DEV Community: Aaron Rubesh The latest articles on DEV Community by Aaron Rubesh (@aaron_rubesh). https://dev.to/aaron_rubesh https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F115037%2Fd373de6c-dc99-4739-ac91-4455aff47541.jpg DEV Community: Aaron Rubesh https://dev.to/aaron_rubesh en Compiling for ARM from x86-64 Aaron Rubesh Mon, 01 Apr 2019 19:21:10 +0000 https://dev.to/aaron_rubesh/compiling-for-arm-from-x86-64-327p https://dev.to/aaron_rubesh/compiling-for-arm-from-x86-64-327p <p>Interacting with low level Linux libraries can make reversing, debugging and analyzing application much simpler. </p> <p>Libraries, such as <code>ptrace</code>, can allow us to attach to running processes and execute functions from the tracee (the process we attach to). </p> <p>Since Android is basically a Linux operating system we can call some of these same libraries to trace android application processes.</p> <p>For example, the following code can be compiled and ran to dump the register values of an attached process:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="c1">//main.c</span> <span class="cp">#include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;sys/user.h&gt; #include &lt;sys/types.h&gt; #include &lt;sys/ptrace.h&gt; </span> <span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">)</span> <span class="p">{</span> <span class="n">pid_t</span> <span class="n">traced_process</span><span class="p">;</span> <span class="kt">long</span> <span class="n">rt</span><span class="p">;</span> <span class="k">struct</span> <span class="n">user_regs_struct</span> <span class="n">regs</span><span class="p">;</span> <span class="k">if</span><span class="p">(</span><span class="n">argc</span> <span class="o">!=</span> <span class="mi">2</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"usage: %s PID</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span> <span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span> <span class="p">}</span> <span class="n">traced_process</span> <span class="o">=</span> <span class="n">atoi</span><span class="p">(</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span> <span class="n">rt</span> <span class="o">=</span> <span class="n">ptrace</span><span class="p">(</span><span class="n">PTRACE_SEIZE</span><span class="p">,</span> <span class="n">traced_process</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span> <span class="k">if</span><span class="p">(</span><span class="n">rt</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Failed to attach to process. Are you root?</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span> <span class="p">}</span> <span class="n">ptrace</span><span class="p">(</span><span class="n">PTRACE_GETREGS</span><span class="p">,</span> <span class="n">traced_process</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">regs</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"RBP: %llx</span><span class="se">\n</span><span class="s">RBX: %llx</span><span class="se">\n</span><span class="s">RSI: %llx</span><span class="se">\n</span><span class="s">RIP: %llx</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">regs</span><span class="p">.</span><span class="n">rbp</span><span class="p">,</span> <span class="n">regs</span><span class="p">.</span><span class="n">rbx</span><span class="p">,</span> <span class="n">regs</span><span class="p">.</span><span class="n">rsi</span><span class="p">,</span> <span class="n">regs</span><span class="p">.</span><span class="n">rip</span><span class="p">);</span> <span class="n">ptrace</span><span class="p">(</span><span class="n">PTRACE_DETACH</span><span class="p">,</span> <span class="n">traced_process</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>If you compile this with gcc: <code>gcc main.c -o dump-regs</code> and then execute it on a random process running on your machine: <code>sudo ./dump-regs $PID</code> </p> <p>We will get a dump of some of the register values of the process:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ sudo ./dump-regs 10245 RBP: 7f7be53dda98 RBX: 0 RSI: 0 RIP: 9 </code></pre> </div> <p>This works perfectly. The problem is that this program is compiled to run on a x86_64 system, not ARM. So we cannot simply transfer this program to our Android device and run it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ file dump-regs dump-regs: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=36122682e0cf5cac23820af5c691d3b2c2aa374b, not stripped </code></pre> </div> <p>Luckily, we can solve this issue with a build of GCC that supports cross compiling to ARM.</p> <p>On Debian based distros, you should be able to install the packages <code>gcc-arm-linux-gnueabi</code> and <code>binutils-arm-linux-gnueabi</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sudo apt install gcc-arm-linux-gnueabi and binutils-arm-linux-gnueabi </code></pre> </div> <p>Now we have a build of GCC that supports compiling to ARM. However, some of the included headers are different on ARM than on x86_64 Linux so we need to make a few changes to our code before we can compile it. The main difference well note here is the <code>user_regs</code> struct. </p> <p>I'm not going to explain to difference between the registers of two different CPU architectures here but if you are curious I'd read up on ARM CPU architecture. This knowledge will come in handy when we get more into reversing some of the Android processes. </p> <p>You can also look into the headers included for binaries compiled by each <code>gcc</code> and <code>arm-linux-gnueabi-gcc</code> to see some of the differences to see why our code had to change.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="c1">//main.c</span> <span class="cp">#include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;sys/user.h&gt; #include &lt;sys/types.h&gt; #include &lt;sys/ptrace.h&gt; </span> <span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">)</span> <span class="p">{</span> <span class="n">pid_t</span> <span class="n">traced_process</span><span class="p">;</span> <span class="kt">long</span> <span class="n">rt</span><span class="p">;</span> <span class="cp">#ifdef __arm__ </span> <span class="k">struct</span> <span class="n">user_regs</span> <span class="n">regs</span><span class="p">;</span> <span class="cp">#endif #ifdef __x86_64__ </span> <span class="k">struct</span> <span class="n">user_regs_struct</span> <span class="n">regs</span><span class="p">;</span> <span class="cp">#endif </span> <span class="k">if</span><span class="p">(</span><span class="n">argc</span> <span class="o">!=</span> <span class="mi">2</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"usage: %s PID</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span> <span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span> <span class="p">}</span> <span class="n">traced_process</span> <span class="o">=</span> <span class="n">atoi</span><span class="p">(</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span> <span class="n">rt</span> <span class="o">=</span> <span class="n">ptrace</span><span class="p">(</span><span class="n">PTRACE_SEIZE</span><span class="p">,</span> <span class="n">traced_process</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span> <span class="k">if</span><span class="p">(</span><span class="n">rt</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Failed to attach to process. Are you root?</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span> <span class="p">}</span> <span class="n">ptrace</span><span class="p">(</span><span class="n">PTRACE_GETREGS</span><span class="p">,</span> <span class="n">traced_process</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">regs</span><span class="p">);</span> <span class="cp">#ifdef __x86_64__ </span> <span class="n">printf</span><span class="p">(</span><span class="s">"RBP: %llx</span><span class="se">\n</span><span class="s">RBX: %llx</span><span class="se">\n</span><span class="s">RSI: %llx</span><span class="se">\n</span><span class="s">RIP: %llx</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">regs</span><span class="p">.</span><span class="n">rbp</span><span class="p">,</span> <span class="n">regs</span><span class="p">.</span><span class="n">rbx</span><span class="p">,</span> <span class="n">regs</span><span class="p">.</span><span class="n">rsi</span><span class="p">,</span> <span class="n">regs</span><span class="p">.</span><span class="n">rip</span><span class="p">);</span> <span class="cp">#endif </span> <span class="cp">#ifdef __arm__ </span> <span class="k">for</span><span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="mi">18</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"REG[%d]: %lx</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">i</span><span class="p">,</span> <span class="n">regs</span><span class="p">.</span><span class="n">uregs</span><span class="p">[</span><span class="n">i</span><span class="p">]);</span> <span class="p">}</span> <span class="cp">#endif </span> <span class="n">ptrace</span><span class="p">(</span><span class="n">PTRACE_DETACH</span><span class="p">,</span> <span class="n">traced_process</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Now, lets compile for ARM: <code>arm-linux-gnueabi-gcc main.c -o arm-dump-regs -static</code></p> <p>We now have an ARM binary ready for running on our Android device!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ file arm-dump-regs arm-dump-regs: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=8b02c787af1e98e974720d1e6822c7ba99dd2e59, not stripped </code></pre> </div> <p>And then, we can push to our Android device via ADB: <code>adb push arm-dump-regs /data/local/tmp</code> </p> <p>[Note: Running this application requires Root on your device!]<br> And Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>OnePlus3:/data/local/tmp # ./arm-dump-regs 2206 REG[0]: 888f4 REG[1]: 88914 REG[2]: 88908 REG[3]: 0 REG[4]: ffd3da73 REG[5]: 2f REG[6]: ffd3da72 REG[7]: 10158 REG[8]: 4990c REG[9]: 0 REG[10]: 87098 REG[11]: 88448 REG[12]: 10b80 REG[13]: 10b28 REG[14]: 10158 REG[15]: 88460 REG[16]: 10158 REG[17]: 0 O </code></pre> </div> <p>And you'll see the register dump! </p> arm reversing android linux