Forensic and Incident Response (Cont. 4)
Aug 8, 2017 · 15 min read

A collection of simple Forensic and Incident Response exercises that I’ve taught in classes over the past years. It’s time to embrace new challenges, learn new tricks and give back to the community.
x07 — Case005 (ELF)
Install gcc and ltrace
dnf -y install gcc ltrace
Create a new folder
mkdir /forensic/case005 && cd /forensic/case005
Create a sample file
vim example.c
Example contents
#include <stdio.h>
#include <string.h>
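/*
 * Minimal access-check sample used as the analysis target for the ELF
 * walkthrough below. The expected code is a plain string literal, so it is
 * embedded in the binary verbatim; that is what the later `strings` run
 * recovers.
 *
 * Returns 0 in every case; the result of the check is only printed.
 */
int main(void)
{
    char buf[100];
    char secret[] = "PASS";

    printf("Enter access code: ");

    /* fgets() is bounded by the buffer size, unlike gets(), which has no
     * length limit and was removed from the language in C11. On EOF or a
     * read error buf is left untouched by fgets(), so make it an empty
     * string rather than passing uninitialized bytes to strcmp(). */
    if (fgets(buf, sizeof buf, stdin) == NULL) {
        buf[0] = '\0';
    }

    /* fgets() keeps the trailing newline; drop it so the comparison is on
     * the typed text only. */
    buf[strcspn(buf, "\n")] = '\0';

    if (strcmp(buf, secret) == 0) {
        printf("Access granted!\n");
    } else {
        printf("Access denied!\n");
    }
    return 0;
}
Compile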
make example
Test
./example
Enter access code: SampleCode
Access denied!
LDD
ldd example
Output
linux-vdso.so.1 => (0x00007fffdfffe000)
libc.so.6 => /lib64/libc.so.6 (0x00007fb51d371000)
/lib64/ld-linux-x86-64.so.2 (0x00007fb51d745000)
ReadELF
readelf -a example
Output
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x400520
Start of program headers: 64 (bytes into file)
Start of section headers: 4480 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 9
Size of section headers: 64 (bytes)
Number of section headers: 30
Section header string table index: 27
Section Headers:
[Nr] Name Type Address Offset
Size EntSize Flags Link Info Align
[ 0] NULL 0000000000000000 00000000
0000000000000000 0000000000000000 0 0 0
[ 1] .interp PROGBITS 0000000000400238 00000238
000000000000001c 0000000000000000 A 0 0 1
[ 2] .note.ABI-tag NOTE 0000000000400254 00000254
0000000000000020 0000000000000000 A 0 0 4
[ 3] .note.gnu.build-i NOTE 0000000000400274 00000274
0000000000000024 0000000000000000 A 0 0 4
[ 4] .gnu.hash GNU_HASH 0000000000400298 00000298
000000000000001c 0000000000000000 A 5 0 8
[ 5] .dynsym DYNSYM 00000000004002b8 000002b8
00000000000000a8 0000000000000018 A 6 1 8
[ 6] .dynstr STRTAB 0000000000400360 00000360
0000000000000050 0000000000000000 A 0 0 1
[ 7] .gnu.version VERSYM 00000000004003b0 000003b0
000000000000000e 0000000000000002 A 5 0 2
[ 8] .gnu.version_r VERNEED 00000000004003c0 000003c0
0000000000000020 0000000000000000 A 6 1 8
[ 9] .rela.dyn RELA 00000000004003e0 000003e0
0000000000000018 0000000000000018 A 5 0 8
[10] .rela.plt RELA 00000000004003f8 000003f8
0000000000000090 0000000000000018 A 5 12 8
[11] .init PROGBITS 0000000000400488 00000488
000000000000001a 0000000000000000 AX 0 0 4
[12] .plt PROGBITS 00000000004004b0 000004b0
0000000000000070 0000000000000010 AX 0 0 16
[13] .text PROGBITS 0000000000400520 00000520
00000000000001d2 0000000000000000 AX 0 0 16
[14] .fini PROGBITS 00000000004006f4 000006f4
0000000000000009 0000000000000000 AX 0 0 4
[15] .rodata PROGBITS 0000000000400700 00000700
0000000000000043 0000000000000000 A 0 0 8
[16] .eh_frame_hdr PROGBITS 0000000000400744 00000744
0000000000000034 0000000000000000 A 0 0 4
[17] .eh_frame PROGBITS 0000000000400778 00000778
00000000000000f4 0000000000000000 A 0 0 8
[18] .init_array INIT_ARRAY 0000000000600e10 00000e10
0000000000000008 0000000000000000 WA 0 0 8
[19] .fini_array FINI_ARRAY 0000000000600e18 00000e18
0000000000000008 0000000000000000 WA 0 0 8
[20] .jcr PROGBITS 0000000000600e20 00000e20
0000000000000008 0000000000000000 WA 0 0 8
[21] .dynamic DYNAMIC 0000000000600e28 00000e28
00000000000001d0 0000000000000010 WA 6 0 8
[22] .got PROGBITS 0000000000600ff8 00000ff8
0000000000000008 0000000000000008 WA 0 0 8
[23] .got.plt PROGBITS 0000000000601000 00001000
0000000000000048 0000000000000008 WA 0 0 8
[24] .data PROGBITS 0000000000601048 00001048
0000000000000004 0000000000000000 WA 0 0 1
[25] .bss NOBITS 000000000060104c 0000104c
0000000000000004 0000000000000000 WA 0 0 1
[26] .comment PROGBITS 0000000000000000 0000104c
000000000000002c 0000000000000001 MS 0 0 1
[27] .shstrtab STRTAB 0000000000000000 00001078
0000000000000108 0000000000000000 0 0 1
[28] .symtab SYMTAB 0000000000000000 00001900
0000000000000660 0000000000000018 29 45 8
[29] .strtab STRTAB 0000000000000000 00001f60
0000000000000273 0000000000000000 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings), l (large)
I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
O (extra OS processing required) o (OS specific), p (processor specific)
There are no section groups in this file.
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000400040 0x0000000000400040
0x00000000000001f8 0x00000000000001f8 R E 8
INTERP 0x0000000000000238 0x0000000000400238 0x0000000000400238
0x000000000000001c 0x000000000000001c R 1
[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
LOAD 0x0000000000000000 0x0000000000400000 0x0000000000400000
0x000000000000086c 0x000000000000086c R E 200000
LOAD 0x0000000000000e10 0x0000000000600e10 0x0000000000600e10
0x000000000000023c 0x0000000000000240 RW 200000
DYNAMIC 0x0000000000000e28 0x0000000000600e28 0x0000000000600e28
0x00000000000001d0 0x00000000000001d0 RW 8
NOTE 0x0000000000000254 0x0000000000400254 0x0000000000400254
0x0000000000000044 0x0000000000000044 R 4
GNU_EH_FRAME 0x0000000000000744 0x0000000000400744 0x0000000000400744
0x0000000000000034 0x0000000000000034 R 4
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RW 10
GNU_RELRO 0x0000000000000e10 0x0000000000600e10 0x0000000000600e10
0x00000000000001f0 0x00000000000001f0 R 1
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame
03 .init_array .fini_array .jcr .dynamic .got .got.plt .data .bss
04 .dynamic
05 .note.ABI-tag .note.gnu.build-id
06 .eh_frame_hdr
07
08 .init_array .fini_array .jcr .dynamic .got
Dynamic section at offset 0xe28 contains 24 entries:
Tag Type Name/Value
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
0x000000000000000c (INIT) 0x400488
0x000000000000000d (FINI) 0x4006f4
0x0000000000000019 (INIT_ARRAY) 0x600e10
0x000000000000001b (INIT_ARRAYSZ) 8 (bytes)
0x000000000000001a (FINI_ARRAY) 0x600e18
0x000000000000001c (FINI_ARRAYSZ) 8 (bytes)
0x000000006ffffef5 (GNU_HASH) 0x400298
0x0000000000000005 (STRTAB) 0x400360
0x0000000000000006 (SYMTAB) 0x4002b8
0x000000000000000a (STRSZ) 80 (bytes)
0x000000000000000b (SYMENT) 24 (bytes)
0x0000000000000015 (DEBUG) 0x0
0x0000000000000003 (PLTGOT) 0x601000
0x0000000000000002 (PLTRELSZ) 144 (bytes)
0x0000000000000014 (PLTREL) RELA
0x0000000000000017 (JMPREL) 0x4003f8
0x0000000000000007 (RELA) 0x4003e0
0x0000000000000008 (RELASZ) 24 (bytes)
0x0000000000000009 (RELAENT) 24 (bytes)
0x000000006ffffffe (VERNEED) 0x4003c0
0x000000006fffffff (VERNEEDNUM) 1
0x000000006ffffff0 (VERSYM) 0x4003b0
0x0000000000000000 (NULL) 0x0
Relocation section '.rela.dyn' at offset 0x3e0 contains 1 entries:
Offset Info Type Sym. Value Sym. Name + Addend
000000600ff8 000500000006 R_X86_64_GLOB_DAT 0000000000000000 __gmon_start__ + 0
Relocation section '.rela.plt' at offset 0x3f8 contains 6 entries:
Offset Info Type Sym. Value Sym. Name + Addend
000000601018 000100000007 R_X86_64_JUMP_SLO 0000000000000000 puts + 0
000000601020 000200000007 R_X86_64_JUMP_SLO 0000000000000000 printf + 0
000000601028 000300000007 R_X86_64_JUMP_SLO 0000000000000000 __libc_start_main + 0
000000601030 000400000007 R_X86_64_JUMP_SLO 0000000000000000 strcmp + 0
000000601038 000500000007 R_X86_64_JUMP_SLO 0000000000000000 __gmon_start__ + 0
000000601040 000600000007 R_X86_64_JUMP_SLO 0000000000000000 gets + 0
The decoding of unwind sections for machine type Advanced Micro Devices X86-64 is not currently supported.
Symbol table '.dynsym' contains 7 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000000000 0 FUNC GLOBAL DEFAULT UND puts@GLIBC_2.2.5 (2)
2: 0000000000000000 0 FUNC GLOBAL DEFAULT UND printf@GLIBC_2.2.5 (2)
3: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main@GLIBC_2.2.5 (2)
4: 0000000000000000 0 FUNC GLOBAL DEFAULT UND strcmp@GLIBC_2.2.5 (2)
5: 0000000000000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
6: 0000000000000000 0 FUNC GLOBAL DEFAULT UND gets@GLIBC_2.2.5 (2)
Symbol table '.symtab' contains 68 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000400238 0 SECTION LOCAL DEFAULT 1
2: 0000000000400254 0 SECTION LOCAL DEFAULT 2
3: 0000000000400274 0 SECTION LOCAL DEFAULT 3
4: 0000000000400298 0 SECTION LOCAL DEFAULT 4
5: 00000000004002b8 0 SECTION LOCAL DEFAULT 5
6: 0000000000400360 0 SECTION LOCAL DEFAULT 6
7: 00000000004003b0 0 SECTION LOCAL DEFAULT 7
8: 00000000004003c0 0 SECTION LOCAL DEFAULT 8
9: 00000000004003e0 0 SECTION LOCAL DEFAULT 9
10: 00000000004003f8 0 SECTION LOCAL DEFAULT 10
11: 0000000000400488 0 SECTION LOCAL DEFAULT 11
12: 00000000004004b0 0 SECTION LOCAL DEFAULT 12
13: 0000000000400520 0 SECTION LOCAL DEFAULT 13
14: 00000000004006f4 0 SECTION LOCAL DEFAULT 14
15: 0000000000400700 0 SECTION LOCAL DEFAULT 15
16: 0000000000400744 0 SECTION LOCAL DEFAULT 16
17: 0000000000400778 0 SECTION LOCAL DEFAULT 17
18: 0000000000600e10 0 SECTION LOCAL DEFAULT 18
19: 0000000000600e18 0 SECTION LOCAL DEFAULT 19
20: 0000000000600e20 0 SECTION LOCAL DEFAULT 20
21: 0000000000600e28 0 SECTION LOCAL DEFAULT 21
22: 0000000000600ff8 0 SECTION LOCAL DEFAULT 22
23: 0000000000601000 0 SECTION LOCAL DEFAULT 23
24: 0000000000601048 0 SECTION LOCAL DEFAULT 24
25: 000000000060104c 0 SECTION LOCAL DEFAULT 25
26: 0000000000000000 0 SECTION LOCAL DEFAULT 26
27: 0000000000000000 0 FILE LOCAL DEFAULT ABS crtstuff.c
28: 0000000000600e20 0 OBJECT LOCAL DEFAULT 20 __JCR_LIST__
29: 0000000000400550 0 FUNC LOCAL DEFAULT 13 deregister_tm_clones
30: 0000000000400590 0 FUNC LOCAL DEFAULT 13 register_tm_clones
31: 00000000004005d0 0 FUNC LOCAL DEFAULT 13 __do_global_dtors_aux
32: 000000000060104c 1 OBJECT LOCAL DEFAULT 25 completed.6636
33: 0000000000600e18 0 OBJECT LOCAL DEFAULT 19 __do_global_dtors_aux_fin
34: 00000000004005f0 0 FUNC LOCAL DEFAULT 13 frame_dummy
35: 0000000000600e10 0 OBJECT LOCAL DEFAULT 18 __frame_dummy_init_array_
36: 0000000000000000 0 FILE LOCAL DEFAULT ABS example.c
37: 0000000000000000 0 FILE LOCAL DEFAULT ABS crtstuff.c
38: 0000000000400868 0 OBJECT LOCAL DEFAULT 17 __FRAME_END__
39: 0000000000600e20 0 OBJECT LOCAL DEFAULT 20 __JCR_END__
40: 0000000000000000 0 FILE LOCAL DEFAULT ABS
41: 0000000000600e18 0 NOTYPE LOCAL DEFAULT 18 __init_array_end
42: 0000000000600e28 0 OBJECT LOCAL DEFAULT 21 _DYNAMIC
43: 0000000000600e10 0 NOTYPE LOCAL DEFAULT 18 __init_array_start
44: 0000000000601000 0 OBJECT LOCAL DEFAULT 23 _GLOBAL_OFFSET_TABLE_
45: 00000000004006f0 2 FUNC GLOBAL DEFAULT 13 __libc_csu_fini
46: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_deregisterTMCloneTab
47: 0000000000601048 0 NOTYPE WEAK DEFAULT 24 data_start
48: 0000000000000000 0 FUNC GLOBAL DEFAULT UND puts@@GLIBC_2.2.5
49: 000000000060104c 0 NOTYPE GLOBAL DEFAULT 24 _edata
50: 00000000004006f4 0 FUNC GLOBAL DEFAULT 14 _fini
51: 0000000000000000 0 FUNC GLOBAL DEFAULT UND printf@@GLIBC_2.2.5
52: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main@@GLIBC_
53: 0000000000601048 0 NOTYPE GLOBAL DEFAULT 24 __data_start
54: 0000000000000000 0 FUNC GLOBAL DEFAULT UND strcmp@@GLIBC_2.2.5
55: 0000000000000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
56: 0000000000400708 0 OBJECT GLOBAL HIDDEN 15 __dso_handle
57: 0000000000400700 4 OBJECT GLOBAL DEFAULT 15 _IO_stdin_used
58: 0000000000000000 0 FUNC GLOBAL DEFAULT UND gets@@GLIBC_2.2.5
59: 0000000000400680 101 FUNC GLOBAL DEFAULT 13 __libc_csu_init
60: 0000000000601050 0 NOTYPE GLOBAL DEFAULT 25 _end
61: 0000000000400520 0 FUNC GLOBAL DEFAULT 13 _start
62: 000000000060104c 0 NOTYPE GLOBAL DEFAULT 25 __bss_start
63: 0000000000400616 104 FUNC GLOBAL DEFAULT 13 main
64: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _Jv_RegisterClasses
65: 0000000000601050 0 OBJECT GLOBAL HIDDEN 24 __TMC_END__
66: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_registerTMCloneTable
67: 0000000000400488 0 FUNC GLOBAL DEFAULT 11 _init
Version symbols section '.gnu.version' contains 7 entries:
Addr: 00000000004003b0 Offset: 0x0003b0 Link: 5 (.dynsym)
000: 0 (*local*) 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5)
004: 2 (GLIBC_2.2.5) 0 (*local*) 2 (GLIBC_2.2.5)
Version needs section '.gnu.version_r' contains 1 entries:
Addr: 0x00000000004003c0 Offset: 0x0003c0 Link: 6 (.dynstr)
000000: Version: 1 File: libc.so.6 Cnt: 1
0x0010: Name: GLIBC_2.2.5 Flags: none Version: 2
Displaying notes found at file offset 0x00000254 with length 0x00000020:
Owner Data size Description
GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag)
OS: Linux, ABI: 2.6.32
Displaying notes found at file offset 0x00000274 with length 0x00000024:
Owner Data size Description
GNU 0x00000014 NT_GNU_BUILD_ID (unique build ID bitstring)
Build ID: 6fe30c453a47d993d80ac30933467c181a2695ef
Readelf program headers
readelf --program-headers example
Output
Elf file type is EXEC (Executable file)
Entry point 0x400520
There are 9 program headers, starting at offset 64
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000400040 0x0000000000400040
0x00000000000001f8 0x00000000000001f8 R E 8
INTERP 0x0000000000000238 0x0000000000400238 0x0000000000400238
0x000000000000001c 0x000000000000001c R 1
[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
LOAD 0x0000000000000000 0x0000000000400000 0x0000000000400000
0x000000000000087c 0x000000000000087c R E 200000
LOAD 0x0000000000000e10 0x0000000000600e10 0x0000000000600e10
0x000000000000023c 0x0000000000000240 RW 200000
DYNAMIC 0x0000000000000e28 0x0000000000600e28 0x0000000000600e28
0x00000000000001d0 0x00000000000001d0 RW 8
NOTE 0x0000000000000254 0x0000000000400254 0x0000000000400254
0x0000000000000044 0x0000000000000044 R 4
GNU_EH_FRAME 0x0000000000000754 0x0000000000400754 0x0000000000400754
0x0000000000000034 0x0000000000000034 R 4
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RW 10
GNU_RELRO 0x0000000000000e10 0x0000000000600e10 0x0000000000600e10
0x00000000000001f0 0x00000000000001f0 R 1
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame
03 .init_array .fini_array .jcr .dynamic .got .got.plt .data .bss
04 .dynamic
05 .note.ABI-tag .note.gnu.build-id
06 .eh_frame_hdr
07
08 .init_array .fini_array .jcr .dynamic .got
Objdump
objdump -d -M intel example
Output
example: file format elf64-x86-64
Disassembly of section .init:
0000000000400488 <_init>:
400488: 48 83 ec 08 sub rsp,0x8
40048c: 48 8b 05 65 0b 20 00 mov rax,QWORD PTR [rip+0x200b65] # 600ff8 <_DYNAMIC+0x1d0>
400493: 48 85 c0 test rax,rax
400496: 74 05 je 40049d <_init+0x15>
400498: e8 63 00 00 00 call 400500 <__gmon_start__@plt>
40049d: 48 83 c4 08 add rsp,0x8
4004a1: c3 ret
Disassembly of section .plt:
00000000004004b0 <puts@plt-0x10>:
4004b0: ff 35 52 0b 20 00 push QWORD PTR [rip+0x200b52] # 601008 <_GLOBAL_OFFSET_TABLE_+0x8>
4004b6: ff 25 54 0b 20 00 jmp QWORD PTR [rip+0x200b54] # 601010 <_GLOBAL_OFFSET_TABLE_+0x10>
4004bc: 0f 1f 40 00 nop DWORD PTR [rax+0x0]
00000000004004c0 <puts@plt>:
4004c0: ff 25 52 0b 20 00 jmp QWORD PTR [rip+0x200b52] # 601018 <_GLOBAL_OFFSET_TABLE_+0x18>
4004c6: 68 00 00 00 00 push 0x0
4004cb: e9 e0 ff ff ff jmp 4004b0 <_init+0x28>
00000000004004d0 <printf@plt>:
4004d0: ff 25 4a 0b 20 00 jmp QWORD PTR [rip+0x200b4a] # 601020 <_GLOBAL_OFFSET_TABLE_+0x20>
4004d6: 68 01 00 00 00 push 0x1
4004db: e9 d0 ff ff ff jmp 4004b0 <_init+0x28>
00000000004004e0 <__libc_start_main@plt>:
4004e0: ff 25 42 0b 20 00 jmp QWORD PTR [rip+0x200b42] # 601028 <_GLOBAL_OFFSET_TABLE_+0x28>
4004e6: 68 02 00 00 00 push 0x2
4004eb: e9 c0 ff ff ff jmp 4004b0 <_init+0x28>
00000000004004f0 <strcmp@plt>:
4004f0: ff 25 3a 0b 20 00 jmp QWORD PTR [rip+0x200b3a] # 601030 <_GLOBAL_OFFSET_TABLE_+0x30>
4004f6: 68 03 00 00 00 push 0x3
4004fb: e9 b0 ff ff ff jmp 4004b0 <_init+0x28>
0000000000400500 <__gmon_start__@plt>:
400500: ff 25 32 0b 20 00 jmp QWORD PTR [rip+0x200b32] # 601038 <_GLOBAL_OFFSET_TABLE_+0x38>
400506: 68 04 00 00 00 push 0x4
40050b: e9 a0 ff ff ff jmp 4004b0 <_init+0x28>
0000000000400510 <gets@plt>:
400510: ff 25 2a 0b 20 00 jmp QWORD PTR [rip+0x200b2a] # 601040 <_GLOBAL_OFFSET_TABLE_+0x40>
400516: 68 05 00 00 00 push 0x5
40051b: e9 90 ff ff ff jmp 4004b0 <_init+0x28>
Disassembly of section .text:
0000000000400520 <_start>:
400520: 31 ed xor ebp,ebp
400522: 49 89 d1 mov r9,rdx
400525: 5e pop rsi
400526: 48 89 e2 mov rdx,rsp
400529: 48 83 e4 f0 and rsp,0xfffffffffffffff0
40052d: 50 push rax
40052e: 54 push rsp
40052f: 49 c7 c0 f0 06 40 00 mov r8,0x4006f0
400536: 48 c7 c1 80 06 40 00 mov rcx,0x400680
40053d: 48 c7 c7 16 06 40 00 mov rdi,0x400616
400544: e8 97 ff ff ff call 4004e0 <__libc_start_main@plt>
400549: f4 hlt
40054a: 66 0f 1f 44 00 00 nop WORD PTR [rax+rax*1+0x0]
0000000000400550 <deregister_tm_clones>:
400550: b8 57 10 60 00 mov eax,0x601057
400555: 55 push rbp
400556: 48 2d 50 10 60 00 sub rax,0x601050
40055c: 48 83 f8 0e cmp rax,0xe
400560: 48 89 e5 mov rbp,rsp
400563: 76 1b jbe 400580 <deregister_tm_clones+0x30>
400565: b8 00 00 00 00 mov eax,0x0
40056a: 48 85 c0 test rax,rax
40056d: 74 11 je 400580 <deregister_tm_clones+0x30>
40056f: 5d pop rbp
400570: bf 50 10 60 00 mov edi,0x601050
400575: ff e0 jmp rax
400577: 66 0f 1f 84 00 00 00 nop WORD PTR [rax+rax*1+0x0]
40057e: 00 00
400580: 5d pop rbp
400581: c3 ret
400582: 66 66 66 66 66 2e 0f data32 data32 data32 data32 nop WORD PTR cs:[rax+rax*1+0x0]
400589: 1f 84 00 00 00 00 00
0000000000400590 <register_tm_clones>:
400590: be 50 10 60 00 mov esi,0x601050
400595: 55 push rbp
400596: 48 81 ee 50 10 60 00 sub rsi,0x601050
40059d: 48 c1 fe 03 sar rsi,0x3
4005a1: 48 89 e5 mov rbp,rsp
4005a4: 48 89 f0 mov rax,rsi
4005a7: 48 c1 e8 3f shr rax,0x3f
4005ab: 48 01 c6 add rsi,rax
4005ae: 48 d1 fe sar rsi,1
4005b1: 74 15 je 4005c8 <register_tm_clones+0x38>
4005b3: b8 00 00 00 00 mov eax,0x0
4005b8: 48 85 c0 test rax,rax
4005bb: 74 0b je 4005c8 <register_tm_clones+0x38>
4005bd: 5d pop rbp
4005be: bf 50 10 60 00 mov edi,0x601050
4005c3: ff e0 jmp rax
4005c5: 0f 1f 00 nop DWORD PTR [rax]
4005c8: 5d pop rbp
4005c9: c3 ret
4005ca: 66 0f 1f 44 00 00 nop WORD PTR [rax+rax*1+0x0]
00000000004005d0 <__do_global_dtors_aux>:
4005d0: 80 3d 75 0a 20 00 00 cmp BYTE PTR [rip+0x200a75],0x0 # 60104c <_edata>
4005d7: 75 11 jne 4005ea <__do_global_dtors_aux+0x1a>
4005d9: 55 push rbp
4005da: 48 89 e5 mov rbp,rsp
4005dd: e8 6e ff ff ff call 400550 <deregister_tm_clones>
4005e2: 5d pop rbp
4005e3: c6 05 62 0a 20 00 01 mov BYTE PTR [rip+0x200a62],0x1 # 60104c <_edata>
4005ea: f3 c3 repz ret
4005ec: 0f 1f 40 00 nop DWORD PTR [rax+0x0]
00000000004005f0 <frame_dummy>:
4005f0: bf 20 0e 60 00 mov edi,0x600e20
4005f5: 48 83 3f 00 cmp QWORD PTR [rdi],0x0
4005f9: 75 05 jne 400600 <frame_dummy+0x10>
4005fb: eb 93 jmp 400590 <register_tm_clones>
4005fd: 0f 1f 00 nop DWORD PTR [rax]
400600: b8 00 00 00 00 mov eax,0x0
400605: 48 85 c0 test rax,rax
400608: 74 f1 je 4005fb <frame_dummy+0xb>
40060a: 55 push rbp
40060b: 48 89 e5 mov rbp,rsp
40060e: ff d0 call rax
400610: 5d pop rbp
400611: e9 7a ff ff ff jmp 400590 <register_tm_clones>
0000000000400616 <main>:
400616: 55 push rbp
400617: 48 89 e5 mov rbp,rsp
40061a: 48 83 c4 80 add rsp,0xffffffffffffff80
40061e: c7 45 80 43 48 46 49 mov DWORD PTR [rbp-0x80],0x49464843
400625: 66 c7 45 84 76 38 mov WORD PTR [rbp-0x7c],0x3876
40062b: c6 45 86 00 mov BYTE PTR [rbp-0x7a],0x0
40062f: bf 10 07 40 00 mov edi,0x400710
400634: b8 00 00 00 00 mov eax,0x0
400639: e8 92 fe ff ff call 4004d0 <printf@plt>
40063e: 48 8d 45 90 lea rax,[rbp-0x70]
400642: 48 89 c7 mov rdi,rax
400645: e8 c6 fe ff ff call 400510 <gets@plt>
40064a: 48 8d 55 80 lea rdx,[rbp-0x80]
40064e: 48 8d 45 90 lea rax,[rbp-0x70]
400652: 48 89 d6 mov rsi,rdx
400655: 48 89 c7 mov rdi,rax
400658: e8 93 fe ff ff call 4004f0 <strcmp@plt>
40065d: 85 c0 test eax,eax
40065f: 75 0c jne 40066d <main+0x57>
400661: bf 24 07 40 00 mov edi,0x400724
400666: e8 55 fe ff ff call 4004c0 <puts@plt>
40066b: eb 0a jmp 400677 <main+0x61>
40066d: bf 34 07 40 00 mov edi,0x400734
400672: e8 49 fe ff ff call 4004c0 <puts@plt>
400677: b8 00 00 00 00 mov eax,0x0
40067c: c9 leave
40067d: c3 ret
40067e: 66 90 xchg ax,ax
0000000000400680 <__libc_csu_init>:
400680: 41 57 push r15
400682: 41 56 push r14
400684: 41 89 ff mov r15d,edi
400687: 41 55 push r13
400689: 41 54 push r12
40068b: 4c 8d 25 7e 07 20 00 lea r12,[rip+0x20077e] # 600e10 <__frame_dummy_init_array_entry>
400692: 55 push rbp
400693: 48 8d 2d 7e 07 20 00 lea rbp,[rip+0x20077e] # 600e18 <__init_array_end>
40069a: 53 push rbx
40069b: 49 89 f6 mov r14,rsi
40069e: 49 89 d5 mov r13,rdx
4006a1: 31 db xor ebx,ebx
4006a3: 4c 29 e5 sub rbp,r12
4006a6: 48 83 ec 08 sub rsp,0x8
4006aa: 48 c1 fd 03 sar rbp,0x3
4006ae: e8 d5 fd ff ff call 400488 <_init>
4006b3: 48 85 ed test rbp,rbp
4006b6: 74 1e je 4006d6 <__libc_csu_init+0x56>
4006b8: 0f 1f 84 00 00 00 00 nop DWORD PTR [rax+rax*1+0x0]
4006bf: 00
4006c0: 4c 89 ea mov rdx,r13
4006c3: 4c 89 f6 mov rsi,r14
4006c6: 44 89 ff mov edi,r15d
4006c9: 41 ff 14 dc call QWORD PTR [r12+rbx*8]
4006cd: 48 83 c3 01 add rbx,0x1
4006d1: 48 39 eb cmp rbx,rbp
4006d4: 75 ea jne 4006c0 <__libc_csu_init+0x40>
4006d6: 48 83 c4 08 add rsp,0x8
4006da: 5b pop rbx
4006db: 5d pop rbp
4006dc: 41 5c pop r12
4006de: 41 5d pop r13
4006e0: 41 5e pop r14
4006e2: 41 5f pop r15
4006e4: c3 ret
4006e5: 66 66 2e 0f 1f 84 00 data32 nop WORD PTR cs:[rax+rax*1+0x0]
4006ec: 00 00 00 00
00000000004006f0 <__libc_csu_fini>:
4006f0: f3 c3 repz ret
Disassembly of section .fini:
00000000004006f4 <_fini>:
4006f4: 48 83 ec 08 sub rsp,0x8
4006f8: 48 83 c4 08 add rsp,0x8
4006fc: c3 ret
XXD
xxd example
Output
0000000: 7f45 4c46 0201 0100 0000 0000 0000 0000 .ELF............
0000010: 0200 3e00 0100 0000 2005 4000 0000 0000 ..>..... .@.....
0000020: 4000 0000 0000 0000 8011 0000 0000 0000 @...............
0000030: 0000 0000 4000 3800 0900 4000 1e00 1b00 ....@.8...@.....
0000040: 0600 0000 0500 0000 4000 0000 0000 0000 ........@.......
0000050: 4000 4000 0000 0000 4000 4000 0000 0000 @.@.....@.@.....
0000060: f801 0000 0000 0000 f801 0000 0000 0000 ................
0000070: 0800 0000 0000 0000 0300 0000 0400 0000 ................
0000080: 3802 0000 0000 0000 3802 4000 0000 0000 8.......8.@.....
0000090: 3802 4000 0000 0000 1c00 0000 0000 0000 8.@.............
00000a0: 1c00 0000 0000 0000 0100 0000 0000 0000 ................
00000b0: 0100 0000 0500 0000 0000 0000 0000 0000 ................
00000c0: 0000 4000 0000 0000 0000 4000 0000 0000 ..@.......@.....
00000d0: 6c08 0000 0000 0000 6c08 0000 0000 0000 l.......l.......
00000e0: 0000 2000 0000 0000 0100 0000 0600 0000 .. .............
00000f0: 100e 0000 0000 0000 100e 6000 0000 0000 ..........`.....
0000100: 100e 6000 0000 0000 3c02 0000 0000 0000 ..`.....<.......
...
Strace
strace ./example
Output
execve("./example", ["./example"], [/* 27 vars */]) = 0
brk(0) = 0x1f48000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff583dbb000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=87914, ...}) = 0
mmap(NULL, 87914, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ff583da5000
close(3) = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\1\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2082456, ...}) = 0
mmap(NULL, 3919744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ff5837de000
mprotect(0x7ff583991000, 2097152, PROT_NONE) = 0
mmap(0x7ff583b91000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b3000) = 0x7ff583b91000
mmap(0x7ff583b97000, 16256, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ff583b97000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff583da4000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff583da3000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff583da2000
arch_prctl(ARCH_SET_FS, 0x7ff583da3700) = 0
mprotect(0x7ff583b91000, 16384, PROT_READ) = 0
mprotect(0x600000, 4096, PROT_READ) = 0
mprotect(0x7ff583dbc000, 4096, PROT_READ) = 0
munmap(0x7ff583da5000, 87914) = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff583dba000
fstat(0, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff583db9000
write(1, "Enter access code: ", 19Enter access code: ) = 19
Ltrace
ltrace ./example
Output
__libc_start_main([ "./example" ] <unfinished ...>
printf("Enter access code: ") = 19
gets(0x7fffead56790, 0x7f9943191000, 0x7f9942f6ea40, 1024Enter access code:
) = 0x7fffead56790
strcmp("", "CHFIv8") = -67
puts("Access denied!"Access denied!
) = 15
+++ exited (status 0) +++
Strings
strings -a ./example
Output
/lib64/ld-linux-x86-64.so.2
3F|
libc.so.6
gets
puts
printf
strcmp
__libc_start_main
__gmon_start__
GLIBC_2.2.5
UH-P
fffff.
PASS
AWAVA
AUATL
[]A\A]A^A_
Enter access code:
Access granted!
Access denied!
;*3$"
GCC: (GNU) 4.9.2 20150212 (Red Hat 4.9.2-6)
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got
.got.plt
.data
.bss
.comment
crtstuff.c
__JCR_LIST__
deregister_tm_clones
register_tm_clones
__do_global_dtors_aux
completed.6636
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
example.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
data_start
puts@@GLIBC_2.2.5
_edata
_fini
printf@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
strcmp@@GLIBC_2.2.5
__gmon_start__
__dso_handle
_IO_stdin_used
gets@@GLIBC_2.2.5
__libc_csu_init
_end
_start
__bss_start
main
_Jv_RegisterClasses
__TMC_END__
_ITM_registerTMCloneTable
_init
The access code PASS can be read directly in the output of the strings command: a hard-coded secret that the program compares with strcmp is stored in the binary in plaintext, so no disassembly is needed to recover it. (The ltrace and objdump output above appear to come from a build whose secret was CHFIv8 rather than PASS — compare the second strcmp argument in the ltrace output with the immediate bytes stored at [rbp-0x80] in main.)

This publication is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) License (https://creativecommons.org/licenses/by-nc-nd/4.0/)