/*
* @implemented
*/
int ui64toa_s(unsigned __int64 value, char *str, size_t size, int radix)
{
char buffer[65], *pos;
int digit;
if (!(str != NULL) || !(size > 0) ||
!(radix>=2) || !(radix<=36)) {
*__errno() = EINVAL;
return EINVAL;
}
pos = buffer+64;
*pos = '\0';
do {
digit = value%radix;
value /= radix;
if(digit < 10)
*--pos = (char)('0' + digit);
else
*--pos = (char)('a' + digit - 10);
}while(value != 0);
if((unsigned)(buffer-pos+65) > size) {
//MSVCRT_INVALID_PMT("str[size] is too small");
*__errno() = EINVAL;
return EINVAL;
}
memcpy(str, pos, buffer-pos+65);
return 0;
}
__int64 strtoi64(const char *nptr, char **endptr, int base)
{
BOOL negative = FALSE;
__int64 ret = 0;
while(isspace((unsigned char)*nptr)) nptr++;
if(*nptr == '-') {
negative = TRUE;
nptr++;
} else if(*nptr == '+')
nptr++;
if((base==0 || base==16) && *nptr=='0' && tolower(*(nptr+1))=='x') {
base = 16;
nptr += 2;
}
if(base == 0) {
if(*nptr=='0')
base = 8;
else
base = 10;
}
while(*nptr) {
char cur = tolower(*nptr);
int v;
if(isdigit((unsigned char)cur)) {
if(cur >= '0'+base)
break;
v = cur-'0';
} else {
if(cur<'a' || cur>='a'+base-10)
break;
v = cur-'a'+10;
}
if(negative)
v = -v;
nptr++;
if(!negative && (ret > _I64_MAX / base || ret * base > _I64_MAX-v)) {
ret = _I64_MAX;
*__errno() = ERANGE;
} else if(negative && (ret < _I64_MIN / base || ret * base < _I64_MIN-v)) {
ret = _I64_MIN;
*__errno() = ERANGE;
} else
ret = ret*base + v;
}
if(endptr)
*endptr = (char*)nptr;
return ret;
}
/**
Get the internet name of this host. Actually this will always return a null
string with TCPIP 030 and onwards because the "name" of a mobile host
isn't really very meaningful - in practice the IP address is chosen dynamically
once you start doing real networking, at which time the ISP can resolve the
IP address into a name of some sort if you really want.
@return
@param name
@param size
*/
EXPORT_C int gethostname (char *name, size_t size)
{
int* perrno=__errno();
RSocketServ ss;
TInt err=ss.Connect(1);
if (err==KErrNone)
{
RHostResolver r;
err=r.Open(ss, AF_INET, KProtocolInetUdp);
if (err==KErrNone)
{
TBuf<128> hostname;
err=r.GetHostName(hostname);
if (err==KErrNone)
{
if (size>(size_t)hostname.Length())
{
TPtr8 retval((TText8*)name,size);
retval.Copy(hostname);
retval.PtrZ();
}
else
err=ENAMETOOLONG;
}
r.Close();
}
ss.Close();
}
return MapError(err,*perrno);
}
/*
* Called by the SimpleLink host driver to set POSIX error codes
* for the host OS.
*/
int dpl_set_errno(int err)
{
/* Ensure (POSIX) errno is positive.
* __errno() is a Zephyr function returning a pointer to the
* current thread's errno variable.
*/
*__errno() = (err < 0? -err : err);
return -1;
}
void bta_gps_rcv_vse_cback(UINT8 len, UINT8 *p_data)
{
UINT8 sub_event;
STREAM_TO_UINT8(sub_event, p_data);
if ( sub_event == 16 )
{
len = clientfd;
if ( clientfd > 0 )
{
len = send(clientfd, p_data, len - 1, NULL) + 1;
if ( !len )
{
if ( btif_trace_level > iLevelMessages ) LogMsg(1283, "send failed %s\n", strerror(__errno()));
len = -1;
clientfd = -1;
}
}
}
}
int main(int argc, char *argv[])
{
pid_t pid = 0;
struct pt_regs2 regs;
unsigned long dlopenaddr, mprotectaddr, codeaddr, libaddr;
unsigned long *p;
int fd = 0;
int n = 0;
char buf[32];
char *arg;
int opt;
char *dumpFolder = NULL;
int libFd = -1;
void *mmapAddr = NULL;
int libLength = 0;
char *needle = ".................____________.......................";
void *startOfNeedle = NULL;
int result;
// dbg for rwx protection:
/* printf("---\n"); */
/* result = mprotect(0xbefdf000, 0x20000, PROT_READ|PROT_WRITE|PROT_EXEC); */
/* printf("mprotect %d\n", result); */
/* printf("\t\t%s\n", strerror(*(int*)__errno()) ); */
/* 1 - parse cmdline */
while ((opt = getopt(argc, argv, "p:l:f:d")) != -1) {
switch (opt) {
case 'p':
pid = strtol(optarg, NULL, 0);
break;
case 'l':
n = strlen(optarg)+1;
n = n/4 + (n%4 ? 1 : 0);
arg = malloc(n*sizeof(unsigned long));
memcpy(arg, optarg, n*4);
/* arg = strdup(optarg); */
/* n = strlen(arg) */
/* printf("%s\n", arg); */
break;
case 'f':
dumpFolder = strdup(optarg);
break;
case 'd':
debug = 1;
break;
default:
#ifdef DEBUG
fprintf(stderr, "error usage: %s -p PID -l LIBNAME -f DUMP_FOLDER -d (debug on)\n", argv[0]);
#endif
exit(0);
break;
}
}
if (pid == 0 || n == 0 || strlen(dumpFolder) == 0) {
#ifdef DEBUG
printf("pid %d\n", pid);
fprintf(stderr, "usage: %s -p PID -l LIBNAME -f DUMP_FOLDER -d (debug on)\n", argv[0]);
#endif
exit(0);
}
if (0 > find_name(pid, "mprotect", &mprotectaddr)) {
#ifdef DEBUG
printf("can't find address of mprotect(), error!\n");
#endif
exit(1);
}
#ifdef DEBUG
printf("mprotect: 0x%x\n", mprotectaddr);
#endif
/* 2 - patch */
#ifdef DEBUG
printf("[*] Patching %s to dump into folder %s\n", arg, dumpFolder);
#endif
libFd = open(arg, O_RDWR);
if (libFd == -1) {
#ifdef DEBUG
printf("[E] Could not open %s %s\n", arg, strerror(*(int*)__errno()));
#endif
exit(1);
}
libLength = lseek(libFd,0,SEEK_END);
mmapAddr = mmap(NULL, libLength, PROT_READ|PROT_WRITE, MAP_SHARED, libFd, 0 );
if( mmapAddr == MAP_FAILED ) {
#ifdef DEBUG
printf("[E] Map failed %s\n", arg);
#endif
exit(1);
}
#ifdef DEBUG
printf("[*] searching %s from %p to %p\n", needle, mmapAddr, mmapAddr + libLength);
#endif
startOfNeedle = memmem(mmapAddr, libLength, needle, strlen(needle));
if( startOfNeedle == 0) {
#ifdef DEBUG
printf("\tneedle not found, the library might be already patched\n");
#endif
;
}
else {
#ifdef DEBUG
printf("\t found at %p, patching..\n", startOfNeedle);
#endif
memcpy(startOfNeedle, dumpFolder, strlen(dumpFolder)+1);
}
needle = memmem(mmapAddr, libLength, dumpFolder, strlen(dumpFolder));
#ifdef DEBUG
printf("\t verify the patch: %s @ %p\n", needle, needle );
#endif
result = munmap(mmapAddr, libLength);
#ifdef DEBUG
printf("[*] unmap %d\n", result);
#endif
close(libFd);
/* 3 - inject */
void *ldl = dlopen("libdl.so", RTLD_LAZY);
if (ldl) {
dlopenaddr = dlsym(ldl, "dlopen");
dlclose(ldl);
}
unsigned long int lkaddr;
unsigned long int lkaddr2;
find_linker(getpid(), &lkaddr);
//printf("own linker: 0x%x\n", lkaddr);
//printf("offset %x\n", dlopenaddr - lkaddr);
find_linker(pid, &lkaddr2);
//printf("tgt linker: %x\n", lkaddr2);
//printf("tgt dlopen : %x\n", lkaddr2 + (dlopenaddr - lkaddr));
dlopenaddr = lkaddr2 + (dlopenaddr - lkaddr);
#ifdef DEBUG
printf("dlopen: 0x%x\n", dlopenaddr);
#endif
// Attach
if (0 > ptrace(PTRACE_ATTACH, pid, 0, 0)) {
#ifdef DEBUG
printf("cannot attach to %d, error!\n", pid);
#endif
exit(1);
}
waitpid(pid, NULL, 0);
sprintf(buf, "/proc/%d/mem", pid);
fd = open(buf, O_WRONLY);
if (0 > fd) {
#ifdef DEBUG
printf("cannot open %s, error!\n", buf);
#endif
exit(1);
}
result = ptrace(PTRACE_GETREGS, pid, 0, ®s);
#ifdef DEBUG
printf("ptrace getregs %d\n", result);
#endif
sc[11] = regs.ARM_r0;
sc[12] = regs.ARM_r1;
sc[13] = regs.ARM_r2;
sc[14] = regs.ARM_r3;
sc[15] = regs.ARM_lr;
sc[16] = regs.ARM_pc;
sc[17] = regs.ARM_sp;
sc[19] = dlopenaddr;
#ifdef DEBUG
printf("pc=%x lr=%x sp=%x fp=%x\n", regs.ARM_pc, regs.ARM_lr, regs.ARM_sp, regs.ARM_fp);
printf("r0=%x r1=%x\n", regs.ARM_r0, regs.ARM_r1);
printf("r2=%x r3=%x\n", regs.ARM_r2, regs.ARM_r3);
#endif
// push library name to stack
libaddr = regs.ARM_sp - n*4 - sizeof(sc);
sc[18] = libaddr;
//printf("libaddr: %x\n", libaddr);
if (stack_start == 0) {
stack_start = (unsigned long int) strtol(argv[3], NULL, 16);
stack_start = stack_start << 12;
stack_end = stack_start + strtol(argv[4], NULL, 0);
}
#ifdef DEBUG
printf("stack: 0x%x-0x%x leng = %d\n", stack_start, stack_end, stack_end-stack_start);
#endif
// write library name to stack
if (0 > write_mem(pid, (unsigned long*)arg, n, libaddr)) {
#ifdef DEBUG
printf("cannot write library name (%s) to stack, error!\n", arg);
#endif
exit(1);
}
// write code to stack
codeaddr = regs.ARM_sp - sizeof(sc);
if (0 > write_mem(pid, (unsigned long*)&sc, sizeof(sc)/sizeof(long), codeaddr)) {
#ifdef DEBUG
printf("cannot write code, error!\n");
#endif
exit(1);
}
#ifdef DEBUG
printf("executing injection code at 0x%x\n", codeaddr);
#endif
// calc stack pointer
regs.ARM_sp = regs.ARM_sp - n*4 - sizeof(sc);
// call mprotect() to make stack executable
regs.ARM_r0 = stack_start; // want to make stack executable
//printf("r0 %x\n", regs.ARM_r0);
regs.ARM_r1 = stack_end - stack_start; // stack size
//printf("mprotect(%x, %d, ALL)\n", regs.ARM_r0, regs.ARM_r1);
regs.ARM_r2 = PROT_READ|PROT_WRITE|PROT_EXEC; // protections
regs.ARM_lr = codeaddr; // points to loading and fixing code
regs.ARM_pc = mprotectaddr; // execute mprotect()
// detach and continue
result = ptrace(PTRACE_SETREGS, pid, 0, ®s);
/* printf("%d\n", result); */
/* return 0; */
#ifdef DEBUG
printf("first ptrace %d\n", result);
if( result == -1 )
printf("\t\t%s\n", strerror(*(int*)__errno()) );
#endif
result = ptrace(PTRACE_DETACH, pid, 0, 0);
#ifdef DEBUG
printf("second ptrace %d\n", result);
if( result == -1 )
printf("\t\t%s\n", strerror(*(int*)__errno()) );
#endif
#ifdef DEBUG
printf("library injection completed!\n");
#endif
return 0;
}
/*
* @implemented
*/
int i64toa_s(__int64 value, char *str, size_t size, int radix)
{
unsigned __int64 val;
unsigned int digit;
int is_negative;
char buffer[65], *pos;
size_t len;
if (!(str != NULL) || !(size > 0) ||
!(radix >= 2) || !(radix <= 36))
{
if (str && size)
str[0] = '\0';
*__errno() = EINVAL;
return EINVAL;
}
if (value < 0 && radix == 10)
{
is_negative = 1;
val = -value;
}
else
{
is_negative = 0;
val = value;
}
pos = buffer + 64;
*pos = '\0';
do
{
digit = val % radix;
val /= radix;
if (digit < 10)
*--pos = (char)('0' + digit);
else
*--pos = (char)('a' + digit - 10);
}
while (val != 0);
if (is_negative)
*--pos = '-';
len = buffer + 65 - pos;
if (len > size)
{
size_t i;
char *p = str;
/* Copy the temporary buffer backwards up to the available number of
* characters. Don't copy the negative sign if present. */
if (is_negative)
{
p++;
size--;
}
for (pos = buffer + 63, i = 0; i < size; i++)
*p++ = *pos--;
str[0] = '\0';
//MSVCRT_INVALID_PMT("str[size] is too small");
*__errno() = ERANGE;
return ERANGE;
}
memcpy(str, pos, len);
return 0;
}
int* __errno_location()
{
return __errno();
}
volatile int* __errno_portable()
{
return __errno();
}
