Reverse Engineering

Executable Symbols

Tables

Symbols are names identifying addresses of a binary.

  • Have a type, such as Function, and including Undefined.

  • E.g. functions create symbols, especially external functions (puts).

ELF files have two symbol tables.

  • .dynsym: symbols which will be allocated to memory when the program loads.

    • In the example, puts is provided by libc, required for operation, and exists as a dynamic symbol.

  • .symtab: contains all symbols, including many used for linking and debugging, but not related to code required for execution.

    • These areas will not be allocated (mapped) to RAM.

    • Extremely useful to identify the name of functions/sections when reversing!

Stripping

Only symbols in the .dyntab are required.

  • Identify allocated sections.

  • Identify symbols that must be resolved in external libraries.

  • Used for Dynamic Linking when the program is loaded.

Stripping is the process of removing unused symbols and code from a binary.

  • Stripped binaries take less space, and are not reversed so easily.

    • There is no hints about the purpose of a function from its name.

PreviousBinary ObjectsNextWhat is inside an Object File?

Last updated