0x04. Transform exe into lib
Sometimes we need to fuzz an internal function on its own. That means bypassing the input-checking logic that guards it and calling the function inside the executable directly. One option is to execute the relevant binary snippet under Unicorn Engine, but the drawbacks are obvious: a lot of surrounding code has to be patched out, and debugging the result is painful. With elfspirit we can instead export the internal function and turn the executable into a library file.

For example, in the following program the flag is printed only when both the correct username and the correct password are entered.
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Target of the exercise: returns 1 only for the hard-coded username. */
int check_username(char* input) {
    if (strcmp(input, "tom"))
        return 0;
    else
        return 1;
}

/* The function we want to reach without going through main(). */
int check_password(char* input) {
    if (strcmp(input, "654321"))
        return 0;
    else
        return 1;
}

int main(int argc, char** argv) {
    if (argc != 3) {
        printf("Usage: %s username password\n", argv[0]);
        exit(-1);
    }
    if (!check_username(argv[1])) {
        printf("Wrong username!\n");
    } else {
        if (!check_password(argv[2])) {
            printf("Wrong password!\n");
        } else {
            printf("flag{xxx}!\n");
        }
    }
    return 0;
}
```

The program checks the username first; if it is wrong, the password is never checked at all. So how do we call check_password directly?
Today's ELF programs are often stripped, so there is no symbol table to tell us where check_password lives. In IDA's disassembly window, however, we can see that the function starts at 0x119d.

```shell
$ elfspirit exe2so -s"check_password" -m0x119d -z0x34 crackme.bin
```

Here -s names the symbol to export, -m gives its address and -z its size in bytes (0x34, also read off the disassembly). dlsym resolves names through the dynamic symbol table, so the function has to be exported there under a name before a harness can find it. In fact, a position-independent executable and a library file are indistinguishable by ELF file type: both have e_type ET_DYN, "shared object".

Neither the dynamic linker nor the file command tells an executable from a library by the ELF file type. They look at the DT_FLAGS_1 entry of the .dynamic section, specifically its DF_1_PIE bit (0x8000000): with the bit set, file reports "pie executable" and recent glibc versions of dlopen refuse to load the object at all.
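To see exactly which bit is in play, here is an added example (not part of elfspirit) that walks the PT_DYNAMIC segment of an ELF64 image, reports whether DT_FLAGS_1 carries DF_1_PIE, and can clear it in place, which is the same edit elfspirit performs. It also builds a constructed minimal image so the parser can be exercised without a real binary; the image is not loadable and exists only for that purpose. Run it on crackme.bin before and after the elfspirit edit to confirm the flag changes.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef DF_1_PIE
#define DF_1_PIE 0x08000000   /* older elf.h headers lack this bit */
#endif

/* Walk the PT_DYNAMIC segment of a little-endian ELF64 image held in `buf`
 * and return the entry with tag `tag`, or NULL if the image is not ELF64,
 * has no dynamic segment, is truncated, or lacks that tag. */
static Elf64_Dyn *find_dyn(uint8_t *buf, size_t len, int64_t tag) {
    if (len < sizeof(Elf64_Ehdr) || memcmp(buf, ELFMAG, SELFMAG) != 0 ||
        buf[EI_CLASS] != ELFCLASS64 || buf[EI_DATA] != ELFDATA2LSB)
        return NULL;
    Elf64_Ehdr *eh = (Elf64_Ehdr *)buf;
    if (eh->e_phoff > len || (uint64_t)eh->e_phnum * sizeof(Elf64_Phdr) > len - eh->e_phoff)
        return NULL;
    Elf64_Phdr *ph = (Elf64_Phdr *)(buf + eh->e_phoff);
    for (int i = 0; i < eh->e_phnum; i++) {
        if (ph[i].p_type != PT_DYNAMIC) continue;
        if (ph[i].p_offset > len || ph[i].p_filesz > len - ph[i].p_offset) return NULL;
        Elf64_Dyn *dyn = (Elf64_Dyn *)(buf + ph[i].p_offset);
        size_t n = ph[i].p_filesz / sizeof(Elf64_Dyn);
        for (size_t j = 0; j < n && dyn[j].d_tag != DT_NULL; j++)
            if (dyn[j].d_tag == tag) return &dyn[j];
        return NULL;
    }
    return NULL;
}

/* 1 if DT_FLAGS_1 has DF_1_PIE set (treated as a PIE executable), 0 if the
 * bit is clear (a plain shared object), -1 if there is no DT_FLAGS_1 entry. */
int pie_flag(uint8_t *buf, size_t len) {
    Elf64_Dyn *d = find_dyn(buf, len, DT_FLAGS_1);
    if (!d) return -1;
    return (d->d_un.d_val & DF_1_PIE) ? 1 : 0;
}

/* Clear DF_1_PIE in place: 1 if cleared, 0 if already clear, -1 if absent. */
int clear_pie_flag(uint8_t *buf, size_t len) {
    Elf64_Dyn *d = find_dyn(buf, len, DT_FLAGS_1);
    if (!d) return -1;
    if (!(d->d_un.d_val & DF_1_PIE)) return 0;
    d->d_un.d_val &= ~(uint64_t)DF_1_PIE;
    return 1;
}

/* Constructed sample (not a loadable binary): the smallest ELF64 image with a
 * PT_DYNAMIC segment whose DT_FLAGS_1 is exactly DF_1_PIE.  `out` must be
 * 8-byte aligned.  Returns the image size, or 0 if `cap` is too small. */
size_t build_sample_pie_image(uint8_t *out, size_t cap) {
    size_t need = sizeof(Elf64_Ehdr) + sizeof(Elf64_Phdr) + 2 * sizeof(Elf64_Dyn);
    if (cap < need) return 0;
    memset(out, 0, need);
    Elf64_Ehdr *eh = (Elf64_Ehdr *)out;
    memcpy(eh->e_ident, ELFMAG, SELFMAG);
    eh->e_ident[EI_CLASS] = ELFCLASS64;
    eh->e_ident[EI_DATA] = ELFDATA2LSB;
    eh->e_ident[EI_VERSION] = EV_CURRENT;
    eh->e_type = ET_DYN;               /* identical e_type for PIE and library */
    eh->e_machine = EM_X86_64;
    eh->e_version = EV_CURRENT;
    eh->e_phoff = sizeof(Elf64_Ehdr);
    eh->e_ehsize = sizeof(Elf64_Ehdr);
    eh->e_phentsize = sizeof(Elf64_Phdr);
    eh->e_phnum = 1;
    Elf64_Phdr *ph = (Elf64_Phdr *)(out + eh->e_phoff);
    ph->p_type = PT_DYNAMIC;
    ph->p_offset = eh->e_phoff + sizeof(Elf64_Phdr);
    ph->p_filesz = 2 * sizeof(Elf64_Dyn);
    Elf64_Dyn *dyn = (Elf64_Dyn *)(out + ph->p_offset);
    dyn[0].d_tag = DT_FLAGS_1;
    dyn[0].d_un.d_val = DF_1_PIE;
    dyn[1].d_tag = DT_NULL;
    return need;
}

/* CLI: report the flag for a real file; with --clear, rewrite the file. */
int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s <elf64-file> [--clear]\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END);
    size_t size = (size_t)ftell(f);
    rewind(f);
    uint8_t *buf = malloc(size ? size : 1);
    if (!buf || fread(buf, 1, size, f) != size) { perror("read"); return 1; }
    fclose(f);
    printf("DF_1_PIE: %d\n", pie_flag(buf, size));
    if (argc > 2 && strcmp(argv[2], "--clear") == 0 && clear_pie_flag(buf, size) == 1) {
        f = fopen(argv[1], "wb");
        if (!f || fwrite(buf, 1, size, f) != size) { perror("write"); return 1; }
        fclose(f);
        printf("cleared DF_1_PIE in %s\n", argv[1]);
    }
    free(buf);
    return 0;
}
```

The parser deliberately goes through PT_DYNAMIC rather than the section header table, because section headers are optional at load time and are often stripped or mangled in the kinds of binaries this page is about, while the dynamic linker itself only needs the program headers.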

Therefore, to turn a PIE into a real shared library, the only thing we need to change is that DT_FLAGS_1 entry.
```shell
$ elfspirit edit -L -i20 -j2 -m0 crackme.bin
0x8000000->0x0
```

The tool prints the old and new value: 0x8000000 (DF_1_PIE) becomes 0. Note that -i20 selects the .dynamic entry that holds DT_FLAGS_1 in this particular binary; its position varies from binary to binary, so confirm the index with readelf -d before running the command elsewhere. With just these two commands the function is exported. The harness program then uses dlopen and dlsym to load the converted library and call check_password directly.
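The harness described above, as an added example (not elfspirit's own code or the author's harness): it dlopen()s the converted library, resolves check_password with dlsym(), and feeds it a candidate, skipping main() and the username check entirely. The library name ./crackme.so is an assumption; it stands for whatever the two elfspirit commands produced from crackme.bin. The loader helper also accepts a NULL path, which opens the running program's own scope, so the resolution logic can be checked against libc without the crackme library present.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Signature of the target, as declared in the crackme source. */
typedef int (*check_fn)(char *);

/* Resolve `symbol` from the library at `lib_path` with dlopen/dlsym.
 * A NULL path opens the running program's own global scope (useful for a
 * self-test against libc).  On failure the dlerror() text is printed and
 * NULL is returned.  The handle is deliberately not dlclose()d on success:
 * the returned pointer is only valid while the library stays mapped. */
void *load_function(const char *lib_path, const char *symbol) {
    void *handle = dlopen(lib_path, RTLD_NOW | RTLD_LOCAL);
    if (!handle) {
        fprintf(stderr, "dlopen(%s): %s\n", lib_path ? lib_path : "self", dlerror());
        return NULL;
    }
    dlerror();                       /* clear any stale error before dlsym */
    void *fn = dlsym(handle, symbol);
    const char *err = dlerror();     /* dlsym may legitimately return NULL, so check dlerror */
    if (err) {
        fprintf(stderr, "dlsym(%s): %s\n", symbol, err);
        dlclose(handle);
        return NULL;
    }
    return fn;
}

/* Feed one candidate to check_password() inside `lib_path`.  Returns the
 * target's own verdict (1 = correct, 0 = wrong) or -1 if the library or the
 * symbol is unavailable.  The candidate is copied because the target takes a
 * writable char *, and a fuzzer must never hand it a read-only literal. */
int run_check_password(const char *lib_path, const char *candidate) {
    check_fn check = (check_fn)load_function(lib_path, "check_password");
    if (!check) return -1;
    size_t n = strlen(candidate) + 1;
    char *buf = malloc(n);
    if (!buf) return -1;
    memcpy(buf, candidate, n);
    int verdict = check(buf);
    free(buf);
    return verdict;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <candidate-password> [library]\n", argv[0]);
        return 2;
    }
    /* ./crackme.so is an assumed name for the converted crackme.bin; the
     * leading ./ matters, since a bare name would go through the library
     * search path instead of the current directory. */
    const char *lib = argc > 2 ? argv[2] : "./crackme.so";
    int verdict = run_check_password(lib, argv[1]);
    if (verdict < 0) return 1;
    printf("check_password(\"%s\") = %d\n", argv[1], verdict);
    return verdict ? 0 : 3;
}
```

On glibc older than 2.34 the harness must be linked with -ldl. If dlopen fails with "cannot dynamically load position-independent executable", the DT_FLAGS_1 edit has not been applied to the library. For a real fuzzing loop, resolve the function pointer once and call it per input rather than going through run_check_password each time; dlopen reference-counts the handle, so repeated calls are cheap but still wasteful.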
