How to call a Linux shared library without any documentation

Source: Internet
Author: User

Introduction

The Moto E2 is a cost-effective Linux smartphone, but for commercial reasons its native graphics library SDK has never been released, which greatly reduces its competitiveness and extensibility. Based on my experience writing my own applications for it, this article describes how to reconstruct the corresponding header file and write program code against the library without any documentation to go on.

Note: This article is not intended for ordinary mobile phone users. To follow it comfortably, please first acquire the relevant C/C++ and compiler knowledge. Of course, given my own limitations, there may be errors or even outright mistakes, and experts are welcome to discuss them. In addition, the method described here is not limited to the ezx graphics library of the Moto E2; in theory it can be applied to any similar environment.

I. Principles

To make use of these shared libraries without documentation, you first have to understand how programs are compiled and linked on Linux. The following assumes that the shared library in question is a foundation of the system (for example, the graphics library of the Moto E2 is ezx, an extended graphics library based on Qt 2.3.8, and that is the part we need to work with). Otherwise, if the library is not shared across the system (only used by the current program), there is no practical value in the effort.

A Linux program can use a library in three ways:

1. Link a .a library at compile time. The library code is copied into the generated binary, which then runs without the .a file.

2. Link a .so library at compile time, using it as a reference while generating the binary. The binary depends on the .so file at runtime.

3. Open the .so library dynamically at runtime (dlopen) and call into it. The compiler does not depend on the .so files at all, but the program needs them at runtime.

Given the situation, the first method is ruled out immediately, because a release build will not ship a static .a library. The third method is unsuitable because the compiler never checks anything against the library, so we cannot correctly verify the types of the functions involved, which makes the reverse-engineering inefficient; a more important reason will be mentioned later. Therefore the second method is the appropriate choice.

So what do we need in order to compile a program correctly with the second method?

First, the source code, that is, the program we actually write. Second, the .so library, which is the basis on which our program runs. Finally, the header file that connects the program and the .so library; this header describes what the .so library provides. (Of course, a matching GCC toolchain is essential too.)

The source file is something we write, and the .so file can be copied off the target system. What we lack is the corresponding header file. As long as we obtain this header file, we can freely compile programs against the target system.

In addition, the binding between a binary executable built this way and the .so library relies on the textual function name at each call site, and that is the basis of the whole approach.

II. Exporting the function list

Most people can use the simple nm command to export the list of functions a shared library provides, since the corresponding GCC toolchain can be found and the .so copied off the device. You only need to name the shared library (in this example the library is called a.so):

arm-linux-nm -gsDC --format=bsd --defined-only a.so

Of course, set the correct environment variables before running this command. This article focuses on the principles, so these implementation details are not covered rigorously. You can also invoke nm with other options, but the parameters above give at least satisfactory results.

This exports the list of functions the library file provides. For example, the exported function list of one .so file looks like this:

...
4184cde8 T colortostring(QColor)
418ab0c4 T setlanguageid(int)
4184cb70 T stringtocolor(QString)
....
41a21244 T kbaltitems::initMetaObject()
41a21358 T kbaltitems::staticMetaObject()
41a21424 T kbaltitems::signalchooserresults(int, int, QString const&, int)
41a212b8 T kbaltitems::tr(char const*)
......

From this we can recover the corresponding function declarations. The only thing missing is the return type. Fortunately, a basic library tends to follow good naming conventions, so we can usually guess the return type from the function name. Of course, this takes some experience and a bit of luck.

For example:

4184cde8 T colortostring(QColor)
4184cb70 T stringtocolor(QString)

These two functions are obviously a matched pair that convert between colours and strings, so the correct form is easily obtained:

QString colortostring(QColor);
QColor stringtocolor(QString);

Declaring such a function directly in our program and linking against the corresponding .so file at compile time, it compiles successfully and can be used to serve our program.

Of course, in many cases the return type is not so easy to read off. Sometimes directly declaring some functions as returning void is a good compromise.

If your target is a pure C shared library, congratulations! You have now worked it out and can use it. Of course, since you opened this article, your target system is probably not written in pure C. So what should be done with a C++ shared library?

III. Handling C++ exported functions

Turning the exported C++ functions back into a class that can be used normally is a long process. Along the way, good technique and rich experience are not enough: good luck and a patient temperament are what decide whether a system can be handled at all. (Laugh; I think the SDK I exported is only half usable precisely because these were lacking.)

First of all, we need to be clear that inside the .so there is nothing but a flat list of functions. The member functions of any class are just ordinary functions with stranger names than C functions. This may differ from what everyone imagines, but it is the fundamental reason we chose the second of the three methods above.

Therefore, any idea that the .so holds correct layout information about its classes is unrealistic and impractical: at its root the shared library has no notion of C++ at all; everything is the compiler's handiwork.

To get around this, the first step is to turn the function list for a class back into class form (using the result fragment shown above):

class kbaltitems
{
public:
    void initMetaObject();
    void staticMetaObject();
    void signalchooserresults(int, int, QString const&, int);
    void tr(char const*);
};

(Because of peculiarities of this system, the special handling some functions need is not discussed in this article.)
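The two manual steps above, reading demangled nm lines and regrouping the `Class::method` entries into a class skeleton with placeholder return types, can be automated. The following is an added example written for this article, not code from the original author; it parses the BSD-format nm output shown above (the sample lines are constructed from it and embedded inline) and emits the same kind of stand-in header. It assumes nm was run with -C so that the names are already demangled, and it writes `void` for every return type, which the reader then corrects by hand as described.

```cpp
#include <cstddef>
#include <cstdio>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// One exported function as recovered from a demangled nm line.
struct Symbol {
    std::string cls;   // empty for a free (non-member) function
    std::string name;  // function name without the class prefix
    std::string args;  // parameter list without the surrounding parentheses
};

// Parse one line of `nm -gDC --format=bsd --defined-only` output:
//   "<address> <type> <demangled signature>"
// Returns false for separator lines and anything that is not a defined
// code symbol with a parameter list.
bool parseNmLine(const std::string& line, Symbol& out) {
    std::istringstream in(line);
    std::string addr, type;
    if (!(in >> addr >> type) || type.size() != 1) return false;
    if (type != "T" && type != "W") return false;   // code symbols only
    std::string sig;
    std::getline(in, sig);
    const std::size_t open = sig.find('(');
    const std::size_t closeParen = sig.rfind(')');
    if (open == std::string::npos || closeParen == std::string::npos ||
        closeParen < open) return false;
    std::string qualified = sig.substr(0, open);
    qualified.erase(0, qualified.find_first_not_of(' '));
    out.args = sig.substr(open + 1, closeParen - open - 1);
    const std::size_t sep = qualified.rfind("::");
    if (sep == std::string::npos) {
        out.cls.clear();
        out.name = qualified;
    } else {
        out.cls = qualified.substr(0, sep);
        out.name = qualified.substr(sep + 2);
    }
    return true;
}

// Emit a stand-in header: free functions first, then one class per
// "Class::" prefix. Every return type is a `void` placeholder to be
// corrected by hand; constructors and destructors get no return type.
std::string generateHeader(const std::vector<std::string>& lines) {
    std::vector<Symbol> freeFuncs;
    std::map<std::string, std::vector<Symbol>> classes;
    for (const std::string& line : lines) {
        Symbol s;
        if (!parseNmLine(line, s)) continue;
        if (s.cls.empty()) freeFuncs.push_back(s);
        else classes[s.cls].push_back(s);
    }
    std::ostringstream h;
    for (const Symbol& s : freeFuncs)
        h << "void " << s.name << "(" << s.args << ");  // TODO: return type\n";
    for (const auto& kv : classes) {
        h << "\nclass " << kv.first << "\n{\npublic:\n";
        for (const Symbol& s : kv.second) {
            const bool ctorOrDtor =
                (s.name == kv.first) || (!s.name.empty() && s.name[0] == '~');
            h << "    " << (ctorOrDtor ? "" : "void ") << s.name
              << "(" << s.args << ");  // TODO: return type\n";
        }
        h << "};\n";
    }
    return h.str();
}

// Constructed sample: the nm lines quoted in the article, plus the "..."
// separators that the parser has to skip.
std::vector<std::string> sampleNmOutput() {
    return {
        "...",
        "4184cde8 T colortostring(QColor)",
        "418ab0c4 T setlanguageid(int)",
        "4184cb70 T stringtocolor(QString)",
        "....",
        "41a21244 T kbaltitems::initMetaObject()",
        "41a21358 T kbaltitems::staticMetaObject()",
        "41a21424 T kbaltitems::signalchooserresults(int, int, QString const&, int)",
        "41a212b8 T kbaltitems::tr(char const*)",
        "......",
    };
}

int main() {
    std::printf("%s", generateHeader(sampleNmOutput()).c_str());
    return 0;
}
```

Pipe the real nm output into a file and feed its lines to generateHeader to get a first draft of the header; the output is deliberately naive (no inheritance, no member variables) because, as the next paragraphs explain, the symbol table carries none of that information.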

Of course, since these are exported functions they must be visible, so all members are public. At this point the class compiles and links correctly, but unfortunately, as soon as you use it, no matter how, it crashes immediately with a segmentation fault.

The reason is actually very simple: this class definition does not define the correct member variables.

Whether an object is declared directly or created with new, its size is fixed at compile time, and that size is derived from the class definition in the header file. Our reconstructed class contains no member variables, so its size is 4 (why a class object with nothing in it still occupies four bytes is another story). As soon as one of these member functions is called and touches the member variables it "believes" exist, it accesses memory that does not belong to the object, triggering a memory exception; a segmentation fault is the usual result.

Since the .so contains no class layout information, is it impossible to use a class correctly? Not necessarily. In fact there is a very crude way around the problem, and it is the only point in this article worth showing off:

Add char tmp[X] to the class definition as a member variable.

A suitable value of X can be found by simple trial. Try it: does the class that could not run before now run correctly?

The principle is also very simple. Since the object does not have enough space to execute properly, we allocate enough space for it so that it can.

With this, the source code, the library and the header file are all in hand. Can the application be far away?
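The "simple trial" for X can be made precise with a canary. The following is an added example, not the original author's code: a hypothetical KbAltItemsImpl stands in for the layout the .so really uses (the real layout is exactly what the stripped library does not reveal, so this one is constructed), and stubHolds(n) simulates declaring char tmp[n] and calling the real initializer on an object of that size, with a marker placed directly behind the object. If the marker is overwritten, the real code wrote past the end of the undersized object, which on a live system is the segmentation fault described above. The noinline attribute is GCC/Clang-specific and is there only to keep the compiler from seeing through the simulation.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical stand-in for the layout the .so really uses for kbaltitems
// (constructed for this example). Fields are ordered so the struct has no
// padding bytes on either 32-bit or 64-bit targets, so every byte of the
// object is written by init().
struct KbAltItemsImpl {
    void*       self;      // pointer-sized field
    std::size_t count;     // pointer-sized field
    char        name[8];

    // Plays the role of the exported kbaltitems::initMetaObject(): it
    // writes every member, which a too-small object cannot survive.
    __attribute__((noinline)) void init() {
        self = this;
        count = 1;
        std::memcpy(name, "kbaltitm", sizeof name);
    }
};

// Simulates "declare char tmp[stubSize] and try": allocate an object of
// exactly that size, place a canary right behind it, run the real
// initializer, and report whether the canary survived. false means the
// stub is too small: the library code wrote past the end of the object.
bool stubHolds(std::size_t stubSize) {
    const std::uint32_t canary = 0x5A5A5A5Au;
    std::vector<unsigned char> probe(stubSize + sizeof canary, 0);
    std::memcpy(probe.data() + stubSize, &canary, sizeof canary);
    auto* obj = reinterpret_cast<KbAltItemsImpl*>(probe.data());
    obj->init();
    std::uint32_t after = 0;
    std::memcpy(&after, probe.data() + stubSize, sizeof after);
    return after == canary;
}

// The article's trial-and-error search for X, automated: the smallest
// tmp[] size at which the canary survives. Returns 0 if no size up to
// maxSize works.
std::size_t findMinStubSize(std::size_t maxSize = 256) {
    for (std::size_t n = 1; n <= maxSize; ++n)
        if (stubHolds(n)) return n;
    return 0;
}

int main() {
    std::printf("sizeof(KbAltItemsImpl)      = %zu\n", sizeof(KbAltItemsImpl));
    std::printf("char tmp[4] survives init   : %s\n", stubHolds(4) ? "yes" : "no");
    std::printf("smallest working tmp[] size : %zu\n", findMinStubSize());
    return 0;
}
```

On a real device the "canary" is whatever happens to sit next to the object, so the symptom is a crash or silent corruption rather than a clean report; the point of the probe is that the smallest X which survives is the true object size, and anything smaller is an out-of-bounds write waiting to happen.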

Conclusion

In fact, constructing a usable class takes far more than this. First, we have to work out how the class is meant to be used. Second, the inheritance relationships between classes can only be "guessed within limits" from the correlation between the class functions and the class names. Of course, the crude solution above means we do not have to reserve precisely enough space to cover every parent class, nor analyse the entire system architecture in depth; without it, nothing could be linked at all. Finally, enumerations can be handled by casting int values, but plain structs have to be abandoned outright, because nothing but the name survives; the only way to interpret them is to read the disassembled code thoroughly, which takes far too much time.

One last small trick: classes that are hard to use (for example, ones that take other classes as parameters) can simply be commented out, and functions that exist only to satisfy the linker and are never called need no treatment at all.

I wish every programmer who wants to get satisfactory results out of such systems good luck ^o^.
