Tags: linux, random, elf, objdump, aslr

How to disable address randomization (ASLR) from an ELF file?


Solved: The solution was calling personality(0x40000). See details below in the comments.

Where does the ASLR flag reside within an ELF file? I need to disable ASLR for a specific library (.so). I've tried using objdump, but I couldn't find out how to do so.

I can't use /proc because it doesn't appear to work on my Android 4.4.4, so I'm trying to modify the binary.

Edit: I've compiled the following:

#include <stdio.h>

/* Return the address of the call site in main, i.e. the return address
   of this function minus the assumed length of the call instruction. */
void* getEIP()
{
    return __builtin_return_address(0) - 0x5;
}

int main(int argc, char** argv)
{
    /* If the executable is randomized (PIE), this value changes between runs. */
    printf("EIP located at: %p\n", getEIP());
    return 0;
}

without ASLR (PIE):

arm-linux-androideabi-gcc.exe code.c -o noPIE --sysroot=%NDK%\platforms\android-3\arch-arm

with ASLR (PIE):

arm-linux-androideabi-gcc.exe -fPIE -pie code.c -o withPIE --sysroot=%NDK%\platforms\android-3\arch-arm

The noPIE binary indeed isn't being randomized, even though:

# cat /proc/sys/kernel/randomize_va_space
2

Solution

  • I need to disable ASLR for a specific library (.so).

    You can't (and the ASLR does not reside anywhere in the ELF file because it's not a property of the ELF, it's a property of the kernel).

    What you can do is disable randomization for a given process. setarch -R is your friend.
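An added example, not part of the question or the answer above, showing the personality(2) route the asker settled on: 0x40000 is ADDR_NO_RANDOMIZE, and it is a per-process flag rather than anything stored in the ELF. The program sets the flag on itself and re-executes so that its own image (and any .so it loads) is mapped without randomization. It assumes a Linux/Android build with <sys/personality.h> and that argv[0] is a path execv can run (e.g. ./noaslr).

```c
/* Added example: disable ASLR for this process via personality(2),
   then re-exec so the new image is mapped unrandomized. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/personality.h>

/* True if the persona value carries ADDR_NO_RANDOMIZE (0x40000). */
static int randomization_disabled(unsigned long persona)
{
    return (persona & ADDR_NO_RANDOMIZE) != 0;
}

/* Persona value with randomization turned off, other bits untouched. */
static unsigned long with_no_randomize(unsigned long persona)
{
    return persona | ADDR_NO_RANDOMIZE;
}

/* personality(0xffffffff) queries the current persona without changing it. */
static int current_persona(unsigned long *out)
{
    int p = personality(0xffffffff);
    if (p == -1)
        return -1;
    *out = (unsigned long)p;
    return 0;
}

int main(int argc, char **argv)
{
    unsigned long persona;
    if (current_persona(&persona) != 0) {
        perror("personality");
        return 1;
    }
    if (!randomization_disabled(persona)) {
        /* Flag is inherited across execve, so the re-executed image sees it set
           and falls through to the print below instead of looping. */
        if (personality(with_no_randomize(persona)) == -1) {
            perror("personality");   /* e.g. EPERM under a restrictive seccomp policy */
            return 1;
        }
        execv(argv[0], argv);        /* assumes argv[0] is a usable path */
        perror("execv");
        return 1;
    }
    /* With ADDR_NO_RANDOMIZE set, this address is stable between runs, PIE or not. */
    printf("main located at: %p (ADDR_NO_RANDOMIZE set)\n", (void *)main);
    return 0;
}
```

This is what setarch -R does on your behalf before running a command; it does not modify the binary.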