Elf headers of binary corrupted

lbjksp · 06-30-2015, 06:24 PM

I have a binary (compiled with gcc) with corrupted elf headers.

The file utility shows the following information:

Code:

mybinary: ERROR: ELF 64-bit LSB executable, x86-64, invalid version (SYSV), dynamically linked (uses shared libs)error reading (Invalid argument)

readelf -h ./mybinary shows this at the end of the output:

Code:

readelf: Error: Unable to seek to 0xffffff60e9000000 for string table
readelf: Error: Section 8 has invalid sh_entsize 6c2f343662696c2f (expected 18)
readelf: Error: Section 23 has invalid sh_entsize 0 (expected 10)
readelf: Error: no .dynamic section in the dynamic segment

What can I do to fix this binary? I can not run a file with broken elf headers in gdb for example.

berndbausch · 06-30-2015, 08:58 PM

Quote:

Originally Posted by lbjksp

I have a binary (compiled with gcc) with corrupted elf headers.

The file utility shows the following information:

Code:

mybinary: ERROR: ELF 64-bit LSB executable, x86-64, invalid version (SYSV), dynamically linked (uses shared libs)error reading (Invalid argument)

readelf -h ./mybinary shows this at the end of the output:
[CODE]
readelf: Error: Section 8 has invalid sh_entsize 6c2f343662696c2f (expected 18)

"entsize" looks like a string "l/46bil/". Perhaps the string command helps you get a clue.
I'd say that something overwrote the header.
Or the header is in a different format than expected by readelf or file; perhaps it was created for a different platform.

While I don't know if there are programs that can fix corrupted ELF headers, I am curious: Can you run this binary? Can you recreate it? If not, where did you get it from?

lbjksp · 07-01-2015, 07:09 AM

Quote:

Originally Posted by berndbausch

"entsize" looks like a string "l/46bil/". Perhaps the string command helps you get a clue.
I'd say that something overwrote the header.
Or the header is in a different format than expected by readelf or file; perhaps it was created for a different platform.

While I don't know if there are programs that can fix corrupted ELF headers, I am curious: Can you run this binary? Can you recreate it? If not, where did you get it from?

The ELF headers were corrupted on purpose by the author of this binary to prevent it from being reverse engineered. gdb or objdump or disassembler tools either print an error message (File format not recognized) or crash. I can run this binary perfectly fine. It's a small crackme file for a reverse engineering exercise, which is not easy as debugging or disassembling is not possible to due the corrupted headers.