[eresi-dev] Loader Document

Julien Vanegue jvanegue at gmail.com
Fri May 15 19:33:50 UTC 2009


Short answer: I don't know where BX(r6) points to and I don't have a machine
to check it now (and also no time).

Long answer:

0. Disable ASLR
1. Determine with elfsh or objdump what is the relative address for that
instruction in ld.so.
2. Fire up gdb on some arm program and put a breakpoint on main.
3. Do "info target" and determine what is the base address of ld.so.
4. Compute the absolute address of the BX instruction using base + offset
5. Do a gdb script that puts a breakpoint on the BX instruction (execute it
using gdb -x) with the previously gathered absolute addr, then step the
program until that address is reached (using a while loop in the gdb script).
6. When the breakpoint is reached, step the instruction. You now know the
destination.

You also have another solution, which is to look at the initialization code
of the loader (there is some assembler part in it, some assembler ARM code
must be there..) and determine from there what is the value of R6. There
must be some previous instruction that is setting the register, but again I
don't have time right now to check it out.

Note that you cannot use kedbg for that because kedbg is for -kernel mode
debugging-, and what you are talking about is a userland problem.

Good luck!

Julien
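The "base + offset" computation and the gdb command file from the steps above, written out as an added example (this is not part of Julien's mail or of ERESI); the `info target` and `objdump -h` lines, the ld.so path and the 0x1234 instruction offset are constructed placeholders you would replace with the values gathered in steps 1 and 3:

```bash
#!/usr/bin/env bash
# Added example: compute the absolute address of an instruction inside ld.so
# from gdb's "info target" output plus the file-relative address, and emit the
# gdb command file to run with "gdb -x".

# Constructed sample data standing in for real gdb / objdump output.
SAMPLE_INFO_TARGET='0x40000a00 - 0x40015000 is .text in /lib/ld-linux.so.3
0x40015000 - 0x40015400 is .rodata in /lib/ld-linux.so.3'
SAMPLE_OBJDUMP_H='  0 .hash         00000100  00000800  00000800  00000800  2**2
  1 .text         00014600  00000a00  00000a00  00000a00  2**4'
BX_FILE_OFFSET=0x1234   # constructed; take the real value from elfsh/objdump -d

# Runtime load base of a shared object: where gdb reports .text in memory,
# minus the .text VMA recorded in the file (for ld.so the VMA is tiny, so
# this is nearly the first mapped address, but the subtraction is exact).
ldso_base() {
    local info_target="$1" objdump_h="$2" ldso="$3"
    local mem_text file_text
    # "info target" line: "0xSTART - 0xEND is .text in /path/to/ld.so"
    mem_text=$(printf '%s\n' "$info_target" |
        awk -v so="$ldso" '$4 == "is" && $5 == ".text" && $NF == so { print $1 }')
    # "objdump -h" line: "Idx Name Size VMA LMA File-off Algn"
    file_text=$(printf '%s\n' "$objdump_h" | awk '$2 == ".text" { print "0x" $4 }')
    [ -n "$mem_text" ] && [ -n "$file_text" ] || return 1
    printf '0x%x\n' $(( $mem_text - $file_text ))
}

# Step 4 of the procedure: absolute = base + file-relative offset.
abs_addr() { printf '0x%x\n' $(( $1 + $2 )); }

# Step 5/6: break on the absolute address, then one stepi lands on the
# BX destination. Randomization is turned off inside gdb (step 0).
gdb_script() {
    cat <<EOF
set disable-randomization on
break *$1
run
stepi
printf "BX destination: 0x%08x\n", \$pc
x/i \$pc
EOF
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    base=$(ldso_base "$SAMPLE_INFO_TARGET" "$SAMPLE_OBJDUMP_H" /lib/ld-linux.so.3)
    gdb_script "$(abs_addr "$base" "$BX_FILE_OFFSET")"   # redirect to bx.gdb
fi
```

Save the emitted commands to a file and run `gdb -x bx.gdb ./arm_program`; if the breakpoint is never hit, the base was taken from a run with ASLR still enabled.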



On Wed, May 13, 2009 at 7:27 AM, naveen yadav <yad.naveen at gmail.com> wrote:

> Hi ,
>
> I have gone through the Loader Documentation and it is very good documentation.
>
> I have a small question about the flow in the Loader and the executable.
>
> 1. In dl_machine.h there is the _start function which is the entry point of the Loader.
>
> It executes _dl_start() and _dl_init(), and
>
> it executes " BX(r6) "\n\ in the ARM case. (My question is where BX(r6) jumps.)
>
> 1. Does it jump to the _start function of the executable?
> 2. If my executable has a global constructor, where does it get initialised: is it
> in the loader or is it after _start?
>
> thanks & regards
>
> Naveen
> _______________________________________________
> eresi-dev mailing list
> eresi-dev at lists.einherjar.de
> http://lists.einherjar.de/mailman/listinfo/eresi-dev