
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

Listing 13-2 shows the _start function from the same binary after it has been stripped.
Listing 13-2

start proc near
    xor     ebp, ebp
    pop     esi
    mov     ecx, esp
    and     esp, 0FFFFFFF0h
    push    eax
    push    esp
    push    edx
    push    offset sub_804888C
    push    offset sub_8048894
    push    ecx
    push    esi
    push    offset loc_8048654
    call    ___libc_start_main
    hlt
start endp
In this second case, we can see that IDA no longer understands the name main. We also notice that two other function names have been lost as a result of the stripping operation, while one function has managed to retain its name. It is important to note that the behavior of _start has not been changed in any way by the strip operation. As a result, we can apply what we learned from Listing 13-1, that main is the last argument pushed to __libc_start_main, and deduce that loc_8048654 must be the start address of main; we are free to rename loc_8048654 to main as an early step in our reversing process.

One question we need to understand the answer to is why __libc_start_main has managed to retain its name while all of the other functions we saw in Listing 13-1 lost theirs. The answer lies in the fact that the binary we are looking at was dynamically linked (the file command would tell us so) and __libc_start_main is being imported from libc. strip removes the static symbol table (.symtab), which is where the names of main and the other local functions lived, but it must leave the dynamic symbol table (.dynsym) intact because the dynamic linker needs those names to resolve imports at load time. Running nm -D or readelf --dyn-syms on the stripped binary will therefore still list __libc_start_main, and any other imported function keeps its name for the same reason.
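The deduction above (the last push before the call to __libc_start_main is main) can be automated. The following is an added example written for this page, not code from the book or from IDA: it parses an IDA-style text listing of _start and, going one step beyond the text, labels every push by its position in glibc's i386 prototype __libc_start_main(main, argc, argv, init, fini, rtld_fini, stack_end), so the init and fini routines are recovered as well. The unstripped listing used for comparison is a constructed assumption about what such a listing looks like (it is not the book's Listing 13-1), and the rename targets start_init and start_fini are names chosen here.

```python
import re

# Constructed sample: the stripped _start stub as Listing 13-2 shows it.
STRIPPED_START = """\
start proc near
xor ebp, ebp
pop esi
mov ecx, esp
and esp, 0FFFFFFF0h
push eax
push esp
push edx
push offset sub_804888C
push offset sub_8048894
push ecx
push esi
push offset loc_8048654
call ___libc_start_main
hlt
start endp
"""

# Constructed unstripped variant for comparison. This is an assumption about
# the shape of an unstripped listing, not the book's Listing 13-1.
UNSTRIPPED_START = (
    STRIPPED_START.replace("loc_8048654", "main")
    .replace("sub_8048894", "___libc_csu_init")
    .replace("sub_804888C", "___libc_csu_fini")
    .replace("start proc", "_start proc")
    .replace("start endp", "_start endp")
)

# Parameters of glibc's __libc_start_main on i386 (cdecl), in callee order.
# cdecl pushes arguments right to left, so the LAST push before the call is
# the FIRST parameter, main.
LIBC_START_MAIN_PARAMS = ("main", "argc", "argv", "init", "fini", "rtld_fini", "stack_end")

PUSH_RE = re.compile(r"^\s*push\s+(?:offset\s+)?(\S+)\s*$", re.IGNORECASE)
CALL_RE = re.compile(r"^\s*call\s+_*libc_start_main\s*$", re.IGNORECASE)
IDA_AUTONAME_RE = re.compile(r"^(?:loc|sub)_([0-9A-Fa-f]+)$")


def libc_start_main_args(listing: str) -> dict:
    """Map each __libc_start_main parameter to the operand pushed for it."""
    pushes = []
    for line in listing.splitlines():
        if CALL_RE.match(line):
            break
        m = PUSH_RE.match(line)
        if m:
            pushes.append(m.group(1))
    else:
        raise ValueError("no call to __libc_start_main found in listing")
    args = list(reversed(pushes))  # undo the right-to-left push order
    if len(args) < len(LIBC_START_MAIN_PARAMS):
        raise ValueError("too few pushes before __libc_start_main")
    # Surplus pushes (the leading 'push eax' stack-alignment padding) fall
    # off the end because zip stops at the shorter sequence.
    return dict(zip(LIBC_START_MAIN_PARAMS, args))


def find_main(listing: str) -> str:
    """The operand of the last push before the call, i.e. main's symbol."""
    return libc_start_main_args(listing)["main"]


def ida_address(name: str):
    """Recover the numeric address from an IDA auto-name such as loc_8048654;
    None for anything that is not an auto-name (e.g. a real symbol)."""
    m = IDA_AUTONAME_RE.match(name)
    return int(m.group(1), 16) if m else None


def rename_plan(listing: str) -> dict:
    """Auto-named symbols that can be renamed by role (assumed names chosen
    here for init/fini); empty when the listing already carries real names."""
    args = libc_start_main_args(listing)
    plan = {}
    for role, new_name in (("main", "main"), ("init", "start_init"), ("fini", "start_fini")):
        if ida_address(args[role]) is not None:
            plan[args[role]] = new_name
    return plan


if __name__ == "__main__":
    for label, listing in (("stripped", STRIPPED_START), ("unstripped", UNSTRIPPED_START)):
        print(label, libc_start_main_args(listing), rename_plan(listing))
```

On the stripped listing the plan maps loc_8048654 to main, sub_8048894 to start_init and sub_804888C to start_fini; on the unstripped variant it is empty because nothing needs renaming. Inside IDA 7 or later the same plan can be applied with idc.set_name(ida_address(old), new) for each entry.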

