Finding integer declared variables in an ELF executable using a hex editor


Problem description


I want to change the value of an integer-declared variable in an executable by using the hex editor only. Suppose I know that there's a variable of type int declared in the code and the variable is this:


int value = 1337;


I want to edit the executable using a hex editor: search for the value 1337 and change it to something else. I tried ghex in Ubuntu but I don't know how to search for it; I converted it to hexadecimal but I didn't find it. Thanks in advance, guys.

Recommended answer


First, you would use readelf to determine the virtual address of the variable (where it lives in memory after the program is loaded). -s will show you the symbol table, and we'll grep for the name of your variable.

readelf -s a.out | grep value


This will output a line that looks like:

    64: 000000000060102c     4 OBJECT  GLOBAL DEFAULT   24 value


So here, the 64th symbol in the file is value. Its load address is 0x60102c, and it's 4 bytes in size. Now we have the virtual address, but this doesn't tell us where it's at in the file. To do that, we need to do three things:

  1. Figure out which section it's in,
  2. Figure out this value's section offset
  3. Add its section offset to that section's file offset, to get your item's actual file offset (the "address" you would see in a hex editor, if you opened the ELF file).


Let's run readelf again; -S will list the sections.

readelf -S a.out


Here's a snippet of the output. Remember the address of our variable is at 60102c, and we're looking for the section where 60102c lies between its Address and its Address + Size. Since this is a read-write variable, we can take a guess that it will be in the .data section.

Section Headers:
  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
  ...
  [21] .dynamic          DYNAMIC          0000000000600e28  00000e28
       00000000000001d0  0000000000000010  WA       6     0     8
  [22] .got              PROGBITS         0000000000600ff8  00000ff8
       0000000000000008  0000000000000008  WA       0     0     8
  [23] .got.plt          PROGBITS         0000000000601000  00001000
       0000000000000028  0000000000000008  WA       0     0     8
  [24] .data             PROGBITS         0000000000601028  00001028
       0000000000000008  0000000000000000  WA       0     0     4
  [25] .bss              NOBITS           0000000000601030  00001030
       0000000000000008  0000000000000000  WA       0     0     4
  [26] .comment          PROGBITS         0000000000000000  00001030
       000000000000002c  0000000000000001  MS       0     0     1


Sure enough, .data lives in memory at 601028 to 601028+8 = 601030. Subtracting value's address from this section's address, we get:

  60102c       Address of `value`
- 601028       Start address of .data section
--------
       4


Thus, value is at offset 4 from the start of the .data section. Now, where in the file is the .data section? That's what the Offset column tells us. .data begins at file offset 1028. Knowing this, we can find the file offset of value:

  1028         File offset of .data section
+    4         Offset of `value` in .data section
-------
  102c         File offset of `value`

We've got our file offset; now let's make sure we know what to expect. Your variable has the value 1337. In hex, that's 0x539. But we need to bring up byte order (or "endianness"). Intel x86 systems are little endian. That means when an integer larger than one byte is stored at an address, the least-significant byte (or "little" end) of the value is at that address, and the remaining bytes are at subsequent (increasing) addresses.


So your 1337 will be stored (as a 4-byte int) in the file like this:

39 05 00 00


On a "big endian" system (e.g. Motorola 68k), the value would be seen in the file in the opposite order:

00 00 05 39

That all said, if you open your ELF file in a hex editor and go to offset 102c, you will see your value:


ELF files have no checksum or CRC, so you should be able to simply edit that value in your hex editor, and it will have the new value when your program executes!
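As an added example (not part of the original answer, and not the asker's a.out): a small Python script that performs the same symbol → section → file-offset computation the answer walks through by hand, by parsing the ELF64 headers with the struct module instead of reading readelf output. It then reads the 4-byte little-endian int at that file offset and writes a patched copy. So that it runs offline, it also builds a constructed minimal ELF image whose numbers mirror the readelf output above (`value` at 0x60102c, 4 bytes, in .data at vaddr 0x601028 / file offset 0x1028, so the file offset comes out as 0x102c). The builder, the function names and that sample image are assumptions for illustration only; the image has no program headers and is not loadable.

```python
import struct

# Elf64_Ehdr, Elf64_Shdr and Elf64_Sym, little-endian (x86-64 layout).
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # e_ident .. e_shstrndx
SHDR = struct.Struct("<IIQQQQIIQQ")         # sh_name .. sh_entsize
SYM = struct.Struct("<IBBHQQ")              # st_name .. st_size
SHT_SYMTAB, SHT_NOBITS = 2, 8


def _cstr(blob, off):
    """NUL-terminated string at `off` inside a string-table blob."""
    return blob[off:blob.index(b"\0", off)].decode()


def sections(data):
    """Parse the section header table (what `readelf -S` prints)."""
    hdr = EHDR.unpack_from(data, 0)
    ident, e_shoff, e_shentsize, e_shnum, e_shstrndx = hdr[0], hdr[6], hdr[11], hdr[12], hdr[13]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    raw = [SHDR.unpack_from(data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    shstr = raw[e_shstrndx]
    names = data[shstr[4]:shstr[4] + shstr[5]]
    return [dict(name=_cstr(names, s[0]), type=s[1], addr=s[3], offset=s[4],
                 size=s[5], link=s[6], entsize=s[9]) for s in raw]


def find_symbol(data, name):
    """Look `name` up in .symtab (what `readelf -s | grep name` does).
    Returns (st_value, st_size, st_shndx)."""
    secs = sections(data)
    for sec in secs:
        if sec["type"] != SHT_SYMTAB:
            continue
        strtab = secs[sec["link"]]                      # sh_link points at the names
        names = data[strtab["offset"]:strtab["offset"] + strtab["size"]]
        for i in range(sec["size"] // sec["entsize"]):
            st_name, _info, _other, shndx, value, size = SYM.unpack_from(
                data, sec["offset"] + i * sec["entsize"])
            if _cstr(names, st_name) == name:
                return value, size, shndx
    raise KeyError(f"symbol {name!r} not found (stripped binary?)")


def symbol_file_offset(data, name):
    """vaddr -> file offset: section file offset + (vaddr - section vaddr)."""
    vaddr, _size, shndx = find_symbol(data, name)
    secs = sections(data)
    if shndx == 0 or shndx >= len(secs):            # SHN_UNDEF / SHN_ABS / SHN_COMMON
        raise ValueError(f"{name} is not backed by a section (shndx={shndx:#x})")
    sec = secs[shndx]
    if sec["type"] == SHT_NOBITS:                     # e.g. .bss: zero-initialised, no bytes on disk
        raise ValueError(f"{name} lives in {sec['name']}, which has no bytes in the file")
    if not sec["addr"] <= vaddr < sec["addr"] + sec["size"]:
        raise ValueError(f"{name} at {vaddr:#x} lies outside {sec['name']}")
    return sec["offset"] + (vaddr - sec["addr"])


def read_int32(data, name):
    return struct.unpack_from("<i", data, symbol_file_offset(data, name))[0]


def patch_int32(data, name, new_value):
    """Return a copy of `data` with the 4-byte int `name` overwritten, little-endian."""
    _vaddr, size, _shndx = find_symbol(data, name)
    if size != 4:
        raise ValueError(f"{name} is {size} bytes, not a 4-byte int")
    off = symbol_file_offset(data, name)
    out = bytearray(data)
    out[off:off + 4] = struct.pack("<i", new_value)
    return bytes(out)


def build_sample_elf():
    """Constructed sample image (an assumption, not a real a.out): .data at
    vaddr 0x601028 / file offset 0x1028 holding `int value = 1337` at 0x60102c."""
    data_off, data_addr = 0x1028, 0x601028
    data_bytes = struct.pack("<ii", 0, 1337)          # `value` is the second int, offset 4
    strtab = b"\0value\0"
    shstrtab = b"\0.data\0.symtab\0.strtab\0.shstrtab\0"
    symtab = SYM.pack(0, 0, 0, 0, 0, 0) + SYM.pack(1, 0x11, 0, 1, 0x60102C, 4)  # GLOBAL OBJECT
    symtab_off = data_off + len(data_bytes)
    strtab_off = symtab_off + len(symtab)
    shstrtab_off = strtab_off + len(strtab)
    shoff = (shstrtab_off + len(shstrtab) + 7) & ~7
    shdrs = b"".join([
        SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
        SHDR.pack(1, 1, 3, data_addr, data_off, len(data_bytes), 0, 0, 4, 0),        # .data  WA
        SHDR.pack(7, SHT_SYMTAB, 0, 0, symtab_off, len(symtab), 3, 1, 8, SYM.size),  # .symtab
        SHDR.pack(15, 3, 0, 0, strtab_off, len(strtab), 0, 0, 1, 0),                 # .strtab
        SHDR.pack(23, 3, 0, 0, shstrtab_off, len(shstrtab), 0, 0, 1, 0),             # .shstrtab
    ])
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\0" * 7     # ELF64, LSB, v1, SysV ABI
    ehdr = EHDR.pack(ident, 2, 0x3E, 1, 0, 0, shoff, 0, EHDR.size, 56, 0, SHDR.size, 5, 4)
    img = bytearray(shoff + len(shdrs))
    for off, blob in ((0, ehdr), (data_off, data_bytes), (symtab_off, symtab),
                      (strtab_off, strtab), (shstrtab_off, shstrtab), (shoff, shdrs)):
        img[off:off + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    import sys
    path, sym = sys.argv[1], sys.argv[2]
    blob = open(path, "rb").read()
    off = symbol_file_offset(blob, sym)
    print(f"{sym}: file offset {off:#x}, bytes {blob[off:off + 4].hex(' ')}, value {read_int32(blob, sym)}")
    if len(sys.argv) > 3:                              # optional new value, e.g. 0x7a69 or 31337
        open(path + ".patched", "wb").write(patch_int32(blob, sym, int(sys.argv[3], 0)))
```

Run it as `python3 elfpatch.py a.out value 31337` to print the offset and write `a.out.patched`. Two of the checks are worth noting: a symbol whose section is NOBITS (.bss, where a zero-initialised or uninitialised int ends up) has no bytes on disk to edit, and a stripped binary has no .symtab at all, so the readelf -s step fails and you are back to searching the .data bytes by value.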
