Debugging of Adobe Reader in Android (Part II)

To follow up on the debugging of the Adobe Reader (https://tthtlc.wordpress.com/2013/04/24/how-do-debug-the-runtime-behavior-of-adobe-reader-in-android):

First, start up Adobe Reader on the Android device, and then use “adb shell” to get a shell on the device.

Next, inside the “adb shell” session on the device, use “tcpdump” or “netstat” to find the device’s IP address (ifconfig does not give the IP address?):

netstat -nat
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.1.110:46121 173.194.38.131:443 ESTABLISHED

Now that we know the IP address, we use gdbserver to attach to the “com.adobe.reader” process.

Within the device, find the pid:

# ps |grep com.adobe
u0_a85 21128 126 698144 139752 ffffffff 400daee4 S com.adobe.reader

So the pid is 21128; use “gdbserver” to attach to it (also inside the Android device):

gdbserver :4646 --attach 21128
Attached; pid = 21128
Listening on port 4646

Now, from another terminal, use the ARM toolchain from the Android NDK to connect to the gdbserver running inside the Android device:

cd /opt/android-ndk-r8c/toolchains/arm-linux-androideabi-4.6/prebuilt/linux-x86/bin

./arm-linux-androideabi-gdb
GNU gdb (GDB) 7.3.1-gg2

(gdb) target remote 192.168.1.110:4646
Remote debugging using 192.168.1.110:4646
0x400daee4 in ?? ()

(gdb) bt
#0 0x400daee4 in ?? ()
#1 0x4012fb0c in ?? ()
#2 0x4012fb0c in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

(gdb) info sharedlibrary
warning: while parsing target library list (at line 2): No segment defined for com.adobe.reader

No shared libraries loaded at this time.

(gdb) x /100i $pc
=> 0x400daee4: pop {r4, r7}
0x400daee8: movs r0, r0
0x400daeec: bxpl lr
0x400daef0: b 0x400fef74
0x400daef4: push {r4, r7}
0x400daef8: mov r7, #316 ; 0x13c
0x400daefc: svc 0x00000000
0x400daf00: pop {r4, r7}
0x400daf04: movs r0, r0
0x400daf08: bxpl lr
0x400daf0c: b 0x400fef74
0x400daf10: push {r4, r7}
0x400daf14: ldr r7, [pc, #16] ; 0x400daf2c
0x400daf18: svc 0x00000000
0x400daf1c: pop {r4, r7}
0x400daf20: movs r0, r0
0x400daf24: bxpl lr
0x400daf28: b 0x400fef74
0x400daf2c: andeq r0, r0, sp, lsr r1
0x400daf30: push {r4, r7}
0x400daf34: ldr r7, [pc, #16] ; 0x400daf4c
0x400daf38: svc 0x00000000
0x400daf3c: pop {r4, r7}

Outstanding problem: with no library list, gdb cannot map any of the addresses above to a symbol. (The code at $pc has the shape of a bionic libc system-call stub: the syscall number is placed in r7, “svc 0” traps into the kernel, and a negative result branches off to an error handler, so the process is simply parked inside a blocking system call.) The warning is:

info sharedlibrary
warning: while parsing target library list (at line 2): No segment defined for com.adobe.reader
No shared libraries loaded at this time.
(gdb)
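The manual sequence above (netstat for the device IP, ps for the pid, gdbserver --attach on the device, target remote from the host) is easy to get wrong by hand, so here is the same procedure scripted. This is an added example, not code from the original post. The NDK gdb path and port 4646 are the post’s; the sample ps and netstat lines are constructed from its output; and the “set sysroot” line is an assumption that a directory of libraries pulled from the device with adb pull is available, which gives gdb local files to read symbols from (whether that clears the “No segment defined” warning on this gdb build is not something the post establishes).

```shell
#!/bin/sh
# Added example, not from the original post: shell helpers that script the
# manual sequence (netstat -> device IP, ps -> pid, gdbserver --attach,
# host gdb -> target remote). Assumptions are marked where they appear.

# Pick the pid of a package out of `ps` output. Android's ps prints the
# process name in the last column and the pid in the second; output that
# comes back through `adb shell` carries CRLF line endings, hence the tr.
pid_from_ps() {
    tr -d '\r' | awk -v name="$1" '$NF == name { print $2; exit }'
}

# Pick the device's own IPv4 address out of `netstat -nat` output: the local
# address of any ESTABLISHED tcp connection, with the port stripped.
# (IPv4 only; an IPv6 local address would need different parsing.)
ip_from_netstat() {
    tr -d '\r' | awk '$1 == "tcp" && $NF == "ESTABLISHED" {
        split($4, a, ":"); print a[1]; exit }'
}

# Emit the command file for the host gdb. The sysroot line is an assumption:
# $3 is expected to hold a copy of the device's /system/lib (and the app's
# native libs) fetched with `adb pull`, so gdb has local files to read symbols from.
gdb_commands() {
    printf 'set sysroot %s\n' "$3"
    printf 'target remote %s:%s\n' "$1" "$2"
}

# Drive the whole sequence against a connected device (assumes adb on PATH
# and a rooted shell, as in the post).
attach_package() {
    pkg=$1; port=${2:-4646}; libdir=${3:-./device-libs}
    gdb=/opt/android-ndk-r8c/toolchains/arm-linux-androideabi-4.6/prebuilt/linux-x86/bin/arm-linux-androideabi-gdb
    pid=$(adb shell ps | pid_from_ps "$pkg")
    [ -n "$pid" ] || { echo "$pkg is not running" >&2; return 1; }
    ip=$(adb shell netstat -nat | ip_from_netstat)
    [ -n "$ip" ] || { echo "no established tcp connection to read the device IP from" >&2; return 1; }
    # gdbserver stays in the foreground on the device; run it detached here.
    adb shell "gdbserver :$port --attach $pid" </dev/null &
    sleep 2
    gdb_commands "$ip" "$port" "$libdir" > gdbinit.tmp
    "$gdb" -x gdbinit.tmp
}

# Usage: sh attach.sh --attach [package]   (defaults to com.adobe.reader)
if [ "${1:-}" = "--attach" ]; then
    attach_package "${2:-com.adobe.reader}"
fi
```

If the device is reachable over USB only, “adb forward tcp:4646 tcp:4646” on the host followed by “target remote :4646” in gdb removes the need to discover the device IP at all.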

2 responses to this post.

  1. I enumerated all the FT_* freetype APIs inside libAdobeReader.so:

    /opt/CodeSourcery/Sourcery_G++_Lite/bin/arm-none-eabi-objdump -T --demangle libAdobeReader.so | grep .text | grep " FT_"

    00248718 g DF .text 000000f8 FT_New_Size
    00243914 g DF .text 00000084 FT_GlyphLoader_Add
    002433f4 g DF .text 000000c4 FT_Matrix_Multiply
    002495e0 g DF .text 000000bc FT_Get_Advance
    002439b8 g DF .text 000000b4 FT_Set_Transform
    00246974 g DF .text 00000030 FT_Stream_ExtractFrame
    00243f84 g DF .text 0000008c FT_Get_Track_Kerning

    And the rest of the APIs are:

    http://pastebin.com/s8YGcKiZ

    But the question is how these APIs are ultimately used to call Android’s font APIs:

    https://github.com/android/platform_frameworks_base/blob/master/libs/hwui/FontRenderer.cpp

    Can such font implementations lead to vulnerable implementations:

    http://www.computerworld.com/s/article/9240668/Patch_Tuesday_release_handles_malicious_fonts_in_Microsoft_Windows