
Fixing elf header

RCE of Linux tools and programs.

Post by PnUIC »

Hi people! I'm trying to fix the ELF header of tiny-crackme (http://crackmes.de/users/yanisto/tiny_crackme). I also coded a bit of C code ad hoc for this one, but when I try to run the file the process is killed. Can anyone help me? I'm a newbie on the ELF file format, and I'm reading this http://www.codeproject.com/KB/cpp/share ... ion_1.aspx

This is the code:

#include <stdio.h>
#include <stdlib.h>
#include <elf.h>

int main(void) {
	FILE *pFile, *pFile2;
	char *buffer;
	unsigned int phSize;
	Elf32_Ehdr elfHeader;
	Elf32_Phdr progHeader;
	Elf32_Off phOff;

	pFile = fopen("tiny-crackme", "rb");
	if(pFile == NULL)
		return -1;

	/* read ELF header */
	if(fread(&elfHeader, sizeof(Elf32_Ehdr), 1, pFile) != 1)
		return -1;
	/* read the first program header */
	fseek(pFile, elfHeader.e_phoff, SEEK_SET);
	if(fread(&progHeader, sizeof(Elf32_Phdr), 1, pFile) != 1)
		return -1;

	/* get segment infos */
	phSize = progHeader.p_filesz;
	phOff = progHeader.p_offset;

	/* read segment */
	fseek(pFile, phOff, SEEK_SET);
	buffer = (char*)malloc(phSize);
	if(buffer == NULL || fread(buffer, phSize, 1, pFile) != 1)
		return -1;
	fclose(pFile);

	/* fix Program Header Offset: table follows the ELF header */
	elfHeader.e_phoff = (Elf32_Off) sizeof(Elf32_Ehdr);
	/* fix ELF header's size */
	elfHeader.e_ehsize = (Elf32_Half) sizeof(Elf32_Ehdr);
	/* only one program header is written out */
	elfHeader.e_phnum = 1;
	/* drop the section header table */
	elfHeader.e_shoff = 0;
	elfHeader.e_shnum = 0;
	/* fix segment file offset: segment follows the two headers */
	progHeader.p_offset = (Elf32_Off)(sizeof(Elf32_Ehdr)+sizeof(Elf32_Phdr));

	/* write the new ELF file */
	pFile2 = fopen("tiny-crackme-fix", "wb");
	if(pFile2 == NULL)
		return -1;

	fwrite(&elfHeader, sizeof(Elf32_Ehdr), 1, pFile2);
	fwrite(&progHeader, sizeof(Elf32_Phdr), 1, pFile2);
	fwrite(buffer, phSize, 1, pFile2);
	fclose(pFile2);
	free(buffer);

	printf("\nWork done!!\n");
	return 0;
}
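The fixer above rewrites e_phoff, e_ehsize and p_offset by hand, so the natural companion is a check that asks the same questions the kernel's ELF loader asks before it will run the image. The following is an added example, not PnUIC's code and not anything taken from the crackme: elf32_check() validates an in-memory ELF32 image (magic and class, header sizes, program header table, PT_LOAD byte ranges, an optional section table, and the requirement that p_vaddr and p_offset agree modulo p_align, which the loader's page-granular mmap depends on), and elf32_build_minimal() writes the header | program header | segment layout the post's fixer produces. The load address 0x08048000 and the 7-byte sample segment are constructed assumptions for the demo.

```c
#include <elf.h>
#include <stdint.h>
#include <string.h>

/* Verdicts from elf32_check(): ELF_OK, or the first inconsistency found
 * (short file, bad magic/class, wrong e_ehsize or e_phentsize, program
 * header table / PT_LOAD bytes / section table past end of file, or a
 * PT_LOAD whose p_vaddr and p_offset disagree modulo p_align). */
enum elf_err { ELF_OK = 0, ELF_TOO_SHORT, ELF_BAD_MAGIC, ELF_BAD_EHSIZE,
               ELF_BAD_PHENTSIZE, ELF_PHDR_OOB, ELF_SEG_OOB,
               ELF_SEG_MISALIGNED, ELF_SHDR_OOB };

/* Validate an in-memory ELF32 image. memcpy is used because the buffer need
 * not be aligned; uint64_t sums cannot wrap the way 32-bit offset+size can. */
enum elf_err elf32_check(const unsigned char *buf, size_t len)
{
    Elf32_Ehdr eh;
    Elf32_Phdr ph;
    unsigned i;

    if (len < sizeof eh) return ELF_TOO_SHORT;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) || eh.e_ident[EI_CLASS] != ELFCLASS32)
        return ELF_BAD_MAGIC;
    if (eh.e_ehsize != sizeof(Elf32_Ehdr)) return ELF_BAD_EHSIZE;
    if (eh.e_phnum && eh.e_phentsize != sizeof(Elf32_Phdr)) return ELF_BAD_PHENTSIZE;
    if ((uint64_t)eh.e_phoff + (uint64_t)eh.e_phnum * sizeof ph > len)
        return ELF_PHDR_OOB;

    for (i = 0; i < eh.e_phnum; i++) {
        memcpy(&ph, buf + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_LOAD) continue;
        /* the loader mmaps page-aligned chunks, so this congruence is required */
        if (ph.p_align > 1 && ph.p_vaddr % ph.p_align != ph.p_offset % ph.p_align)
            return ELF_SEG_MISALIGNED;
        if ((uint64_t)ph.p_offset + ph.p_filesz > len) return ELF_SEG_OOB;
    }
    /* a section table is optional, but if claimed it must fit in the file */
    if ((eh.e_shoff || eh.e_shnum) &&
        (uint64_t)eh.e_shoff + (uint64_t)eh.e_shnum * eh.e_shentsize > len)
        return ELF_SHDR_OOB;
    return ELF_OK;
}

/* Emit header | program header | segment, the layout the post's fixer writes.
 * Returns the image length, or 0 if out is too small. */
size_t elf32_build_minimal(unsigned char *out, size_t outlen,
                           const unsigned char *seg, size_t seglen)
{
    Elf32_Ehdr eh;
    Elf32_Phdr ph;
    const size_t hdrs = sizeof eh + sizeof ph;
    const Elf32_Addr base = 0x08048000;   /* assumed i386 load address */

    if (outlen < hdrs + seglen) return 0;
    memset(&eh, 0, sizeof eh);            /* e_sh* stay 0: no section table */
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS32;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC;  eh.e_machine = EM_386;  eh.e_version = EV_CURRENT;
    eh.e_entry = base + hdrs;
    eh.e_phoff = sizeof eh;  eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph;  eh.e_phnum = 1;

    memset(&ph, 0, sizeof ph);
    ph.p_type = PT_LOAD;  ph.p_flags = PF_R | PF_X;  ph.p_align = 0x1000;
    ph.p_offset = hdrs;                    /* segment follows the two headers */
    ph.p_vaddr = ph.p_paddr = base + hdrs; /* same value mod p_align as p_offset */
    ph.p_filesz = ph.p_memsz = seglen;

    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    memcpy(out + hdrs, seg, seglen);
    return hdrs + seglen;
}

/* Constructed stand-in for the crackme's code: mov eax,1 ; int 0x80 (exit). */
static const unsigned char sample_seg[] = {0xb8,0x01,0x00,0x00,0x00,0xcd,0x80};

/* Build a sane image, then break it the two ways a hand-edited header
 * usually goes wrong. Returns the image length if every verdict is as
 * expected, 0 otherwise. */
size_t demo(void)
{
    unsigned char img[128], bad[128];
    Elf32_Ehdr eh;
    Elf32_Phdr ph;
    size_t n = elf32_build_minimal(img, sizeof img, sample_seg, sizeof sample_seg);

    if (n == 0 || elf32_check(img, n) != ELF_OK) return 0;
    memcpy(bad, img, n);                  /* 1: e_phoff points past EOF */
    memcpy(&eh, bad, sizeof eh);  eh.e_phoff = 0xFFFF;  memcpy(bad, &eh, sizeof eh);
    if (elf32_check(bad, n) != ELF_PHDR_OOB) return 0;
    memcpy(bad, img, n);                  /* 2: p_offset moved but p_vaddr not */
    memcpy(&ph, bad + sizeof eh, sizeof ph);  ph.p_offset++;
    memcpy(bad + sizeof eh, &ph, sizeof ph);
    if (elf32_check(bad, n) != ELF_SEG_MISALIGNED) return 0;
    return n;
}
```

The second corruption in demo() is the one the post's fixer is exposed to: moving p_offset to sit right after the headers without adjusting p_vaddr (or keeping p_offset congruent to it modulo p_align) gives the loader a mapping it cannot perform, and the new process is killed before the first instruction runs. Running the checker over a rebuilt file before executing it turns "the process is killed" into a named field to fix.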


Post by PnUIC »

Guys, I also tried to look at the Linux kernel source code, but I don't understand what the problem is, so don't wait for news from me, sorry :thinking:
Posts: 1539
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

I don't know ELF,
but there seem to be direct offsets used in instructions. OK?

Also I see something like self_CRC.
I have attached an MZPE header, so you can debug it under odious Wind0z :eek:

Post by PnUIC »

ahahah thx a lot evaluator, but my purpose was to make this crackme debuggable on Linux, so at this point I think that fixing gdb is easier than modding this crackme, but this is only an idea :devil:

PS: This is a nice article that I found that could be useful:
A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux hxxp://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
Posts: 1539
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

As I wrote, there is a self_CRC check, so you must not modify the file.

trace & dump after decryptors, then analyze.
@200086 there will be conditional jump over
Sorry but the process seems to be traced

Post by PnUIC »

Thx a lot, but there are already a lot of solutions on the web (as you can see on the crackmes.de page); I just wanted to debug it in gdb, that's all.
Posts: 2
Joined: Thu Mar 04, 2010 4:16 pm
Location: nyc

Post by mkfs »

The ELF spec is available from Intel as part of their Tools and Interface Standards (TIS) library. google("Intel TIS ELF").

In regards to the target file, do not try to modify the ELF header in-place.

Use GNU binutils to take apart and reassemble the file. For example, use libbfd to create a new, "correct" version of the file programmatically, or use the GNU linker scripts to extract the necessary sections from the file and re-link them.

The elfsh tool might be useful as well; I've never really gotten past its cumbersome command language.