Hack another ELF on the stack

[dropbear] recently found himself in a tight spot. He needed to dump some data from an Android app at a particular point, for reverse-engineering purposes. It worked great in the emulator, but on real hardware, going through lldb, it was painfully slow. The solution was to write a patch and apply it directly to the ELF file.

Writing AArch64 assembly to dump a buffer is relatively trivial, but adding it to the existing ELF and repackaging it into a new APK produced a bizarre error: the relative offsets into .rodata were now all wrong. For those who don't regularly deal with the ELF file format, we have a great resource that takes you into the depths of it. The short version is that sections hold different kinds of resources, and you find pieces of those resources by relative offsets. The program headers describe what kind of resource each part of the file contains and how it should be mapped.

[dropbear] found a NOTE section that contained only some metadata. He created a new section at the end of the file for his custom assembly and modified the program header to declare the NOTE segment a LOAD segment pointing at his new section, so that it gets mapped into memory. All that was left was to tweak the original code to jump to the new code that does the dumping. The BSS section was also extended by a few bytes so his code could keep its state there.

This is an impressive strategy, and his program for rewriting program headers is on his website under a BSD-3 license.
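As an added example (not from the article or [dropbear]'s tool), here is a small Python check that parses ELF64 program headers and flags an executable LOAD segment whose file bytes sit at or beyond the section header table, which is the trace a post-link patch of this kind leaves in a binary. The function names and the constructed test image are assumptions of this example, not anything from the page.

```python
import struct

PT_LOAD, PT_NOTE, PF_X = 1, 4, 1
EHDR = "<16sHHIQQQIHHHHHH"  # ELF64 header, little-endian, 64 bytes
PHDR = "<IIQQQQQQ"          # ELF64 program header entry, 56 bytes


def parse_phdrs(data):
    """Return (e_shoff, [program header dicts]) from a little-endian ELF64 image."""
    if data[:5] != b"\x7fELF\x02":
        raise ValueError("not an ELF64 image")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_phoff, e_shoff, e_phentsize, e_phnum = hdr[5], hdr[6], hdr[9], hdr[10]
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, p_off, p_vaddr, _, p_filesz, p_memsz, _ = struct.unpack_from(
            PHDR, data, e_phoff + i * e_phentsize)
        phdrs.append(dict(type=p_type, flags=p_flags, offset=p_off,
                          vaddr=p_vaddr, filesz=p_filesz, memsz=p_memsz))
    return e_shoff, phdrs


def find_appended_code(data):
    """Heuristic: a linker puts the section header table last, so an executable
    PT_LOAD whose file offset is at or past e_shoff maps code that was appended
    after linking, e.g. by a NOTE-to-LOAD program header rewrite."""
    e_shoff, phdrs = parse_phdrs(data)
    return [p for p in phdrs
            if p["type"] == PT_LOAD and p["flags"] & PF_X and p["offset"] >= e_shoff]


def build_elf(phdrs, e_shoff, size):
    """Constructed test image (not a real binary): ELF64 header for AArch64,
    the given program headers, zero padding up to `size`, no section table."""
    body = b"".join(struct.pack(PHDR, p["type"], p["flags"], p["offset"], p["vaddr"],
                                p["vaddr"], p["filesz"], p["memsz"], 0x1000) for p in phdrs)
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    ehdr = struct.pack(EHDR, ident, 2, 0xB7, 1, 0x400000, 64, e_shoff, 0,
                       64, 56, len(phdrs), 64, 0, 0)
    return (ehdr + body).ljust(size, b"\x00")
```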
