
So, this is a noob question, I am a complete beginner in this field, so sorry if I'm wasting your time in any way.

I wanted to know if there is a way to edit an ELF binary without using a hex editor. More specifically, I want to get the assembly code, edit it directly, and then assemble it again.

Normally, I would use objdump and wxHexEditor to patch a few values, but there is a problem - how can I write new instructions, without overwriting the next ones? This is why I wanted to know if I could edit the Assembly code instead of the hex data.

(Please please please note - 80% of what I just said is unclear to me, because I just started to do this stuff. If you can, excuse my lack of knowledge.)

asked by InxaneNinja

Comments on the question (score in brackets):

  • [3] So I flag this question as duplicate. You are actually trying to patch a given binary. I would recommend to study some of the following references and then eventually try to refine your question. Recommended reads are the IDA-Pro Book - Chapter 'Binary Patching' (explains the IDA-based workflow of patching a binary via instructions + internal assembler). More tool resources are perhaps the documentation or code from patchkit, the-backdoor-factory, peinjector.... A good start is also the given answer by blabb in the re-post. In essence: trampoline / resize sections / use alignment bytes. – knx Mar 16 '19 at 15:31
  • [2] If you know how to patch with a hex editor, then maybe this: "objdump -M intel -D" to get a disassembly, find the instructions and offset you want to patch out, use an online assembler (google it) to assemble the instructions you want to replace with. If the latter is smaller than the former, just include enough NOPs to fill the space. If the latter is larger than the former, you'll have to look at that link from kn0x – knowmalware Mar 17 '19 at 01:07
  • [1] I believe this post is not a dupe. The question is clearly specific to the ELF/GNU/Linux environment, the orig is specific to the PE/Windows world. Consequently, the accepted (and only) answer there does not really answer this question. If you have the required privilege, please initiate a reopen review. – peterh May 26 '20 at 20:51
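The workflow the comments describe (disassemble with objdump, assemble the replacement separately, write it over the old bytes and NOP-fill the gap) put into code, as an added example that is not from the question or from any of the commenters. The script maps the virtual address objdump prints to a file offset via the ELF64 program headers, because the address in the listing is not the offset a hex editor works with; it overwrites exactly the length of the original instruction(s), pads with single-byte NOPs, and refuses a replacement that is longer than what it replaces, which is the case where the trampoline / section-resize techniques knx mentions become necessary. The tiny ELF image, its addresses and the original instruction bytes are constructed for the demonstration; the replacement bytes `b0 3c` are what any x86 assembler emits for `mov al, 0x3c`.

```python
import struct

PT_LOAD = 1
EM_X86_64 = 62
NOP = b"\x90"  # single-byte x86 no-op used as padding


def load_segments(elf: bytes):
    """Return (p_offset, p_vaddr, p_filesz) for every PT_LOAD segment of a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_machine = struct.unpack_from("<H", elf, 0x12)[0]
    if e_machine != EM_X86_64:
        raise ValueError("the NOP padding below assumes x86-64")
    e_phoff = struct.unpack_from("<Q", elf, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    segments = []
    for i in range(e_phnum):
        fields = struct.unpack_from("<IIQQQQQQ", elf, e_phoff + i * e_phentsize)
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, _memsz, _align = fields
        if p_type == PT_LOAD:
            segments.append((p_offset, p_vaddr, p_filesz))
    return segments


def vaddr_to_offset(elf: bytes, vaddr: int) -> int:
    """Translate the address objdump prints into the file offset a hex editor would use."""
    for p_offset, p_vaddr, p_filesz in load_segments(elf):
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError(f"address {vaddr:#x} is not backed by file contents")


def patch_instructions(elf: bytes, vaddr: int, old_len: int, new_code: bytes) -> bytes:
    """Overwrite old_len bytes at vaddr with new_code, NOP-padding whatever is left over."""
    if len(new_code) > old_len:
        raise ValueError(
            f"replacement is {len(new_code) - old_len} byte(s) too long; "
            "it needs a trampoline or a resized section, not an in-place patch"
        )
    off = vaddr_to_offset(elf, vaddr)
    if off + old_len > len(elf):
        raise ValueError("patch runs past the end of the file")
    filled = new_code + NOP * (old_len - len(new_code))
    return elf[:off] + filled + elf[off + old_len:]


# --- constructed sample image (not a real program) ---------------------------
BASE = 0x400000
CODE_OFFSET = 64 + 56  # ELF header + one program header = 0x78
# constructed original code: mov eax, 0x3c ; xor edi, edi ; syscall
ORIGINAL_CODE = bytes.fromhex("b83c000000" "31ff" "0f05")


def build_sample_elf() -> bytes:
    """Build a minimal ELF64 x86-64 image with one PT_LOAD segment covering the whole file."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, version 1
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, EM_X86_64, 1, BASE + CODE_OFFSET,  # e_type=EXEC, e_machine, e_version, e_entry
        64, 0, 0,                             # e_phoff, e_shoff, e_flags
        64, 56, 1, 0, 0, 0,                   # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    )
    total = CODE_OFFSET + len(ORIGINAL_CODE)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, BASE, BASE, total, total, 0x1000)
    return ehdr + phdr + ORIGINAL_CODE


def demo() -> bytes:
    """Replace the 5-byte 'mov eax, 0x3c' with the 2-byte 'mov al, 0x3c' plus three NOPs."""
    elf = build_sample_elf()
    # objdump -M intel -D would list this as:  400078: b8 3c 00 00 00   mov eax,0x3c
    return patch_instructions(elf, BASE + CODE_OFFSET, 5, bytes.fromhex("b03c"))


if __name__ == "__main__":
    before, after = build_sample_elf(), demo()
    print("before:", before[CODE_OFFSET:].hex(" "))
    print("after: ", after[CODE_OFFSET:].hex(" "))
```

For a real file, read it with `open(path, "rb").read()`, pass the address from the objdump listing and the total byte length of the instructions being replaced, and write the returned bytes to a copy of the binary; the file size and everything outside the patched range stay untouched, which is what keeps the following instructions intact.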

0 Answers