[Old Tutorial] Bypassing PIE security check (Android 5.0 up) (Archived)

Old tutorial by s810car – boards.libre.io. This has been archived here

Hi all, pretty new to alphagamers, been checking out the site as I am aspiring to increase my programming/hacking knowledge esp. when it comes to Android, so thought I'd join. I had a request from a member to bring over a tutorial I wrote for fixing a new issue on Android 5.0 and up. A few modders ran into this issue using gdb and I recently solved this issue myself after some research, and as I will be trying to gain knowledge here as well, in the spirit of the old Scene mantra "no leeching!" I will also share knowledge whenever I can.

Bypassing PIE (position independent executable) check
This is a solution for this error specifically: running gdb (or other busybox script) gives this error: "error: only position independent executables (PIE) are supported." If that's your error, read on.
Background - I ran into this problem recently, trying to debug an app by getting a memory dump first. I never had the problem before, but this was my first attempt on Android L. After researching, I found an ideal solution supplied (can't do link, google "bypass pie check XDA"), and, if you happen to have the same type of phone, you can stop reading this as the zip file should work when flashed. It did nothing for me, and after reading the problems people were having after flashing (PSA: read comments on files BEFORE putting them on your device, I got lucky and had no issue but it could have been worse) I decided this wouldn't work for me. After reading more though, I found what I really needed was in this code here (source: orig tutorial)

 

3a06:       f8c6 5098       str.w   r5, [r6, #152]  ; 0x98
3a0a:       f8c6 4100       str.w   r4, [r6, #256]  ; 0x100
3a0e:       8a0a            ldrh    r2, [r1, #16]
3a10:       2a03            cmp     r2, #3
3a12:       d007            beq.n   3a24 // change to e007 (b.n)
3a14:       4992            ldr     r1, [pc, #584]  ; (3c60)
3a16:       2002            movs    r0, #2
3a18:       4479            add     r1, pc

 

Specifically, 3a12: d007 beq.n 3a24 // change to e007 (b.n)
So, I decided to dig into it myself and see if I could do anything.
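To see why the XDA fix is a one-byte change, here is an added example (my own, not from the original post or the XDA thread) that decodes the two 16-bit Thumb branch encodings involved: d007 is "beq.n" with an 8-bit offset, e007 is "b.n" with the same offset, and in little-endian byte order only the high byte (D0 vs E0) differs. The addresses used are the ones quoted on this page.

```python
import struct

# Condition field names for the 16-bit conditional branch (B<c>, Thumb T1 encoding);
# cond values 0xE/0xF encode UDF/SVC, not branches, so they are rejected below.
COND_NAMES = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
              "hi", "ls", "ge", "lt", "gt", "le"]

def decode_branch(addr, halfword):
    """Decode a 16-bit Thumb branch located at `addr`; return (mnemonic, target).

    1101 cccc iiiiiiii -> b<cond>.n (signed 8-bit offset, in halfwords)
    11100 iiiiiiiiiii  -> b.n       (signed 11-bit offset, in halfwords)
    In Thumb state the PC used for the offset is the instruction address + 4.
    """
    pc = addr + 4
    if (halfword >> 12) == 0xD and ((halfword >> 8) & 0xF) < 0xE:
        cond = (halfword >> 8) & 0xF
        imm = halfword & 0xFF
        if imm & 0x80:              # sign-extend the 8-bit offset
            imm -= 0x100
        return "b" + COND_NAMES[cond] + ".n", pc + imm * 2
    if (halfword >> 11) == 0x1C:
        imm = halfword & 0x7FF
        if imm & 0x400:             # sign-extend the 11-bit offset
            imm -= 0x800
        return "b.n", pc + imm * 2
    raise ValueError("not a 16-bit Thumb branch: 0x%04x" % halfword)

def unconditional(halfword):
    """Rewrite a b<cond>.n halfword as b.n with the same (sign-extended) offset."""
    mnem, _ = decode_branch(0, halfword)
    if mnem == "b.n":
        return halfword
    imm = halfword & 0xFF
    if imm & 0x80:
        imm -= 0x100
    return 0xE000 | (imm & 0x7FF)

def branch_bytes(halfword):
    """Little-endian byte order, as it appears in the hex editor (e.g. '07 D0')."""
    return " ".join("%02X" % b for b in struct.pack("<H", halfword))

if __name__ == "__main__":
    # The XDA listing (0x3a12) and the IDA listing on this page (0x3890) both hold d007.
    for addr, hw in ((0x3A12, 0xD007), (0x3890, 0xD007)):
        mnem, target = decode_branch(addr, hw)
        patched = unconditional(hw)
        print("%04x: %s %s %04x -> %s %s %04x" % (
            addr, branch_bytes(hw), mnem, target, branch_bytes(patched),
            *decode_branch(addr, patched)))
```

Because the offset (7 halfwords) fits in the low byte, only the condition nibble changes, which is why the hex edit is a single byte at the branch address + 1.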

What I used:
IDA Pro 32 bit (I used the paid version; it's not necessary here, the free version can do as well)
Any good hex editor (my fav is UltraEdit, but WinHex, etc. don't matter)
Rooted phone, you need to move files and change permissions
A file explorer WITH root access (ES file explorer, Root Explorer)

Step 1:
Find the file named "linker" in your ./system/bin directory. Copy it onto the computer you will be working on.

Step 2:
Fire up IDA Pro 32 bit. When you load the linker file for disassembly, leave the default settings (ELF file, metapc engine). Let it do its thing.

Step 3:
Go to View -> Open Subviews -> Strings. Look for the string that says

 

.rodata:0000B1F9 00000043 C error: only position independent executables (PIE) are supported.\n

 

The address your line is on may be different, but the text won't change (dumb fact: obviously the reason the flashed zip I tried failed is that my linker has a different address to change the value at, duh me lol). Double click the line and it'll go to

 

.rodata:0000B1F9 aErrorOnlyPosit DCB "error: only position independent executables (PIE) are supported"
.rodata:0000B1F9                                         ; DATA XREF: __dl___linker_init+3D6o
.rodata:0000B1F9                                         ; .text:off_3BDCo
.rodata:0000B1F9                 DCB ".",0xA,0

 

Again, the address will be specific to your file. Double click the XREF to go to the actual subroutine, scroll up 10-15 lines or so, and you'll see this:

 

.text:0000387C loc_387C                                ; CODE XREF: __dl___linker_init+390j
.text:0000387C                                         ; __dl___linker_init+3B6j
.text:0000387C                 LDR.W           R1, [R4,#0x8C]
.text:00003880                 MOVS            R5, #0
.text:00003882                 MOVS            R6, #1
.text:00003884                 STR.W           R5, [R4,#0x98]
.text:00003888                 STR.W           R6, [R4,#0x100]
.text:0000388C                 LDRH            R3, [R1,#0x10]
.text:0000388E                 CMP             R3, #3
.text:00003890                 BEQ             loc_38A2
.text:00003892 ; ---------------------------------------------------------------------------
.text:00003892                 LDR             R1, =(aErrorOnlyPosit - 0x389A)
.text:00003894                 MOVS            R0, #2
.text:00003896                 ADD             R1, PC  ; "error: only position independent execut"...
.text:00003898                 BL              __dl___libc_format_fd
.text:0000389C                 MOV             R0, R6
.text:0000389E
.text:0000389E loc_389E                                ; CODE XREF: __dl___linker_init+604j
.text:0000389E                 BL              __dl_exit

 

Any of that look familiar? Well, if you recall the code from XDA, the STR, CMP, and BEQ lines match exactly (if you didn't know, #0x100 is 0x100, or #256 in the other disassembly; likewise #0x10 = #16). So now we can do the exact same fix, manually! Before you shut down IDA, go to the hex view from here to get the address needed. In my example this is 00003890; yours may be different, but the values on the line should read

 

07 D0 D2 49 02 20 79 44 02 F0 DE FC 30 46 FD F7

 

that's it for IDA, exit (no need to save database unless you want to)
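The LDRH/CMP pair in the listing reads the halfword at offset 0x10 of the ELF header (e_type) and compares it with 3 (ET_DYN), which is what makes a binary "PIE" in the linker's eyes. Here is an added example of mine (not from the original post) that performs that same check on an ELF file, so you can confirm which of your binaries would trip the error before editing anything; the sample headers in it are constructed, not real binaries.

```python
import struct

ET_EXEC = 2       # fixed-address executable: rejected by the Android 5.0+ linker
ET_DYN = 3        # position-independent executable (or shared object): accepted
ELF_MAGIC = b"\x7fELF"

def elf_type(data):
    """Return e_type for the ELF image in `data`.

    Only the identification bytes and e_type are parsed: EI_DATA (byte 5)
    gives the byte order, and e_type is the halfword at offset 16, the same
    field the linker loads with LDRH R3, [R1,#0x10].
    """
    if len(data) < 18 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = LSB, 2 = MSB
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return e_type

def linker_accepts(data):
    """True if an unpatched Android 5.0+ linker would load this binary (e_type == ET_DYN)."""
    return elf_type(data) == ET_DYN

def sample_header(e_type):
    """Constructed 32-bit little-endian ARM ELF header, differing only in e_type."""
    ident = ELF_MAGIC + bytes([1, 1, 1]) + bytes(9)   # ELFCLASS32, LSB, EV_CURRENT, padding
    e_machine = 0x28                                  # EM_ARM
    return ident + struct.pack("<HHI", e_type, e_machine, 1)

if __name__ == "__main__":
    import sys
    # Usage: python pie_check.py /path/to/gdb /path/to/busybox ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            hdr = f.read(64)
        verdict = "PIE (ET_DYN)" if linker_accepts(hdr) else "non-PIE: would hit the linker error"
        print("%s: %s" % (path, verdict))
```

A binary that reports non-PIE here can usually be rebuilt with -fPIE -pie, which yields ET_DYN and fixes the error without touching the linker.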

Step 4:
Open your hex editor. Search for the data any way you want, either by the address (my example: 00003890) or by the bytes; in my case I just searched for the values "07 D0 D2 49" to find the spot (put enough hex values in your search to find the unique spot; don't just search for D0 even though that's the byte we're editing, or you may edit the wrong address). Once you're sure you're at the right spot, simply change it to read

 

07 E0 D2 49 02 20 79 44 02 F0 DE FC 30 46 FD F7

 

Only the "D0" to "E0"? Yes it's really that simple ;)

Step 5:
On your phone, temporarily change the permissions of your ./system/bin/linker file from 755 (rwxr-xr-x) to 777 (rwxrwxrwx); depending on your mounts you (SHOULD HAVE TO) change the folder's permissions as well. DON'T FORGET TO CHANGE PERMISSIONS BACK WHEN DONE!!!! Rename the linker file on the phone to linker1, linkerbak, or whatever. Then upload the edited linker file from your PC back to your phone. Afterwards SET PERMISSIONS BACK on the file and folders.

You should now be able to use gdb, gdbserver, and any old busybox executables that give you the PIE error.
Happy modding!

EDIT #1: added additional info in post below, link: 
https://boards.libre.io/posts/2819196/

"Had to help someone with their linker. If you have issues, you can look in IDA and about two thirds of the way into the file you'll see all the exception handlers and their output text (you can search for the text as well). Find the PIE error text and read the code directly above; you should see the branch within 10 lines above (mine was beq.n, the one I altered today was beq, same hex though, D0 change to E0 needed).

 

Any other issues, just post here as to how to alter; any problems happening or soft bricking, I cannot guarantee I would know why (this affects process threads, so each situation/bug can vary) and I cannot be held liable, do at your own risk!!"


EDIT #2: People have been posting questions that makes me concerned that people are modifying their file without understanding the severity of what they are doing should they mess up. PSA: MESSING WITH LINKER CAN RENDER YOUR PHONE UNUSABLE, KNOW WHAT YOU ARE DOING!!
Reference links: 
https://en.m.wikipedia.org/wiki/GNU_linker ftp.gnu.org/old-gnu/Manuals/ld-2.9.1
(ld basically same idea as androids linker)

Think of it this way: APK stands for Android package; it's a zip file, nothing more. So when you tap on a program app on your Android, you are simply doing the same as double clicking a zip file on Windows and expecting it to run the program inside it (not WinZip/RAR but the program inside). So try it on Windows right now, I'll wait
.... doesn't work, does it? So why does it work on Android?....... will finish this post today, have to leave home for a bit

EDIT 3: phew, finally home lol. So anyways, Android installs the extracted files into your filesystem along with the shared libraries (native) or DLLs (like C# assemblies). To start your program, it accesses the classes.dex file to start the JIT compiler, which in turn needs to access those libraries and store them in memory to run. However those libraries are not Java like the dex, and need a 'bridge' to work together (yes I know this is not an accurate explanation, but it's enough for non-programmer types to understand, bite me :P ). This is the linker file; its primary purpose is to link libraries for use in the Dalvik VM. Without it, Android would have no way to work with those libraries.

OK, I'm tired of breaking this down, so Google will help if you have any other questions about linker. tl;dr don't fk that file up lol

 

Credit: s810car – boards.libre.io
