IDA has facilities (not well documented) for dealing with exactly this situation.
Listing 13-3 shows what our _start function ends up looking like in a statically
linked, stripped binary.
Listing 13-3
start proc near
xor ebp, ebp            ; clear frame pointer: marks the outermost frame
pop esi                 ; esi = argc (kernel leaves it on top of the stack)
mov ecx, esp            ; ecx = argv
and esp, 0FFFFFFF0h     ; 16-byte align the stack
push eax                ; padding to keep alignment
push esp                ; stack_end
push edx                ; rtld_fini (passed by the dynamic loader in edx)
push offset sub_8048AD4 ; fini
push offset sub_8048B10 ; init
push ecx                ; argv
push esi                ; argc
push offset sub_8048208 ; main (last push, so first argument)
call sub_8048440        ; __libc_start_main
start endp
At this point we have lost the names of every function in the binary and we need some
method for locating the main function so that we can begin analyzing the program in
earnest. Based on what we saw in Listings 13-1 and 13-2, we can proceed as follows:
• Find the last function called from _start; this should be __libc_start_main.
• Locate the first argument to __libc_start_main; this will be the topmost item on the stack, usually the last item pushed prior to the function call. In this case, we deduce that main must be sub_8048208. We are now prepared to start analyzing the program beginning with main.
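As an added example (not from the book), here is a small Python script that applies the two-step rule above to an IDA-style listing: it finds the last call in _start, collects the pushes immediately preceding it, and names them by glibc's __libc_start_main parameter order (main, argc, argv, init, fini, rtld_fini, stack_end), which is an assumption beyond the page. It works on the listing text rather than inside IDA so it runs stand-alone, and it assumes the i386 push-based calling sequence shown in Listing 13-3.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: Listing 13-3 from the page, as IDA prints it.
LISTING = """
start proc near
xor ebp, ebp
pop esi
mov ecx, esp
and esp, 0FFFFFFF0h
push eax
push esp
push edx
push offset sub_8048AD4
push offset sub_8048B10
push ecx
push esi
push offset sub_8048208
call sub_8048440
start endp
"""

# glibc: __libc_start_main(main, argc, argv, init, fini, rtld_fini, stack_end).
# cdecl pushes right-to-left, so the last push before the call is main.
LIBC_START_MAIN_PARAMS = ["main", "argc", "argv", "init", "fini", "rtld_fini", "stack_end"]

PUSH_RE = re.compile(r"^\s*push\s+(?:offset\s+)?(\S+)\s*$")
CALL_RE = re.compile(r"^\s*call\s+(\S+)\s*$")

def instructions(listing: str) -> List[str]:
    """Return the instruction lines of one IDA function listing (no proc/endp)."""
    lines = [ln.strip() for ln in listing.strip().splitlines()]
    return [ln for ln in lines if not (ln.endswith("proc near") or ln.endswith("endp"))]

def last_call(insns: List[str]) -> Optional[int]:
    """Index of the last call in _start; in a glibc binary this is __libc_start_main."""
    idx = [i for i, ln in enumerate(insns) if CALL_RE.match(ln)]
    return idx[-1] if idx else None

def locate_main(listing: str) -> Tuple[str, Dict[str, str]]:
    """Return (callee of the last call, {param name: pushed operand})."""
    insns = instructions(listing)
    ci = last_call(insns)
    if ci is None:
        raise ValueError("no call instruction in listing")
    callee = CALL_RE.match(insns[ci]).group(1)
    pushed: List[str] = []  # operands in pop order: topmost stack item first
    for ln in reversed(insns[:ci]):
        m = PUSH_RE.match(ln)
        if not m:
            break  # stop at the first non-push (the stack alignment)
        pushed.append(m.group(1))
    if len(pushed) < len(LIBC_START_MAIN_PARAMS):
        raise ValueError("fewer pushes than __libc_start_main parameters")
    # Surplus pushes beyond the 7 parameters (push eax) are alignment padding.
    return callee, dict(zip(LIBC_START_MAIN_PARAMS, pushed))
```

On the page's listing, locate_main(LISTING) names sub_8048440 as __libc_start_main and sub_8048208 as main, matching the deduction above.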
Locating main is only a small victory, however. By comparing Listing 13-4 from the
unstripped version of the binary with Listing 13-5 from the stripped version, we can see
that we have completely lost the ability to distinguish the boundaries between user code
and library code.