I think this is a self-made packer for ELF...


I'm trying to reverse a Linux i386 binary. It is packed with an unknown packer.

1. Does anybody know any good Linux tools for examining binaries (ELF), like PEiD for Windows?

If I use readelf, I get this result:
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 03 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - Linux
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0xc286b0
  Start of program headers:          52 (bytes into file)
  Start of section headers:          0 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         2
  Size of section headers:           40 (bytes)
  Number of section headers:         0
  Section header string table index: 0 <corrupt: out of range>

There are no sections in this file.
There are no sections in this file.

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000000 0x00c01000 0x00c01000 0x27e14 0x27e14 R E 0x1000
  LOAD           0x000c00 0x08146c00 0x08146c00 0x00000 0x00000 RW  0x1000

There is no dynamic section in this file.
There are no relocations in this file.
There are no unwind sections in this file.
No version information found in this file.
So the file is packed with an unknown protector.

I think I found the OEP at 8049D90...

debug004:08049D90  ; ---------------------------------------------------------------------------
debug004:08049D90           xor       ebp,    ebp
debug004:08049D92           pop       esi
debug004:08049D93           mov       ecx,    esp
debug004:08049D95           and       esp,    0FFFFFFF0h
debug004:08049D98           push       eax
debug004:08049D99           push       esp
debug004:08049D9A           push       edx
debug004:08049D9B           push       offset unk_80992D0
debug004:08049DA0           push       offset unk_80992E0
debug004:08049DA5           push       ecx
debug004:08049DA6           push       esi
debug004:08049DA7           push       offset unk_804FDC0
debug004:08049DAC           call       near    ptr unk_8049880
debug004:08049DB1           hlt
debug004:08049DB1  ; ---------------------------------------------------------------------------
Maybe I'm wrong... But how do I dump the file on Linux?
I changed the bytes at 8049D90 to EB FE, ran the program and detached.
Then I ran GDB, attached to the program's PID and dumped the sections I could dump.
I got the string table and all the code, but no library functions... How do I dump this file the right way?

At the EP (maybe I just think it is the EP), the maps look like:

00c01000-00c02000 r-xp 00000000 08:01 472102    LOAD        /home/danci/prog/prog
08048000-080a1000 r-xp 08048000 00:00 0        DEBUG004
080a1000-08147000 rwxp 080a1000 00:00 0         PROG
b7de3000-b7de5000 rwxp b7de3000 00:00 0         DEBUG005
b7de5000-b7f3d000 r-xp 00000000 08:01 246510             /lib/tls/i686/cmov/libc-2.8.90.so
b7f3d000-b7f3f000 r-xp 00158000 08:01 246510             /lib/tls/i686/cmov/libc-2.8.90.so
b7f3f000-b7f40000 rwxp 0015a000 08:01 246510             /lib/tls/i686/cmov/libc-2.8.90.so
b7f40000-b7f43000 rwxp b7f40000 00:00 0         DEBUG006
b7f43000-b7f58000 r-xp 00000000 08:01 246536             /lib/tls/i686/cmov/libpthread-2.8.90.so
b7f58000-b7f59000 r-xp 00014000 08:01 246536             /lib/tls/i686/cmov/libpthread-2.8.90.so
b7f59000-b7f5a000 rwxp 00015000 08:01 246536             /lib/tls/i686/cmov/libpthread-2.8.90.so
b7f5a000-b7f5c000 rwxp b7f5a000 00:00 0         DEBUG007
b7f6d000-b7f6f000 rwxp b7f6d000 00:00 0         DEBUG008
b7f6f000-b7f89000 r-xp 00000000 08:01 228948             /lib/ld-2.8.90.so
b7f89000-b7f8a000 ---p b7f89000 00:00 0         DEBUG002
b7f8a000-b7f8b000 r-xp 0001a000 08:01 228948             /lib/ld-2.8.90.so
b7f8b000-b7f8c000 rwxp 0001b000 08:01 228948             /lib/ld-2.8.90.so
bf877000-bf88c000 rwxp bffeb000 00:00 0         [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0         [vdso]
I can dump only:
08048000-080a1000 r-xp 08048000 00:00 0        DEBUG004
080a1000-08147000 rwxp 080a1000 00:00 0         PROG
But when I start the unpacked program, it crashes!

The problem is here, I think:
LOAD:08049880 sub_8049880     proc near               ; CODE XREF: start+1Cp
LOAD:08049880                 jmp     dword_80A18AC
LOAD:08049880 sub_8049880     endp


LOAD:080A18A8 dword_80A18A8   dd 0                    ; DATA XREF: sub_8049870r
LOAD:080A18AC dword_80A18AC   dd 0                    ; DATA XREF: sub_8049880r ****
LOAD:080A18B0 dword_80A18B0   dd 0                    ; DATA XREF: sub_8049890r
Is the IAT missing?
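As an added example (not part of the original post or any tool the poster used): the dumping procedure above (patch the OEP to EB FE, detach, attach gdb, dump the regions listed in /proc/<pid>/maps) leaves raw memory images, not an executable. To run them again they have to be wrapped in a fresh ELF32 whose PT_LOAD program headers place each region back at its original virtual address, with the entry point set to the OEP. The `jmp dword_80A18AC` stub, a `jmp dword ptr [abs32]` (FF 25 imm32) through a slot that is still 0, is exactly the kind of thing that makes such a dump crash on its first library call. The script below parses maps lines, wraps the dumped regions as ELF32 segments, and scans the executable regions for FF 25 stubs whose slot is zero. The maps text and region bytes are constructed from the addresses in the post (region sizes trimmed); a real dump would come from /proc/<pid>/mem or gdb's `dump memory`.

```python
"""Rebuild a loadable ELF32 from dumped memory regions and flag zeroed jump slots."""
import re
import struct

PAGE = 0x1000
PF_X, PF_W, PF_R = 1, 2, 4

# Constructed sample of /proc/<pid>/maps lines, addresses taken from the post.
# (The trailing names are IDA's labels; real maps lines leave the path empty.)
SAMPLE_MAPS = """\
08048000-080a1000 r-xp 08048000 00:00 0        DEBUG004
080a1000-08147000 rwxp 080a1000 00:00 0         PROG
b7de5000-b7f3d000 r-xp 00000000 08:01 246510             /lib/tls/i686/cmov/libc-2.8.90.so
"""

MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+) ([rwxps-]{4}) ([0-9a-f]+) (\S+) (\d+)\s*(.*)$")


def parse_maps(text):
    """Return (start, end, perms, path) for every mapping line."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            regions.append((int(m.group(1), 16), int(m.group(2), 16),
                            m.group(3), m.group(7)))
    return regions


def anonymous_regions(regions):
    """Keep mappings not backed by a file or a kernel object ([stack], [vdso])."""
    return [r for r in regions if not r[3].startswith(("/", "["))]


def perms_to_flags(perms):
    """Translate 'rwxp' style maps permissions into ELF p_flags bits."""
    return ((PF_R if perms[0] == "r" else 0) | (PF_W if perms[1] == "w" else 0)
            | (PF_X if perms[2] == "x" else 0))


def build_elf32(segments, entry):
    """segments: [(vaddr, perms, bytes)]. Emit an ET_EXEC i386 ELF with one PT_LOAD each.

    Segment data is placed at page-aligned file offsets so that
    p_offset % PAGE == p_vaddr % PAGE, which the kernel loader requires."""
    ehdr_size, phdr_size = 52, 32
    phnum = len(segments)
    off = (ehdr_size + phdr_size * phnum + PAGE - 1) & ~(PAGE - 1)
    first_off = off
    phdrs, body = b"", b""
    for vaddr, perms, data in segments:
        assert vaddr % PAGE == 0, "dumped regions are page aligned"
        phdrs += struct.pack("<8I", 1, off, vaddr, vaddr, len(data), len(data),
                             perms_to_flags(perms), PAGE)
        padded = (len(data) + PAGE - 1) & ~(PAGE - 1)
        body += data + b"\0" * (padded - len(data))
        off += padded
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + b"\0" * 7  # ELF32, LE, SysV
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", e_ident, 2, 3, 1, entry, ehdr_size,
                       0, 0, ehdr_size, phdr_size, phnum, 40, 0, 0)
    header = ehdr + phdrs
    return header + b"\0" * (first_off - len(header)) + body


def read_u32(segments, addr):
    """Little-endian dword at addr from whichever segment holds it, else None."""
    for vaddr, _, data in segments:
        if vaddr <= addr and addr + 4 <= vaddr + len(data):
            return struct.unpack_from("<I", data, addr - vaddr)[0]
    return None


def unresolved_jump_slots(segments):
    """Find 'jmp dword ptr [abs32]' (FF 25 imm32) stubs whose slot is still 0.

    A jump through a zeroed slot is what crashes a dump whose import slots were
    never filled in; each hit is (stub address, slot address)."""
    found = []
    for vaddr, perms, data in segments:
        if "x" not in perms:
            continue
        i = data.find(b"\xff\x25")
        while i != -1 and i + 6 <= len(data):
            slot = struct.unpack_from("<I", data, i + 2)[0]
            if read_u32(segments, slot) == 0:
                found.append((vaddr + i, slot))
            i = data.find(b"\xff\x25", i + 1)
    return found


def sample_segments():
    """Constructed dump: the stub at 0x8049880 and the zero slot at 0x80A18AC.

    Only the first 0x3000 bytes of the code region and 0x2000 of the data region
    are modelled so the example stays small."""
    code = bytearray(0x3000)                       # 0x08048000-0x0804b000
    code[0x1d90:0x1d95] = b"\x31\xed\x5e\x89\xe1"  # OEP: xor ebp,ebp / pop esi / mov ecx,esp
    code[0x1880:0x1886] = b"\xff\x25" + struct.pack("<I", 0x080A18AC)  # jmp dword_80A18AC
    data = bytearray(0x2000)                       # 0x080a1000-0x080a3000, slot left at 0
    return [(0x08048000, "r-xp", bytes(code)), (0x080A1000, "rwxp", bytes(data))]


def rebuild_from_sample():
    """Wrap the sample regions as an ELF at the post's OEP and report dead stubs."""
    segs = sample_segments()
    return build_elf32(segs, entry=0x08049D90), unresolved_jump_slots(segs)


if __name__ == "__main__":
    elf, bad = rebuild_from_sample()
    with open("dump.elf", "wb") as f:
        f.write(elf)
    for stub, slot in bad:
        print(f"stub at {stub:#010x} jumps through zeroed slot {slot:#010x}")
```

The rebuilt file will still fault at every stub the scan reports until those slots are filled with the addresses the packer's loader would have written; the scan gives the list to patch, and with all regions present, `unresolved_jump_slots` returning an empty list is the precondition for the rewrapped dump to get past its first import.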