A custom dynamic linker that attempts to load some specific memory dumps.

- Android NDK: r27 or later
- Rust: nightly with the `aarch64-linux-android` target
With the qiling framework:

```sh
make qiling
```

- Patch `libunity.so` to add a NEEDED entry for `liblinkage.so`
- Patch `libunity.so` to replace `dlopen`, `dlclose`, `dlsym` with `myopen`, `myclose`, `mysym` in the dynamic symbol table
- Add `liblinkage.so` to the APK
- Resolved relocations: `.got.plt`
- Resolved `.init_array` functions (43/43)
- Resolved RELATIVE relocations: `.got`, `.data.rel.ro`, `.data`
- WIP: resolved some JMP & ABS64 relocations outside of the `.got.plt` section

Currently, some ABS64 relocations in the `.data.rel.ro` and `.data` sections still need to be resolved.
To figure them out, you need to set up a native debugging environment, for example:

- `gdbserver` on Android + `gdb` on the host
- IDA Debug Server on Android + IDA Pro

After starting the debug server, connect to the phone with ADB, then use this command to view the log:

```sh
adb logcat "*:S,linkage:D"
```

Launch the app; it will automatically pause and wait for a debugger. Attach the debugger, then modify the registers to break out of the while loop.

When you encounter a segfault, look at the backtrace and try to guess the appropriate relocation type. Always refer to `./3.7_relocs_data.txt` and `./3.7_relocs_data_rel_ro.txt` to match the relocation type and symbol name.
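The relocation classes listed above (RELATIVE, ABS64, JMP/JUMP_SLOT) differ in what a loader needs to know before it can patch a slot: RELATIVE needs only the load base, while the symbol-based kinds need a resolved symbol address, and an undefined symbol that cannot be resolved is exactly the case that leaves a slot unpatched and later faults. The following is an added example, not code from this project, that applies these AArch64 `Elf64_Rela` kinds to a byte image. The type codes are the standard AArch64 ELF ABI values; the load address, symbol table, relocation entries and the `resolve` closure are constructed for the demonstration, and `resolve` merely stands in for whatever symbol lookup a loader uses for symbols defined elsewhere.

```rust
// Added example (not from the linkage project): applying AArch64 dynamic
// relocations of the kinds the README lists to an in-memory image.
// All addresses, symbols and entries below are constructed for the demo.

/// Relocation type codes from the AArch64 ELF ABI.
pub const R_AARCH64_ABS64: u32 = 257;
pub const R_AARCH64_GLOB_DAT: u32 = 1025;
pub const R_AARCH64_JUMP_SLOT: u32 = 1026;
pub const R_AARCH64_RELATIVE: u32 = 1027;

/// One Elf64_Rela entry with r_info already split into type and symbol index.
#[derive(Clone, Copy, Debug)]
pub struct Rela {
    pub r_offset: u64, // image-relative address of the 8-byte slot to patch
    pub r_type: u32,   // ELF64_R_TYPE(r_info)
    pub r_sym: u32,    // ELF64_R_SYM(r_info): index into the symbol table
    pub r_addend: i64,
}

/// Minimal dynamic-symbol view: name, st_value, and whether this object defines it.
pub struct Sym {
    pub name: &'static str,
    pub st_value: u64,
    pub defined: bool,
}

#[derive(Debug, PartialEq)]
pub enum RelocError {
    UnknownType(u32),
    BadSymbolIndex(u32),
    UnresolvedSymbol(String),
    OutOfBounds(u64),
}

/// Apply one relocation. `base` is where the image is (pretended to be) mapped;
/// `resolve` looks up symbols this object does not define (hypothetical hook).
pub fn apply_rela(
    image: &mut [u8],
    base: u64,
    syms: &[Sym],
    rela: &Rela,
    resolve: &dyn Fn(&str) -> Option<u64>,
) -> Result<u64, RelocError> {
    let off = rela.r_offset as usize;
    // Refuse to write past the image instead of trusting r_offset blindly.
    if off.checked_add(8).map_or(true, |end| end > image.len()) {
        return Err(RelocError::OutOfBounds(rela.r_offset));
    }
    let value = match rela.r_type {
        // B + A: no symbol involved, which is why RELATIVE is the easy class.
        R_AARCH64_RELATIVE => base.wrapping_add(rela.r_addend as u64),
        // S + A: S is base + st_value for a local definition, otherwise it
        // must come from another loaded object via `resolve`.
        R_AARCH64_ABS64 | R_AARCH64_GLOB_DAT | R_AARCH64_JUMP_SLOT => {
            let sym = syms
                .get(rela.r_sym as usize)
                .ok_or(RelocError::BadSymbolIndex(rela.r_sym))?;
            let s = if sym.defined {
                base.wrapping_add(sym.st_value)
            } else {
                resolve(sym.name)
                    .ok_or_else(|| RelocError::UnresolvedSymbol(sym.name.to_string()))?
            };
            s.wrapping_add(rela.r_addend as u64)
        }
        other => return Err(RelocError::UnknownType(other)),
    };
    image[off..off + 8].copy_from_slice(&value.to_le_bytes());
    Ok(value)
}

/// Apply every entry in order; stop at the first failure and report its index.
pub fn apply_all(
    image: &mut [u8],
    base: u64,
    syms: &[Sym],
    relas: &[Rela],
    resolve: &dyn Fn(&str) -> Option<u64>,
) -> Result<usize, (usize, RelocError)> {
    for (i, r) in relas.iter().enumerate() {
        apply_rela(image, base, syms, r, resolve).map_err(|e| (i, e))?;
    }
    Ok(relas.len())
}

/// Read a patched 8-byte little-endian slot back out of the image.
pub fn read_slot(image: &[u8], off: usize) -> u64 {
    let mut b = [0u8; 8];
    b.copy_from_slice(&image[off..off + 8]);
    u64::from_le_bytes(b)
}

/// Constructed load address for the demo image.
pub const DEMO_BASE: u64 = 0x7000_0000_0000;

/// Constructed scenario: one RELATIVE, one ABS64 against a local symbol, and
/// one JUMP_SLOT against an undefined symbol supplied by `resolve`.
pub fn demo() -> Vec<u8> {
    let mut image = vec![0u8; 0x80];
    let syms = [
        Sym { name: "", st_value: 0, defined: false }, // STN_UNDEF
        Sym { name: "local_handler", st_value: 0x40, defined: true },
        Sym { name: "dlopen", st_value: 0, defined: false },
    ];
    let relas = [
        Rela { r_offset: 0x00, r_type: R_AARCH64_RELATIVE, r_sym: 0, r_addend: 0x100 },
        Rela { r_offset: 0x08, r_type: R_AARCH64_ABS64, r_sym: 1, r_addend: 8 },
        Rela { r_offset: 0x10, r_type: R_AARCH64_JUMP_SLOT, r_sym: 2, r_addend: 0 },
    ];
    // Constructed address for the external symbol.
    let resolve = |name: &str| -> Option<u64> {
        if name == "dlopen" { Some(0x7fff_1234_0000) } else { None }
    };
    apply_all(&mut image, DEMO_BASE, &syms, &relas, &resolve).expect("demo relocations apply");
    image
}

fn main() {
    let image = demo();
    for off in [0x00usize, 0x08, 0x10] {
        println!("slot 0x{:02x} = 0x{:x}", off, read_slot(&image, off));
    }
}
```

The error variants are the useful part when triaging a dump: an `UnresolvedSymbol` corresponds to a slot that would be left as zero and fault on first use, which is the symptom the backtrace-and-guess procedure above is chasing, while `UnknownType` flags an entry whose type the loader does not yet handle rather than silently skipping it.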