    Saturday, January 27, 2024

    Reversing Rust String And Str Datatypes

    Let's build an app that uses several data types in order to see how each is stored from a low-level perspective.

    Rust string data-types

    The first two main objects are "str" and String; let's also check the constructors.




    Imports and functions

    Even such a basic program links several libraries and occupies 2,568Kb. It is not really using the imports, and it exports the runtime functions, even main.


    Even a simple string operation needs 544 functions in Rust:


    Main function

    If you expected to see a clear main function, I regret to say that Rust doesn't seem a real low-level language, in spite of having full control of the memory.


    Ghidra goes crazy when it tries to do the recursive parsing of the Rust code, and finally we have the libc _start function; the endless loop after main is the way Ghidra decompiles the HLT instruction.


    If we jump to main, we see a function call whose first parameter is rust_main, as I named it below:



    If we search for "hello world" in the Defined Strings section, it matches at the end of a large string:


    After doing "clear code bytes" we can see the string and the reference:


    We can see that the literal is stored as a non-null-terminated string, or most likely an array of bytes. We have a bunch of byte arrays, each pointed to from the code at its beginning.
    Let's follow the reference with [ctrl]+[shift]+[f]; we get the references that point to the Rust main function.


    After renaming several functions, thanks to the Ghidra comments that identify the Rust runtime functions, the Rust main looks more understandable.
    See below the reference to "hello world" that is passed to the string allocation with the size hard-coded: because it is a non-null-terminated string, there is no other way to determine its size. This also helps Rust's performance and avoids the C/C++ problems that appear when you forget to write the null byte, for example by miscalculating the size in a memcpy.


    Regarding the string object, the allocator internals reveal the structure statically.
    The alloc_string function calls a function that calls a function and so on, so this is the call stack (also obtained statically, using the Ghidra code comments):

    1. _$LT$alloc..string..String$u20$as$u20$core..convert..From$LT$$RF$str$GT$$GT$::from::h752d6ce1f15e4125
    2. alloc::str::_$LT$impl$u20$alloc..borrow..ToOwned$u20$for$u20$str$GT$::to_owned::h649c495e0f441934
    3. alloc::slice::_$LT$impl$u20$alloc..borrow..ToOwned$u20$for$u20$$u5b$T$u5d$$GT$::to_owned::h1eac45d28
    4. alloc::slice::_$LT$impl$u20$$u5b$T$u5d$$GT$::to_vec::h25257986b8057640
    5. alloc::slice::hack::to_vec::h37a40daa915357ad
    6. core::slice::_$LT$impl$u20$$u5b$T$u5d$$GT$::len::h2af5e6c76291f524
    7. alloc::vec::Vec$LT$T$GT$::extend_from_slice::h190290413e8e57a2
    8. _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..SpecExtend$LT$$RF$T$C$core..slice..Iter$LT$T$GT$$GT$$GT$::spec_extend::h451c2f92a49f9caa
    ...


    Well, I'm not going to talk about the performance impact on the stack, but programming well by reusing code grants maintainability, which is good, and I'm sure that the Rust developers have measured that and that it doesn't compensate to hard-code every constructor directly.

    At this point we have two options: check the Rust source code, or try to figure out the string object dynamically with gdb.

    Source code

    Let's explain this group of substructures with the Rust source code in hand.
    The string object is defined in string.rs and it's simply a vector of u8.



    The definition of the vector can be found in vec.rs; it is composed of a raw vector and the len, which is of the usize datatype.



    The RawVector is a struct that holds the pointer to the null terminated string stored in a Unique object, and also contains the allocation pointer; here is the raw_vec.rs definition.



    The cap field is the capacity of the allocation and a is the allocator:



    Finally, the Unique object structure contains a pointer to the null terminated string, and also a one-byte marker, core::marker::PhantomData.



    Dynamic analysis

    The first parameter of the constructor is the interesting one, and on the x64 architecture it is in the RDI register. The strange sequence RDI, RSI, RDX, RCX sounds like ACDC with a bit of imagination (di-si-d-c).

    So the RDI parameter is the pointer to the string object:



    So RDI contains the stack address that points to the heap address 0x5578f030.
    Remember to disable ASLR to correlate the addresses with Ghidra; there is also a plugin to do the synchronization.

    Having symbols we can do:
    p mystring

    and we get the following structure:

    String::String {
      vec: alloc::vec::Vec {
        buf: alloc::raw_vec::RawVec {
          ptr: core::ptr::unique::Unique {
            pointer: 0x555555790130 "hello world\000",
            _marker: core::marker::PhantomData
         },
         cap: 11,
         a: alloc::alloc::Global
       },
       len: 11
      }
    }

    If the binary was compiled with symbols we can walk the substructures in this way:

    (gdb) p mystring.vec.buf.ptr
    $6 = core::ptr::unique::Unique {pointer: 0x555555790130 "hello world\000", _marker: core::marker::PhantomData}

    (gdb) p mystring.vec.len

    $8 = 11

    If we try to get the pointer of each substructure we would find out that the pointer is the same:


    If we look at this pointer, we have two dwords that are the pointer to the null terminated string, and also 0xb, which is the size; this structure is a vector.


    The pointer to the C string is 0x555555790130




    This seems like the C++ string, but let's look a bit deeper:

    RawVector
      Vector:
      (gdb) x/wx 0x7fffffffdf50
      0x7fffffffdf50: 0x55790130  -> low dword c string pointer
      0x7fffffffdf54: 0x00005555  -> high dword c string pointer
      0x7fffffffdf58: 0x0000000b  -> len

    0x7fffffffdf5c: 0x00000000
    0x7fffffffdf60: 0x0000000b  -> low cap (capacity)
    0x7fffffffdf64: 0x00000000  -> high cap
    0x7fffffffdf68: 0xf722fe27  -> low a  (allocator)
    0x7fffffffdf6c: 0x00007fff  -> high a
    0x7fffffffdf70: 0x00000005 

    So in this case the whole object is on the stack except the null-terminated string.
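
    A way to confirm this layout on your own toolchain, as an added example that is not code from the original post: it copies the three machine words of a String handle and labels each one by comparing it with what as_ptr(), len() and capacity() report. The helper names raw_words, label_words and sample are hypothetical, and the capacity is grown with reserve(64) so that len and cap differ, unlike the 11/11 case dumped above.

```rust
use std::mem::size_of;

// Copy out the three machine words that make up the String object itself
// (the handle that lives on the stack, not the heap buffer it points to).
fn raw_words(s: &String) -> [usize; 3] {
    // Fails to compile if String is not exactly three words on this target.
    const _: () = assert!(size_of::<String>() == 3 * size_of::<usize>());
    unsafe { std::ptr::read(s as *const String as *const [usize; 3]) }
}

// Label each word by comparing it with the values the safe API reports.
// Rust does not guarantee field order for default-repr structs, so the
// order is discovered at run time rather than assumed.
fn label_words(s: &String) -> [(usize, &'static str, usize); 3] {
    let (ptr, len, cap) = (s.as_ptr() as usize, s.len(), s.capacity());
    let mut out = [(0, "?", 0); 3];
    for (i, &w) in raw_words(s).iter().enumerate() {
        let name = if w == ptr {
            "ptr"
        } else if w == cap {
            "cap"
        } else if w == len {
            "len"
        } else {
            "?"
        };
        out[i] = (i * size_of::<usize>(), name, w);
    }
    out
}

// Constructed sample: the page's literal, with the capacity forced away from
// the length so that "len" and "cap" can be told apart in the dump.
fn sample() -> String {
    let mut s = String::from("hello world");
    s.reserve(64);
    s
}

fn main() {
    let s = sample();
    println!("size_of::<String>() = {} bytes", size_of::<String>());
    for (off, name, val) in label_words(&s).iter() {
        println!("+0x{:02x}  {:<3}  0x{:016x}", off, name, val);
    }
    // The heap buffer holds exactly len bytes of UTF-8.
    println!("heap bytes: {:?}", s.as_bytes());
}
```

    The printed offsets can be compared directly with an x/wx dump of the same object in gdb.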



