How to find the memory address offsets from IDA in binary file


Problem description


I am trying to write a command line application which can modify a .so file using hex values at specific addresses.


I'm using IDA Demo and HxD Hex Editor to obtain the addresses which need to be updated; however, no matter which language I use (bash scripting, PHP, Python), every time I edit the file it updates at the wrong address offsets compared with the ones I have from IDA and HxD Hex Editor.


I have seen a few posts regarding this, but as of yet none have been able to give a definitive answer as to how to obtain the addresses which HxD and IDA have no issue finding :(


In python I have used the mmap function to attempt this using the below;

import mmap
import contextlib
import os

filesize = os.stat("filetomodify.so").st_size
print int(filesize)


with open("filetomodify.so", 'r+b') as f:
    with contextlib.closing(mmap.mmap(f.fileno(),  access=mmap.ACCESS_WRITE)) as m:
        m[0x173596] = "FF 20"
        m[0x18D88E] = "FF 20"
        m.close()


This uses the os library to determine the size of the file, which is returned as 10025936; however, each time I add the length=filesize argument between f.fileno() and access=mmap.ACCESS_WRITE I always get a mmap.error: [Errno 22] Invalid argument error message, but when I omit the argument I get TypeError: Required argument 'length' (pos 2) not found.


The bash script I have used is one which I found here, which modifies the file okay, but updates the wrong addresses;

#!/bin/bash

# param 1: file
# param 2: offset
# param 3: value
# param 4: Size of Bytes
function replaceByte() {
    printf "$(printf '\\x%02X' $3)" | dd of="$1" bs=$4 seek=$2 count=1 conv=notrunc &> /dev/null
}

# Usage:
replaceByte 'filetomod.so' "0x173596" "95 E5 0A 2F 66 1E 32 EE 4C B8 9A 6E BD EC 01" 15


Calling the function as described above updates the file and writes it ok, but when I do a find for the updated byte string (e.g, 95 E5 0A 2F 66 1E 32 EE 4C B8 9A 6E BD EC 01 -- Just a long unique string which you would not expect to find in a file) it has been inserted at the incorrect address, or it tells me that the offset is outside of the file size.


Lastly, the php code I used (which I wasn't expecting much success with anyway) was;

<?php
$fp = fopen('binary_file.bin', 'w+b');
fseek($fp, 173596);
fwrite($fp, '95 E5 0A 2F 66 1E 32 EE 4C B8 9A 6E BD EC 01');
fclose($fp);
?>


However, rather than editing the Hex values of the binary file, this added the string as a string to the binary file at HxD Address 0002A61C with the hex code as 39 35 20 45 35 20 30 41 20 32 46 20 36 36 20 31 45 20 33 32 20 45 45 20 34 43 20 42 38 20 39 41 20 36 45 20 42 44 20 45 43 20 30 31 which had the output of 95 E5 0A 2F 66 1E 32 EE 4C B8 9A 6E BD EC 01


Any help with this would be greatly appreciated. My only requirement for the answers would be that it can be run from command line, whether php, bash, python, java etc.

Thanks in advance.

Recommended answer


After some trials in a virtual machine running CentOS 6.5, I got it.

function replaceByte() {
    printf "$(printf '\\x%02X' $3)" |
    dd of="$1" ibs=1 count=1 obs=1 seek="$2" conv=notrunc &> /dev/null
}

The problem is the unit of the seek parameter: blocks, not bytes.


When you change the default block size, both input block size and output block size are changed. Therefore the seek parameter refers to blocks whose size is the value of bs parameter.


To solve this, you must set the input block size ibs as you did, but the output block size obs must be set to 1. Otherwise, as the output is a disk file, the obs value is set to 512 bytes (the disk block size).


You can try the following test to check the size of the output block is 512, not 1:

  1. Create a text file (file.txt) containing an entire blank line (for example, 30 white spaces)
  2. Check that the size of the file is near 30 bytes.
  3. Run echo -e '\x41' | dd of=file.txt ibs=1 count=1 seek=3 conv=notrunc (0x41 is the ASCII code for A)
  4. Check that the size of file.txt has changed: 1537 bytes (3 blocks of 512 bytes per block plus 1 -- 3*512+1)


As file.txt is "corrupted", repeat the steps 1 and 2.

Best regards.


P.D: this function replaceByte() should work fine for just ONE byte. If you need to change several contiguous bytes in a single call, you must replace the printf, perhaps with a loop... and the ibs=1 with the proper value.
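A worked example added here, not code from the question or the answer above, covering the two things the thread leaves open: how the address IDA shows relates to the file offset HxD shows, and how to write raw bytes (not hex text) at that offset from a script without running past the end of the file. IDA displays virtual addresses taken from the ELF PT_LOAD program headers; the byte lives in the file at vaddr - p_vaddr + p_offset of the segment that contains it, which for a .so is usually not the same number. The script assumes a little-endian ELF32 or ELF64 shared object and that the target address falls inside a PT_LOAD segment; the ELF that build_sample_elf64() writes is a constructed stand-in for the real filetomodify.so, and the function names are chosen for this example. Note also that the PHP attempt seeks to decimal 173596, which is 0x2A61C, exactly the HxD address where the text turned up.

```python
"""Map an IDA virtual address to a file offset and patch bytes there.

Added example (Python 3); assumes a little-endian ELF .so and that the
address lies in a PT_LOAD segment.  build_sample_elf64() is a constructed
stand-in for a real shared object.
"""
import mmap
import os
import struct
import tempfile

PT_LOAD = 1


def parse_load_segments(data):
    """Return [(p_vaddr, p_offset, p_filesz), ...] for every PT_LOAD segment."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[5] != 1:
        raise ValueError("only little-endian ELF is handled in this example")
    ei_class = data[4]
    if ei_class == 2:                       # ELFCLASS64
        e_phoff, = struct.unpack_from("<Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
        fmt = "<IIQQQQQQ"                   # type flags offset vaddr paddr filesz memsz align
    elif ei_class == 1:                     # ELFCLASS32
        e_phoff, = struct.unpack_from("<I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x2A)
        fmt = "<IIIIIIII"                   # type offset vaddr paddr filesz memsz flags align
    else:
        raise ValueError("bad EI_CLASS %d" % ei_class)
    segs = []
    for i in range(e_phnum):
        ph = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        if ei_class == 2:
            p_type, _, p_offset, p_vaddr, _, p_filesz = ph[:6]
        else:
            p_type, p_offset, p_vaddr, _, p_filesz = ph[:5]
        if p_type == PT_LOAD:
            segs.append((p_vaddr, p_offset, p_filesz))
    return segs


def vaddr_to_file_offset(data, vaddr):
    """Translate the address IDA shows into the offset of that byte in the file (HxD's number)."""
    for p_vaddr, p_offset, p_filesz in parse_load_segments(data):
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("0x%x is not backed by bytes in the file" % vaddr)


def patch_file(path, offset, new_bytes, expected=None):
    """Overwrite len(new_bytes) bytes at `offset` in place; return the old bytes.

    new_bytes must be raw bytes (bytes.fromhex("FF 20")), not hex text.
    mmap length 0 maps the whole file; the bounds check refuses writes that
    would run past the end of it.
    """
    with open(path, "r+b") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_WRITE) as m:
            end = offset + len(new_bytes)
            if end > len(m):
                raise ValueError("patch ends at 0x%x, file is 0x%x bytes" % (end, len(m)))
            old = bytes(m[offset:end])
            if expected is not None and old != expected:
                raise ValueError("bytes at 0x%x are %s, expected %s"
                                 % (offset, old.hex(), expected.hex()))
            m[offset:end] = new_bytes       # equal-length slice: no resize
            m.flush()
    return old


def build_sample_elf64(vaddr=0x10000, size=0x200):
    """Constructed ELF64 with one PT_LOAD at file offset 0 but virtual address `vaddr`."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, SysV ABI
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, vaddr, vaddr, size, size, 0x1000)
    head = ehdr + phdr
    return head + bytes(i & 0xFF for i in range(size - len(head)))


def demo():
    """Write the sample .so, patch two bytes at an IDA-style address, report what changed."""
    data = build_sample_elf64()
    fd, path = tempfile.mkstemp(suffix=".so")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(data)
        ida_addr = 0x10000 + 0x100                    # what IDA would display
        off = vaddr_to_file_offset(data, ida_addr)    # 0x100, what HxD displays
        old = patch_file(path, off, bytes.fromhex("FF 20"), expected=data[off:off + 2])
        with open(path, "rb") as f:
            new = f.read()[off:off + 2]
    finally:
        os.unlink(path)
    return off, old, new


if __name__ == "__main__":
    print(demo())
```

If you prefer to stay with dd as in the answer, the multi-byte form is bs=1 with no count, so that seek is counted in bytes and every input byte is written: printf '\x95\xe5\x0a' | dd of=filetomod.so bs=1 seek=$((0x173596)) conv=notrunc. Whichever tool you use, the offset you give it must be the file offset, which is why converting the IDA address first matters.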
