
ARM64 MACOS flag mapping error

Open 90n20 opened this issue 1 year ago • 3 comments

Hi all,

I am getting a crash when trying to emulate a Linux x86-64 ELF on a Mac M1 (Sonoma 14.6.1), related to flag mappings not being defined for the underlying OS/host:

[+] 	Profile: default
[+] 	Mapping GDT at 0x30000 with limit 0x1000
[+] 	Mapped 0x555555554000-0x555555555000
[+] 	Mapped 0x555555555000-0x555555556000
[+] 	Mapped 0x555555556000-0x555555557000
[+] 	Mapped 0x555555557000-0x555555559000
[+] 	mem_start : 0x555555554000
[+] 	mem_end   : 0x555555559000
[+] 	Interpreter path: /lib64/ld-linux-x86-64.so.2
[+] 	Interpreter addr: 0x7ffff7dd5000
[+] 	Mapped 0x7ffff7dd5000-0x7ffff7dfc000
[+] 	Mapped 0x7ffff7ffc000-0x7ffff7fff000
[+] 	mmap_address is : 0x7fffb7dd6000
[+] 	rel name b'_ITM_deregisterTMCloneTable'
[+] 	rel name b'__libc_start_main'
[+] 	rel name b'__gmon_start__'
[+] 	rel name b'_ITM_registerTMCloneTable'
[+] 	rel name b'__cxa_finalize'
[+] 	rel name b'getenv'
[+] 	rel name b'strcpy'
[+] 	rel name b'puts'
[+] 	rel name b'__stack_chk_fail'
[+] 	rel name b'strcmp'
[+] 	rel name b'ptrace'
[+] 	rel name b'strcat'
[+] 	rel name b'exit'
[+] 	0x00007ffff7df0ec7: brk(inp = 0x0) = 0x55555555b000
[+] 	0x00007ffff7df2015: uname(buf = 0x7ffffffff9c0) = 0x0
[+] 	access("/etc/ld.so.nohwcap", 00) = -2
[+] 	0x00007ffff7de47dc: access(path = 0x7ffff7df6082, mode = 0x0) = -0x2 (ENOENT)
[+] 	access("/etc/ld.so.preload", 04) = -2
[+] 	0x00007ffff7df1e25: access(path = 0x7ffff7df8dd0, mode = 0x4) = -0x2 (ENOENT)
[x] 	Syscall ERROR: ql_syscall_openat DEBUG: flags were not defined for hosting ARM64 MACOS

Traceback:

File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/os/posix/posix.py", line 213, in load_syscall
    retval = syscall_hook(self.ql, *params)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/os/posix/syscall/fcntl.py", line 62, in ql_syscall_openat
    regreturn = absvpath if isinstance(absvpath, int) else __do_open(ql, absvpath, flags, mode)
                                                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/os/posix/syscall/fcntl.py", line 31, in __do_open
    flags = ql_open_flag_mapping(ql, flags)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/os/posix/const_mapping.py", line 98, in ql_open_flag_mapping
    raise NotImplementedError(f'flags were not defined for hosting {archtype.name} {ostype.name}')
NotImplementedError: flags were not defined for hosting ARM64 MACOS
Traceback (most recent call last):
  File "/Users/90n20/Projects/CTF/ine.py", line 14, in <module>
    ql.run()
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/core.py", line 588, in run
    self.os.run()
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/os/linux/linux.py", line 178, in run
    self.ql.emu_start(self.ql.loader.entry_point, entry_address, self.ql.timeout)
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/core.py", line 768, in emu_start
    raise self.internal_exception
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/core_hooks.py", line 141, in wrapper
    return callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/core_hooks.py", line 204, in _hook_insn_cb
    ret = hook.call(ql, *hook_args)
          ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/core_hooks_types.py", line 25, in call
    return self.callback(ql, *args)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/os/linux/linux.py", line 138, in hook_syscall
    return self.load_syscall()
           ^^^^^^^^^^^^^^^^^^^
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/os/posix/posix.py", line 231, in load_syscall
    raise e
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/os/posix/posix.py", line 213, in load_syscall
    retval = syscall_hook(self.ql, *params)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/os/posix/syscall/fcntl.py", line 62, in ql_syscall_openat
    regreturn = absvpath if isinstance(absvpath, int) else __do_open(ql, absvpath, flags, mode)
                                                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/os/posix/syscall/fcntl.py", line 31, in __do_open
    flags = ql_open_flag_mapping(ql, flags)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/90n20/Tools/qilingenv/lib/python3.12/site-packages/qiling/os/posix/const_mapping.py", line 98, in ql_open_flag_mapping
    raise NotImplementedError(f'flags were not defined for hosting {archtype.name} {ostype.name}')
NotImplementedError: flags were not defined for hosting ARM64 MACOS

Any thoughts or ideas to solve this?

90n20 · Aug 20 '24 08:08

Assuming that ARM and x86 macOS use the same open flags, add this code to const.py:

class macos_arm_open_flags(QlPrettyFlag):
    # open(2) flag values of the macOS host (Apple silicon)
    O_RDONLY    = 0x000000
    O_WRONLY    = 0x000001
    O_RDWR      = 0x000002
    O_NONBLOCK  = 0x000004
    O_APPEND    = 0x000008
    O_ASYNC     = 0x000040
    O_SYNC      = 0x000080
    O_NOFOLLOW  = 0x000100
    O_CREAT     = 0x000200
    O_TRUNC     = 0x000400
    O_EXCL      = 0x000800
    O_NOCTTY    = 0x020000
    O_DIRECTORY = 0x100000
    # flags that do not exist on this host; None means the bit is dropped
    O_BINARY    = None
    O_LARGEFILE = None

and add macos_arm_open_flags to const_mapping.py :

QL_OS.MACOS: {
    QL_ARCH.X86:   macos_x86_open_flags,
    QL_ARCH.X8664: macos_x86_open_flags,
    QL_ARCH.ARM:   macos_arm_open_flags,    # <-- add this line
    QL_ARCH.ARM64: macos_arm_open_flags,    # <-- add this line
}

This works for me.

noopoo · Dec 04 '24 05:12
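To make the failure mode concrete, here is an added stand-alone model of the guest-to-host open flag translation (example code written for this thread, not qiling's own implementation). The Linux x86-64 values are the kernel's fcntl constants, the macOS values are the ones proposed above, and the lookup keyed by host OS and architecture reproduces the NotImplementedError when the host entry is missing.

```python
from typing import Dict, Optional

# Constructed flag tables for this example. None means "the host has no such
# flag", so that bit is dropped instead of being passed through unchanged.
FlagTable = Dict[str, Optional[int]]

# Linux x86-64 guest values (kernel asm-generic/fcntl.h constants)
LINUX_X8664_OPEN_FLAGS: FlagTable = {
    "O_RDONLY": 0x0, "O_WRONLY": 0x1, "O_RDWR": 0x2, "O_CREAT": 0x40,
    "O_EXCL": 0x80, "O_NOCTTY": 0x100, "O_TRUNC": 0x200, "O_APPEND": 0x400,
    "O_NONBLOCK": 0x800, "O_ASYNC": 0x2000, "O_LARGEFILE": 0x8000,
    "O_DIRECTORY": 0x10000, "O_NOFOLLOW": 0x20000, "O_SYNC": 0x101000,
    "O_BINARY": None,
}

# macOS host values, as proposed for macos_arm_open_flags in this thread
MACOS_ARM_OPEN_FLAGS: FlagTable = {
    "O_RDONLY": 0x0, "O_WRONLY": 0x1, "O_RDWR": 0x2, "O_NONBLOCK": 0x4,
    "O_APPEND": 0x8, "O_ASYNC": 0x40, "O_SYNC": 0x80, "O_NOFOLLOW": 0x100,
    "O_CREAT": 0x200, "O_TRUNC": 0x400, "O_EXCL": 0x800, "O_NOCTTY": 0x20000,
    "O_DIRECTORY": 0x100000, "O_BINARY": None, "O_LARGEFILE": None,
}

# Host tables keyed by (os, arch). Leaving ("MACOS", "ARM64") out of this dict
# is exactly the situation that produced the crash in the issue.
HOST_OPEN_FLAGS = {
    ("MACOS", "X8664"): MACOS_ARM_OPEN_FLAGS,  # same values assumed on Intel
    ("MACOS", "ARM64"): MACOS_ARM_OPEN_FLAGS,
}


def map_open_flags(guest_flags: int, guest: FlagTable, host: FlagTable) -> int:
    """Translate guest open(2) flag bits to the host's bit values, flag by flag."""
    host_flags, remaining = 0, guest_flags
    for name, guest_val in guest.items():
        if not guest_val or (guest_flags & guest_val) != guest_val:
            continue  # O_RDONLY (value 0) or flag not set in this call
        remaining &= ~guest_val
        host_val = host.get(name)
        if host_val is not None:  # flags unknown to the host are dropped
            host_flags |= host_val
    if remaining:  # a guest bit with no name in the table must not pass silently
        raise ValueError(f"unmapped guest flag bits: {remaining:#x}")
    return host_flags


def translate_for_host(guest_flags: int, host_os: str, host_arch: str) -> int:
    """Look up the host table first, failing the same way the issue's log shows."""
    host = HOST_OPEN_FLAGS.get((host_os, host_arch))
    if host is None:
        raise NotImplementedError(f"flags were not defined for hosting {host_arch} {host_os}")
    return map_open_flags(guest_flags, LINUX_X8664_OPEN_FLAGS, host)
```

Linux O_WRONLY|O_CREAT|O_TRUNC (0x241) becomes 0x601 on the macOS host, and a guest O_LARGEFILE is dropped entirely because the host has no such flag.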

Worked like a charm, good catch!!

Would you consider creating a PR to fix/patch this, @noopoo? If not, I could try to handle that, giving credit to you of course.

90n20 · Jan 22 '25 11:01

Hi, it would be great if you could create a PR to fix this, because I don't use git or GitHub very much.

noopoo · Jan 23 '25 02:01