Analysis of string information of statically linked executable ELF-file

Post by Cristianu

Operating system: Ubuntu Linux
Device architecture: ARM

I have a statically linked executable file without any symbolic information. Moreover, it is obfuscated.
But, thank God, it is possible to get some useful information about this file with the help of an interesting utility, "strings".
As "man" says:
strings - print the strings of printable characters in files

The result of
strings ./my_executable

Code:

ElfData::ElfData(): ELF data storage is broken
ElfData::addToSection(): can't create the output section data
ElfSection::ElfSection(): ELF data storage is broken
ElfSection::ElfSection(): NULL section name
ElfSection::addToElf(): can't allocate the new section
ElfSection::addToElf(): can't get the new section header
ElfSection::addToElf(): can't create the output section data for BSS


	...


UnwindStructure::Fragment::readStandardDescriptors: impossible combination
UnwindStructure::Fragment::writeStandardDescriptors: undefined action = 

	...


UnwindStructure::Fragment::readStandardDescriptors: impossible combination
UnwindStructure::Fragment::writeStandardDescriptors: undefined action = 

	...


vector::_M_insert_aux
vector::_M_fill_insert
vector::_M_range_insert

	...

java Class for 

	...

java resource 

	...
etc.


I was really surprised by the last two lines. What are they doing in an executable ELF file for the ARM architecture?
Does it mean that the executable uses Java in some way, or do these strings have some other purpose?

I guess that with the help of this "string information" it is possible to detect which libraries were used to link this file. This is very important, because in that case I can use the IDA FLIRT and FLAIR tools to separate the library functions from regular functions even when the file has no symbolic information.
What else is it possible to get from all these strings? Any ideas? It would be interesting to hear somebody's experience.

Another question is:
libc.a = standard C library
What static file corresponds to the standard C++ library?
As far as I understood, the executable uses the STL (the STL is a part of the standard C++ library, as far as I know), maybe the Boost library or something else.
Is there a way to detect the static or dynamic library by the names of functions, variables, or header files (any string information from the executable file)?


Any help would be appreciated.
With best regards, Cristianu! :yay:
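
An added example, not part of the original post: a Python sketch that extracts strings the way `strings` does, groups them by leading C++ scope (`ElfSection::`, `UnwindStructure::Fragment::`) and flags GNU libstdc++ markers such as `vector::_M_insert_aux`. The function names are this example's own, and the sample bytes are constructed from the strings quoted in the post.

```python
import re
import sys
from collections import Counter

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs of at least min_len bytes, similar to strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

# Leading C++ scope of a diagnostic such as "ElfSection::addToElf(): ...".
SCOPE_RE = re.compile(r"^((?:[A-Za-z_]\w*::)+)[A-Za-z_~]\w*")

def scope_counts(strings: list) -> Counter:
    """Count strings per class/namespace prefix; each prefix hints at one component."""
    counts = Counter()
    for s in strings:
        m = SCOPE_RE.match(s)
        if m:
            counts[m.group(1).rstrip(":")] += 1
    return counts

# GNU libstdc++ prefixes internal members with _M_ and uses names like
# "vector::_M_insert_aux" as exception messages, so they survive stripping.
LIBSTDCXX_RE = re.compile(r"^\w+::_M_\w+$")

def libstdcxx_hits(strings: list) -> list:
    """Strings that look like libstdc++ internal member names."""
    return [s for s in strings if LIBSTDCXX_RE.match(s)]

# Constructed sample: strings quoted in the post, NUL-separated, with binary padding.
SAMPLE = b"\x7fELF\x01\x01\x01\x00" + b"\x00".join([
    b"ElfData::ElfData(): ELF data storage is broken",
    b"ElfSection::ElfSection(): NULL section name",
    b"ElfSection::addToElf(): can't allocate the new section",
    b"UnwindStructure::Fragment::readStandardDescriptors: impossible combination",
    b"vector::_M_insert_aux",
    b"vector::_M_fill_insert",
    b"java Class for ",
]) + b"\x00\xff\xfe"

if __name__ == "__main__":
    # Pass a file path to scan a real binary; with no argument the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    found = extract_strings(data)
    for scope, n in scope_counts(found).most_common():
        print(f"{n:5d}  {scope}")
    print("libstdc++ markers:", libstdcxx_hits(found))
```

A non-empty result from `libstdcxx_hits` points at the GNU C++ standard library, whose static archive is `libstdc++.a`.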