Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Editing ELF binary call instruction

I am playing around with manipulating a binary's call functions. I have the below code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void myfunc2(char *str2, char *str1);

    enter code here

void myfunc(char *str2, char *str1)
{
    memcpy(str2 + strlen(str2), str1, strlen(str1));
}

int main(int argc, char **argv)
{
    char str1[4] = "tim";
    char str2[10] = "hello ";

    myfunc((char *)&str2, (char *)&str1);

    printf("%s\n", str2);

        myfunc2((char *)&str2, (char *)&str1);

    printf("%s\n", str2);

    return 0;
}

void myfunc2(char *str2, char *str1)
{
    memcpy(str2, str1, strlen(str1));
}

I have compiled the binary and using readelf or objdump I can see that my two functions reside at:

46: 000000000040072c 52 FUNC GLOBAL DEFAULT 13 myfunc2**

54: 000000000040064d 77 FUNC GLOBAL DEFAULT 13 myfunc**

Using the command objdump -D test (my binaries name), I can see that main has two callq functions. I tried to edit the first one to point to myfunc2 using the above address 72c, but that does not work; causes the binary to fail.

000000000040069a <main>:
  40069a:   55                      push   %rbp
  40069b:   48 89 e5                mov    %rsp,%rbp
  40069e:   48 83 ec 40             sub    $0x40,%rsp
  4006a2:   89 7d cc                mov    %edi,-0x34(%rbp)
  4006a5:   48 89 75 c0             mov    %rsi,-0x40(%rbp)
  4006a9:   64 48 8b 04 25 28 00    mov    %fs:0x28,%rax
  4006b0:   00 00 
  4006b2:   48 89 45 f8             mov    %rax,-0x8(%rbp)
  4006b6:   31 c0                   xor    %eax,%eax
  4006b8:   c7 45 d0 74 69 6d 00    movl   $0x6d6974,-0x30(%rbp)
  4006bf:   48 b8 68 65 6c 6c 6f    movabs $0x206f6c6c6568,%rax
  4006c6:   20 00 00 
  4006c9:   48 89 45 e0             mov    %rax,-0x20(%rbp)
  4006cd:   66 c7 45 e8 00 00       movw   $0x0,-0x18(%rbp)
  4006d3:   48 8d 55 d0             lea    -0x30(%rbp),%rdx
  4006d7:   48 8d 45 e0             lea    -0x20(%rbp),%rax
  4006db:   48 89 d6                mov    %rdx,%rsi
  4006de:   48 89 c7                mov    %rax,%rdi
  4006e1:   e8 67 ff ff ff          callq  40064d <myfunc>
  4006e6:   48 8d 45 e0             lea    -0x20(%rbp),%rax
  4006ea:   48 89 c7                mov    %rax,%rdi
  4006ed:   e8 0e fe ff ff          callq  400500 <puts@plt>
  4006f2:   48 8d 55 d0             lea    -0x30(%rbp),%rdx
  4006f6:   48 8d 45 e0             lea    -0x20(%rbp),%rax
  4006fa:   48 89 d6                mov    %rdx,%rsi
  4006fd:   48 89 c7                mov    %rax,%rdi
  400700:   e8 27 00 00 00          callq  40072c <myfunc2>
  400705:   48 8d 45 e0             lea    -0x20(%rbp),%rax
  400709:   48 89 c7                mov    %rax,%rdi
  40070c:   e8 ef fd ff ff          callq  400500 <puts@plt>
  400711:   b8 00 00 00 00          mov    $0x0,%eax
  400716:   48 8b 4d f8             mov    -0x8(%rbp),%rcx
  40071a:   64 48 33 0c 25 28 00    xor    %fs:0x28,%rcx
  400721:   00 00 
  400723:   74 05                   je     40072a <main+0x90>
  400725:   e8 f6 fd ff ff          callq  400520 <__stack_chk_fail@plt>
  40072a:   c9                      leaveq 
  40072b:   c3                      retq 

I suspect I need to do something with calculating the address information through relative location or using the lea/mov instructions.

Any assistance to learn how to modify the call function would be greatly appreciated - please no pointers on editing strings like the howtos all over most of the internet...

like image 311
mcdoomington Avatar asked Oct 31 '14 10:10

mcdoomington


1 Answers

In order to rewrite the address, you have to know the exact way the callq instructions are encoded.

Let's take the disassembly output of the first call:

4006e1: e8 67 ff ff ff          callq  40064d <myfunc>
4006e6: ...

You can clearly see that the instruction is encoded with 5 bytes. The e8 byte is the instruction opcode, and 67 ff ff ff is the address to jump to. At this point, one would ask the question, what has 67 ff ff ff to do with 0x40064d?

Well, the answer is that e8 encodes a so-called "relative call" and the jump is performed relative to the location of the next instruction. You have to calculate the distance between 4006e6 and the called function in order to rewrite the address. Had the call been absolute (ff), you could just put the function address in these 4 bytes.

To prove that this is the case, consider the following arithmetic:

0x004006e6 + 0xffffff67 == 0x10040064d
like image 195
Blagovest Buyukliev Avatar answered Oct 11 '22 23:10

Blagovest Buyukliev