This is an open ended question, but essentially, I wrote a program in x86 assembly and compiled it to an executable. I accidentally ran the command cp program program.s while attempting to move files around, and I overwrote my asm source code with the binary. I am trying to recover the source file in its original form
I want to note that I also am working in a wsl linux environment and using vscode, and so maybe it's possible to directly recover the file through other ways, like I don't know if vscode saves some kind of cache in case this happens, and please let me know if this train of thought is viable, but I figure my best bet is to disassemble the binary.
I know I can do objdump -d program and get the assembly, but it is not in gas form, and there are a lot of other information in this output, so it would be a lot of manual labor to recover the original .s file with the output of this command. Are there any other ways to better disassemble an exe into the original assembly file?
Thanks
Related
Edit: The actual problem is with the method by which the binary is updated and isn't due to an issue with gdb. Please see the answer below for details.
Original question:
Somewhat recently, I can no longer compile a program while gdb is running the program and stopped at a breakpoint. Trying to write to the binary again will result in a "text file busy" error.
This is on Ubuntu 16.04 LTS 64-bit, kernel 4.4.0-75.
I don't think I'm looking for the right thing, as a few searches for "gdb text file busy" or similar isn't yielding any results. The gdb manual specifically mentions this behavior (compile again while running gdb) is supported and indeed I have done this many times previously.
Would appreciate any pointers on what has changed and how to prevent this from happening.
Some further searching indicates this excellent post https://unix.stackexchange.com/a/188041/10847 which explains that the method by which the binary is updated is relevant here. In this case, the build system is copying the binary using cp a b which will fail. cp -f a b will delete b, then overwrite with a, allowing gdb to continue debugging the old binary while the new one is written to disk.
for example, i've got a uboot copy and compiled it with a target platform. but i dont have the hardware and debug tool to run the step by step debug.
so, I wonder is there a GUI tool(win/linux) can load these source and elf file ,then i can read the 'compiled c code'.
Use IDA PRO + Hex-Rays decompiler.
Additionally one can use Ghidra. It also is equipped with decompiler.
It will give you not the exact C program but what it would try to do to reconstruct C source from the assembly. It is actually not that bad in doing that but it's not a cheap solution.
You can run objdump -d -M intel path/to/CompiledCprogram in the terminal window to read the compiled program in assembly code from the main: section in the assembly code.
Other than that, you may not able to do much about an already compiled C program.
The Wikipedia page on Core dump says
In Unix-like systems, core dumps generally use the standard executable
image-format:
a.out in older versions of Unix,
ELF in modern Linux, System V, Solaris, and BSD systems,
Mach-O in OS X, etc.
Does this mean a core dump is executable by itself? If not, why not?
Edit: Since #WumpusQ.Wumbley mentions a coredump_filter in a comment, perhaps the above question should be: can a core dump be produced such that it is executable by itself?
In older unix variants it was the default to include the text as well as data in the core dump but it was also given in the a.out format and not ELF. Today's default behavior (in Linux for sure, not 100% sure about BSD variants, Solaris etc.) is to have the core dump in ELF format without the text sections but that behavior can be changed.
However, a core dump cannot be executed directly in any case without some help. The reason for that is that there are two things missing from a simple core file. One is the entry point, the other is code to restore the CPU state to the state at or just before the dump occurred (by default also the text sections are missing).
In AIX there used to be a utility called undump but I have no idea what happened to it. It doesn't exist in any standard Linux distribution I know of. As mentioned above (#WumpusQ) there's also an attempt at a similar project for Linux mentioned in above comments, however this project is not complete and doesn't restore the CPU state to the original state. It is, however, still good enough in some specific debugging cases.
It is also worth mentioning that there exist other ELF formatted files that cannot be executes as well which are not core files. Such as object files (compiler output) and .so (shared object) files. Those require a linking stage before being run to resolve external addresses.
I emailed this question the creator of the undump utility for his expertise, and got the following reply:
As mentioned in some of the answers there, it is possible to include
the code sections by setting the coredump_filter, but it's not the
default for Linux (and I'm not entirely sure about BSD variants and
Solaris). If the various code sections are saved in the original
core-dump, there is really nothing missing in order to create the new
executable. It does, however, require some changes in the original
core file (such as including an entry point and pointing that entry
point to code that will restore CPU registers). If the core file is
modified in this way it will become an executable and you'll be able
to run it. Unfortunately, though, some of the states are not going to
be saved so the new executable will not be able to run directly. Open
files, sockets, pips, etc are not going to be open and may even point
to other FDs (which could cause all sorts of weird things). However,
it will most probably be enough for most debugging tasks such running
small functions from gdb (so that you don't get a "not running an
executable" stuff).
As other guys said, I don't think you can execute a core dump file without the original binary.
In case you're interested to debug the binary (and it has debugging symbols included, in other words it is not stripped) then you can run gdb binary core.
Inside gdb you can use bt command (backtrace) to get the stack trace when the application crashed.
I have a .exe which is compiled from a combination of .for (fortran), and .c source files.
It does not run on anything later than Win98, due to an error with the graphics server:
“access violation error in User 32.dll at Ox7e4467a9”
Unless there is some other way around the above error (?), I assume I have to recompile the .exe from source using a more modern graphics server. I have all the files to do this bar one .lib file!
Is it possible to pull any info on the missing lib file out of the current .exe I have?
It is possible to dis-assemble the .exe, but I don't think I gain much from this?
You probably can't "cut" the lib file from an executable. Even if you could somehow get the code from it, standard compilers and linker wouldn't know how to link against it, since it won't have the linking information needed (they are not included in the result binary).
However, if your problem is that your program works on Win98, but doesn't run on NT-based systems (XP, Vista, Win7), I think it would be easier to find out, what incompatibility is there that crashes the program. You mentioned that the access violation occurs in user32.dll. Start your program inside a debugger, take a look at which function the crash occurs. Make sure you have your PDB symbols loaded (so you can see names of internal non-public functions). Trace down which Win32 API is called and what are its parameters. Try to figure out, what should be at the memory that cannot be accessed.
Also without any other information, it's impossible to help you with that.
Once integrated into an image file (your exe), a library (your .lib) which is statically bound to an application (which is done by your linker) cannot be separated, differentiated from your own code, and thus, one cannot retrieve the code from a lib by decompiling the exe.
Until now I've always used resources under MSVC++ to get access to raw data from inside of my programs and I've never worked with a linker directly, but now I'm under Linux and I'm using a cross-compiler to produce elf files. A friend and I are working on a toy OS.
One thing we need to get accomplished at some point is for a rather large piece of arbitrary raw data to be linked into the executable. We want the data to be located near the end of the executable and need to be able to get a pointer to that raw data as well. It's probably worth noting that GRUB is loading the kernel into memory at boot time.
One of our previous ideas was to just write a program to convert the data into a C source file where the data was represented as an array of bytes, but we figure that's a little bit messy and we'd rather have it linked in directly.
Any insights? I don't need the gruesome details just a broad overview of what needs to be done. I figure we probably have to make some changes to our linker script.
Take a look at calling objdump --add-section after you complete the link to add the arbitrary data to the ELF file.
Alternatively, if you are writing a kernel, you can do what Linux does to load an initrd and just have GRUB load your kernel and then load the data seperately to a known memory location and access it that way.