Stripping in Reverse Engineering: A Concept Overview with Code Example

Stripping is a technique applied to a compiled binary to remove non-essential metadata, typically the symbol table, debugging information, and similar data that the program does not need at run time. This reduces the file size and makes the executable harder for reverse engineers to understand or analyze, because the names that would otherwise label functions and variables are gone.

For instance, in Linux, symbols in an ELF (Executable and Linkable Format) file provide function names and variable details, making debugging and reverse engineering easier. Stripping these symbols creates a leaner binary, which is harder to reverse engineer.


Purpose of Stripping

  1. Security: Prevent attackers from easily identifying the purpose of functions or variables in the binary.

  2. Size Reduction: Eliminate unused data to reduce the binary's footprint.

  3. Optimization: Improve performance by removing unnecessary information.


Code Example: Stripping in Linux

Here’s an example of how to strip a binary using Linux tools:

Creating and Stripping a Binary

1. Compile a C Program with Debug Symbols:

// hello.c
#include <stdio.h>

void greet() {
    printf("Hello, Reverse Engineer!\n");
}

int main() {
    greet();
    return 0;
}

Compile the program with debug symbols:

gcc -g -o hello hello.c

  2. Check Symbols in the Binary:

Use the nm command to inspect symbols:

nm hello
0000000000001149 T greet
000000000000115b T main
...

This shows symbols like greet and main.

  3. Strip the Binary:

Use the strip command to remove symbols:

strip hello

  4. Verify Stripped Binary:

Re-run the nm command:

nm hello

Output:

nm: hello: no symbols

Reverse Engineering Challenge After Stripping

Once stripped, tools like Ghidra, IDA Pro, or objdump can still disassemble and decompile the binary, but understanding the code becomes much harder without symbols: functions appear as anonymous addresses rather than names. Reverse engineers must rely on heuristic analysis, dynamic tracing, and informed guesswork.


Python Example: Analyzing Stripped Binary

A Python script using pwntools to analyze a stripped binary:

from pwn import *

# Load the binary
binary = ELF('hello')

# `strip` removes the .symtab section (together with .strtab and .debug_*).
# ELF.symbols in pwntools also lists dynamic symbols and PLT/GOT entries, so a
# bare truthiness check on it is not a reliable stripped/unstripped test;
# check for the section that strip actually removes instead.
if binary.get_section_by_name('.symtab') is not None:
    print("Symbols:", binary.symbols)
else:
    print("No symbols found. The binary is stripped.")

Output after stripping:

No symbols found. The binary is stripped.
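To make concrete what the strip procedure above removes, and what the pwntools check is really testing for, here is an added example that is not part of the original article. It parses the ELF64 section header table with only the Python standard library and reports which of the relevant sections are present: `.symtab` and `.strtab` (the static symbol table that `nm` reads and `strip` discards), `.debug_*` (what `gcc -g` adds), and `.dynsym` (the dynamic symbol table, which `strip` keeps because the loader needs it, so imported names such as printf remain visible in a stripped, dynamically linked binary). The two section lists and the `build_elf` helper are constructed inputs that imitate the layout of the hello binary before and after stripping; the script also accepts a real file path on the command line. The `nm: hello: no symbols` message corresponds exactly to the `.symtab` section being absent.

```python
import struct
import sys

# ELF64 little-endian layouts (from the ELF specification): 64-byte file header,
# 64-byte section header.  Field order matters for the unpack indices used below.
ELF_MAGIC = b"\x7fELF"
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # e_ident .. e_shstrndx
SHDR = struct.Struct("<IIQQQQIIQQ")         # sh_name .. sh_entsize
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB, SHT_DYNSYM = 1, 2, 3, 11


def section_names(data: bytes) -> list:
    """Return the section names of a little-endian ELF64 image, in header order."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = EHDR.unpack_from(data, 0)
    e_shoff, e_shentsize, e_shnum, e_shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    if e_shoff == 0 or e_shnum == 0:
        return []  # no section header table at all (e.g. after sstrip)
    shdrs = [SHDR.unpack_from(data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    # .shstrtab holds the NUL-terminated names; sh_offset/sh_size are fields 4 and 5.
    strtab = shdrs[e_shstrndx]
    table = data[strtab[4]:strtab[4] + strtab[5]]
    names = []
    for sh in shdrs:
        end = table.index(b"\0", sh[0])
        names.append(table[sh[0]:end].decode())
    return names


def strip_report(data: bytes) -> dict:
    """Report what `strip` removes (.symtab/.strtab/.debug_*) and what survives (.dynsym)."""
    names = section_names(data)
    return {
        "has_symtab": ".symtab" in names,
        "has_dynsym": ".dynsym" in names,
        "has_debug_info": any(n.startswith(".debug_") for n in names),
        "stripped": ".symtab" not in names,
    }


def build_elf(names: list) -> bytes:
    """Constructed test image: ELF header, .shstrtab, then the section header table.
    Only the names and types are meaningful; no code or program headers are emitted."""
    names = [".shstrtab"] + names
    table = bytearray(b"\0")
    name_off = {}
    for n in names:
        name_off[n] = len(table)
        table += n.encode() + b"\0"
    table_off = EHDR.size
    shoff = table_off + len(table)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    ehdr = EHDR.pack(ident, 2, 0x3E, 1, 0, 0, shoff, 0, EHDR.size,
                     0, 0, SHDR.size, len(names) + 1, 1)   # e_shstrndx = 1
    kinds = {".shstrtab": SHT_STRTAB, ".strtab": SHT_STRTAB,
             ".symtab": SHT_SYMTAB, ".dynsym": SHT_DYNSYM}
    shdrs = bytearray(SHDR.pack(*([0] * 10)))              # index 0: reserved null header
    for n in names:
        off, size = (table_off, len(table)) if n == ".shstrtab" else (0, 0)
        shdrs += SHDR.pack(name_off[n], kinds.get(n, SHT_PROGBITS), 0, 0, off, size, 0, 0, 1, 0)
    return ehdr + bytes(table) + bytes(shdrs)


# Constructed section lists: roughly what `gcc -g` produces, and what `strip` leaves.
UNSTRIPPED = [".text", ".dynsym", ".dynstr", ".symtab", ".strtab", ".debug_info", ".debug_line"]
STRIPPED = [".text", ".dynsym", ".dynstr"]

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # e.g. python3 check_strip.py ./hello
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], strip_report(f.read()))
    else:
        for label, secs in (("unstripped", UNSTRIPPED), ("stripped", STRIPPED)):
            print(label, strip_report(build_elf(secs)))
```

Run without arguments it reports on the two constructed images; run with a path it inspects a real binary. The `has_dynsym` field is the useful caveat for anyone relying on stripping as a defence: a stripped but dynamically linked program still exposes every imported library function by name through `.dynsym`, which is why the pwntools `ELF.symbols` dictionary is not empty after `strip`.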

Conclusion

Stripping is a straightforward yet effective technique to hinder reverse engineering efforts. While it doesn’t make a binary entirely secure, it increases the time and resources required to analyze it, adding a layer of obfuscation.

Understanding stripping is crucial for both software developers aiming to protect their applications and reverse engineers working to analyze software for security or research purposes.