How to find illegal instructions in the program?
I have a benchmark that is designed to run on a specific simulator. Some instructions that are added to the test test to communicate with the simulator (no CPU operations are performed) like dump statistics or reset statistics, etc.
Now I need to run the same tests on a different simulator and there is no other work, I have to use the same binaries, of course this does not work as it generates SIGILL
or an Illegal Instruction
error.
Now I want to be able to remove the bad instructions directly from the executable binary (no source code, no recompile, no install from elsewhere) and replace them with NOP
s. So I ran a test in gdb
and used the command layout asm
to find the addresses of the bad instructions. Here's the result:
My question may sound a little silly, but now I opened the binary in a text editor and tried using the addresses I got from gdb
to find illegal instructions in binary, but no luck. the size of the binary is about 1 MB and the addresses start at about 4 MB. How do I find illegal instructions in binary using the addresses I got from gdb
? Here is a snippet from a binary showing its format:
616c 6967 6e00 5f5f 7265 6769 7374 6572
5f66 7261 6d65 5f69 6e66 6f00 5f49 4f5f
7664 7072 696e 7466 005f 5f70 7468 7265
6164 5f73 6574 7370 6563 6966 6963 5f69
6e74 6572 6e61 6c00 7763 7274 6f6d 6200
5f64 6c5f 636f 7272 6563 745f 6361 6368
655f 6964 005f 646c 5f73 6f72 745f 6669
6e69 005f 5f6e 6577 5f66 6f70 656e 0063
6c6f 7365 005f 5f73 7472 6e63 7079 5f73
7365 3200 5f5f 6c69 6263 5f63 6f6e 6e65
6374 005f 5f77 6d65 6d63 7079 005f 494f
5f69 7465 725f 6e65 7874 006d 355f 7061
6e69 6300 5f64 6c5f 636c 6f73 655f 776f
726b 6572 005f 646c 5f70 6167 6573 697a
6500 5f5f 7661 6c6c 6f63 005f 5f6d 656d
616c 6967 6e5f 686f 6f6b 005f 5f70 7468
7265 6164 5f69 6e69 745f 7374 6174 6963
5f74 6c
source to share
Your hex dump is just a bunch of function names, so it doesn't tell us much. And you didn't mention the operating system ...
I assume you can run gdb
on it, you can use GNU binutils as well.
For a start, you can try objdump -h myprog
. It will provide a list of partitions with their sizes, download addresses and file offsets. If it tells you that there is a section that starts at 401000
file offset 400
and is at least in size af4
, then the runtime 401af4
is at file offset 401af4-401000+400
.
If the malicious address is in a shared library, or if the program has performed any reassignment of its address space, the task will be more difficult.
source to share
You did not specify a processor or operating system. It looks like x86 makes it much more difficult, as it is a variable length instruction set, the first time you ask the problem the disassembler, if you are using, can get confusing, depends on the disassembler.
Try to figure out what specific illegal instructions refer to the simulator, find these bit patterns in binary, interact around the disassembly, and if those patterns are found, replacing them with nops and repeating rather than checking, and depending on how that binary was is done, there may be some attempts to prevent such hacking.
Of course, not a trivial task ...
source to share