
Thread: Fixing elf header

  1. #1
    PnUIC
    Guest

    Fixing elf header

    Hi people! I'm trying to fix the ELF header of tiny-crackme (http://crackmes.de/users/yanisto/tiny_crackme). I also coded a bit of C code ad hoc for this one, but when I try to run the file the process is killed. Can anyone help me? I'm a newbie on the ELF file format, and I'm reading this: http://www.codeproject.com/KB/cpp/shared_object_injection_1.aspx

    This is the code:
    Code:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <elf.h>
    
    int main(void) {
    	FILE *pFile, *pFile2;
    	char *buffer;
    	unsigned int phSize;
    	Elf32_Ehdr elfHeader;
    	Elf32_Phdr progHeader;
    	Elf32_Off phOff;
    
    	pFile = fopen("tiny-crackme", "rb");
    	if(pFile == NULL)
    		return -1;
    
    	/* read header and check that it really is a 32-bit ELF file */
    	if(fread(&elfHeader, sizeof(Elf32_Ehdr), 1, pFile) != 1 ||
    	   memcmp(elfHeader.e_ident, ELFMAG, SELFMAG) != 0 ||
    	   elfHeader.e_ident[EI_CLASS] != ELFCLASS32) {
    		fclose(pFile);
    		return -1;
    	}
    
    	/* read the first prog header (the only one this tool keeps) */
    	fseek(pFile, elfHeader.e_phoff, SEEK_SET);
    	if(fread(&progHeader, sizeof(Elf32_Phdr), 1, pFile) != 1) {
    		fclose(pFile);
    		return -1;
    	}
    
    	/* get segment infos */
    	phSize = progHeader.p_filesz;
    	phOff = progHeader.p_offset;
    
    	/* read segment */
    	fseek(pFile, phOff, SEEK_SET);
    	buffer = malloc(phSize);
    	if(buffer == NULL || fread(buffer, 1, phSize, pFile) != phSize) {
    		free(buffer);
    		fclose(pFile);
    		return -1;
    	}
    
    	fclose(pFile);
    
    	/* fix Program Header Offset: the table now follows the ELF header */
    	elfHeader.e_phoff = (Elf32_Off) sizeof(Elf32_Ehdr);
    	/* fix Elf header's size */
    	elfHeader.e_ehsize = (Elf32_Half) sizeof(Elf32_Ehdr);
    	/* only one program header is written out, so the header must say so */
    	elfHeader.e_phentsize = (Elf32_Half) sizeof(Elf32_Phdr);
    	elfHeader.e_phnum = 1;
    	/* fix section header's number: the new file has no section table */
    	elfHeader.e_shoff = 0;
    	elfHeader.e_shnum = 0;
    	elfHeader.e_shstrndx = 0;
    	/* fix file offset segment */
    	progHeader.p_offset = (Elf32_Off)(sizeof(Elf32_Ehdr)+sizeof(Elf32_Phdr));
    
    	/* a PT_LOAD segment is mmap()ed by the kernel, so the ELF spec requires
    	   p_offset and p_vaddr to be congruent modulo p_align (the page size);
    	   if moving the segment broke that, the new file cannot be mapped */
    	if(progHeader.p_align > 1 &&
    	   progHeader.p_offset % progHeader.p_align != progHeader.p_vaddr % progHeader.p_align)
    		fprintf(stderr, "warning: p_offset and p_vaddr no longer agree modulo p_align\n");
    
    	/* write the new elf file */
    	pFile2 = fopen("tiny-crackme-fix", "wb");
    	if(pFile2 == NULL) {
    		free(buffer);
    		return -1;
    	}
    
    	fwrite(&elfHeader, sizeof(Elf32_Ehdr), 1, pFile2);
    	fwrite(&progHeader, sizeof(Elf32_Phdr), 1, pFile2);
    	fwrite(buffer, 1, phSize, pFile2);
    
    	free(buffer);
    	fclose(pFile2);
    
    	printf("\nWork done!!\n");
    	return 0;
    }
    I promise that I have read the FAQ and tried to use the Search to answer my question.
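An added example, not the poster's code, that checks the header fields the program above rewrites against the loader's rules, using a 32-bit image constructed here rather than the real tiny-crackme: the ELF spec requires a PT_LOAD segment's p_offset and p_vaddr to agree modulo p_align, so placing the segment right behind freshly written headers without adjusting p_vaddr yields a file the kernel cannot map, which is one way a rewritten binary ends up killed at exec time.

```c
#include <elf.h>
#include <string.h>

/* Return 0 if the first program header of a 32-bit image describes a
 * loadable PT_LOAD segment, else the number of the first failed check. */
int check_elf32(const unsigned char *img, size_t len)
{
    Elf32_Ehdr eh;
    Elf32_Phdr ph;
    if (len < sizeof eh) return 1;                          /* truncated header */
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0) return 2; /* not an ELF file */
    if (eh.e_phentsize != sizeof ph || eh.e_phnum == 0) return 3;
    if ((size_t)eh.e_phoff + sizeof ph > len) return 4;     /* phdr outside file */
    memcpy(&ph, img + eh.e_phoff, sizeof ph);
    if (ph.p_type != PT_LOAD) return 5;
    if ((size_t)ph.p_offset + ph.p_filesz > len) return 6;  /* segment outside file */
    /* ELF spec: p_vaddr must equal p_offset modulo p_align (the page size);
     * otherwise the kernel's mmap() of the segment fails at exec time */
    if (ph.p_align > 1 && ph.p_offset % ph.p_align != ph.p_vaddr % ph.p_align)
        return 7;
    return 0;
}

/* Construct a sample 32-bit image (not the real tiny-crackme): ELF header,
 * one PT_LOAD header, then `payload` zero bytes starting at file offset
 * `off` and mapped at `vaddr`. Returns the image length. */
size_t build_image(unsigned char *buf, Elf32_Off off, Elf32_Addr vaddr, size_t payload)
{
    Elf32_Ehdr eh = {0};
    Elf32_Phdr ph = {0};
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS32; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT; eh.e_version = EV_CURRENT;
    eh.e_type = ET_EXEC; eh.e_machine = EM_386;
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = PT_LOAD; ph.p_offset = off;
    ph.p_vaddr = ph.p_paddr = vaddr;
    ph.p_filesz = ph.p_memsz = payload;
    ph.p_flags = PF_R | PF_X; ph.p_align = 0x1000;
    memset(buf, 0, off + payload);
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + eh.e_phoff, &ph, sizeof ph);
    return off + payload;
}
```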

  2. #2
    PnUIC
    Guest
    Guys, I also tried to look at the Linux kernel source code, but I don't understand what the problem is, so don't wait for news from me, sorry.

  3. #3
    evaluator
    I don't know ELF,
    but there seem to be direct offsets used in the instructions. OK?

    Also I see something like self_CRC.
    I have attached an MZPE header, so you can debug it under odious Wind0z.
    Last edited by evaluator; January 8th, 2011 at 14:52.

  4. #4
    PnUIC
    Guest
    Ahahah, thx a lot evaluator, but my purpose was to make this crackme debuggable on Linux, so at this point I think that fixing gdb is easier than modding this crackme, but this is only an idea.

    PS: This is a nice article that I found that could be useful:
    A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html

  5. #5
    evaluator
    As I wrote, there is a self_CRC check, so you must not modify the file.

    Trace & dump after the decryptors, then analyze.
    @200086 there will be a conditional jump over
    "Sorry but the process seems to be traced".

  6. #6
    PnUIC
    Guest
    Thx a lot, but there are just a lot of solutions on the web (as you can see on the crackmes.de page); I just wanted to debug it in gdb, stop.

  7. #7
    Old, retired, and lame
    The ELF spec is available from Intel as part of their Tools and Interface Standards (TIS) library. google("Intel TIS ELF").

    In regards to the target file, do not try to modify the ELF header in-place.

    Use GNU binutils to take apart and reassemble the file. For example, use libbfd to create a new, "correct" version of the file programmatically, or use the GNU linker scripts to extract the necessary sections from the file and re-link them.

    The elfsh tool might be useful as well; I've never really gotten past its cumbersome command language.
