I tried rewriting an already-built executable, compiled from C, by hand.

Environment

Mac / gcc / gdb / binutils

Build the target code

main.c


#include <stdio.h>
#include <stdbool.h>

static bool superduperUltimateCheckMethod() {
    bool response = false; // Mistake: this was supposed to return true ...
    return response;
}

int main() {
    printf("%s", superduperUltimateCheckMethod() ? ";D" : ":(");
    return 0;
}

Then build it:

gcc -g main.c -o bin

Bang. First, a quick check that it runs.

./bin

:(

Of course, superduperUltimateCheckMethod always returns **false**, so the sad emoticon is printed.

The behavior we want is to print **;D**. Normally this is where you fix the source, but this time I'll tamper with the binary itself to get the correct behavior.

**"The code ... has a bug ... ///"**

Wait! It's too early to give up!

(Omitted)

Check which bytes actually need to be modified.

gobjdump -d bin

(Omitted)
0000000100000f70 <_superduperUltimateCheckMethod>:
(Omitted)
100000f74: c6 45 ff 00    movb $0x0,-0x1(%rbp)    // This is it!

Because of the mistake in the code above, the immediate is **$0x0** where it has to be **$0x1** for things to work.

So the goal is simply to change that "00" byte to "01"!

Now let's open the binary in vi and look at its contents to make the fix.

vi bin
:%!xxd

 42 0000290: 626f 6c5f 7074 7200 5f5f 4441 5441 0000  bol_ptr.__DATA..
 43 00002a0: 0000 0000 0000 0000 0010 0000 0100 0000  ................
 44 00002b0: 1000 0000 0000 0000 0010 0000 0300 0000  ................
 45 00002c0: 0000 0000 0000 0000 0600 0000 0100 0000  ................
 46 00002d0: 0000 0000 0000 0000 5f5f 6c61 5f73 796d  ........__la_sym
 47 00002e0: 626f 6c5f 7074 7200 5f5f 4441 5441 0000  bol_ptr.__DATA..
 48 00002f0: 0000 0000 0000 0000 1010 0000 0100 0000  ................
 49 0000300: 0800 0000 0000 0000 1010 0000 0300 0000  ................
 50 0000310: 0000 0000 0000 0000 0700 0000 0300 0000  ................
 51 0000320: 0000 0000 0000 0000 1900 0000 4800 0000  ............H...
 52 0000330: 5f5f 4c49 4e4b 4544 4954 0000 0000 0000  __LINKEDIT......

~~**I see!!**~~

:%s/00/&/gn

8803 matches on 551 lines

**I see, I don't get it!**

Find out the file offset

gobjdump -x bin

(Omitted)
Index name size **VMA** LMA **File off** Algn
0 .text 00000062 0000000100000f20 0000000100000f20 00000f20 2**4
(Omitted)
SYMBOL TABLE:
(Omitted)
0000000100000f70 d 24 FUN 01 0000 _superduperUltimateCheckMethod

The important parts are in bold.

Summarizing the results from my environment in a readable form, we get:

VMA = 0000000100000f20
fileOff = 00000f20
targetSymbol = 0000000100000f70

targetOffset = fileOff + (targetSymbol - VMA)

Calculating with this formula in my environment, the result is **f70**.

In other words, **"the offset where the 00 that has to become 01 lives is f70"**.

Now let's actually play with the hex.

vi bin
:%!xxd
:/f70

248 0000f70: 5548 89e5 c645 ff 00 8a45 ff24 010f b6c0 UH...E...E.$....

Found it.

This time the byte to fix is **"00"**, so it's obvious which one.

Change it to **"01"** in vi and save.

248 0000f70: 5548 89e5 c645 ff 01 8a45 ff24 010f b6c0 UH...E...E.$....

:%!xxd -r
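As an added example (not code from the original post), here is a Python script that does the same offset arithmetic and byte patch programmatically, using the two gobjdump -x rows quoted above as constructed input and a constructed stand-in image for the binary; locating the movb by its encoding and checking that the byte really is 00 before overwriting are assumptions I added, not steps from the post.

```python
# Constructed sample: the two `gobjdump -x` rows from this post that matter
# (the .text row of the section table and the symbol table row of the function).
SECTION_ROW = "0 .text 00000062 0000000100000f20 0000000100000f20 00000f20 2**4"
SYMBOL_ROW = "0000000100000f70 d 24 FUN 01 0000 _superduperUltimateCheckMethod"

# movb $imm8,-0x1(%rbp) is encoded as c6 45 ff <imm8>; the immediate is the 4th byte.
MOVB_RBP_MINUS1 = b"\xc6\x45\xff"


def parse_section(row):
    """Return (VMA, File off) from a section row: idx name size VMA LMA fileoff algn."""
    f = row.split()
    return int(f[3], 16), int(f[5], 16)


def parse_symbol(row):
    """Return the address in the first column of a symbol table row."""
    return int(row.split()[0], 16)


def target_offset(vma, file_off, symbol_addr):
    """The post's formula: targetOffset = fileOff + (targetSymbol - VMA)."""
    return file_off + (symbol_addr - vma)


def immediate_offset(image, func_off, window=32):
    """File offset of the imm8 of the first movb ...,-0x1(%rbp) after func_off (assumption)."""
    idx = image.find(MOVB_RBP_MINUS1, func_off, func_off + window)
    if idx < 0:
        raise ValueError("movb $imm8,-0x1(%rbp) not found in function")
    return idx + len(MOVB_RBP_MINUS1)


def patch_byte(image, offset, expected, new):
    """Overwrite one byte, but only if the byte currently there is the one we expect."""
    if image[offset] != expected:
        raise ValueError(f"byte at {offset:#x} is {image[offset]:#04x}, not {expected:#04x}")
    image[offset] = new
    return image


def build_sample_image():
    """Constructed stand-in for the binary: zeros, with the post's 16 bytes placed at 0xf70."""
    image = bytearray(0x1000)
    image[0xF70:0xF80] = bytes.fromhex("554889e5c645ff008a45ff24010fb6c0")
    return image


def patch_sample():
    """Run the whole procedure on the sample image; returns (func_off, imm_off, image)."""
    vma, file_off = parse_section(SECTION_ROW)
    func_off = target_offset(vma, file_off, parse_symbol(SYMBOL_ROW))  # 0xf70
    image = build_sample_image()
    imm_off = immediate_offset(image, func_off)                         # 0xf77
    patch_byte(image, imm_off, expected=0x00, new=0x01)
    return func_off, imm_off, image
```

To apply this to a real file, read it into a bytearray in place of build_sample_image() and write the patched bytes back.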

Let's check what we changed.

gobjdump -d bin

(Omitted)
0000000100000f70 <_superduperUltimateCheckMethod>:
(Omitted)
100000f74: c6 45 ff 01    movb $0x1,-0x1(%rbp)    // It has changed to **$0x1** properly!!

Bang.

./bin

;D

**It's smiling...**

Reference: http://dev.ariel-networks.com/wp/archives/1107
