CS183 Lab 4: Have Fun With Shared Library

DISCLAIMER: BY READING THIS FURTHER, YOU AGREE TO USE THE KNOWLEDGE PRESENTED HERE FOR GOOD CAUSES. WE, AS INDIVIDUALS AND THE AFFILIATED ORGANIZATIONS, ARE NOT LIABLE OR RESPONSIBLE FOR ANY DAMAGES OR LOSSES CAUSED BY THE MISUSE OF THE KNOWLEDGE PRESENTED ON THIS PAGE.

Goal: Assume you just got hired by a company, Macrohard Inc., to fill a Unix System Administrator position. The previous employee was fired recently because he/she recommended the use of closed-source and proprietary systems during the dot-com boom era. With most of the companies dot-gone nowadays, your company was left with a lot of unsupported software and systems. For better or worse, since you are taking my class, you are able (I'm crossing my fingers here :) to migrate most of the existing systems to open-source counterparts, except one: eon_only_tue (for Tue's lab) or eon_only_wed (for Wed's lab). From now on, unless explicitly stated, eon_only will be used to refer to either eon_only_tue or eon_only_wed, depending on which lab you are in.

eon_only, a piece of software that runs only on eon, is an internal core business application that generates most of the revenue for your company. Its main function is to display "You are promoted and WeeSan is so cool :)" (sorry, can't help it :) so that the business of your company can go on. On the other hand, if you run eon_only on other machines, such as orpheus or any lab machines, it displays "You are fired!" instead, which is really bad.

One stormy night, eon got hit hard and there was no way to bring it back up again. Your immediate challenge is to get eon_only up and running on another machine in 3 hours or you are fired. The problem is that the provider of eon_only disappeared a couple of months ago and your company does not have the source code for it. To make matters worse, the license of eon_only will expire at 2:30pm today.

So, your goal is to hack er... find a temporary workaround to resolve this crisis and save your company -- more importantly, your job -- before a long term solution is in place.

Details: eon_only is hard-coded to check the hostname and hostid of the machine on which it runs against a piece of internal data stored in the code, and it also checks the local time of the machine to determine whether it has expired. In the real world, instead of being told about the 3 protections mentioned above, with a little luck and hours of trial and error, you should be able to obtain that information by using the command 'strace' to trace your program and figure out what system calls/functions the program uses to implement the protections.

For the purpose of this lab, let's assume you have figured out that eon_only calls the following 3 functions from the C library to do the tricks: gethostname(), gethostid() and localtime().

Follow the steps below to save your job:
  1. Download eon_only_tue from here if you are in Tue's lab or eon_only_wed from here otherwise.
  2. Run eon_only (make it executable if necessary) on both eon and orpheus before 2:30pm to see the output from both. The first 3 lines represent the protection methods used by the software. The status of each protection is shown in front of each line: V means check or OK, whereas X means BAD. You should see 3 Vs from eon and at least 2 Xs from orpheus.
  3. Run 'ltrace eon_only' to see if gethostname(), gethostid() and localtime() get called as a way to verify what I stated above.
  4. Determine if eon_only is statically or dynamically linked by using the 'file' command.
  5. If it is statically linked, you cannot use this method. Pack your stuff and print lots of copies of your resume before leaving :)
  6. If it is dynamically linked, whew!
  7. Use the 'ldd' command to display the required shared libraries. Make sure it uses a version of the C library.
  8. Use the manpages to figure out the declarations of gethostname(), gethostid() and localtime().
  9. On orpheus, create a file called workaround.c with all 3 functions in there, each of which outputs (use printf()) something different.
  10. Create a shared library called libworkaround.so by doing the following:
    $ gcc -c -fPIC workaround.c
    $ gcc -shared -o libworkaround.so workaround.o
    
  11. Again, on orpheus, with Bash as your default login shell, run eon_only by doing the following:
    $ LD_PRELOAD=./libworkaround.so ./eon_only
    
    You should see the "something" from each function, which is a good sign. It means your workaround is in action.
  12. Now, for each function, figure out a way to return the "right" thing. For example, gethostname() is supposed to return the hostname of the computer. Try the command 'hostname' on eon to figure that out. Return that piece of information in your gethostname(). Recompile libworkaround.so and try to run eon_only again on orpheus. You should see that the first protection gets removed. The reason is that your shared library "cheated" eon_only by returning what it was looking for. Of course, LD_PRELOAD plays a very important role in this.
  13. Do the same thing for your gethostid() and return a reasonable time for your localtime().
  14. Rename eon_only to eon_only_nomore. Create a Bash script named eon_only which in turn calls eon_only_nomore with your libworkaround.so preloaded.
  15. Run your script to show it works.
  16. Have fun and good luck saving your job.
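
Seen from the administrator's side, the LD_PRELOAD setting from step 11 stays visible in the environment of the running process, so it can be audited. The script below is an added example, not part of the original lab: the function names, the list of system library directories and the sample environment (including /usr/lib/libexample.so) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of the lab): list LD_PRELOAD entries found in a
# /proc/<pid>/environ style file (NUL-separated VAR=value records).

# Print each LD_PRELOAD entry on its own line. ld.so accepts spaces and
# colons as list separators, so split on both.
preload_entries() {
    tr '\000' '\n' < "$1" |
        sed -n 's/^LD_PRELOAD=//p' |
        tr ' :' '\n\n' |
        sed '/^$/d'
}

# Label one entry. Only absolute paths under the system library
# directories count as "system"; relative paths, bare names, paths that
# climb out with ".." and anything else are "SUSPECT".
# The directory list is an assumption; adjust it to the distribution.
classify_entry() {
    case "$1" in
        */../*|*/..) echo "SUSPECT $1" ;;
        /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) echo "system $1" ;;
        *) echo "SUSPECT $1" ;;
    esac
}

# Audit one environ file: one labelled line per preloaded object.
audit_environ() {
    preload_entries "$1" | while IFS= read -r entry; do
        classify_entry "$entry"
    done
}

# Constructed sample: the environment step 11 would leave behind, plus
# one system library (hypothetical name) for contrast.
sample=$(mktemp)
printf 'PATH=/usr/bin\000LD_PRELOAD=./libworkaround.so:/usr/lib/libexample.so\000HOME=/home/student\000' > "$sample"
audit_environ "$sample"
rm -f "$sample"
```

On a live system, point audit_environ at /proc/<pid>/environ (root is needed for other users' processes) and also review /etc/ld.so.preload, which preloads into every dynamically linked program.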

Questions:

  1. Copy and paste (or create a stronger disclaimer) at the top of your report!!!
  2. Google and explain in your report regarding exactly what LD_PRELOAD does in this case.
  3. Research the following Unix commands, possibly with given command line options, briefly explain each of them using your own words (DO NOT CUT AND PASTE FROM THE MANPAGE) and give an example showing how each command works. For instance:
    NAME
    paste - merge files into a new file such that each column of the new file is the content of each file being merged.
    EXAMPLE
    $ seq 1 2 > a
    $ seq 1 3  > b
    $ paste a b
    1       1
    2       2
            3
    
    The Unix commands are as follows:

Scoring


Notes & Tips: