
Author Topic: I need help with ELF  (Read 507 times)


Offline DarkestEx
I need help with ELF
« on: March 08, 2017, 06:17:51 pm »
Hello everyone.
This question is directed to anyone who has experience with GCC and the ELF file format and the related Unix tools.
Maybe one of you, @Sorunome or @Streetwalrus?

Essentially I have a .ELF file for ARM which is not stripped. I need to remove symbols from it. It could be in any unorthodox way possible, but it needs to be done. Later I need to replace said functions with equivalent ones from .o files.

I would be glad if anyone had an idea or could point out a way to do this.
The ELF file in question can be downloaded from here: http://data.bmuessig.eu/CNC/DDCSV11/Dumps/Files/motion.out
It can also be viewed in ODA: https://www.onlinedisassembler.com/odaweb/H7yyMp7I/0

I just need to remove the main symbol really, so that I can link a custom main or modify the existing main to call my main function and then return. E.g. the original code could first jump to my function and then the rest would be NOP'ed.


Offline Sorunome
Re: I need help with ELF
« Reply #1 on: March 08, 2017, 06:21:10 pm »

Offline Streetwalrus
Re: I need help with ELF
« Reply #2 on: March 08, 2017, 06:52:46 pm »
Strip will remove debugging symbols (gcc includes some by default even when you don't compile with -g). What you want is not removing symbols but actual sections. I don't really know how to do that but a possible approach would be to replace the beginning of the main function with a jump to another function that you would add.
Offline Sorunome
Re: I need help with ELF
« Reply #3 on: March 08, 2017, 06:57:34 pm »
Quote
Strip will remove debugging symbols (gcc includes some by default even when you don't compile with -g). What you want is not removing symbols but actual sections. I don't really know how to do that but a possible approach would be to replace the beginning of the main function with a jump to another function that you would add.
We just talked about this on IRC a bit, DarkestEx is using 32-bit embedded ARM.

Those things have at the beginning a vector table where the first 4-byte entry is the address to load into pc upon startup, so he could modify that.

Offline Vogtinator
Re: I need help with ELF
« Reply #4 on: March 08, 2017, 07:30:02 pm »
Quote
I need to remove Symbols from it. It could be in any unorthodox way possible, but it needs to be done. Later I need to replace said functions with equivalent ones from .o files.
That is not possible if the ELF file is an EXECUTABLE and was not linked with --emit-relocs as it's impossible to reconstruct where the symbols are used.
You need to find and fixup all references yourself, IDA can tell you where most references are and even has a patch function (although manual assembly is required). This won't work that easily if relative branches were used, that may require using a constant placed in the literal pool.

Edit: You can also just append your modded functions to the ELF file and patch the main function to branch to the modified ones.
« Last Edit: March 08, 2017, 07:33:50 pm by Vogtinator »
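Putting Streetwalrus's and Vogtinator's suggestions into working code, as an added example that is not from this thread or from the DDCSV firmware: it encodes the A32 branch that would sit at the start of main, refuses targets outside the 32 MiB reach of a relative B (the case where Vogtinator's literal-pool trampoline is needed instead), and maps a virtual address to its file offset through the program headers so the patch lands on the right bytes. The ELF image is a constructed stand-in, not the motion.out dump; the function names and the addresses 0x8010 and 0x8030 are assumptions.

```python
import struct

ARM_B_AL = 0xEA000000      # A32 'B' opcode, condition AL; 24-bit signed word offset
LDR_PC_PC_M4 = 0xE51FF004  # A32 'LDR pc, [pc, #-4]': loads the word right after it into pc


def encode_arm_branch(from_addr: int, to_addr: int) -> bytes:
    """Encode 'B to_addr' placed at from_addr (A32 reads pc as from_addr + 8)."""
    if from_addr % 4 or to_addr % 4:
        raise ValueError("A32 branches need 4-byte aligned addresses")
    off = (to_addr - (from_addr + 8)) >> 2
    if not -0x800000 <= off <= 0x7FFFFF:
        raise ValueError("target is outside the +/-32 MiB reach of a relative B")
    return struct.pack("<I", ARM_B_AL | (off & 0xFFFFFF))


def encode_ldr_pc_trampoline(to_addr: int) -> bytes:
    """8-byte absolute jump: the instruction plus its literal-pool word (any distance)."""
    return struct.pack("<II", LDR_PC_PC_M4, to_addr)


def vaddr_to_offset(elf: bytes, vaddr: int) -> int:
    """Map a virtual address to a file offset through the PT_LOAD program headers (ELF32 LE)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF32 image")
    (e_phoff,) = struct.unpack_from("<I", elf, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<5I", elf, e_phoff + i * e_phentsize)
        if p_type == 1 and p_vaddr <= vaddr < p_vaddr + p_filesz:  # PT_LOAD, file-backed
            return p_offset + (vaddr - p_vaddr)
    raise ValueError("address is not backed by file data in any PT_LOAD segment")


def redirect_function(elf: bytes, func_vaddr: int, hook_vaddr: int) -> bytes:
    """Copy of the image whose first instruction at func_vaddr is 'B hook_vaddr'."""
    off = vaddr_to_offset(elf, func_vaddr)
    return elf[:off] + encode_arm_branch(func_vaddr, hook_vaddr) + elf[off + 4:]


def build_sample_elf() -> bytes:
    """Constructed stand-in for the real firmware: ELF32 ARM, one PT_LOAD at 0x8000 of 16 NOPs."""
    text = struct.pack("<I", 0xE1A00000) * 16          # MOV r0, r0 (the classic A32 NOP)
    ehdr = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + struct.pack(
        "<HHIIIIIHHHHHH", 2, 40, 1, 0x8000, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack("<8I", 1, 84, 0x8000, 0x8000, len(text), len(text), 5, 4)
    return ehdr + phdr + text                           # text begins at file offset 84
```

Only the four bytes at the start of the redirected function change, which is also exactly what a byte-level diff or firmware integrity check of the image will flag.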