View Full Version : ELF - problem with unpacking

November 19th, 2010, 09:57
I think this is self made packer for ELF...


I'm trying to reverse linux i386 binary. It is packed with unknown packer.

1. Anybody knows any good linux tools for examine binary (ELF) like PeID for Win?

If I use readelf I get this result
ELF Header:
Magic: 7f 45 4c 46 01 01 01 03 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - Linux
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0xc286b0
Start of program headers: 52 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 2
Size of section headers: 40 (bytes)
Number of section headers: 0
Section header string table index: 0 <corrupt: out of range>

There are no sections in this file.
There are no sections in this file.

Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x000000 0x00c01000 0x00c01000 0x27e14 0x27e14 R E 0x1000
LOAD 0x000c00 0x08146c00 0x08146c00 0x00000 0x00000 RW 0x1000

There is no dynamic section in this file.
There are no relocations in this file.
There are no unwind sections in this file.
No version information found in this file.

So file is packed with unknown protector.

I think I find OEP at 8049D90...

debug004:08049D90 ; ---------------------------------------------------------------------------
debug004:08049D90 xor ebp, ebp
debug004:08049D92 pop esi
debug004:08049D93 mov ecx, esp
debug004:08049D95 and esp, 0FFFFFFF0h
debug004:08049D98 push eax
debug004:08049D99 push esp
debug004:08049D9A push edx
debug004:08049D9B push offset unk_80992D0
debug004:08049DA0 push offset unk_80992E0
debug004:08049DA5 push ecx
debug004:08049DA6 push esi
debug004:08049DA7 push offset unk_804FDC0
debug004:08049DAC call near ptr unk_8049880
debug004:08049DB1 hlt
debug004:08049DB1 ; ---------------------------------------------------------------------------

Maybe I'm wrong... But how to dump file on linux?
I change bytes on 8049D90 to EB FE. Run program and do deatach.
Run GDB, attach to program pid and do dump of section I can dump.
I got string table and all code, but no library functions... How to dump this file in right way?

At EP (Maybe I just think is EP, maps look like:

00c01000-00c02000 r-xp 00000000 08:01 472102 LOAD /home/danci/prog/prog
08048000-080a1000 r-xp 08048000 00:00 0 DEBUG004
080a1000-08147000 rwxp 080a1000 00:00 0 PROG
b7de3000-b7de5000 rwxp b7de3000 00:00 0 DEBUG005
b7de5000-b7f3d000 r-xp 00000000 08:01 246510 /lib/tls/i686/cmov/libc-2.8.90.so
b7f3d000-b7f3f000 r-xp 00158000 08:01 246510 /lib/tls/i686/cmov/libc-2.8.90.so
b7f3f000-b7f40000 rwxp 0015a000 08:01 246510 /lib/tls/i686/cmov/libc-2.8.90.so
b7f40000-b7f43000 rwxp b7f40000 00:00 0 DEBUG006
b7f43000-b7f58000 r-xp 00000000 08:01 246536 /lib/tls/i686/cmov/libpthread-2.8.90.so
b7f58000-b7f59000 r-xp 00014000 08:01 246536 /lib/tls/i686/cmov/libpthread-2.8.90.so
b7f59000-b7f5a000 rwxp 00015000 08:01 246536 /lib/tls/i686/cmov/libpthread-2.8.90.so
b7f5a000-b7f5c000 rwxp b7f5a000 00:00 0 DEBUG007
b7f6d000-b7f6f000 rwxp b7f6d000 00:00 0 DEBUG008
b7f6f000-b7f89000 r-xp 00000000 08:01 228948 /lib/ld-2.8.90.so
b7f89000-b7f8a000 ---p b7f89000 00:00 0 DEBUG002
b7f8a000-b7f8b000 r-xp 0001a000 08:01 228948 /lib/ld-2.8.90.so
b7f8b000-b7f8c000 rwxp 0001b000 08:01 228948 /lib/ld-2.8.90.so
bf877000-bf88c000 rwxp bffeb000 00:00 0 [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]

I can dump only:
08048000-080a1000 r-xp 08048000 00:00 0 DEBUG004
080a1000-08147000 rwxp 080a1000 00:00 0 PROG

But when I start unpacked program - program crash!

Problem is here I think:
LOAD:08049880 sub_8049880 proc near ; CODE XREF: start+1Cp
LOAD:08049880 jmp dword_80A18AC
LOAD:08049880 sub_8049880 endp


LOAD:080A18A8 dword_80A18A8 dd 0 ; DATA XREF: sub_8049870r
LOAD:080A18AC dword_80A18AC dd 0 ; DATA XREF: sub_8049880r ****
LOAD:080A18B0 dword_80A18B0 dd 0 ; DATA XREF: sub_8049890r

IAT is missing?