
I'm doing a really easy crackmes exercise (https://crackmes.one/crackme/5e4ec05c33c5d4439bb2dbea) and I can't figure out what the binary is doing because functions have extremely weird names.

Here's a small fragment of the main function disassembly code.

...
   0x000000000040102b <+25>:    cmpl   $0x1,-0x84(%rbp)
   0x0000000000401032 <+32>:    jle    0x40107b <main+105>
   0x0000000000401034 <+34>:    mov    $0x401750,%esi
   0x0000000000401039 <+39>:    mov    $0x602200,%edi
   0x000000000040103e <+44>:    callq  0x400e30 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt>
   0x0000000000401043 <+49>:    mov    $0x400ec0,%esi
   0x0000000000401048 <+54>:    mov    %rax,%rdi
   0x000000000040104b <+57>:    callq  0x400ea0 <_ZNSolsEPFRSoS_E@plt>
   0x0000000000401050 <+62>:    mov    $0x401780,%esi
   0x0000000000401055 <+67>:    mov    $0x602200,%edi
   0x000000000040105a <+72>:    callq  0x400e30 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt>
...

How should I approach this code?

julian
sbluff

2 Answers

Those are C++ mangled names. Some tools like Ghidra will automatically demangle them for you. If you want to see what the function should be named, try:

c++filt _ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc

in your shell to see the demangled name.

multithr3at3d
Melody
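As an added illustration of what those names actually encode (my own example, not code from the question, the answers or the crackme): a small Python parser for a subset of the Itanium C++ ABI name mangling, enough to decode the second symbol in the question, `_ZNSolsEPFRSoS_E`. It assumes a `_ZN...E` nested name and renders the fixed `So`/`St` abbreviations in their short typedef form (`std::ostream`) rather than the fully expanded `std::basic_ostream<char, std::char_traits<char> >` that c++filt prints; template arguments (`I...E`, as in the first symbol) are out of scope and raise an error.

```python
BUILTIN = {"v": "void", "b": "bool", "c": "char", "i": "int", "l": "long", "d": "double"}
OPERATORS = {"ls": "operator<<", "rs": "operator>>", "pl": "operator+", "eq": "operator=="}
ABBREV = {"t": "std", "s": "std::string", "i": "std::istream", "o": "std::ostream"}

def demangle(symbol):
    buf, subs = list(symbol[3:]), []  # assumes the "_ZN" prefix; subs: S_/S<n>_ back-reference table
    def take(n=1):  # consume and return the next n characters
        return "".join(buf.pop(0) for _ in range(n))
    def component():  # <unqualified-name>: "<len><identifier>" or a two-letter operator code
        digits = ""
        while buf[0].isdigit():
            digits += buf.pop(0)
        return take(int(digits)) if digits else OPERATORS[take(2)]  # KeyError: unknown operator
    def substitution():  # after "S": So/St/... are fixed; "_" = subs[0], "<base36>_" = subs[n+1]
        if buf[0] in ABBREV:
            return ABBREV[buf.pop(0)]
        seq, _ = take(buf.index("_")), take()
        return subs[int(seq, 36) + 1 if seq else 0]
    def nested_name():  # components up to "E"; every proper prefix becomes a candidate
        parts = []
        while buf[0] != "E":
            sub = buf[0] == "S" and take()  # abbreviations and back-references add no candidate
            parts.append(substitution() if sub else component())
            if not sub and buf[0] != "E":
                subs.append("::".join(parts))
        take()
        return "::".join(parts)

    def type_():
        c = take()
        if c in BUILTIN or c == "S":  # neither a builtin nor a back-reference is (re)added
            return BUILTIN[c] if c in BUILTIN else substitution()
        if c in "PRK":
            inner, mark = type_(), {"P": "*", "R": "&", "K": " const"}[c]
            t = inner.replace("{}", mark.strip() + "{}") if "{}" in inner else inner + mark
        elif c == "F":  # "F <return> <param>* E"; "{}" marks the declarator slot: ret (*)(args)
            ret, params = type_(), []
            while buf[0] != "E":
                params.append(type_())
            take()
            t = f"{ret} ({{}})({', '.join(params)})"
        else:
            raise ValueError("unsupported type code " + c)  # e.g. "I": template arguments
        subs.append(t)
        return t

    name, params = nested_name(), []
    while buf:
        params.append(type_())
    return f"{name}({'' if params == ['void'] else ', '.join(params)})".replace("{}", "")
```

The `S_`/`S<n>_` back-references are what make these names unreadable by eye: `S5_` in the first symbol means "the seventh substitution candidate seen so far", so it can only be resolved after everything before it has been parsed.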

Though objdump is a good utility, I would recommend using some better utilities to disassemble, like radare2, ghidra or idafree70.

But if you would prefer objdump, pass it the -C command to demangle those names.

E:\5e4ec05c33c5d4439bb2dbea>f:\msys64\usr\bin\objdump.exe --start-address=0x401012 --stop-address=0x401043 -M intel -d -C Sh4ll10.1.bin

Sh4ll10.1.bin:     file format elf64-x86-64


Disassembly of section .text:

0000000000401012 <main>:
  401012:       55                      push   rbp
  401013:       48 89 e5                mov    rbp,rsp
  401016:       53                      push   rbx
  401017:       48 81 ec 88 00 00 00    sub    rsp,0x88
  40101e:       89 bd 7c ff ff ff       mov    DWORD PTR [rbp-0x84],edi
  401024:       48 89 b5 70 ff ff ff    mov    QWORD PTR [rbp-0x90],rsi
  40102b:       83 bd 7c ff ff ff 01    cmp    DWORD PTR [rbp-0x84],0x1
  401032:       7e 47                   jle    40107b <main+0x69>
  401034:       be 50 17 40 00          mov    esi,0x401750 
  401039:       bf 00 22 60 00          mov    edi,0x602200
  40103e:       e8 ed fd ff ff          call   400e30 <std::basic_ostream<char, std::char_traits<char> >& std::operator<< <std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*)@plt>
auspicious99
blabb