After patchelf is used to modify the elf file, the heap and bin commands cannot be used

[D1ag0n-Young]

I did the following:

1. patchelf --set-interpreter $libc_dir/ld-$LIBC_VERSION.so --set-rpath $libc_dir/ tsh

View binary file: ldd tsh

linux-vdso.so.1 (0x00007fff4fcfc000)
libc.so.6 => /glibc/2.31/64/lib/libc.so.6 (0x00007f7f994f2000)
/glibc/2.31/64/lib/ld-2.31.so => /lib64/ld-linux-x86-64.so.2 (0x00007f7f996ec000)

2. run command gdb tsh

pwndbg> r
Starting program: /home/yrl/Desktop/gdbtest/tsh 
warning: the debug information found in "/glibc/2.31/64/lib/.debug/ld-2.31.so" does not match "/glibc/2.31/64/lib/ld-2.31.so" (CRC mismatch).

ERROR: Could not find ELF base!
warning: the debug information found in "/glibc/2.31/64/lib/.debug/libc-2.31.so" does not match "/glibc/2.31/64/lib/libc.so.6" (CRC mismatch).

warning: the debug information found in "/glibc/2.31/64/lib/.debug/libc-2.31.so" does not match "/glibc/2.31/64/lib/libc.so.6" (CRC mismatch).

Prompt the debug information does not match，Then run the bin command：

pwndbg> bin
bins: This command only works with libc debug symbols.
They can probably be installed via the package manager of your choice.
See also: https://sourceware.org/gdb/onlinedocs/gdb/Separate-Debug-Files.html

E.g. on Ubuntu/Debian you might need to do the following steps (for 64-bit and 32-bit binaries):
sudo apt-get install libc6-dbg
sudo dpkg --add-architecture i386
sudo apt-get install libc-dbg:i386

This seems to be unable to find the symbol table for debugging，I try to do this:

pwndbg> set debug-file-directory /glibc/2.31/64/lib/
pwndbg> r

Did not solve the problem
Note: I use patchelf to modify the binary file, and use the libc provided by glibc-all-in-one, which contains the .debug folder

Which step did I do wrong? Or pwngdb can only use the debug symbol table of system libc？

[WeSeekAfterKnowledge]

Can you upload a zipped copy of your before / after binary so that we can take a look?

This (using patchelf) isn't something I've seen before, and it's possible it's leaving remnants behind of the old interpreter.

[D1ag0n-Young]

hello.zip

Above is the binary file before and after patchelf
@WeSeekAfterKnowledge

[IdanBanani]

What are your thoughts on these kind of "Quick Fixes" ?
(downloading a specific libc version resources with debug symbols)
https://www.buaq.net/go-13408.html
https://bbs.pediy.com/thread-254868-1.htm
https://github.com/matrix1001/glibc-all-in-one
https://github.com/ray-cp/pwn_debug/blob/master/build.sh

[disconnect3d]

Is this still the case? I think this should work now, after we have an option of resolving heap symbols via heuristic.

[gsingh93]

I think this should be fixed, and if not I recommend using libcdb.unstrip() from pwntools or use pwninit to unstrip the libc. I've had issues with glibc-all-in-one.

[gsingh93]

I'm going to close this, if anyone believes this is still an issue please let me know.

[k4lizen]

This is still an issue. Run pwninit --bin junior_formatter to get junior_formatter_patched. Run both with pwndbg. Run info func main for both. One result returned for junior_formatter, zero results returned for junior_formatter_patched. main can be found in junior_formatter_patched with readelf and pwntools (via elf.symbols['main']). Although unrelated specifically to heap and bins, I'm assuming the issue is related (could be wrong).
Here are the files: bad.zip

[k4lizen]

@gsingh93

[disconnect3d]

cc: @lebr0nli :)

[lebr0nli]

Run info func main for both. One result returned for junior_formatter, zero results returned for junior_formatter_patched. main can be found in junior_formatter_patched with readelf and pwntools (via elf.symbols['main']).

I'm not sure the reason why info func main can't find main after patchelf, but at least this is not the pwndbg's issue I guess.
This can be reproduced with:

$ gdb -q -nx ./junior_formatter_patched -ex 'starti'
...
(gdb) info func main
All functions matching regular expression "main":
(gdb) 

Regarding the original issue about our heap and bins commands, it seems to work fine with the libc and ld you provided after patchelf.
This can be verified with:

$ cat a.c
#include <stdlib.h>

int main(){
    free(malloc(0x10));
}
$ gcc a.c
$ pwninit
bin: ./a.out
libc: ./libc.so.6
ld: ./ld-linux.so

copying ./a.out to ./a.out_patched
running patchelf on ./a.out_patched
$ ldd a.out_patched
	linux-vdso.so.1 (0x00007ffe52fc7000)
	libc.so.6 => ./libc.so.6 (0x00007f8aff2eb000)
	./ld-linux.so => /lib64/ld-linux-x86-64.so.2 (0x00007f8aff51c000)
$ gdb -q a.out_patched -ex 'set debug-file-directory' -ex 'start' -ex 'next' -ex 'next' -ex 'next' -ex 'next' -ex 'heap' -ex 'bins'
...
Allocated chunk | PREV_INUSE
Addr: 0x55855568d000
Size: 0x290 (with flag bits: 0x291)

Free chunk (tcachebins) | PREV_INUSE
Addr: 0x55855568d290
Size: 0x20 (with flag bits: 0x21)
fd: 0x55855568d

Top chunk | PREV_INUSE
Addr: 0x55855568d2b0
Size: 0x20d50 (with flag bits: 0x20d51)

tcachebins
0x20 [  1]: 0x55855568d2a0 ◂— 0x0
fastbins
empty
unsortedbin
empty
smallbins
empty
largebins
empty
...

[k4lizen]

Oh I see, my bad. I will pull an issue on GDB and if it doesn't work out I will pull a feature request here for improved symbol parsing, okay?

[anthraxx]

Which version of pwninit are you using, this is supposed to be fixed in 3.1.1 with a workaround io12/pwninit@ca34d07 The real issue seems to be in patchelf where it produces a broken result if multiple options are used at the same call.

[k4lizen]

pwninit 3.3.0

[anthraxx]

Sorry I had a typo. I fixed it in 3.3.1 so please upgrade your pwninit and try again 😊

[k4lizen]

Seems to work now! Thanks.

pwndbg> info func main
All functions matching regular expression "main":

Non-debugging symbols:
0x00000000000012bb  main
pwndbg>

[disconnect3d]

Is this issue still valid or was it fixed? cc: @k4lizen @lebr0nli @D1ag0n-Young pls, re-check.

[k4lizen]

Re-checked, works. The issue wasn't with pwndbg but with patchelf anyways, so should be good to close.