
I have the following ASM code from a simple obfuscated C program given to me as an assignment.

   0x00000000004006a0 <+147>:   lea    -0x20(%rbp),%rax
   0x00000000004006a4 <+151>:   mov    %rdx,%rsi
   0x00000000004006a7 <+154>:   mov    %rax,%rdi
   0x00000000004006aa <+157>:   callq  0x400713 <SECRET>   <======
   0x00000000004006af <+162>:   movl   $0x0,-0x24(%rbp)
   0x00000000004006b6 <+169>:   jmp    0x4006d8 <main+203>
   0x00000000004006b8 <+171>:   mov    -0x24(%rbp),%eax

The goal is to find and remove a function (patch the program binary) that is causing a Segmentation Fault. I have found what function is causing the segfault, but I don't know how to patch the binary.

My problem is how to patch

 0x00000000004006aa <+157>:   callq  0x400713 <SECRET>

so that I won't call the SECRET function.

If I use gdb to skip/jump SECRET by modifying the program counter while single-stepping at run-time, the program finishes execution and gives me the output I want.

What I want is a permanently-modified copy of the executable binary file that always skips without using a debugger.

Peter Cordes
Lum Zhaveli
  • Is there a way to skip it or jump over it when I execute the program without gdb? – Lum Zhaveli Sep 16 '16 at 21:06
  • Skipping over it in GDB doesn't count as solving your assignment, but yes, gdb can jump wherever you want. Check the gdb manual. You could even overwrite the `call` instruction with NOPs during that debugging session. If this is something like a binary bomb-lab assignment, you're supposed to give it different input so execution never reaches that block. – Peter Cordes Sep 16 '16 at 21:07
  • Yes, I can do that with the program counter; however, I am looking for a way to edit the binary and remove that function call and save the patched file. – Lum Zhaveli Sep 16 '16 at 21:08
  • Don't remove it, just overwrite the address. – Jose Manuel Abarca Rodríguez Sep 16 '16 at 21:09
  • @JoseManuelAbarcaRodríguez: If you overwrite the address but not the opcode, it will still CALL somewhere. Much easier to NOP-out the whole call. – Peter Cordes Sep 16 '16 at 21:10
  • Can you please tell me how to do it? For me it is the first time using GDB and I am still a bit lost in it. I am sorry. – Lum Zhaveli Sep 16 '16 at 21:10
  • That's the idea, call anyway, but call where you want to. – Jose Manuel Abarca Rodríguez Sep 16 '16 at 21:10
  • GDB can't edit the permanent copy of the binary on disk. Do you just want to modify the machine code in-memory for this run of the program? Otherwise, this sounds like [an X-Y problem](http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem), and you actually want a hex editor. Post more of the exact wording of your assignment, because you're not making it clear what you're supposed to be doing. – Peter Cordes Sep 16 '16 at 21:10
  • I need to modify that line and overwrite the address so I will have a patch and save it. Is this somehow the right command to change the address: `set {unsigned char}0x804856f = 0x7f`? – Lum Zhaveli Sep 16 '16 at 21:14
  • Something like that could modify the in-memory image, but gdb won't help you much in creating a patch. Do you literally need a binary patch? Or is it ok to have a modified copy of the whole binary? Either way, you should use a hex editor. There are some that include an assembler / disassembler, so you can more easily find the asm instruction you want to patch. – Peter Cordes Sep 16 '16 at 21:23
  • I need to submit the modified copy of the whole binary. I downloaded GHex but it doesn't include an assembler. Is there a good one that I can use? – Lum Zhaveli Sep 16 '16 at 21:30
  • You don't actually *need* an editor that understands asm, you can just hex-edit the binary. See this answer explaining what's what in an ELF executable. http://stackoverflow.com/questions/26294034/how-to-make-an-executable-elf-file-in-linux-using-a-hex-editor/30648229#30648229. Also, you should edit your question to ask about what you actually want to do, not the GDB false start. – Peter Cordes Sep 16 '16 at 22:10

1 Answer

I was curious about what else I can do with GDB. I managed to change the assembly with GDB and the patched program is working as it should.

I tried using nop but it didn't work, then I looked into the jump instruction. How my patch works is:

(gdb) set {unsigned char}0x4006aa = 0xEB
(gdb) set {unsigned char}0x4006ab = 0x0C

What I am doing is a short jump. The short jump opcode is EB XX, where XX is the relative jump from the IP / PC. So in this case I have to jump ahead 12 bytes; also, the instruction is 2 bytes, so I write it in consecutive memory locations. I write the new modified binary to the hard drive and everything is great.

It took me a day of experimentation but at the end I learned a lot. :D

Lum Zhaveli