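#!/bin/sh
#
# Author: DooMLoRD@XDA
#
# Script to extract and search for required address for perf_event exploit
#
# Usage:
#   extract_address_and_disassemble zImage
#
# Output (all written to the current directory):
#   kernel.Image  - the decompressed kernel image
#   kallsyms.txt  - symbol table dumped by ./kallsymsprint.x86
#   addresses.txt - this will contain the 5 crucial addresses from the kallsyms
#                   (the file is appended to, so entries from a previous run
#                   are kept)
#   *.dasm        - this will contain the disassembled kernel functions
#
# Requirements: GNU grep with PCRE support (-P), dd, xz, lzop, gzip and the
# helper binaries ./kallsymsprint.x86, ./arm7-dasm, ./get-ptmx_fops and
# ./get-perf_swevent_enabled in the working directory.  POSIX sh only; no
# bashisms.

# Print the byte offset of a compression magic string inside a file, or
# nothing when the magic is not found.
#   $1   - PCRE pattern for the magic bytes
#   $2   - file to search
#   $3.. - extra grep options (the XZ and GZ probes pass -m 1)
# `tail -1` keeps a single offset when grep reports several matches.
find_magic() {
  pattern=$1
  image=$2
  shift 2
  grep -P -a -b "$@" --only-matching -- "$pattern" "$image" | tail -1 | cut -d: -f 1
}

# Feed the compressed payload that starts at byte offset $2 of $1 into the
# decompressor given as $3...  `dd bs=<offset> skip=1` skips exactly the
# first <offset> bytes, so the stream starts at the magic bytes.  Output
# redirection (or lzop -o) is left to the caller.
unpack_from() {
  image=$1
  offset=$2
  shift 2
  dd if="$image" bs="$offset" skip=1 | "$@"
}

ZIMAGE=$1
# Without an argument the original probe made grep read stdin and hang;
# fail early with a usage line instead.
if [ -z "$ZIMAGE" ] || [ ! -f "$ZIMAGE" ]; then
  echo "Usage: ${0##*/} zImage" >&2
  exit 1
fi

echo "Searching for zImage compression"
# following is only for kernels packed with XZ compression
LOC1=$(find_magic '\xfd7zXZ\x00' "$ZIMAGE" -m 1)
if [ -n "$LOC1" ]; then
  echo "XZ compression detected"
  echo "Unpacking zImage"
  unpack_from "$ZIMAGE" "$LOC1" xz -dc > kernel.Image
else
  # following is only for kernels packed with LZO compression
  # NOTE(review): unlike the XZ and GZ probes this one has no -m 1, so
  # `tail -1` selects the *last* LZO magic in the file rather than the
  # first; kept as the author wrote it.
  LOC1=$(find_magic '\x89LZO\x00' "$ZIMAGE")
  if [ -n "$LOC1" ]; then
    echo "LZO compression detected"
    echo "Unpacking zImage"
    unpack_from "$ZIMAGE" "$LOC1" lzop -do kernel.Image
  else
    # following is only for kernels packed with GZ compression
    LOC1=$(find_magic '\x1f\x8b\x08' "$ZIMAGE" -m 1)
    if [ -n "$LOC1" ]; then
      echo "GZ compression detected"
      echo "Unpacking zImage"
      unpack_from "$ZIMAGE" "$LOC1" gzip -dc > kernel.Image
    else
      echo "Unsupported compression!"
    fi
  fi
fi

if [ -n "$LOC1" ]; then
  # -s rather than -e: a failed decompressor still leaves an empty
  # kernel.Image behind because of the shell redirection, and that must
  # not be mistaken for a successful unpack.
  if [ -s kernel.Image ]; then
    echo "DONE unpacking zImage"
    echo "Grabbing addresses"
    ./kallsymsprint.x86 kernel.Image > kallsyms.txt
    # Leading space anchors the match to the symbol-name column.
    grep " prepare_kernel_cred" kallsyms.txt >> addresses.txt
    grep " commit_creds" kallsyms.txt >> addresses.txt
    grep " remap_pfn_range" kallsyms.txt >> addresses.txt
    echo "Disassembling kernel for specific functions"
    # c0008000 is the load address handed to the disassembler by the author.
    ./arm7-dasm kernel.Image c0008000 pty_init kallsyms.txt > pty_init.dasm
    ./arm7-dasm kernel.Image c0008000 sw_perf_event_destroy kallsyms.txt > sw_perf_event_destroy.dasm
    echo "searching for ptmx_fops"
    ADDR_PTMX_FOPS=$(./get-ptmx_fops pty_init.dasm)
    # printf: the helper output is data, never an echo option or escape.
    printf '%s\n' "$ADDR_PTMX_FOPS = (hexdec addition) ptmx_fops" >> addresses.txt
    echo "searching for perf_swevent_enabled"
    ADDR_SWPREF=$(./get-perf_swevent_enabled sw_perf_event_destroy.dasm)
    printf '%s\n' "$ADDR_SWPREF perf_swevent_enabled" >> addresses.txt
  else
    echo "ERROR! unpacking zImage"
  fi
else
  echo "ERROR! zImage has different compression"
fi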