How reverse a stripped binary (Find the main function)

Question

I'm learning the reverse, and I'm trying to reverse a stripped binary (flag: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped). I manage to go to the entry address that points to the _start function. But impossible to know where is libc_start_main (for locate main).

_start: https://ibb.co/nDpQyvv

sub_44a770: https://ibb.co/dK74pG5

sub_44a560: https://ibb.co/7S76m7t

All your advice is good, if you have articles on the subject, I'm interested. Thank you

Here's what you can try in radare2 https://hackmd.io/ghwjAcW-Qnqux6Kq_sRURQ#r2-strip — sudhackar, Jun 03 '19 at 16:44

score 2 · Accepted Answer · answered May 27 '19 at 06:40

Try to find libc_start_main with its signature (the types of its arguments), this is what we do when everything has been stripped out.

And, this is most likely sub_44a705. Look at the value of rdi at the start of the function and you should find main().

How reverse a stripped binary (Find the main function)

1 Answers1