1import angr 2 3###################################### 4# __libc_init 5# 6# Refer to http://androidxref.com/5.1.1_r6/xref/bionic/libc/bionic/libc_init_dynamic.cpp 7# and http://androidxref.com/5.1.1_r6/xref/bionic/libc/private/KernelArgumentBlock.h 8# raw_args points to argc, *argv, and *envp located on the stack 9# unused is always zero 10# slingshot points to main() 11# structors points to PRE_INIT_ARRAY, INIT_ARRAY, and FINI_ARRAY 12###################################### 13class __libc_init(angr.SimProcedure): 14 #pylint:disable=arguments-differ,unused-argument,attribute-defined-outside-init 15 16 ADDS_EXITS = True 17 NO_RET = True 18 local_vars = ('main', 'argc', 'argv', 'envp') 19 20 def run(self, raw_args, unused, slingshot, structors): 21 offset = self.state.arch.bytes 22 readlen = self.state.arch.bytes 23 endness = self.state.arch.memory_endness 24 self.main = slingshot 25 self.argc = self.state.memory.load(raw_args + 0 * offset, readlen, endness=endness) 26 argc_val = self.state.solver.eval(self.argc) 27 self.argv = self.state.memory.load(raw_args + 1 * offset, readlen, endness=endness) 28 self.envp= self.state.memory.load(raw_args + (1 + argc_val + 1) * offset, readlen, endness=endness) 29 # TODO: __cxa_atexit calls for various at-exit needs 30 self.call(self.main, (self.argc, self.argv, self.envp), 'after_slingshot') 31 32 def after_slingshot(self, raw_args, unused, slingshot, structors, exit_addr=0): 33 self.exit(0) 34