116 lines
3 KiB
Groff
116 lines
3 KiB
Groff
.\" $NetBSD: binpatch.1,v 1.2 2013/07/20 21:50:52 wiz Exp $
|
|
.\"
|
|
.\" Copyright (c) 2004 by Andrew Brown <atatat@netbsd.org>
|
|
.\" Absolutely no warranty.
|
|
.\"
|
|
.Dd July 20, 2004
|
|
.Dt BINPATCH 1
|
|
.Sh NAME
|
|
.Nm binpatch
|
|
.Nd trivial binary patch applicator
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Pa file=...
|
|
.Pa size=...
|
|
.Pa offset=...
|
|
.Pa compare=...
|
|
.Pa skip=...
|
|
.Pa replace=...
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm
|
|
utility can read and replace a small section of a given file.
|
|
It is designed for use in those instances where a problem exists with
|
|
a given binary that cannot be reconstructed from source code, but the
|
|
required change can be implemented by replacing a few bytes in the
|
|
existing binary.
|
|
All arguments must be given.
|
|
.Sh EXAMPLES
|
|
Given a binary called
|
|
.Dq a.out
|
|
of 10713 bytes in size with the following text segment:
|
|
.Bd -literal -offset indent
|
|
% objdump -h a.out
|
|
.sp
|
|
a.out: file format elf32-i386
|
|
.sp
|
|
Sections:
|
|
Idx Name Size VMA LMA File off Algn
|
|
[...]
|
|
9 .text 00000be4 08048968 08048968 00000968 2**2
|
|
CONTENTS, ALLOC, LOAD, READONLY, CODE
|
|
[...]
|
|
% objdump -d -j .text a.out
|
|
[...]
|
|
8048b0f: 83 ef 04 sub $0x4,%edi
|
|
8048b12: ff d0 call *%eax
|
|
8048b14: 83 fe ff cmp $0xffffffff,%esi
|
|
[...]
|
|
.sp
|
|
.Ed
|
|
where we wish to elide the call through
|
|
.Ar %eax
|
|
by replacing it with a series of
|
|
.Ar nop
|
|
(or
|
|
.Dq no operation )
|
|
instructions (the machine code for this on the i386 platform is 0x90),
|
|
we first calculate the offset into the file of the previous
|
|
.Ar sub
|
|
instruction. To do this, we take the address of the
|
|
.Ar sub
|
|
instruction as given by the dissassembly output, subtract the
|
|
.Dq LMA
|
|
and add the
|
|
.Dq File off
|
|
values from the objdump output (note that
|
|
.Xr bc 1
|
|
expects hexadecimal values to be given using upper case):
|
|
.Bd -literal -offset indent
|
|
% bc
|
|
ibase=16
|
|
8048B0F-08048968+00000968
|
|
2831
|
|
.sp
|
|
.Ed
|
|
The region of the binary we want to compare to before applying the
|
|
patch is the concatenation of the relevant machine codes from the
|
|
dissassembly dump (\c
|
|
.Ar 83ef04ffd083feff )
|
|
and the replacement is simply two
|
|
.Ar nop
|
|
instructions (\c
|
|
.Ar 9090 ) ,
|
|
that will replace the
|
|
.Ar ffd0
|
|
of the original call.
|
|
The offset of the replacement is 3, since that is the number of bytes
|
|
in the
|
|
.Ar sub
|
|
instruction.
|
|
From this we have our patch:
|
|
.Bd -literal -offset indent
|
|
% binpatch file=a.out size=10713 offset=2831 \\
|
|
compare=83ef04ffd083feff skip=3 replace=9090
|
|
% objdump -d -j .text a.out
|
|
[...]
|
|
8048b0f: 83 ef 04 sub $0x4,%edi
|
|
8048b12: 90 nop
|
|
8048b13: 90 nop
|
|
8048b14: 83 fe ff cmp $0xffffffff,%esi
|
|
[...]
|
|
.sp
|
|
.Ed
|
|
And thus the call is removed.
|
|
.Sh DIAGNOSTICS
|
|
The diagnostics are terse and almost unhelpful, but are more verbose
|
|
than users of
|
|
.Xr ed 1
|
|
might be used to.
|
|
They typically mention the command line argument that was in error.
|
|
.Sh SEE ALSO
|
|
.Xr bc 1 ,
|
|
.Xr objdump 1 ,
|
|
.Xr patch 1
|
|
.Sh AUTHORS
|
|
.An Andrew Brown Aq Mt atatat@netbsd.org
|