Recently, I got my hands on an ELF executable intended for ARM-based microcontrollers. To my surprise, when I tried to inspect it by dumping everything with `arm-none-eabi-objdump`, it kept failing with the error

File format not recognized

Upon asking the person who supplied the binary, I learned that it's been compiled (and linked) with a proprietary toolchain, which I shan't mention so as to avoid giving them extra publicity. Subsequently, I was told that I need utilities from the said proprietary toolchain in order to disassemble the binary. Now this is what got me curious. How is it possible for GNU's objdump to not parse the ELF file? To my knowledge, ELF is a standard free file format. Surely even if the instruction set is not recognised then it should be possible to at least obtain the section and symbol tables, as well as binary disassembly of the symbols. Perhaps the information is encrypted?

1 Answer

Probably, the ELF header is somehow corrupted to enforce anti-debug techniques. You can learn a lot from crackme challenges. There is an x86 crackme by Jonathan Salwan which seems to do the same. You can read more about it in his blog article "A binary analysis, count me if you can": http://shell-storm.org/blog/A-binary-analysis-count-me-if-you-can/

Christian Ammann
  • In addition, you should probably start with `readelf` instead of `objdump`. – Employed Russian Jul 06 '16 at 00:08
  • Great blog, thanks. Following your speculation, I requested from the person who sent me the binary to try to disassemble it. Turns out they get the same sort of errors. After some investigation, we discovered that somehow the binary got corrupted. I was then given a new one which works as expected when passed through GNU Binutils. So there's no encryption after all, not intentional at least. Still, the article you linked to was really interesting. –  Jul 06 '16 at 17:16
  • @EmployedRussian readelf does indeed process the ELF header correctly, but then it says: `readelf: Error: Unable to read in 0x2800 bytes of section headers` `readelf: Error: Unable to read in 0x3e80000 bytes of section headers` `readelf: Error: Section headers are not available!` `readelf: Error: Unable to read in 0x800000 bytes of program headers`. Otherwise it correctly recognises the ELF Class, Endianness, ABI, flags, table sizes, etc. –  Jul 06 '16 at 17:17
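
An added example, not part of the original thread: a Python check that compares the program and section header table extents declared in the ELF header against the actual file size, a typical reason for `readelf` reporting "Unable to read in ... bytes of section headers" on a truncated or corrupted file. The function names `check_elf_tables` and `sample_header` and the sample header are constructed for illustration; this is not the file from the question.

```python
import struct

def check_elf_tables(data: bytes) -> list[str]:
    """Return the header tables that do not fit inside the file."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        return ["not an ELF file (bad magic)"]
    ei_class, ei_data = data[4], data[5]  # 1/2 = ELF32/ELF64, 1/2 = LSB/MSB
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return ["invalid EI_CLASS or EI_DATA"]
    endian = "<" if ei_data == 1 else ">"
    # Fields after e_ident: type, machine, version, entry, phoff, shoff,
    # flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    fmt = endian + ("HHIIIIIHHHHHH" if ei_class == 1 else "HHIQQQIHHHHHH")
    if len(data) < 16 + struct.calcsize(fmt):
        return ["file shorter than the ELF header"]
    (_, _, _, _, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, _) = struct.unpack_from(fmt, data, 16)
    problems = []
    for name, off, entsize, num in (("program", phoff, phentsize, phnum),
                                    ("section", shoff, shentsize, shnum)):
        size = entsize * num
        # A table that extends past end-of-file cannot be read in full.
        if size and off + size > len(data):
            problems.append(f"{name} headers: need {size:#x} bytes at "
                            f"offset {off:#x}, file is {len(data):#x} bytes")
    return problems

def sample_header(shoff=0x40, shnum=0x100) -> bytes:
    # Constructed ELF32 little-endian header, e_machine = 40 (EM_ARM),
    # 40-byte section header entries, no program headers.
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    return ident + struct.pack("<HHIIIIIHHHHHH",
                               2, 40, 1, 0, 0, shoff, 0, 52, 32, 0, 40, shnum, 0)

if __name__ == "__main__":
    truncated = sample_header() + bytes(100)  # table data is missing
    for line in check_elf_tables(truncated) or ["tables fit inside the file"]:
        print(line)
```

The check does not handle the extended numbering used when a file has more section or program headers than a 16-bit count can hold.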