reversing.kr Easy_ELF
Let's check the type of the file:
file Easy_ELF
Easy_ELF: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.15, BuildID[sha1]=8edb9e400a3882319cd4582f89dd2373b7e1745c, stripped
stripped - means that the symbol table (.symtab) has been removed, i.e. we have no names for the program's own functions and no record of where they start. The dynamic symbols the loader needs (write, scanf, ...) are still present, which is why objdump can still label calls through the PLT as <write@plt> further down.
Let's look at the printable strings it contains to get an idea of what it does:
strings Easy_ELF | less
. . .
Correct!
Reversing.Kr Easy ELF
Wrong
. . .
objdump -s -j .rodata Easy_ELF
Easy_ELF: file format elf32-i386
Contents of section .rodata:
8048648 03000000 01000200 25730043 6f727265 ........%s.Corre
8048658 6374210a 00526576 65727369 6e672e4b ct!..Reversing.K
8048668 72204561 73792045 4c460a0a 0057726f r Easy ELF...Wro
8048678 6e670a00 ng..
The address of "Correct!\n" is 0x8048653 (bytes 43 6f 72 72 65 63 74 21 0a, nine of them, followed by a NUL at 0x804865c).
The banner "Reversing.Kr Easy ELF\n\n" starts at 0x804865d and is 23 (0x17) bytes long.
The address of "Wrong\n" is 0x8048675.
(Just before "Correct!" there is also a "%s" at 0x8048650, a format string, most likely the one handed to scanf later on.)
objdump -t Easy_ELF
- reports "no symbols", which confirms what we already knew: the executable has been stripped of its symbols, including main. At least we know that the .text section holds the program's instructions, so main is in there somewhere.
So let's disassemble that section (objdump -d -j .text Easy_ELF) and look for the addresses we just found. Here is the hit for 0x8048653:
8048505: c7 44 24 04 53 86 04 movl $0x8048653,0x4(%esp)
804850c: 08
804850d: c7 04 24 01 00 00 00 movl $0x1,(%esp)
8048514: e8 47 fe ff ff call 8048360 <write@plt>
We notice that 0x8048653, the address of "Correct!\n", is being passed as a parameter to the function write.
According to https://linux.die.net/man/2/write, write(fd, buf, count) writes up to count bytes from the buffer pointed to by buf to the file referred to by the file descriptor fd.
This is 32-bit code using the cdecl convention: the arguments are stored on the stack in order, the first at (%esp), the second at 0x4(%esp), the third at 0x8(%esp). So the first parameter is 1, which https://en.wikipedia.org/wiki/File_descriptor lists as standard output, the second is our string, and the third (stored a few instructions earlier, see below) is 9, exactly the length of "Correct!\n" without its terminating NUL. In other words, this code prints "Correct!".
Look at the instructions prior to the call to write:
80484f7: 55 push %ebp
80484f8: 89 e5 mov %esp,%ebp
80484fa: 83 ec 18 sub $0x18,%esp
80484fd: c7 44 24 08 09 00 00 movl $0x9,0x8(%esp)
This looks like the start of a function (the standard prologue: save %ebp, set up the frame, reserve 0x18 bytes of stack), so 0x80484f7 is where the function that prints "Correct!" begins. Is there a call to this function? Yes there is, at the end of what is evidently main (the and $0xfffffff0,%esp right after the prologue is the stack alignment gcc emits at the start of main):
804851b: 55 push %ebp
804851c: 89 e5 mov %esp,%ebp
804851e: 83 e4 f0 and $0xfffffff0,%esp
8048521: 83 ec 10 sub $0x10,%esp
8048524: c7 44 24 08 17 00 00 movl $0x17,0x8(%esp)
804852b: 00
804852c: c7 44 24 04 5d 86 04 movl $0x804865d,0x4(%esp)
8048533: 08
8048534: c7 04 24 01 00 00 00 movl $0x1,(%esp)
804853b: e8 20 fe ff ff call 8048360 <write@plt>
8048540: e8 ef fe ff ff call 8048434 <__isoc99_scanf@plt+0xc4>
8048545: e8 07 ff ff ff call 8048451 <__isoc99_scanf@plt+0xe1>
804854a: 83 f8 01 cmp $0x1,%eax
804854d: 75 0c jne 804855b <__isoc99_scanf@plt+0x1eb>
804854f: e8 a3 ff ff ff call 80484f7 <__isoc99_scanf@plt+0x187> <---- HERE!
The call to 8048360 at 0x804853b is write(1, 0x804865d, 0x17): 23 bytes to standard output, most probably the "Reversing.Kr Easy ELF" banner. Let's check the address 0x804865d:
objdump -s -j .rodata --start-address=0x804865d Easy_ELF
Easy_ELF: file format elf32-i386
Contents of section .rodata:
804865d 526576 65727369 6e672e4b 72204561 73 Reversing.Kr Eas
804866d 792045 4c460a0a 0057726f 6e670a00 y ELF...Wrong.
Bingo!
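The two manual steps above (reading write()'s cdecl arguments back from the movl stores that precede the call, then looking the buffer address up in .rodata) can be automated. The following Python is an added example and is not part of the original write-up or of the challenge binary. It parses the objdump -d listing and the .rodata dump quoted above, which are embedded as constructed sample input copied from those dumps, and the helper names (recover_call_args, rodata_strings, resolve_writes) are my own.

```python
"""Added example (not from the write-up or the challenge): recover what each write()
in an objdump listing prints by reading the cdecl arguments back from the movl
$imm,N(%esp) stores before each call and looking the buffer address up in .rodata.
Helper names are my own; both inputs are constructed samples copied from above."""
import re
import string
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the two objdump -d snippets quoted above, joined.
DISASM = """\
 80484f7: 55                   push   %ebp
 80484f8: 89 e5                mov    %esp,%ebp
 80484fa: 83 ec 18             sub    $0x18,%esp
 80484fd: c7 44 24 08 09 00 00 movl   $0x9,0x8(%esp)
 8048505: c7 44 24 04 53 86 04 movl   $0x8048653,0x4(%esp)
 804850c: 08
 804850d: c7 04 24 01 00 00 00 movl   $0x1,(%esp)
 8048514: e8 47 fe ff ff       call   8048360 <write@plt>
 804851b: 55                   push   %ebp
 804851c: 89 e5                mov    %esp,%ebp
 804851e: 83 e4 f0             and    $0xfffffff0,%esp
 8048521: 83 ec 10             sub    $0x10,%esp
 8048524: c7 44 24 08 17 00 00 movl   $0x17,0x8(%esp)
 804852b: 00
 804852c: c7 44 24 04 5d 86 04 movl   $0x804865d,0x4(%esp)
 8048533: 08
 8048534: c7 04 24 01 00 00 00 movl   $0x1,(%esp)
 804853b: e8 20 fe ff ff       call   8048360 <write@plt>
 8048540: e8 ef fe ff ff       call   8048434 <__isoc99_scanf@plt+0xc4>
 8048545: e8 07 ff ff ff       call   8048451 <__isoc99_scanf@plt+0xe1>
 804854a: 83 f8 01             cmp    $0x1,%eax
 804854d: 75 0c                jne    804855b <__isoc99_scanf@plt+0x1eb>
 804854f: e8 a3 ff ff ff       call   80484f7 <__isoc99_scanf@plt+0x187>
"""

# Constructed sample: the objdump -s -j .rodata dump quoted above.
RODATA_BASE = 0x8048648
RODATA = bytes.fromhex(
    "03000000 01000200 25730043 6f727265 6374210a 00526576 65727369 6e672e4b"
    "72204561 73792045 4c460a0a 0057726f 6e670a00")

# objdump AT&T syntax: "addr: bytes... movl $imm,off(%esp)" and "addr: bytes... call target <sym>"
MOV_RE = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2}\s+)+movl\s+\$(0x[0-9a-f]+),(0x[0-9a-f]+)?\(%esp\)")
CALL_RE = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2}\s+)+call\s+([0-9a-f]+)(?:\s+<([^>]+)>)?")


@dataclass
class CallSite:
    addr: int
    target: int
    symbol: Optional[str]
    args: List[int]  # cdecl stack arguments in order; args[0] sits at (%esp)


def recover_call_args(disasm: str) -> List[CallSite]:
    """Immediate stores to N(%esp) become the arguments of the next call. Collection
    stops at the first slot not set by an immediate, so a partial list never looks complete."""
    pending, sites = {}, []
    for line in disasm.splitlines():
        m = MOV_RE.match(line)
        if m:
            pending[int(m.group(3), 16) if m.group(3) else 0] = int(m.group(2), 16)
            continue
        c = CALL_RE.match(line)
        if c:
            args = []
            while len(args) * 4 in pending:
                args.append(pending[len(args) * 4])
            sites.append(CallSite(int(c.group(1), 16), int(c.group(2), 16), c.group(3), args))
            pending = {}  # the callee consumed its arguments
    return sites


def rodata_strings(base: int, data: bytes) -> Dict[int, str]:
    """Like `strings`, but keyed by address: NUL-terminated runs of printable bytes."""
    out, start = {}, 0
    for i, b in enumerate(data):
        if b == 0:
            chunk = data[start:i]
            if chunk and all(chr(c) in string.printable for c in chunk):
                out[base + start] = chunk.decode("ascii")
            start = i + 1
    return out


def resolve_writes(disasm: str, base: int, rodata: bytes) -> List[dict]:
    """Pair each write@plt call that has three immediate arguments with its .rodata string."""
    strs = rodata_strings(base, rodata)
    out = []
    for s in recover_call_args(disasm):
        if s.symbol and s.symbol.startswith("write@") and len(s.args) == 3:
            fd, buf, count = s.args
            text = strs.get(buf)
            # write() does not emit the NUL, so count should equal the string length exactly
            out.append({"call": s.addr, "fd": fd, "buf": buf, "count": count, "text": text,
                        "count_ok": text is not None and len(text) == count})
    return out


if __name__ == "__main__":
    for w in resolve_writes(DISASM, RODATA_BASE, RODATA):
        print(f"{w['call']:#x}: write(fd {w['fd']}, {w['buf']:#x}, {w['count']}) -> {w['text']!r} ok={w['count_ok']}")
```

Run as a script it reports, for each write@plt call, the descriptor, the string behind the buffer pointer and whether the count matches that string's length; a mismatch would mean the call writes only part of the string or reads past it, which deserves a second look whenever the count is not a constant you recognise. To use it on a real binary, feed it the output of objdump -d -j .text and the .rodata bytes together with the section's address from readelf -S.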
Note also how main is wired: right after printing the banner it calls 8048434, then 8048451, and compares the return value of the latter (in %eax) with 1. If it is not 1, the jne at 0x804854d skips the call at 0x804854f and "Correct!" is never printed. So 8048451 is the check that has to return 1, and 8048434, called right after the prompt, is where the input is most likely read (the binary imports __isoc99_scanf, and .rodata holds a "%s").
What are the functions at call 8048434 and call 8048451 doing? That's your assignment. Analyze them to deduce what input string makes this program print "Correct!".