How to build a chrome browser with debugging symbols on android

    I would like to share a small tip for researching the Chrome browser on Android.
    In general, research on the Chrome browser is divided into two phases.
    The first is the OOB (out-of-bounds) bug, which relates to the V8 JavaScript engine. Most proofs of concept end at this stage.
    The next step is usually the sandbox escape, and most of the time you need to analyze Chrome's internal binaries.
    Most browser hackers probably already know this, so I won't write about it here.
    If you haven't done any research on mobile Chrome browsers, there is one piece of information you need: debugging symbols.
    There is no big difference on Windows: there you can set Google's Chrome symbol server in an environment variable.
    On mobile it is a bit different, and rather easy.
    The following command builds the Chrome browser for Android in release mode.
    Code:
    $ gn gen --args="is_debug=false is_clang=true target_os=\"android\" target_cpu=\"arm\"" out/DEBUG_GN_ARM_PACKED
    $ autoninja -C out/DEBUG_GN_ARM_PACKED chrome_public_apk
    When this command completes, a lib.unstripped directory is created in the output directory.
    This directory contains the libchrome.so file with its debugging symbols still present (not stripped).
    You can analyze this file and extract offsets for the stripped libchrome.so by binary diffing.
    That is all there is to this trivial tip.
    However, I'm writing it down because hackers researching mobile Chrome browsers for the first time can be confused.
    Perhaps you would set "is_debug=true" in the build options. That is right when building on Windows.
    However, this setting in the mobile build options does not generate the libchrome.so file.
    The libchrome.so file is compressed with the crazy linker.
    Therefore, if "is_debug=true", it is created as a separate uncompressed .so file.
    In my subjective view, it is more useful to calculate the offset by building in release mode and referencing the libchrome.so file in the lib.unstripped directory.
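As an added example (not part of the original post and not Chromium's code), the following Python script does the offset-extraction step described above without external tools: it reads .symtab from an ELF (ELF32 for target_cpu="arm", ELF64 for arm64), resolves each wanted symbol to its load-base-relative address and its file offset, and then checks that the stripped library holds the same bytes at that address, which is the case when both files come from the same build. For a real run you would pass out/DEBUG_GN_ARM_PACKED/lib.unstripped/libchrome.so and the stripped libchrome.so taken from the APK, plus one symbol name per line on stdin; since those files cannot be shipped here, the script constructs a tiny two-function ELF fixture that stands in for libchrome.so. The names func_a/func_b, the instruction bytes and the addresses are constructed, not Chromium's. Note that Google's official APK is a different build, so matching its stripped library still needs a real diffing tool; this script only validates offsets between your own build's unstripped and stripped copies.

```python
import struct
import sys

SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB, SHT_NOBITS = 1, 2, 3, 8
SH_FIELDS = ("name", "type", "flags", "addr", "offset", "size", "link", "info", "align", "entsize")


class Elf:
    """Minimal little-endian ELF32/ELF64 reader: section headers and .symtab only."""

    def __init__(self, data):
        if data[:4] != b"\x7fELF" or data[5] != 1:
            raise ValueError("expected a little-endian ELF (Android ARM/ARM64 builds are LE)")
        self.data, self.is64 = data, data[4] == 2
        ehfmt = "<HHIQQQIHHHHHH" if self.is64 else "<HHIIIIIHHHHHH"
        self.shfmt = "<IIQQQQIIQQ" if self.is64 else "<10I"
        self.symfmt = "<IBBHQQ" if self.is64 else "<IIIBBH"
        hdr = struct.unpack_from(ehfmt, data, 16)
        shoff, shentsize, shnum, shstrndx = hdr[5], hdr[10], hdr[11], hdr[12]
        self.sections = [dict(zip(SH_FIELDS, struct.unpack_from(self.shfmt, data, shoff + i * shentsize)))
                         for i in range(shnum)]
        names = self.sections[shstrndx]["offset"]
        for s in self.sections:  # replace the .shstrtab index with the section name
            s["name"] = self._cstr(names + s["name"])

    def _cstr(self, off):
        return self.data[off:self.data.index(b"\x00", off)].decode()

    def symbols(self):
        """Yield (name, vaddr, size, shndx) from .symtab; yields nothing for a stripped file."""
        for sec in self.sections:
            if sec["type"] != SHT_SYMTAB:
                continue
            strtab = self.sections[sec["link"]]["offset"]
            ent = sec["entsize"] or struct.calcsize(self.symfmt)
            for i in range(sec["size"] // ent):
                f = struct.unpack_from(self.symfmt, self.data, sec["offset"] + i * ent)
                name, value, size, shndx = (f[0], f[4], f[5], f[3]) if self.is64 else (f[0], f[1], f[2], f[5])
                if name and shndx:  # skip the null entry and undefined (imported) symbols
                    yield self._cstr(strtab + name), value, size, shndx

    def file_offset(self, vaddr):
        """Translate a load-base-relative address to a file offset via the section that maps it."""
        for s in self.sections:
            if s["addr"] and s["type"] != SHT_NOBITS and s["addr"] <= vaddr < s["addr"] + s["size"]:
                return s["offset"] + vaddr - s["addr"]
        raise ValueError("0x%x is not backed by any section" % vaddr)


def symbol_offsets(unstripped, wanted):
    """Resolve names -> (load-base-relative address, file offset, size) using the unstripped .so."""
    elf = Elf(unstripped)
    return {n: (v, elf.file_offset(v), sz) for n, v, sz, _ in elf.symbols() if n in wanted}


def same_bytes_in_stripped(unstripped, stripped, vaddr, size):
    """True if the stripped .so holds identical bytes at the same load-base-relative address."""
    u, s = Elf(unstripped), Elf(stripped)
    return u.data[u.file_offset(vaddr):][:size] == s.data[s.file_offset(vaddr):][:size]


def build_fixture(is64, stripped):
    """Construct a tiny stand-in for libchrome.so: one .text holding two 'functions' (constructed bytes)."""
    text = bytes.fromhex("00482de904b08de2") + bytes.fromhex("0088bde81eff2fe1")
    syms = [("func_a", 0, 8), ("func_b", 8, 8)]  # constructed names, NOT Chromium symbols
    TEXT_OFF, TEXT_ADDR = 0x100, 0x10100
    ehfmt = "<HHIQQQIHHHHHH" if is64 else "<HHIIIIIHHHHHH"
    shfmt = "<IIQQQQIIQQ" if is64 else "<10I"
    symfmt = "<IBBHQQ" if is64 else "<IIIBBH"
    shstr = b"\x00.text\x00.shstrtab\x00.strtab\x00.symtab\x00"
    strtab = b"\x00" + b"".join(n.encode() + b"\x00" for n, _, _ in syms)
    idx = lambda tbl, s: tbl.index(b"\x00" + s + b"\x00") + 1  # index of a name inside a string table
    body = bytearray(TEXT_OFF) + text
    secs = [(0,) * 10, (idx(shstr, b".text"), SHT_PROGBITS, 6, TEXT_ADDR, TEXT_OFF, len(text), 0, 0, 4, 0)]
    secs.append((idx(shstr, b".shstrtab"), SHT_STRTAB, 0, 0, len(body), len(shstr), 0, 0, 1, 0))
    body += shstr
    if not stripped:  # the unstripped copy additionally carries .strtab and .symtab
        secs.append((idx(shstr, b".strtab"), SHT_STRTAB, 0, 0, len(body), len(strtab), 0, 0, 1, 0))
        body += strtab
        body += bytes(-len(body) % 8)
        symtab = struct.pack(symfmt, *(0,) * 6)
        for n, rel, sz in syms:
            info, name = (1 << 4) | 2, idx(strtab, n.encode())  # STB_GLOBAL, STT_FUNC
            symtab += (struct.pack(symfmt, name, info, 0, 1, TEXT_ADDR + rel, sz) if is64
                       else struct.pack(symfmt, name, TEXT_ADDR + rel, sz, info, 0, 1))
        secs.append((idx(shstr, b".symtab"), SHT_SYMTAB, 0, 0, len(body), len(symtab), 3, 1, 8, struct.calcsize(symfmt)))
        body += symtab
    body += bytes(-len(body) % 8)
    shoff = len(body)
    for s in secs:
        body += struct.pack(shfmt, *s)
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1]) + bytes(9)
    hdr = ident + struct.pack(ehfmt, 3, 183 if is64 else 40, 1, 0, 0, shoff, 0,
                              len(ident) + struct.calcsize(ehfmt), 0, 0, struct.calcsize(shfmt), len(secs), 2)
    body[:len(hdr)] = hdr
    return bytes(body)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # real use: <lib.unstripped/libchrome.so> <stripped libchrome.so>, names on stdin
        unstripped, stripped = open(sys.argv[1], "rb").read(), open(sys.argv[2], "rb").read()
        wanted = set(sys.stdin.read().split())
    else:  # demo on the constructed ELF32 fixture (target_cpu="arm" produces ELF32)
        unstripped, stripped = build_fixture(False, False), build_fixture(False, True)
        wanted = {"func_a", "func_b"}
    for name, (vaddr, foff, size) in sorted(symbol_offsets(unstripped, wanted).items()):
        ok = same_bytes_in_stripped(unstripped, stripped, vaddr, size)
        print("%-40s base+0x%08x file+0x%08x size %-6d stripped-bytes-match=%s" % (name, vaddr, foff, size, ok))
```

The "base+" value is what you add to the libchrome.so load address read from /proc/<pid>/maps on the device; the file offset is what you hand to a disassembler or diffing tool opened on the stripped library. If stripped-bytes-match comes back False for your own build, the two files are not from the same build and the offsets must not be reused.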