Finding main() in Stripped Binary - bin 0x2C
- Published: 2 Oct 2024
- Stripped binaries lack the symbol information for functions and variables. Debugging such a binary is a little trickier, but there is a simple method to find the program's main() function.
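The computation the video demonstrates in gdb, redone statically as an added example (this is my code, not the video's or glibc's): glibc's x86-64 _start passes main's address to __libc_start_main in rdi via a RIP-relative lea, so the comments' arithmetic (rip after the lea at 0x50d is 0x514, plus 0xe6 gives 0x5fa) is exactly what the decoder below performs. The byte string and the displacements other than 0xe6 are constructed, and the function names are my own.

```python
import struct

# Only the encodings that occur in glibc's _start are decoded; this is not a general
# disassembler. FIXED: exact byte sequences; RIP_REL: opcode + signed 32-bit displacement.
FIXED = {
    b"\xf3\x0f\x1e\xfa": "endbr64", b"\x31\xed": "xor ebp, ebp",
    b"\x49\x89\xd1": "mov r9, rdx", b"\x5e": "pop rsi", b"\x48\x89\xe2": "mov rdx, rsp",
    b"\x48\x83\xe4\xf0": "and rsp, -16", b"\x50": "push rax", b"\x54": "push rsp",
    b"\x31\xc9": "xor ecx, ecx", b"\x45\x31\xc0": "xor r8d, r8d",  # glibc >= 2.34 passes NULL init/fini
    b"\xf4": "hlt",
}
RIP_REL = {
    b"\x4c\x8d\x05": "lea r8, [rip+{:#x}]", b"\x48\x8d\x0d": "lea rcx, [rip+{:#x}]",
    b"\x48\x8d\x3d": "lea rdi, [rip+{:#x}]", b"\xff\x15": "call [rip+{:#x}]",
}

def decode(code, pc):
    """Decode the instruction at the start of `code`; return (length, text, displacement)."""
    for pat, text in FIXED.items():
        if code.startswith(pat):
            return len(pat), text, None
    for pat, text in RIP_REL.items():
        if code.startswith(pat):
            disp = struct.unpack_from("<i", code, len(pat))[0]
            return len(pat) + 4, text.format(disp), disp
    raise ValueError(f"unhandled encoding at {pc:#x}: {code[:4].hex()}")

def find_main(code, entry):
    """Walk _start from `entry`; return (main address or None, disassembly listing)."""
    listing, pc, off, rdi = [], entry, 0, None
    while off < len(code):
        length, text, disp = decode(code[off:], pc)
        listing.append(f"{pc:#x}: {text}")
        pc, off = pc + length, off + length   # pc is now the rip value the lea is relative to
        if text.startswith("lea rdi"):
            rdi = pc + disp                   # rdi = address of the *next* instruction + disp
        elif text.startswith("call") and rdi is not None:
            return rdi, listing               # rdi holds main when __libc_start_main is called
    return None, listing

# Constructed _start bytes mirroring the addresses quoted in the comments: entry 0x4f0,
# "lea rdi, [rip+0xe6]" at 0x50d, so main = 0x514 + 0xe6 = 0x5fa.
START = bytes.fromhex(
    "31ed 4989d1 5e 4889e2 4883e4f0 50 54"
    "4c8d05 e6010000"   # lea r8,  [rip+0x1e6]   __libc_csu_fini (constructed displacement)
    "488d0d 76010000"   # lea rcx, [rip+0x176]   __libc_csu_init (constructed displacement)
    "488d3d e6000000"   # lea rdi, [rip+0xe6]    main
    "ff15 beda2000"     # call [rip+0x20dabe]    __libc_start_main@GOTPCREL (constructed)
    "f4")
ENTRY = 0x4f0
```

find_main(START, ENTRY) returns 0x5fa together with the listing; the same walk also works for a glibc 2.34+ _start, where init/fini are zeroed with xor instead of loaded with lea.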
echo "set disassembly-flavor intel" >> ~/.gdbinit
@@kreuner11 no, these are gdb commands
@@kreuner11 that's bash
@@kreuner11 that's to set the disassembly flavor by default to intel
@@kreuner11 ahh yeah not sure how to do the same in win
@@kreuner11 ~\.gdbinit would work too? cool
I'm really looking forward to every single haxember video! I love the style of these videos.
Really helpful dude. Reversing is becoming my hobby and this helps a lot.
Keep it 1337!
How did you go about learning Ghidra? I've never used a decompiler before and I'm having a hard time finding beginner resources. This series will be great tho I think.
@@abhisohal4556 I don't use ghidra. I use GDB, Radare2 or Binary Ninja.
There are a lot of beginner tutorials on the internet with a lot of binaries and walkthroughs if you don't look for specific decompilers.
I recommend doing the Crackme challenges with a walkthrough to follow and try to understand what you are doing and looking at, and of course, learn the syscalls.
Happy reversing!
That reaction when you saw the AT&T syntax, relatable :D
Love the shorter, simpler videos. Also that hoodie is glorious, where would one acquire such a piece?
4:11 you said RIP is 0x50d but it actually points at the next line so 0x514 is RIP, great video overall though, thank you!
RUclips : LiveOverflow last uploaded 2 days ago
LifeOverflow : I am speed
4:13 RIP will be pointing at the next instruction after 0x50d so it is 0x514. 0x514+0xe6 = 0x5fa
Teddy fresh 😎 Very interesting video! Definitely useful. Does this work for windows binaries as well?
once I wrote int x="cat"; and it compiled. Take that LiveOverflow
not that surprising if you know a bit of C
how string can be an int ?
@@stewiegriffin6503 "cat" isn't returning a string, but the address of that string in memory; if you printf that x as a hexadecimal, you will get the address of the string "cat" in your RAM
@Sascha Retzki
Ooooh, I see. I thought that would throw an error like in C#.
@@stewiegriffin6503 in fact, if you compile for a system where int has the same width as a pointer, this will work:
#include <stdio.h> /* needed for printf */
int x = "cat"; // allocate a zero-terminated string in the read-only data section, store its address in x
printf("%s", x);
a modern compiler will throw a lot of warnings your way, but it is valid C
I see you also like to follow Ben Eater projects ;)
Ohhh that's what that is lol
Quick question: How would you go about creating a separate symbol file? Like, in GDB, say "this address is now the function 'main', interpret it as such" and possibly export it later in the session.
look into this script: github.com/taviso/loadlibrary/blob/master/genmapsym.sh
is there a way to then tell gdb "main is at offset 5fa"?
Probably not, GDB is a debugger. Stuff like renaming functions & variables usually falls under what a de-compiler does.
No. The "main" symbol is just a concept in the C spec. For the actual ELF binaries, the relevant thing is the "Entry" field, which just says where in the file execution should start. This is not where "main" is, but rather the __libc_start_main routine, which runs necessary initializers and basically wraps the main function.
And functions for gdb need to come from the symbol table, otherwise it does not have concrete knowledge where functions are.
Fun fact: You could also just declare a static integer array, call it "main" and compile that and c compilers would give you a warning, but comply and compile a binary that then just starts to execute the array.
I was breaking my head trying to understand how to figure out the start of the main function in a C compiled windows binary for the last 2 days and you come up with this video today. The coincidence is crazy lol.
Just wait until you find a packer that you can't figure out how to decrypt. You can use a debugger and dump the process but it's a pain re-building the import tables (I'm still new to rev eng/malware analysis tho)
Any chance you can do a video on the "??" Mnemonics at the bottom of the screen @2:17?
Thanks so much for uploading so many interesting videos recently! It's always nice to come home and learn something new.
Btw, you haven't linked Ghidra in the description.
However, in IoT firmware, there is no __libc_start_main function.
how about a stripped windows executable.. they always give me a hard time locating the main func..
C/C++ on Windows uses .pdb files for debug symbols. So if you're not finding main you're either in the wrong module or the binary has been packed.
I didn't realize Beck knew so much about debugging?
you seem to be talking rather calmly in this new format, not sure if it was always like this but you seemed more enthusiastic when you only did voice over. not complaining, just an observation, I still love the videos!
I’m just experimenting. There is obviously a huge difference in scripted vs free speech. A huge advantage is the time I save, but the length of the video and conciseness is suffering. I really wanted to try out daily videos to see what would happen, and that’s the only way to do it. I also get the chance to cover topics that were too short for a regular dedicated video.
But don’t worry. Normal liveoverflow videos are still coming and are my main focus. This haxember period is just experimenting and having some fun :)
me: likes the video
me: realizes it has 0 dislikes
me: realizes it has 69 likes
me: oh shit.jpeg
me: unlikes video
Sick hoodie. Any recommendations for where to start when learning more about hacking?
He made a whole playlist just about this topic :)
You're already there. Best starting point is LiveOverflow by far.
You are there. A hacker is always asking: How can I learn more? You will never be a full expert in all the cybersecurity field. Find what you like (SOC, Forensic, Reversing, Exploiting, Pentesting,...) and read, read and play around.
Get some low/entry lvl courses like Network+, Security+, CEH and read and play.
Being a hacker is not breaking computers, it is learning and learning. Welcome to the 1337 world.
How did you get ghidra to recognize a stripped file?
Whooaaa! I ran across this issue before but just thought I compiled it wrong! I switched to gcc and didn't give it a second thought.
NOW, here I am, just cruising your content because you rock... and BAMM! I found the answer to a problem I didn't know I had!
You rock!
Ubunta for noobs. Archlinux 4ever
My God! This was exactly what I needed, thanks LO :)
I am really enjoying this.. Amazing...
You look like a Michael Cera + Chris (from Skins UK) mashup.
EDIT: And that's a compliment, just clarifying.
I keep seeing Snot from American Dad 😂
@@soundscrispy that's rude 😡
@@ihdenemalek3485 umm how? It's a cartoon character.
My GDB (v8.3.1) doesn't show the parameters or parameter names when breaking at __libc_start_main. Is that a GDB setting or plugin you used to do that?
My output is just:
Breakpoint 1, 0x00007ffff7dfe060 in __libc_start_main () from /usr/lib/libc.so.6
Awesome work dude keep it up
You don't need the JRE if you install the JDK because the JRE comes with the JDK
always perfect
Good contents. Just saying in 4:15 the rip would be 0x514 and not 0x50d
1:28 I feel you
i just use cross references in ghidra/IDA to find out the main() entrypoint, but your technique is better when the binary is diabolically small.
Michael Sera kind of looks like LiveOverflow
Hey man
Would you be interested in making a video on how to secure your wifi? I'm a developer, but I know little about network sniffing and wifi hacking and I'm paranoid about having my home wifi broadcasted to the neighbours so I try to connect almost all devices using wires, but still need wifi for phones!
I thought about using open-source router software such as Open-WRT but it requires knowledge of how to secure it, otherwise you will be handing over an even easier way to hijack it!
he has a 4 character password! get him! LOL
Do RE on mips arch pliss
... then there is a breakpoint, you get the point!
Hah.
I really enjoy those Videos :)
Keep up the good work!
Hey LiveOverflow, there is no Ghidra download link in the description!
For those interested, it is here: ghidra-sre.org/
Great video, I love content you are putting out lately! Although I prefer old-style videos of yours, with hand-drawn black on white drawings instead of face cam.
"putting out lately" is an exaggeration. This is just an experiment in December and that is the 4th video. I'm just using this style to make daily videos as an experiment - like an advent calendar. Regular videos came before and will still come
can you share the test_stripped file?
these are the kind of tutorials newbs like me need
Loooovvveee that pastel coloured hoodie!
Short but very useful, thanks!
Love your videos. Keep it up.
gamer 😎
Now show how to find the initial entry point of something wacky and hard like a weird embedded architecture or obfuscated malware
I don’t know 🤷♀️
Can you do video about Checkm8 exploit (bootrom) please?
So I tried using this idea in a MinGW gcc compiled windows binary debugged on x64dbg to find the exact address of the main function. x64dbg shows the entrypoint as 0x4012E0, and I figured out the start of the main function to be 0x40148A by calling printf at the beginning and searching for the string reference that I passed as the argument to printf, but if I check all the instructions between the address 4012E0 and 40148A, I can't find a single instruction that calls main at 40148A. Also I can't find any libgcc_start_main reference in the debugger, is this because I'm using a windows compiler or I have to download some extra symbol file or something? Any help from anyone will be super appreciated!
A Windows binary isn't going to have __libc_start_main, as libc is the C standard library for Linux.
@@Njinx_ I did some digging and the Windows C library counterpart seems to be the C runtime library which is found in msvcrt.dll. Looking at the x32dbg imports I CAN find the executable importing this dll; should debugging the executable with the symbols for this dll loaded from the Microsoft website help in understanding where the main function in my source code starts?
@@EvilSapphireR Hmm, I'm not much of a Windows guy but if I had to take a guess I would have to say no.
Are you wearing Teddy Fresh?? 🤔😜
I liked the previous video style without cam more, it adds nothing and takes viewer focus from the actual code. Also everything seems too big, partial zooms were better imo
It’s just for daily videos as part of haxember. This is only the 4th day. Regular videos are still a thing.
I live for the moment LiveOverflow adds peda to gdb
*uses pwndbg instead
4:21
Woow
Hi
Hi
yeet
it was so much better before you got a camera...
Ok boomer
He does what he tweets.
LiveOverflow he isn’t wrong tho, also it was much better before you started milking the December RUclips money (increased CPM and more ads)
Nice Teddy Fresh hoodie!!