Case file

ELF header anti-analysis patch and static password recovery

Foundations reversing engagement: deliberately broken ELF EI_DATA prevented execution; patching MSB to LSB allowed radare2 analysis that recovered the hardcoded password string.

Foundations18 minReverse Engineering · ELF · Static Analysis
01

Engagement summary

file reported MSB unknown arch. Flipping EI_DATA to LSB restored a runnable x86-64 PIE; main compared input to 2@@25$gfsT&@L.

0X41HAZ delivered a stripped ELF with anti-analysis tampering: EI_DATA set to MSB so loaders and file(1) rejected it as unknown arch 0x3e00. Hex-editing the sixth header byte from 0x02 to 0x01 restored LSB x86-64. After chmod +x, the binary prompted for a password. radare2 aaa → s main → pdf showed a plaintext comparison against 2@@25$gfsT&@L, which the program accepted.

Business impact

Header corruption only slows triage — it is not protection. Hardcoded secrets in binaries are recoverable with static analysis. Ship real crypto comparisons (or remote auth), strip sensitive strings, and expect reverse engineers to fix trivial ELF tricks.

02

Identify and patch EI_DATA

MSB unknown arch fixed by setting ELF data encoding to LSB.

OPERATOR · ELF

savvy@lab:~$ file 0x41haz.bin

ELF 64-bit MSB *unknown arch 0x3e00* (SYSV)

savvy@lab:~$ hexedit 0x41haz.bin # byte 6: 0x02 → 0x01

savvy@lab:~$ file 0x41haz.bin

ELF 64-bit LSB pie executable, x86-64, ... stripped

savvy@lab:~$ chmod +x 0x41haz.bin && ./0x41haz.bin

Enter password:

03

Static recovery of the password

radare2 disassembly of main exposed the comparison string.

OPERATOR · R2

savvy@lab:~$ r2 -A 0x41haz.bin

[0x00000000]> aaa

[0x00000000]> s main; pdf

; strcmp / cmp against 2@@25$gfsT&@L

savvy@lab:~$ ./0x41haz.bin

Enter password: 2@@25$gfsT&@L

Access granted

Remediation

Do not rely on broken headers for IP protection. Use obfuscation only as delay; keep secrets off-device. Prefer challenge-response or server validation over local string compares.