- 02-07-2010 #1 Just Joined!
how to decode a c binary
Hi all,
I am in a team managing some unix / linux systems. Recently, we had a case where some gzip files went *missing* - we are not sure whether they were not generated by cron at all or whether they were deleted by a program initially written in C to keep garbage out of that directory.
Now, since the guilty program is written in C, I just want to know whether it is possible to -decode- it, i.e. understand what it does.
Thanks...
- 02-07-2010 #2 Linux User
You can run it in strace and grab much information about what it's doing. That's quite a big job however.
It seems there are more powerful and versatile debuggers than strace; I don't really know about them. A web search will point them out.
0 + 1 = 1 != 2 <> 3 != 4 ...
Until the camel can pass though the eye of the needle.
- 02-07-2010 #3
You could try objdump, but if the program was stripped you'll be following memory addresses instead of labels.
Make mine Arch Linux
- 02-07-2010 #4 Just Joined!
Thanks nmset, I looked into strace (thanks to you - it seems really good and I just didn't know about it) - but it just shows system calls (and not variables). It will be more helpful for us if some debugger can also show us the variable name. For example:
fstat64(<name of dir (in user mode / program variable)>)
unlink(<file-name>)
@gerard4143: thanks for the response - I am looking into objdump hoping that might help.
- 02-07-2010 #5
Here's a good example of objdump usage:
Code:
objdump -D binaryfilename > outputfile
Then open outputfile with your favorite editor...
Make mine Arch Linux
- 02-07-2010 #6 Linux Guru
Now you know what it did.
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
- 02-08-2010 #7 Just Joined!
Hi All,
Sorry for late response,
Rubberman, that is the problem: the original C prog. was indeed written to delete garbage files. So, unlink was found as expected, but the doubt is what the parameters passed to unlink were, which we could not get.
I am not sure whether we could even do it, although the program is in usermode (before calling the syscall) and I am checking with the same user.
Thanks
- 02-08-2010 #8 Linux Guru
Well, you could run it in the debugger and set a breakpoint on the unlink call. Then you can inspect the arguments passed to it.
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
- 02-10-2010 #9 Just Joined!
As far as I can remember, strace prints out strings if they are passed to the system call, truncated but still. You should be able to see some if not all of the pathname. Can't you?
Anyway, rubberman was right: you can either insert a breakpoint before the unlink call and inspect its parameters, or you can write your own small program using PTRACE syscalls and break on each syscall, and when you encounter unlink (eax will have the value 10 decimal stored in it) you then use PTRACE(peekusr,) to inspect the contents of the memory location given to you by the address in ebx. It's complicated but meh.
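The write-your-own-tracer idea from the post above, worked through as an added example (not code from this thread): a minimal ptrace(2) tracer that stops a child at every system call and, when it sees unlink or unlinkat, copies the pathname argument out of the child's memory. It assumes x86_64 Linux (so the syscall number is in orig_rax and the arguments in rdi/rsi, rather than the 32-bit eax/ebx named in the post), that the host permits ptrace, and it uses a forked child deleting a constructed scratch file as a stand-in for the cleanup program.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
/* Copy a NUL-terminated string out of the tracee's memory, one long at a time. */
static void read_tracee_string(pid_t pid, unsigned long addr, char *out, size_t len) {
    for (size_t i = 0; i + sizeof(long) <= len; i += sizeof(long)) {
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + i), NULL);
        if (errno) { out[i] = '\0'; return; }                /* unreadable address: stop here */
        memcpy(out + i, &word, sizeof word);
        if (memchr(&word, 0, sizeof word)) return;           /* NUL terminator copied */
    }
    out[len - 1] = '\0';                                     /* string longer than the buffer */
}
/* Returns 1 if the tracee passed a path to unlink/unlinkat (copied into out), 0 if it never did, -1 if ptrace is refused. */
int trace_unlink_path(const char *path, char *out, size_t outlen) {
    int status, found = 0; *out = '\0';
    pid_t pid = fork();
    if (pid == 0) {                                           /* tracee: stand-in for the cleanup program */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(3);
        raise(SIGSTOP);                                       /* hand control to the tracer first */
        syscall(SYS_unlink, path); _exit(0);                  /* the call we want to observe */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);  /* syscall stops -> SIGTRAP|0x80 */
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0 || waitpid(pid, &status, 0) < 0) return -1;
        if (!WIFSTOPPED(status)) return found;                /* tracee exited */
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) continue;   /* a real signal, not a syscall stop */
        struct user_regs_struct regs;                         /* x86_64: orig_rax = syscall nr, rdi/rsi = args 1/2 */
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0) return -1;
        unsigned long p = regs.orig_rax == SYS_unlink ? regs.rdi : regs.orig_rax == SYS_unlinkat ? regs.rsi : 0;
        if (p && !found) { read_tracee_string(pid, p, out, outlen); found = 1; }
    }
}
int main(void) {                                              /* demo: constructed scratch file, then trace its deletion */
    char path[] = "/tmp/decode-demo-XXXXXX", seen[256];
    if (close(mkstemp(path)) < 0) return 1;                   /* a failed mkstemp makes close(-1) fail too */
    int rc = trace_unlink_path(path, seen, sizeof seen);
    printf("rc=%d, tracee passed \"%s\" to unlink\n", rc, seen);
    return unlink(path), rc != 1;                             /* cleanup (no-op if the tracee removed it), then exit status */
}
```

Each syscall produces two stops (entry and exit), which is why the first sighting is recorded and later ones ignored; for a binary you did not write, replace the forked child with PTRACE_ATTACH to its pid or fork+exec of the program.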
- 02-12-2010 #10 Just Joined!
Hi,
Have a look at gdb: if the code has symbols, it will show source code; otherwise, just assembly!
bye