All Questions
45
questions
0
votes
0
answers
61
views
Improving the output of pseudocode C++ code from IDA Pro
I have some specific questions and some general ones about reverse-engineering a dynamic shared library via IDA Pro 8.3:
If I know the compiler used and compiler flags used (via readelf --debug-dump),...
- 143
0
votes
1
answer
72
views
Updating legacy library in an already compiled binary
I'm dealing with a reverse engineering challenge involving a binary application that was statically compiled with a legacy library. While the legacy library is not vulnerable, it lacks certain ...
- 3
1
vote
1
answer
438
views
Adding a program header to ELF
I am a newbie in this, and I am trying to add a program header to a simple ELF64 "Hello World" program on Ubuntu. All in changing the binary data of the ELF.
I went to the end of the program ...
- 111
1
vote
2
answers
592
views
Adding debug symbols with GDB
In CTFs when I'm given some ELF file, it usually wasn't compiled with the -g flag. Is there a way to to somehow edit the file to make it be as if the ELF file was originally compiled with the -g flag?
...
- 141
3
votes
1
answer
395
views
How can I verify section -> segment mapping for ELFs on linux?
I'm looking at at ELF on linux and I have readelf --segments ./myELF which shows:
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR ...
- 1,880
1
vote
1
answer
73
views
Patching a B(ranch) causes segfault in ARMv7 binary, while the same patch (with JMP) works on x64 binary
Any ideas why trying to patch a ARMv7 binary causes a segfault while basically the same patch on the Win64 version of the software works as expected?
Here is the Win64 version, that works
UPX0:...
- 11
0
votes
1
answer
2k
views
Running ELF file built for ARM arhitecture
My goal is to run and debug ELF file (c444) which is compiled for the ARM architecture. I have some experience with x32 and x64 Intel architectures. However, I down know how to proceed with ARM-based ...
- 1
1
vote
1
answer
157
views
How to split bytes into instructions in binary ELF file for x86
I'm working on a static code injector for ELF files. I need to "steal" some bytes in order to write jump to my code on their place and then execute stolen instructions somewhere in the ...
0
votes
1
answer
307
views
Call libc functions from the payload statically injected into ELF binary
I am working on ELF-injector, which given some payload (currently it's an assembly file with .text section only) will inject it into ELF binary. I had related post here.
Now I would like to make it ...
3
votes
1
answer
2k
views
ELF binary injection
I am currently working on an ELF-injector and my approach is standard: find code cave (long enough sequence of 0's), rewrite it with the instructions I want to execute and then jump back to the start ...
2
votes
0
answers
408
views
Shellcode execution segfault
I have been trying to exploit simple buffer overflow caused by scanf. I'm working on x86 Linux. The point is to spawn a shell. I sucesfully overwritten return address and jumped into my shellcode. But ...
- 21
4
votes
1
answer
770
views
IAT vs GOT address resolving: which of them resolve during runtime and which during load time by default?
So based on my knowledge on windows apps, as far as i know the IAT gets filled with correct addresses when the library gets loaded (correct me if I'm wrong)
now in linux, they use GOT, and again ...
- 518
3
votes
1
answer
257
views
What is actually loaded here and different hexdump outputs on util-linux hexdump and on cutter and ghidra's hexdump
I was trying to understand what segment of file gets loaded by fourth LOAD header on phdr array.
First 6 headers are shown below from readelf
Program Headers:
Type Offset ...
- 133
6
votes
1
answer
5k
views
Why have two symbols tables?
Why have two symbol tables if .symtab already contains everything that's in .dynsym ?
- 85
1
vote
1
answer
2k
views
Changing entry-point of and ELF file
I'm trying to conduct a little experiment which basically consists of changing the EP of an ELF file and executing an exit(9) syscall, without returning to the OEP. As shown in the image everything ...
- 427
2
votes
1
answer
171
views
Process Immediately Killed
I'm trying to reverse an ARM executable. It's for an embedded system, but I don't have any details about the normally targeted environment.
Here's what file shows: ELF 32-bit LSB executable, ARM, ...
- 141
2
votes
1
answer
3k
views
Disassemblers resolving (ELF) section names
I'm working with linux executables and was just wondering how it is that section names are resolved to addresses upon disassembly of an ELF.
For example take some random disassembly output from ...
1
vote
0
answers
2k
views
My core dump's backtrace stops to a signal handler, what can I do?
I obtained an ELF core dump that was provoked by fuzzing a proprietary server. As I do not have access anymore to the machine that hosted this server, and the server is part of a tightly coupled set ...
1
vote
1
answer
10k
views
Reverse engineering a golang binary file
I compiled docker by myself with some modifications. I would like to perform some static analysis to the binary. Mostly to see which parts of the code take more memory, etc. It's on linux (elf). Any ...
- 677
1
vote
2
answers
2k
views
IDA Pro - Applying function signatures
I have three files:
ELF executable,
ELF dynamically linked library (.so),
C headers file (.h) with function signatures and related structures for that library.
#1 imports a number of functions from #...
- 111
3
votes
1
answer
5k
views
IDA Pro debugging: follow child process
I'm reverse engineering a malware that creates a number of child processes and I'm trying to do dynamic analysis of the ELF binary with IDA Pro and IDA's Local Linux Debugger, but I can't get IDA to ...
- 31
4
votes
1
answer
3k
views
Is there a way to debug an elf file that runs with no problems with damaged header?
My question is general, but to have an example to work with, let us take one from Whirlwind Tutorial.
; tiny.asm
BITS 32
org 0x00010000
db 0x7F, "ELF" ; ...
- 141
2
votes
2
answers
5k
views
Changing Entrypoint in ELF executable
I wrote some code that does the following:
Searches for and finds an offset in a binary file to add code (looks for a sequence of 00s I can overwrite).
Then, I change the entrypoint of the ELF to ...
- 29
6
votes
1
answer
5k
views
Why are symbols with local binding present in the symbol table of my ELF files?
I found out that there are symbols with binding=LOCAL and visibility=HIDDEN in the symbol table (.symtab) of ELF executables/libraries. What are they needed for? They are not involved in the ...
- 61
6
votes
3
answers
9k
views
How to SUCCESSFULLY add a code section to an executable file in Linux?
I am in Linux, and I have seen this question a few times but never, nobody answered how to really make this work.
I need to add a section to an already compiled binary. Lets say for a moment is an ...
- 243
2
votes
0
answers
467
views
Using __kernel_vsyscall on x64 linux machine [closed]
I am trying to use __kernel_vsyscall instead of syscall/int 80 on linux x64.
I have read that it can be done on Intel chips (I have one), but i can't find how can one do it. I have x32 version:
int ...
- 43
1
vote
1
answer
414
views
Is it possible to rebuild an nexe file if I can read at arbitrary untrusted memory addresses?
Ok, I’m in a remote situation where I don’t have access to the remote filesystem but where I can run arbitrary python code (except I can’t fork processes and I don’t have access to ulimit and uname).
...
- 143
0
votes
2
answers
4k
views
Recognize the library functions of statically linked executable file in IDA Pro
Recently I worked on a Linux program which has all of its symbols stripped. Opening it with IDA resulted in none of its functions identified.
Thus I tried to extract any usable information from the ...
- 3
2
votes
2
answers
2k
views
How to locate module_init() offset from ELF header of Linux kernel module?
The header is self explanatory but to explain myself better.
I have an ELF binary - loadable kernel module, compiled with symbols.
I want to know how to locate the offset of the module_init() function....
1
vote
1
answer
5k
views
Unable to view stack and memory addresses in IDA Pro [duplicate]
I am debugging a 32-bit ELF executable using remote GDB debugging option of IDA Pro. However, I am unable to view the contents of stack in the stack view. Also, the stack pointer value is: 0xFFFFD328
...
- 765