elf magic: elf header corruption (section information)
[ nonsense ]
steph already has a boyfriend and xiao long nu is about to marry another man. *sigh* my heart will explode anytime soon.
[ back to topic ]
solved two crackmes.
cli3nt’s mycrk
intsig’s Easy_Math
the second crackme (easymath) is quite interesting! as reported by the file command, it has a corrupted section header size, outlined below:
steph@heaven ~/git/reverse/easymath $ file easymath
easymath: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.0, \
dynamically linked (uses shared libs), corrupted section header size

steph@heaven ~/git/reverse/easymath $ readelf -h easymath
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048380
  Start of program headers:          52 (bytes into file)
  Start of section headers:          0 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         7
  Size of section headers:           0 (bytes)
  Number of section headers:         0
  Section header string table index: 0
unfortunately, i can't find articles/essays outlining elf header corruption in detail. from the dump above, i saw that the section header offset (e_shoff), entry size (e_shentsize), count (e_shnum) and string table index (e_shstrndx) are all set to zero. so after i made my reconstruction program, i made another program that corrupts the relevant elf header fields.
/* a simple elf header corruption program
 * nullifies the section information of an elf binary
 * to break some disassemblers.
 *
 * tested with :
 * GNU objdump 2.15.92.0.2 20040927
 * GNU gdb 6.4
 * ldasm 0.04
 *
 * cheers,
 * - niel
 */
#include <elf.h>
#include <fcntl.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

Elf32_Ehdr *ehead;

int main(int t, char **c)
{
    int bin;
    int bytes;

    if (t < 2) {
        printf("usage: %s <elf-file>\n", *c);
        goto quit;
    }
    if ((bin = open(c[1], O_RDWR)) == -1) {
        printf("error : %s\n", strerror(errno));
        goto quit;
    }
    ehead = (Elf32_Ehdr *) malloc(sizeof(Elf32_Ehdr));
    bytes = read(bin, ehead, sizeof(Elf32_Ehdr));
    printf("read: %d bytes from %s\n", bytes, c[1]);
    /* just a magic number check: any wrong byte of \x7fELF means not an ELF */
    if (bytes != sizeof(Elf32_Ehdr)
        || ehead->e_ident[0] != 0x7f || ehead->e_ident[1] != 0x45
        || ehead->e_ident[2] != 0x4c || ehead->e_ident[3] != 0x46) {
        printf("not an ELF file. quitting...\n");
        goto clean;
    }
    /* the four section header fields that are about to be zeroed */
    printf("e_shoff: %u\n", ehead->e_shoff);
    printf("e_shentsize: %u\n", ehead->e_shentsize);
    printf("e_shnum: %u\n", ehead->e_shnum);
    printf("e_shstrndx: %u\n", ehead->e_shstrndx);
    ehead->e_shoff = 0;
    ehead->e_shentsize = 0;
    ehead->e_shnum = 0;
    ehead->e_shstrndx = 0;
    /* rewind and write the patched header back over the original one */
    if (lseek(bin, 0, SEEK_SET) == -1) {
        printf("error : %s\n", strerror(errno));
        goto clean;
    }
    bytes = write(bin, ehead, sizeof(Elf32_Ehdr));
    printf("wrote: %d bytes to %s\n", bytes, c[1]);
clean:
    free(ehead);
    close(bin);
quit:
    return 0;
}
tested it out on my crackme reconstruction and it manages to work somehow.
steph@heaven ~/git/null/c/elf-corruption $ ./elfcorrupt easymath-recon
read: 52 bytes from easymath-recon
e_shoff: 3528
e_phentsize: 40
e_shstrndx: 32
e_shoff: 29
wrote: 52 bytes to easymath-recon

steph@heaven ~/git/null/c/elf-corruption $ objdump -d easymath-recon
hello: file format elf32-i386

lida has resistance against elf corruption and is able to disassemble "easymath-recon" correctly. i've also tried using ida pro 4.1 and it wouldn't disassemble. will try out on higher IDA pro versions...
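an added check, not part of the original post or the crackme: given a file image in memory it tells a zeroed section table (what the program above leaves behind, and what readelf showed for easymath) from a table whose fields disagree with each other or with the file size. the header it builds for testing copies the fixed fields of the readelf dump above; check_elf32_sections, classify_sample and the 8 KiB zero-filled image are my own constructions.

```c
#include <elf.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
enum { SH_NOT_ELF = -1, SH_OK = 0, SH_STRIPPED = 1, SH_INCONSISTENT = 2 };

/* SH_STRIPPED: all four section fields are zero, the state the corruption
 * program above leaves. The binary still loads, since the kernel only reads
 * program headers; that is why it runs while section-driven tools give up.
 * SH_INCONSISTENT: non-zero fields that disagree with each other or the size. */
int check_elf32_sections(const unsigned char *buf, size_t len)
{
    Elf32_Ehdr eh;
    if (len < sizeof eh || memcmp(buf, ELFMAG, SELFMAG) != 0 ||
        buf[EI_CLASS] != ELFCLASS32)
        return SH_NOT_ELF;
    memcpy(&eh, buf, sizeof eh);                 /* copy avoids unaligned access */
    if (eh.e_shoff == 0 && eh.e_shentsize == 0 && eh.e_shnum == 0 &&
        eh.e_shstrndx == 0)
        return SH_STRIPPED;
    if (eh.e_shentsize != sizeof(Elf32_Shdr) || eh.e_shoff < sizeof eh)
        return SH_INCONSISTENT;
    if ((uint64_t)eh.e_shoff + (uint64_t)eh.e_shnum * eh.e_shentsize > len)
        return SH_INCONSISTENT;                  /* table runs past end of file */
    if (eh.e_shstrndx != SHN_UNDEF && eh.e_shstrndx >= eh.e_shnum)
        return SH_INCONSISTENT;                  /* string table index out of range */
    return SH_OK;
}

/* Constructed sample, not a real binary: an 8 KiB zero-filled image whose header
 * copies the fixed fields of the readelf dump above (ET_EXEC, EM_386, entry
 * 0x8048380, 7 program headers at offset 52); section fields come from the caller. */
int classify_sample(Elf32_Off shoff, Elf32_Half shentsize, Elf32_Half shnum,
                    Elf32_Half shstrndx)
{
    static unsigned char img[8192];
    Elf32_Ehdr eh;
    memset(img, 0, sizeof img);
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS32; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT; eh.e_version = EV_CURRENT;
    eh.e_type = ET_EXEC; eh.e_machine = EM_386; eh.e_entry = 0x8048380;
    eh.e_phoff = 52; eh.e_phentsize = sizeof(Elf32_Phdr); eh.e_phnum = 7;
    eh.e_ehsize = sizeof eh; eh.e_shoff = shoff; eh.e_shentsize = shentsize;
    eh.e_shnum = shnum; eh.e_shstrndx = shstrndx;
    memcpy(img, &eh, sizeof eh);
    return check_elf32_sections(img, sizeof img);
}
```

the reconstruction's own values (3528, 40, 32, 29) come back as SH_OK, while the header the corruption program writes comes back as SH_STRIPPED.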

hi neil!!! ehehehe.. how are u na?? nice blogggg!!! guess daw tu kien iyo??? ehehehehehe… i was surfin friendster den saw ur profile.. ehehehe guess daw???
^Veaniz^^ here!!!/.. take care!!
Comment by guess who — June 15, 2006 @ 6:32 pm
yeah! i still remember you miss vea.
me? hmm.. same old same old. bitter and lonely. :p thanks for dropping by my dear.
Comment by sleepy jenkins — June 16, 2006 @ 5:11 am