
patching a binary file

I wrote a simple C program that displays "Hello World!" to stdout. Then I compiled it, and deleted the source code.

I have set myself to the project of patching the program in such a way that it displays something other than "Hello World!" To do this I found the string stored in the binary file, and replaced the ASCII for 'e' with 'a' at the offset in the binary (I assume it's the data section) where the string is stored, using vi's hex editor.

I only changed one single byte of the binary, 0x65 to 0x61, 'e'->'a', and yet, when I run the program I get this:

./simple: line 1: 0000000:: command not found
./simple: line 2: 0000010:: command not found
./simple: line 3: 0000020:: command not found
./simple: line 4: 0000030:: command not found
./simple: line 5: 0000040:: command not found
./simple: line 6: 0000050:: command not found
./simple: line 7: syntax error near unexpected token `('
./simple: line 7: `0000060: 0000 0000 0000 0000 1900 0000 2802 0000  ............(...'

Does anyone know why this is happening? I.e. why can a single-byte replacement render an otherwise-executable binary (I ran it fine before) non-executable? The byte was merely part of the string - it wasn't part of an instruction - so I don't see why this is happening.

Thanks for all feedback.

What your editor saved was not the original bytes, but the hexadecimal representation of them. The first line of the file looks like this:

00000000:   45 4C 46 7F ...

That's the reason for the error message by the shell. It reads that line and tries to interpret it as a script for /bin/sh, since it doesn't start with the bytes ELF\x7F but with the bytes 00000000.

Use a proper hex editor, and you will be fine.

You need to exit 'hexedit mode' via

:%!xxd -r

before saving a binary file with vi.
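The failure the two answers above describe (vi saving the xxd text dump instead of the bytes) and the `xxd -r` recovery step, as an added Python example that is not from any of the posters: `classify` tells a real ELF image from a saved dump by its first line, `xxd_dump`/`xxd_reverse` reproduce what `:%!xxd` and `:%!xxd -r` do, and `patch_byte` makes the single-byte edit while checking the expected byte is there. The 29-byte `SAMPLE` is a constructed stand-in with only the ELF magic and the string, not a loadable executable.

```python
import re

ELF_MAGIC = b"\x7fELF"   # the ELF magic: 0x7F followed by the letters E L F

# One xxd dump line, e.g. "00000010: 4865 6c6c 6f20 576f 726c 6421 00  Hello World!."
XXD_LINE = re.compile(rb"^([0-9a-fA-F]+):((?: [0-9a-fA-F]{2,4})+)(?:  .*)?$")

# Constructed stand-in for the compiled program: magic, zero padding, then the
# string the question patches. Not a loadable executable.
SAMPLE = ELF_MAGIC + bytes(12) + b"Hello World!\0"

def classify(data: bytes) -> str:
    """Tell a real ELF image apart from an xxd text dump saved by mistake."""
    if data.startswith(ELF_MAGIC):
        return "elf"
    if XXD_LINE.match(data.split(b"\n", 1)[0]):
        return "xxd-dump"
    return "other"

def xxd_dump(data: bytes, width: int = 16) -> bytes:
    """Render bytes the way `:%!xxd` does (offset, hex pairs, ASCII column)."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexs = b" ".join(chunk[i:i + 2].hex().encode() for i in range(0, len(chunk), 2))
        asc = bytes(c if 32 <= c < 127 else 0x2E for c in chunk)
        lines.append(b"%08x: %s  %s" % (off, hexs, asc))
    return b"\n".join(lines) + b"\n"

def xxd_reverse(dump: bytes) -> bytes:
    """Rebuild raw bytes from a dump, the recovery step `:%!xxd -r` performs."""
    out = bytearray()
    for line in dump.splitlines():
        m = XXD_LINE.match(line)
        if not m:
            continue                      # skip blank or non-dump lines
        offset = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2).replace(b" ", b"").decode("ascii"))
        out.extend(b"\0" * (offset - len(out)))   # honour gaps in offsets
        out[offset:offset + len(chunk)] = chunk
    return bytes(out)

def patch_byte(data: bytes, offset: int, old: int, new: int) -> bytes:
    """Replace exactly one byte, refusing if the expected value is not there."""
    if data[offset] != old:
        raise ValueError(f"byte at {offset:#x} is {data[offset]:#04x}, not {old:#04x}")
    return data[:offset] + bytes([new]) + data[offset + 1:]
```

Running `classify` on the saved file is the quick check for what went wrong here: a patched binary should still classify as `elf` and keep its original size.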

I'm not sure why this happened, but I would first want to make absolutely certain that you only changed one byte, and that you didn't accidentally insert or delete anything (the file is still the same size). You can use a program like my Cygnus Hex Editor to determine the exact difference between two files.

If that still doesn't work, then it may have something to do with the file's checksum. Although I didn't think they were always used, I believe EXEs do have a checksum. Although I'd be surprised for it to produce the results you're seeing.

To know exactly what's happening here is difficult; you'd need to be 100% certain that you changed the correct byte (and trusted your hex editor 100% too), because if you did, there would be no problem.

I've just created a similar binary with GCC on OSX and edited it with HexFiend.app and get the desired result.

(changed the text to Jello World :) )

Sounds like vi is not binary-clean. Yet another reason to choose emacs over vi.. ;-)
