[HELP!] Re-compile ELF executable

guferr · Post by **guferr** » Sat Aug 27, 2011 6:02 pm

Hi, i have a little question:
I need to change something on the code of an ELF file, but i don`t have the source code of it, so i disassembled it on ida pro free, but i didn`t found any compiler that uses the same syntax of the disassembled source code made by ida pro free.
In short, what i need is an way to disassemble the ELF executable, edit it and then compile it again.
Thanks by the help.

Obs.: The kernel version is 2.4.20-8smp (RHL 9) and the processor type is i686.

Combuster · Post by **Combuster** » Sun Aug 28, 2011 4:44 am

you can disassemble using objdump, afterwards you can filter the assembly through a filter to remove the offsets and data bytes and reassemble. The biggest problem you will get is that you need to keep all pointer offsets intact, as well as function and section sizes, so it might be easier to just hack the ELF file and add an additional code section at the end. You can then replace the first 5 bytes of the functions you want to change with a hardcoded jump into that section.

Point is that existing tools are not at all designed to support what you are doing, since you need to keep everything (including symbol and relocation/dynamic linking tables) intact except for a very specific portion of a binary. The process you mentioned is typically performed by virus software and other hacking/patching tools so you may want to use that as a starting point for further searches.

guferr · Post by **guferr** » Sun Aug 28, 2011 9:10 am

Yes, i understood, but the question is that the file is 423Kb long, and the disassembled code gets so big that it's crashing any text editor program to wich i try to copy it (word, notepad etc.)
So i'm having troubles to edit it.
And wich compiler can create ELF files? i think that the nasm can't.
And you said that i must do a hardcoded jump, but all that i wanna do is disable the function, i mean, skip it, so i just have to jump to its end.

Brynet-Inc · Post by **Brynet-Inc** » Sun Aug 28, 2011 10:14 am

guferr · Post by **guferr** » Mon Aug 29, 2011 1:37 pm

I'm still waiting the answer...
Anyone have any idea of how to tranform the disassembled code in a .txt file without copying it to an text editor?
The disassembled code is getting so big, that it's crashing all text editors.
My computer have 1.5Gb of RAM memory + 2Gb of virtual memory, and a optimized S.O., the disassembled code fits in the memory, so the problem isn't the clipboard size.
I already have tryed to copy it, quit ida pro and then place it in the text editor, but it still crashes.
I did let the text editor opened by 3 hours after copying and it didn't respond anymore.

guferr · Post by **guferr** » Wed Aug 31, 2011 9:46 am

I used Objdump with the option "-D" and it disassembled almost instantly, but then i remembered that the file has a lot of zeroes, so i used the option "-zD" to disassemble the zeroes too, but then i left it disassembling by 16 hours and nothing, so i canceled it, and after canceling the disassembled file was 101Mb long! Note that the original file was just 438Kb long.
Is possible that the file have some trick to fool objdump?
And is there any compiler that uses the same syntax of objdump? Also, I did not find the filter options in Objdump.

OSDev.org

[HELP!] Re-compile ELF executable

[HELP!] Re-compile ELF executable

Re: Re-compile ELF executable

Re: Re-compile ELF executable

Re: Re-compile ELF executable

Re: Re-compile ELF executable

Re: [HELP!] Re-compile ELF executable