@@ -103,10 +98,8 @@
MOV X1, SP
#endif
B dbm_start_thread_pth
-.endfunc
.global return_with_sp
-.func
.type return_with_sp, %function
return_with_sp:
#ifdef __arm__
@@ -122,10 +115,8 @@
LDP X19, X20, [SP], #96
RET
#endif
-.endfunc
.global raw_syscall
-.func raw_syscall
.type raw_syscall, %function
raw_syscall:
@@ -153,10 +144,8 @@
SVC 0
RET
#endif
-.endfunc
.global signal_trampoline
-.func signal_trampoline
.type signal_trampoline, %function
signal_trampoline:
@@ -207,10 +196,8 @@
MOV X8, #139
SVC 0
#endif
-.endfunc
.global atomic_increment_u64
-.func atomic_increment_u64
.type atomic_increment_u64, %function
atomic_increment_u64:
@@ -240,10 +227,8 @@
RET
#endif
-.endfunc
.global atomic_increment_u32
-.func atomic_increment_u32
.type atomic_increment_u32, %function
atomic_increment_u32:
@@ -265,10 +250,8 @@
RET
#endif
-.endfunc
.global atomic_decrement_if_positive_i32
-.func atomic_decrement_if_positive_i32
.type atomic_decrement_if_positive_i32, %function
atomic_decrement_if_positive_i32:
@@ -302,11 +285,9 @@
RET
#endif
-.endfunc
.global safe_fcall_trampoline
-.func safe_fcall_trampoline
.type safe_fcall_trampoline, %function
safe_fcall_trampoline:
@@ -368,5 +349,3 @@
RET
#endif
-
-.endfunc
--- a/dispatcher.S 2018-12-26 21:36:14.379769831 -0500
+++ b/dispatcher.S 2018-12-26 21:38:09.795722694 -0500
@@ -25,15 +25,12 @@
.syntax unified
.global th_to_arm
-.func th_to_arm
.thumb_func
th_to_arm:
bx pc
-.endfunc
#endif // __arm__
.global dispatcher_trampoline
-.func dispatcher_trampoline
#ifdef __arm__
.code 32
@@ -170,8 +167,10 @@
MRS X21, FPSR
ADD X2, SP, #176
- LDR X3, disp_thread_data
- LDR X9, dispatcher_addr
+ ADRP X3, :got:disp_thread_data
+ LDR X3, [X3, :got_lo12:disp_thread_data]
+ ADRP X9, :got:dispatcher_addr
+ LDR X9, [X9, :got_lo12:dispatcher_addr]
BL push_neon
BLR X9
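Review bot: The replaced literal loads fetched the contents of `disp_thread_data` and `dispatcher_addr`, but `ADRP`/`LDR :got_lo12:` yields the address of the symbol, so after this hunk X3 holds `&disp_thread_data` rather than the thread-data pointer and X9 holds the address of the `.quad dispatcher` word that now lives in `.data`, which `BLR X9` then branches into. Each needs one more dereference, `LDR X3, [X3]` after the disp_thread_data load and `LDR X9, [X9]` before `BL push_neon`, or the branch can go through `:got:dispatcher` directly and drop the `dispatcher_addr` word, as this commit already does for `create_trace` and `deliver_signals`. The same one-level-short load appears for `disp_thread_data` in the hunk ending at `BLR X3` (`@@ -278,8 +275,10 @@`) and for `disp_thread_data`, `syscall_handler_pre_addr` and `syscall_handler_post_addr` in the two `syscall_wrapper` hunks, where `BLR X4` would likewise land on a data word. The enclosing `dispatcher_trampoline` body starts and ends outside this hunk.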
@@ -188,12 +187,10 @@
B checked_cc_return
-dispatcher_addr: .quad dispatcher
+.global dispatcher_addr
#endif
-.endfunc
.global trace_head_incr
-.func trace_head_incr
#ifdef __arm__
.code 32
SUB PC, PC, #3
@@ -278,8 +275,10 @@
*/
ADD X2, SP, #160
MOV X1, X0
- LDR X0, disp_thread_data
- LDR X3, =create_trace
+ ADRP X0, :got:disp_thread_data
+ LDR X0, [X0, :got_lo12:disp_thread_data]
+ ADRP X3, :got:create_trace
+ LDR X3, [X3, :got_lo12:create_trace]
BL push_neon
BLR X3
@@ -301,11 +300,9 @@
B checked_cc_return
#endif // __aarch64__
-.endfunc
.global syscall_wrapper
.global syscall_wrapper_svc
-.func syscall_wrapper
#ifdef __arm__
.code 32
syscall_wrapper:
@@ -377,8 +374,10 @@
MOV X0, X8
ADD X1, SP, #512
MOV X2, X29
- LDR X3, disp_thread_data
- LDR X4, syscall_handler_pre_addr
+ ADRP X3, :got:disp_thread_data
+ LDR X3, [X3, :got_lo12:disp_thread_data]
+ ADRP X4, :got:syscall_handler_pre_addr
+ LDR X4, [X4, :got_lo12:syscall_handler_pre_addr]
BLR X4
@@ -402,8 +401,10 @@
STR X0, [X1, #0]
MOV X0, X8
MOV X2, X29
- LDR X3, disp_thread_data
- LDR X4, syscall_handler_post_addr
+ ADRP X3, :got:disp_thread_data
+ LDR X3, [X3, :got_lo12:disp_thread_data]
+ ADRP X4, :got:syscall_handler_post_addr
+ LDR X4, [X4, :got_lo12:syscall_handler_post_addr]
BLR X4
s_w_r:
@@ -421,24 +422,14 @@
B checked_cc_return
-syscall_handler_pre_addr: .quad syscall_handler_pre
-syscall_handler_post_addr: .quad syscall_handler_post
+.global syscall_handler_pre_addr
+.global syscall_handler_post_addr
#endif // __aarch64__
-.endfunc
.global disp_thread_data
-disp_thread_data:
-#ifdef __arm__
- .word 0
-#endif
-#ifdef __aarch64__
- .quad 0
-#endif
-
.global send_self_signal
.global checked_cc_return
-.func checked_cc_return
checked_cc_return:
#ifdef __arm__
.code 32
@@ -531,7 +522,8 @@
CMP X0, X2
BEQ .
- LDR X3, =deliver_signals
+ ADRP X3, :got:deliver_signals
+ LDR X3, [X3, :got_lo12:deliver_signals]
BLR X3
MSR NZCV, X19
@@ -568,14 +560,8 @@
LDR X0, [SP], #32
BR X0
#endif
-.endfunc
.global th_is_pending_ptr
-#ifdef __arm__
-th_is_pending_ptr: .word 0
-#elif __aarch64__
-th_is_pending_ptr: .quad 0
-#endif
# place the literal pool before the end_of_dispatcher_s symbol
.ltorg
@@ -583,3 +569,13 @@
.global end_of_dispatcher_s
end_of_dispatcher_s:
+#ifdef __arm__
+th_is_pending_ptr: .word 0
+#elif __aarch64__
+.data
+dispatcher_addr: .quad dispatcher
+disp_thread_data: .quad 0
+syscall_handler_pre_addr: .quad syscall_handler_pre
+syscall_handler_post_addr: .quad syscall_handler_post
+th_is_pending_ptr: .quad 0
+#endif
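Review bot: `dispatcher_addr`, `syscall_handler_pre_addr` and `syscall_handler_post_addr` are the words the dispatcher loads and hands to `BLR`, and this hunk places them in writable `.data`, so the DBM's own control-flow targets now sit in a page that any stray write in the process can alter; since they only need fixing up at load time, `.section .data.rel.ro` (read-only after relocation under RELRO) is the better home, with only the runtime-written `disp_thread_data` and `th_is_pending_ptr` left in `.data`. The hunk also switches to `.data` without switching back, which is harmless only if nothing follows in the file, something this hunk cannot show. A comment on why the `__arm__` `th_is_pending_ptr` stays in the current section after `end_of_dispatcher_s` while the aarch64 words move would help the next reader, as the `.ltorg` comment above suggests that boundary matters.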
--- a/dbm.c 2018-12-26 20:24:37.000000000 +0000
+++ b/dbm.c 2018-12-26 21:11:29.185405889 +0000
@@ -526,7 +526,6 @@
global_data.threads = thread_data;
}
-
void reset_process(dbm_thread *thread_data) {
thread_data->tid = syscall(__NR_gettid);
@@ -536,6 +535,7 @@
current_thread = thread_data;
free_all_other_threads(thread_data);
+
/*
MASSIVE HACK
@@ -544,8 +544,8 @@
printf, which might have been locked by a different thread in the parent
process. Here we open new, unlocked, stdout and stderr streams.
*/
- stdout = fdopen(1, "a");
- stderr = fdopen(2, "a");
+ freopen("/dev/stdout", "a", stdout);
+ freopen("/dev/stderr", "a", stderr);
mambo_deliver_callbacks(PRE_THREAD_C, thread_data);
}
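Review bot: `freopen` acts on the existing `stdout`/`stderr` FILE objects, which, as the HACK comment above says, may still hold a lock taken by a thread that no longer exists in this process; glibc's `freopen` takes the stream lock before reopening, so this version may block where the previous `fdopen` replacement, which created fresh FILEs, could not. Both return values are also discarded, so a failed reopen leaves the stream closed and later diagnostics silently lost. If the change is motivated by `stdout` not being assignable on the target libc, a one-line comment saying so would help, and checking the result, e.g. `if (freopen("/dev/stdout", "a", stdout) == NULL) perror("freopen stdout");`, keeps the failure visible. `reset_process` starts outside this hunk.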
@@ -677,4 +677,3 @@
#define ARGDIFF 2
elf_run(block_address, argv[1], argc-ARGDIFF, &argv[ARGDIFF], envp, &auxv);
}
-
--- a/makefile 2018-12-26 15:24:37.869210864 -0500
+++ b/makefile 2018-12-26 17:31:12.156138118 -0500
@@ -17,13 +17,13 @@
OPTS+=-DDBM_TRACES #-DTB_AS_TRACE_HEAD #-DBLXI_AS_TRACE_HEAD
#OPTS+=-DCC_HUGETLB -DMETADATA_HUGETLB
-CFLAGS=-D_GNU_SOURCE -g -std=gnu99 -O2
+CFLAGS := $(CFLAGS) -D_GNU_SOURCE -g3 -std=gnu99 -O2 -fPIC -pie
#CFLAGS+=-mcpu=native
-LDFLAGS=-static -ldl -Wl,-Ttext-segment=0xa8000000
-LIBS=-lelf -lpthread
+LDFLAGS := $(LDFLAGS) -ldl -fPIC -pie
+LIBS := $(LIBS) -lelf
HEADERS=*.h makefile
-INCLUDES=-I/usr/include/libelf
+INCLUDES := $(INCLUDES)
SOURCES= dispatcher.S common.c dbm.c traces.c syscalls.c dispatcher.c signals.c util.S
SOURCES+=api/helpers.c api/plugin_support.c api/branch_decoder_support.c api/load_store.c
SOURCES+=elf_loader/elf_loader.o
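Review bot: `-lpthread` is dropped from `LIBS` and `-ldl` moves into `LDFLAGS`, ahead of the objects on the link line; where the linker defaults to `--as-needed` a library listed before the objects is discarded, and glibc targets older than 2.34 still need `-lpthread`, so the non-Android build this makefile also serves is likely to stop linking — `LIBS := $(LIBS) -lelf -lpthread -ldl` keeps both in the right place. Removing `-static` and `-Wl,-Ttext-segment=0xa8000000` also changes where the DBM is mapped: as a PIE it is randomized, and if the fixed text address existed to keep the DBM clear of the guest's load range (see `elf_run` in dbm.c), a comment on why that is no longer needed would help. Since the dispatcher now keeps its branch-target words in `.data`, adding `-Wl,-z,relro,-z,now` to `LDFLAGS` is worth considering alongside `-pie`.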
@@ -48,7 +48,7 @@
CFLAGS += -DPLUGINS_NEW
endif
-.PHONY: pie clean cleanall
+.PHONY: pie clean cleanall install
all:
$(info MAMBO: detected architecture "$(ARCH)")
@@ -74,3 +74,9 @@
api/emit_%.h: pie/pie-%-encoder.c api/generate_emit_wrapper.rb
ruby api/generate_emit_wrapper.rb $< header > $@
+
+PREFIX ?= /usr/local
+
+install: all
+ mkdir -p $(PREFIX)$(DESTDIR)/bin
+ cp dbm $(PREFIX)$(DESTDIR)/bin/dbm
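Review bot: `$(PREFIX)$(DESTDIR)` is in the wrong order; the convention, and what packaging systems set `DESTDIR` for, is `$(DESTDIR)$(PREFIX)/bin`, so a staged install with `DESTDIR=/tmp/stage` currently writes under `/usr/local/tmp/stage/bin`. The two lines should read `mkdir -p $(DESTDIR)$(PREFIX)/bin` and `install -m 755 dbm $(DESTDIR)$(PREFIX)/bin/dbm`, which also sets the mode explicitly rather than inheriting whatever `cp` carries over.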
--- a/syscalls.c 2018-12-26 20:24:37.000000000 +0000
+++ b/syscalls.c 2018-12-26 21:24:04.063871281 +0000
@@ -110,7 +110,7 @@
pthread_attr_t attr;
pthread_attr_init(&attr);
pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
- pthread_attr_setinheritsched(&attr, PTHREAD_INHERIT_SCHED);
+ // pthread_attr_setinheritsched(&attr, PTHREAD_INHERIT_SCHED);
/* We're switching to the stack allocated by the application immediately, so make this
as small as possible. Our glibc stores data here, so we can't unmap it.
Also see man pthread_attr_setguardsize BUGS. */
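Review bot: Commenting out `pthread_attr_setinheritsched` leaves dead code with no explanation and silently changes the attribute for every target, not only the one that motivated the change. If the reason is that the function is unavailable on the target libc (older bionic, presumably — confirm), guard it instead: `#ifndef __BIONIC__` / `pthread_attr_setinheritsched(&attr, PTHREAD_INHERIT_SCHED);` / `#endif`, with a one-line comment naming the missing API. The enclosing function starts outside this hunk.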
--- a/syscalls.c 2018-12-26 15:24:37.869210864 -0500
+++ b/syscalls.c 2018-12-26 18:51:11.456025807 -0500
@@ -28,9 +28,9 @@
#include <limits.h>
#include <string.h>
#include <errno.h>
+#include <signal.h>
#include "dbm.h"
-#include "kernel_sigaction.h"
#include "scanner_common.h"
#include "syscalls.h"
@@ -251,12 +251,12 @@
uintptr_t handler = 0xdead;
assert(args[3] == 8 && args[0] >= 0 && args[0] < _NSIG);
- struct kernel_sigaction *act = (struct kernel_sigaction *)args[1];
+ struct sigaction *act = (struct sigaction *)args[1];
if (act != NULL) {
- handler = (uintptr_t)act->k_sa_handler;
+ handler = (uintptr_t)act->sa_handler;
// Never remove the UNLINK_SIGNAL handler, which is used internally by MAMBO
- if (args[0] == UNLINK_SIGNAL || (act->k_sa_handler != SIG_IGN && act->k_sa_handler != SIG_DFL)) {
- act->k_sa_handler = (__sighandler_t)signal_trampoline;
+ if (args[0] == UNLINK_SIGNAL || (act->sa_handler != SIG_IGN && act->sa_handler != SIG_DFL)) {
+ act->sa_handler = signal_trampoline;
act->sa_flags |= SA_SIGINFO;
}
}
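Review bot: `args[1]` is the `act` pointer the guest passed to the raw `rt_sigaction` syscall, so the memory has the kernel's layout (handler, flags, restorer, 8-byte mask, as the `args[3] == 8` assert above reflects); libc's `struct sigaction` is not guaranteed to share that layout — glibc places a 128-byte `sa_mask` before `sa_flags`, and bionic converts between its own struct and the kernel's inside its `sigaction()` wrapper — so `act->sa_handler = signal_trampoline` and `act->sa_flags |= SA_SIGINFO` can land on the wrong words, leaving the guest's handler installed uninstrumented, and the `oldact` block in the next hunk misreads in the same way. Keep `struct kernel_sigaction` (or a small local struct mirroring the kernel ABI) for this cast, and use libc's `struct sigaction` only where a libc call is made; if `kernel_sigaction.h` was removed because the target has no such header, the struct is small enough to define in this file. The enclosing function starts and ends outside this hunk.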
@@ -267,9 +267,9 @@
uintptr_t syscall_ret = raw_syscall(syscall_no, args[0], args[1], args[2], args[3]);
if (syscall_ret == 0) {
- struct kernel_sigaction *oldact = (struct kernel_sigaction *)args[2];
- if (oldact != NULL && oldact->k_sa_handler != SIG_IGN && oldact->k_sa_handler != SIG_DFL) {
- oldact->k_sa_handler = (void *)global_data.signal_handlers[args[0]];
+ struct sigaction *oldact = (struct sigaction *)args[2];
+ if (oldact != NULL && oldact->sa_handler != SIG_IGN && oldact->sa_handler != SIG_DFL) {
+ oldact->sa_handler = global_data.signal_handlers[args[0]];
}
if (act != NULL) {