  1. #1
    Just Joined!
    Join Date
    Feb 2010
    Posts
    3

    How to decode a C binary

    Hi all,

    I am in a team managing some Unix / Linux systems. Recently, we had a case where some gzip files went *missing* - we are not sure whether they were not generated by cron at all or whether they were deleted by a program originally written in C to keep garbage out of that directory.

    Now, since the guilty program is written in C, I just want to know: is it possible to -decode- it, i.e. understand what it does?

    Thanks...

  2. #2
    Linux User
    Join Date
    Nov 2009
    Location
    France
    Posts
    292
    You can run it in strace and grab much information about what it's doing. That's quite a big job, however.

    It seems there are more powerful and versatile debuggers than strace; I don't really know about them. A web search will point them out.
    0 + 1 = 1 != 2 <> 3 != 4 ...
    Until the camel can pass though the eye of the needle.

  3. #3
    Linux Enthusiast gerard4143's Avatar
    Join Date
    Dec 2007
    Location
    Canada, Prince Edward Island
    Posts
    714
    You could try objdump, but if the program was stripped you'll be following memory addresses instead of labels.
    Make mine Arch Linux

  5. #4
    Just Joined!
    Join Date
    Feb 2010
    Posts
    3
    Thanks nmset, I looked into strace (thanks to you - it seems really good and I just didn't know about it) - but it just shows system calls (and not variables). It would be more helpful for us if some debugger could also show us the variable names. For example:

    fstat64(<name of dir (in user mode / program variable)>)
    unlink(<file-name>)

    @gerard4143: thanks for the response - I am looking into objdump hoping that might help.

  6. #5
    Linux Enthusiast gerard4143's Avatar
    Join Date
    Dec 2007
    Location
    Canada, Prince Edward Island
    Posts
    714
    Here's a good example of objdump usage:

    Code:
    objdump -D binaryfilename > outputfile
    Then open outputfile with your favorite editor...
    Make mine Arch Linux

  7. #6
    Linux Guru Rubberman's Avatar
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,692
    Quote Originally Posted by newbie001 View Post
    Thanks nmset, I looked into strace (thanks to you - it seems really good and I just didn't know about it) - but it just shows system calls (and not variables). It would be more helpful for us if some debugger could also show us the variable names. For example:

    fstat64(<name of dir (in user mode / program variable)>)
    unlink(<file-name>)

    @gerard4143: thanks for the response - I am looking into objdump hoping that might help.
    Well, it appears that it removed <file-name> from the system (unlink). Now you know what it did, but not why. Of course, it would be very helpful if you had the source code to that C program...
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  8. #7
    Just Joined!
    Join Date
    Feb 2010
    Posts
    3
    Now you know what it did
    Hi All,

    Sorry for late response,

    Rubberman, that is the problem: the original C prog. was indeed written to delete garbage files. So, unlink was found as expected, but the doubt is what parameters were passed to unlink, which we could not get.

    I am not sure even whether we could do it, although the program is in user mode (before calling the syscall) and I am checking with the same user.

    Thanks

  9. #8
    Linux Guru Rubberman's Avatar
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,692
    Well, you could run it in the debugger and set a breakpoint on the unlink call. Then you can inspect the arguments passed to it.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  10. #9
    Just Joined!
    Join Date
    Jan 2010
    Posts
    7
    As far as I can remember, strace prints out strings if they are passed to the system call, truncated but still. You should be able to see some if not all of the pathname. Can't you?

    Anyway, Rubberman was right: you can either insert a breakpoint before the unlink call and inspect its parameters, or you can write your own small program using PTRACE syscalls and break on each syscall, and when you encounter unlink (eax will have the value 10 decimal stored in it) you then use PTRACE(peekusr,) to inspect the contents of the memory location given to you by the address in ebx. It's complicated, but meh.
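
    The tracer sketched in posts #8 and #9, written out as an added example (not code from any poster): it runs the suspect cleanup program under ptrace(2), stops at every syscall, and when the syscall is unlink or unlinkat reads the pathname string out of the tracee's memory, which is exactly the parameter the thread could not get from strace. It assumes x86-64 Linux (syscall number in orig_rax, arguments in rdi/rsi); on i386 the poster's eax == 10 / ebx pair plays the same roles.

    ```c
    /* Added example: minimal ptrace tracer that reports every unlink()/unlinkat()
     * pathname a program passes. Assumes x86-64 Linux register layout. */
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/ptrace.h>
    #include <sys/user.h>
    #include <sys/wait.h>
    #define NR_UNLINK   87   /* x86-64 ABI number for unlink(path) */
    #define NR_UNLINKAT 263  /* x86-64 ABI number for unlinkat(dirfd, path, flags) */

    /* 1 if this syscall number removes a directory entry. */
    int is_unlink_syscall(long nr) { return nr == NR_UNLINK || nr == NR_UNLINKAT; }

    /* Index of the pathname argument: 0 for unlink, 1 for unlinkat. */
    int path_arg_index(long nr) { return nr == NR_UNLINKAT ? 1 : 0; }

    /* Copy a NUL-terminated string out of the tracee, one machine word per PEEKDATA. */
    static void read_tracee_string(pid_t pid, unsigned long addr, char *buf, size_t len) {
        for (size_t i = 0; i + sizeof(long) <= len; i += sizeof(long)) {
            long word = ptrace(PTRACE_PEEKDATA, pid, addr + i, NULL);
            memcpy(buf + i, &word, sizeof(long));
            if (memchr(&word, 0, sizeof(long))) return;   /* terminator reached */
        }
        buf[len - 1] = '\0';
    }

    int main(int argc, char **argv) {
        if (argc < 2) { fprintf(stderr, "usage: %s program [args...]\n", argv[0]); return 1; }
        pid_t pid = fork();
        if (pid == 0) {                          /* child: ask to be traced, then exec target */
            ptrace(PTRACE_TRACEME, 0, NULL, NULL);
            execvp(argv[1], argv + 1);
            return 127;
        }
        int status, entering = 0;
        waitpid(pid, &status, 0);                /* initial SIGTRAP stop after exec */
        for (;;) {
            ptrace(PTRACE_SYSCALL, pid, NULL, NULL);   /* run to next syscall entry/exit */
            waitpid(pid, &status, 0);
            if (WIFEXITED(status) || WIFSIGNALED(status)) break;
            entering = !entering;                /* stops alternate: entry, exit, entry, ... */
            if (!entering) continue;
            struct user_regs_struct regs;
            ptrace(PTRACE_GETREGS, pid, NULL, &regs);
            if (!is_unlink_syscall((long)regs.orig_rax)) continue;
            char path[4096];
            read_tracee_string(pid, path_arg_index((long)regs.orig_rax) ? regs.rsi : regs.rdi, path, sizeof path);
            printf("pid %d: %s(\"%s\")\n", pid, regs.orig_rax == NR_UNLINK ? "unlink" : "unlinkat", path);
        }
        return 0;
    }
    ```

    Run it as `./tracer ./cleanup_program` to get one line per deleted path; modern libc often routes unlink() through unlinkat, which is why both numbers are checked.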

  11. #10
    Just Joined!
    Join Date
    Feb 2010
    Posts
    18
    Hi,

    Take a look at gdb: if the code has symbols, it will show source code; otherwise, just assembly!

    bye