Tips and useful commands for analysing binaries, from determining the file type to debugging.


The purpose of this post is to have an easy and fast guide for the first steps of reversing. Obviously reverse engineering is a world of its own, and if you play CTFs this guide will not be useful for you, at least for the normal tasks where you have to look at the assembly code of functions to understand what the program is doing.

  1. Determining file type
  2. Exploring dependencies
  3. Parsing the ELF binary
  4. Dynamic analysis
  5. Reversing tools
  6. Recommended books


1. Determining file type:


file. Determine file type

$ file /usr/bin/id
/usr/bin/id: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=dd8a6756f63270ea0c6a15c47d82c30e30fb8096, stripped


xxd, head and Google. Extract the magic header and search for it in Google (or another search engine), e.g.

$ xxd /usr/bin/id | head -n 10
00000000: 7f45 4c46 0201 0100 0000 0000 0000 0000  .ELF............
00000010: 0300 3e00 0100 0000 4029 0000 0000 0000  ..>.....@)......
00000020: 4000 0000 0000 0000 28a4 0000 0000 0000  @.......(.......
00000030: 0000 0000 4000 3800 0900 4000 1e00 1d00  ....@.8...@.....
00000040: 0600 0000 0500 0000 4000 0000 0000 0000  ........@.......
00000050: 4000 0000 0000 0000 4000 0000 0000 0000  @.......@.......
00000060: f801 0000 0000 0000 f801 0000 0000 0000  ................
00000070: 0800 0000 0000 0000 0300 0000 0400 0000  ................
00000080: 3802 0000 0000 0000 3802 0000 0000 0000  8.......8.......
00000090: 3802 0000 0000 0000 1c00 0000 0000 0000  8...............


binwalk. It is a tool for searching binary images for embedded files and executable code, but we can also use it to determine the file type of the binary we have to analyse.

$ binwalk /usr/bin/id

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             ELF, 64-bit LSB shared object, AMD x86-64, version 1 (SYSV)
27309         0x6AAD          Unix path: /usr/share/locale
31360         0x7A80          Copyright string: "Copyright %s %d Free Software Foundation, Inc."
31717         0x7BE5          Unix path: /usr/lib/x86_64-linux-gnu


2. Exploring dependencies:

ldd (prints the shared libraries a program depends on):


$ ldd /usr/bin/id
        linux-vdso.so.1 (0x00007ffe581fe000)
        libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f51fbb73000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f51fb9b2000)
        libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f51fb93e000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f51fb939000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f51fbdd0000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f51fb918000)


readelf (tool to display information about ELF files):

$ readelf -d /usr/bin/id


3. Parsing the ELF binary

readelf

Show file header:

$ readelf -h /usr/bin/id
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              DYN (Shared object file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x3010
  Start of program headers:          64 (bytes into file)
  Start of section headers:          41952 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         11
  Size of section headers:           64 (bytes)
  Number of section headers:         29
  Section header string table index: 28


Show section headers table:

$ readelf -S /usr/bin/id


Show segment headers table:

$ readelf -l /usr/bin/id


Show symbol table:

$ readelf -s /usr/bin/id


Show relocation entries:

$ readelf -r /usr/bin/id


Show dynamic section:

$ readelf -d /usr/bin/id
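The library names that ldd (section 2) and readelf -d print come from the DT_NEEDED entries of the ELF dynamic section. As an added example that is not part of the original post, the Python script below reads them straight from the file with struct, which is a safe way to inspect an untrusted binary because, unlike ldd, it never loads or runs it. The function names elf_needed and build_sample_elf are my own, and build_sample_elf returns a constructed minimal ELF64 image (not a real program) whose PT_LOAD segment is mapped at 0x400000, so the DT_STRTAB virtual address has to be translated to a file offset the way readelf does.

```python
import struct

PT_LOAD, PT_DYNAMIC = 1, 2                   # program header types
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5       # dynamic section tags
EHDR = "<16sHHIQQQIHHHHHH"   # ELF64 file header, little endian (64 bytes)
PHDR = "<IIQQQQQQ"           # ELF64 program header (56 bytes)
DYN = "<qQ"                  # ELF64 dynamic entry: d_tag, d_val (16 bytes)

def elf_needed(data):
    """Return the DT_NEEDED library names of a little-endian ELF64 image (bytes)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    loads, dynamic = [], None
    for i in range(e_phnum):                  # walk the program header table
        p = struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)
        if p[0] == PT_LOAD:                   # keep (p_vaddr, p_offset, p_filesz)
            loads.append((p[3], p[2], p[5]))
        elif p[0] == PT_DYNAMIC:              # keep (p_offset, p_filesz)
            dynamic = (p[2], p[5])
    if dynamic is None:
        return []                             # statically linked: no dynamic section
    def to_offset(va):                        # virtual address -> file offset via PT_LOAD
        for vaddr, off, size in loads:
            if vaddr <= va < vaddr + size:
                return va - vaddr + off
        raise ValueError("0x%x is not inside any PT_LOAD segment" % va)
    needed, strtab = [], None
    for pos in range(dynamic[0], dynamic[0] + dynamic[1], 16):
        d_tag, d_val = struct.unpack_from(DYN, data, pos)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_NEEDED:                # d_val is an offset into the string table
            needed.append(d_val)
        elif d_tag == DT_STRTAB:              # d_val is the string table's virtual address
            strtab = to_offset(d_val)
    if strtab is None: raise ValueError("dynamic section has no DT_STRTAB")
    return [data[strtab + n:data.index(b"\0", strtab + n)].decode() for n in needed]

def build_sample_elf():
    """Constructed minimal ELF64 image (no code): PT_LOAD at 0x400000 plus PT_DYNAMIC."""
    base, strtab = 0x400000, b"\0libc.so.6\0libselinux.so.1\0"   # names at 1 and 11
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + b"\0" * 9,  # ELF64, LSB, SysV
                       3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 64, 0, 0)  # ET_DYN, EM_X86_64
    phdrs = struct.pack(PHDR, PT_LOAD, 5, 0, base, base, 0x110, 0x110, 0x1000)
    phdrs += struct.pack(PHDR, PT_DYNAMIC, 6, 0xD0, base + 0xD0, base + 0xD0, 64, 64, 8)
    dyn = b"".join(struct.pack(DYN, t, v) for t, v in [(DT_NEEDED, 1), (DT_NEEDED, 11),
                                                        (DT_STRTAB, base + 0xB0), (DT_NULL, 0)])
    return ehdr + phdrs + strtab.ljust(0x20, b"\0") + dyn
```

On a real file, elf_needed(open("/usr/bin/id", "rb").read()) lists only the binary's direct dependencies; ldd resolves them recursively, so libraries pulled in by libselinux, and the vDSO and interpreter, do not appear here.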

objdump:

Show the raw contents of a section:

$ objdump -j .comment -s /usr/bin/id


Show all symbols:

$ objdump -Tt /usr/bin/id


nm:

List symbols:

$ nm /usr/bin/id


When the ELF file has overloaded functions (mangled C++ names):

$ nm -D --demangle /usr/bin/id



4. Dynamic analysis

strace (trace syscalls):

$ strace /usr/bin/id

ltrace (trace library calls):

$ ltrace /usr/bin/id


gdb (debugger):

$ gdb /usr/bin/id

5. Reversing tools

IDA - Since it is quite expensive, I only use IDA in a job environment.

Radare2 - Very good and useful tool for CTFs. At the beginning it is more difficult than the others, but once you learn the commands everything changes.

Hopper - Works very well with ARM binaries, also the decompiler is respectable.

Ghidra - Works very well for personal use and also in a job environment.


6. Recommended books

Learning Linux Binary Analysis - Ryan "elfmaster" O'Neill

Practical Binary Analysis - Dennis Andriesse