CodeWalrus

General => General Help & Troubleshooting => Topic started by: DarkestEx on March 08, 2017, 06:17:51 PM

Title: I need help with ELF
Post by: DarkestEx on March 08, 2017, 06:17:51 PM
Hello everyone.
This question is directed to anyone who has experience with GCC and the ELF file format and the releated Unix tools.
Maybe one of you, @Sorunome or @Streetwalrus?

Essentially I have a .ELF file for ARM which is not stripped. I need to remove Symbols from it. It could be in any unorthodox way possible, but it needs to be done. Later I need to replace said functions with equivalent ones from .o files.

I would be glad if anyone had an idea or could point out a way to do this.
The ELF file in question can be downloaded from here: http://data.bmuessig.eu/CNC/DDCSV11/Dumps/Files/motion.out
It can also be viewed in ODA: https://www.onlinedisassembler.com/odaweb/H7yyMp7I/0

I just need to remove the main symbol really, so that I can link a custom main or modify the existing main to call my main function and then return. E.g. the original code could first jump to my function and then the rest would be NOP'ed.
Title: Re: I need help with ELF
Post by: Sorunome on March 08, 2017, 06:21:10 PM
try

strip myfile


More info on that: https://sourceware.org/binutils/docs/binutils/strip.html
Title: Re: I need help with ELF
Post by: novenary on March 08, 2017, 06:52:46 PM
Strip will remove debugging symbols (gcc includes some by default even when you don't compile with -g). What you want is not removing symbols but actual sections. I don't really know how to do that but a possible approach would be to replace the beginning of the main function with a jump to another function that you would add.
Title: Re: I need help with ELF
Post by: Sorunome on March 08, 2017, 06:57:34 PM
Quote from: Streetwalrus on March 08, 2017, 06:52:46 PM
Strip will remove debugging symbols (gcc includes some by default even when you don't compile with -g). What you want is not removing symbols but actual sections. I don't really know how to do that but a possible approach would be to replace the beginning of the main function with a jump to another function that you would add.
We just talked about this on IRC a bit, DarkestEx is using 32-bit embedded ARM.

Those things have at the beginning a vectortable where the first 4-byte entry is the address to load into pc upon startup, so he could modify that.
Title: Re: I need help with ELF
Post by: Vogtinator on March 08, 2017, 07:30:02 PM
QuoteI need to remove Symbols from it. It could be in any unorthodox way possible, but it needs to be done. Later I need to replace said functions with equivalent ones from .o files.
That is not possible if the ELF file is a EXECUTABLE and was not linked with --emit-relocs as it's impossible to reconstruct where the symbols are used.
You need to find and fixup all references yourself, IDA can tell you where most references are and even has a patch function (although manually assembly is required). This won't work that easily if relative branches were used, that may require using a constant placed in the literal pool.

Edit: You can also just append your modded functions to the ELF file and patch the main function to branch to the modified ones.