Reversing a real-world 249 bytes backdoor (anee.me)
57 points by reader_1000 on Dec 22, 2019 | 6 comments


I'm not too advanced in reversing, but how was gdb not able to find the entry point? Is finding the entry point that difficult?


Hey I am the author of the blogpost. I have been reversing for a couple of years.

Usually, GDB just parses the ELF header to get the entry point. `info file` in gdb should give you the entry point of the binary almost always. In this case however the program has a corrupted section header, due to which gdb is not able to recognize the entry point. I don't exactly know which bytes in the header were corrupted, but apparently radare2 is able to get the entry point without much work. Should be fun to investigate more.


When you say it was undetected on VirusTotal, I suspect you really mean it was unknown, i.e. hadn't been submitted. Currently it has 3 scans and detections from the first.

2019-12-22T12:41:28 11/59

2019-12-22T19:19:28 13/60

2019-12-23T14:37:22 16/60


Thank you for your response. This was a very interesting blog post and I plan on reading more of your posts.


No, it should be easy to get the entry point since it's defined in the ELF file header. The author simply tried to look for the `_start` symbol, which failed because the binary doesn't contain any symbol information (also the entry point doesn't have to be named `_start`, it's just a convention).
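The point made in the two replies above (the entry point lives in the fixed-size ELF file header, so neither the section header table nor a `_start` symbol is needed to read it) can be checked directly. The following is an added example, not code from the blog post or the thread: it parses `e_entry` from the file header only, flags a section header table that cannot fit in the file (the kind of corruption that trips up section-based tools), and runs against a constructed 64-bit header with deliberately garbage section header fields. Function names and the sample header are the author-of-this-example's own.

```python
import struct
import sys

def build_sample_header(entry=0x401000, corrupt_shdrs=True):
    """Constructed 64-byte ELF64 little-endian header (not a real binary).
    With corrupt_shdrs=True the section-header offset/count are garbage."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, LE, EV_CURRENT
    e_shoff = 0xFFFFFFFFFFFFFFFF if corrupt_shdrs else 0
    e_shnum = 0xFFFF if corrupt_shdrs else 0
    return e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1,        # e_type=ET_EXEC, e_machine=EM_X86_64, e_version
        entry,             # e_entry: what we want, at offset 24
        64, e_shoff, 0,    # e_phoff, e_shoff, e_flags
        64, 56, 1,         # e_ehsize, e_phentsize, e_phnum
        64, e_shnum, 0,    # e_shentsize, e_shnum, e_shstrndx
    )

def elf_entry_point(data):
    """Return e_entry straight from the ELF file header.
    Only the first 64 bytes are consulted: no section headers, no symbols."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"          # ELFDATA2LSB=1, ELFDATA2MSB=2
    if ei_class == 2:                              # ELFCLASS64: 8-byte e_entry at 24
        (entry,) = struct.unpack_from(endian + "Q", data, 24)
    elif ei_class == 1:                            # ELFCLASS32: 4-byte e_entry at 24
        (entry,) = struct.unpack_from(endian + "I", data, 24)
    else:
        raise ValueError("unknown ELF class")
    return entry

def section_table_plausible(data):
    """True if the section header table lies inside the file.
    False is the sort of corruption that makes tools which walk section
    headers (e.g. to look up a `_start` symbol) give up, while e_entry is unaffected."""
    endian = "<" if data[5] == 1 else ">"
    if data[4] == 2:
        (shoff,) = struct.unpack_from(endian + "Q", data, 40)
        shentsize, shnum = struct.unpack_from(endian + "HH", data, 58)
    else:
        (shoff,) = struct.unpack_from(endian + "I", data, 32)
        shentsize, shnum = struct.unpack_from(endian + "HH", data, 46)
    return shnum == 0 or shoff + shentsize * shnum <= len(data)

if __name__ == "__main__":
    # Pass a path to inspect a real file; otherwise use the constructed header.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_header()
    print("entry point: 0x%x" % elf_entry_point(blob))
    print("section table plausible:", section_table_plausible(blob))
```

On the constructed sample this reports entry point 0x401000 even though the section table is flagged as implausible, which is the situation the thread describes.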


Isn't the entry point determined by the operating system (`_start` on Linux, if I remember correctly)?



