Sunday, April 06, 2003
Hacking the D3 Executable
Ok, here's the problem. D3's filesystem osfi is set to create files with 660 permissions (rw ower, rw group, nothing other). This is secure, but if you want to create files that will work for other users, you have to then go in and change the permissions. And if you have a boat load of software that doesn't do this, then it just doesn't work out well. What you'd really like to do is create all files with 777 (rwx for everybody) and let the umask mask out the unwanted bits (umask of 117 will give you the original result).
At first, this seemed easy, Raining Data gives you the source to rp_driverux.c. But alas, they don't give you the rp_driverux.h source, so you can't compile it. And in our special circumstance, we can't build coff files anyway. So I was left with the second alternative -- using a binary editor to change the executable code. The rest of this howto details how I did it.
Within /usr/lib/pick/rp_driverux.c you'll find:
static int
rp_upditm( long fd, rp_hdr *hd, unsigned char *buf, int length )
{
int code = -1;
unsigned char *p, *q;
int localfd;
localfd = RP_FDNUM(fd) - 1; /* Translate FD into table index */
. . .
/* Go open it */
if ((code = rp_retixux(localfd,O_WRONLY | O_TRUNC | O_CREAT,0660)) < 0)
{
hd->rp_rtncd = code;
return code;
}
. . .
}
The code=rp_retixux... line contains the permissions, 0660. This is the trouble spot. To find this in the actual d3 executable is pretty simple. (Note: there is probably a better way, but this worked for me).
First step is to disassemble the d3 executable into a file: dis /usr/bin/d3 > /tmp/d3.dis
This d3.dis file can now be examined. We know that we're looking for a function named rp_upditm, so just vi the file and search for it. For me, it looked something like this:
rp_upditm()
8054ed8: e9 79 03 00 00 jmp 0x379 <8055256>
8054edd: 90 nop
8054ede: c7 45 fc ff ff ff ff movl $0xffffffff,-4(%ebp)
8054ee5: 8b 45 08 movl 8(%ebp),%eax
8054ee8: 25 ff ff 00 00 andl $0xffff,%eax
8054eed: 48 decl %eax
8054eee: 89 45 f0 movl %eax,-16(%ebp)
. . .
Now, search for 1b0 (which is 0660 in hex). Voila, you found the code:
. . .
805504d: ff 48 08 decl 8(%eax)
8055050: 68 b0 01 00 00 pushl $0x1b0
8055055: 68 01 03 00 00 pushl $0x301
...
(NOTE: I showed the line before and after too)
The pushl $0x1b0 is the push of the 0660 onto the stack for the call to rp_retixux(). Now all we need to do is change the 0660 to 0777 (1b0 to 1ff). To do that, we need the offset. I could have probably figured it out using the address (0x8055050), but I decided just to search for it since I had the object code available. To do that, I did "od -x d3 > d3.od" to create a hex dump of the file, then I did a grep for "b068". Here's the output I got:
# grep "b068" d3.od
0025760 0000 b068 12c5 e808 71d4 000c 6859 c1f4
0043260 0812 b068 12cd ff08 6835 12c3 6a08 e800
0044360 b068 12ce 6808 dcec 0814 b9e8 0ba5 8300
0046100 b068 0003 ff00 7c35 12c3 a108 c850 0815
0056420 1de9 0001 9000 b068 0003 6a00 a105 c850
0056560 5900 016a 37e8 0cba 5900 b068 0003 ff00
0056720 b068 0003 a100 c850 0815 000d 0000 5080
0072260 31eb b068 04f4 6a08 e805 a22a 000c c483
0074600 0f6a 11e8 ffff 83ff 0cc4 b068 04f4 6808
0150120 b068 0001 6800 0301 0000 75ff e8f0 101e
0566300 cde8 0995 8300 10c4 c085 0b7d b068 1322
1127720 038b c085 0d74 b068 1552 e808 0a10 0000
1142660 c483 eb10 8325 00c7 b068 1559 0f08 07bf
1227600 ac15 1361 e808 1366 0000 b068 156b 6808
1363440 4875 94a3 1612 eb08 836d 00c7 b068 1579
1477540 c35d 9090 b068 13df e808 d526 ffff c483
1514440 47f8 088b f93b 847e b068 13e8 e808 bb62
3367300 b85f 0001 0000 e58b c35d 9090 b068 1526
Looking through you'll find the one we want is at 0150120. A couple of things to remember: this is a sco machine so the bytes are switched in words (16 bit). Also, you need the context of the object code around it (from the assembly listing) to distinguish the correct line. Also remember, the offset is in octal (0150120 = 0xd050). For awhile I thought it was decimal which threw me off a bit.
Now that you have the offset of the change and the change to make, you just need to make it. You could write a C program to do it, but I just found myself a hex editor and used it. I copied the d3 exec to my laptop and used frhed to modify it. Then I sent it back.
