Hagok

Reputation: 19

How can I find out if this code is encrypted or compiled and then reverse engineer it?

I want to see the code of a file; it is either encrypted or compiled and I can't find out which one it is. The code is probably C, but I can't even find a C decompiler. I can see two types of code: one is when I open it with Sublime Text and it shows some numbers and letters in columns, and the other is when I open it with Visual Studio Code and it shows some unknown characters with some normal text that isn't code that would be compiled (ex: text that it should print). The Visual Studio Code output can't be pasted here, but I found something interesting that maybe will help: "GCC: (Ubuntu 4.8.4-2ubuntu1~14.04.3) 4.8.4"

Sublime Text code sample:

7f45 4c46 0201 0100 0000 0000 0000 0000
0200 3e00 0100 0000 d00a 4000 0000 0000
4000 0000 0000 0000 2822 0000 0000 0000
0000 0000 4000 3800 0900 4000 1e00 1b00
0600 0000 0500 0000 4000 0000 0000 0000
4000 4000 0000 0000 4000 4000 0000 0000
f801 0000 0000 0000 f801 0000 0000 0000
0800 0000 0000 0000 0300 0000 0400 0000
3802 0000 0000 0000 3802 4000 0000 0000
3802 4000 0000 0000 1c00 0000 0000 0000
1c00 0000 0000 0000 0100 0000 0000 0000
0100 0000 0500 0000 0000 0000 0000 0000
0000 4000 0000 0000 0000 4000 0000 0000
bc18 0000 0000 0000 bc18 0000 0000 0000
0000 2000 0000 0000 0100 0000 0600 0000
101e 0000 0000 0000 101e 6000 0000 0000
101e 6000 0000 0000 e002 0000 0000 0000
3067 0000 0000 0000 0000 2000 0000 0000
0200 0000 0600 0000 281e 0000 0000 0000
281e 6000 0000 0000 281e 6000 0000 0000

Upvotes: 0

Views: 303

Answers (1)

inverzeio

Reputation: 555

You are viewing a GCC-compiled ELF Linux executable file's hexdump, based on the start of the file (magic number). It is not an encrypted file in itself, but it may use cryptographic functions.

Depending on the OS you are using, you can try Ghidra, IDA or GDB (for debugging assembly code; you should, however, first know whether the file is safe to actually run).

As an RE starter, I would recommend installing Ghidra, as it can give you C-like pseudocode, helping you to understand what the binary is doing, which libraries it is using, etc.

If you want to learn more, try taking an RE course, or play around writing very small C programs, compiling and debugging them, and trying, for instance, reading coreutils:

https://github.com/coreutils/coreutils/blob/master/src/whoami.c

and compare it with the binaries, for instance (showing you some tools helping with RE, but omitting most of the output):

$ cat /usr/bin/whoami | less
$ xxd /usr/bin/whoami | less
$ xxd -b /usr/bin/whoami | less
$ readelf -a /usr/bin/whoami
$ file /usr/bin/whoami
/usr/bin/whoami: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), .....
$ man elf
$ objdump -d /usr/bin/whoami | less
$ binwalk /pathto/yourfile

You can also read more about the ELF file format:

https://linuxhint.com/understanding_elf_file_format/

Upvotes: 1
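The answer's identification rests on the first four bytes (7f 45 4c 46, the ELF magic), but the 320 bytes the questioner pasted hold the whole ELF64 file header and the first four complete program headers, which is enough to tell a compiled binary from an opaque encrypted blob and to read off the entry point, segment layout and permissions without running anything. The following is an added example, written for this page and not code from the question, the answer or any tool they mention; it feeds the question's own hexdump (copied verbatim into the constant below) through a small ELF64 parser built from the field layout in `man 5 elf`, adds a byte-entropy check as the generic test for "is this encrypted or compressed data", and handles the fact that the dump stops part-way through the program-header table. Names such as `parse_elf64`, `entry_segment` and `classify` are this example's own.

```python
"""Added example: is this blob an ELF executable or opaque data, and what does
its ELF64 header say?  Field layout follows man 5 elf (Elf64_Ehdr, Elf64_Phdr).
The input is the hexdump posted in the question; no other data is assumed."""
import math
import struct
from collections import Counter

# The 20 hexdump rows from the question, verbatim: the first 320 bytes of the file.
HEXDUMP_FROM_QUESTION = """
7f45 4c46 0201 0100 0000 0000 0000 0000
0200 3e00 0100 0000 d00a 4000 0000 0000
4000 0000 0000 0000 2822 0000 0000 0000
0000 0000 4000 3800 0900 4000 1e00 1b00
0600 0000 0500 0000 4000 0000 0000 0000
4000 4000 0000 0000 4000 4000 0000 0000
f801 0000 0000 0000 f801 0000 0000 0000
0800 0000 0000 0000 0300 0000 0400 0000
3802 0000 0000 0000 3802 4000 0000 0000
3802 4000 0000 0000 1c00 0000 0000 0000
1c00 0000 0000 0000 0100 0000 0000 0000
0100 0000 0500 0000 0000 0000 0000 0000
0000 4000 0000 0000 0000 4000 0000 0000
bc18 0000 0000 0000 bc18 0000 0000 0000
0000 2000 0000 0000 0100 0000 0600 0000
101e 0000 0000 0000 101e 6000 0000 0000
101e 6000 0000 0000 e002 0000 0000 0000
3067 0000 0000 0000 0000 2000 0000 0000
0200 0000 0600 0000 281e 0000 0000 0000
281e 6000 0000 0000 281e 6000 0000 0000
"""

ELF_MAGIC = b"\x7fELF"
EI_CLASS = {1: "ELF32", 2: "ELF64"}
EI_DATA = {1: "little-endian", 2: "big-endian"}
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {0x03: "x86", 0x28: "ARM", 0x3e: "x86-64", 0xb7: "AArch64"}
P_TYPE = {0: "NULL", 1: "LOAD", 2: "DYNAMIC", 3: "INTERP", 4: "NOTE", 6: "PHDR", 7: "TLS"}


def hexdump_to_bytes(text: str) -> bytes:
    """Turn space-separated hex groups (Sublime / xxd -p style) back into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 is what encrypted or compressed data looks like;
    headers and machine code sit far lower because of all the zero padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def perm_string(p_flags: int) -> str:
    """PF_R=4, PF_W=2, PF_X=1, rendered like readelf's Flags column."""
    return ("r" if p_flags & 4 else "-") + ("w" if p_flags & 2 else "-") + ("x" if p_flags & 1 else "-")


def parse_elf64(data: bytes) -> dict:
    """Parse the ELF64 file header plus every program header the data fully contains."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("no ELF magic at offset 0: %r" % data[:4])
    if data[4] != 2:
        raise ValueError("only ELF64 (EI_CLASS=2) is handled in this example")
    endian = "<" if data[5] == 1 else ">"
    # Fields after the 16-byte e_ident, in Elf64_Ehdr order (48 bytes, no padding).
    (e_type, e_machine, _e_version, e_entry, e_phoff, e_shoff, _e_flags,
     _e_ehsize, e_phentsize, e_phnum, _e_shentsize, e_shnum, e_shstrndx) = \
        struct.unpack(endian + "HHIQQQIHHHHHH", data[16:64])
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 56 > len(data):      # the dump ends mid-table: keep only complete entries
            break
        p_type, p_flags, p_offset, p_vaddr, _p_paddr, p_filesz, p_memsz, p_align = \
            struct.unpack(endian + "IIQQQQQQ", data[off:off + 56])
        phdrs.append({"type": P_TYPE.get(p_type, hex(p_type)), "perm": perm_string(p_flags),
                      "offset": p_offset, "vaddr": p_vaddr, "filesz": p_filesz,
                      "memsz": p_memsz, "align": p_align})
    return {"class": EI_CLASS[data[4]], "endian": EI_DATA.get(data[5], "?"),
            "type": E_TYPE.get(e_type, hex(e_type)), "machine": E_MACHINE.get(e_machine, hex(e_machine)),
            "entry": e_entry, "phoff": e_phoff, "shoff": e_shoff, "phnum": e_phnum,
            "shnum": e_shnum, "shstrndx": e_shstrndx, "phdrs": phdrs,
            "phdrs_truncated": len(phdrs) < e_phnum}


def entry_segment(info: dict):
    """The LOAD segment holding the entry point; a packer typically moves it out of .text."""
    for seg in info["phdrs"]:
        if seg["type"] == "LOAD" and seg["vaddr"] <= info["entry"] < seg["vaddr"] + seg["memsz"]:
            return seg
    return None


def classify(data: bytes) -> str:
    """Cheap triage: a known magic beats any statistic; no magic plus high entropy
    is the usual signature of encryption or compression."""
    if data[:4] == ELF_MAGIC:
        return "ELF"
    return "opaque/high-entropy" if shannon_entropy(data) > 7.0 else "unknown/low-entropy"


if __name__ == "__main__":
    blob = hexdump_to_bytes(HEXDUMP_FROM_QUESTION)
    info = parse_elf64(blob)
    print(classify(blob), info["class"], info["endian"], info["type"], info["machine"],
          "entry=0x%x entropy=%.2f bits/byte" % (info["entry"], shannon_entropy(blob)))
    for seg in info["phdrs"]:
        print("  %-8s %s off=0x%-5x vaddr=0x%x filesz=0x%x memsz=0x%x" % (
            seg["type"], seg["perm"], seg["offset"], seg["vaddr"], seg["filesz"], seg["memsz"]))
    if info["phdrs_truncated"]:
        print("  (dump ends before all %d program headers)" % info["phnum"])
```

On the question's bytes this reports an ELF64, little-endian, EXEC (not a PIE) for x86-64 with the entry point at 0x400ad0, nine program headers of which four are complete in the dump (PHDR, INTERP, an r-x LOAD at 0x400000 and an rw- LOAD at 0x601e10), and the entry point inside the executable LOAD segment, which is what a plain GCC build looks like; the same header read is what `readelf -h` and `readelf -l` from the answer print in full. The entropy of these 320 bytes is well under 3 bits per byte, nowhere near the ~8 of ciphertext, so the "encrypted" hypothesis can be dropped before opening a disassembler.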
