
patching hex strings inside binaries with sed.

How do I use sed to open a binary file inside a .app, search for a unique string of hex values, replace them with the new string and then save the binary and exit? I have done a lot of research and I'm stuck.

Ultimately I would like to write this as a script, and below I have written some code as terminal commands that basically doesn't work but represents what I want to happen to the best of my ability.

//binary patcher script attempt

hexdump -ve '1/1 "%.2X"' /Users/MiRAGE/Downloads/MyApp.app/Contents/MacOS/MyApp | \
sed "s/\x48\x85\xc0\x75\x33/\x48\x85\xc0\x74\x33/g" | \
xxd -r -p > /Users/MiRAGE/Downloads/MyApp.app/Contents/MacOS/MyApp.Patched | \
cd /Users/MiRAGE/Downloads/MyApp.app/Contents/MacOS/ | \
mv /Users/MiRAGE/Downloads/MyApp.app/Contents/MacOS/MyApp.Patched /Users/MiRAGE/Downloads/MyApp.app/Contents/MacOS/MyApp | \
sudo chmod u+x /Users/MiRAGE/Downloads/MyApp.app/Contents/MacOS/MyApp

//returns 1 if the string is in the file

xxd -p /Users/MiRAGE/Downloads/MyApp.app/Contents/MacOS/MyApp | tr -d '\n' | grep -c '4885c07533'

(This is not in use in the script at the moment, but I tested it and it does return 1 if the sequence is there, so I thought it would be handy when it comes to the possibility of making these patches into small applications of their own, implementing it by means of something along the lines of :-

'if(xxd -p /Users/MiRAGE/Downloads/MyApp.app/Contents/MacOS/MyApp | tr -d '\n' | grep -c '4885c07533' == 1){runTheRestOfTheScript;
else if (xxd -p /Users/MiRAGE/Downloads/MyApp.app/Contents/MacOS/MyApp | tr -d '\n' | grep -c '4885c07533' == 1){ThrowERROR;'

ok so back to the stuff in the script

//First it dumps the binary's hex information into memory

hexdump -ve '1/1 "%.2X"' /Users/MiRAGE/Downloads/MyApp.app/Contents/MacOS/MyApp | \

//calls sed to find the string of values and replace it with the new one.

sed "s/\x48\x85\xc0\x75\x33/\x48\x85\xc0\x74\x33/g" | \

//saves the new patched file as MyApp.Patched

xxd -r -p > /Users/MiRAGE/Downloads/MyApp.app/Contents/MacOS/MyApp.Patched | \

//cds to the directory of the patched file

cd /Users/MiRAGE/Downloads/MyApp.app/Contents/MacOS/ | \

// renames the file to its original executable name

mv /Users/MiRAGE/Downloads/MyApp.app/Contents/MacOS/MyApp.Patched /Users/MiRAGE/Downloads/MyApp.app/Contents/MacOS/MyApp | \

//sets the new file as executable after a password.

sudo chmod u+x /Users/MiRAGE/Downloads/MyApp.app/Contents/MacOS/MyApp

Now this is my first attempt, and I am aware some of the functions are probably completely wrong. Apart from the fact that it does not do the patching and it deletes the contents of the binary, it works as far as the renaming goes, and hopefully it gives you an overview of how I need the runtime of the script to work.

Now I am a real newbie, but I really need to get this done and I really have no idea what to do.

I need this script to basically work by waiting for the user to point the program in the direction of the file that needs patching (as I'm patching the apps I've made, preferably it would accept dragging of a .app file into the window and find the binary in the macOSX folder by itself; this will come later though, and could also be done in various ways). I then need it to search for the string in the binary and replace it with the edited string, in this case :-

original :- 4885c07533
patched :- 4885c07433 {it's worth mentioning again that this string will always be unique but may vary in length depending on the function that needs patching}

I then need to save it with the same name as the original, which this script handles by saving the patched file with .patched appended and subsequently renaming it accordingly.

It then makes the file executable and exits, leaving the patched .app ready to run.

This method of creating patches would be particularly helpful if, for instance, I notice I have made a mistake in many of my programs. If the function is unique, I could make a single patch that could edit the binaries at the touch of a button while just holding the section of code that is relevant to patch inside.

So, to sum up:

What I am looking for is some way of getting this script working and maybe, if any of you can help, a little advice on turning this into a little application to make my life easier.

Many thanks in advance for any and all help you can offer. I will be checking daily, so if I need to clarify something let me know and I'll be on it in a flash.

MiRAGE

  • possible duplicate of [binary sed replacement](http://stackoverflow.com/questions/2604964/binary-sed-replacement) – Barmar Dec 27 '13 at 02:04
  • I've read it and it's not relevant as far as I can tell – MiRAGE Dec 27 '13 at 02:09
  • I don't think you can do it with ordinary `sed`. It processes files as lines of text. And it most likely uses C strings internally, so 0 bytes will be treated as string terminators, and will cause bytes after them to be lost. – Barmar Dec 27 '13 at 02:14
  • How can I do this? If sed is not the way, I really am at a loss; it seems such an easy thing. Perhaps convert the whole binary to ASCII, process it with sed, convert it back and save as a binary? I've seen programs that have done this sort of patching in the past; I just really want to make one that fits my needs – MiRAGE Dec 27 '13 at 02:34
  • At https://www.macupdate.com/app/mac/21273/autocomplete-always-on! you can find an AppleScript I used to use that patched the WebKit binary (to override web pages with `autocomplete=off`). It uses `perl`. Take a look at how it works. – Barmar Dec 27 '13 at 02:41
  • So you think perl is a step in the right direction. This seems so simple in my head; I just don't know perl and I wish I knew how to code it. It would only be a short script, I'm sure. Edit> please help me code it..... :) – MiRAGE Dec 27 '13 at 03:21
  • Did you take a look at that AppleScript? It shouldn't be hard for you to adapt what it does. – Barmar Dec 27 '13 at 03:22
  • Oh my god, I found a command that works: `perl -pi -e 's/\x48\x85\xc0\x75\x33/\x48\x85\xc0\x74\x33/g' /Users/MiRAGE/Downloads/MY.app/Contents/MacOS/myapp`. Now all I need to do is make it so it asks the user for an input file and deals with the folder hierarchy of the .app file, i.e. MY.app/Contents/resources/macosx/myapp – MiRAGE Dec 27 '13 at 03:29
  • Thank you @Barmar for bringing an end to all my pointless seding around and giving me a perl of a tip :) I guess the question now is how do I turn that command into a script that will request a file to process and then exit with a smile :) – MiRAGE Dec 27 '13 at 03:53
  • Yeah, I just don't know how to add a section that requests the file to be patched. I was thinking of a dialogue like: "please drag My.app into the window" or "insert filepath to My.app here:". Then (this is still at command line level) you would show it which file it was using with one of the above methods and it will do my "is the string present" check. If yes, it will run the script. If no, it will say WRONG FILE! or something suchlike. On completion of the script it will say SUCCESS! – MiRAGE Dec 27 '13 at 04:08
  • How do I get the else if statement to work with my perl routine and the grep command? I've written it like this, but I guess I need it to return its value into an array/register, then do an 'if == 1 {RUNROUTINE}' else if != 1 {ThrowERROR!}. I've written it like this but it's not working out for me – MiRAGE Dec 27 '13 at 23:08

1 Answer


With regards to the sed line

sed "s/\x48\x85\xc0\x75\x33/\x48\x85\xc0\x74\x33/g"

Firstly, you can use sed to change around arbitrary binary - but you should beware newlines. sed processes its inputs always newline separated, so if the value \x0a appears in your string you will have problems.

The following will allow you to consider the entire file as pure binary. (call sed with the -n option so that it won't print out lines after processing them by default).

# First line: copy it into the hold space (a plain H here would leave a stray leading newline)
1h
# Every other line: append it to the hold space
1!H
# On the last line the hold space contains all of the file - now swap pattern and hold space, operate on the pattern space and print the line
${
    # exchange hold and pattern space
    x
    # do substitution
    s/.../.../g
    # print out result, required due to -n option
    p
}

or, more succinctly

sed -n '1h;1!H;${x;s/.../.../g;p;}'

When you append the pattern space to hold space the new line will be inserted - so this circumvents issues with new lines.

Also, in your example you used double quotes for your sed expression. Due to shell escaping rules for backslashes and the nature of sed, I would recommend the use of single quotes to avoid complication. Apologies if it is the case that this is not true for your shell.

Lastly about sed, you should beware of special values contained in the hex. If you escape a byte literal in sed with \x.., the way this is interpreted is by first replacing the escaped byte literal with its value, and then executing the line. Importantly, regex special characters still do what they would do if they weren't escaped.

Example:

sed 's/\x5e\x2f/foo/'
# becomes
substitute pattern '\x5e\x2f' for 'foo'
# becomes
substitute pattern '^/' for 'foo'
# which matches a / at the beginning of a line as opposed to ^/

So the characters to look out for on the left of a substitution are the usual suspects, and beware \x26 (&) on the right hand side of a substitution.

Hopefully that at least clarifies sed's potential role in your script :-).

xyrix
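
A byte-aligned version of the check-then-patch flow discussed in the question and the answer, as an added example (not code from any poster on this page). It searches a spaced hex dump rather than raw bytes, so NUL bytes, newlines and regex metacharacters in the pattern are never interpreted, and it refuses to write unless the original sequence occurs exactly once; the function names `spaced_dump`, `spaced_hex`, `find_hex` and `patch_bytes` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: byte-aligned find/replace in a binary using POSIX tools only.
# Function names are constructed for this example.

# Dump FILE as one line of spaced hex: " 00 0a 48 85 ...". Each byte is " xx",
# so NUL and newline bytes are ordinary tokens and matches stay byte-aligned.
spaced_dump() { od -An -v -tx1 "$1" | tr '\n' ' ' | tr -s ' '; }

# "4885C07533" -> " 48 85 c0 75 33"
spaced_hex() { printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/../ &/g'; }

# Print the file offset of every occurrence of HEX in FILE, one per line.
find_hex() {
    spaced_dump "$1" | awk -v pat="$(spaced_hex "$2")" '{
        s = $0; base = 0
        while ((i = index(s, pat)) > 0) {
            print int((base + i - 1) / 3)   # 3 dump characters per file byte
            base += i; s = substr(s, i + 1)
        }
    }'
}

# patch_bytes FILE ORIG_HEX NEW_HEX
# Returns 0 on success, 1 if ORIG_HEX is not found exactly once, 2 on bad input.
patch_bytes() {
    file=$1 orig=$2 new=$3
    case "$orig$new" in
        ''|*[!0-9a-fA-F]*) echo "hex digits only" >&2; return 2 ;;
    esac
    [ "${#orig}" -eq "${#new}" ] && [ $(( ${#orig} % 2 )) -eq 0 ] ||
        { echo "patterns must have the same, even length" >&2; return 2; }

    set -- $(find_hex "$file" "$orig")      # one positional parameter per match
    [ "$#" -eq 1 ] || { echo "expected 1 match, found $#" >&2; return 1; }

    cp -p "$file" "$file.orig" || return 3  # keep the unpatched copy
    # Emit each replacement byte via an octal escape and overwrite in place;
    # conv=notrunc leaves the rest of the file untouched.
    for b in $(spaced_hex "$new"); do
        printf "\\$(printf '%03o' "0x$b")"
    done | dd of="$file" bs=1 seek="$1" conv=notrunc 2>/dev/null
}
```

Unlike `xxd -p | tr -d '\n' | grep -c`, which reports 1 for any number of matches on its single line and can match across nibble boundaries, `find_hex` only reports whole-byte matches. On macOS, changing bytes in a signed Mach-O invalidates its code signature, so the app needs re-signing afterwards.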