all repos — site @ f55fc2f7d72477266abfbfefa9c2fc2003c8cc8b

source for my site, found at icyphox.sh

build/blog/python-for-re-1/index.html (view raw)

  1<!DOCTYPE html>
  2<html lang=en>
  3<link rel="stylesheet" href="/static/style.css" type="text/css">
  4<link rel="stylesheet" href="/static/syntax.css" type="text/css">
  5<link rel="shortcut icon" type="images/x-icon" href="/static/favicon.ico">
  6<meta name="description" content="Building your own disassembly tooling for — that’s right — fun and profit">
  7<meta name="viewport" content="initial-scale=1">
  8<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
  9<meta content="#021012" name="theme-color">
 10<meta name="HandheldFriendly" content="true">
 11<meta name="twitter:card" content="summary_large_image">
 12<meta name="twitter:site" content="@icyphox">
 13<meta name="twitter:title" content="Python for Reverse Engineering #1: ELF Binaries">
 14<meta name="twitter:description" content="Building your own disassembly tooling for — that’s right — fun and profit">
 15<meta name="twitter:image" content="/static/icyphox.png">
 16<meta property="og:title" content="Python for Reverse Engineering #1: ELF Binaries">
 17<meta property="og:type" content="website">
 18<meta property="og:description" content="Building your own disassembly tooling for — that’s right — fun and profit">
 19<meta property="og:url" content="https://icyphox.sh">
 20<meta property="og:image" content="/static/icyphox.png">
 21<html>
 22  <title>
 23    Python for Reverse Engineering #1: ELF Binaries
 24  </title>
 25<script src="//instant.page/1.1.0" type="module" integrity="sha384-EwBObn5QAxP8f09iemwAJljc+sU+eUXeL9vSBw1eNmVarwhKk2F9vBEpaN9rsrtp"></script>
 26<div class="container-text">
 27  <header class="header">
 28    
 29        <a href="/">home</a>
 30        <a href="/blog">blog</a>
 31        <a href="/reading">reading</a>
 32        <a href="https://twitter.com/icyphox">twitter</a>
 33        <a href="/about">about</a>
 34
 35  </header>
 36<body> 
 37   <div class="content">
 38    <div align="left">
 39      <p> 2019-02-08 </p>
 40      <h1 id="python-for-reverse-engineering-1-elf-binaries">Python for Reverse Engineering 1: ELF Binaries</h1>
 41
 42<h2 id="building-your-own-disassembly-tooling-for-thats-right-fun-and-profit">Building your own disassembly tooling for — that’s right — fun and profit</h2>
 43
 44<p>While solving complex reversing challenges, we often use established tools like radare2 or IDA for disassembling and debugging. But there are times when you need to dig in a little deeper and understand how things work under the hood.</p>
 45
 46<p>Rolling your own disassembly scripts can be immensely helpful when it comes to automating certain processes, and eventually build your own homebrew reversing toolchain of sorts. At least, that’s what I’m attempting anyway.</p>
 47
 48<h3 id="setup">Setup</h3>
 49
 50<p>As the title suggests, you’re going to need a Python 3 interpreter before
 51anything else. Once you’ve confirmed beyond reasonable doubt that you do,
 52in fact, have a Python 3 interpreter installed on your system, run</p>
 53
 54<div class="codehilite"><pre><span></span><code><span class="gp">$</span> pip install capstone pyelftools
 55</code></pre></div>
 56
 57<p>where <code>capstone</code> is the disassembly engine we’ll be scripting with and <code>pyelftools</code> to help parse ELF files.</p>
 58
 59<p>With that out of the way, let’s start with an example of a basic reversing
 60challenge.</p>
 61
 62<div class="codehilite"><pre><span></span><code><span class="cm">/* chall.c */</span>
 63
 64<span class="cp">#include</span> <span class="cpf">&lt;stdio.h&gt;</span><span class="cp"></span>
 65<span class="cp">#include</span> <span class="cpf">&lt;stdlib.h&gt;</span><span class="cp"></span>
 66<span class="cp">#include</span> <span class="cpf">&lt;string.h&gt;</span><span class="cp"></span>
 67
 68<span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span>
 69   <span class="kt">char</span> <span class="o">*</span><span class="n">pw</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">9</span><span class="p">);</span>
 70   <span class="n">pw</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="sc">&#39;a&#39;</span><span class="p">;</span>
 71   <span class="k">for</span><span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;=</span> <span class="mi">8</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">){</span>
 72       <span class="n">pw</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="n">pw</span><span class="p">[</span><span class="n">i</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span>
 73   <span class="p">}</span>
 74   <span class="n">pw</span><span class="p">[</span><span class="mi">9</span><span class="p">]</span> <span class="o">=</span> <span class="sc">&#39;\0&#39;</span><span class="p">;</span>
 75   <span class="kt">char</span> <span class="o">*</span><span class="n">in</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span>
 76   <span class="n">printf</span><span class="p">(</span><span class="s">&quot;password: &quot;</span><span class="p">);</span>
 77   <span class="n">fgets</span><span class="p">(</span><span class="n">in</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="n">stdin</span><span class="p">);</span>        <span class="c1">// &#39;abcdefghi&#39;</span>
 78   <span class="k">if</span><span class="p">(</span><span class="n">strcmp</span><span class="p">(</span><span class="n">in</span><span class="p">,</span> <span class="n">pw</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
 79       <span class="n">printf</span><span class="p">(</span><span class="s">&quot;haha yes!</span><span class="se">\n</span><span class="s">&quot;</span><span class="p">);</span>
 80   <span class="p">}</span>
 81   <span class="k">else</span> <span class="p">{</span>
 82       <span class="n">printf</span><span class="p">(</span><span class="s">&quot;nah dude</span><span class="se">\n</span><span class="s">&quot;</span><span class="p">);</span>
 83   <span class="p">}</span>
 84<span class="p">}</span>
 85</code></pre></div>
 86
 87<p>Compile it with GCC/Clang:</p>
 88
 89<div class="codehilite"><pre><span></span><code><span class="gp">$</span> gcc chall.c -o chall.elf
 90</code></pre></div>
 91
 92<h3 id="scripting">Scripting</h3>
 93
 94<p>For starters, let’s look at the different sections present in the binary.</p>
 95
 96<div class="codehilite"><pre><span></span><code><span class="c1"># sections.py</span>
 97
 98<span class="kn">from</span> <span class="nn">elftools.elf.elffile</span> <span class="kn">import</span> <span class="n">ELFFile</span>
 99
100<span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">&#39;./chall.elf&#39;</span><span class="p">,</span> <span class="s1">&#39;rb&#39;</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span>
101    <span class="n">e</span> <span class="o">=</span> <span class="n">ELFFile</span><span class="p">(</span><span class="n">f</span><span class="p">)</span>
102    <span class="k">for</span> <span class="n">section</span> <span class="ow">in</span> <span class="n">e</span><span class="o">.</span><span class="n">iter_sections</span><span class="p">():</span>
103        <span class="k">print</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">section</span><span class="p">[</span><span class="s1">&#39;sh_addr&#39;</span><span class="p">]),</span> <span class="n">section</span><span class="o">.</span><span class="n">name</span><span class="p">)</span>
104</code></pre></div>
105
106<p>This script iterates through all the sections and also shows us where it’s loaded. This will be pretty useful later. Running it gives us</p>
107
108<div class="codehilite"><pre><span></span><code><span class="go">› python sections.py</span>
109<span class="go">0x238 .interp</span>
110<span class="go">0x254 .note.ABI-tag</span>
111<span class="go">0x274 .note.gnu.build-id</span>
112<span class="go">0x298 .gnu.hash</span>
113<span class="go">0x2c0 .dynsym</span>
114<span class="go">0x3e0 .dynstr</span>
115<span class="go">0x484 .gnu.version</span>
116<span class="go">0x4a0 .gnu.version_r</span>
117<span class="go">0x4c0 .rela.dyn</span>
118<span class="go">0x598 .rela.plt</span>
119<span class="go">0x610 .init</span>
120<span class="go">0x630 .plt</span>
121<span class="go">0x690 .plt.got</span>
122<span class="go">0x6a0 .text</span>
123<span class="go">0x8f4 .fini</span>
124<span class="go">0x900 .rodata</span>
125<span class="go">0x924 .eh_frame_hdr</span>
126<span class="go">0x960 .eh_frame</span>
127<span class="go">0x200d98 .init_array</span>
128<span class="go">0x200da0 .fini_array</span>
129<span class="go">0x200da8 .dynamic</span>
130<span class="go">0x200f98 .got</span>
131<span class="go">0x201000 .data</span>
132<span class="go">0x201010 .bss</span>
133<span class="go">0x0 .comment</span>
134<span class="go">0x0 .symtab</span>
135<span class="go">0x0 .strtab</span>
136<span class="go">0x0 .shstrtab</span>
137</code></pre></div>
138
139<p>Most of these aren’t relevant to us, but a few sections here are to be noted. The <code>.text</code> section contains the instructions (opcodes) that we’re after. The <code>.data</code> section should have strings and constants initialized at compile time. Finally, the <code>.plt</code> which is the Procedure Linkage Table and the <code>.got</code>, the Global Offset Table. If you’re unsure about what these mean, read up on the ELF format and its internals.</p>
140
141<p>Since we know that the <code>.text</code> section has the opcodes, let’s disassemble the binary starting at that address.</p>
142
143<div class="codehilite"><pre><span></span><code><span class="c1"># disas1.py</span>
144
145<span class="kn">from</span> <span class="nn">elftools.elf.elffile</span> <span class="kn">import</span> <span class="n">ELFFile</span>
146<span class="kn">from</span> <span class="nn">capstone</span> <span class="kn">import</span> <span class="o">*</span>
147
148<span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">&#39;./bin.elf&#39;</span><span class="p">,</span> <span class="s1">&#39;rb&#39;</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span>
149    <span class="n">elf</span> <span class="o">=</span> <span class="n">ELFFile</span><span class="p">(</span><span class="n">f</span><span class="p">)</span>
150    <span class="n">code</span> <span class="o">=</span> <span class="n">elf</span><span class="o">.</span><span class="n">get_section_by_name</span><span class="p">(</span><span class="s1">&#39;.text&#39;</span><span class="p">)</span>
151    <span class="n">ops</span> <span class="o">=</span> <span class="n">code</span><span class="o">.</span><span class="n">data</span><span class="p">()</span>
152    <span class="n">addr</span> <span class="o">=</span> <span class="n">code</span><span class="p">[</span><span class="s1">&#39;sh_addr&#39;</span><span class="p">]</span>
153    <span class="n">md</span> <span class="o">=</span> <span class="n">Cs</span><span class="p">(</span><span class="n">CS_ARCH_X86</span><span class="p">,</span> <span class="n">CS_MODE_64</span><span class="p">)</span>
154    <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">md</span><span class="o">.</span><span class="n">disasm</span><span class="p">(</span><span class="n">ops</span><span class="p">,</span> <span class="n">addr</span><span class="p">):</span>        
155        <span class="k">print</span><span class="p">(</span><span class="n">f</span><span class="s1">&#39;0x{i.address:x}:</span><span class="se">\t</span><span class="s1">{i.mnemonic}</span><span class="se">\t</span><span class="s1">{i.op_str}&#39;</span><span class="p">)</span>
156</code></pre></div>
157
158<p>The code is fairly straightforward (I think). We should be seeing this, on running</p>
159
160<div class="codehilite"><pre><span></span><code><span class="go">› python disas1.py | less      </span>
161<span class="go">0x6a0: xor ebp, ebp</span>
162<span class="go">0x6a2: mov r9, rdx</span>
163<span class="go">0x6a5: pop rsi</span>
164<span class="go">0x6a6: mov rdx, rsp</span>
165<span class="go">0x6a9: and rsp, 0xfffffffffffffff0</span>
166<span class="go">0x6ad: push rax</span>
167<span class="go">0x6ae: push rsp</span>
168<span class="go">0x6af: lea r8, [rip + 0x23a]</span>
169<span class="go">0x6b6: lea rcx, [rip + 0x1c3]</span>
170<span class="go">0x6bd: lea rdi, [rip + 0xe6]</span>
171<span class="go">**0x6c4: call qword ptr [rip + 0x200916]**</span>
172<span class="go">0x6ca: hlt</span>
173<span class="go">... snip ...</span>
174</code></pre></div>
175
176<p>The line in bold is fairly interesting to us. The address at <code>[rip + 0x200916]</code> is equivalent to <code>[0x6ca + 0x200916]</code>, which in turn evaluates to <code>0x200fe0</code>. The first <code>call</code> being made to a function at <code>0x200fe0</code>? What could this function be?</p>
177
178<p>For this, we will have to look at <strong>relocations</strong>. Quoting <a href="http://refspecs.linuxbase.org/elf/gabi4+/ch4.reloc.html">linuxbase.org</a></p>
179
180<blockquote>
181  <p>Relocation is the process of connecting symbolic references with symbolic definitions. For example, when a program calls a function, the associated call instruction must transfer control to the proper destination address at execution. Relocatable files must have “relocation entries’’ which are necessary because they contain information that describes how to modify their section contents, thus allowing executable and shared object files to hold the right information for a process’s program image.</p>
182</blockquote>
183
184<p>To try and find these relocation entries, we write a third script.</p>
185
186<div class="codehilite"><pre><span></span><code><span class="c1"># relocations.py</span>
187
188<span class="kn">import</span> <span class="nn">sys</span>
189<span class="kn">from</span> <span class="nn">elftools.elf.elffile</span> <span class="kn">import</span> <span class="n">ELFFile</span>
190<span class="kn">from</span> <span class="nn">elftools.elf.relocation</span> <span class="kn">import</span> <span class="n">RelocationSection</span>
191
192<span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">&#39;./chall.elf&#39;</span><span class="p">,</span> <span class="s1">&#39;rb&#39;</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span>
193    <span class="n">e</span> <span class="o">=</span> <span class="n">ELFFile</span><span class="p">(</span><span class="n">f</span><span class="p">)</span>
194    <span class="k">for</span> <span class="n">section</span> <span class="ow">in</span> <span class="n">e</span><span class="o">.</span><span class="n">iter_sections</span><span class="p">():</span>
195        <span class="k">if</span> <span class="nb">isinstance</span><span class="p">(</span><span class="n">section</span><span class="p">,</span> <span class="n">RelocationSection</span><span class="p">):</span>
196            <span class="k">print</span><span class="p">(</span><span class="n">f</span><span class="s1">&#39;{section.name}:&#39;</span><span class="p">)</span>
197            <span class="n">symbol_table</span> <span class="o">=</span> <span class="n">e</span><span class="o">.</span><span class="n">get_section</span><span class="p">(</span><span class="n">section</span><span class="p">[</span><span class="s1">&#39;sh_link&#39;</span><span class="p">])</span>
198            <span class="k">for</span> <span class="n">relocation</span> <span class="ow">in</span> <span class="n">section</span><span class="o">.</span><span class="n">iter_relocations</span><span class="p">():</span>
199                <span class="n">symbol</span> <span class="o">=</span> <span class="n">symbol_table</span><span class="o">.</span><span class="n">get_symbol</span><span class="p">(</span><span class="n">relocation</span><span class="p">[</span><span class="s1">&#39;r_info_sym&#39;</span><span class="p">])</span>
200                <span class="n">addr</span> <span class="o">=</span> <span class="nb">hex</span><span class="p">(</span><span class="n">relocation</span><span class="p">[</span><span class="s1">&#39;r_offset&#39;</span><span class="p">])</span>
201                <span class="k">print</span><span class="p">(</span><span class="n">f</span><span class="s1">&#39;{symbol.name} {addr}&#39;</span><span class="p">)</span>
202</code></pre></div>
203
204<p>Let’s run through this code real quick. We first loop through the sections, and check if it’s of the type <code>RelocationSection</code>. We then iterate through the relocations from the symbol table for each section. Finally, running this gives us</p>
205
206<div class="codehilite"><pre><span></span><code><span class="go">› python relocations.py</span>
207<span class="go">.rela.dyn:</span>
208<span class="go"> 0x200d98</span>
209<span class="go"> 0x200da0</span>
210<span class="go"> 0x201008</span>
211<span class="go">_ITM_deregisterTMCloneTable 0x200fd8</span>
212<span class="go">**__libc_start_main 0x200fe0**</span>
213<span class="go">__gmon_start__ 0x200fe8</span>
214<span class="go">_ITM_registerTMCloneTable 0x200ff0</span>
215<span class="go">__cxa_finalize 0x200ff8</span>
216<span class="go">stdin 0x201010</span>
217<span class="go">.rela.plt:</span>
218<span class="go">puts 0x200fb0</span>
219<span class="go">printf 0x200fb8</span>
220<span class="go">fgets 0x200fc0</span>
221<span class="go">strcmp 0x200fc8</span>
222<span class="go">malloc 0x200fd0</span>
223</code></pre></div>
224
225<p>Remember the function call at <code>0x200fe0</code> from earlier? Yep, so that was a call to the well known <code>__libc_start_main</code>. Again, according to <a href="http://refspecs.linuxbase.org/LSB_3.1.0/LSB-generic/LSB-generic/baselib&#8212;libc-start-main-.html">linuxbase.org</a></p>
226
227<blockquote>
228  <p>The <code>__libc_start_main()</code> function shall perform any necessary initialization of the execution environment, call the <em>main</em> function with appropriate arguments, and handle the return from <code>main()</code>. If the <code>main()</code> function returns, the return value shall be passed to the <code>exit()</code> function.</p>
229</blockquote>
230
231<p>And its definition is like so</p>
232
233<div class="codehilite"><pre><span></span><code><span class="kt">int</span> <span class="nf">__libc_start_main</span><span class="p">(</span><span class="kt">int</span> <span class="o">*</span><span class="p">(</span><span class="n">main</span><span class="p">)</span> <span class="p">(</span><span class="kt">int</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span> <span class="o">*</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span> <span class="o">*</span><span class="p">),</span> 
234<span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span> <span class="o">*</span> <span class="n">ubp_av</span><span class="p">,</span> 
235<span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">init</span><span class="p">)</span> <span class="p">(</span><span class="kt">void</span><span class="p">),</span> 
236<span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">fini</span><span class="p">)</span> <span class="p">(</span><span class="kt">void</span><span class="p">),</span> 
237<span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">rtld_fini</span><span class="p">)</span> <span class="p">(</span><span class="kt">void</span><span class="p">),</span> 
238<span class="kt">void</span> <span class="p">(</span><span class="o">*</span> <span class="n">stack_end</span><span class="p">));</span>
239</code></pre></div>
240
241<p>Looking back at our disassembly</p>
242
243<pre><code>0x6a0: xor ebp, ebp
2440x6a2: mov r9, rdx
2450x6a5: pop rsi
2460x6a6: mov rdx, rsp
2470x6a9: and rsp, 0xfffffffffffffff0
2480x6ad: push rax
2490x6ae: push rsp
2500x6af: lea r8, [rip + 0x23a]
2510x6b6: lea rcx, [rip + 0x1c3]
252**0x6bd: lea rdi, [rip + 0xe6]**
2530x6c4: call qword ptr [rip + 0x200916]
2540x6ca: hlt
255... snip ...
256</code></pre>
257
258<p>but this time, at the <code>lea</code> or Load Effective Address instruction, which loads some address <code>[rip + 0xe6]</code> into the <code>rdi</code> register. <code>[rip + 0xe6]</code> evaluates to <code>0x7aa</code> which happens to be the address of our <code>main()</code> function! How do I know that? Because <code>__libc_start_main()</code>, after doing whatever it does, eventually jumps to the function at <code>rdi</code>, which is generally the <code>main()</code> function. It looks something like this</p>
259
260<p><img src="https://cdn-images-1.medium.com/max/800/0*oQA2MwHjhzosF8ZH.png" alt="" /></p>
261
262<p>To see the disassembly of <code>main</code>, seek to <code>0x7aa</code> in the output of the script we’d written earlier (<code>disas1.py</code>).</p>
263
264<p>From what we discovered earlier, each <code>call</code> instruction points to some function which we can see from the relocation entries. So following each <code>call</code> into their relocations gives us this</p>
265
266<pre><code>printf 0x650
267fgets  0x660
268strcmp 0x670
269malloc 0x680
270</code></pre>
271
272<p>Putting all this together, things start falling into place. Let me highlight the key sections of the disassembly here. It’s pretty self-explanatory.</p>
273
274<pre><code>0x7b2: mov edi, 0xa  ; 10
2750x7b7: call 0x680    ; malloc
276</code></pre>
277
278<p>The loop to populate the <code>*pw</code> string</p>
279
280<pre><code>0x7d0:  mov     eax, dword ptr [rbp - 0x14]
2810x7d3:  cdqe    
2820x7d5:  lea     rdx, [rax - 1]
2830x7d9:  mov     rax, qword ptr [rbp - 0x10]
2840x7dd:  add     rax, rdx
2850x7e0:  movzx   eax, byte ptr [rax]
2860x7e3:  lea     ecx, [rax + 1]
2870x7e6:  mov     eax, dword ptr [rbp - 0x14]
2880x7e9:  movsxd  rdx, eax
2890x7ec:  mov     rax, qword ptr [rbp - 0x10]
2900x7f0:  add     rax, rdx
2910x7f3:  mov     edx, ecx
2920x7f5:  mov     byte ptr [rax], dl
2930x7f7:  add     dword ptr [rbp - 0x14], 1
2940x7fb:  cmp     dword ptr [rbp - 0x14], 8
2950x7ff:  jle     0x7d0
296</code></pre>
297
298<p>And this looks like our <code>strcmp()</code></p>
299
300<pre><code>0x843:  mov     rdx, qword ptr [rbp - 0x10] ; *in
3010x847:  mov     rax, qword ptr [rbp - 8]    ; *pw
3020x84b:  mov     rsi, rdx             
3030x84e:  mov     rdi, rax
3040x851:  call    0x670                       ; strcmp  
3050x856:  test    eax, eax                    ; is = 0? 
3060x858:  jne     0x868                       ; no? jump to 0x868
3070x85a:  lea     rdi, [rip + 0xae]           ; "haha yes!" 
3080x861:  call    0x640                       ; puts
3090x866:  jmp     0x874
3100x868:  lea     rdi, [rip + 0xaa]           ; "nah dude"
3110x86f:  call    0x640                       ; puts  
312</code></pre>
313
314<p>I’m not sure why it uses <code>puts</code> here? I might be missing something; perhaps <code>printf</code> calls <code>puts</code>. I could be wrong. I also confirmed with radare2 that those locations are actually the strings “haha yes!” and “nah dude”.</p>
315
316<p><strong>Update</strong>: It&#8217;s because of compiler optimization. A <code>printf()</code> (in this case) is seen as a bit overkill, and hence gets simplified to a <code>puts()</code>.</p>
317
318<h3 id="conclusion">Conclusion</h3>
319
320<p>Wew, that took quite some time. But we’re done. If you’re a beginner, you might find this extremely confusing, or probably didn’t even understand what was going on. And that’s okay. Building an intuition for reading and grokking disassembly comes with practice. I’m no good at it either.</p>
321
322<p>All the code used in this post is here: <a href="https://github.com/icyphox/asdf/tree/master/reversing-elf">https://github.com/icyphox/asdf/tree/master/reversing-elf</a></p>
323
324<p>Ciao for now, and I’ll see ya in #2 of this series — PE binaries. Whenever that is.</p>
325 
326    </div>
327    <hr />
328    <p class="muted">Questions or comments? Open an issue at <a href="https://github.com/icyphox/site">this repo</a>, or send a plain-text email to <a href="mailto:icyph0x@pm.me">icyph0x@pm.me</a>.</p>
329    <footer>
330      <img src="https://licensebuttons.net/p/zero/1.0/80x15.png">
331    </footer>
332  </body>
333  </div>
334 </html>