[vox-tech] late night musings: stripping

Mitch Patenaude vox-tech@lists.lugod.org
Thu, 26 Feb 2004 08:49:54 -0800


Hi Pete,


The difference you're seeing is one of debugging information vs. symbol 
table.

The symbol table is used during linking, and contains the addresses of 
function entry points and global variables.  gdb can use this to decode 
the stack frames to tell what the call stack is, but can't give you 
more detailed information.

The debugging info will tell you much more, since it will allow gdb to 
tie the PC to the source, so you can see what source line is actually 
executing.  It will also give symbolic access to local automatic and 
static variables, as well as allow the debugger to display more 
complicated data structures intelligently.

The -g option only gives minimal information.  Better to use -ggdb.

As for disabling copy protection/license checking/etc.... You're 
right..though you need to set the appropriate return value as well, and 
cracked versions of programs much use that technique.  However, the 
developers know that, and they take steps to make this more difficult.  
It starts with stripping the executable, burying the check deep in a 
library somewhere, and making more than one check.  There are bunches 
of other techniques as well...

   -- Mitch

On Thursday, Feb 26, 2004, at 06:08 US/Pacific, Peter Jay Salzman wrote:

> there's no point to this post, other than to share some things i found
> interesting while playing around with some code last night.
>
>
>
> here's some code that i compiled WITHOUT an enhanced symbol table:
>
>
>    #include <stdio.h>
>    void myfunction(void);
>
>    int main(void)
>    {
>       myfunction();
>       return 0;
>    }
>
>
>    void myfunction(void)
>    {
>       printf("hello world\n");
>    }
>
>
> i can still set a breakpoint at main, since that's a libc thing.  every
> program has a main function, even ones that don't have a main function
> are given a main function (like fortran):
>
>    (gdb) break main
>    Breakpoint 1 at 0x804836a
>    (gdb) run
>    Starting program: /home/p/stuff/hello2
>
>    Breakpoint 1, 0x0804836a in main ()
>    (gdb) stepi
>    0x0804836d in main ()
>    (gdb)
>    0x08048372 in main ()
>    (gdb)
>    0x08048374 in main ()
>    (gdb)
>    0x08048380 in myfunction ()
>    (gdb)
>    0x08048381 in myfunction ()
>    (gdb)
>    0x08048383 in myfunction ()
>    (gdb)
>    0x08048386 in myfunction ()
>    (gdb)
>    0x0804838d in myfunction ()
>    (gdb)
>    0x08048288 in printf ()
>    ...
>
>
> i found it odd that gdb has any concept of what i name my functions when
> i don't specify -g.  but it obviously does:
>
>    (gdb) info functions
>    All defined functions:
>
>    Non-debugging symbols:
>    0x08048250  _init
>    0x08048278  __libc_start_main
>    0x08048288  printf
>    0x080482c4  call_gmon_start
>    0x080482f0  __do_global_dtors_aux
>    0x08048330  frame_dummy
>    0x08048364  main
>    0x08048380  myfunction
>    0x080483a0  __libc_csu_init
>    0x08048400  __libc_csu_fini
>    0x08048450  __i686.get_pc_thunk.bx
>    0x08048460  __do_global_ctors_aux
>    0x08048490  _fini
>
> although i didn't compile the function with "-g", file reports the
> executable as unstripped:
>
>    p@satan$ file hello2
>    hello2: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for
>    GNU/Linux 2.2.0, dynamically linked (uses shared libs), not stripped
>
> so let's strip it:
>
>    p@satan$ strip hello2
>
> function names are gone:
>
>    p@satan$ gdb hello2
>    (no debugging symbols found)...(gdb)
>    (gdb) info functions
>    All defined functions:
>
>    Non-debugging symbols:
>    0x08048278  __libc_start_main
>    0x08048288  printf
>
>
> i'm not sure what stripped is, but my little experiment certainly hints
> at what it is.
>
> i have mathematica installed on my system (legally).  it is statically
> linked and unstripped.
>
> i also have the intel fortran compiler on my system (legally).  it is
> unstripped and dynamically linked.  it's also protected by a license
> manager called flexlm (which i've had many bad experiences with.  i've
> had other software (legally) where flexlm decided to stop working out of
> the blue, and at the worst possible moments).  it SHOULD be possible to
> be able to step through compiler, figure out the flexlm function that
> grants access to the program and NOP it out.
>
> not that i would do that.  i believe this would be illegal under the
> DMCA.  and i have the compiler installed on my system legally.  but it
> is an interesting thought.
>
> yet another thing to put on my google/reading list....
>
> pete
>
> ps- the intel compiler / debugger is non-free (it's free as in beer, not
> free as in liberty) but very good.  i've been able to get DDD to use
> intel's debugger (idb) as a backend.  it's not perfect, but it works
> well enough.
>
> although it doesn't "support" debian, i was able to install it within
> minutes.  a combination of "alien" and looking at some bash scripts to
> discover where certain directories are made it a snap to install.
>
> -- 
> Make everything as simple as possible, but no simpler.  -- Albert Einstein
> GPG Instructions: http://www.dirac.org/linux/gpg
> GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
>
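Added example, not part of either message: the three states discussed in this thread (built without -g, built with -g, and stripped) can be told apart by which ELF sections are present. The sketch below parses ELF32 little-endian section headers and reports the linker symbol table, the dynamic symbol table (which is why `printf` and `__libc_start_main` remain visible after `strip`), and debug sections; the three images are constructed, header-only samples and all function names are hypothetical.

```python
import struct

SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB, SHT_DYNSYM = 1, 2, 3, 11

def build_elf32(sections):
    """Constructed sample: ELF32 little-endian headers only, no real code."""
    sections = sections + [(".shstrtab", SHT_STRTAB)]
    strtab, offs = b"\0", []
    for name, _ in sections:
        offs.append(len(strtab))
        strtab += name.encode() + b"\0"
    shnum = len(sections) + 1                      # +1 for the null section
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", 2, 3, 1,
                       0, 0, 52 + len(strtab), 0, 52, 0, 0, 40, shnum, shnum - 1)
    shdrs = bytes(40)
    for (name, sh_type), off in zip(sections, offs):
        last = name == ".shstrtab"
        shdrs += struct.pack("<10I", off, sh_type, 0, 0, 52 if last else 0,
                             len(strtab) if last else 0, 0, 0, 0, 0)
    return ehdr + strtab + shdrs

def read_sections(data):
    """Return [(name, sh_type)] for every section header in the image."""
    if data[:6] != b"\x7fELF\x01\x01":
        raise ValueError("this sketch handles ELF32 little-endian only")
    (shoff,) = struct.unpack_from("<I", data, 32)
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 46)
    hdrs = [struct.unpack_from("<10I", data, shoff + i * shentsize) for i in range(shnum)]
    base = hdrs[shstrndx][4]                       # file offset of .shstrtab
    out = []
    for h in hdrs:
        start = base + h[0]
        out.append((data[start:data.index(b"\0", start)].decode(), h[1]))
    return out

def classify(data):
    secs = read_sections(data)
    return {
        "symtab": any(t == SHT_SYMTAB for _, t in secs),   # linker symbols; strip removes
        "dynsym": any(t == SHT_DYNSYM for _, t in secs),   # imports/exports; strip keeps
        "debug_info": any(n.startswith(".debug_") for n, _ in secs),  # from -g
    }

BASE = [(".text", SHT_PROGBITS), (".dynsym", SHT_DYNSYM)]
SYMS = [(".symtab", SHT_SYMTAB), (".strtab", SHT_STRTAB)]
PLAIN = build_elf32(BASE + SYMS)                   # like gcc without -g
DEBUG = build_elf32(BASE + SYMS + [(".debug_info", SHT_PROGBITS)])  # like gcc -g
STRIPPED = build_elf32(BASE)                       # like after strip
for label, img in (("plain", PLAIN), ("-g", DEBUG), ("stripped", STRIPPED)):
    print(label, classify(img))
```

On a real binary, `readelf -S` lists the same section names and types.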