Help reversing ELF target

Thread in the "WASM.RESEARCH" section, created by user danci, 23 Sep 2010.

  1. danci

    danci, New Member (Publications: 0; Registered: 23 Sep 2010; Messages: 3)

    Hello!

    Sorry for my English, but I don't know Russian.

    I'm trying to reverse a Linux i386 binary. It is packed with an unknown packer.

    1. Does anybody know any good Linux tools for examining binaries (ELF), like PEiD for Windows?

    If I use readelf I get this result:
    Code (Text):
    ELF Header:
      Magic:   7f 45 4c 46 01 01 01 03 00 00 00 00 00 00 00 00
      Class:                             ELF32
      Data:                              2's complement, little endian
      Version:                           1 (current)
      OS/ABI:                            UNIX - Linux
      ABI Version:                       0
      Type:                              EXEC (Executable file)
      Machine:                           Intel 80386
      Version:                           0x1
      Entry point address:               0xc286b0
      Start of program headers:          52 (bytes into file)
      Start of section headers:          0 (bytes into file)
      Flags:                             0x0
      Size of this header:               52 (bytes)
      Size of program headers:           32 (bytes)
      Number of program headers:         2
      Size of section headers:           40 (bytes)
      Number of section headers:         0
      Section header string table index: 0 <corrupt: out of range>

    There are no sections in this file.
    There are no sections in this file.

    Program Headers:
      Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
      LOAD           0x000000 0x00c01000 0x00c01000 0x27e14 0x27e14 R E 0x1000
      LOAD           0x000c00 0x08146c00 0x08146c00 0x00000 0x00000 RW  0x1000

    There is no dynamic section in this file.
    There are no relocations in this file.
    There are no unwind sections in this file.
    No version information found in this file.
    So the file is packed with an unknown protector.

    2. Disassembly
    Code (Text):
    LOAD:00C286B0  ; ---------------------------------------------------------------------------
    LOAD:00C286B0
    LOAD:00C286B0               public start
    LOAD:00C286B0  start:
    LOAD:00C286B0               call    loc_C28887
    LOAD:00C286B5               jmp     short loc_C286C5
    LOAD:00C286B7  ; ---------------------------------------------------------------------------
    Ok... trace trace trace...
    Code (Text):
    LOAD:00C287A3  loc_C287A3:                   ; CODE XREF: LOAD:00C287A0j
    LOAD:00C287A3               sub     edi, [esp+2Ch]
    LOAD:00C287A7               mov     edx, [esp+30h]
    LOAD:00C287AB               mov     [edx], edi
    LOAD:00C287AD               mov     [esp+1Ch], eax
    LOAD:00C287B1               popa ; return registers from stack
    LOAD:00C287B2               retn
    LOAD:00C287B3  ; ---------------------------------------------------------------------------
    And after RET:
    Code (Text):
    debug001:00C291EB           add       esp,    10h
    debug001:00C291EE
    debug001:00C291EE  loc_C291EE:                   ; CODE XREF:    debug001:00C291CAj
    debug001:00C291EE                       ; debug001:00C291CEj ...
    debug001:00C291EE           mov       eax,    [ebp-18h]
    debug001:00C291F1           add       [esi+4], eax
    debug001:00C291F4           sub       [esi], eax
    debug001:00C291F6           jmp       short loc_C29202
    ...
    ...
    ...
    debug001:00C290C4           push       eax
    debug001:00C290C5           sub       ecx,    ebx
    debug001:00C290C7           mov       al, 5Bh
    debug001:00C290C9           jmp       dword ptr [edi] ;hmmm
    Now I'm in the debug section... trace trace trace... And after the jump...
    Code (Text):
    debug002:080A072C  ; ---------------------------------------------------------------------------
    debug002:080A072C           int       80h           ; LINUX - sys_munmap
    debug002:080A072E           popa
    debug002:080A072F           retn
    debug002:080A072F  ; ---------------------------------------------------------------------------
    Again popa... And I am in a library. The library is statically linked.
    Code (Text):
    ld_2.8.90.so:B7F8A7F0  ; ---------------------------------------------------------------------------
    ld_2.8.90.so:B7F8A7F0               mov     eax, esp
    ld_2.8.90.so:B7F8A7F2               call    near ptr    unk_B7F8AA20
    ld_2.8.90.so:B7F8A7F7               mov     edi, eax
    Trace... and finally I think I'm at the EP.
    Code (Text):
    debug004:08049D90  ; ---------------------------------------------------------------------------
    debug004:08049D90           xor       ebp,    ebp
    debug004:08049D92           pop       esi
    debug004:08049D93           mov       ecx,    esp
    debug004:08049D95           and       esp,    0FFFFFFF0h
    debug004:08049D98           push       eax
    debug004:08049D99           push       esp
    debug004:08049D9A           push       edx
    debug004:08049D9B           push       offset unk_80992D0
    debug004:08049DA0           push       offset unk_80992E0
    debug004:08049DA5           push       ecx
    debug004:08049DA6           push       esi
    debug004:08049DA7           push       offset unk_804FDC0
    debug004:08049DAC           call       near    ptr unk_8049880
    debug004:08049DB1           hlt
    debug004:08049DB1  ; ---------------------------------------------------------------------------
    Maybe I'm wrong... But how do I dump the file on Linux?
    I change the bytes at 8049D90 to EB FE, run the program and detach.
    Then I run GDB, attach to the program's pid and dump the sections I can dump.
    I got the string table and all the code, but no library functions... How do I dump this file the right way?
     
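There is no direct PEiD equivalent in the standard Linux toolchain; what you do instead is read `readelf -h -l` output and apply a few "does this look packed" heuristics by hand. The block below is an added example (not code from the thread) that parses a little-endian ELF32 header plus its program headers with `struct` and applies those heuristics. The sample input is constructed from the exact values readelf printed in the post above (only the headers; no code bytes follow them); the indicator tags and the 95% "stub at the tail of the segment" threshold are this example's own choices.

```python
import struct

ELF_MAGIC = b"\x7fELF"
EHDR_FMT = "<16sHHIIIIIHHHHHH"   # Elf32_Ehdr, little-endian (52 bytes)
PHDR_FMT = "<IIIIIIII"           # Elf32_Phdr (32 bytes)
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
PF_X = 1


def build_sample_elf():
    """Constructed input: the ELF32 header and the two program headers with the
    values printed by readelf in the post. Nothing but the headers is present."""
    ident = ELF_MAGIC + bytes([1, 1, 1, 3]) + bytes(8)   # ELFCLASS32, LSB, v1, OSABI 3 (Linux)
    ehdr = struct.pack(EHDR_FMT, ident,
                       2, 3, 1,             # e_type EXEC, e_machine EM_386, e_version
                       0x00C286B0,          # e_entry
                       52, 0, 0,            # e_phoff, e_shoff (no section headers), e_flags
                       52, 32, 2,           # e_ehsize, e_phentsize, e_phnum
                       40, 0, 0)            # e_shentsize, e_shnum (none), e_shstrndx
    ph1 = struct.pack(PHDR_FMT, PT_LOAD, 0x000000, 0x00C01000, 0x00C01000,
                      0x27E14, 0x27E14, 5, 0x1000)       # R E
    ph2 = struct.pack(PHDR_FMT, PT_LOAD, 0x000C00, 0x08146C00, 0x08146C00,
                      0x0, 0x0, 6, 0x1000)               # RW, zero-sized
    return ehdr + ph1 + ph2


def parse_elf32(data):
    """Return (ehdr dict, list of phdr dicts) for a little-endian ELF32 image."""
    if data[:4] != ELF_MAGIC or data[4] != 1 or data[5] != 1:
        raise ValueError("not a little-endian ELF32 file")
    names = ("ident", "type", "machine", "version", "entry", "phoff", "shoff", "flags",
             "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx")
    ehdr = dict(zip(names, struct.unpack_from(EHDR_FMT, data, 0)))
    pnames = ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")
    phdrs = []
    for i in range(ehdr["phnum"]):
        off = ehdr["phoff"] + i * ehdr["phentsize"]
        phdrs.append(dict(zip(pnames, struct.unpack_from(PHDR_FMT, data, off))))
    return ehdr, phdrs


def packer_indicators(ehdr, phdrs):
    """PEiD-style 'looks packed' checks; returns a list of short tags (example's own names)."""
    hits = []
    if ehdr["shoff"] == 0 or ehdr["shnum"] == 0:
        hits.append("no_section_headers")        # readelf: 'There are no sections in this file.'
    types = {p["type"] for p in phdrs}
    if PT_INTERP not in types and PT_DYNAMIC not in types:
        hits.append("no_interp_or_dynamic")      # the stub does its own loading, or the file is static
    for p in phdrs:
        if p["type"] != PT_LOAD:
            continue
        if p["vaddr"] <= ehdr["entry"] < p["vaddr"] + p["memsz"]:
            # Stubs appended after the compressed payload sit at the very end of the
            # only executable segment; here (entry - vaddr) / memsz is about 0.99.
            if (ehdr["entry"] - p["vaddr"]) / p["memsz"] > 0.95:
                hits.append("entry_at_segment_tail")
            if not p["flags"] & PF_X:
                hits.append("entry_in_non_exec_segment")
        if p["filesz"] == 0 and p["memsz"] == 0:
            hits.append("empty_load_segment")    # nothing is loaded there; header written by a stub
    return hits


if __name__ == "__main__":
    e, ps = parse_elf32(build_sample_elf())
    print("entry 0x%08x, %d program headers" % (e["entry"], len(ps)))
    print("indicators:", packer_indicators(e, ps))
```

Run it against a real file by replacing `build_sample_elf()` with `open(path, "rb").read()`. None of these tags identifies a particular packer; together they tell you that the on-disk headers are not the original program's and that the real entry point has to be found at runtime, which is exactly what the trace in the post goes on to do.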
  2. EvilsInterrupt

    EvilsInterrupt, Grasping the basics of Zen (Publications: 0; Registered: 28 Oct 2003; Messages: 2,428; Location: Russia)

    danci
    Hi, can you upload your protected file, e.g. to rapidshare?
     
  3. danci

    danci, New Member (Publications: 0; Registered: 23 Sep 2010; Messages: 3)

    Memory looks like:
    Code (Text):
    00c01000-00c02000 r-xp 00000000 08:01 472102    LOAD        /home/danci/prog/prog
    08048000-080a1000 r-xp 08048000 00:00 0        DEBUG004
    080a1000-08147000 rwxp 080a1000 00:00 0         PROG
    b7de3000-b7de5000 rwxp b7de3000 00:00 0         DEBUG005
    b7de5000-b7f3d000 r-xp 00000000 08:01 246510             /lib/tls/i686/cmov/libc-2.8.90.so
    b7f3d000-b7f3f000 r-xp 00158000 08:01 246510             /lib/tls/i686/cmov/libc-2.8.90.so
    b7f3f000-b7f40000 rwxp 0015a000 08:01 246510             /lib/tls/i686/cmov/libc-2.8.90.so
    b7f40000-b7f43000 rwxp b7f40000 00:00 0         DEBUG006
    b7f43000-b7f58000 r-xp 00000000 08:01 246536             /lib/tls/i686/cmov/libpthread-2.8.90.so
    b7f58000-b7f59000 r-xp 00014000 08:01 246536             /lib/tls/i686/cmov/libpthread-2.8.90.so
    b7f59000-b7f5a000 rwxp 00015000 08:01 246536             /lib/tls/i686/cmov/libpthread-2.8.90.so
    b7f5a000-b7f5c000 rwxp b7f5a000 00:00 0         DEBUG007
    b7f6d000-b7f6f000 rwxp b7f6d000 00:00 0         DEBUG008
    b7f6f000-b7f89000 r-xp 00000000 08:01 228948             /lib/ld-2.8.90.so
    b7f89000-b7f8a000 ---p b7f89000 00:00 0         DEBUG002
    b7f8a000-b7f8b000 r-xp 0001a000 08:01 228948             /lib/ld-2.8.90.so
    b7f8b000-b7f8c000 rwxp 0001b000 08:01 228948             /lib/ld-2.8.90.so
    bf877000-bf88c000 rwxp bffeb000 00:00 0         [stack]
    ffffe000-fffff000 r-xp 00000000 00:00 0         [vdso]
    I can dump only:
    Code (Text):
    08048000-080a1000 r-xp 08048000 00:00 0        DEBUG004
    080a1000-08147000 rwxp 080a1000 00:00 0         PROG
     
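The dumping question in the first post and the memory map in this one call for the same thing: pick the regions that hold the unpacked program and read them out of the stopped process. The block below is an added example, not code from the thread. It parses `/proc/<pid>/maps` text, drops the unreadable `---p` guard page that would make a naive dumper fail halfway, selects the anonymous mappings that start at the classic i386 base 0x08048000 and run on contiguously (the stub's output), and dumps them through `/proc/<pid>/mem`. The sample map is constructed in `/proc` format from the addresses in the post above (the `LOAD`/`DEBUGnnn`/`PROG` labels are IDA segment names and are left out); the base address, output naming and function names are this example's own assumptions.

```python
import os
import re

# Constructed sample in /proc/<pid>/maps format, built from the addresses in the post.
SAMPLE_MAPS = """\
00c01000-00c02000 r-xp 00000000 08:01 472102     /home/danci/prog/prog
08048000-080a1000 r-xp 08048000 00:00 0
080a1000-08147000 rwxp 080a1000 00:00 0
b7de3000-b7de5000 rwxp b7de3000 00:00 0
b7de5000-b7f3d000 r-xp 00000000 08:01 246510     /lib/tls/i686/cmov/libc-2.8.90.so
b7f3d000-b7f3f000 r-xp 00158000 08:01 246510     /lib/tls/i686/cmov/libc-2.8.90.so
b7f3f000-b7f40000 rwxp 0015a000 08:01 246510     /lib/tls/i686/cmov/libc-2.8.90.so
b7f40000-b7f43000 rwxp b7f40000 00:00 0
b7f43000-b7f58000 r-xp 00000000 08:01 246536     /lib/tls/i686/cmov/libpthread-2.8.90.so
b7f58000-b7f59000 r-xp 00014000 08:01 246536     /lib/tls/i686/cmov/libpthread-2.8.90.so
b7f59000-b7f5a000 rwxp 00015000 08:01 246536     /lib/tls/i686/cmov/libpthread-2.8.90.so
b7f5a000-b7f5c000 rwxp b7f5a000 00:00 0
b7f6d000-b7f6f000 rwxp b7f6d000 00:00 0
b7f6f000-b7f89000 r-xp 00000000 08:01 228948     /lib/ld-2.8.90.so
b7f89000-b7f8a000 ---p b7f89000 00:00 0
b7f8a000-b7f8b000 r-xp 0001a000 08:01 228948     /lib/ld-2.8.90.so
b7f8b000-b7f8c000 rwxp 0001b000 08:01 228948     /lib/ld-2.8.90.so
bf877000-bf88c000 rwxp bffeb000 00:00 0          [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]
"""

MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$")


def parse_maps(text):
    """One dict per mapping: start, end, perms, file offset, path ('' if anonymous)."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        regions.append({"start": int(m.group(1), 16), "end": int(m.group(2), 16),
                        "perms": m.group(3), "offset": int(m.group(4), 16),
                        "path": m.group(7).strip()})
    return regions


def readable(regions):
    # '---p' guard pages (ld.so keeps one between its text and data) cannot be read
    # from /proc/<pid>/mem; skip them instead of aborting the whole dump on EIO.
    return [r for r in regions if r["perms"][0] == "r"]


def unpacked_image(regions, base=0x08048000):
    """Anonymous mappings starting at the i386 load base and continuing without a
    gap: the memory the stub filled after unpacking (assumed base; adjust if needed)."""
    picked = []
    for r in sorted(regions, key=lambda r: r["start"]):
        if r["path"]:
            continue
        if not picked and r["start"] != base:
            continue
        if picked and r["start"] != picked[-1]["end"]:
            break
        picked.append(r)
    return picked


def image_span(picked):
    return (picked[0]["start"], picked[-1]["end"]) if picked else None


def has_elf_header(blob):
    # Only if the unpacker left the original ELF header at the base will readelf -l on
    # the dump still show PT_DYNAMIC/PT_INTERP; otherwise you get raw code and data only.
    return blob[:4] == b"\x7fELF"


def dump_regions(pid, regions, outdir):
    """Write each region to outdir/<start>-<end>.bin from /proc/<pid>/mem. The target
    must be stopped (for example spinning on the EB FE patch) and, on kernels of the
    era of this thread, the reader must be its ptrace tracer; from inside GDB the
    equivalent per region is 'dump memory FILE START END'."""
    os.makedirs(outdir, exist_ok=True)
    written = []
    with open("/proc/%d/mem" % pid, "rb", buffering=0) as mem:
        for r in regions:
            data = os.pread(mem.fileno(), r["end"] - r["start"], r["start"])
            name = os.path.join(outdir, "%08x-%08x.bin" % (r["start"], r["end"]))
            with open(name, "wb") as f:
                f.write(data)
            written.append((name, len(data), has_elf_header(data)))
    return written


if __name__ == "__main__":
    regs = parse_maps(SAMPLE_MAPS)
    img = unpacked_image(regs)
    print("readable regions: %d of %d" % (len(readable(regs)), len(regs)))
    print("unpacked image: 0x%08x-0x%08x" % image_span(img))
    # dump_regions(<pid>, img, "dump")   # against a live, stopped target
```

For a live target, replace `SAMPLE_MAPS` with the contents of `/proc/<pid>/maps`. The image selected here is exactly the two regions the post says it could dump, and it is anonymous memory, so whether the dump carries the original ELF header (and with it the dynamic-linking information that names the library functions) is the first thing to check on the output.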
  4. danci

    danci, New Member (Publications: 0; Registered: 23 Sep 2010; Messages: 3)

    It is not a public release, so it is not good to share... I can send it by email if you want. But please don't talk about the target, ok?
     
  5. EvilsInterrupt

    EvilsInterrupt, Grasping the basics of Zen (Publications: 0; Registered: 28 Oct 2003; Messages: 2,428; Location: Russia)

    danci
    >>But please don't talk about the target, ok?
    Ok! Could you send me a private message on this forum, please (e-mail)?
     
  6. EvilsInterrupt

    EvilsInterrupt, Grasping the basics of Zen (Publications: 0; Registered: 28 Oct 2003; Messages: 2,428; Location: Russia)

    danci
    Please run this code:
    danci->checkEmail();