StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
5520318
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
14
CommunityOwnedDate
CreationDate
2011-04-02T00:48:04.550
FavoriteCount
0
LastActivityDate
2011-04-02T02:55:12.013
LastEditDate
2011-04-02T02:55:12.013
LastEditorUserId
670521
OwnerUserId
670521
ParentId
5475790
PostTypeId
2
Score
42
ViewCount
0
LastEditorDisplayName
text
Body
Ok, here a big edition of my previous answer. I think I found a way now. You (still :) have this specific problem: <pre><code>(gdb) disas main No symbol table is loaded. Use the "file" command. </code></pre> Now, if you compile the code (I added a <code>return 0</code> at the end), you will get with <code>gcc -S</code>: <pre><code> pushq %rbp movq %rsp, %rbp movl $.LC0, %edi call puts movl $0, %eax leave ret </code></pre> Now, you can see that your binary gives you some info: Striped: <pre><code>(gdb) info files Symbols from "/home/beco/Documents/fontes/cpp/teste/stackoverflow/distrip". Local exec file: `/home/beco/Documents/fontes/cpp/teste/stackoverflow/distrip', file type elf64-x86-64. Entry point: 0x400440 0x0000000000400238 - 0x0000000000400254 is .interp ... 0x00000000004003a8 - 0x00000000004003c0 is .rela.dyn 0x00000000004003c0 - 0x00000000004003f0 is .rela.plt 0x00000000004003f0 - 0x0000000000400408 is .init 0x0000000000400408 - 0x0000000000400438 is .plt 0x0000000000400440 - 0x0000000000400618 is .text ... 0x0000000000601010 - 0x0000000000601020 is .data 0x0000000000601020 - 0x0000000000601030 is .bss </code></pre> The most important entry here is <code>.text</code>. It is a common name for a assembly start of code, and from our explanation of main bellow, from its size, you can see that it includes main. If you disassembly it, you will see a call to __libc_start_main. Most important, you are disassembling a good entry point that is real code (you are not misleading to change DATA to CODE). <pre><code>disas 0x0000000000400440,0x0000000000400618 Dump of assembler code from 0x400440 to 0x400618: 0x0000000000400440: xor %ebp,%ebp 0x0000000000400442: mov %rdx,%r9 0x0000000000400445: pop %rsi 0x0000000000400446: mov %rsp,%rdx 0x0000000000400449: and $0xfffffffffffffff0,%rsp 0x000000000040044d: push %rax 0x000000000040044e: push %rsp 0x000000000040044f: mov $0x400540,%r8 0x0000000000400456: mov $0x400550,%rcx 0x000000000040045d: mov $0x400524,%rdi 0x0000000000400464: callq 0x400428 <__libc_start_main@plt> 0x0000000000400469: hlt ... 0x000000000040046c: sub $0x8,%rsp ... 0x0000000000400482: retq 0x0000000000400483: nop ... 0x0000000000400490: push %rbp .. 0x00000000004004f2: leaveq 0x00000000004004f3: retq 0x00000000004004f4: data32 data32 nopw %cs:0x0(%rax,%rax,1) ... 0x000000000040051d: leaveq 0x000000000040051e: jmpq *%rax ... 0x0000000000400520: leaveq 0x0000000000400521: retq 0x0000000000400522: nop 0x0000000000400523: nop 0x0000000000400524: push %rbp 0x0000000000400525: mov %rsp,%rbp 0x0000000000400528: mov $0x40062c,%edi 0x000000000040052d: callq 0x400418 <puts@plt> 0x0000000000400532: mov $0x0,%eax 0x0000000000400537: leaveq 0x0000000000400538: retq </code></pre> The call to <a href="http://refspecs.freestandards.org/LSB_3.1.1/LSB-Core-generic/LSB-Core-generic/baselib---libc-start-main-.html">__libc_start_main</a> gets as its first argument a pointer to main(). So, the last argument in the stack just immediately before the call is your main() address. <pre><code> 0x000000000040045d: mov $0x400524,%rdi 0x0000000000400464: callq 0x400428 <__libc_start_main@plt> </code></pre> Here it is 0x400524 (as we already know). Now you set a breakpoint an try this: <pre><code>(gdb) break *0x400524 Breakpoint 1 at 0x400524 (gdb) run Starting program: /home/beco/Documents/fontes/cpp/teste/stackoverflow/disassembly/d2 Breakpoint 1, 0x0000000000400524 in main () (gdb) n Single stepping until exit from function main, which has no line number information. hello 1 __libc_start_main (main=<value optimized out>, argc=<value optimized out>, ubp_av=<value optimized out>, init=<value optimized out>, fini=<value optimized out>, rtld_fini=<value optimized out>, stack_end=0x7fffffffdc38) at libc-start.c:258 258 libc-start.c: No such file or directory. in libc-start.c (gdb) n Program exited normally. (gdb) </code></pre> Now you can disassembly it using: <pre><code>(gdb) disas 0x0000000000400524,0x0000000000400600 Dump of assembler code from 0x400524 to 0x400600: 0x0000000000400524: push %rbp 0x0000000000400525: mov %rsp,%rbp 0x0000000000400528: sub $0x10,%rsp 0x000000000040052c: movl $0x1,-0x4(%rbp) 0x0000000000400533: mov $0x40064c,%eax 0x0000000000400538: mov -0x4(%rbp),%edx 0x000000000040053b: mov %edx,%esi 0x000000000040053d: mov %rax,%rdi 0x0000000000400540: mov $0x0,%eax 0x0000000000400545: callq 0x400418 <printf@plt> 0x000000000040054a: mov $0x0,%eax 0x000000000040054f: leaveq 0x0000000000400550: retq 0x0000000000400551: nop 0x0000000000400552: nop 0x0000000000400553: nop 0x0000000000400554: nop 0x0000000000400555: nop ... </code></pre> This is primarily the solution. BTW, this is a different code, to see if it works. That is why the assembly above is a bit different. The code above is from this c file: <pre><code>#include <stdio.h> int main(void) { int i=1; printf("hello %d\n", i); return 0; } </code></pre> But! <hr> if this does not work, then you still have some hints: You should be looking to set breakpoints in the beginning of all functions from now on. They are just before a <code>ret</code> or <code>leave</code>. The first entry point is <code>.text</code> itself. This is the assembly start, but not the main. The problem is that not always a breakpoint will let your program run. Like this one in the very <code>.text</code>: <pre><code>(gdb) break *0x0000000000400440 Breakpoint 2 at 0x400440 (gdb) run Starting program: /home/beco/Documents/fontes/cpp/teste/stackoverflow/disassembly/d2 Breakpoint 2, 0x0000000000400440 in _start () (gdb) n Single stepping until exit from function _start, which has no line number information. 0x0000000000400428 in __libc_start_main@plt () (gdb) n Single stepping until exit from function __libc_start_main@plt, which has no line number information. 0x0000000000400408 in ?? () (gdb) n Cannot find bounds of current function </code></pre> So you need to keep trying until you find your way, setting breakpoints at: <pre><code>0x400440 0x40046c 0x400490 0x4004f4 0x40051e 0x400524 </code></pre> <hr> From the other answer, we should keep this info: In the non-striped version of the file, we see: <pre><code>(gdb) disas main Dump of assembler code for function main: 0x0000000000400524 <+0>: push %rbp 0x0000000000400525 <+1>: mov %rsp,%rbp 0x0000000000400528 <+4>: mov $0x40062c,%edi 0x000000000040052d <+9>: callq 0x400418 <puts@plt> 0x0000000000400532 <+14>: mov $0x0,%eax 0x0000000000400537 <+19>: leaveq 0x0000000000400538 <+20>: retq End of assembler dump. </code></pre> Now we know that main is at <code>0x0000000000400524,0x0000000000400539</code>. If we use the same offset to look at the striped binary we get the same results: <pre><code>(gdb) disas 0x0000000000400524,0x0000000000400539 Dump of assembler code from 0x400524 to 0x400539: 0x0000000000400524: push %rbp 0x0000000000400525: mov %rsp,%rbp 0x0000000000400528: mov $0x40062c,%edi 0x000000000040052d: callq 0x400418 <puts@plt> 0x0000000000400532: mov $0x0,%eax 0x0000000000400537: leaveq 0x0000000000400538: retq End of assembler dump. </code></pre> So, unless you can get some tip where the main starts (like using another code with symbols), another way is if you can have some info about the firsts assembly instructions, so you can disassembly at specifics places and look if it matches. If you have no access at all to the code, you still can read the <a href="http://www.x86-64.org/documentation/abi.pdf">ELF definition</a> to understand how many sections should appear in the code and try a calculated address. Still, you need info about sections in the code! That is hard work, my friend! Good luck! Beco
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POHow to disassemble the main function of a stripped application?
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. USDr Beco
UserOwnerUserId
1. USDr Beco
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. POHow to disassemble the main function of a stripped application?
 singulars
 PostTypePostTypeId
 PTQuestion
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.