# ELF Unstrip Tool

## Dependencies

- capstone python-binding: https://github.com/aquynh/capstone
- pyelftools: https://github.com/eliben/pyelftools
- python-sqlite
- python-msgpack
## Usage

### Generate the fingerprint DB

- Make sure the maximum open-file limit is >= 65536, since the tool opens lots of object files while generating the DB.
- `mkdir archobj`
- Copy your `.a` files (e.g. `libc.a`, `libpthread.a`) to `archobj/`.
- `python2 unstrip.py gendb`
- The fingerprints will be stored in `fin.db`.

It's recommended to copy `libc.a` and `libpthread.a` to `archobj/`; they contain the basic object files for analysis.

### Unstrip a binary

- `python2 unstrip.py <your binary>`
- It will generate the unstripped binary named `<your binary>.mark`.
## TODO

- Greatly improve the matching methods.
- Use symbolic execution to provide a better basic block scan.
## Example

Source code, compiled with `gcc -static -s test.c -o test`:

```c
#include <stdio.h>
#include <stdlib.h>

int main() {
    puts("Hello world\n");
    system("ls");
    return 0;
}
```

`objdump -d test` (the stripped binary, no symbol names):

```
...
  40105e:	55                   	push   %rbp
  40105f:	48 89 e5             	mov    %rsp,%rbp
  401062:	bf 44 44 49 00       	mov    $0x494444,%edi
  401067:	e8 84 7b 00 00       	callq  0x408bf0
  40106c:	bf 51 44 49 00       	mov    $0x494451,%edi
  401071:	e8 3a 70 00 00       	callq  0x4080b0
  401076:	b8 00 00 00 00       	mov    $0x0,%eax
  40107b:	5d                   	pop    %rbp
  40107c:	c3                   	retq
...
```

`objdump -d test.mark` (after unstripping, symbols recovered):

```
...
000000000040105e <main>:
  40105e:	55                   	push   %rbp
  40105f:	48 89 e5             	mov    %rsp,%rbp
  401062:	bf 44 44 49 00       	mov    $0x494444,%edi
  401067:	e8 84 7b 00 00       	callq  408bf0 <puts>
  40106c:	bf 51 44 49 00       	mov    $0x494451,%edi
  401071:	e8 3a 70 00 00       	callq  4080b0 <system>
  401076:	b8 00 00 00 00       	mov    $0x0,%eax
  40107b:	5d                   	pop    %rbp
  40107c:	c3                   	retq
...
```
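To make the two-step workflow above concrete (`gendb` hashes functions pulled from the archive object files, then the unstrip step looks each function of the stripped binary up in that table and labels call targets), here is a toy matcher. It is an added example written for this README, not the unstrip project's own code, and it is Python 3 with only the standard library; the real tool uses capstone and pyelftools. The `ARCHIVE_MAIN` bytes are a constructed stand-in for `main` as it sits in an object file before relocations are applied; `STRIPPED_MAIN` is the `main` from the `objdump -d test` listing above, and the `puts`/`system` names used for the callees are taken from the `.mark` listing rather than recovered by this toy.

```python
"""Toy fingerprint matcher in the spirit of `unstrip.py gendb` + matching.
Added example, not the project's code. Python 3, standard library only."""
import hashlib
import struct

# Tiny x86-64 decoder covering only the opcodes that occur in the page's `main`.
# Returns (instruction length, [(offset, size)] of operand bytes the linker may rewrite).
def decode(code, i):
    b = code[i]
    if b in (0x55, 0x5d, 0xc3, 0x90):            # push %rbp / pop %rbp / retq / nop
        return 1, []
    if code[i:i + 3] == b"\x48\x89\xe5":          # mov %rsp,%rbp
        return 3, []
    if 0xb8 <= b <= 0xbf:                         # mov $imm32,%r32 (imm may hold a relocated address)
        return 5, [(i + 1, 4)]
    if b in (0xe8, 0xe9):                         # callq / jmp rel32 (target fixed up by the linker)
        return 5, [(i + 1, 4)]
    raise ValueError("unsupported opcode 0x%02x at offset %d" % (b, i))

def masked(code):
    """Zero every byte the linker may rewrite, so the .o copy and the linked copy agree."""
    out = bytearray(code)
    i = 0
    while i < len(code):
        length, relocs = decode(code, i)
        for off, size in relocs:
            out[off:off + size] = b"\x00" * size
        i += length
    return bytes(out)

def fingerprint(code):
    return hashlib.sha256(masked(code)).hexdigest()

def gendb(archive_funcs):
    """archive_funcs: {symbol: function bytes from an object file}. Returns {fingerprint: symbol}."""
    return {fingerprint(code): name for name, code in archive_funcs.items()}

def match(db, code):
    """Name of the archive function whose fingerprint equals this stripped function's, or None."""
    return db.get(fingerprint(code))

def call_targets(code, base):
    """Resolve rel32 call targets the way objdump prints them: next instruction address + rel32."""
    targets, i = [], 0
    while i < len(code):
        length, _ = decode(code, i)
        if code[i] == 0xe8:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            targets.append(base + i + length + rel)
        i += length
    return targets

# Constructed: `main` as it would sit in an object file, immediates and rel32
# fields still zero because relocations have not been applied yet.
ARCHIVE_MAIN = bytes.fromhex(
    "55 4889e5 bf00000000 e800000000 bf00000000 e800000000 b800000000 5d c3")

# Same function in the linked, stripped `test` (bytes from the objdump listing, at 0x40105e).
STRIPPED_MAIN = bytes.fromhex(
    "55 4889e5 bf44444900 e8847b0000 bf51444900 e83a700000 b800000000 5d c3")
STRIPPED_MAIN_ADDR = 0x40105e

if __name__ == "__main__":
    db = gendb({"main": ARCHIVE_MAIN})                     # the "gendb" step
    print("%#x -> %s" % (STRIPPED_MAIN_ADDR, match(db, STRIPPED_MAIN)))
    # Callee names would come from matching those functions the same way;
    # here they are the names shown in the .mark listing above.
    known = {0x408bf0: "puts", 0x4080b0: "system"}
    for t in call_targets(STRIPPED_MAIN, STRIPPED_MAIN_ADDR):
        print("  callq %x <%s>" % (t, known.get(t, "?")))
```

The design choice worth noting is the mask: a generator with access to the archive's relocation entries (which pyelftools exposes) can zero exactly the fixed-up bytes, whereas this toy zeros every imm32/rel32 operand on both sides. That is cheaper and immune to link-address differences, but it also erases constants such as `mov $0x0,%eax`, so two functions that differ only in a constant collide; that loss of discrimination is one reason the TODO above calls for better matching methods.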