ELF Unstrip Tool
Dependencies

- capstone python-binding https://github.com/aquynh/capstone
- pyelftools https://github.com/eliben/pyelftools
- python-sqlite
- python-msgpack
Usage

- Make sure the maximum open file limit is >= 65536, since the tool opens a large number of object files while generating the database.
- `mkdir archobj`
- Copy your `.a` files (e.g. `libc.a`, `libpthread.a`) to `archobj/`. It is recommended to include at least `libc.a` and `libpthread.a`, since they contain the basic object files for analysis.
- `python2 unstrip.py gendb`
- The fingerprints will be stored in `fin.db`.
- `python2 unstrip.py <your binary>`
- It will generate the unstripped binary named `<your binary>.mark`.
TODO

- Greatly improve the matching methods.
- Use symbolic execution to provide better basic block scanning.
Example

Source code, compiled with `gcc -static -s test.c -o test`:

```c
#include <stdio.h>
#include <stdlib.h>

int main() {
    puts("Hello world\n");
    system("ls");
    return 0;
}
```

`objdump -d test` (stripped: no function names on the call targets):

```
...
  40105e:	55                   	push   %rbp
  40105f:	48 89 e5             	mov    %rsp,%rbp
  401062:	bf 44 44 49 00       	mov    $0x494444,%edi
  401067:	e8 84 7b 00 00       	callq  0x408bf0
  40106c:	bf 51 44 49 00       	mov    $0x494451,%edi
  401071:	e8 3a 70 00 00       	callq  0x4080b0
  401076:	b8 00 00 00 00       	mov    $0x0,%eax
  40107b:	5d                   	pop    %rbp
  40107c:	c3                   	retq
...
```

`objdump -d test.mark` (symbols recovered from the fingerprint database):

```
...
000000000040105e <main>:
  40105e:	55                   	push   %rbp
  40105f:	48 89 e5             	mov    %rsp,%rbp
  401062:	bf 44 44 49 00       	mov    $0x494444,%edi
  401067:	e8 84 7b 00 00       	callq  408bf0 <puts>
  40106c:	bf 51 44 49 00       	mov    $0x494451,%edi
  401071:	e8 3a 70 00 00       	callq  4080b0 <system>
  401076:	b8 00 00 00 00       	mov    $0x0,%eax
  40107b:	5d                   	pop    %rbp
  40107c:	c3                   	retq
...
```
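As an added illustration of the fingerprinting idea behind `gendb` and the matching step (example code, not the tool's own implementation): operands the linker patches in (imm32 addresses, rel32 call targets) differ between an archive object and the linked binary, so they are masked before hashing. The decoder below is a hand-rolled stand-in for capstone that covers only the instruction forms in the `main()` above; the byte strings are constructed from the objdump listing, and the object-file version assumes zeroed relocation fields.

```python
import hashlib
import sqlite3

# Minimal x86-64 decoder for the forms in the README's main(): push/pop reg,
# mov reg,reg (REX.W 89 /r, register form), mov r32,imm32, call rel32, ret.
# Yields (offset, length, [(lo, hi), ...]) where each (lo, hi) byte span
# holds a value that is patched at link time (imm32 or rel32).
def decode(code):
    insns, i = [], 0
    while i < len(code):
        start, masks = i, []
        if 0x40 <= code[i] <= 0x4f:           # REX prefix
            i += 1
        b = code[i]
        if 0x50 <= b <= 0x5f or b == 0xc3:    # push/pop reg, ret
            i += 1
        elif b == 0x89:                       # mov r/m, r: register form only
            if code[i + 1] >> 6 != 3:
                raise ValueError("memory operand at 0x%x unsupported" % start)
            i += 2
        elif 0xb8 <= b <= 0xbf or b == 0xe8:  # mov r32,imm32 / call rel32
            masks.append((i + 1, i + 5))
            i += 5
        else:
            raise ValueError("opcode 0x%02x at 0x%x unsupported" % (b, start))
        insns.append((start, i - start, masks))
    return insns

def fingerprint(code):
    """SHA-256 of the code with link-time-patched operands zeroed."""
    masked = bytearray(code)
    for _, _, masks in decode(code):
        for lo, hi in masks:
            masked[lo:hi] = bytes(hi - lo)
    return hashlib.sha256(bytes(masked)).hexdigest()

# Constructed sample: main() as it sits in an object file (imm32/rel32 still
# zero, filled in by relocations) and as found in the linked binary above.
MAIN_OBJ = bytes.fromhex("55 4889e5 bf00000000 e800000000 bf00000000 e800000000 b800000000 5d c3")
MAIN_BIN = bytes.fromhex("55 4889e5 bf44444900 e8847b0000 bf51444900 e83a700000 b800000000 5d c3")

def gendb(functions):
    """Store (fingerprint, name) rows, as a gendb-style pass over archive objects would."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fin (hash TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO fin VALUES (?, ?)",
                   [(fingerprint(code), name) for name, code in functions.items()])
    return db

def lookup(db, code):
    """Recover a symbol name for a stripped function body, or None if unknown."""
    row = db.execute("SELECT name FROM fin WHERE hash = ?", (fingerprint(code),)).fetchone()
    return row[0] if row else None
```

`lookup(gendb({"main": MAIN_OBJ}), MAIN_BIN)` returns `"main"`; dropping the second `call` from the body yields a different fingerprint and no match.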