I've heard that LD_PRELOAD doesn't work with wine, but after reading the man page for dlopen() it started working for me, although I'm not sure why. :) As a test, I'll use the simple password challenge from http://neworder.box.sk/newsread.php?newsid=13857 To make things more readable for my tired eyes, I'll use the C code "pythonizer" from http://thenerdshow.com/pysces.html Code: /* * pass.p.c password challenge */ #include <stdio.h> #include <string.h> int main int argc, char **argv char passwd[] = "wine" if argc < 2 printf "usage: %s <password>\n", argv[0] return 0 if !strcmp(passwd, argv[1]) printf "PASS\n" return 1 printf "FAIL\n" return 0 Code: #hijack.spec @ stdcall strcmp(str str) Code: /* * hijack.p.c ALL YOUR STRING ARE BELONG TO US! */ #include <stdio.h> #include <string.h> #include <limits.h> int strcmp const char *s1, const char *s2 /* The if statement suppresses a lot of output for this test */ /* Remove it and see how often Wine uses this function! */ if !strncmp(s1,"wine",5) printf "S1 = '%s'\n", s1 printf "S2 = '%s'\n", s2 return strncmp s1,s2,UINT_MAX Compiling for both Winelib and Linux (-m32 produces 32 bit binaries on 64 bit linux): Code: pycc gcc pass.p.c -o pass -m32 pycc gcc -fPIC -shared -m32 hijack.p.c -o hijack.so pycc winegcc pass.p.c -o pass -m32 pycc winegcc -fPIC -shared -m32 hijack.p.c -o hijack.dll.so hijack.spec And testing... Code: wine pass.exe.so usage: pass.exe.so <password> ./pass huh??? FAIL Notice that there is no difference between hijack.so and hijack.dll.so. Both behave like and are loaded like Linux shared objects because they are Linux shared objects! As far as ld is concerned, they are interchangeable! The only apparent difference is the "Winelib" shared object compiled with winegcc is 75K in size... So what's so special about the Winelib shared object? Somebody help me out here. I'm guessing it has extra code so wine can treat it like a regular windows DLL within the wine environment. Code: # Preloading Wine shared object with wine binary LD_PRELOAD=$(pwd)/hijack.dll.so wine pass.exe.so wrongpassword S1 = 'wine' S2 = 'wrongpassword' FAIL # Preloading Linux shared object works with wine binary! LD_PRELOAD=$(pwd)/hijack.so wine pass.exe.so wrongpassword S1 = 'wine' S2 = 'wrongpassword' FAIL Since we hijacked strcmp to tell us the password, we can now gain entry. Code: ./pass wine PASS
