---
description: 10/27/2023
cover:
coverY: 22
---

Compiling, Assembling, Linking, Loading, Dumping Memory, Delinking, Disassemble, and more

A Binary's Lifecycle

Reverse engineering involves three main steps:

  1. Gather information (enumeration): strings, nm, ldd, & /proc
  2. Determine program behavior: ltrace & strace
  3. Intercept library calls: LD_PRELOAD & LD_LIBRARY_PATH

Always draft out pseudocode for forward and reverse engineering to better "paint the picture".

Compiling C to ASM

Take C source code and convert it to ASM source.

{% code overflow="wrap" %}
```bash
gcc -S -masm=intel -fno-stack-protector -fno-pie -fcf-protection=none -fno-asynchronous-unwind-tables <binary.c> -o <assembly-code.s>
```
{% endcode %}

Upon running `file` on the .s file, we will see that the file signature is "assembler source".

Assembly to Object

Convert ASM source code to an object.

```bash
gcc -c <asm_code.s> -o <object_file.o>
```

We can run `hexdump -C` on this file to obtain a canonical hex + ASCII dump of the object file; the bytes are shown in on-disk order, so the multi-byte fields of this x86-64 object read as Little-Endian.

We can also obtain the disassembly of the object file with `objdump -d <object_file.o>`, or restrict it to a single function with `--disassemble=<symbol>`:

```bash
objdump -M intel --disassemble=main <object_file.o>
```

This will allow us to view the disassembly of main() in Intel syntax.

Linking an Object to an Executable

Link an object file to an executable.

```bash
gcc <object_file.o> -nostartfiles -o <executable.exe>
```

With `-nostartfiles` the C runtime's crt objects (and with them the usual `_start`) are left out, so the object must supply its own entry point; otherwise ld warns that it cannot find `_start` and falls back to a default entry address.

Running `file` will show our executable is an ELF binary.

View the disassembly:

```bash
objdump -M intel --disassemble=main <executable.exe>
```

We can now see a .plt section in the disassembly, since the executable has been dynamically linked against libc!

Loading an Executable to Process

We can automate gdb with a command file (`gdb -x <commands.txt>`) and create a process memory dump as a .core file with gdb's `gcore` (`generate-core-file`) command.

`file` will identify the dump as an ELF core file.
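The `file` checks at each stage above (the assembler source aside) come down to reading the `e_type` field of the ELF header. As an added example that is not part of the original page, the following Python does that by hand on constructed headers (`make_elf64_header` and `SAMPLES` are assumptions standing in for real `gcc -c`, `gcc`, and `gcore` output), so you can see what separates a `.o`, a linked executable, and a core dump.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# e_type values from the ELF spec, mapped to the lifecycle stage that produces them
E_TYPES = {
    1: "relocatable object (gcc -c)",
    2: "executable at a fixed address (gcc -no-pie)",
    3: "shared object or PIE executable (default gcc link on most distros)",
    4: "core file (gdb gcore / kernel core dump)",
}


def classify_elf(data: bytes) -> dict:
    """Return what `file` reports for an ELF image: class, byte order, e_type, header counts."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS or EI_DATA")
    bits = 32 if ei_class == 1 else 64
    fmt = "<" if ei_data == 1 else ">"  # EI_DATA fixes the byte order of every later field
    e_type = struct.unpack(fmt + "H", data[16:18])[0]
    # e_phnum, e_shentsize, e_shnum sit at offset 44 in an ELF32 header and 56 in ELF64
    off = 44 if bits == 32 else 56
    if len(data) < off + 6:
        raise ValueError("truncated ELF header")
    e_phnum, _, e_shnum = struct.unpack(fmt + "HHH", data[off:off + 6])
    return {
        "bits": bits,
        "endian": "little" if ei_data == 1 else "big",
        "e_type": e_type,
        "stage": E_TYPES.get(e_type, f"unknown({e_type})"),
        "phnum": e_phnum,  # program headers: 0 in a .o, present in executables and cores
        "shnum": e_shnum,  # section headers: present in a .o/executable, usually 0 in a core
    }


def make_elf64_header(e_type: int, phnum: int, shnum: int) -> bytes:
    """Constructed sample: a bare 64-byte x86-64 little-endian ELF header with no contents."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, version 1, SYSV ABI
    return e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 e_type, 62, 1, 0, 0, 0, 0, 64, 56, phnum, 64, shnum, 0)


# Constructed samples mirroring the three artifacts the walkthrough runs `file` on
SAMPLES = {
    "object_file.o": make_elf64_header(1, 0, 13),
    "executable.exe": make_elf64_header(3, 13, 31),
    "core": make_elf64_header(4, 20, 0),
}
```

Run `classify_elf(open(path, "rb").read(64))` on the real artifacts to compare against `file`; a default `gcc` link yields `e_type` 3 (PIE) unless `-no-pie` is passed.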

Dumping Memory & Process2Executable

We can use the core2ELF64 tool to take a running process, dump it, and reconstruct a "rebuilt" ELF binary from the dump.

The rebuilt binary can actually be executed normally.

{% embed url="https://github.com/enbarberis/core2ELF64" %}

Delinking an Executable to an Object

For the delinking process we will be utilizing the Witchcraft Compiler Collection (WCC).

{% embed url="https://github.com/endrazine/wcc" %}

```bash
wcc -c <executable.exe> -o <unlinked.o>
```

Disassembling an Object to ASM

Here, we can utilize IDA, Ghidra, Objdump, radare2, gdb, and objconv.

(e.g.)

```bash
objdump -d -M intel <unlinked.o> > <disassembly.s>
cat <disassembly.s>
```

Decompiling ASM to C

Converting machine code to decompiled C-like pseudo code.

Ghidra's headless analyzer, `analyzeHeadless`, comes in handy here.

Essentially, this performs: binary -> decomp.c

Note:

At this point, it would be a fantastic idea to put the decompiled function in ChatGPT and ask what it is doing:

"What does the following C program do?"

```c
void foo()
{
    bar;
}
```