Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] GUM_INSTRUMENTATION_ERROR_WRONG_SIGNATURE, GUM_ATTACH_WRONG_SIGNATURE #803

Open
brunoaduarte opened this issue May 23, 2024 · 0 comments
Open

[BUG] GUM_INSTRUMENTATION_ERROR_WRONG_SIGNATURE, GUM_ATTACH_WRONG_SIGNATURE #803

brunoaduarte opened this issue May 23, 2024 · 0 comments

Comments

@brunoaduarte
Copy link

brunoaduarte commented May 23, 2024
edited
Loading

Cannot intercept libc.so strncmp
Error: unable to intercept function at 0xe8a287d7; please file a bug

Environment: Android 11 (aarch64)

Process.enumerateModules().find(module => module.name === "libc.so")
{
    "base": "0xe89c2000",
    "name": "libc.so",
    "path": "/apex/com.android.runtime/lib/bionic/libc.so",
    "size": 724992
}

* /apex/com.android.runtime/lib/bionic/libc.so
* GHIDRA DISASSEMBLY (OFFSET + 0x10000)
                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             noreturn int __stdcall strncmp(char * __s1, char * __s2,
                               assume LRset = 0x0
                               assume TMode = 0x1
             int               r0:4           <RETURN>
             char *            r0:4           __s1
             char *            r1:4           __s2
             size_t            r2:4           __n
                             strncmp                                         XREF[3]:     Entry Point(*), 
                                                                                          strncmp:00096760(T), 
                                                                                          strncmp:00096768(c), 0009b250(*)  
        000767d6 4a b1           cbz        __n,LAB_000767ec
                             LAB_000767d8                                    XREF[1]:     000767ea(j)  
        000767d8 11 f8 01 cb     ldrb.w     r12,[__s2],#0x1
        000767dc 03 78           ldrb       r3,[__s1,#0x0]
        000767de 63 45           cmp        r3,r12
        000767e0 06 d1           bne        LAB_000767f0
        000767e2 1b b1           cbz        r3,LAB_000767ec
        000767e4 01 3a           subs       __n,#0x1
        000767e6 00 f1 01 00     add.w      __s1,__s1,#0x1
        000767ea f5 d1           bne        LAB_000767d8
                             LAB_000767ec                                    XREF[2]:     000767d6(j), 000767e2(j)  
        000767ec 00 20           movs       __s1,#0x0
        000767ee 70 47           bx         lr
                             LAB_000767f0                                    XREF[1]:     000767e0(j)  
        000767f0 a3 eb 0c 00     sub.w      __s1,r3,r12
        000767f4 70 47           bx         lr

Seems to have something to do with

frida-gum/gum/backend-arm/guminterceptor-arm.c

Line 190 in 97b65df

_gum_interceptor_backend_create_trampoline (GumInterceptorBackend * self,

Related: frida/frida#771

error intercepting strncmp offset: 0x667d7
Error: unable to intercept function at 0xe8a287d7; please file a bug
    at value (frida/runtime/core.js:408)
    at <anonymous> (./intercept_libc.so.js:65)
    at apply (native)
    at <anonymous> (frida/runtime/core.js:51)

Interceptor.attach(Module.getExportByName('libc.so', "strncmp"), {
	onEnter(args) {
		const str1 = args[0].readCString();
		const str2 = args[1].readCString();
		const num = args[2].toInt32();
		console.log(`strncmp called with str1: ${str1}, str2: ${str2}, num: ${num}`);
	},
	onLeave(retval) {
		console.log(`strncmp returned: ${retval.toInt32()}`);
	}
});

frida-gum/bindings/gumjs/gumquickinterceptor.c

Line 591 in 97b65df

_gum_quick_throw (ctx, "unable to intercept function at %p; "

frida-gum/bindings/gumjs/gumv8interceptor.cpp

Line 658 in 97b65df

_gum_v8_throw_ascii (isolate, "unable to intercept function at %p; "

frida-gum/gum/guminterceptor.c

Line 439 in 97b65df

function_ctx = gum_interceptor_instrument (self, GUM_INTERCEPTOR_TYPE_DEFAULT,

frida-gum/gum/guminterceptor.c

Line 888 in 97b65df

gum_interceptor_instrument (GumInterceptor * self,

frida-gum/gum/guminterceptor.c

Line 925 in 97b65df

if (!_gum_interceptor_backend_create_trampoline (self->backend, ctx))

frida-gum/gum/backend-arm/guminterceptor-arm.c

Line 190 in 97b65df

_gum_interceptor_backend_create_trampoline (GumInterceptorBackend * self,

IMPORTANT: THE ISSUE DOES NOT OCCUR WITH ANDROID 6.0 libc.so

Android 6.0 (armv7l)
Process.enumerateModules().find(module => module.name === "libc.so")
{
    "base": "0xb6c32000",
    "name": "libc.so",
    "path": "/system/lib/libc.so",
    "size": 532480
}

* /system/lib/libc.so
* GHIDRA DISASSEMBLY (OFFSET + 0x10000)
                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             int __stdcall strncmp(char * __s1, char * __s2, size_t _
                               assume LRset = 0x0
                               assume TMode = 0x1
             int               r0:4           <RETURN>
             char *            r0:4           __s1
             char *            r1:4           __s2
             size_t            r2:4           __n
                             strncmp                                         XREF[3]:     Entry Point(*), 
                                                                                          strncmp:000248dc(T), 
                                                                                          strncmp:000248e4(c), 00084ab0(*)  
        00044272 30 b5           push       {r4,r5,lr}
        00044274 72 b1           cbz        __n,LAB_00044294
        00044276 44 1e           subs       r4,__s1,#0x1
        00044278 0d 46           mov        r5,__s2
                             LAB_0004427a                                    XREF[1]:     00044290(j)  
        0004427a 14 f8 01 3f     ldrb.w     r3,[r4,#0x1]!
        0004427e 15 f8 01 0b     ldrb.w     __s1,[r5],#0x1
        00044282 83 42           cmp        r3,__s1
        00044284 01 d0           beq        LAB_0004428a
        00044286 18 1a           subs       __s1,r3,__s1
        00044288 30 bd           pop        {r4,r5,pc}
                             LAB_0004428a                                    XREF[1]:     00044284(j)  
        0004428a 2b b1           cbz        r3,LAB_00044298
        0004428c 53 1b           subs       r3,__n,r5
        0004428e cb 18           adds       r3,__s2,r3
        00044290 f3 d1           bne        LAB_0004427a
        00044292 01 e0           b          LAB_00044298
                             LAB_00044294                                    XREF[1]:     00044274(j)  
        00044294 10 46           mov        __s1,__n
        00044296 30 bd           pop        {r4,r5,pc}
                             LAB_00044298                                    XREF[2]:     0004428a(j), 00044292(j)  
        00044298 18 46           mov        __s1,r3
        0004429a 30 bd           pop        {r4,r5,pc}

@oleavr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@brunoaduarte