Unable to add arbitrary addresses as exported functions #1040

Closed
localacct opened this issue Apr 8, 2024 · 3 comments

@localacct

Describe the bug
I followed the paper presented at Pass The Salt 2022 (The Poor Man's Obfuscator) to add arbitrary addresses as exported functions (Section 3.3 Export Addresses in the talk). However, I only managed to get one arbitrary address inserted as an exported function in the binary.

To Reproduce
Execute the code to iterate through the application's functions and attempt to add a random address each time as an exported function.

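    import random
    import lief

    app = lief.parse("./binary")

    for function in app.functions:
        address = function.address
        address += random.randint(16, 32)  # random offset past the function start
        address -= address % 4             # align down to a 4-byte boundary
        app.add_exported_function(address, "_fake")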

Expected behavior
Depending on the number of functions iterated, we should see the same number of exported functions added at the various random address locations as well. In Ghidra, I only saw two new "_fake" functions added to the binary as listed under Ghidra's Symbol Tree > Functions. However, I do see the correct number of "_fake" labels under Ghidra's Symbol Tree > Labels. However, only two of the labels point to somewhere in the code. I cannot navigate to the rest of the "_fake" labels as they are not in memory (as reported by Ghidra).

Environment (please complete the following information):

  • System and Version : Mac OS 14.1 (ARM64)
  • Target format: Mach-O (ARM64)
  • LIEF commit version: 0.14.1-bae887e0


@romainthomas
Member

Could you add the ./binary or provide a minimal reproducible case?

@localacct
Author

Hi @romainthomas

You mean you need the source code for the binary? This is the source code, it is just a small program.

//clang++ binary.cpp -o binary

#include <stdio.h>
#include <cstdlib>

void tempfunction(int choice)
{
	if(choice == 0)
	{
		printf("inside temp_function\n");
	}
	else
	{
		printf("random number is not 0\n");
	}

	return;
}

void zzzz(int choice2)
{
	if(choice2 == 0)
	{
		printf("inside temp_function2\n");
	}
	else
	{
		printf("random number is not 0\n");
	}

	return;
}

int main(int argc, char *argv[])
{
	printf("inside main\n");

	tempfunction(rand());

	zzzz(rand());

	return 0;
}

@romainthomas
Member

> I only saw two new "_fake"

Yes, because you always give the same name:

    app.add_exported_function(address, "_fake")

You should change the name if you want to see more exports.
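
The fix suggested in the last comment, written out as an added example (not code posted by anyone in this thread): each export gets its own name, and the rewritten file is re-parsed to confirm every planned name is actually exported. The `_fake_<index>` naming scheme, the helper names, the output path argument and the sample addresses are assumptions made for illustration.

```python
import random


def plan_fake_exports(function_addresses, seed=None, prefix="_fake"):
    """Map one distinct export name to one address per function start."""
    rng = random.Random(seed)
    plan = {}
    for index, start in enumerate(function_addresses):
        address = start + rng.randint(16, 32)  # same offset range as the issue
        address -= address % 4                 # same 4-byte alignment step
        plan[f"{prefix}_{index}"] = address    # hypothetical naming scheme
    return plan


def add_fake_exports(src, dst, seed=None):
    """Apply the plan with LIEF and write the modified binary to dst."""
    import lief  # imported lazily: the planner above needs no LIEF install

    app = lief.parse(src)
    if app is None:
        raise ValueError(f"LIEF could not parse {src}")
    plan = plan_fake_exports([f.address for f in app.functions], seed)
    for name, address in plan.items():
        app.add_exported_function(address, name)
    app.write(dst)
    return plan


def missing_exports(dst, plan):
    """Re-parse dst and return the planned names that are not exported."""
    import lief

    exported = {f.name for f in lief.parse(dst).exported_functions}
    return sorted(set(plan) - exported)


if __name__ == "__main__":
    # Constructed sample addresses, not taken from the issue's binary.
    sample = [0x100003E60, 0x100003EA8, 0x100003EF0]
    for name, address in plan_fake_exports(sample, seed=1).items():
        print(f"{name} -> {address:#x}")
```

An empty list from `missing_exports` means every planned name survived the rewrite, which replaces counting labels by hand in Ghidra.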
