Use Ghidra to find the offset of SSL_write() in the chrome.dll file from Chrome version 129.0.6668.71

You first need to obtain Chrome version 129.0.6668.71, since its chrome.dll is the binary we will analyze.

SSL_write() is located in BoringSSL (boringssl/ssl/ssl_lib.cc), a third-party library used by Chrome.

Finding the location of SSL_write() in the source code first will help locate its offset in chrome.dll later.

Search for the source code of boringssl/ssl/ssl_lib.cc

Now, let's start looking for the source code of Chrome version 129.0.6668.71. You should be able to directly find the Chromium source code using the following URL:

https://chromium.googlesource.com/chromium/src/+refs

Next, by following the links, you can find this location:

https://chromium.googlesource.com/chromium/src/+/refs/tags/129.0.6668.71/third_party/boringssl/src

At this step, if everything goes as expected, you will be provided with a commit number. This is the key commit we are looking for. I see the following text:

Submodule link to 11f334121fd0d13830fefdf08041183da2d30ef3 of https://boringssl.googlesource.com/boringssl

11f334121fd0d13830fefdf08041183da2d30ef3 should be the corresponding commit for boringssl that we are looking for.

By modifying the URL, you can easily locate the corresponding boringssl/ssl/ssl_lib.cc, which is the file where SSL_write() is located:

https://boringssl.googlesource.com/boringssl/+/11f334121fd0d13830fefdf08041183da2d30ef3/ssl/ssl_lib.cc

If you want to inspect the source code locally, you can first clone it and then switch to the specific commit:

```shell
git clone https://boringssl.googlesource.com/boringssl
git checkout 11f334121fd0d13830fefdf08041183da2d30ef3
```

At this point, we have located SSL_write() in the source code, which will make it easier to find the offset of SSL_write() in chrome.dll.

Analyze the SSL_write() function in the source code of boringssl/ssl/ssl_lib.cc

Upon examining SSL_write(), you will notice OPENSSL_PUT_ERROR():

```c
int SSL_write(SSL *ssl, const void *buf, int num) {
  // some code
  OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  // some code
}
```

Analyze the definition of OPENSSL_PUT_ERROR() to identify clues that could facilitate subsequent reverse engineering efforts

Since we've identified the error function (OPENSSL_PUT_ERROR()), we can hypothesize that there might be an error message associated with it, which we could potentially use to indirectly locate SSL_write().

Use the following string to search for the definition of the error macro:

#define OPENSSL_PUT_ERROR

The definition of OPENSSL_PUT_ERROR() is as follows:

```c
// OPENSSL_PUT_ERROR is used by OpenSSL code to add an error to the error
// queue.
#define OPENSSL_PUT_ERROR(library, reason) \
  ERR_put_error(ERR_LIB_##library, 0, reason, __FILE__, __LINE__)
```

From the code above, we can see that OPENSSL_PUT_ERROR() expands to a call to ERR_put_error() whose arguments include __FILE__ and __LINE__. The compiler replaces these with the source path and line number of each invocation, so the values are likely embedded in chrome.dll in some form. Our goal is to find those embedded values in the binary and use them as clues to locate the offset of SSL_write().

Based on the boringssl/ssl/ssl_lib.cc file where SSL_write() resides:

  • __FILE__ is likely related to boringssl/ssl/ssl_lib.cc.

  • __LINE__ should fall within the range of lines for SSL_write(), i.e., 1068 to 1095 (0x42c to 0x447).
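To make the __LINE__ clue reproducible for other functions or other BoringSSL commits, here is an added Python example (my own code, not part of the original post and not BoringSSL's) that scans a source file for a function definition, tracks braces to find where the body ends, and lists the lines inside it that invoke OPENSSL_PUT_ERROR. Those line numbers are exactly the values to expect as the last argument of the ERR_put_error() calls in the decompiled binary. The embedded SAMPLE_SOURCE is a constructed excerpt, not the real ssl_lib.cc, so its numbers differ from the 1068 to 1095 range above; run the script on the checked-out file (`python3 clues.py ssl/ssl_lib.cc SSL_write`) to get the real ones.

```python
import re
import sys

# Constructed stand-in for boringssl/ssl/ssl_lib.cc. It is NOT the real file, so
# the line numbers it yields differ from the 1068..1095 range of the real one.
SAMPLE_SOURCE = """\
// constructed excerpt, not BoringSSL's real ssl_lib.cc
static int helper(SSL *ssl) {
  if (ssl == NULL) {
    OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
    return 0;
  }
  return 1;
}

int SSL_write(SSL *ssl, const void *buf, int num) {
  ssl_reset_error_state(ssl);
  if (ssl->do_handshake == NULL) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
    return -1;
  }
  int ret = 0;
  if (!helper(ssl)) {
    OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
    return -1;
  }
  return ret;
}

int SSL_read(SSL *ssl, void *buf, int num) {
  OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  return -1;
}
"""


def function_span(source: str, func_name: str) -> tuple:
    """Return the 1-based (start, end) line numbers of func_name's definition:
    the signature line and the line holding its matching closing brace.
    Definitions start at column 0 and do not end in ';' (that would be a
    prototype). Brace counting is per line and ignores braces inside strings
    or comments, which is adequate for BoringSSL's code style."""
    lines = source.splitlines()
    signature = re.compile(r"^\S.*\b" + re.escape(func_name) + r"\s*\(")
    start = next((i for i, line in enumerate(lines, 1)
                  if signature.match(line) and not line.rstrip().endswith(";")),
                 None)
    if start is None:
        raise ValueError(f"no definition of {func_name}() found")
    depth, opened = 0, False
    for i in range(start, len(lines) + 1):
        line = lines[i - 1]
        depth += line.count("{") - line.count("}")
        opened = opened or "{" in line
        if opened and depth == 0:
            return start, i
    raise ValueError(f"body of {func_name}() never closes")


def error_macro_lines(source: str, func_name: str, macro: str = "OPENSSL_PUT_ERROR") -> list:
    """Line numbers inside func_name's body that invoke the error macro: the
    __LINE__ values the compiler bakes into the matching ERR_put_error() calls."""
    start, end = function_span(source, func_name)
    lines = source.splitlines()
    return [i for i in range(start, end + 1) if macro in lines[i - 1]]


def main(argv):
    if len(argv) == 3:  # e.g. clues.py ssl/ssl_lib.cc SSL_write
        with open(argv[1], encoding="utf-8") as f:
            source, name = f.read(), argv[2]
    else:
        source, name = SAMPLE_SOURCE, "SSL_write"
    start, end = function_span(source, name)
    print(f"{name}() spans lines {start}..{end} ({start:#x}..{end:#x})")
    print("expected __LINE__ values:", error_macro_lines(source, name))


if __name__ == "__main__":
    main(sys.argv)
```

The error-macro lines are the stronger clue: a decompiled call whose __LINE__ argument matches one of them is far more specific than a call whose value merely falls somewhere in the function's range, so compare against the exact list first and fall back to the range only when the binary was built from a slightly different revision.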

Use Ghidra for a more detailed analysis, and successfully locate the desired offset

Now, import chrome.dll into Ghidra for analysis and search for the string ssl_lib.cc:

From the above image, we can see that the string matching these characteristics is found at address 0x18d164ced. By following its references, we can identify the places where it is used:

Using the second clue (__LINE__) to narrow down the search, examine each location and check the __LINE__ value. Eventually, you may find decompiled results similar to the following:

```c
ulonglong FUN_1807b4d00(char **param_1,undefined8 param_2,uint param_3)
{
  // some code
  // The variable uVar6 can have four possible values:
  //   1072 (0x430)
  //   1098 (0x44a)
  //   1092 (0x444)
  //   1077 (0x435)
  FUN_1846171e0(0x10,0,DVar5,"..\\..\\third_party\\boringssl\\src\\ssl\\ssl_lib.cc",uVar6);
  // some code
}
```

Since the possible values of uVar6 are within the range of 1068 to 1095 (0x42c to 0x447), it is reasonable to identify FUN_1807b4d00() as SSL_write().

By renaming the function and variables, the function can be restored more clearly:

```c
ulonglong SSL_write_FUN_1807b4d00(char **param_1,undefined8 param_2,uint param_3)
{
  // some code
  // The variable lineNumber can have four possible values:
  //   1072 (0x430)
  //   1098 (0x44a)
  //   1092 (0x444)
  //   1077 (0x435)
  ERR_put_error_FUN_1846171e0(0x10,0,DVar5,"..\\..\\third_party\\boringssl\\src\\ssl\\ssl_lib.cc",lineNumber);
  // some code
}
```

Finally, by subtracting the base address, you can determine the offset of SSL_write() within chrome.dll:

```
offset = 0x1807b4d00 - 0x180000000
       = 0x7b4d00
```

At this point, we can conclude that in Chrome version 129.0.6668.71, the offset of the SSL_write() function within chrome.dll is 0x7b4d00. 🍀👻💻
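The Ghidra step can be automated in the same spirit. The added Python example below (my own code, not the post's and not a Ghidra script) takes the observations you would collect from the string's cross-references and the decompiler, namely which function contains each ERR_put_error() call, which __FILE__ string it passes and which __LINE__ value, and ranks the callers by how many of their line values fall inside the expected range. It then converts the winning function's address into an offset by subtracting the image base Ghidra assigned (0x180000000 for chrome.dll in the post). The OBSERVED list is constructed: the four entries for FUN_1807b4d00 are the values the post reports, while the remaining caller addresses, lines and the handshake.cc path are invented to show how the ranking separates the right function from neighbours in the same file and from a different file. Out-of-range values are reported rather than discarded, because a value just past the end of the function can come from an inlined helper or a neighbouring function and is worth seeing.

```python
from dataclasses import dataclass

# Image base Ghidra assigned to chrome.dll in the post; pass a different value
# to rva() if your import used another base.
IMAGE_BASE = 0x180000000

SSL_LIB = "..\\..\\third_party\\boringssl\\src\\ssl\\ssl_lib.cc"
HANDSHAKE = "..\\..\\third_party\\boringssl\\src\\ssl\\handshake.cc"  # constructed path


@dataclass(frozen=True)
class ErrCallSite:
    """One ERR_put_error-style call as seen in the decompiler."""
    caller: int      # address of the function containing the call
    file_arg: str    # the __FILE__ string passed to it
    line_arg: int    # the __LINE__ value passed to it


# Constructed observations. The four FUN_1807b4d00 entries are the values the
# post reports; every other caller address and line is invented for illustration.
OBSERVED = [
    ErrCallSite(0x1807b4d00, SSL_LIB, 1072),
    ErrCallSite(0x1807b4d00, SSL_LIB, 1098),
    ErrCallSite(0x1807b4d00, SSL_LIB, 1092),
    ErrCallSite(0x1807b4d00, SSL_LIB, 1077),
    ErrCallSite(0x1807b5000, SSL_LIB, 1012),    # another function in ssl_lib.cc
    ErrCallSite(0x1807b5000, SSL_LIB, 1060),
    ErrCallSite(0x1807b6200, SSL_LIB, 1081),    # one hit in range, one far away
    ErrCallSite(0x1807b6200, SSL_LIB, 2210),
    ErrCallSite(0x1807c0000, HANDSHAKE, 1080),  # right line range, wrong file
]


def normalise(path: str) -> str:
    """Compare paths by suffix with forward slashes, since the embedded __FILE__
    carries whatever separators and prefix the build system produced."""
    return path.replace("\\", "/").lower()


def rank_candidates(sites, file_suffix: str, line_range: tuple) -> list:
    """Group call sites by containing function, keep only those whose __FILE__
    ends with file_suffix, and rank callers by how many __LINE__ values fall
    inside line_range (inclusive). Out-of-range values are kept for inspection."""
    lo, hi = line_range
    suffix = normalise(file_suffix)
    by_caller = {}
    for site in sites:
        if not normalise(site.file_arg).endswith(suffix):
            continue
        by_caller.setdefault(site.caller, []).append(site.line_arg)
    ranked = []
    for caller, lines in by_caller.items():
        inside = sorted(n for n in lines if lo <= n <= hi)
        outside = sorted(n for n in lines if not lo <= n <= hi)
        ranked.append({"caller": caller, "inside": inside, "outside": outside})
    # most in-range hits first, then fewest stray values, then lowest address
    ranked.sort(key=lambda c: (-len(c["inside"]), len(c["outside"]), c["caller"]))
    return ranked


def rva(address: int, image_base: int = IMAGE_BASE) -> int:
    """Offset of a function inside the module: its Ghidra address minus the
    image base. The loaded module's actual base must be added back at runtime."""
    if address < image_base:
        raise ValueError(f"{address:#x} lies below image base {image_base:#x}")
    return address - image_base


def main():
    ranked = rank_candidates(OBSERVED, "ssl/ssl_lib.cc", (1068, 1095))
    for c in ranked:
        print(f"FUN_{c['caller']:x}: in range {c['inside']}, outside {c['outside']}")
    best = ranked[0]["caller"]
    print(f"best match FUN_{best:x} -> offset {rva(best):#x}")


if __name__ == "__main__":
    main()
```

Ranking by count rather than requiring every value to be in range is deliberate: the post's own candidate carries one value (1098) just outside 1068 to 1095, and a strict filter would have thrown it away. The offset is only meaningful relative to the base the binary was analyzed at, so if chrome.dll was imported at a base other than 0x180000000, pass that base to rva().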