kisom / binarm

BINARY ARMAGEDDON

If you have to use this, it's probably the end of the world as we know
it --- do you feel fine?

Commands are single lower-case letters, numbers are hexadecimal. Arguments
are separated by spaces, commands are terminated with spaces or
newlines. If the file doesn't exist, it can be created with the -!  <size>
flag. As with all other numbers in this program, this size is hexadecimal.

COMMANDS:

	e offset	Extend file +offset bytes.
	f offset size	Find a size sequence of bytes starting at
			offset. The maximum size is 32 bytes.
	i start		Insert a byte at start. This will create a hole
			at start, setting the byte to 0, and shift the
			remaining data to the right one byte.
	l		Print the current image size.
	q		Quit. This should be the first command you enter.
	r start offset	Read (and print) a hex dump of offset bytes from
			the file starting at start. If offset is 0, the
			remainder of the file (after start) is read. For
			example, `r 0 0` will read the entire file.
	s offset size	Scan for all instances of the size-sized
			fragment starting at offset.
	w start		Start writing to the file at start.


EXAMPLE:
	Don't try this at home.

	$ cat test.txt
	hello world
	$ ls -l test.txt
	-rw-rw-r-- 1 kyle kyle 12 Apr 22 22:28 test.txt
	$ ./binarm test.txt
	
	> r 0 0c 
	00000000 | 68 65 6c 6c 6f 20 77 6f  72 6c 64 0a 
	
	
	> e 08
	EXTENDED 8 BYTES
	
	> w 0b
	W> 21 0a 0a 48 49 21 0a
	WROTE 7 BYTE(S)
	
	> r 0 12 
	00000000 | 68 65 6c 6c 6f 20 77 6f  72 6c 64 21 0a 0a 48 49 
	00000010 | 21 0a 
	

	> f 2 3
	F> 77 6f 72

	FIND FRAG FROM 2 SIZE 3
	FOUND STARTING AT +4 (6)

	> s 0 1
	F> 6c
	SCAN FRAG FROM 0 SIZE 1
	FOUND STARTING AT +0 (0)
	FOUND STARTING AT +0 (1)
	FOUND STARTING AT +0 (3)
	FOUND STARTING AT +0 (7)
	NOT FOUND

	> q
	QUIT
	$ cat test.txt 
	hello world!
	
	HI!
	$ ls -l test.txt 
	-rw-rw-r-- 1 kyle kyle 20 Apr 22 22:32 test.txt
	$ 

There is no backspace. The only undo for a write is to start writing at
the same offset with the bytes you intended.

Alternatively, in the spirit of [1], armageddon may be unleashed on the
example client auth program. The major difference from the post is that
this example was built and run on an AMD64 machine ([1] uses a 32-bit
machine); accordingly, instead of the instruction 01442418, the target
instruction is 0145fc. The relevant instruction look up is found in [2].

First, build the (incorrect) client auth program:

	$ cat test1.c
	/*
	 * client-auth1.c
	 */
	
	#include <stdio.h>
	
	int
	main(void)
	{
	        int             i = 0;
	        unsigned        sum = 0xffff0000;
	        char            c;
	
	        while (0xa != (c = getchar())) {
	                i++;
	                sum += c * i;
	        }
	        printf("%010u\n", sum);
	}
	$ make test1 
	cc     test1.c   -o test1

Run it with the challenge input; this is the wrong input, but it's
useful to immediately compare the output of the modified version to
ensure something useful was changed.

	$ ./test1
	sptjpgzczykbgwogqmbrhsg
	4294931782

It's not strictly required, but it's useful to find main as a starting
point for exploring the program. It's mapped 0x40057d, which places it
at an offset of 0x57d in the image.

	$ readelf -s test1 | grep main$
	    61: 000000000040057d    75 FUNC    GLOBAL DEFAULT   13 main

Invoke binarm: find the desired 3-byte instruction starting from the
main offset in the image. It was found 24 bytes from the search point at
an absolute offset of 0x5a1 bytes in the image.

	$ ./binarm test1
	
	> f 57d 3
	F> 0145fc
	FIND FRAG FROM 57d SIZE 3
	FOUND STARTING AT +24 (5a1)
	
A visual confirmation shows the target instruction where expected; the
alignment isn't required, but it makes finding the instruction a little
easier.

	> r 570 64
	00000570 | e9 7b ff ff ff 0f 1f 00  e9 73 ff ff ff 55 48 89 
	00000580 | e5 48 83 ec 10 c7 45 f8  00 00 00 00 c7 45 fc 00 
	00000590 | 00 ff ff eb 0f 83 45 f8  01 0f be 45 f7 0f af 45 
	000005a0 | f8 01 45 fc e8 c7 fe ff  ff 88 45 f7 80 7d f7 0a 
	000005b0 | 75 e3 8b 45 fc 89 c6 bf  54 06 40 00 b8 00 00 00 
	000005c0 | 00 e8 8a fe ff ff c9 c3  0f 1f 84 00 00 00 00 00 
	000005d0 | 41 57 41 89 
	
The next step is to replace the single byte, a visual check on the
update, and exit.

	> w 5a1
	W> 29
	WROTE 1 BYTE(S)
	
	> r 5a0 32
	000005a0 | f8 29 45 fc e8 c7 fe ff  ff 88 45 f7 80 7d f7 0a 
	000005b0 | 75 e3 8b 45 fc 89 c6 bf  54 06 40 00 b8 00 00 00 
	000005c0 | 00 e8 8a fe ff ff c9 c3  0f 1f 84 00 00 00 00 00 
	000005d0 | 41 57 
	
	> q
	QUIT

The modified program can now be tested. A quick visual check shows the
output has changed, and the answer is the same answer from [1].

	$ ./test1                        
	sptjpgzczykbgwogqmbrhsg
	4294871738


[1] "Introduction to Patching Binaries with the HT Editor"
    http://kyleisom.net/blog/2013/10/19/intro-to-ht/
[2] http://ref.x86asm.net/coder64.html