I've been working on this a little bit more. elfsh happily accesses the microprocessor's registers (as in REG_EIP), which do not necessarily exist on other architectures.
I have prepared 2 patches that add the code only if the registers are present, and that add the registers for amd64. I haven't yet been able to build elfsh on amd64, though, since once all the register accesses are taken care of, it fails with an assembler error when building e2dbg:
gcc -fPIC -g3 -Wall -Iinclude -rdynamic -DM32 -I../libhash/include/ -I../libelfsh/include/ -I../libdump/include/ -I../libasm/include/ -DELFSH_INTERN -DUSE_READLN -DELFSH64 -DELFSHNET -c -o elfsh_etdyn.o elfsh_etdyn.c
elfsh_etdyn.c: In function 'e2dbg_run':
elfsh_etdyn.c:109: warning: format '%016llX' expects type 'long long unsigned int', but argument 2 has type 'long unsigned int'
elfsh_etdyn.c: In function 'e2dbg_genericbp_ia32':
elfsh_etdyn.c:314: warning: unused variable 'prot'
/tmp/ccgRZXKq.s: Assembler messages:
/tmp/ccgRZXKq.s:16091: Error: suffix or operands invalid for `pop'
/tmp/ccgRZXKq.s:16093: Error: suffix or operands invalid for `pop'
/tmp/ccgRZXKq.s:16094: Warning: indirect jmp without `*'
/tmp/ccgRZXKq.s:16796: Error: suffix or operands invalid for `pop'
/tmp/ccgRZXKq.s:16796: Error: suffix or operands invalid for `push'
make[1]: *** [elfsh_etdyn.o] Error 1
make[1]: Leaving directory `/home/users/marga/sources/debian/packages/elfsh-0.65rc1/vm'
make: *** [et_dyn] Error 2
But at least, with the patches, the part that's not the debugger does build. I'm pretty tired of all this. I don't understand how upstream can say that they build this code on more than one architecture. I'm giving up here. For anyone else who is interested, it's a real challenge to make elfsh build on any arch other than i386. If you are going to fix this bug, please check that it fixes more than your desktop PC. -- Bessos, (o_ Marga. (\)_
#! /bin/sh /usr/share/dpatch/dpatch-run
## 03_fix_regs.dpatch by Margarita Manterola <[EMAIL PROTECTED]>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Add the registers conditionally
@DPATCH@
--- elfsh-0.65rc1/vm/dumpregs.c 2005-08-02 03:43:53.000000000 -0300
+++ elfsh-marga/vm/dumpregs.c 2006-08-15 19:32:41.528138491 -0300
@@ -31,15 +31,56 @@
   E2DBG_PROFILE_IN(__FILE__, __FUNCTION__, __LINE__);
   vm_output(" .:: Registers ::. \n\n");
+// i386+others
+#ifdef REG_EAX
   vm_dumpreg("EAX", e2dbgworld.context->uc_mcontext.gregs[REG_EAX]);
+#endif
+#ifdef REG_EBX
   vm_dumpreg("EBX", e2dbgworld.context->uc_mcontext.gregs[REG_EBX]);
+#endif
+#ifdef REG_ECX
   vm_dumpreg("ECX", e2dbgworld.context->uc_mcontext.gregs[REG_ECX]);
+#endif
+#ifdef REG_EDX
   vm_dumpreg("EDX", e2dbgworld.context->uc_mcontext.gregs[REG_EDX]);
+#endif
+#ifdef REG_ESI
   vm_dumpreg("ESI", e2dbgworld.context->uc_mcontext.gregs[REG_ESI]);
+#endif
+#ifdef REG_EDI
   vm_dumpreg("EDI", e2dbgworld.context->uc_mcontext.gregs[REG_EDI]);
+#endif
+#ifdef REG_ESP
   vm_dumpreg("ESP", e2dbgworld.context->uc_mcontext.gregs[REG_ESP]);
+#endif
+#ifdef REG_EBP
   vm_dumpreg("EBP", e2dbgworld.context->uc_mcontext.gregs[REG_EBP]);
+#endif
+#ifdef REG_EIP
   vm_dumpreg("EIP", e2dbgworld.context->uc_mcontext.gregs[REG_EIP]);
+#endif
+// amd64
+#ifdef REG_GS
+  vm_dumpreg("GS", e2dbgworld.context->uc_mcontext.gregs[REG_GS]);
+#endif
+#ifdef REG_FS
+  vm_dumpreg("FS", e2dbgworld.context->uc_mcontext.gregs[REG_FS]);
+#endif
+#ifdef REG_ES
+  vm_dumpreg("ES", e2dbgworld.context->uc_mcontext.gregs[REG_ES]);
+#endif
+#ifdef REG_DS
+  vm_dumpreg("DS", e2dbgworld.context->uc_mcontext.gregs[REG_DS]);
+#endif
+#ifdef REG_ERR
+  vm_dumpreg("ERR", e2dbgworld.context->uc_mcontext.gregs[REG_ERR]);
+#endif
+#ifdef REG_EFL
+  vm_dumpreg("EFL", e2dbgworld.context->uc_mcontext.gregs[REG_EFL]);
+#endif
+#ifdef REG_UESP
+  vm_dumpreg("UESP", e2dbgworld.context->uc_mcontext.gregs[REG_UESP]);
+#endif
   printf("\n");
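Review bot: The group labelled `// amd64` guards i386 segment and fault-info registers, not amd64 ones: in glibc's x86-64 `sys/ucontext.h` the general registers are named `REG_RIP`, `REG_RSP`, `REG_RAX` and so on, and `REG_GS`/`REG_FS`/`REG_ES`/`REG_DS`/`REG_UESP` are not defined there, so on amd64 this hunk would print only ERR and EFL and no instruction pointer. The comment should read `// i386 segment/fault registers (absent on amd64)` and a separate `#ifdef REG_RIP` group covering the 64-bit registers is needed for the amd64 goal in the patch description. With every access optional, an architecture that defines none of these macros still compiles, producing a register dump that is just the header and a blank line; an `#else` / `#error` branch on at least the instruction-pointer register would surface that at build time instead of at runtime. The enclosing function starts and ends outside the hunk.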
#! /bin/sh /usr/share/dpatch/dpatch-run
## elfsh_etdyn.dpatch by Margarita Manterola <[EMAIL PROTECTED]>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Always access the registers conditionally
@DPATCH@
diff -urNad elfsh-0.65rc1~/vm/elfsh_etdyn.c elfsh-0.65rc1/vm/elfsh_etdyn.c
--- elfsh-0.65rc1~/vm/elfsh_etdyn.c 2005-08-02 03:43:53.000000000 -0300
+++ elfsh-0.65rc1/vm/elfsh_etdyn.c 2006-08-15 20:12:19.000000000 -0300
@@ -326,8 +326,12 @@
   e2dbgworld.context = context;
   if (info->si_code == TRAP_TRACE)
+    {
+#ifdef REG_EIP
     printf(" [*] Stepped at addr %08X ! \n", context->uc_mcontext.gregs[REG_EIP]);
+#endif
+    }
   else
     e2dbg_entry(1, argv);
@@ -337,24 +341,32 @@
       /* A breakpoint happened */
     case TRAP_BRKPT:
+#ifdef REG_EIP
       snprintf(buf, 32, XFMT, context->uc_mcontext.gregs[REG_EIP] - 1);
+#endif
       bp = hash_get(&e2dbgworld.bp, buf);
       if (!bp)
         {
+#ifdef REG_EIP
           printf("Warning: int3 triggered at location %08X which we don't know about. \n" "This may be an anti-debug trick, proceed with caution. \n\n", context->uc_mcontext.gregs[REG_EIP] - 1);
+#endif
           //context->uc_mcontext.gregs[REG_EIP] -= 1;
           return;
         }
+#ifdef REG_EIP
       context->uc_mcontext.gregs[REG_EIP] -= 1;
       prot = elfsh_munprotect(bp->obj, context->uc_mcontext.gregs[REG_EIP], 1);
       *(u_char *) context->uc_mcontext.gregs[REG_EIP] = bp->savedinstr[0];
       elfsh_mprotect(context->uc_mcontext.gregs[REG_EIP], 1, prot);
+#ifdef REG_EFL
       context->uc_mcontext.gregs[REG_EFL] |= 0x100;
+#endif
       past = context->uc_mcontext.gregs[REG_EIP];
+#endif
       break;
       /* Enable again tracing */
@@ -371,7 +383,9 @@
           return;
         }
+#ifdef REG_EFL
       context->uc_mcontext.gregs[REG_EFL] |= 0x100;
+#endif
       break;
     }
@@ -392,9 +406,10 @@
   argv[0] = "e2dbg";
   argv[1] = NULL;
+#ifdef REG_EIP
   printf(" [*] step_handler : Stepping at addr %08X \n", context->uc_mcontext.gregs[REG_EIP]);
-
+#endif
   e2dbg_entry(1, argv);
   SETSIG;
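Review bot: Guarding only the register access with `#ifdef REG_EIP` turns a missing register into a silent no-op: when REG_EIP is undefined, the TRAP_TRACE branch in this hunk, the trap-flag update in the -371 hunk and the step messages in the -392 and -409 hunks all compile to nothing, so single-stepping appears to succeed but prints nothing and never sets the trap flag. The porting question this patch is meant to answer is better served by keeping the build failing where the debugger is really unsupported, e.g. `#else` / `#error "e2dbg single-stepping needs REG_EIP on this architecture"` / `#endif` in place of the bare `#endif`. The newly added braces around the guarded printf are the right shape, since an `if` whose body is compiled out would otherwise bind to the following `else`. The enclosing function starts and ends outside the hunk.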
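Review bot: With REG_EIP undefined the `snprintf(buf, 32, XFMT, ...)` is compiled out but `bp = hash_get(&e2dbgworld.bp, buf);` still runs, so the lookup key is whatever `buf` already held (uninitialized unless it is set outside the hunk), and the whole restore block below it is skipped: the handler reaches `break` without writing `bp->savedinstr[0]` back or advancing past the int3, so the debuggee resumes on the same trap. The guard should cover the entire TRAP_BRKPT case or fail the build, e.g. `#else` / `#error "TRAP_BRKPT handling requires REG_EIP"` / `#endif` replacing the `#endif` after `past = ...`. The -371 hunk's `#ifdef REG_EFL` leaves the same gap for the trap flag on the resume path. The enclosing switch and function start and end outside the hunk.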
@@ -409,9 +424,10 @@
   argv[0] = "e2dbg";
   argv[1] = NULL;
+#ifdef REG_EIP
   printf(" [*] cmd_step : Stepping at addr %08X \n", e2dbgworld.context->uc_mcontext.gregs[REG_EIP]);
-
+#endif
   e2dbg_entry(1, argv);
   __asm__("pushf;"