add elf_find_function_pointer and sshd_host_keys field

xzre.c

@@ -251,6 +251,8 @@ void main_shared(){
 				item->xref ? PTRDIFF(item->xref, elf_addr) : 0);
 	}
 
+	printf("BASE ADDR: %p\n", einfo.elfbase);
+
 
 	u64 code_size = 0, data_size = 0;
 	void *data_start = elf_get_data_segment(&einfo, &data_size, 0);
@@ -272,6 +274,20 @@ void main_shared(){
 	int score = sshd_get_host_keys_score(ssh_host_keys1, &einfo, &strings);
 	printf("sshd_get_host_keys_score(): %d\n", score);
 
+	void *keyVerify_start = NULL;
+	void *keyVerify_end = NULL;
+	void *keyVerify_fptr_addr = NULL;
+	BOOL checkPrologue = TRUE;
+	if(elf_find_function_pointer(XREF_mm_answer_keyverify,
+		&keyVerify_start, &keyVerify_end, &keyVerify_fptr_addr,
+		&einfo, &strings, &checkPrologue
+	)){
+		printf("keyVerify: start=%p, end=%p, fptr_addr=%p\n",
+			keyVerify_start,
+			keyVerify_end,
+			keyVerify_fptr_addr);
+	}
+
 	//xzre_backdoor_setup();
 	puts("main_shared(): OK");
 }

xzre.h

@@ -73,6 +73,9 @@ typedef Elf64_Xword Elf64_Relr;
 
 typedef int BOOL;
 
+#define TRUE 1
+#define FALSE 0
+
 typedef enum {
 	// has lock prefix
 	DF_LOCK = 1,
@@ -670,7 +673,9 @@ typedef struct __attribute__((packed)) global_context {
 	 * It's likely both a safety check and an anti tampering mechanism.
 	 */
 	BOOL disable_backdoor;
-	PADDING(0x64);
+	PADDING(12);
+	void *sshd_host_keys;
+	PADDING(0x50);
 	/**
 	 * @brief 
 	 * the shifter will use this address as the minimum search address
@@ -710,6 +715,7 @@ typedef struct __attribute__((packed)) global_context {
 assert_offset(global_context_t, imported_funcs, 0x8);
 assert_offset(global_context_t, libc_imports, 0x10);
 assert_offset(global_context_t, disable_backdoor, 0x18);
+assert_offset(global_context_t, sshd_host_keys, 0x28);
 assert_offset(global_context_t, code_range_start, 0x80);
 assert_offset(global_context_t, code_range_end, 0x88);
 assert_offset(global_context_t, secret_data, 0x108);
@@ -1606,6 +1612,26 @@ extern void *elf_get_plt_symbol(elf_info_t *elf_info, EncodedStringId encoded_st
  */
 extern void *elf_get_got_symbol(elf_info_t *elf_info, EncodedStringId encoded_string_id);
 
+/**
+ * @brief this function searches for a function pointer, pointing to a function
+ * designated by the given @p xref_id
+ * 
+ * @param xref_id the index to use to retrieve the function from @p xrefs
+ * @param pOutCodeStart output variable that will receive the function start address
+ * @param pOutCodeEnd output variable that will receive the function end address
+ * @param pOutFptrAddr output variable that will receive the address of the function pointer
+ * @param elf_info sshd elf context
+ * @param xrefs array of resolved functions, filled by @ref elf_find_string_references
+ * @param pCheckPrologue if the BOOL pointed to by this variable is TRUE, an endbr64 will be expected at the beginning
+ * @return BOOL TRUE if the function pointer was found, FALSE otherwise
+ */
+extern BOOL elf_find_function_pointer(
+	StringXrefId xref_id,
+	void **pOutCodeStart, void **pOutCodeEnd,
+	void **pOutFptrAddr, elf_info_t *elf_info,
+	string_references_t *xrefs,
+	BOOL *pCheckPrologue);
+
 /**
  * @brief Locates a string in the ELF .rodata section
  * 

xzre.lds.in

@@ -42,6 +42,7 @@ SECTIONS_BEGIN()
 	DEFSYM(main_elf_parse, .text.lzma_filter_decoder_is_supportea)
 	DEFSYM(check_argument, .text.lzma_encoder_inia)
 	DEFSYM(elf_symbol_get, .text.crc_inia)
+	DEFSYM(elf_find_function_pointer, .text.reverse_seez)
 	DEFSYM_START(.text.crc64_generia)
 		DEFSYM2(elf_symbol_get_addr, 0)
 		DEFSYM2(c_memmove, 0x1B20 - 0x1AF0)