Questions tagged [elf]
The Executable and Linkable Format is the main executable and object format for Linux, Solaris, *BSD, and many other OSes...
254 questions
1 vote, 0 answers, 41 views
Is there a way to sync symbol labels in Ghidra Disassembler with its Decompiler?
I swear that in IDA Pro, when I renamed a stack var in the disassembler, that name would port over to the decompiled view, but this doesn't seem to occur in Ghidra. In fact, in Ghidra, when I try to ...
0 votes, 2 answers, 54 views
Where can I find obfuscated ELF binaries to practice reverse engineering techniques specifically for obfuscated binaries?
I’m trying to get better at reverse engineering obfuscated code (and malware in general) and I’m looking for already obfuscated binaries with increasing levels of difficulty. I’ve looked a bit on ...
0 votes, 2 answers, 81 views
reduce size of executable ELF program
I'm experimenting on patching my hello world program in order to make it smol.
I started by reducing the size of the program with the following commands:
as --32 ./hello_32.S -o ./hello_32.o
ld -...
1 vote, 1 answer, 78 views
Inject ELF with an entirely self-contained code section that can statically call standard library functions
What I want to do
What I want to do is inject an existing ELF binary with additional code that runs before the original .text section and then transfers control back to it.
What I can already do
Now, ...
1 vote, 1 answer, 105 views
Tips for reverse engineering Common Lisp (SBCL) ELF binary
I got to the task of reverse engineering the ELF binary. I found out that it is a compiled SBCL. I have no idea how to do static or dynamic analysis, any tips (where to start, I found basically ...
0 votes, 0 answers, 61 views
Improving the output of pseudocode C++ code from IDA Pro
I have some specific questions and some general ones about reverse-engineering a dynamic shared library via IDA Pro 8.3:
If I know the compiler used and compiler flags used (via readelf --debug-dump),...
0 votes, 0 answers, 47 views
Why is an empty binary larger than one with a variable?
On my own, self-learning R.E., starting with understanding ELF and hopefully what's going on with every byte.
I built 2 simple binaries: 1 with a variable and 1 without. For some reason, the one without ...
0 votes, 0 answers, 57 views
Attempting to auto reverse XOR
Does anyone know of any helpful tools or a way to automate decryption of XOR in IDA? I know that they have a built-in function to do some bare XOR encryption but this one seems a bit more ...
1 vote, 1 answer, 108 views
Where is IDA getting this symbol?
I'm currently researching how a certain malware works and patches some stuff in a certain Android library.
Inspecting the library, which is stripped, in IDA I was able to get the symbol for a ...
0 votes, 1 answer, 72 views
Updating legacy library in an already compiled binary
I'm dealing with a reverse engineering challenge involving a binary application that was statically compiled with a legacy library. While the legacy library is not vulnerable, it lacks certain ...
1 vote, 1 answer, 438 views
Adding a program header to ELF
I am a newbie in this, and I am trying to add a program header to a simple ELF64 "Hello World" program on Ubuntu, all by changing the binary data of the ELF.
I went to the end of the program ...
1 vote, 0 answers, 58 views
Default linker files and sections: Explain their origin/history and their purpose
I have a Linux Ubuntu (20.04) machine with gcc and clang installed. I figured out the directory containing the default linker script:
/usr/lib/x86_64-linux-gnu/ldscripts$ ls
elf32_x86_64.x ...
0 votes, 1 answer, 96 views
What ELF `e_flags` are defined for TI MSP430(X)
I have an MSP430 ELF executable file whose e_flags field is 0x0000000E. I cannot find any documentation for e_flags for this architecture. The application note "MSP430 Embedded Application Binary ...
0 votes, 1 answer, 101 views
ELF - Why does objdump provide a wrong byte value in the .got?
I seriously can't tell if I'm misunderstanding something grossly or if this is a bug in objdump. Newbie alert.
$ objdump -s --start-address=0x3fc0 --stop-address=0x3fc1 test
test: file format ...
1 vote, 2 answers, 592 views
Adding debug symbols with GDB
In CTFs when I'm given some ELF file, it usually wasn't compiled with the -g flag. Is there a way to somehow edit the file to make it be as if the ELF file was originally compiled with the -g flag?
...
3 votes, 1 answer, 421 views
What is the ELF .got section used for?
I'm trying to learn how GOT/PLT works in ELF binaries. The way I see it, there are three sections: .got, .plt and .got.plt.
When the program tries to call an imported function which is lazily bound, it ...
2 votes, 0 answers, 39 views
Please help with stripped binary reverse
Not so long ago I was engaged in reverse and pwn, I came across such a task
This is a normal task with a vulnerability on the heap, but it is stripped and I don’t understand which functions are where
I ...
1 vote, 0 answers, 94 views
Program Analysis on a Wargame Binary
I've recently taken it upon myself to research more about reverse engineering, I'm currently testing my intermediate skills on various CTF hosting sites. Interestingly enough I have come across a ...
2 votes, 0 answers, 166 views
Does anyone know how to reverse a Python file that is encoded into an ELF binary with the .cpython-310.so extension? Please help me out
Following is the link to the file that I want to reverse. This is the Python file that is encoded in CPython or Cython and it is now a binary file.
Please help me to decode it as it is very important ...
2 votes, 0 answers, 111 views
Merge HEX file into existing ELF file in Ghidra
I have an Infineon Tricore ELF file. I have a HEX file that has been patched with minor changes and new code appended (e.g. the hex from the ELF was exported and then had changes made to it manually ...
3 votes, 1 answer, 395 views
How can I verify section -> segment mapping for ELFs on Linux?
I'm looking at an ELF on Linux and I have readelf --segments ./myELF which shows:
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR ...
3 votes, 1 answer, 95 views
x64 buffer overflow - tcp shell payload
ASLR: off
Canary: on
I have a binary that, when run, spawns a zombie process on port 9191. I've been using Ghidra and gdb to reverse engineer this and have found the buffer, canary, found the pop rdi ...
1 vote, 0 answers, 92 views
determine the PC of code gadgets in PLT section of ELF file
I am trying to parse an ELF file using custom code. With reference to the image below (output displayed is from objdump), I need to get the address of code gadget starting at , for example 401030 for ...
1 vote, 0 answers, 2k views
How can I get the address of a function in memory?
I am currently completing a CTF exercise where I must attempt to overwrite a function pointer on the stack through a buffer overflow. Here is the code:
#include <err.h>
#include <stdio.h>
#...
1 vote, 0 answers, 173 views
Intercepting a PHP module with frida
I have a PHP module, and I'm trying to hook the functions of that module.
...
39: 0000000000024a60 1858 FUNC LOCAL DEFAULT 12 zim_ClassName_ClassName_exec
...
90: 0000000000028f10 8 ...
1 vote, 0 answers, 124 views
how to hide all export functions in an ELF .so library?
I have this game I want to patch, the game server executable loads an ELF .so library with functions. I want to add new functions into this library so I patched the game server executable with elfpatch ...
0 votes, 1 answer, 405 views
Reverse engineering ELF: The e_phentsize field in the ELF header is less than the size of an ELF program header
I have extracted the .so binary libTheArmKing.so (located in lib directory in apk file) from a hack of World War Heroes game (an Android game) from Plantimod Forum.
file output:
libTheArmKing.so: ELF ...
2 votes, 0 answers, 68 views
Wrong EP on an .elf CrackMe
I am trying to solve an ELF CrackMe. I opened it with IDA Pro and I saw the start function is at address 0x1E8. I opened the ELF with HxD and I saw the entry point is 0x1E9 (and no results in the file for 01E8)......
1 vote, 1 answer, 73 views
Patching a B(ranch) causes segfault in ARMv7 binary, while the same patch (with JMP) works on x64 binary
Any ideas why trying to patch an ARMv7 binary causes a segfault while basically the same patch on the Win64 version of the software works as expected?
Here is the Win64 version, that works
UPX0:...
6 votes, 1 answer, 3k views
What's the format of Mediatek MRE VXP file and how to create a workable VXP binary?
Background
Mediatek's MRE (MAUI Runtime Environment) is the default runtime on Nokia S30+ platform, replacing the J2ME platform on older Nokia. From MRE's page:
MRE (MAUI Runtime Environment) is a ...