Hi, I have disassembled an ELF file, and I want to edit a particular string.
I searched the forum and found this:
http://www.woodmann.com/forum/showthread.php?t=5119&highlight=ida+edit

But didn't work.

I select the string near the db instruction, and type backspace or try the edit menu, but nothing happen... Do I make something wrong ?

I'm new to reverse engineering so please excuse me if the problem has alreary been solved, but can't find it...
thanks.

Please do not double post. You already posted in that 6 year old Thread, and just posting in this one, with a reference to the previous post, as you made here, would be sufficient.



Regards,

If it's an unencrypted string, just use another tool like "Hex Workshop" to edit it.

Hi, the fact is that I need to replace the string with a bigger one (2 chars longer). As far as I know (not very far however), If I replace with a longer string, the new executable won't work as it will change the intern structure, right ?

right.
but if you have phantasy.. then.. at other place..

Sorry, but I don't understand what you're saying
I think editing strings in an executable should be quite simple for someone who know how to do that, but I have no clues at all

Hello.

Text files. They don't work on the basis of addresses. Meaning, a word or sentence on the fifth page, does not refer to a word or sentence on the second page. Therefore, you add, delete, insert text at whatever position you want. You can also replace the word AIM with AIMLESS and nothing is wrong.

Executable files. They work on the basis of offsets. Simply put, they work on the basis of ADDRESSES inside the file itself. So if the word AIM REVERSES has AIM beginning at address 00000001 and REVERSES begins at address 00000004, then if you change it to AIMLESS REVERSES then the word REVERSES is pushed back to address 00000008. Now, if the executable wants to display the term REVERSES in a messagebox, it will say: DISPLAY STRING AT ADDRESS 00000004. After all, when it was compiled, the word REVERSES was on 00000004. But because you changed it, it will now show LESS. This becomes worse when instead of the word REVERSES there is an instruction, such as CALL 00003434. Now if you add something before this, when this gets called later on somewhere in the program, it will be somewhere in the middle of the instruction.

Complicated?

Of course. They are not called BINARIES for nothing.

Have Phun

As far as I know, it's not possible to edit the disassembled file from IDA in any way. Also, you've already seen that it won't be possible to replace the string in-place by a longer one. What you will have to do is find an empty, unused spot in the ELF file (a "cave", use a hex editor to place your new string there, and update all references to the old string in the ELF's code so they point to this new string instead.

OK, thanks for your explications, I understand now, but, doesn't it possible to modify the asm code source, imagine that I modify the string at address X, and I add 2 octets. In the ASM code source, If it increment with 2 all references to address > X, and then I recompile the asm code source?

Thanks, I'll try to find nop or null hole in the file

It really depends! If the string is in a place with nothing around it, you can just make it longer, as long as you terminate it with a NULL (00 byte).

So, really, make a copy of the executable, fix the string, and test it! My philosophy is "What's it gonna do? Not work?"

Good Idea, after my string I got some useless strings, maybe I can overwrite them !