Join us on Discord!
You can help CodeWalrus stay online by donating here.

I need help with ELF

Started by DarkestEx, March 08, 2017, 06:17:51 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

DarkestEx

Hello everyone.
This question is directed to anyone who has experience with GCC and the ELF file format and the releated Unix tools.
Maybe one of you, @Sorunome or @Streetwalrus?

Essentially I have a .ELF file for ARM which is not stripped. I need to remove Symbols from it. It could be in any unorthodox way possible, but it needs to be done. Later I need to replace said functions with equivalent ones from .o files.

I would be glad if anyone had an idea or could point out a way to do this.
The ELF file in question can be downloaded from here: http://data.bmuessig.eu/CNC/DDCSV11/Dumps/Files/motion.out
It can also be viewed in ODA: https://www.onlinedisassembler.com/odaweb/H7yyMp7I/0

I just need to remove the main symbol really, so that I can link a custom main or modify the existing main to call my main function and then return. E.g. the original code could first jump to my function and then the rest would be NOP'ed.
  • Calculators owned: TI-84+, Casio 101-S, RPN-Calc, Hewlett-Packard 100LX, Hewlett-Packard 95LX
  • Consoles, mobile devices and vintage computers owned: Original Commodore 64C, C64 DTV, Nintendo GameBoy Color, Nintendo GameCube, Xbox 360, PlayStation 2

Sorunome

  • Calculators owned: Too many (why are you even reading this?)
  • Consoles, mobile devices and vintage computers owned: Gamebuino!
This is a signature.
And now......give me an internet!

To be or not to be.........is that even a question? Who gets to decide this anyways?

novenary

Strip will remove debugging symbols (gcc includes some by default even when you don't compile with -g). What you want is not removing symbols but actual sections. I don't really know how to do that but a possible approach would be to replace the beginning of the main function with a jump to another function that you would add.

Sorunome

Quote from: Streetwalrus on March 08, 2017, 06:52:46 PM
Strip will remove debugging symbols (gcc includes some by default even when you don't compile with -g). What you want is not removing symbols but actual sections. I don't really know how to do that but a possible approach would be to replace the beginning of the main function with a jump to another function that you would add.
We just talked about this on IRC a bit, DarkestEx is using 32-bit embedded ARM.

Those things have at the beginning a vectortable where the first 4-byte entry is the address to load into pc upon startup, so he could modify that.
  • Calculators owned: Too many (why are you even reading this?)
  • Consoles, mobile devices and vintage computers owned: Gamebuino!
This is a signature.
And now......give me an internet!

To be or not to be.........is that even a question? Who gets to decide this anyways?

Vogtinator

#4
QuoteI need to remove Symbols from it. It could be in any unorthodox way possible, but it needs to be done. Later I need to replace said functions with equivalent ones from .o files.
That is not possible if the ELF file is a EXECUTABLE and was not linked with --emit-relocs as it's impossible to reconstruct where the symbols are used.
You need to find and fixup all references yourself, IDA can tell you where most references are and even has a patch function (although manually assembly is required). This won't work that easily if relative branches were used, that may require using a constant placed in the literal pool.

Edit: You can also just append your modded functions to the ELF file and patch the main function to branch to the modified ones.
  • Calculators owned: TI-Nspie CX CAS, Casio FX-85ES

Powered by EzPortal