In an executable file of the ELF format it is necessary to replace a text block (the pointer to the encoding type of the router's HTML pages) with a larger block. To do this, the 3 neighboring blocks on the same line need to be shifted to the right. How do I find the position pointers of these blocks and change them?

    2 answers

    Text blocks in an executable elf file are usually stored in the .rodata section (read-only data). Links (pointers) to the starting addresses of the used text blocks are in the .text section, among the instructions. Therefore, if you need to move the beginning of a block (right or left), you need to change the address pointers accordingly.

    This problem often comes up when translating software. For example, the Russian word for “save” is longer than its English equivalent “save”. Between adjacent text blocks there must be a separator (at least one zero byte). If the changed text block fits in the allotted size (with at least one zero byte still left before the next block), there is no problem: you can simply correct it. But if the end of the changed block runs into the beginning of the next (right-hand) position, you will have to change the pointers to that position.

    An example I worked with: an executable elf file, format big endian, processor MIPS32:

             0 1 2 3  4 5 6 7  8 9 A B  C D E F
    4d6a30: 6d696d6f 00000000 73686f77 73734755 mimo....showssGU
    4d6a40: 49000000 64736c56 65727369 6f6e0000 I...dslVersion..
    4d6a50: 68746d6c 63686172 73657400 49534f2d htmlcharset.ISO-
    4d6a60: 38383539 2d310000 4249472d 35000000 8859-1..BIG-5...
    4d6a70: 53757043 484c616e 67000000 636f6e6e SupCHLang...conn
    4d6a80: 65637449 6e666f00 636f6e63 6f756e74 ectInfo.concount
    1. It is necessary to move the “BIG-5” block to the left. To its left there are two zero bytes, so it can be moved. The starting position 4d6a68 should change to 4d6a67. You need to find a pointer to this position in the .text section. You can do this manually (look for the HEX value 6A 68), but it is better to use a disassembler (for example IDA PRO). Disassemble and find the corresponding position in the .rodata section:

      .rodata:004D6A66 byte_4D6A66:   .byte 0                # DATA XREF: cgiGetVar+F8r
      .rodata:004D6A67                .align 2
      .rodata:004D6A68 aBig5:         .ascii "BIG-5"<0>      # DATA XREF: cgiGetVar+C4o
      .rodata:004D6A68                                       # cgiGetVar+C8r ...
      .rodata:004D6A6E                .align 4
      .rodata:004D6A70 aSupchlang:    .ascii "SupCHLang"<0>  # DATA XREF: cgiGetVar+130o
      .rodata:004D6A7A                .align 2

    2. We follow the cross-reference (cgiGetVar+...) and land at the corresponding place in the .text section:

      .text:00489060    la    $v0, 0x4D0000
      .text:00489064    la    $v0, 0x4D0000
      .text:00489068    addiu $v1, $v0, (aBig5 - 0x4D0000)   # "BIG-5"
      .text:0048906C    lw    $v0, (aBig5 - 0x4D0000)($v0)    # "BIG-5"
      .text:00489070    lbu   $a0, (aBig5+5 - 0x4D6A68)($v1)
      .text:00489074    lbu   $v1, (aBig5+4 - 0x4D6A68)($v1)
      .text:00489078    swl   $v0, 0($s1)
      .text:0048907C    swr   $v0, 3($s1)
      .text:00489080    sb    $a0, 5($s1)
      .text:00489084    b     loc_48A190
      .text:00489088    sb    $v1, 4($s1)

    3. Find the corresponding address in a HEX editor. Address 00489068 is searched for as 00089068:

                   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
        00089050  8f 82 8a 1c 8c 43 00 00 24 02 00 01 14 62 00 0b  |.....C..$....b..|
        00089060  8f 82 80 28 8f 82 80 28 24 43 6A 68 8c 42 6a 68  |...(...($Cjh.Bjh|
        00089070  90 64 00 05 90 63 00 04 aa 22 00 00 ba 22 00 03  |.d...c..."..."..|
        00089080  a2 24 00 05 10 00 04 42 a2 23 00 04 8c 43 6a 5c  |.$.....B.#...Cj\|
        00089090  24 42 6a 5c 8c 44 00 04 aa 23 00 00 90 45 00 0a  |$Bj\.D...#...E..|
        000890a0  90 46 00 08 90 42 00 09 ba 23 00 03 aa 24 00 04  |.F...B...#...$..|
        000890b0  ba 24 00 07 a2 25 00 0a a2 26 00 08 10 00 04 34  |.$...%...&.....4|
        000890c0  a2 22 00 09 8f 85 80 28 8f 99 89 cc 02 40 20 21  |.".....(.....@ !|

      IDA PRO adds 4 to the position address, instead of 0 in the usual HEX.

    4. We immediately see two (!) pointers to the corresponding position (D6A68): 24 43 6A 68 8c 42 6a 68. We change both to 24 43 6A 67 8c 42 6a 67. Save the file. You can run it.

    In the given example the file is big endian: the bytes are written in direct order (and without an offset by the header value). If there is an offset, it must be taken into account when searching for and marking positions. If the little endian format is used, the bytes are written in reverse order.

    The article “Working with offsets - expanding horizons!” [Archive] has a similar example, which inspired the change to the elf file.
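As an added worked example (not code from the answer or the asker), the steps above as a Python script: it uses the .rodata and .text bytes from the dumps in the answer, assumes the code reaches the string as $v0 = 0x4D0000 plus a signed 16-bit offset (as the addiu/lw above do), and assumes a PT_LOAD mapping of file offset 0 to 0x400000 for the vaddr-to-file-offset helper (read the real values with readelf -l). It also covers the asker's case of a longer replacement string, refusing the move when it would overrun a neighbouring block or lose the zero separator.

```python
import struct
# Constructed sample taken from the hex dumps in the answer above: .rodata bytes
# at virtual address 0x4D6A30 and .text bytes at 0x489060 (big-endian MIPS32).
RODATA_VADDR = 0x4D6A30
RODATA = bytes.fromhex(
    "6d696d6f 00000000 73686f77 73734755 49000000 64736c56 65727369 6f6e0000"
    "68746d6c 63686172 73657400 49534f2d 38383539 2d310000 4249472d 35000000"
    "53757043 484c616e 67000000 636f6e6e 65637449 6e666f00 636f6e63 6f756e74")
TEXT_VADDR = 0x489060
TEXT = bytes.fromhex(
    "8f828028 8f828028 24436a68 8c426a68 90640005 90630004 aa220000 ba220003"
    "a2240005 10000442 a2230004 8c436a5c 24426a5c 8c440004 aa230000 9045000a")
BASE = 0x4D0000  # value the code keeps in $v0 before adding the 16-bit offset
# MIPS I-type opcodes (top 6 bits) whose low half-word is a signed 16-bit offset
I_TYPE = {0x09: "addiu", 0x0D: "ori", 0x23: "lw", 0x24: "lbu", 0x28: "sb", 0x2B: "sw"}

def move_string(rodata, rodata_vaddr, old_addr, old_s, new_addr, new_s):
    """Replace NUL-terminated old_s at old_addr by new_s at new_addr, refusing to
    clobber a neighbour or lose the zero separator on either side."""
    buf = bytearray(rodata)
    o = old_addr - rodata_vaddr
    if buf[o:o + len(old_s) + 1] != old_s + b"\0":
        raise ValueError("old_s not found at old_addr")
    buf[o:o + len(old_s)] = b"\0" * len(old_s)  # free the old slot first
    n, end = new_addr - rodata_vaddr, new_addr - rodata_vaddr + len(new_s)
    if n < 1 or end >= len(buf) or any(buf[n - 1:end + 1]):  # zeros all around?
        raise ValueError("no room at new_addr without overwriting a neighbour")
    buf[n:end] = new_s
    return bytes(buf)

def find_refs(text, text_vaddr, target, base=BASE):
    """(vaddr, mnemonic) of each I-type instruction whose offset is target-base."""
    want, hits = target - base, []
    for off in range(0, len(text) - 3, 4):
        op = text[off] >> 2  # top 6 bits of the big-endian word
        imm = struct.unpack(">h", text[off + 2:off + 4])[0]
        if op in I_TYPE and imm == want:
            hits.append((text_vaddr + off, I_TYPE[op]))
    return hits

def patch_refs(text, text_vaddr, old_target, new_target, base=BASE):
    """Rewrite every offset that pointed at old_target so it points at new_target."""
    buf = bytearray(text)
    for vaddr, _ in find_refs(text, text_vaddr, old_target, base):
        struct.pack_into(">h", buf, vaddr - text_vaddr + 2, new_target - base)
    return bytes(buf)

def vaddr_to_file_offset(vaddr, seg_vaddr=0x400000, seg_file_off=0):
    """Assumed PT_LOAD map (0x400000 -> file offset 0) behind 00489068 -> 00089068."""
    return vaddr - seg_vaddr + seg_file_off
```

On the sample data find_refs reports exactly the two instructions the answer patches by hand (addiu at 0x489068 and lw at 0x48906C); a real binary may also reference the string through other registers or the GOT, which this scan of fixed-base offsets will not see.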

      You can get the addresses of the sections of an elf file by calling the readelf or objdump command.

      It is relatively difficult to get the addresses of the calls in the code that may use one section or another. To do this, you need to analyze the plt and got tables. To understand exactly how to do this, you need to look at the specification.

      In general, moving and resizing sections is in some cases possible with the objcopy command.

      • @Timur I determined the section (.rodata); I know the address of the beginning of the block. Tell me how to call up the plt/got table please. thanks - Ruslan