Segfaults With Polycrypt Tutorial


(Israel) #1

Had a question about this tutorial:

I’ve tried double-checking the code several times. Even tried pulling it off this github to ensure I wasn’t missing anything:

https://raw.githubusercontent.com/0x00pf/0x00sec_code/master/crypter/polycrypt.c

Every time I try to run it I get the following though:

$ ./polycrypt
mprotect:: Cannot allocate memory
Segmentation fault

At first I thought this may be some security feature on my device that was preventing that. However, I was able to execute the code in the link below that also calls mprotect without issue:

https://shanetully.com/2013/12/writing-a-self-mutating-x86_64-c-program/

I was very far from running low on memory with my device, so I do not think this was due to low resources. I suspect that as I’m using x86_64, maybe some of the offsets and code in polycrypt.c were to be used with i386?

That’s just a guess, but I’m interested in anyone’s thoughts on this.


(pico) #2

Hi @ph33r

Looks like the error you are actually getting is ENOMEM (check the mprotect man page for details). This normally means that the address you are passing as a parameter is wrong. So my best guess is that you have generated a PIE binary.

To play with the program, compile it as a normal binary (-no-pie flag?). Otherwise you can try to fix polycrypt to work with PIE binaries, which is, I think, an interesting exercise.

Let me know if that is the case (a PIE binary). Otherwise I may need more details to figure out what is wrong as the program works fine in all my boxes.


(fxbg) #3

Compiled fine for me with gcc with no flags.


(Israel) #4

I found ‘-no-pie’ wasn’t in the Makefile from the github, but added it like so:

$ cat Makefile
all: prog crypter_rt polycrypt

crypter_rt: crypter_rt.c
	${CC} -no-pie -Wall -o $@ $<

prog: prog.c
	${CC} -no-pie -Wall -o $@ $<

polycrypt: polycrypt.c
	${CC} -no-pie -Wall -o $@ $<

.PHONY: clean
clean:
	rm prog crypter_rt polycrypt

After that it ran perfectly. Much thanks!


(pico) #5

Now you can try to make it work with PIE binaries. Hint: Check /proc/PID/maps to figure out the real address at run-time.

Do not forget to make a PR on my repo if you make it work :wink:

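To make the ENOMEM explanation in #2 and the /proc/PID/maps hint in #5 concrete, here is a small probe program. It is an added example written for this thread, not code from the 0x00sec_code repository or from polycrypt itself; the names `target`, `load_bias`, `exe_base_from_maps`, `make_rwx`, `make_rx`, `target_link_addr` and `target_runtime_addr` are my own. It computes the load bias of the running executable with `dl_iterate_phdr`, recovers the executable's base from /proc/self/maps the way pico suggests, and then calls `mprotect` twice on the page holding `target()`: once with the link-time address (what a hard-coded constant in polycrypt amounts to) and once with the run-time address. In a PIE build the first call fails with ENOMEM, matching the error in #1, and the second succeeds; in a -no-pie build the two addresses are identical and both succeed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <link.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Stand-in for the function polycrypt rewrites in place. */
int target(int x) { return x + 1; }

static uintptr_t page_size(void) { return (uintptr_t)sysconf(_SC_PAGESIZE); }
static uintptr_t page_start(uintptr_t a) { return a & ~(page_size() - 1); }

/* dl_iterate_phdr reports the main executable first; its dlpi_addr is the
 * load bias (run-time address minus link-time address): 0 for a -no-pie
 * binary, the ASLR slide for a PIE. */
static int first_object_cb(struct dl_phdr_info *info, size_t size, void *out)
{
    (void)size;
    *(uintptr_t *)out = (uintptr_t)info->dlpi_addr;
    return 1; /* non-zero stops the iteration after the first object */
}

uintptr_t load_bias(void)
{
    uintptr_t bias = 0;
    dl_iterate_phdr(first_object_cb, &bias);
    return bias;
}

int is_pie(void) { return load_bias() != 0; }

/* pico's hint: scan /proc/self/maps for the first mapping whose path is our
 * own executable (as given by /proc/self/exe). Returns 0 if not found. */
uintptr_t exe_base_from_maps(void)
{
    char exe[4096], line[4096 + 128], path[4096], perms[8];
    ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
    if (n < 0)
        return 0;
    exe[n] = '\0';

    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return 0;
    uintptr_t base = 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        /* line format: start-end perms offset dev inode [pathname] */
        int got = sscanf(line, "%lx-%lx %7s %*s %*s %*s %4095s", &lo, &hi, perms, path);
        if (got == 4 && strcmp(path, exe) == 0) {
            base = (uintptr_t)lo;
            break;
        }
    }
    fclose(f);
    return base;
}

/* Make the page containing addr RWX. Returns 0 or the errno mprotect set.
 * A link-time address used inside a PIE process is not mapped, so the call
 * fails with ENOMEM: "Cannot allocate memory", the message quoted in #1. */
int make_rwx(uintptr_t addr)
{
    if (mprotect((void *)page_start(addr), page_size(),
                 PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return errno;
    return 0;
}

/* Put the page back to r-x once patching is done. */
int make_rx(uintptr_t addr)
{
    if (mprotect((void *)page_start(addr), page_size(), PROT_READ | PROT_EXEC) != 0)
        return errno;
    return 0;
}

/* Run-time address of target(), and the link-time address that a hard-coded
 * constant (e.g. one copied from `nm`) would hold. Equal only for -no-pie. */
uintptr_t target_runtime_addr(void) { return (uintptr_t)target; }
uintptr_t target_link_addr(void) { return target_runtime_addr() - load_bias(); }

int main(void)
{
    int rc;
    printf("PIE: %s, load bias %#lx, exe base from /proc/self/maps %#lx\n",
           is_pie() ? "yes" : "no", (unsigned long)load_bias(),
           (unsigned long)exe_base_from_maps());

    rc = make_rwx(target_link_addr());
    printf("mprotect(link-time %#lx): %s\n", (unsigned long)target_link_addr(),
           rc ? strerror(rc) : "ok");

    rc = make_rwx(target_runtime_addr());
    printf("mprotect(run-time  %#lx): %s\n", (unsigned long)target_runtime_addr(),
           rc ? strerror(rc) : "ok");
    if (rc == 0) {
        printf("target(41) = %d with its page RWX\n", target(41));
        make_rx(target_runtime_addr());
    }
    return 0;
}
```

Build it once with plain `gcc` (PIE on current distros) and once with `gcc -no-pie` and compare the two outputs. The fix for polycrypt is the same idea: either take the address of the code to decrypt from a symbol at run time, or read the base from /proc/self/maps and add the symbol's offset to it, instead of baking in a link-time address. One caveat: on a box with SELinux enforcing `execmod`/`execmem` denials, even the run-time `mprotect` to RWX can fail, but with EACCES rather than ENOMEM, so the errno still tells the two situations apart.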

(Israel) #6

Well, I would make a pull request, but it seems github just flagged my account. Guess they don’t like privacy settings. I contacted them, but not sure how long it will take for them to review it. I’ll try to do that when/if they let me back on. lol