Method for rapidly modifying ELF format file

Document No.: 486953 Published: 2022-01-04

Reading note: this technology, "Method for rapidly modifying ELF format file", was designed by 何俭飞 on 2021-09-03. Main content: The invention discloses a method for rapidly modifying an ELF format file: determine the place that needs to be modified; check the size of the original file and make an initial plan for the file sizes; cut the file into 3 files, namely a larger beginning file, a smaller middle file and a larger end file, with the place to be modified in the smaller middle file; modify the smaller middle file, using an editor together with a hexadecimal processing tool to modify the ELF file fragment; reassemble the executable file by assembling the larger beginning file, the larger end file and the modified smaller middle file in their original order and redirecting the output to one file; and check the reassembled file again. With the invention, the source code does not need to be modified or recompiled; directly modifying the ELF file yields the same binary file as modifying the source code and recompiling, which greatly increases the speed of modifying ELF files.

1. A method for rapidly modifying an ELF format file, characterized in that the method comprises the following steps:

step 1, determining the place that needs to be modified: observing the position to be modified using a disassembling tool and technique;

step 2, checking the size of the original file and making an initial plan for the file sizes: planning the sizes of the cut files reasonably according to the offset of the place to be modified and the size of the ELF file;

step 3, cutting the file: cutting out 3 files, namely a larger beginning file, a smaller middle file and a larger end file, wherein the place to be modified is in the smaller middle file;

step 4, modifying the smaller middle file: modifying the ELF file fragment using an editor together with a hexadecimal processing tool;

step 5, reassembling the executable file: after the smaller middle file has been modified, assembling the larger beginning file, the larger end file and the modified smaller middle file again in their original order, and redirecting the output to one file;

step 6, checking the reassembled file again: observing the effect of the modification and the new execution result again with the disassembling tool.

2. The method for rapidly modifying an ELF format file according to claim 1, characterized in that: under the Linux system, the disassembling tool in step 1 is objdump.

3. The method for rapidly modifying an ELF format file according to claim 1, characterized in that: in step 3, the byte copying tool dd under Linux is used to read the specified number of bytes to cut the file.

4. The method for rapidly modifying an ELF format file according to claim 1, characterized in that: under the Linux system, the editor in step 4 is vim, and the hexadecimal processing tool is xxd.

5. The method for rapidly modifying an ELF format file according to claim 1, characterized in that: the ELF file fragment in step 4 is displayed in the form of assembly code when opened using vim + xxd.

Technical Field

The invention relates to the technical field of communication, in particular to a method for quickly modifying an ELF format file.

Background

Under Unix and Linux systems, the ELF (Executable and Linkable Format) file format is very widely used; it serves for binary files, object code, executable files, shared libraries, core dump files, and the like.

Generally, when an ELF format file needs to be modified, the corresponding source code needs to be modified and then recompiled to obtain the modified ELF file.

In the prior art, the ELF format file is modified by modifying the source code and recompiling, and the method has the following disadvantages:

(1) compilation takes a long time: after some source files are modified, recompilation consumes a lot of time, usually several hours;

(2) for some ELF files the source code is not available, so they cannot be compiled;

therefore, a method for rapidly modifying an ELF format file is a problem to be solved urgently.

Disclosure of Invention

The technical problem to be solved by the invention is to obtain, by directly modifying the ELF file and without modifying the source code or recompiling, the same binary file that modifying the source code and recompiling would produce.

In order to solve the technical problems, the technical scheme provided by the invention is as follows: a method for rapidly modifying an ELF format file comprises the following steps:

step 1, determining the place that needs to be modified: observing the position to be modified using a disassembling tool and technique;

step 2, checking the size of the original file and making an initial plan for the file sizes: planning the sizes of the cut files reasonably according to the offset of the place to be modified and the size of the ELF file;

step 3, cutting the file: cutting out 3 files, namely a larger beginning file, a smaller middle file and a larger end file, wherein the place to be modified is in the smaller middle file;

step 4, modifying the smaller middle file: modifying the ELF file fragment using an editor together with a hexadecimal processing tool;

step 5, reassembling the executable file: after the smaller middle file has been modified, assembling the larger beginning file, the larger end file and the modified smaller middle file again in their original order, and redirecting the output to one file;

step 6, checking the reassembled file again: observing the effect of the modification and the new execution result again with the disassembling tool.

As an improvement, under the Linux system, the disassembling tool in the step 1 is objdump.

As an improvement, in the step 3, a byte copying tool dd under Linux is used to read a specified number of bytes for file cutting.

As an improvement, under the Linux system, the editor in step 4 is vim, and the hexadecimal processing tool is xxd.

As an improvement, the ELF file fragment in the step 4 is displayed in the form of assembly code when being opened by using vim + xxd.

Compared with the prior art, the invention has the advantages that: according to the invention, the source code is not required to be modified, the recompilation is not required, and the binary file which is the same as the source code modification and the recompilation can be obtained by directly modifying the ELF file, so that the speed of modifying the ELF file is greatly improved.

Detailed Description

The working principle of the invention is as follows:

When the change to be made to the binary file is relatively simple, for example changing "b-12" to "b-6" somewhere, the binary file can be modified directly using vim, xxd and a knowledge of assembly.

Here vim is used to load the binary file, xxd is used to modify the data, and finally vim is used to save the file.

This works smoothly for a small binary file, but once the binary file is large, for example 100MB+, working on it directly with vim and xxd becomes very sluggish; in that case dd can be used to cut the file first, a part of the cut file is then modified, and finally cat or dd is used to join the files together again and the "x" (execute) permission is added.

Generally, the data to be modified is located in the middle of the file rather than at the beginning or the end, so the file is generally cut into 3 smaller files, and the modification is made in one of the cut files.

The method for rapidly modifying an ELF format file according to the present invention is described in further detail below.

A method for rapidly modifying an ELF format file comprises the following steps:

step 1, determining the place that needs to be modified:

an ELF file is a binary file, not a source code file; it is compiled from source code files by a compiler, so disassembling techniques and tools are needed to observe the place to be modified; under Linux the most common disassembling tool is objdump, and the objdump output makes it easier to determine the position of the code to be modified;

step 2, checking the size of the original file and making an initial plan for the file sizes:

after the code to be modified has been determined, the size of the ELF file is checked, and the sizes of the cut files are planned reasonably according to the offset of the place to be modified and the size of the ELF file; the ELF file is cut because ELF files are generally large, and opening one directly in an editor makes the editor very sluggish and hard to work with;

step 3, cutting the file:

after the file sizes have been planned, the byte copying tool dd under Linux can be used to read the specified number of bytes and cut the file; generally 3 files are cut out, namely a large beginning file, a small middle file and a large end file, with the part to be modified in the small middle file, so that the editor can work smoothly without stalling;

step 4, modifying the small middle file:

vim is the most commonly used editor under Linux, and together with the hexadecimal processing tool xxd it makes modifying an ELF file fragment convenient; the modification also requires some knowledge of assembly, since the fragment file is displayed in the form of assembly code when opened using vim + xxd;

step 5, reassembling the executable file:

after the small middle file has been modified, the previously cut beginning file, end file and the modified file must be assembled again in order. Suppose the original ELF file is 600 bytes and is cut into 3 files A + B + C, where A is 300 bytes, B is 100 bytes and C is 200 bytes; after file B has been modified, the 3 files A, B (modified) and C must be assembled into one file again in the order A, B, C. The reassembly is done by reading files A, B (modified) and C in sequence and redirecting their output to one file;

step 6, checking the reassembled file again:

for the reassembled file, i.e. the modified ELF file, the effect of the modification and the new execution result can be observed again with the objdump tool.

The specific implementation process of the method for quickly modifying the file in the ELF format comprises the following steps:

1) Prepare an example program: modify_elf_file_test.c (line numbers not included);

2) Compile the program, generating the executable file modify_elf_file_test:

gcc -g3 -O0 -o modify_elf_file_test modify_elf_file_test.c

3) Determine where the modification is needed: change "b-12" to "b-6";

objdump -S modify_elf_file_test | nl

4) checking the original file size, and performing initial file size distribution planning:

size of the original file: 29384 bytes;

offset of the modification: 0x5bb + 0 = 0x5bb = 1467; that is, 1467 bytes in total, 0 to 0x5bb, from the beginning of the file to the end of "00";

size of the part to be modified: generally, 100 bytes are taken;

the remaining file sizes: 29384-;

5) file cutting using dd:

Cut out the first file: 1467 bytes in total, from the start of the file;

dd if=modify_elf_file_test of=part1 ibs=1 count=1467

Cut out the second file: skip the 1467 bytes at the beginning and cut out 100 bytes; this file is only 100 bytes long and is the part to be modified;

dd if=modify_elf_file_test of=part2 ibs=1 obs=1 skip=1467 count=100

Cut out the third file: skip the first (1467 + 100 = 1567) bytes; for this last file no count needs to be given, since dd reads to the end by default;

dd if=modify_elf_file_test of=part3 ibs=1 obs=1 skip=1567

Merge first, then check: the results show that the file size, the md5 value and the result of running the file are all correct.

cat part1 part2 part3 > modify_elf_file_test_MD

md5sum modify_elf_file_test modify_elf_file_test_MD

./modify_elf_file_test

./modify_elf_file_test_MD

6) Modify the middle file part2:

Make a copy first: cp part2 part2.bak

Open the copy directly in vim: vim part2.bak

Switch to the xxd view: :%!xxd -c 16 -g 1

Locate and modify in the xxd view: the "0c" in the file is the data to be changed; the final "0a" is a line feed character that vim adds automatically after opening the file when "set noendofline binary" has not been set, and it is dealt with in a later step;

Change the value of b to 6: that is, change "0c" to "06";

Convert back from the xxd view: :%!xxd -r

Save in vim: after saving, the file is found to be one byte longer, and that byte is the line feed character "0a". Note here that the "100" shown on the previous line is one byte short, i.e. "101" bytes are output, because it is the new file size minus "1" and not the true output result.

Remove the line feed character "0a":

dd if=part2.bak of=part2.bak.new ibs=1 obs=1 count=100

7) Reassemble the executable file: the results show that it runs correctly, and modify_elf_file_test_MD_new is the new ELF file;

cat part1 part2.bak.new part3 > modify_elf_file_test_MD_new

ll modify_elf_file_test*

md5sum modify_elf_file_test*

./modify_elf_file_test

./modify_elf_file_test_MD

./modify_elf_file_test_MD_new

8) Check again using "objdump -S modify_elf_file_test_MD_new": the modification is successful;

the symbol information "b-12" still appears in the process; this is because the symbol information has not been updated, and it does not affect the normal execution of the program.
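
The cut, modify, reassemble and check sequence above as a single script, given as an added example and not code from the patent. The helper name patch_byte and its arguments are assumptions; it swaps the vim + xxd edit for a one-byte dd write, and it checks that the target byte holds the expected value before patching and that the result differs from the original in exactly that one byte.

```shell
#!/bin/sh
# Added example (not from the patent). patch_byte is a hypothetical helper:
#   patch_byte FILE OFFSET OLD_HEX NEW_HEX OUT
patch_byte() {
    src=$1; off=$2; old=$3; new=$4; out=$5
    mid=100                                   # middle-part size used in the text
    size=$(wc -c < "$src") || return 1
    [ "$off" -lt "$size" ] || { echo "offset past end of file" >&2; return 1; }
    start=$(( off > mid / 2 ? off - mid / 2 : 0 ))  # target sits inside part2
    tmp=$(mktemp -d) || return 1

    # Cut: part1 = [0,start), part2 = [start,start+mid), part3 = the rest.
    dd if="$src" of="$tmp/part1" ibs=1 count="$start" 2>/dev/null
    dd if="$src" of="$tmp/part2" ibs=1 skip="$start" count="$mid" 2>/dev/null
    dd if="$src" of="$tmp/part3" ibs=1 skip=$(( start + mid )) 2>/dev/null

    # Refuse to patch unless the target byte holds the expected old value.
    rel=$(( off - start ))
    cur=$(dd if="$tmp/part2" ibs=1 skip="$rel" count=1 2>/dev/null |
          od -An -tx1 | tr -d ' \n')
    if [ "$cur" != "$old" ]; then
        echo "expected $old at offset $off, found $cur" >&2
        rm -rf "$tmp"; return 1
    fi

    # One-byte overwrite; conv=notrunc keeps part2 at its original length,
    # so there is no trailing 0a to trim as there is after the vim save.
    printf "\\$(printf '%03o' "0x$new")" |
        dd of="$tmp/part2" obs=1 seek="$rel" conv=notrunc 2>/dev/null

    cat "$tmp/part1" "$tmp/part2" "$tmp/part3" > "$out"
    chmod +x "$out"        # redirected output loses the "x" permission
    rm -rf "$tmp"

    # Verify: same size, exactly one changed byte, at OFFSET (cmp -l is 1-based).
    [ "$(wc -c < "$out")" -eq "$size" ] || return 1
    diffs=$(cmp -l "$src" "$out" | awk '{print $1}')
    [ "$diffs" = "$(( off + 1 ))" ]
}
```

For the example in the text the call would be `patch_byte modify_elf_file_test <offset of the 0c byte> 0c 06 modify_elf_file_test_MD_new`, with the offset taken from the objdump step.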

The present invention and its embodiments have been described above without limitation; those skilled in the art should understand that the present invention is not limited to these embodiments, including embodiments devised without inventive design that do not depart from the spirit of the present invention.
