ARTEAM EZINE ISSUE IV
2.7.1 THE SYMBOL TABLE

When the final program is built, references among objects are managed through so-called symbolic references. The linker, or the system linker/loader, resolves these symbols and patches the parts of the code that refer to them so that they point to the actual locations. Symbols are structures that contain the names of objects (encoded as indexes into a table of character strings) and the symbol values. Each symbol may be local, global or weak. Local symbols are visible only within a single object, while global ones are accessible to other objects as well. Weak symbols are treated as global until a global symbol with the same name is encountered. A statically linked binary contains the .symtab symbol table, whereas a dynamically linked binary contains two tables: .symtab and .dynsym. The .dynsym table holds only those symbolic references which are needed for dynamic linking. In a statically linked binary all references are already resolved, so the symbol table is no longer required and can be removed. The removal is accomplished by stripping the ELF file (with the strip command). It is a simple method of making the analysis of a binary more difficult.
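To make the above concrete, here is an added example (not code from the article or from radare): a small ELF32 symbol-table walker applied to a constructed minimal image that mimics a dynamically linked binary before and after strip, showing which table survives and how the LOCAL/GLOBAL/WEAK binding is read from st_info. Section layout and symbol names (main, helper, printf, __gmon_start__) are made up for the sample; strip removes .symtab but has to leave .dynsym in place because the dynamic loader still needs it.

```python
import struct

SHT_SYMTAB, SHT_DYNSYM, SHT_STRTAB = 2, 11, 3   # sh_type values
BIND = {0: "LOCAL", 1: "GLOBAL", 2: "WEAK"}       # top nibble of st_info

def cstr(table, off):
    """Read one NUL-terminated name out of a string-table section."""
    return table[off:table.index(b"\0", off)].decode()

def symbol_tables(elf):
    """Map section name -> [(symbol, binding, value)] for each SHT_SYMTAB/SHT_DYNSYM (ELF32 LE)."""
    e_shoff = struct.unpack_from("<I", elf, 32)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 46)
    shdrs = [struct.unpack_from("<10I", elf, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    def section(i):                                  # raw bytes of section i
        return elf[shdrs[i][4]:shdrs[i][4] + shdrs[i][5]]
    shstr, tables = section(e_shstrndx), {}
    for sh in shdrs:                                 # (name, type, ..., offset, size, link, ...)
        if sh[1] not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        strtab, syms = section(sh[6]), []            # sh_link points at its string table
        for i in range(sh[5] // 16):                 # Elf32_Sym is 16 bytes
            st_name, st_value, _, st_info = struct.unpack_from("<IIIB", elf, sh[4] + i * 16)
            syms.append((cstr(strtab, st_name), BIND.get(st_info >> 4, "?"), st_value))
        tables[cstr(shstr, sh[0])] = syms
    return tables

def build_sample_elf(stripped):
    """Constructed sample, not compiler output: minimal ELF32 with .dynsym and,
    unless 'stripped', .symtab, i.e. a dynamic binary before/after strip."""
    strtab = b"\0main\0printf\0helper\0__gmon_start__\0"
    def sym(name, value, bind):                      # one Elf32_Sym entry
        off = strtab.index(b"\0" + name) + 1 if name else 0
        return struct.pack("<IIIBBH", off, value, 0, bind << 4, 0, 1)
    dynsym = sym(b"", 0, 0) + sym(b"printf", 0, 1) + sym(b"__gmon_start__", 0, 2)
    symtab = dynsym + sym(b"helper", 0x3A0, 0) + sym(b"main", 0x3C4, 1)
    secs = [(b".shstrtab", SHT_STRTAB, b"", 0), (b".strtab", SHT_STRTAB, strtab, 0),
            (b".dynsym", SHT_DYNSYM, dynsym, 2)]     # link 2 = .strtab
    if not stripped:
        secs.append((b".symtab", SHT_SYMTAB, symtab, 2))
    shstrtab = b"\0" + b"\0".join(n for n, *_ in secs) + b"\0"
    secs[0] = (b".shstrtab", SHT_STRTAB, shstrtab, 0)
    body, shdrs, off = b"", [b"\0" * 40], 52         # entry 0 is the SHT_NULL header
    for name, typ, data, link in secs:
        shdrs.append(struct.pack("<10I", shstrtab.index(b"\0" + name) + 1, typ, 0, 0, off,
                                 len(data), link, 0, 1, 0 if typ == SHT_STRTAB else 16))
        body, off = body + data, off + len(data)
    ehdr = b"\x7fELF\x01\x01\x01" + b"\0" * 9 + struct.pack(   # EXEC, i386, shdrs at 'off'
        "<HHIIIIIHHHHHH", 2, 3, 1, 0, 0, off, 0, 52, 0, 0, 40, len(shdrs), 1)
    return ehdr + body + b"".join(shdrs)
```

Running symbol_tables() over a real binary's bytes works the same way, which is a quick way to check whether a sample you are looking at was stripped.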
REVERSING THE PROGRAM
Now, let’s get our hands dirty by reverse engineering the program. This time round I shall use radare to assist us, but you can use the ht editor or other tools too.
Issuing the following command will give us something like Listing 1.

[root@home Desktop]# radare crkme1-linux32
open ro crkme1-linux32
Message of the day:
I like to suck nibbles and make hex
Automagically flagging crkme1-linux32
15 symbols added.
17 strings added.
0 syscalls added.
[0x00000000]> s sym_main
[0x000003C4]> pD
0x000003C4, sym_main:  55                push ebp
0x000003C5   89e5              ebp = esp
0x000003C7   83ec18            esp -= 0x18                  ; 24 ' '
0x000003CA   83e4f0            esp &= 0xf0                  ; 240 ' '
0x000003CD   b800000000        eax = 0x0
0x000003D2   29c4              esp -= eax
0x000003D4   c745fcf4860408    dword [ebp-0x4] = 0x80486f4
0x000003DB   c745f800870408    dword [ebp-0x8] = 0x8048700
0x000003E2   c745f000000000    dword [ebp-0x10] = 0x0
0x000003E9   c745f400000000    dword [ebp-0xc] = 0x0
0x000003F0   837d0801          cmp dword [ebp+0x8], 0x1
0x000003F4   0f8ec3010000    ^ jle dword 0x5BD 1 = sym_main+0x1f9
0x000003FA   8b450c            eax = [ebp+0xc]
Handy Primer on Linux Reversing by Gunther