Wednesday, November 2, 2016

ALTERATION OF A PROGRAM AT RUNTIME - Example 2 - Changing output - Evans Debugger with Linux

EDB-Debugger (Evan's Debugger) is an analyzer, debugger and disassembler for multi-architecture binary files in ELF format (Executable and Linkable Format). ELF is the standard format on Linux for executables, object code, shared libraries and core dumps.

- The goal of the author, Evan Teran, was to create a tool similar to OllyDbg for use on Linux systems. Although GDB (the GNU Debugger) is available for Linux, it is driven from the command line and provides no graphical interface of its own.

- In this example EDB-Debugger is used to alter, at runtime, the behaviour of a program written in C.

- First we write a simple C program (prueba.c) whose only job is to print the string HOLA:

- Compiling it:

- Running it; the program prints the string HOLA to the console:

- To begin the analysis, the executable is loaded into EDB:

- Running it under the debugger, the output is the expected HOLA:

- Next we look for the location of the string HOLA inside the program: Plugins -> Binary Searcher -> Binary String Search (Ctrl+F).

- EDB lets the search string be typed directly as ASCII. The result: the string, 48 4F 4C 41 in hexadecimal (H O L A), is found in the memory range searched, between 0804840F and 0804940F:

- Indeed, at that position we find the following instruction, one of whose operands is the immediate value 0x414C4F48.

The operand is stored in little-endian format (least significant byte at the lowest memory address), so reading its four bytes in address order gives the string:

0x414C4F48 = 48 4F 4C 41 = HOLA (in ASCII)

- To alter the program's behaviour at runtime, right-click the instruction and choose Edit Bytes from the context menu:

This option lets the bytes be edited as ASCII text; where it reads HOLA we type BYE:

The instruction is altered: its operand, read in little-endian format, is now 0x455942, the ASCII value of the string BYE. Because BYE is one character shorter than HOLA, the fourth byte of the 32-bit immediate becomes 0x00, which is exactly the NUL terminator the new, shorter string needs.

- Running the program again under the debugger, the output is now BYE. Note that Edit Bytes changes the memory of the process being debugged, not the executable on disk: run outside the debugger, prueba still prints HOLA.
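The same search-and-patch logic, written out in code so the byte-level details of the walkthrough can be checked without the GUI. This is an added example, not code from the original post or from the EDB project. SAMPLE_TEXT is a constructed stand-in for the few bytes of .text around the instruction the post found (a 32-bit x86 `mov dword [ebp-0xC], 0x414C4F48` followed by the byte store of the terminator); `patch_file` is an assumed helper that applies the same edit to a file on disk, which is a different thing from what EDB does (EDB edits the live process's memory).

```python
"""Locate a string embedded as an instruction immediate and overwrite it in place.

Added example (not from the original post or from EDB). Works on a constructed
byte string; patch_file() applies the same edit to a file on disk.
"""
import struct

# Constructed sample, standing in for the .text bytes around the patched instruction:
#   55 89 e5 83 ec 10        push ebp; mov ebp,esp; sub esp,0x10
#   c7 45 f4 48 4f 4c 41     mov dword [ebp-0xC], 0x414C4F48   ("HOLA", little-endian)
#   c6 45 f8 00              mov byte  [ebp-0x8], 0            (the NUL terminator)
SAMPLE_TEXT = (
    b"\x55\x89\xe5\x83\xec\x10"
    + b"\xc7\x45\xf4" + b"HOLA"
    + b"\xc6\x45\xf8\x00"
)


def operand_le32(value: int) -> bytes:
    """Encode a 32-bit immediate the way x86 stores it: least significant byte first."""
    return struct.pack("<I", value)


def immediate_from_bytes(raw: bytes) -> int:
    """Read four little-endian bytes back as the integer the disassembler shows."""
    return struct.unpack("<I", raw)[0]


def find_string(code: bytes, s: str) -> list:
    """Offsets of every occurrence of the ASCII string s (EDB's Binary String Search)."""
    needle = s.encode("ascii")
    hits, start = [], 0
    while True:
        i = code.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def patch_string(code: bytes, old: str, new: str) -> bytes:
    """Replace the embedded string old with new, NUL-padded to the same width.

    The replacement plus its terminating NUL must fit in the bytes old occupied:
    anything longer would spill into the following instruction and corrupt it.
    """
    old_b = old.encode("ascii")
    new_b = new.encode("ascii") + b"\x00"
    if len(new_b) > len(old_b):
        raise ValueError(f"{new!r} plus NUL needs {len(new_b)} bytes, only {len(old_b)} available")
    hits = find_string(code, old)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one occurrence of {old!r}, found {len(hits)}")
    off = hits[0]
    return code[:off] + new_b.ljust(len(old_b), b"\x00") + code[off + len(old_b):]


def patch_file(path: str, old: str, new: str) -> None:
    """Apply the same edit to a file on disk (assumed helper; EDB instead edits process memory)."""
    with open(path, "rb") as f:
        data = f.read()
    with open(path, "wb") as f:
        f.write(patch_string(data, old, new))


if __name__ == "__main__":
    off = find_string(SAMPLE_TEXT, "HOLA")[0]
    print(f"HOLA at offset {off:#x}, operand 0x{immediate_from_bytes(SAMPLE_TEXT[off:off + 4]):08X}")
    patched = patch_string(SAMPLE_TEXT, "HOLA", "BYE")
    print(f"patched operand 0x{immediate_from_bytes(patched[off:off + 4]):08X}")
```

The length check is the caveat worth carrying back to the debugger: typing a replacement longer than the original into Edit Bytes silently overwrites whatever instruction follows, so the patch only works cleanly when the new string, terminator included, fits in the original's footprint.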