Removing assembly instructions from ELF

Question

I am working on an obfuscated binary as a part of a crackme challenge. It has got a sequence of push, pop and nop instructions (which repeats for thousands of times). Functionally, these chunks do not have any effect on the program. But, they make generation of CFGs and the process of reversing, very hard.

There are solutions on how to change the instructions to nop so that I can remove them. But in my case, I would like to completely strip off those instructions, so that I can get a better view of the CFG. If instructions are stripped off, I understand that the memory offsets must be modified too. As far as I could see, there were no tools available to achieve this directly.

I am using IDA Pro evaluation version. I am open to solutions using other reverse engineering frameworks too. It is preferable, if it is scriptable.

I went through a similar question but, the proposed solution is not applicable in my case.

Answer 1

I would like to completely strip off those instructions ... I understand that the memory offsets must be modified too ...

In general, this is practically impossible:

1. If the binary exports any dynamic symbols, you would have to update the .dynsym (these are probably the offsets you are thinking of).

2. You would have to find every statically-assigned function pointer, and update it with the new address, but there is no effective way to find such pointers.

3. Computed GOTOs and switch statements create function pointer tables even when none are present in the program source.

4. As Peter Cordes pointed out, it's possible to write programs that use delta between two assembly labels, and use such deltas (small immediate values directly encoded into instructions) to control program flow.

It's possible that your target program is free from all of the above complications, but spending much effort on a technique that only works for that one program seems wasteful.