If we assume, which can be dangerous, that programmers tend to name functions and variables according to their purpose, then we can learn a tremendous amount of information simply by having these symbol names available to us. The process of "stripping" a binary involves removing all symbol information that is no longer required once the binary has been built. Stripping is generally performed by using the command-line strip utility and, as a result of removing extraneous information, has the side effect of yielding a smaller binary. From a reverse-engineering perspective, however, stripping makes a binary slightly more difficult to analyze as a result of the loss of all of the symbols. In this regard, stripping a binary can be seen as a primitive form of obfuscation. The most immediate impact of dealing with a stripped binary in IDA is that IDA will be unable to locate the main function and will instead initially position the disassembly view at the program's true entry point, generally named _start.
NOTE Contrary to popular belief, main is not the first thing executed in a compiled C or C++ program. A significant amount of initialization must take place before control can be transferred to main. Some of the startup tasks include initialization of the C libraries, initialization of global objects, and creation of the argv and envp arguments expected by main.
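The two facts above, that a stripped binary has lost its symbol table and that analysis then begins at the ELF entry point rather than at main, can be checked directly from the file headers. The following added example (not code from the book) parses a little-endian ELF64 header and section table to report the entry address and whether a .symtab section survives; it builds its own minimal, hypothetical ELF images in memory so it runs without a compiler, and the entry value 0x401040 is a constructed placeholder.

```python
import struct

ELF_HDR = "<16sHHIQQQIHHHHHH"   # ELF64 file header (64 bytes)
SEC_HDR = "<IIQQQQIIQQ"          # ELF64 section header (64 bytes)
SHT_SYMTAB, SHT_STRTAB = 2, 3

def build_elf(stripped):
    """Construct a minimal, hypothetical ELF64 image: headers only, no code.
    With stripped=True the .symtab section is omitted, as strip(1) would."""
    shstr = b"\0.shstrtab\0.symtab\0"          # names at offsets 1 and 11
    shoff = 64 + len(shstr)                    # section headers follow names
    secs = [(0, 0, 0, 0), (1, SHT_STRTAB, 64, len(shstr))]
    if not stripped:
        secs.append((11, SHT_SYMTAB, shoff, 0))  # empty table: headers only
    shdrs = b"".join(struct.pack(SEC_HDR, n, t, 0, 0, off, sz, 0, 0, 1, 0)
                     for n, t, off, sz in secs)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, v1
    hdr = struct.pack(ELF_HDR, ident, 2, 0x3E, 1, 0x401040, 0, shoff,
                      0, 64, 0, 0, 64, len(secs), 1)     # constructed entry
    return hdr + shstr + shdrs

def sections(data):
    """Return [(name, sh_type)] read from the section header table."""
    h = struct.unpack_from(ELF_HDR, data, 0)
    if h[0][:4] != b"\x7fELF" or h[0][4] != 2 or h[0][5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    shoff, shentsize, shnum, shstrndx = h[6], h[11], h[12], h[13]
    raw = [struct.unpack_from(SEC_HDR, data, shoff + i * shentsize)
           for i in range(shnum)]
    stroff = raw[shstrndx][4]                  # file offset of .shstrtab
    out = []
    for s in raw:
        end = data.index(b"\0", stroff + s[0])
        out.append((data[stroff + s[0]:end].decode(), s[1]))
    return out

def entry_point(data):
    """e_entry: where execution (and IDA's initial view) starts, i.e. _start."""
    return struct.unpack_from(ELF_HDR, data, 0)[4]

def is_stripped(data):
    """No SHT_SYMTAB section means the symbol names are gone."""
    return not any(t == SHT_SYMTAB for _, t in sections(data))

if __name__ == "__main__":
    for flag in (False, True):
        img = build_elf(flag)
        print(f"stripped={is_stripped(img)} entry={entry_point(img):#x} "
              f"sections={[n for n, _ in sections(img)]}")
```

Pointing `sections` and `is_stripped` at the bytes of a real binary gives the same answer `file` and `nm` would, with no external tools required.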