1 00:00:01,070 --> 00:00:02,300 Hello, my name is Stefan.
2 00:00:02,840 --> 00:00:08,690 Now that we have explored the inner workings of an object file, it's time to venture into the disassembly
3 00:00:08,690 --> 00:00:10,460 of a complete binary.
4 00:00:10,490 --> 00:00:14,660 Now, let's begin with an example binary that contains symbols.
5 00:00:14,660 --> 00:00:21,350 And then we will proceed to examine its stripped counterpart to observe the contrasting disassembly
6 00:00:21,350 --> 00:00:22,000 output.
7 00:00:22,010 --> 00:00:30,530 And it's important to note that disassembling an object file differs significantly from
8 00:00:30,530 --> 00:00:32,760 disassembling a binary executable.
9 00:00:32,780 --> 00:00:39,410 So when disassembling an object file, we have the luxury of working with symbols that provide valuable
10 00:00:39,410 --> 00:00:41,100 contextual information.
11 00:00:41,120 --> 00:00:49,040 Symbols act as guideposts, enabling us to navigate through the code with greater ease.
12 00:00:49,070 --> 00:00:55,370 However, the disassembly of a binary executable presents a unique challenge.
13 00:00:55,370 --> 00:01:03,600 Without the presence of symbols or other symbolic information, we must rely solely on the structure
14 00:01:03,600 --> 00:01:06,000 and patterns within the binary itself.
15 00:01:06,000 --> 00:01:11,730 So this requires a deeper understanding of assembly language and the ability to decipher the code's
16 00:01:11,740 --> 00:01:15,240 logic based on its instructions and data.
17 00:01:15,930 --> 00:01:22,520 Disassembling a binary executable without symbols demands a more meticulous and intricate approach.
18 00:01:22,530 --> 00:01:29,760 We must carefully analyze the code, identify known functions or recognizable patterns, and reconstruct
19 00:01:29,760 --> 00:01:33,450 the program's logic through careful observation.
20 00:01:33,750 --> 00:01:39,570 It requires a keen eye and a solid grasp of assembly language concepts. While disassembling a stripped
21 00:01:39,570 --> 00:01:48,630 binary may be more arduous, it serves as an excellent exercise in honing reverse engineering skills
22 00:01:48,630 --> 00:01:52,230 and gaining a deeper understanding of the code's inner workings.
23 00:01:53,660 --> 00:02:02,090 And to explain further, we will use objdump to disassemble an executable here.
24 00:02:02,090 --> 00:02:08,990 So objdump, uppercase M, Intel, d, a.out here.
25 00:02:09,440 --> 00:02:11,960 And this is our output here.
26 00:02:13,060 --> 00:02:13,800 The first.
27 00:02:13,800 --> 00:02:15,730 Firstly, we have.
28 00:02:16,250 --> 00:02:21,350 The, that's the disassembly section in it.
29 00:02:21,350 --> 00:02:22,010 Right.
30 00:02:22,340 --> 00:02:23,240 So.
31 00:02:24,140 --> 00:02:25,010 Here.
32 00:02:26,750 --> 00:02:31,720 You can see that the binary has a lot more code than the object file.
33 00:02:31,730 --> 00:02:35,600 So it's no longer just the main function or even just a single code section.
34 00:02:35,630 --> 00:02:38,860 There are multiple sections now.
35 00:02:38,870 --> 00:02:41,150 The names like the init.
36 00:02:41,800 --> 00:02:43,640 Pee pee pee.
37 00:02:44,940 --> 00:02:45,390 Here.
38 00:02:45,420 --> 00:02:46,790 This is a pre init.
39 00:02:46,870 --> 00:02:47,700 PLT.
40 00:02:49,340 --> 00:02:51,260 And text.
41 00:02:53,320 --> 00:02:57,730 Here we have the three main sections that we are interested in.
42 00:02:58,000 --> 00:03:04,900 So these sections all contain code serving different functions, such as program initialization
43 00:03:04,900 --> 00:03:06,820 or stubs for calling shared libraries.
44 00:03:06,820 --> 00:03:12,100 So the text section here, let's actually copy this and.
45 00:03:18,430 --> 00:03:23,020 Let's actually copy this into Notepad and we'll see that better.
46 00:03:29,780 --> 00:03:30,950 And here.
47 00:03:32,460 --> 00:03:33,870 What we are going to do is.
48 00:03:35,430 --> 00:03:37,050 Let's go to the next section.
49 00:03:42,130 --> 00:03:44,280 Disassembly of section .text.
50 00:03:44,280 --> 00:03:47,220 So the text section is the main code section.
51 00:03:47,220 --> 00:03:51,120 So it contains the main function, as you saw here.
52 00:03:51,120 --> 00:03:57,930 So as you can see, this is the main function and it also contains a number of other functions, such as
53 00:03:57,930 --> 00:04:05,970 the start, that are responsible for tasks such as setting up the command line arguments and runtime environment
54 00:04:05,970 --> 00:04:10,680 for main and cleaning up after main.
55 00:04:12,680 --> 00:04:19,520 And these extra functions are standard functions present in any ELF binary produced by GCC.
56 00:04:19,550 --> 00:04:28,190 You can also see that the previously incomplete code and data references have now been resolved by the
57 00:04:28,190 --> 00:04:28,690 linker.
58 00:04:28,700 --> 00:04:32,000 For instance, the call paths here.
59 00:04:33,040 --> 00:04:36,250 Let me find that call.
60 00:04:36,440 --> 00:04:37,210 Here.
61 00:04:38,570 --> 00:04:39,500 But this one.
62 00:04:42,150 --> 00:04:43,050 This one here?
63 00:04:43,050 --> 00:04:43,620 Yeah.
64 00:04:44,250 --> 00:04:48,360 The call here in our main function.
65 00:04:49,780 --> 00:04:54,130 Now points to the proper stub in the PLT.
66 00:04:54,300 --> 00:04:57,040 Set in the PLT here.
67 00:04:57,040 --> 00:04:59,230 Paths at PLT here.
68 00:05:00,250 --> 00:05:01,600 And for this.
69 00:05:02,630 --> 00:05:08,030 Points to a proper stub for the shared library that contains paths itself.
70 00:05:08,030 --> 00:05:11,480 So I will explain the workings of PLT stubs in the next lectures.
71 00:05:11,630 --> 00:05:12,140 Again.
72 00:05:12,140 --> 00:05:12,710 So.
73 00:05:12,710 --> 00:05:20,930 So the full binary executable contains significantly more code and data that I haven't shown
74 00:05:21,590 --> 00:05:22,430 for now.
75 00:05:22,580 --> 00:05:24,440 And then the corresponding object file.
76 00:05:24,440 --> 00:05:24,740 So.
77 00:05:24,740 --> 00:05:28,220 But so far the output isn't much more difficult to interpret, right?
78 00:05:28,220 --> 00:05:37,520 So the change is that the binary is stripped, and we use objdump to disassemble the stripped version
79 00:05:37,520 --> 00:05:38,990 of an example binary.
80 00:05:38,990 --> 00:05:42,800 We're going to use that now, let's clear that.
81 00:05:43,600 --> 00:05:45,790 Let's close the backgrounds here.
82 00:05:49,460 --> 00:05:49,730 Come.
83 00:05:55,730 --> 00:05:56,780 And here.
84 00:05:57,170 --> 00:05:58,760 Objdump.
85 00:05:59,540 --> 00:06:00,440 Objdump.
86 00:06:02,180 --> 00:06:06,230 And Intel here and a or.
87 00:06:08,050 --> 00:06:08,880 My app.
88 00:06:08,890 --> 00:06:10,780 My app dot.
89 00:06:13,750 --> 00:06:14,320 Actually.
90 00:06:14,560 --> 00:06:16,090 I think we had this.
91 00:06:20,850 --> 00:06:22,800 My apt out of.
92 00:06:29,570 --> 00:06:30,410 a.out.
93 00:06:31,960 --> 00:06:35,320 And here again, we have this.
94 00:06:36,780 --> 00:06:37,080 By.
95 00:06:37,470 --> 00:06:38,460 Copy this again.
96 00:06:40,830 --> 00:06:42,000 The new mousepad.
97 00:06:46,440 --> 00:06:53,580 And here the main takeaway of this output is that while the different sections are still clearly distinguishable,
98 00:06:53,580 --> 00:06:58,170 like the init, the init the.
99 00:07:00,260 --> 00:07:00,580 Light.
100 00:07:02,010 --> 00:07:04,140 They also have the text here.
101 00:07:06,590 --> 00:07:08,960 Uh, but the functions are not.
102 00:07:09,320 --> 00:07:15,350 Instead, all functions have been merged into one big blob of code.
103 00:07:15,350 --> 00:07:18,860 So the start function here, start.
104 00:07:19,950 --> 00:07:23,400 The start function begins here.
105 00:07:24,020 --> 00:07:29,030 And the register, or the register here?
106 00:07:30,360 --> 00:07:32,520 The register functions.
107 00:07:32,520 --> 00:07:36,120 The register_tm_clones begins after the start.
108 00:07:36,850 --> 00:07:37,030 Those.
109 00:07:37,070 --> 00:07:42,430 So the main function starts somewhere at the bottom here.
110 00:07:42,460 --> 00:07:46,270 Here the main function starts here.
111 00:07:47,140 --> 00:07:49,360 And ends here.
112 00:07:50,080 --> 00:07:57,160 But in all of these cases, there's nothing special to indicate that the instructions at these markers
113 00:07:57,160 --> 00:07:58,480 represent function starts.
114 00:07:58,480 --> 00:08:06,640 So the only exceptions are the functions in the PLT section here, the disassembly of section .plt.
115 00:08:09,630 --> 00:08:10,260 And.
116 00:08:14,950 --> 00:08:21,280 And these sections have their names, as we saw before.
117 00:08:22,190 --> 00:08:23,600 Uh, in the previous output.
118 00:08:24,510 --> 00:08:30,690 And other than that, you are on your own to try to make sense of this disassembly output.
119 00:08:30,720 --> 00:08:34,500 Even in this simple example, things are really confusing.
120 00:08:34,500 --> 00:08:40,260 Imagine trying to make sense of a larger binary containing hundreds of different functions all fused
121 00:08:40,260 --> 00:08:40,800 together.
122 00:08:40,800 --> 00:08:49,650 This is exactly why accurate automated function detection is so important in many areas of reverse engineering,
123 00:08:49,650 --> 00:08:55,950 malware analysis or binary analysis, which you will learn in the next lectures.