Reverse Engineering Asked on December 30, 2021
Given C code, are the function addresses from the ELF the same as those in the stripped version?
I don’t have any specific code in mind. Just trying to learn in general how to find the function beginning (and possibly end) in the stripped binary given the original code.
In a nutshell, stripping a binary means removing sections containing symbol and debug information from the file. These sections lie at the end of the binary, separate from the code. Removing this information has no bearing on the code itself, so the locations of functions in the file (their file offsets) will be the same after stripping the binary. Function addresses (their location in virtual memory), on the other hand, may either be hardcoded or position independent; it depends on how the binary was compiled (this is also unaffected by stripping symbol info).
Finding the boundaries of functions in stripped binaries is an undecidable problem, but workarounds and heuristics exist, such as a signature-based approach to function detection. Here are some examples:
Here is an interesting article on the subject: Architecture Agnostic Function Detection in Binaries
Answered by julian on December 30, 2021
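The signature-based heuristic mentioned in the answer, as an added example that is not part of the original answer: it scans the executable segments of an ELF64 file for common x86-64 prologue bytes and reports each candidate as both a file offset and a virtual address, using only the program headers, so no symbol table is needed. The function names, the two signatures chosen, and the constructed sample binary are assumptions made for illustration.

```python
import struct

# Common x86-64 function-entry byte patterns; a match is a candidate, not proof.
SIGNATURES = (bytes.fromhex("f30f1efa"),   # endbr64 (CET-enabled builds)
              bytes.fromhex("554889e5"))   # push rbp; mov rbp, rsp

def exec_segments(elf):
    """Yield (file_offset, vaddr, size) for each executable PT_LOAD (ELF64, LE)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    (phoff,) = struct.unpack_from("<Q", elf, 0x20)
    phentsize, phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(phnum):
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, phoff + i * phentsize)
        if p_type == 1 and p_flags & 1:          # PT_LOAD with PF_X set
            yield p_offset, p_vaddr, p_filesz

def find_function_starts(elf):
    """Return sorted (file_offset, vaddr) pairs of candidate function entries."""
    hits = set()
    for off, vaddr, size in exec_segments(elf):
        seg = elf[off:off + size]
        for sig in SIGNATURES:
            pos = seg.find(sig)
            while pos != -1:
                hits.add((off + pos, vaddr + pos))
                pos = seg.find(sig, pos + 1)
    starts = []
    for hit in sorted(hits):
        # "endbr64; push rbp; mov rbp, rsp" is one entry: drop the inner match.
        if not starts or hit[0] - starts[-1][0] > 4:
            starts.append(hit)
    return starts

def build_sample():
    """Constructed sample: a minimal ELF64 with no section headers or symbols,
    one R+X segment mapped at 0x400000, and two tiny functions."""
    f1 = bytes.fromhex("554889e55dc3").ljust(16, b"\x90")   # padded with nops
    f2 = bytes.fromhex("f30f1efa554889e55dc3")
    size = 64 + 56 + len(f1) + len(f2)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 2, 0x3E, 1,
                       0x400078, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, size, size, 0x1000)
    return ehdr + phdr + f1 + f2

if __name__ == "__main__":
    for off, va in find_function_starts(build_sample()):
        print(f"file offset {off:#x} -> vaddr {va:#x}")
```

Code compiled with frame-pointer omission or without CET will not carry these prologues, and the same bytes can occur inside data or in the middle of an instruction, so the output is a list of candidates to confirm in a disassembler.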