Objdump: Difference between revisions

objdump is a standard component of the GNU binutils. It is useful for obtaining all kinds of information from an ELF file. This page describes some of its more common reverse engineering applications

Installation

If you have a standard C/C++ development environment set up on your Linux box, you ought to already have the GNU binutils installed. Type 'objdump' to find out. If it's not there, then you probably need to install the development toolchain for your system. This version of objdump will know how to take apart files built for your particular CPU architecture.

If you want to take apart ELF files compiled for a different architecture, you will need to compile a new copy of the binutils for a separate architecture target:

• get the official binutils distribution: http://www.gnu.org/software/binutils/
• unpack and enter binutils directory
• ./configure --target=<arch> --prefix=<directory> --program-prefix=<prefix>
• make && make install

About the configure options:

• <arch> is the architecture to build for. Examine the file bfd/config.bfd to get an idea of what targets are available. As an example of what the target should look like, the target for PowerPC processor code stored in an ELF file is powerpc-elf.
• <directory> is the base directory for the new binutils toolchain to be stored in. It helps to keep this separate from the native toolchain.
• <prefix> indicates the prefix string that should be prepended to each of the tools on installation. For example, if the program prefix is "powerpc-" then the built objdump tool will be named powerpc-objdump.

Common Usage

objdump requires that you supply at least some parameter. Here are some of the more interesting options for RE:

 -d, --disassemble        Display assembler contents of executable sections
 -D, --disassemble-all    Display assembler contents of all sections
 -T, --dynamic-syms       Display the contents of the dynamic symbol table
 -r, --reloc              Display the relocation entries in the file
 -R, --dynamic-reloc      Display the dynamic relocation entries in the file

To disassemble an executable ELF file:

 objdump -d <binary>

To disassemble a shared object (.so) ELF file:

 objdump -dr <library.so>

The -r option is invaluable for dealing with relocatable code. Without it, there will be a lot of calls that appear to call back to the same location, e.g.:

   5752:       e8 fc ff ff ff          call   5753 <free@plt+0xb3>
   5757:       89 c3                   mov    %eax,%ebx

The actual address will be patched in by the OS when the file is loaded. However, the -r option asks objdump to insert information about the relocation:

   5752:       e8 fc ff ff ff          call   5753 <free@plt+0xb3>
                       5753: R_386_PC32        malloc
   5757:       89 c3                   mov    %eax,%ebx

Another useful option available for x86-targeted builds of objdump is the -Mintel option. This asks objdump to use Intel ASM syntax vs. AT&T syntax:

 objdump -dr -Mintel <library.so>

   5752:       e8 fc ff ff ff          call   5753 <free@plt+0xb3>
                       5753: R_386_PC32        malloc
   5757:       89 c3                   mov    ebx,eax

Note the difference in the mov instruction syntax.