How does objdump disassemble an ELF binary?


objdump shows the disassembled code because that's its job. It knows the format of the executable file. Executables are not just a straight sequence of instructions: they have structure. Executables typically start with a header containing various metadata and are organized in sections. Dynamically linked executables necessarily contain enough information for the dynamic linker, so they must indicate what symbols the executable needs and an indication of where those symbols will be loaded so that the program can find them when it runs.

For example, most Unix systems use ELF (other formats exist). If objdump detects an ELF binary (by checking the magic number at the beginning of the file), it parses the file header, which lets it know where the program header and the section tables are located. Each section contains an indication of what type of content it contains. objdump further parses each section according to its type. When it sees a section that's supposed to contain code, it runs a disassembler on it.

Disassembly is fairly simple in principle: code is a list of instructions, and disassembly is just translating from a binary representation of instructions to a textual one. The disassembler just takes the instructions in order. In practice, things can be more complicated on architectures where instructions have a variable size, and because data can be embedded in code sections. objdump generally works on “normal” executables, but may not produce sensible output on binaries that have been deliberately obfuscated.

objdump does not perform any static analysis. It just does a direct parsing and translation; it doesn't do any analysis of what the instructions mean.

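As an added illustration of the parsing steps the answer describes (this is example code, not part of the original post or of objdump), the script below checks the ELF magic number, reads the ELF64 file header to locate the section header table, resolves section names through `.shstrtab`, and picks out the sections flagged `SHF_EXECINSTR`, which are the ones a disassembler would be run on. It assumes a little-endian ELF64 image and uses a small hand-constructed image rather than a compiled binary.

```python
import struct

ELF_MAGIC = b"\x7fELF"
SHT_PROGBITS, SHT_STRTAB = 1, 3
SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR = 0x1, 0x2, 0x4

def list_sections(data):
    """Parse a little-endian ELF64 image and return one
    (name, sh_type, sh_flags, sh_offset, sh_size) tuple per section header."""
    if data[:4] != ELF_MAGIC:                      # magic number check, as objdump does
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:               # EI_CLASS == ELFCLASS64, EI_DATA == little-endian
        raise ValueError("only ELF64 little-endian is handled here")
    # Elf64_Ehdr after e_ident: type, machine, version, entry, phoff, shoff,
    # flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    hdr = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    shoff, shentsize, shnum, shstrndx = hdr[5], hdr[10], hdr[11], hdr[12]
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize)
             for i in range(shnum)]                # Elf64_Shdr: name,type,flags,addr,off,size,...
    strtab_off = shdrs[shstrndx][4]                # .shstrtab holds the section names
    def name(idx):
        end = data.index(b"\0", strtab_off + idx)
        return data[strtab_off + idx:end].decode()
    return [(name(sh[0]), sh[1], sh[2], sh[4], sh[5]) for sh in shdrs]

def code_sections(data):
    """Sections a disassembler would be run on: those flagged SHF_EXECINSTR.
    Returns (name, file_offset, raw_bytes) for each."""
    return [(n, off, data[off:off + size]) for n, _, flags, off, size
            in list_sections(data) if flags & SHF_EXECINSTR]

def build_sample_elf():
    """Constructed minimal ELF64 image (not a real compiled binary): null section,
    .text, .data and .shstrtab, with no program headers."""
    code = bytes.fromhex("b83c000000 31ff 0f05")   # x86-64: mov eax,60; xor edi,edi; syscall
    rodata = b"hello\0"
    shstrtab = b"\0.text\0.data\0.shstrtab\0"       # name offsets: 1, 7, 13
    text_off = 64                                  # directly after the 64-byte Elf64_Ehdr
    data_off = text_off + len(code)
    str_off = data_off + len(rodata)
    shoff = str_off + len(shstrtab)                # section header table goes last
    def shdr(name, typ, flags, off, size):
        return struct.pack("<IIQQQQIIQQ", name, typ, flags, 0, off, size, 0, 0, 1, 0)
    shdrs = (shdr(0, 0, 0, 0, 0)
             + shdr(1, SHT_PROGBITS, SHF_ALLOC | SHF_EXECINSTR, text_off, len(code))
             + shdr(7, SHT_PROGBITS, SHF_ALLOC | SHF_WRITE, data_off, len(rodata))
             + shdr(13, SHT_STRTAB, 0, str_off, len(shstrtab)))
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000 + text_off,
                                 0, shoff, 0, 64, 56, 0, 64, 4, 3)
    return ehdr + code + rodata + shstrtab + shdrs
```

Running `code_sections(build_sample_elf())` yields only `.text`; `.data` is PROGBITS too, but without the executable flag a disassembler is not run on it.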


Author: Mustakimur Khandaker

Hi, I am Dr. Mustakimur Rahman Khandaker. I am an assistant professor in the Department of Computer Science at the University of Georgia.

Updated on September 18, 2022

Comments

  • Mustakimur Khandaker, almost 2 years ago

    I have a quick question. I have generated an ELF binary from C code using the following command:

    gcc -o simple simple.c
    

    Then I do objdump for that ELF binary:

    objdump --disassemble-all simple
    

    I have checked my directory with ls -a and there is no .o file there. My question is still: how does objdump show me the full disassembled code? Does objdump do static analysis on the binary to cover all the code?