
Questions tagged [elf]

The Executable and Linkable Format is the main executable and object format for Linux, Solaris, *BSD, and many other OSes...

1 vote
0 answers
41 views

Is there a way to sync symbol labels in Ghidra Disassembler with its Decompiler?

I swear that in IDA Pro, when I renamed a stack var in the disassembler, that name would port over to the decompiled view, but this doesn't seem to occur in Ghidra. In fact, in Ghidra, when I try to ...
the_endian • 1,880
0 votes
2 answers
54 views

Where can I find obfuscated ELF binaries to practice reverse engineering techniques specifically for obfuscated binaries?

I’m trying to get better at reverse engineering obfuscated code (and malware in general) and I’m looking for already obfuscated binaries with increasing levels of difficulty. I’ve looked a bit on ...
tallestllama
0 votes
2 answers
81 views

reduce size of executable ELF program

I'm experimenting on patching my hello world program in order to make it smol. I started by reducing the size of the program with the following commands: as --32 ./hello_32.S -o ./hello_32.o ld -...
Yuki San
1 vote
1 answer
78 views

Inject ELF with an entirely self-contained code section that can statically call standard library functions

What I want to do What I want to do is inject an existing ELF binary with additional code that runs before the original .text section and then transfers control back to it. What I can already do Now, ...
PaperTsar • 111
1 vote
1 answer
105 views

Tips for reverse engineering Common Lisp (SBCL) ELF binary

I got to the task of reverse engineering the ELF binary. I found out that it is a compiled SBCL. I have no idea how to do static or dynamic analysis, any tips (where to start, I found basically ...
Grandmaster
0 votes
0 answers
61 views

Improving the output of pseudocode C++ code from IDA Pro

I have some specific questions and some general ones about reverse-engineering a dynamic shared library via IDA Pro 8.3: If I know the compiler used and compiler flags used (via readelf --debug-dump),...
HCSF • 143
0 votes
0 answers
47 views

Why is an empty binary larger than one with a variable?

On my own self-learning R.E. Starting with understanding ELF and hopefully what's going on with every byte. I build 2 simple binaries: 1 with a variable and 1 without. For some reason, the one without ...
EraserPencil
0 votes
0 answers
57 views

Attempting to auto reverse XOR

Does anyone know of any helpful tools or a way to automate decryption of XOR in IDA? I know that they have a built in function to do some bare XOR encryption but this one seems a bit more ...
Babyhamsta
1 vote
1 answer
108 views

Where is IDA getting this symbol?

I'm currently researching how a certain malware works and patches some stuff in a certain Android's library. Inspecting the library (which is stripped) in IDA I was able to get the symbol for a ...
Arget • 13
0 votes
1 answer
72 views

Updating legacy library in an already compiled binary

I'm dealing with a reverse engineering challenge involving a binary application that was statically compiled with a legacy library. While the legacy library is not vulnerable, it lacks certain ...
st0l4s • 3
1 vote
1 answer
438 views

Adding a program header to ELF

I am a newbie in this, and I am trying to add a program header to a simple ELF64 "Hello World" program on Ubuntu. All in changing the binary data of the ELF. I went to the end of the program ...
Roy Avidan
1 vote
0 answers
58 views

Default linker files and sections: Explain their origin/history and their purpose

I have a Linux Ubuntu(20.04) machine with gcc and clang installed. I figured out the directory containing the default linker script: /usr/lib/x86_64-linux-gnu/ldscripts$ ls elf32_x86_64.x ...
Self • 11
0 votes
1 answer
96 views

What ELF `e_flags` are defined for TI MSP430(X)

I have an MSP430 ELF executable file whose e_flags field is 0x0000000E. I cannot find any documentation for e_flags for this architecture. The application note "MSP430 Embedded Application Binary ...
John Källén
0 votes
1 answer
101 views

ELF - Why does objdump provide a wrong byte value in the .got?

I seriously can't tell if I'm misunderstanding something grossly or if this is a bug in objdump. Newbie alert. $ objdump -s --start-address=0x3fc0 --stop-address=0x3fc1 test test: file format ...
chilliefiber
1 vote
2 answers
592 views

Adding debug symbols with GDB

In CTFs when I'm given some ELF file, it usually wasn't compiled with the -g flag. Is there a way to somehow edit the file to make it be as if the ELF file was originally compiled with the -g flag? ...
PurpleHacker
3 votes
1 answer
421 views

What is the ELF .got section used for?

I'm trying to learn how GOT/PLT works in ELF binaries. The way I see it, there are three sections: .got, .plt and .got.plt. When the program tries to call an imported function which is lazily bound, it ...
synack • 31
2 votes
0 answers
39 views

Please help with stripped binary reverse

Not so long ago I was engaged in reverse and pwn, and I came across such a task. This is a normal task with a vulnerability on the heap, but it is stripped and I don't understand where which functions are. I ...
K05t1K_RWX
1 vote
0 answers
94 views

Program Analysis on a Wargame Binary

I've recently taken it upon myself to research more about reverse engineering; I'm currently testing my intermediate skills on various CTF hosting sites. Interestingly enough I have come across a ...
Gregory • 11
2 votes
0 answers
166 views

Does anyone know how to reverse a Python file that is encoded into an ELF binary with .cpython-310.so extension? Please help me out

Following is the link to the file that I want to reverse. This is the Python file that is encoded in CPython or Cython and it is now a binary file. Please help me to decode it as it is very important ...
Jameel Safdar
2 votes
0 answers
111 views

Merge HEX file into existing ELF file in ghidra

I have an Infineon Tricore ELF file. I have a HEX file that has been patched with minor changes and new code appended (e.g. the hex from the ELF was exported and then had changes made to it manually ...
rollsch • 263
3 votes
1 answer
395 views

How can I verify section -> segment mapping for ELFs on linux?

I'm looking at an ELF on Linux and I have readelf --segments ./myELF which shows: Program Headers: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align PHDR ...
the_endian • 1,880
3 votes
1 answer
95 views

x64 buffer overflow - tcp shell payload

ASLR: off Canary: on I have a binary that when run, spawns a zombie process on port 9191. I've been using ghidra and gdb to reverse engineer this and have found the buffer, canary, found the pop rdi ...
Coop • 31
1 vote
0 answers
92 views

determine the PC of code gadgets in PLT section of ELF file

I am trying to parse an ELF file using custom code. With reference to the image below (output displayed is from objdump), I need to get the address of code gadget starting at , for example 401030 for ...
Mahwish • 11
1 vote
0 answers
2k views

How can I get the address of a function in memory?

I am currently completing a CTF exercise where I must attempt to overwrite a function pointer on the stack through a buffer overflow. Here is the code: #include <err.h> #include <stdio.h> #...
professional pro
1 vote
0 answers
173 views

Intercepting a PHP module with frida

I have a PHP module, and I'm trying to hook the functions of that module. ... 39: 0000000000024a60 1858 FUNC LOCAL DEFAULT 12 zim_ClassName_ClassName_exec ... 90: 0000000000028f10 8 ...
Cagri • 176
1 vote
0 answers
124 views

How to hide all exported functions in an ELF .so library?

I have this game I want to patch; the game server executable loads an ELF .so library with functions. I want to add new functions into this library, so I patched the game server executable with elfpatch ...
Alvaro Hernandorena
0 votes
1 answer
405 views

Reverse engineering ELF: The e_phentsize field in the ELF header is less than the size of an ELF program header

I have extracted the .so binary libTheArmKing.so (located in lib directory in apk file) from a hack of World War Heroes game (an Android game) from Plantimod Forum. file output: libTheArmKing.so: ELF ...
raspiduino
2 votes
0 answers
68 views

Wrong EP on an .elf CrackMe

I am trying to solve an elf CrackMe. I opened it with IDA Pro and I saw start function is on address 0x1E8. I opened the elf with HxD and I saw entry point is 0x1E9 (and no results on file for 01E8)......
pericopo10
1 vote
1 answer
73 views

Patching a B(ranch) causes segfault in ARMv7 binary, while the same patch (with JMP) works on x64 binary

Any ideas why trying to patch an ARMv7 binary causes a segfault while basically the same patch on the Win64 version of the software works as expected? Here is the Win64 version, that works UPX0:...
captmicr0
6 votes
1 answer
3k views

What's the format of Mediatek MRE VXP file and how to create a workable VXP binary?

Background Mediatek's MRE (MAUI Runtime Environment) is the default runtime on Nokia S30+ platform, replacing the J2ME platform on older Nokia. From MRE's page: MRE (MAUI Runtime Environment) is a ...
raspiduino
0 votes
0 answers
734 views

Basic buffer-overflow on a remote program with Python/pwntools

I work on an online program in which I should do a buffer overflow. When I run the program, I have to complete a sum of two numbers generated randomly): >>> 451389913 + 1587598959 = If I put ...
Julien • 101
1 vote
0 answers
83 views

Normal artifact or something else?

I'm working on a Linux ELF challenge. I have found this bit of code in the .text disassembly using objdump -d -M intel program 922: 83 c4 10 add esp,0x10 925: c7 45 f4 00 00 00 ...
Mr. Kelsey
1 vote
1 answer
611 views

IDA cannot open .a files of ESP32 (Xtensa)

I tried to open this file with IDA Pro https://github.com/espressif/esp32-wifi-lib/blob/master/esp32/libpp.a IDA detects that it is ELF for Xtensa (relocatable) But when I tried to open it I got Undefined ...
Kokomelom • 281
0 votes
2 answers
508 views

Reversing an obfuscation through a long linear switch statement

I have a program (ELF, 32 bits) that is probably quite short and simple, but which has been obfuscated with the following construction: i = 0 switch(i): case 0: one small instruction ...
Katoptriss
1 vote
1 answer
617 views

Figure out method name with _dl_runtime_resolve_xsavec

I have a packed Linux shared library that decrypts function stub with INIT_ARRAY. When it's decrypted I'm unable to determine the method name. All method calls are redirected with relocation table. ...
daisy • 123
1 vote
0 answers
180 views

silvio packer for shared library leads to error: "ELF load command address/offset not properly aligned"

I'm trying to implement a packer based on silvio infection. The packer works fine for ET_EXEC. However, it failed with "ELF load command address/offset not properly aligned" error for the ...
prgbenz • 81
1 vote
0 answers
72 views

failed to trigger packer's loader by overwriting the entry of rela.dyn on aarch64

I have implemented packer of x86_64 shared library. Briefly, a loader is injected to a shared library, and the rela.dyn entry is modified such that it points to the address of the loader. Once the ...
prgbenz • 81
3 votes
1 answer
285 views

Code caves in arm assembly

In a disassembled ELF binary I found these ARM Thumb instructions: function0 0x002cc3a8 8079 ldrb r0, [r0, #6] 0x002cc3aa 7047 bx lr In the code cave these were the initial hex ...
Silent • 164
2 votes
0 answers
185 views

How do relocations work for imported functions in SH4 ELF?

I build very simple hello world code with sh4 gcc compiler as shared library: #include <stdio.h> void hello() { printf("Hello world!\n"); } But when I load .so file into the ...
Anton Kukoba • 1,850
0 votes
1 answer
2k views

Running ELF file built for ARM architecture

My goal is to run and debug an ELF file (c444) which is compiled for the ARM architecture. I have some experience with x32 and x64 Intel architectures. However, I don't know how to proceed with ARM-based ...
Austris
0 votes
1 answer
486 views

What does this function do?

I'm trying to understand what the client sends to the server. I already did most of the work, but one function is left. I can't understand what to do with this function and what it does. I've tried to change ...
Sergey • 1
5 votes
2 answers
8k views

How to decompile external functions of *.so library in ELF with Ghidra?

There are some *.so libraries in my ELF file. I can see the *.so names in "Imports" directory of "Symbol Tree" Window in Ghidra tool. I think there are some external functions in ...
three2zero
2 votes
1 answer
2k views

How can I find an external function code correctly in Ghidra and Radare2?

This is the code to call an external function (get_random_name) in the main function: push {fp, lr} add fp, sp, 4 sub sp, sp, 0x1d8 str r0, [fp, -0x1d8] str r1, [fp, -0x1dc] sub r3, fp, 0x44 ...
three2zero
2 votes
2 answers
1k views

How to reverse engineer an ARM architecture ELF file on AMD Linux?

I am reversing an ELF file; it's an ARM architecture file. But my OS is AMD Linux. How can I do reversing work for the ARM ELF file on AMD Linux?
three2zero
1 vote
2 answers
2k views

Is it possible to reverse CGI binary file?

I want to reverse a CGI binary file. Is it possible? What are the recommended tools and guides? Thank you for reading my question. $ file test.cgi status.cgi: ELF 32-bit LSB executable, ARM, EABI5 ...
three2zero
2 votes
1 answer
4k views

How to disable RELRO while compiling?

My doubt is how to compile the binary without RELRO? and why it is enabling FULL-RELRO when we are not providing any flags? This is the code. #include <stdio.h> #include <stdlib.h> int ...
neeraj • 33
3 votes
3 answers
5k views

startup program exits with code 126 when executing program at entrypoint

I want to reverse engineer a program. I managed to find the entry point but every time I want to launch the application I get the same error `During startup program exited with code 126`. Here is what ...
Revolucion for Monica
2 votes
0 answers
672 views

Tool/parser for symbol tables produced with objdump -t to be used with IDA / Ghidra?

Working with a binary (arm64) file that seems to be some sort of a broken ELF file. The header data is missing and for some reason it contains a symbol table in a format that to me seems to be equal to ...
blubbafett
2 votes
1 answer
620 views

Can't modify string in radare2 (.rodata section)

I was following the response to this question to change the string of an elf executable. No matter how many times I try, I just can't modify the string. I notice that probably the issue lies in the ...
Rafael • 153
1 vote
1 answer
168 views

Is an ELF SHT_RELA section with a 0 `sh_link` valid?

I have a 64-bit s390x ELF binary with a RELA section named ".rela.plt" whose sh_link field is 0. I was under the impression that the sh_link is a required value, providing the id of the ...
John Källén
