Question about crazylinker on Android

  • Question about crazylinker on Android

    I've been analyzing v8 JavaScript filewriter vulnerabilities for the last few months. I have successfully converted a 64-bit exploit to a 32-bit exploit. But I finally failed in converting the 32-bit exploit to the mobile Android version. I'm analyzing how crazylinker causes problems in computing offsets on Android. But I can't find a clue to solve the problem. Does crazylinker affect the offset calculation, or doesn't it? Where are the technical documents related to this? Please help me if anyone knows. Why should I do this? I am dizzy. So I have to rest. Watching this crazy video would be better for my mental health.

  • #2
    I researched the operation of CrazyLinker. First of all, I found this information.
    By fixing the offset by 0xAC, I was able to correct the offset value of the variable found by binary analysis.
    Why is there a gap difference of 0xAC in memory mapping?
    I will analyze and write about this reason later.

    The image is too large and blurry. After registering, you can download the compressed image file.
    0xAC is the gap offset from the base address of

    [Attached image: maps.png]


    • #3
      [Attached image: crazytest.png]


      • #4
        I have successfully enabled the mojom option in Android Chrome. It was very hard because of the begin pointer offset. The node pointer is at position -0x24 from the begin pointer. It seems that about two weeks were spent finding the offset.
        I think my brain is not so good... ㅜㅜ