When can I edit strings in an executable binary?

8,560

I don't know if your version of sed will be binary-clean or if it will choke on what it thinks are really long lines in its input, but barring those issues, editing the string in-place should work. To see whether it does, compare the old and new versions with cmp -l. It should tell you whether or not the only three differences between the two files are those 3 bytes.

Editing strings in a compiled executable will indeed work if the strings are of the same length, but it will almost always also work if you are shortening the string, due to the way that strings work in C. In C strings, everything after the NUL terminator does not count, so if you write a new NUL terminator before the position of the old one, you will effectively shorten the string.

In general, there is no way you can lengthen a string using this hack.


Author: Tam Borine

Updated on September 18, 2022

Comments

  • Tam Borine over 1 year

    I have an executable binary; let's call it a.out. I can see the binary contains strings

    $ strings a.out
    ...
    /usr/share/foo
    ....
    

    I need to change the string /usr/share/foo to /usr/share/bar. Can I just replace the string with sed?:

    sed -i 's@/usr/share/foo@/usr/share/bar@' a.out
    

    This looks like a safe thing to do. Will this also work when the strings are not the same length?

  • Tam Borine about 9 years
    What about shortening the string with something like sed -i 's@longstring@foo@' a.out? This will make the whole binary smaller by 7 bytes. Will this not corrupt the binary?
  • Celada about 9 years
    Yes, it will corrupt the binary. That's why you have to translate the string to one of the exact same length, but set a NUL terminator at an earlier position as I explained (although maybe too briefly). The trouble is that you can't have a NUL byte on the command line so you have to put your sed program into a file and refer to it with -f. On the other hand, the safer thing to do would be to use a tool that is designed to work with binary data instead of sed which is designed to work with text data.
  • gokhan acar about 9 years
    Good answer. sed can do lots of things, but, in general, that's what binary editors were invented for. They can be challenging to use when navigating within a large binary file, but they will let you change things byte by byte. I use hexedit when I have to examine or change a binary file. You can use strings -t x file | less to locate the offsets of the (printable) strings you want to change before jumping into the editor.
  • user2447506 over 7 years
    Let's say I have a string in my C program: "My name was Mr Robot" and I want to replace 'was' with 'is', then padding \0 will have to be done carefully, because if the replacement does this: "My name is\0 Mr Robot", then while performing operations with the string, the '\0' character will create problems as the length will reduce unintentionally.
  • Celada over 7 years
    @NehalJWani no, in that case you'd have to shift the whole rest of the string forward by one byte so that your new, extra, terminating NUL goes on the end, adjacent to the existing NUL.
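
An added example, not part of the original thread: a binary-safe way to make the same-length or shorter replacement discussed above, written in Python instead of sed. The names patch_cstring and diff_offsets and the sample bytes are constructed for illustration; the code assumes the target is a whole NUL-terminated C string, pads a shorter replacement with NULs at the end so the file size never changes, and refuses a longer one.

```python
import os
import tempfile

def patch_cstring(path, old, new):
    """Overwrite each NUL-terminated copy of `old` in `path` with `new`,
    NUL-padded to len(old) so the file size and all offsets stay the same.
    Returns the patched file offsets."""
    if len(new) > len(old) or b"\0" in new:
        raise ValueError("replacement must be NUL-free and no longer than the original")
    padded = new + b"\0" * (len(old) - len(new))
    with open(path, "r+b") as f:
        data = f.read()
        offsets, pos = [], data.find(old)
        while pos != -1:
            # Only patch complete C strings: the byte after the match must be
            # the terminator, otherwise this is a prefix of a longer string.
            if data[pos + len(old):pos + len(old) + 1] == b"\0":
                offsets.append(pos)
            pos = data.find(old, pos + 1)
        for off in offsets:
            f.seek(off)
            f.write(padded)
    return offsets

def diff_offsets(a, b):
    """Like `cmp -l`: 1-based offsets of the bytes that differ."""
    if len(a) != len(b):
        raise ValueError("file size changed")
    return [i + 1 for i, (x, y) in enumerate(zip(a, b)) if x != y]

def demo():
    # Constructed sample bytes standing in for a.out (not a real executable).
    original = (b"\x7fELF...." + b"/usr/share/foo\0" + b"/usr/share/foobar\0"
                + b"My name was Mr Robot\0")
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(original)
    try:
        patch_cstring(tmp.name, b"/usr/share/foo", b"/usr/share/bar")
        patch_cstring(tmp.name, b"My name was Mr Robot", b"My name is Mr Robot")
        with open(tmp.name, "rb") as f:
            return original, f.read()
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    before, after = demo()
    print("differing offsets:", diff_offsets(before, after))
```

In the sample, /usr/share/foobar is left alone because the match is not followed by a terminator, and the shortened "Mr Robot" string ends with two adjacent NULs rather than one in the middle.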