Cristianu
April 23rd, 2012, 10:19
Operating system: Ubuntu Linux
Device architecture: ARM
I have a statically linked executable file without any symbolic information. Moreover, it is obfuscated.
But, thank God, it is possible to get some useful information about this file with the help of one interesting utility, "strings".
As "man" says:
Quote:
strings - print the strings of printable characters in files
The result of
Quote:
strings ./my_executable
Code:
ElfData::ElfData(): ELF data storage is broken
ElfData::addToSection(): can't create the output section data
ElfSection::ElfSection(): ELF data storage is broken
ElfSection::ElfSection(): NULL section name
ElfSection::addToElf(): can't allocate the new section
ElfSection::addToElf(): can't get the new section header
ElfSection::addToElf(): can't create the output section data for BSS
...
UnwindStructure::Fragment::readStandardDescriptors: impossible combination
UnwindStructure::Fragment::writeStandardDescriptors: undefined action =
...
UnwindStructure::Fragment::readStandardDescriptors: impossible combination
UnwindStructure::Fragment::writeStandardDescriptors: undefined action =
...
vector::_M_insert_aux
vector::_M_fill_insert
vector::_M_range_insert
...
java Class for
...
java resource
...
I was really surprised by the last two lines. What do they do in an executable ELF file for the ARM architecture?
Does it mean that the executable uses Java in some way, or do these strings have some other purpose?
I guess that with the help of this "string information" it is possible to detect what libraries were used to link this file. It is very important, because in this case I can use the IDA FLIRT and FLAIR tools to separate the library functions from regular functions even when the file has no symbolic information.
What else is it possible to get from all these strings? Any ideas? It would be interesting to hear somebody's experience.
Another question is:
libc.a = standard C library
What static file corresponds to the standard C++ library?
As far as I understood, the executable uses STL (STL is a part of the standard C++ library, as far as I know), maybe the Boost library or something else.
Is there a way to detect the static or dynamic library by the names of functions, or variables, or header files (any string information from the executable file)?
Any help would be appreciated.
With best regards, Cristianu!
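
The approach raised in the post, grouping the scope-qualified strings to see which components and libraries were linked in, as an added example that is not part of the original post. The sample bytes are constructed from the strings quoted above; the function names and the `_M_` heuristic (the GNU libstdc++ naming convention for internal members) are assumptions of this example.

```python
import re
import sys
from collections import defaultdict

# Scope-qualified name at the start of a string, e.g. "A::B::method"
SCOPE = re.compile(r"^((?:[A-Za-z_]\w*::)+)([A-Za-z_~]\w*)")

def extract_strings(data: bytes, min_len: int = 4):
    """Runs of printable ASCII of at least min_len bytes, similar to strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

def group_by_scope(strings):
    """Map each C++ scope (class or namespace path) to the member names seen."""
    groups = defaultdict(set)
    for s in strings:
        m = SCOPE.match(s)
        if m:
            groups[m.group(1).rstrip(":")].add(m.group(2))
    return {scope: sorted(members) for scope, members in groups.items()}

def libstdcxx_hints(groups):
    """Heuristic (assumption): '_M_'-prefixed members point at GNU libstdc++."""
    return sorted(f"{scope}::{m}" for scope, members in groups.items()
                  for m in members if m.startswith("_M_"))

# Constructed sample: binary noise interleaved with strings quoted in the post.
SAMPLE = (b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8 +
          b"ElfData::ElfData(): ELF data storage is broken\x00"
          b"ElfSection::addToElf(): can't allocate the new section\x00\x01\x02"
          b"UnwindStructure::Fragment::readStandardDescriptors: impossible combination\x00"
          b"vector::_M_insert_aux\x00vector::_M_fill_insert\x00\xff\xfe"
          b"java resource\x00")

if __name__ == "__main__":
    # Analyse a file given on the command line, or the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    groups = group_by_scope(extract_strings(data))
    for scope, members in sorted(groups.items()):
        print(f"{scope}: {', '.join(members)}")
    print("libstdc++ hints:", libstdcxx_hints(groups))
```

Scopes that appear only in application-style error messages (here `ElfData`, `ElfSection`, `UnwindStructure::Fragment`) are candidates for the program's own code, while a hit from `libstdcxx_hints` suggests generating FLIRT signatures from the matching static `libstdc++.a` build.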
