ELF header anti-analysis patch and static password recovery
Foundations reversing engagement: deliberately broken ELF EI_DATA prevented execution; patching MSB to LSB allowed radare2 analysis that recovered the hardcoded password string.
- Case files
- ELF header anti-analysis patch and static password recovery
file reported MSB unknown arch. Flipping EI_DATA to LSB restored a runnable x86-64 PIE; main compared input to 2@@25$gfsT&@L.
MSB unknown arch fixed by setting ELF data encoding to LSB.
radare2 disassembly of main exposed the comparison string.
Engagement summary
file reported MSB unknown arch. Flipping EI_DATA to LSB restored a runnable x86-64 PIE; main compared input to 2@@25$gfsT&@L.
0X41HAZ delivered a stripped ELF with anti-analysis tampering: EI_DATA set to MSB so loaders and file(1) rejected it as unknown arch 0x3e00. Hex-editing the sixth header byte from 0x02 to 0x01 restored LSB x86-64. After chmod +x, the binary prompted for a password. radare2 aaa → s main → pdf showed a plaintext comparison against 2@@25$gfsT&@L, which the program accepted.
Business impact
Header corruption only slows triage — it is not protection. Hardcoded secrets in binaries are recoverable with static analysis. Ship real crypto comparisons (or remote auth), strip sensitive strings, and expect reverse engineers to fix trivial ELF tricks.
Identify and patch EI_DATA
MSB unknown arch fixed by setting ELF data encoding to LSB.
OPERATOR · ELF
savvy@lab:~$ file 0x41haz.bin
ELF 64-bit MSB *unknown arch 0x3e00* (SYSV)
savvy@lab:~$ hexedit 0x41haz.bin # byte 6: 0x02 → 0x01
savvy@lab:~$ file 0x41haz.bin
ELF 64-bit LSB pie executable, x86-64, ... stripped
savvy@lab:~$ chmod +x 0x41haz.bin && ./0x41haz.bin
Enter password:
Static recovery of the password
radare2 disassembly of main exposed the comparison string.
OPERATOR · R2
savvy@lab:~$ r2 -A 0x41haz.bin
[0x00000000]> aaa
[0x00000000]> s main; pdf
; strcmp / cmp against 2@@25$gfsT&@L
savvy@lab:~$ ./0x41haz.bin
Enter password: 2@@25$gfsT&@L
Access granted
Remediation
Do not rely on broken headers for IP protection. Use obfuscation only as delay; keep secrets off-device. Prefer challenge-response or server validation over local string compares.