All Questions Tagged with elf disassembly
30 questions
1 vote, 0 answers, 41 views
Is there a way to sync symbol labels in Ghidra Disassembler with its Decompiler?
I swear that in IDA Pro, when I renamed a stack var in the disassembler, that name would port over to the decompiled view, but this doesn't seem to occur in Ghidra. In fact, in Ghidra, when I try to ...
1 vote, 1 answer, 105 views
Tips for reverse engineering Common Lisp (SBCL) ELF binary
I got to the task of reverse engineering the ELF binary. I found out that it is a compiled SBCL. I have no idea how to do static or dynamic analysis, any tips (where to start, I found basically ...
2 votes, 0 answers, 39 views
Please help with stripped binary reverse
Not so long ago I was engaged in reverse and pwn, and I came across such a task.
This is a normal task with a vulnerability on the heap, but it is stripped and I don't understand which functions are where.
I ...
3 votes, 1 answer, 95 views
x64 buffer overflow - tcp shell payload
ASLR: off
Canary: on
I have a binary that, when run, spawns a zombie process on port 9191. I've been using Ghidra and gdb to reverse engineer this and have found the buffer, the canary, found the pop rdi ...
1 vote, 0 answers, 83 views
Normal artifact or something else?
I'm working on a Linux ELF challenge.
I have found this bit of code in the .text disassembly using objdump -d -M intel program
922: 83 c4 10 add esp,0x10
925: c7 45 f4 00 00 00 ...
3 votes, 1 answer, 285 views
Code caves in arm assembly
In a disassembled ELF binary I found these ARM Thumb instructions:
function0
0x002cc3a8 8079 ldrb r0, [r0, #6]
0x002cc3aa 7047 bx lr
In the codecave these were the initial hex ...
13 votes, 1 answer, 3k views
Extracting strings from Go binaries
Is there an easy way to extract all of the strings from Go binaries that will work cross architecture?
The problem with Go is that strings are stored without a null terminator, so you can't use the &...
3 votes, 1 answer, 257 views
What is actually loaded here, and different hexdump outputs on util-linux hexdump and on Cutter's and Ghidra's hexdump
I was trying to understand what segment of the file gets loaded by the fourth LOAD header in the phdr array.
The first 6 headers are shown below, from readelf:
Program Headers:
Type Offset ...
3 votes, 1 answer, 451 views
ELF x86 - Why is return address pushed twice?
I am reversing an x86 ELF, and I would like to understand why the return address is pushed onto the stack again. It should already be present there.
main:
lea ecx, [esp+0x4 {argc}]
and esp, 0xfffffff0
...
4 votes, 2 answers, 4k views
Edit an .so file
I have an .so file here that contains a language pack, and I want to edit it. My problem is that I don't always have enough space for a clean translation.
I know that I can change the texts if they ...
1 vote, 2 answers, 6k views
Can't find the password anywhere in the binary
This is my first post here. I was recently involved in a capture the flag preparation test which involved decompiling an ELF 32-bit LSB executable, Intel 80386 file for Linux compiled with GCC. The ...
1 vote, 1 answer, 2k views
Radare2 - Insert asm instructions without overwriting
In order to patch an x86 ELF file on Linux, I'm struggling to insert a specific assembler instruction into the binary file without overwriting any of the preexisting instructions.
I've been reading ...
3 votes, 1 answer, 756 views
Radare2 create section
Radare2 has S* commands that can show, delete, and modify sections. Is it possible to create a new section in an executable file and save it?
2 votes, 1 answer, 3k views
Disassemblers resolving (ELF) section names
I'm working with Linux executables and was just wondering how it is that section names are resolved to addresses upon disassembly of an ELF.
For example take some random disassembly output from ...
0 votes, 1 answer, 949 views
ARM ELF Obfuscation [closed]
Metamorphism is a technique to obfuscate a binary by changing the opcode sequence and creating new samples with the same functionality. In my case, I have some ELF binaries of the ARM processor type and their ...