Bypassing PIE check (enables gdb) for Android 5.0+

No problem at all. A few days ago I was messing with mine and, well, Asus devices have linker64 too, so I had to mess with that one too xD
 
Ah, are they running 64 in 32-bit mode or actual 64-bit? I think 8> is gonna be the changer imo.
 
Hello, I'm trying to patch the linker and linker64 for a Galaxy Note 5 with Android Nougat 7.0. Can you please help me with these two files? The IDA disassembly looks different from the one in the original post and yours: there's no immediate BEQ instruction, see 000093F6. I changed the file extensions to .txt only to allow the upload. Sorry for my bad English.

.text:000093A2 CMP.W R11, #0
.text:000093A6 BEQ loc_93C4
.text:000093A8 LDR.W R9, =(__dl__ZN18SizeBasedAllocatorILj8EE10allocator_E - 0x93B0)
.text:000093AC ADD R9, PC ; __dl__ZN18SizeBasedAllocatorILj8EE10allocator_E
.text:000093AE
.text:000093AE loc_93AE ; CODE XREF: .text:000093C2j
.text:000093AE LDR.W R5, [R11]
.text:000093B2 MOV R0, R9
.text:000093B4 MOV R1, R11
.text:000093B6 STR.W R5, [R10,#0x70]
.text:000093BA BL __dl__ZN20LinkerBlockAllocator4freeEPv
.text:000093BE MOV R11, R5
.text:000093C0 CMP R5, #0
.text:000093C2 BNE loc_93AE
.text:000093C4
.text:000093C4 loc_93C4 ; CODE XREF: .text:000093A6j
.text:000093C4 MOV R0, R8
.text:000093C6 SUB.W R4, R7, #0xC
.text:000093CA MOV SP, R4
.text:000093CC POP.W {R4-R11,PC}
.text:000093D0 ; ---------------------------------------------------------------------------
.text:000093D0
.text:000093D0 loc_93D0 ; CODE XREF: .text:00008C86j
.text:000093D0 BL __dl___errno
.text:000093D4
.text:000093D4 loc_93D4 ; CODE XREF: .text:00008C82j
.text:000093D4 LDR R0, [R0]
.text:000093D6 BL __dl_strerror
.text:000093DA MOV R2, R0
.text:000093DC LDR R0, =(aUnableToStatFi - 0x93E4)
.text:000093DE MOV R1, R4
.text:000093E0 ADD R0, PC ; "unable to stat file for the executable "...
.text:000093E2 BL __dl___libc_fatal
.text:000093E6
.text:000093E6 loc_93E6 ; CODE XREF: .text:00008CAEj
.text:000093E6 LDR R0, =(aCouldnTAllocat - 0x93EC)
.text:000093E8 ADD R0, PC ; "Couldn't allocate soinfo: out of memory"...
.text:000093EA BL __dl___libc_fatal
.text:000093EE
.text:000093EE loc_93EE ; CODE XREF: .text:00008DB8j
.text:000093EE LDR R0, [R6,#4]
.text:000093F0 LDR R0, [R0,#4]
.text:000093F2 LDR R1, [R0]
.text:000093F4 LDR R0, =(aSErrorOnlyPosi - 0x93FA)
.text:000093F6 ADD R0, PC ; "\"%s\": error: only position independen"...
.text:000093F8 BL __dl___libc_fatal
.text:000093FC
 


.text:000093EE
.text:000093EE loc_93EE ; CODE XREF: .text:00008DB8j
.text:000093EE LDR R0, [R6,#4]
.text:000093F0 LDR R0, [R0,#4]
.text:000093F2 LDR R1, [R0]
.text:000093F4 LDR R0, =(aSErrorOnlyPosi - 0x93FA)
.text:000093F6 ADD R0, PC ; "\"%s\": error: only position independen"...
.text:000093F8 BL __dl___libc_fatal
.text:000093FC
This whole block is the important section. You need to find where the program flow branches to this section and change it so it won't follow this path. See if you can find that in your linker and let me know if that is an issue, and I'll try to look at it when I have time.
 
I changed the permissions of the linker file and its bin folder to 777, but I still can't paste my edited linker file into system/bin.
Could you make a video of replacing the linker file? Thank you.
Edit: I just copied my linker file to system/bin from the recovery menu and it works now.
I can run gdb now. Thanks.
OK, good you got that worked out. For others with this issue: make sure to edit the permissions of the folder as well, and change the permissions back when done. Do NOT leave it at 777; this will leave you no defense against even the simplest virus.
 
This whole block is the important section. You need to find where the program flow branches to this section and change it so it won't follow this path. See if you can find that in your linker and let me know if that is an issue, and I'll try to look at it when I have time.

I would appreciate it a lot, because I found the loc_93EE reference and replaced the branches, but this gives me another error message and does not bypass the PIE check. I cannot find the exact instruction to change, and I noticed that the security system in the Unity game I am trying to decompile doesn't work on Android 7.0, so I really want to patch my linker to decompile the assembly.
 
I would appreciate it a lot, because I found the loc_93EE reference and replaced the branches, but this gives me another error message and does not bypass the PIE check. I cannot find the exact instruction to change, and I noticed that the security system in the Unity game I am trying to decompile doesn't work on Android 7.0, so I really want to patch my linker to decompile the assembly.
The linker file in Nougat is quite a bit different from the one in this tutorial. It's possible, but not as easy to find. I'd recommend setting up an emulator with an older OS (KitKat to avoid the issue, or Marshmallow, which has an easier linker to mod).
Every phone's linker has some minor (or major, in Nougat's case) differences. I couldn't give you exact instructions without seeing the file, and given the sensitivity of editing that file (it CAN brick the phone if you're not careful), I don't edit other people's linker files anymore; too much liability. So my best advice: set up an emulator. Good luck!
 
Fortunately I've only bricked mine once, my own fault, so in general a good track record. I even learned something that day: flashing a system mount with a root script in fastboot does no good without the root script having a system.img of some type, since it wipes out the mount first :D whoops
Happens to the best of us my friend :), it's always awesome when you gain some knowledge out of your misfortunes. Good tutorial.
 
Could anyone modify my linker for me please? I tried several times but it always ends up in a bootloop. I'm probably doing something wrong.
 


I have patched it for you, thank me later.

Your hex address in the linker file is 00006318 ---- 07 d0 49 02 20 79 44 05 f0, and so I changed the d0 to e0 to bypass the PIE error. Compare the patched linker file with the original; that's the one byte I changed.
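As an added example (not code from this thread), here is the "compare the patched linker with the original" check from the post above and the "change the branch so it won't follow this path" advice earlier, done in Python: it diffs the two images, insists on exactly one changed byte, and decodes the 16-bit Thumb halfword at that offset to confirm the change is a conditional branch (d0xx = BEQ) becoming an unconditional one (e0xx = B) with the same target, the one edit that should not produce the bootloops reported in this thread. The byte string, the offset 0x18 and the function names are constructed for the example; on real files, read both images from disk and pass the offset from the post instead.

```python
import struct

# Constructed sample, not the real file: a short byte string standing in for the
# region of a 32-bit (Thumb-2) linker around the PIE check. The nine bytes are the
# ones quoted in the post ("07 d0 49 02 20 79 44 05 f0"); the padding and the
# offset are made up for this example.
PATCH_OFFSET = 0x18
ORIGINAL = b"\x00" * PATCH_OFFSET + bytes.fromhex("07d0490220794405f0") + b"\x00" * 8
_patched = bytearray(ORIGINAL)
_patched[PATCH_OFFSET + 1] = 0xE0          # the single d0 -> e0 change from the post
PATCHED = bytes(_patched)

COND = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
        "HI", "LS", "GE", "LT", "GT", "LE"]

def decode_thumb16_branch(hw):
    """Decode a 16-bit Thumb halfword if it is B<cond> (1101 cond imm8, cond < 0xE)
    or B (11100 imm11). Returns (mnemonic, byte offset from the instruction) or None."""
    if hw >> 12 == 0xD and (hw >> 8) & 0xF < 0xE:
        imm8 = hw & 0xFF
        imm = imm8 - 0x100 if imm8 & 0x80 else imm8       # sign-extend
        return "B" + COND[(hw >> 8) & 0xF], imm * 2 + 4    # PC is instruction + 4
    if hw >> 11 == 0x1C:
        imm11 = hw & 0x7FF
        imm = imm11 - 0x800 if imm11 & 0x400 else imm11
        return "B", imm * 2 + 4
    return None

def byte_diffs(a, b):
    """Every (offset, old, new) where the two images differ; sizes must match."""
    if len(a) != len(b):
        raise ValueError("size mismatch: %d vs %d bytes" % (len(a), len(b)))
    return [(i, a[i], b[i]) for i in range(len(a)) if a[i] != b[i]]

def check_branch_patch(original, patched, offset):
    """Accept the patch only if exactly one byte changed, inside the halfword at
    `offset`, and that halfword went from a conditional to an unconditional Thumb
    branch with the same target. Anything else is flagged before it reaches /system."""
    diffs = byte_diffs(original, patched)
    if len(diffs) != 1 or diffs[0][0] not in (offset, offset + 1):
        return False, "expected exactly one changed byte at 0x%x, got %r" % (offset, diffs)
    before = decode_thumb16_branch(struct.unpack_from("<H", original, offset)[0])
    after = decode_thumb16_branch(struct.unpack_from("<H", patched, offset)[0])
    if before is None or before[0] == "B" or after is None or after[0] != "B":
        return False, "not a conditional->unconditional branch: %r -> %r" % (before, after)
    if before[1] != after[1]:
        return False, "branch target changed: %+d -> %+d" % (before[1], after[1])
    return True, "%s %+d -> %s %+d, target unchanged" % (before[0], before[1], after[0], after[1])
```

A linker64 image is AArch64, not Thumb, so this decoder only applies to the 32-bit linker; the diff step still applies to both.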
 
Hi, would anybody help me edit my linker please?
My phone gets bootloops when I push the linker I edited.
 

