
Crash when searching outside the library range with KittyScanner

Open knms360 opened this issue 1 year ago • 15 comments

In the sample, the search range is specified using ELF.baseSegment().startAddress and ELF.baseSegment().endAddress. However, if I use an arbitrary search range, it crashes. It is most likely that the program is crashing because it is reading an unreadable range. There are no errors when compiling. I can get the error with Logcat:

Error: Fatal signal 11 (SIGSEGV), code 2, fault addr 0xf15b6000 in tid 3825 (android.support)

knms360 avatar Apr 14 '24 17:04 knms360

My code:

KittyScanner::ElfScanner g_il2cppELF;
g_il2cppELF = KittyScanner::ElfScanner::createWithPath("libMyLibName.so");
uintptr_t search_start = g_il2cppELF.baseSegment().startAddress;
uintptr_t search_end = g_il2cppELF.baseSegment().endAddress + 0xFFFF;
std::vector<uintptr_t> found_at_list;
found_at_list = KittyScanner::findHexAll(search_start, search_end, "01 01 01 00 01 00 00 00 01 00 00 00 01 00 00 00 01 01 00 00", "xxxxxxxxxxxxxxxxxxxx");

knms360 avatar Apr 16 '24 14:04 knms360

uintptr_t search_end = g_il2cppELF.baseSegment().endAddress + 0xFFFF;

Why the + 0xFFFF?

MJx0 avatar Apr 19 '24 02:04 MJx0

uintptr_t search_end = g_il2cppELF.baseSegment().endAddress + 0xFFFF;

Why the + 0xFFFF?

This is to make it clear that it is outside the range. This didn't work either, I get the same error:

uintptr_t search_start = 0x0000;
uintptr_t search_end = 0xFFFF;

knms360 avatar Apr 19 '24 09:04 knms360

There are no memory permission checks inside the scanner functions. You have to check and provide a valid readable memory range yourself. If you want to scan a full library, then use the segments array instead of only the base segment, then check which segments are readable.

MJx0 avatar Apr 21 '24 03:04 MJx0

Is it possible to read the segment from 0x00 to 0xFFFFFFFF and check if it is readable?

knms360 avatar Apr 21 '24 06:04 knms360

Why would you use a hardcoded memory range? You can call the getAllMaps() function to get all process memory maps, then filter them.

MJx0 avatar Apr 22 '24 02:04 MJx0

Because there is no library that can be used to look up byte arrays. (It's difficult to explain in English, so please refer to the image.)

knms360 avatar Apr 22 '24 11:04 knms360

Use termux and print the process maps:

cat /proc/<pid>/maps

It could be malloc memory or bss.

MJx0 avatar May 05 '24 14:05 MJx0

Ah, um... it seems very difficult, but I'll try it.

knms360 avatar May 06 '24 17:05 knms360

That's right, it was in the range of anon:libc_malloc.

knms360 avatar May 09 '24 17:05 knms360

You can get the malloc memory path with this, but on older Android versions it might be empty:

#include <cstdio>
#include <cstdlib>
#include <cstdint>
#include <string>

// Returns the pathname of the /proc/self/maps entry that contains a freshly
// malloc()ed block (e.g. "[anon:libc_malloc]"), or "" if none is found.
std::string mallocPathname()
{
    std::string result;
    void *n = malloc(sizeof(void *));
    if (!n) return result;

    if (auto fMaps = fopen("/proc/self/maps", "r"))
    {
        char cLine[512] = { 0 };
        while (fgets(cLine, sizeof(cLine), fMaps) != nullptr)
        {
            unsigned long long start = 0, end = 0;
            char pathname[0xff] = { 0 };
            // Line layout: start-end perms offset dev inode [pathname]
            if (sscanf(cLine, "%llx-%llx %*s %*s %*s %*s %254s", &start, &end, pathname) < 2) continue;
            if (uintptr_t(n) >= start && uintptr_t(n) < end)
            {
                result = pathname; // may be empty on older Android versions
                break;
            }
        }
        fclose(fMaps);
    }

    free(n); // release the probe block on every path
    return result;
}

After that you can scan like this:

auto mallocPath = mallocPathname();
if (!mallocPath.empty())
{
    auto maps = KittyMemory::getMapsEqual(mallocPath);
    for (const auto &it : maps)
    {
        // filter out
        if (it.offset != 0 && it.perms.compare("rw-p")) continue;

        uintptr_t found_at = KittyScanner::findIdaPatternFirst(it.startAddress, it.endAddress, "33 ? 55 66 ? 77 88 ? 99");
        KITTY_LOGI("found IDA pattern at: %p", (void *)found_at);
    }
}

MJx0 avatar May 12 '24 12:05 MJx0

Thanks!! I will give it a try. Thank you so much.

knms360 avatar Jun 01 '24 04:06 knms360

Hey, an error occurs in it.perms.compare: No member named 'perms' in 'KittyMemory::ProcMap'

knms360 avatar Jun 07 '24 13:06 knms360

But... I fixed the code and it worked. Was this ok?

if (it.offset != 0) continue;

knms360 avatar Jun 07 '24 16:06 knms360

Hey

knms360 avatar Jul 06 '24 15:07 knms360

offset == 0 is just a check to filter out unnecessary maps to speed up the scan, but you don't really need it. For perms you need to check if the map has read permission, or it will crash upon access:

if (!it.readable) continue;

MJx0 avatar Jul 14 '24 07:07 MJx0
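The two pieces of advice above (parse the process maps yourself, and only hand the scanner ranges whose map is readable) as one self-contained added example. This is editor-written code, not KittyMemory's own API: parseMapsLine, findIdaPattern and scanReadableMaps are hypothetical stand-ins for getAllMaps()/findIdaPatternFirst, and the maps lines and heap bytes are constructed so it runs offline.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <sstream>
#include <string>
#include <vector>

// Parse one /proc/<pid>/maps line ("start-end perms offset dev inode [pathname]"): range plus 'r' flag.
static bool parseMapsLine(const std::string &line, uintptr_t &start, uintptr_t &end, bool &readable) {
    unsigned long long s = 0, e = 0; char perms[8] = {0};
    if (sscanf(line.c_str(), "%llx-%llx %7s", &s, &e, perms) < 3 || e <= s) return false;  // malformed line
    start = s; end = e; readable = perms[0] == 'r';
    return true;
}

// Masked search for an IDA-style pattern ("33 ? 55 66") in [start, end); 0 if absent. Like the
// scanner it checks no permissions itself, so the caller must hand it a readable range.
static uintptr_t findIdaPattern(uintptr_t start, uintptr_t end, const std::string &pattern) {
    std::vector<int> want;                              // -1 marks a wildcard byte
    std::istringstream ss(pattern);
    for (std::string tok; ss >> tok;) want.push_back(tok[0] == '?' ? -1 : (int)strtoul(tok.c_str(), nullptr, 16));
    if (want.empty() || end < start || end - start < want.size()) return 0;
    for (uintptr_t p = start; p + want.size() <= end; ++p) {
        size_t i = 0;
        while (i < want.size() && (want[i] < 0 || *(const uint8_t *)(p + i) == (uint8_t)want[i])) ++i;
        if (i == want.size()) return p;
    }
    return 0;
}

// Scan only readable maps: the same filter as "if (!it.readable) continue;" in the thread.
static uintptr_t scanReadableMaps(const std::vector<std::string> &mapsLines, const std::string &pattern) {
    for (const auto &line : mapsLines) {
        uintptr_t s, e; bool readable;
        if (!parseMapsLine(line, s, e, readable) || !readable) continue;   // never touch a ---p range
        if (uintptr_t hit = findIdaPattern(s, e, pattern)) return hit;
    }
    return 0;
}

// Constructed demo: a static buffer stands in for the anon:libc_malloc region, described by a
// ---p maps line (must be skipped) and, optionally, an rw-p line covering the same bytes.
static const uint8_t kHeap[] = {0x00, 0x11, 0x33, 0x42, 0x55, 0x66, 0x01, 0x77, 0x88, 0x02, 0x99, 0x00};
static long demoScan(bool withReadableMap) {        // hit offset inside kHeap, or -1 when absent
    unsigned long long lo = (uintptr_t)kHeap, hi = lo + sizeof kHeap; char l1[160], l2[160];
    snprintf(l1, sizeof l1, "%llx-%llx ---p 00000000 00:00 0 [anon:libc_malloc]", lo, hi);
    snprintf(l2, sizeof l2, "%llx-%llx rw-p 00000000 00:00 0 [anon:libc_malloc]", lo, hi);
    std::vector<std::string> lines = {l1}; if (withReadableMap) lines.push_back(l2);
    uintptr_t hit = scanReadableMaps(lines, "33 ? 55 66 ? 77 88 ? 99");
    return hit ? (long)(hit - (uintptr_t)kHeap) : -1;   // 2 with the rw-p line, -1 without
}
```

In a real process the lines would come from fopen("/proc/self/maps") instead of being constructed, and any map whose first permission flag is not 'r' is skipped before the scanner ever dereferences it.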

OK, thanks! I'll try later. Maybe this issue will be over.

knms360 avatar Jul 15 '24 14:07 knms360

It has been confirmed that it does not work on some devices. The Android versions are 7 and 11.

knms360 avatar Sep 07 '24 11:09 knms360