
Crash when using statically linked DynamoRIO client


guoquan yang

Dec 20, 2024, 10:54:30 AM12/20/24
to DynamoRIO Users
Good evening,
I need to use a statically linked client, built with configure_DynamoRIO_static,
but I get the following crash (license_crack_interceptor is the client):

rk3399_all:/data/bar300 # license_crack_android/build/license_crack_interceptor
icense_crack_android/build/license_crack_interceptor                          <
Client initializing...
Client process pid: 18051
<Application /data/bar300/license_crack_android/build/license_crack_interceptor (18051).  Internal Error: DynamoRIO debug check failure: /home/yangguoquan/work/bar300/dynamorio/core/lib/instrument.c:600 client_start <= (app_pc)uses_dr_version && (app_pc)uses_dr_version < client_end
(Error occurred @0 frags in tid 18051)

version 11.0.0, custom build
-stack_size 56K -signal_stack_size 32K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
/data/bar300/license_crack_android/build/license_crack_interceptor=0xacd8b688>

1. I then analysed the source code and found the failure point in the file dynamorio/core/lib/instrument.c, in this function:
/* Excerpt of add_client_lib (the "......" lines are the poster's elisions).
 * The visible part claims the next client_libs[] slot, stores the client's id
 * and library handle, determines the client's [start, end) address range, and
 * records and logs that range.
 */
static void
add_client_lib(const char *path, const char *id_str, const char *options)
{
......
            size_t idx = num_client_libs++;
            client_libs[idx].id = id;
            client_libs[idx].lib = client_lib;
            app_pc client_start, client_end;
#if defined(STATIC_LIBRARY) && defined(LINUX)
            // For DR under static+linux we know that the client and DR core
            // code are built into the app itself. To avoid various edge cases
            // in finding the "library" bounds, delegate this boundary discovery
            // to the dll bounds functions. xref i#3387.
            client_start = get_dynamorio_dll_start();
            client_end = get_dynamorio_dll_end();
            ASSERT(client_start <= (app_pc)uses_dr_version &&
                   (app_pc)uses_dr_version < client_end);
            // Poster's note: this is the debug check reported in the crash
            // output above (instrument.c:600): uses_dr_version is not inside
            // [client_start, client_end) because client_start is wrong.
            // NOTE(review): this is a debug ASSERT; if checks are disabled the
            // bounds below would presumably be stored without any validation
            // -- confirm how client_libs[].start/.end are consumed.
#else
            // Non-static (or non-Linux) path: look the bounds up from the
            // loaded client library, using uses_dr_version as an address
            // passed to shared_library_bounds.
            DEBUG_DECLARE(bool ok =)
            shared_library_bounds(client_lib, (byte *)uses_dr_version, NULL,
                                  &client_start, &client_end);
            ASSERT(ok);
#endif
            client_libs[idx].start = client_start;
            client_libs[idx].end = client_end;

            LOG(GLOBAL, LOG_INTERP, 1, "loaded %s at " PFX "-" PFX "\n", path,
                client_libs[idx].start, client_libs[idx].end);
......
}

2. The problem is in the following two functions; both call get_dynamo_library_bounds, which returns the wrong bounds:
            client_start = get_dynamorio_dll_start();
            client_end = get_dynamorio_dll_end();

3、static void get_dynamo_library_bounds(void)
{
......
#ifdef STATIC_LIBRARY
#    ifdef LINUX
    /* For static+linux, we might have linker vars to help us and we definitely
     * know our "library name" since we are in the app. When we have both we
     * don't need to do a memquery.
     */
    if (&dynamorio_so_start != &weak_dynamorio_so_bounds_filler &&
        &dynamorio_so_end != &weak_dynamorio_so_bounds_filler) {

        do_memquery = false;
        dynamo_dll_start = (app_pc)&dynamorio_so_start;   //it looks right, but the compiled resut object code is wrong
        dynamo_dll_end = (app_pc)ALIGN_FORWARD(&dynamorio_so_end, PAGE_SIZE);
        LOG(GLOBAL, LOG_VMAREAS, 2,
            "Using dynamorio_so_start and dynamorio_so_end for library bounds"
            "\n");
        const char *dr_path = get_application_name();
        strncpy(dynamorio_library_filepath, dr_path,
                BUFFER_SIZE_ELEMENTS(dynamorio_library_filepath));
        NULL_TERMINATE_BUFFER(dynamorio_library_filepath);

        const char *slash = strrchr(dr_path, '/');
        ASSERT(slash != NULL);
        /* Include the slash in the library path */
        size_t copy_chars = 1 + slash - dr_path;
        ASSERT(copy_chars < BUFFER_SIZE_ELEMENTS(dynamorio_library_path));
        strncpy(dynamorio_library_path, dr_path, copy_chars);
        dynamorio_library_path[copy_chars] = '\0';
    }
#    endif
    if (do_memquery) {
        /* No linker vars, so we need to find bound using an internal PC */
        check_start = (app_pc)&get_dynamo_library_bounds;
    }
#else /* !STATIC_LIBRARY */
......
}
4. The following is the decompiled code of get_dynamo_library_bounds from my client, license_crack_interceptor:
// Decompiler output for get_dynamo_library_bounds, taken from the poster's
// statically linked client binary.
//
// As listed: when dynamorio_library_filepath is still empty, it sets
// dynamo_dll_start / dynamo_dll_end from linker-symbol addresses, copies the
// application name into dynamorio_library_filepath and its directory prefix
// into dynamorio_library_path, logs the results, and terminates the process
// if either bound is NULL.
//
// The test against &weak_dynamorio_so_bounds_filler that guards this path in
// the source quoted earlier in the post has no counterpart in this listing:
// the assignments below are unconditional once the filepath check passes.
void get_dynamo_library_bounds()
{
  unsigned int v0; // r5
  const char *application_name; // r5
  const char *application_pid; // r0
  app_pc check_end; // [sp+14h] [bp+4h] BYREF
  app_pc check_start; // [sp+18h] [bp+8h] BYREF
  int res; // [sp+1Ch] [bp+Ch]
  size_t copy_chars; // [sp+20h] [bp+10h]
  const unsigned __int8 *slash; // [sp+24h] [bp+14h]
  const unsigned __int8 *dr_path; // [sp+28h] [bp+18h]
  bool do_memquery; // [sp+2Fh] [bp+1Fh]

  // Only runs while the file path buffer is still empty (first byte is 0).
  if ( !dynamorio_library_filepath[0] )
  {
    // do_memquery is cleared here and never set again in this listing.
    do_memquery = 0;
    // Poster's note: expected (app_pc)&dynamorio_so_start here.
    // NOTE(review): the symbol name is the decompiler's label for an address;
    // if dynamorio_so_start and dynamorio_so_end resolve to the same address,
    // only one name would be displayed. Compare both symbols' addresses in
    // the binary's symbol table before concluding this is a miscompile.
    dynamo_dll_start = (app_pc)&dynamorio_so_end;
    // Masking with -os_page_size() rounds v0 down to a multiple of the page
    // size (assuming a power-of-two page size); presumably this pair is the
    // source's ALIGN_FORWARD(&dynamorio_so_end, PAGE_SIZE) -- TODO confirm.
    v0 = (unsigned int)&algn_685686[os_page_size() + 1];
    dynamo_dll_end = (app_pc)(-os_page_size() & v0);
    if ( d_r_stats && d_r_stats->loglevel > 1 && (d_r_stats->logmask & 0x2000) != 0 )
      d_r_print_log(main_logfile, 0x2000u, 2u, "Using dynamorio_so_start and dynamorio_so_end for library bounds\n");
    // Copy at most 0x200 bytes of the application name, then force a
    // terminator into the last slot (index 511).
    dr_path = get_application_name();
    d_r_strncpy(dynamorio_library_filepath, dr_path, 0x200u);
    dynamorio_library_filepath[511] = 0;
    // 47 is '/': find the last path separator.
    slash = d_r_strrchr(dr_path, 47);
    // NOTE(review): both sanity checks below are only evaluated when
    // dynamo_options.checklevel is non-zero. With checklevel 0 nothing in
    // this listing stops a NULL slash or copy_chars >= 0x200 from reaching
    // the pointer arithmetic, the copy and the terminator write -- confirm
    // against the DynamoRIO source.
    if ( dynamo_options.checklevel && !slash )
      d_r_internal_error("/home/yangguoquan/work/bar300/dynamorio/core/unix/os.c", 9548, "slash != NULL");
    // Length of the directory prefix, including the trailing slash.
    copy_chars = slash + 1 - dr_path;
    if ( dynamo_options.checklevel && copy_chars >= 0x200 )
      d_r_internal_error(
        "/home/yangguoquan/work/bar300/dynamorio/core/unix/os.c",
        9551,
        "copy_chars < BUFFER_SIZE_ELEMENTS(dynamorio_library_path)");
    d_r_strncpy(dynamorio_library_path, dr_path, copy_chars);
    dynamorio_library_path[copy_chars] = 0;
    // do_memquery is still 0 at this point, so as listed neither of the two
    // branches below executes and the bounds set above are kept.
    if ( do_memquery )
      check_start = (app_pc)get_dynamo_library_bounds;
    if ( do_memquery )
    {
      res = memquery_library_bounds(
              0,
              &check_start,
              &check_end,
              dynamorio_library_path,
              0x200u,
              dynamorio_libname_buf,
              0x200u);
      if ( dynamo_options.checklevel && res <= 0 )
        d_r_internal_error("/home/yangguoquan/work/bar300/dynamorio/core/unix/os.c", 9581, "res > 0");
      d_r_snprintf(
        dynamorio_library_filepath,
        0x200u,
        "%s%s",
        (const char *)dynamorio_library_path,
        (const char *)dynamorio_libname);
      dynamorio_library_filepath[511] = 0;
      dynamo_dll_start = check_start;
      dynamo_dll_end = check_end;
    }
    // Log the resulting paths and bounds when logging is enabled for mask
    // bit 0x2000.
    if ( d_r_stats && d_r_stats->loglevel && (d_r_stats->logmask & 0x2000) != 0 )
      d_r_print_log(main_logfile, 0x2000u, 1u, "DynamoRIO library path: %s\n", (const char *)dynamorio_library_path);
    if ( d_r_stats && d_r_stats->loglevel && (d_r_stats->logmask & 0x2000) != 0 )
      d_r_print_log(
        main_logfile,
        0x2000u,
        1u,
        "DynamoRIO library file path: %s\n",
        (const char *)dynamorio_library_filepath);
    if ( d_r_stats && d_r_stats->loglevel && (d_r_stats->logmask & 0x2000) != 0 )
      d_r_print_log(main_logfile, 0x2000u, 1u, "DR library bounds: %p to %p\n", dynamo_dll_start, dynamo_dll_end);
    // Fatal path: report and terminate if either bound is NULL. This only
    // catches NULL bounds; non-NULL but wrong bounds (the case reported in
    // this thread) pass through.
    if ( !dynamo_dll_start || !dynamo_dll_end )
    {
      application_name = (const char *)get_application_name();
      application_pid = (const char *)get_application_pid();
      d_r_notify(
        SYSLOG_CRITICAL_0,
        0,
        0,
        2u,
        "SYSLOG_CRITICAL",
        "Application %s (%s). Failed to find DynamoRIO library bounds.",
        application_name,
        application_pid);
      os_terminate_with_code(0, TERMINATE_PROCESS_0, 40);
      if ( dynamo_options.checklevel )
        d_r_internal_error("/home/yangguoquan/work/bar300/dynamorio/core/unix/os.c", 9610, "false");
    }
  }
}

Can anyone help me? Thanks a lot!!!

Abhinav Sharma

Dec 20, 2024, 1:51:00 PM12/20/24
to DynamoRIO Users
Hi,

It is documented at [1] that if static libraries do not define dynamorio_so_start and dynamorio_so_end, they both default to weak_dynamorio_so_bounds_filler. The allegedly incorrectly compiled dynamo_dll_start assignment at [2] may just be a compiler optimization: since the compiler did not find any definition of dynamorio_so_start, it assumed the symbol to be default-initialized, which makes it the same as dynamorio_so_end.

I'm not fully familiar with this but would like to see if the following helps:

To fix this, maybe we need to ensure that dynamorio_so_start and dynamorio_so_end are properly defined. I see they are set by our ldscript[3] in our cmake config. Maybe try setting DynamoRIO_SET_PREFERRED_BASE like suggested at [4] (which would invoke the ldscript)?

Hopefully this helps, but could you also share more of your cmake config that uses configure_DynamoRIO_static? And maybe also whether you're building for 64 or 32 bit (as per [5]  setting DynamoRIO_SET_PREFERRED_BASE shouldn't be needed on 64-bit)?


[1]: https://github.com/DynamoRIO/dynamorio/blob/73b1df12b3484032045e07923668a7c834511469/core/unix/os.c#L9494

Abhinav

guoquan yang

Dec 29, 2024, 8:51:54 AM12/29/24
to DynamoRIO Users
The probable reason is an incompatibility between Android 8 and DynamoRIO; when I changed to Android 7, the problem was resolved!
But I have run into another problem: DynamoRIO crashes when analysing libopencv_core.so, on some special instruction. I then tried to skip OpenCV by using native_exec mode, and that does not work either.
Details as follows:

       1、rk3399_all:/data/bar300 # license_crack_android/build/license_crack_interceptor
       icense_crack_android/build/license_crack_interceptor <
         <log dir=/data/bar300/logs/license_crack_interceptor.15213.00000000>
         <Starting application /data/bar300/license_crack_android/build/license_crack_interceptor (15213)>
         <unable to determine lib path for cross-arch execve>
         <Initial options = -logdir '/data/bar300/logs' -logmask 0xffffffff -loglevel 4 -checklevel 0 -stderr_mask 15 -stack_size 56K -signal_stack_size 32K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -                    no_native_exec_managed_code -no_indcall2direct >
         Client initializing...
         Client initialized successfully
         Module loaded: license_crack_interceptor
         Module loaded: libc++.so
         Module loaded: libpreload.so
         Module loaded: libc.so
         Module loaded: libm.so
         Module loaded: libnetd_client.so
         Module loaded: linker
         Client started successfully
         Symbol in default namespace: 0xf1f61198
         <(1+x) Handling our fault in a TRY at 0xb7243ae2>
         Module loaded: libASRParse.so
         Module loaded: libstdc++.so
         Module loaded: libmedia.so
         Module loaded: libfuzzy_match.so
         Module loaded: welink
         Module loaded: libtup_logone.so
         Module loaded: libtup_socket.so
         Module loaded: libsecurec.so
         Module loaded: libtup_os_adapter.so
         Module loaded: libtup_login.so
         Module loaded: libtup_call_audio.so
         Module loaded: libtup_call_mediaservice.so
         Module loaded: libtup_call_bfcp.so
         Module loaded: libtup_confctrl.so
         Module loaded: libtup_ai_face.so
         Module loaded: libbase.so
         Module loaded: libutils.so
         Module loaded: libbinder.so
         Module loaded: libstagefright.so
         Module loaded: libui.so
         Module loaded: libnativehelper.so
         Module loaded: libnativeloader.so
         Module loaded: libEGL.so
         Module loaded: libgui.so
         Module loaded: libcamera_client.so
         Module loaded: libdrmframework.so
         Module loaded: libicui18n.so
         Module loaded: libicuuc.so
         Module loaded: libpowermanager.so
         Module loaded: libstagefright_foundation.so
         Module loaded: libmediautils.so
         Module loaded: libcrypto.so
         Module loaded: libandroidfw.so
         Module loaded: libopencv_core.so
         <cannot encode ldaex at pc 0xe7b94b82>        -- print by dynamorio
         <Source operand #0 has wrong type/size>        -- print by dynamorio
         <copy_pc is NULL at PC 0xe7b94b82>                -- print by me
         <copy_pc is NULL at PC 0xe7b94b82>                -- print by me
         <Application /data/bar300/license_crack_android/build/license_crack_interceptor (15213). Tool internal crash at PC 0xb7468514. Please report this at your tool's issue tracker. Program aborted.
         Received SIGSEGV at pc 0xb7468514 in thread 15213
         Base: 0xb7689688
         Registers: r0 =0x00000000 r1 =0xe7b94b82 r2 =0x00000004 r3 =0x00000041
         r4 =0xb7633b88 r5 =0x3f26dc2c r6 =0x00000002 r7 =0x3f26d968
         r8 =0xe7c4505c r9 =0xe7c45064 r10=0x3f25d000 r11=0xb70b4711
         r12=0x00000000 r13=0x3f26d968 r14=0xb71e06af r15=0xb7468514
         eflags=0x20050010
         version 11.0.0, custom build
         -logdir '/data/bar300/logs' -logmask 0xffffffff -loglevel 4 -checklevel 0 -stderr_mask 15 -stack_size 56K -signal_stack_size 32K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -          no_native_exec_managed_code -no_indcall2direct
         0xb70b4711 0x78af04b0>
         <Invoking fault handler for application /data/bar300/license_crack_android/build/license_crack_interceptor (15213).>
         255|rk3399_all:/data/bar300 # export DYNAMORIO_OPTIONS="-logdir /data/bar300/logs -stderr_mask 15 -loglevel 4 -logmask 0xffffffff -checklevel 0 -native_exec -native_exec_list           libopencv_calib3d.so;libopencv_core.so;libopencv_features2d.so;libopencv_flann.so;libopencv_highgui.so;libopencv_imgcodecs.so;libopencv_imgproc.so;libopencv_video.so;libopencv_videoio.so"
         pencv_imgproc.so;libopencv_video.so;libopencv_videoio.so" <
         rk3399_all:/data/bar300 #
         There is indeed an ldaex instruction in libopencv_core; the following is the decompiled code:
        do
          v11 = __ldrex(dword_24CFF4);
        while ( __strex(v11 + 1, (unsigned int *)&unk_24D010) );

        How can I resolve this problem?

        2. I then tried another way to skip libopencv_core.so, using native_exec. It also crashes; it seems that native_exec mode does not work properly.
         255|rk3399_all:/data/bar300 # export DYNAMORIO_OPTIONS="-logdir /data/bar300/logs -stderr_mask 15 -loglevel 4 -logmask 0xffffffff  -checklevel 0 -native_exec -native_exec_list libopencv_calib3d.so;libopencv_core.so;libopencv_features2d.so;libopencv_flann.so;libopencv_highgui.so;libopencv_imgcodecs.so;libopencv_imgproc.so;libopencv_video.so;libopencv_videoio.so"
         rk3399_all:/data/bar300 # license_crack_android/build/license_crack_interceptoricense_crack_android/build/license_crack_interceptor                          <
         rk3399_all:/data/bar300 # license_crack_android/build/license_crack_interceptoricense_crack_android/build/license_crack_interceptor                          <
           <log dir=/data/bar300/logs/license_crack_interceptor.20127.00000000>
           <Starting application /data/bar300/license_crack_android/build/license_crack_interceptor (20127)>
           <unable to determine lib path for cross-arch execve>
           <Initial options = -logdir '/data/bar300/logs' -logmask 0xffffffff -loglevel 4 -checklevel 0 -stderr_mask 15 -stack_size 56K -signal_stack_size 32K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec -native_exec_default_list '' -native_exec_list 'libopencv_calib3d.so;libopencv_core.so;libopencv_features2d.so;libopencv_flann.so;libopencv_highgui.so;libopencv_imgcodecs.so;libopencv_imgproc.so;libopencv_video.so;libopencv_videoio.so' -no_native_exec_managed_code -no_indcall2direct >
           Client initializing...
           Client initialized successfully
           Module loaded: license_crack_interceptor
           Module loaded: libc++.so
           Module loaded: libpreload.so
           Module loaded: libc.so
           Module loaded: libm.so
           Module loaded: libnetd_client.so
           Module loaded: linker
           Client started successfully
           Symbol in default namespace: 0xf1676198
           <(1+x) Handling our fault in a TRY at 0xb4188ae2>
           Module loaded: libASRParse.so
           Module loaded: libstdc++.so
           Module loaded: libmedia.so
           Module loaded: libfuzzy_match.so
           Module loaded: welink
           Module loaded: libtup_logone.so
           Module loaded: libtup_socket.so
           Module loaded: libsecurec.so
           Module loaded: libtup_os_adapter.so
           Module loaded: libtup_login.so
           Module loaded: libtup_call_audio.so
           Module loaded: libtup_call_mediaservice.so
           Module loaded: libtup_call_bfcp.so
           Module loaded: libtup_confctrl.so
           Module loaded: libtup_ai_face.so
           Module loaded: libbase.so
           Module loaded: libutils.so
           Module loaded: libbinder.so
           Module loaded: libstagefright.so
           Module loaded: libui.so
           Module loaded: libnativehelper.so
           Module loaded: libnativeloader.so
           Module loaded: libEGL.so
           Module loaded: libgui.so
           Module loaded: libcamera_client.so
           Module loaded: libdrmframework.so
           Module loaded: libicui18n.so
           Module loaded: libicuuc.so
           Module loaded: libpowermanager.so
           Module loaded: libstagefright_foundation.so
           Module loaded: libmediautils.so
           Module loaded: libcrypto.so
           Module loaded: libandroidfw.so
           Module loaded: libopencv_core.so
           <module libopencv_core.so set up for native execution>    
-- print by dynamorio
           <A predicate is required>                                                            
-- print by dynamorio
           <copy_pc is NULL at PC 0x00000000>
                                     -- print by me
           <copy_pc is NULL at PC 0x00000000>                                     
-- print by me
           <Exit stub offset 9c78 exceeds fragment size b4 at 0x454f6388>    
-- print by me  in function : emit_fragment_common
           <Application /data/bar300/license_crack_android/build/license_crack_interceptor (20127).  Tool internal crash at PC 0xb4129876.  Please report this at your tool's issue tracker.  Program aborted.
           Received SIGSEGV at pc 0xb4129876 in thread 20127
           Base: 0xb45ce688
           Registers:  r0 =0x450b4040 r1 =0x00000000 r2 =0x00000fa1 r3 =0x00000000
r4 =0xb4578b88 r5 =0x01000080 r6 =0xf10c7550 r7 =0x450dad80
r8 =0xf17d85dc r9 =0xf17e85f0 r10=0x450ca000 r11=0xb3ff9711
r12=0xb45b2c18 r13=0x450dad58 r14=0xb412afd7 r15=0xb4129876
eflags=0x200b0030
           version 11.0.0, custom build
           -logdir '/data/bar300/logs' -logmask 0xffffffff -loglevel 4 -checklevel 0 -stderr_mask 15 -stack_size 56K -signal_stack_size 32K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec -native_exec_default_list '' -            native_exec_list 'libopencv_calib3d.so;libopencv_core.so;libopencv_features2d.so;libope
           0xb3ff9711 0x78af04b0>
           <Invoking fault handler for application /data/bar300/license_crack_android/build/license_crack_interceptor (20127).>

          crash point function analysis:
           static fragment_t *
emit_fragment_common(dcontext_t *dcontext, app_pc tag, instrlist_t *ilist, uint flags,
                     void *vmlist, bool link_fragment, bool add_to_htable,
                     fragment_t *replace_fragment)
{
......
   /* emit the exit stub code */
    for (l = FRAGMENT_EXIT_STUBS(f); l; l = LINKSTUB_NEXT_EXIT(l)) {
        // add boundary check by me 
        if (l->cti_offset >= f->size) {
            SYSLOG_INTERNAL_ERROR("Exit stub offset %x exceeds fragment size %x at %p",
                                l->cti_offset, f->size, f->start_pc);                                                     
//  <Exit stub offset 9c78 exceeds fragment size b4 at 0x454f6388>
            return NULL;
        }

        if (TEST(FRAG_COARSE_GRAIN, flags) && LINKSTUB_DIRECT(l->flags)) {
            /* Coarse-grain fragments do not have direct exit stubs.
             * Instead they have entrance stubs, created when linking.
             */
            continue;
        }

        if (!EXIT_HAS_STUB(l->flags, flags)) {
            /* there is no stub */
            continue;
        }

        if (final_cbr_single_stub && LINKSTUB_FINAL(l)) {
            no_stub = true;
            if (!TEST(LINK_SEPARATE_STUB, l->flags)) {
                /* still need to patch the cti, so set pc back to prev stub pc */
                pc = prev_stub_pc;
            }
            LOG(THREAD, LOG_EMIT, 3, "final exit sharing prev exit's stub @ " PFX "\n",
                prev_stub_pc);
        }

        if (TEST(LINK_SEPARATE_STUB, l->flags)) {
            if (no_stub) {
                if (LINKSTUB_NORMAL_DIRECT(l->flags)) {
                    direct_linkstub_t *dl = (direct_linkstub_t *)l;
                    dl->stub_pc = prev_stub_pc;
                } else {
                    ASSERT(LINKSTUB_CBR_FALLTHROUGH(l->flags));
                    /* stub pc computation should return prev pc */
                    ASSERT(EXIT_STUB_PC(dcontext, f, l) == prev_stub_pc);
                }
            } else {
                separate_stub_create(dcontext, f, l);
            }
            prev_stub_pc = EXIT_STUB_PC(dcontext, f, l);
            ASSERT(prev_stub_pc != NULL);
            /* pointing at start of stub is the unlink entry */
            ASSERT(linkstub_unlink_entry_offset(dcontext, f, l) == 0);
            patch_branch(FRAG_ISA_MODE(f->flags), EXIT_CTI_PC(f, l),
                         EXIT_STUB_PC(dcontext, f, l), false);                -- crash in 
patch_branch because  EXIT_CTI_PC(f, l)  exceed boundary
            continue;
        }

        ASSERT(EXIT_HAS_LOCAL_STUB(l->flags, flags));

        if (PAD_FRAGMENT_JMPS(flags)) {
            pc = pad_for_exitstub_alignment(dcontext, l, f, pc);
        }

        if (LINKSTUB_NORMAL_DIRECT(l->flags)) {
            direct_linkstub_t *dl = (direct_linkstub_t *)l;
            dl->stub_pc = pc;
        }
        /* relocate the exit branch target so it takes to the unlink
         * entry to the stub
         */
        patch_branch(FRAG_ISA_MODE(f->flags), EXIT_CTI_PC(f, l),
                     pc + linkstub_unlink_entry_offset(dcontext, f, l), false);         
-- crash in  patch_branch because  EXIT_CTI_PC(f, l)  exceed boundary
        LOG(THREAD, LOG_EMIT, 3,
            "Exit cti " PFX " is targeting " PFX " + 0x%x => " PFX "\n",
            EXIT_CTI_PC(f, l), pc, linkstub_unlink_entry_offset(dcontext, f, l),
            pc + linkstub_unlink_entry_offset(dcontext, f, l));

        DODEBUG({
            uint shift = bytes_for_exitstub_alignment(dcontext, l, f, pc);
            if (shift > 0) {
                ASSERT(!PAD_FRAGMENT_JMPS(flags));
                STATS_PAD_JMPS_ADD(flags, unaligned_stubs, 1);
                STATS_PAD_JMPS_ADD(flags, unaligned_stubs_bytes, shift);
            }
        });

        /* insert an exit stub */
        prev_stub_pc = pc;
        if (!no_stub)
            stub_size = insert_exit_stub(dcontext, f, l, pc);
        /* note that we don't do proactive linking here since it may
         * depend on whether this is a trace fragment, which is marked
         * by the caller, who is responsible for calling link_new_fragment
         */

        /* if no_stub we assume stub_size is still what it was for prev stub,
         * and yes we do need to adjust it back to the end of the single stub
         */
        pc += stub_size;
    }
......

Derek Bruening

Jan 2, 2025, 11:03:50 AMJan 2
to DynamoRIO Users

Derek Bruening

Jan 17, 2025, 3:57:51 PMJan 17
to DynamoRIO Users