Log in

View Full Version : Fixing elf header

PnUIC
January 4th, 2011, 13:16
Hi people! I'm trying to fix the elf header of tiny-crackme ("http://crackmes.de/users/yanisto/tiny_crackme/") (http://crackmes.de/users/yanisto/tiny_crackme), I also coded a bit of c Code ad hoc for this one, but when I try to run the file the process is killed, can anyone help me? I'm a newbie on elf file format, and I'm reading this http://www.codeproject.com/KB/cpp/shared_object_injection_1.aspx

This is the code:
Code:


#include <stdio.h>

#include <stdlib.h>

#include <elf.h>



int main(void) {

	FILE *pFile, *pFile2;

	char *buffer;

	unsigned int fSize, phSize;

	Elf32_Ehdr elfHeader;

	Elf32_Phdr progHeader;

	Elf32_Off phOff; 



	pFile = fopen("tiny-crackme", "rb";

	if(pFile == NULL)

		return -1;



	/* read header */

	fread(&elfHeader, sizeof(Elf32_Ehdr), 1, pFile);

	

	/* read prog header */ 

	fseek(pFile, elfHeader.e_phoff, SEEK_SET);

	fread(&progHeader, sizeof(Elf32_Phdr), 1, pFile);



	/* get segment infos */ 

	phSize = progHeader.p_filesz;

	phOff = progHeader.p_offset;



	/* read segment */

	fseek(pFile, phOff, SEEK_SET);

	buffer = (char*)malloc(phSize);

	fread(buffer, phSize, 1, pFile);



	fclose(pFile);



	/* fix Program Header Offset*/

	elfHeader.e_phoff = (Elf32_Off) sizeof(Elf32_Ehdr);

	/* fix Elf header's size*/

	elfHeader.e_ehsize = (Elf32_Half) sizeof(Elf32_Ehdr);

	/*  fix section header's number */

	elfHeader.e_shoff = 0;

	elfHeader.e_shnum = 0;

	/* fix file offset segment */

	progHeader.p_offset = (Elf32_Off)(sizeof(Elf32_Ehdr)+sizeof(Elf32_Phdr));





	/* write the new elf file */

	pFile2 = fopen("tiny-crackme-fix", "wb";

	if(pFile2 == NULL) {

		free(buffer);

		return -1;

	}



	fwrite(&elfHeader, sizeof(Elf32_Ehdr), 1, pFile2);

	fwrite(&progHeader, sizeof(Elf32_Phdr), 1, pFile2);

	fwrite(buffer, phSize, 1, pFile2);

	

	free(buffer);

	fclose(pFile2);



    printf("\nWork done!!\n";	

    return 0;

}
PnUIC
January 6th, 2011, 18:31
Guys I also try to see the Linux Kernel source code, but I don't understand what is the problem, so you don't wait news from me, sorry
evaluator
January 8th, 2011, 14:35
i don't know ELF.
but there seems direct offsets used in instructions. OK?

also i see something like self_CRC.
i have attached MZPE header, so you can debug it under odious Wind0z
PnUIC
January 8th, 2011, 15:54
ahahah thx a lot evaluator, but my purpose was to make this crackme debuggable on linux, so at this point I think that fix gdb is easier than modding this crackme, but this is only an idea

PS: This is a nice article that I found that could be usefull:
A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux hxxp://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
evaluator
January 8th, 2011, 16:21
as i wrote, there is self_CRC check, so you must not modify file.

trace & dump after decryptors, then analyze.
@200086 there will be conditional jump over
Quote:
Sorry but the process seems to be traced
PnUIC
January 9th, 2011, 03:28
Thx a lot but there're just a lot of solutions on the web(as you can see in crackmes.de page), I just wanted to debug it into gbd, stop.
mkfs
January 13th, 2011, 16:10
The ELF spec is available from Intel as part of their Tools and Interface Standards (TIS) library. google("Intel TIS ELF".

In regards to the target file, do not try to modify the ELF header in-place.

Use GNU binutils to take apart and reassemble the file. For example, use libbfd to create a new, "correct" version of the file programmatically, or use the GNU linker scripts to extract the necessary sections from the file and re-link them.

The elfsh tool might be useful as well; I've never really gotten past its cumbersome command language.