I am trying to debug an ELF with strange magic bytes
$ xxd binary | head -2
00000000: 7f45 4c46 4141 4141 4141 4141 4141 4141 .ELFAAAAAAAAAAAA
00000010: 0300 0300 0100 0000 0010 0000 3400 0000 ............4...
$ file binary
file binary: ELF, unknown class 65
$ objdump -D binary
objdump: binary: File format not recognised
$ readelf -h binary
ELF Header:
Magic: 7f 45 4c 46 41 41 41 41 41 41 41 41 41 41 41 41
Class: <unknown: 41>
Data: <unknown: 41>
Version: 65 <unknown: %lx>
OS/ABI: <unknown: 41>
ABI Version: 65
Type: DYN (Shared object file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x1000
Start of program headers: 52 (bytes into file)
Start of section headers: 41836 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 9
Size of section headers: 40 (bytes)
Number of section headers: 29
Section header string table index: 26
I also cannot debug it with GDB; the only thing I have been able to get out of running it is:
strace ./binary
This shows that some kind of connection is taking place. Does anyone know how to manipulate the binary so it can be analyzed better?
If the operating system is able to load and execute the binary, the program header table must be reasonably normal. Try readelf -l binary. Look for the code loaded at offset 0x1000. You will probably have to reverse engineer this unpacker/deobfuscator. You can also try using a hex editor to change the first 16 bytes of the file to 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00, which may make objdump happier.
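As an added example (not part of the question or the answer above), the following Python script automates the answer's hex-editor step. It checks e_ident, infers the ELF class and byte order from the fixed-size e_ehsize field (which the loader evidently did not need e_ident for, since the binary runs), rewrites the first 16 bytes to the suggested 7f 45 4c 46 01 01 01 00 ... prefix, and then parses the rest of the header so the result can be compared with the readelf output. The sample header is constructed from the page: the first 32 bytes come from the xxd dump and the remaining fields (shoff 41836, flags 0, ehsize 52, phentsize 32, phnum 9, shentsize 40, shnum 29, shstrndx 26) from readelf -h. The `.fixed` output suffix and the choice of OS/ABI 0 (SYSV) are my own assumptions.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2

# Constructed sample: first 32 bytes from the xxd dump on the page, the remaining
# header fields rebuilt from the readelf -h output (little-endian, 32-bit layout).
SAMPLE_HEADER = (
    ELF_MAGIC + b"A" * 12
    + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0x1000, 52, 41836, 0, 52, 32, 9, 40, 29, 26)
)

# Per class: expected e_ehsize, offset of e_ehsize, struct format of the fields after e_ident.
_LAYOUT = {
    ELFCLASS32: (52, 40, "HHIIIIIHHHHHH"),
    ELFCLASS64: (64, 52, "HHIQQQIHHHHHH"),
}
_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
           "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
           "e_shnum", "e_shstrndx")


def ident_is_sane(data):
    """True when e_ident carries values that objdump/readelf will accept."""
    return (data[:4] == ELF_MAGIC
            and data[4] in (ELFCLASS32, ELFCLASS64)
            and data[5] in (ELFDATA2LSB, ELFDATA2MSB)
            and data[6] == 1)


def infer_layout(data):
    """Guess (elf_class, elf_data) from e_ehsize, which sits at a class-dependent
    offset and must equal the header size. Returns None if nothing is consistent."""
    for elf_class, (ehsize, ehsize_off, _) in _LAYOUT.items():
        if len(data) < ehsize:
            continue
        for elf_data, endian in ((ELFDATA2LSB, "<"), (ELFDATA2MSB, ">")):
            got = struct.unpack_from(endian + "H", data, ehsize_off)[0]
            if got == ehsize:
                return elf_class, elf_data
    return None


def repair_ident(data):
    """Return a copy with e_ident rewritten as the answer suggests: inferred class and
    byte order, EI_VERSION=1, OS/ABI=0 (SYSV, an assumption), zero padding."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    layout = infer_layout(data)
    if layout is None:
        raise ValueError("could not infer ELF class/byte order from e_ehsize")
    elf_class, elf_data = layout
    fixed = bytearray(data)
    fixed[4:16] = bytes([elf_class, elf_data, 1, 0]) + bytes(8)
    return bytes(fixed)


def parse_header(data):
    """Parse the fields after e_ident, trusting the (now sane) class and byte order."""
    if not ident_is_sane(data):
        raise ValueError("e_ident is not sane; run repair_ident first")
    _, _, fmt = _LAYOUT[data[4]]
    endian = "<" if data[5] == ELFDATA2LSB else ">"
    return dict(zip(_FIELDS, struct.unpack_from(endian + fmt, data, 16)))


if __name__ == "__main__":
    # Usage: python fix_ident.py ./binary  -> writes ./binary.fixed (hypothetical name/suffix)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    raw = open(path, "rb").read() if path else SAMPLE_HEADER
    if ident_is_sane(raw):
        print("e_ident already sane, nothing to do")
    else:
        fixed = repair_ident(raw)
        for name, value in parse_header(fixed).items():
            print(f"{name:12} {value:#x}")
        if path:
            open(path + ".fixed", "wb").write(fixed)
            print(f"wrote {path}.fixed")
```

Run it against the real file to get a copy objdump will open; the original stays untouched, and the printed e_type/e_machine/e_entry/e_phoff values should match what readelf -h already reported, which confirms the repair only touched e_ident.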