Objdump
objdump is a standard component of the GNU binutils. It is useful for obtaining all kinds of information from an ELF file. This page describes some of its more common reverse engineering applications.
Objdump is a command-line program for displaying various information about object files on Unix-like operating systems. For instance, it can be used as a disassembler to view an executable in assembly form.
(If you prefer the Win32 platform, you may find the tool dumpbin.exe there (shipped with Visual Studio), which offers similar functionality.)
Installation
If you have a standard C/C++ development environment set up on your Linux box, you ought to already have the GNU binutils installed. Type 'objdump' to find out. If it's not there, then you probably need to install the development toolchain for your system. This version of objdump will know how to take apart files built for your particular CPU architecture.
If you want to take apart ELF files compiled for a different architecture, you will need to compile a new copy of the binutils for a separate architecture target:
- get the official binutils distribution: http://www.gnu.org/software/binutils/
- unpack it and enter the binutils directory
- ./configure --target=<arch> --prefix=<directory> --program-prefix=<prefix>
- make && make install
About the configure options:
- <arch> is the architecture to build for. Examine the file bfd/config.bfd to get an idea of what targets are available. As an example of what the target should look like, the target for PowerPC processor code stored in an ELF file is powerpc-elf.
- <directory> is the base directory for the new binutils toolchain to be stored in. It helps to keep this separate from the native toolchain.
- <prefix> indicates the prefix string that should be prepended to each of the tools on installation. For example, if the program prefix is 'powerpc-' then the built objdump tool will be named powerpc-objdump.
Common Usage
objdump requires that you supply at least one option. Here are some of the more interesting options for RE:
To disassemble an executable ELF file:
To disassemble a shared object (.so) ELF file:
The -R option is invaluable for dealing with relocatable code. Without it, there will be a lot of calls that appear to call back to the same location, e.g.:
The actual address will be patched in by the OS when the file is loaded. However, the -R option asks objdump to insert information about the dynamic relocation:
Another useful option available for x86-targeted builds of objdump is the -Mintel option. This asks objdump to use Intel ASM syntax vs. AT&T syntax:
Note the difference in the mov instruction syntax.
To disassemble code from a static library (.a) vs. a shared library (.so) while printing relocation information, use the -r option vs. the -R option.
When dealing with code that was compiled from C++ source and still retains its symbols, those symbols will be mangled. For example:
To demangle, use the -C option (which allows for a number of demangling options, GNU convention being the default). The above example is demangled to:
The standard -d option only disassembles sections of an ELF file that are suspected to contain executable code, usually the .text sections. In order to see other sections that might contain data (e.g., .rodata sections), use the -D option to disassemble all sections, regardless of whether they have legitimate code chunks. Often, they will not and the disassembly will be bogus. But the raw data bytes can be inspected. Further, use the -z option to print long blocks of zeros which objdump would otherwise omit by default:
To put it all together, this command line disassembles all sections of a static library, demangles C++ names, patches in relocation information, shows all blocks of zeros, and prints the disassembly using Intel-standard ASM syntax:
Name
objdump - display information from object files.
Synopsis
objdump [-a|--archive-headers]
        [-b bfdname|--target=bfdname]
        [-C|--demangle[=style] ]
        [-d|--disassemble]
        [-D|--disassemble-all]
        [-z|--disassemble-zeroes]
        [-EB|-EL|--endian={big | little }]
        [-f|--file-headers]
        [-F|--file-offsets]
        [--file-start-context]
        [-g|--debugging]
        [-e|--debugging-tags]
        [-h|--section-headers|--headers]
        [-i|--info]
        [-j section|--section=section]
        [-l|--line-numbers]
        [-S|--source]
        [-m machine|--architecture=machine]
        [-M options|--disassembler-options=options]
        [-p|--private-headers]
        [-r|--reloc]
        [-R|--dynamic-reloc]
        [-s|--full-contents]
        [-W[lLiaprmfFsoR]|--dwarf[=rawline,=decodedline,=info,=abbrev,=pubnames,=aranges,=macro,=frames,=frames-interp,=str,=loc,=Ranges]]
        [-G|--stabs]
        [-t|--syms]
        [-T|--dynamic-syms]
        [-x|--all-headers]
        [-w|--wide]
        [--start-address=address]
        [--stop-address=address]
        [--prefix-addresses]
        [--[no-]show-raw-insn]
        [--adjust-vma=offset]
        [--special-syms]
        [--prefix=prefix]
        [--prefix-strip=level]
        [--insn-width=width]
        [-V|--version]
        [-H|--help]
        objfile...
Description
objdump displays information about one or more object files. The options control what particular information to display. This information is mostly useful to programmers who are working on the compilation tools, as opposed to programmers who just want their program to compile and work.
objfile... are the object files to be examined. When you specify archives, objdump shows information on each of the member object files.
Options
The long and short forms of options, shown here as alternatives, are equivalent. At least one option from the list -a, -d, -D, -e, -f, -g, -G, -h, -H, -p, -r, -R, -s, -S, -t, -T, -V, -x must be given.
For example, displays summary information from the section headers (-h) of fu.o, which is explicitly identified (-m) as a VAX object file in the format produced by Oasys compilers. You can list the formats available with the -i option.
If the target is an ARM architecture this switch also has the effect of forcing the disassembler to decode pieces of data found in code sections as if they were instructions.
-EL
File segments may be relocated to nonstandard addresses, for example by using the -Ttext, -Tdata, or -Tbss options to ld. However, some object file formats, such as a.out, do not store the starting address of the file segments. In those situations, although ld relocates the sections correctly, using objdump -h to list the file section headers cannot show the correct addresses. Instead, it shows the usual addresses, which are implicit for the target.
If the target is an ARM architecture then this switch has an additional effect. It restricts the disassembly to only those instructions supported by the architecture specified by machine. If it is necessary to use this switch because the input file does not contain any architecture information, but it is also desired to disassemble all the instructions, use -marm.
If the target is an ARM architecture then this switch can be used to select which register name set is used during disassembly. Specifying -M reg-names-std (the default) will select the register names as used in ARM's instruction set documentation, but with register 13 called 'sp', register 14 called 'lr' and register 15 called 'pc'. Specifying -M reg-names-apcs will select the name set used by the ARM Procedure Call Standard, whilst specifying -M reg-names-raw will just use r followed by the register number.
There are also two variants on the APCS register naming scheme enabled by -M reg-names-atpcs and -M reg-names-special-atpcs which use the ARM/Thumb Procedure Call Standard naming conventions (either with the normal register names or the special register names).
This option can also be used for ARM architectures to force the disassembler to interpret all instructions as Thumb instructions by using the switch --disassembler-options=force-thumb. This can be useful when attempting to disassemble Thumb code produced by other compilers.
For the x86, some of the options duplicate functions of the -m switch, but allow finer grained control. Multiple selections from the following may be specified as a comma separated string. x86-64, i386 and i8086 select disassembly for the given architecture. intel and att select between Intel syntax mode and AT&T syntax mode. intel-mnemonic and att-mnemonic select between Intel mnemonic mode and AT&T mnemonic mode. intel-mnemonic implies intel and att-mnemonic implies att. addr64, addr32, addr16, data32 and data16 specify the default address size and operand size. These four options will be overridden if x86-64, i386 or i8086 appear later in the option string. Lastly, suffix, when in AT&T mode, instructs the disassembler to print a mnemonic suffix even when the suffix could be inferred by the operands.
For PowerPC, booke controls the disassembly of BookE instructions. 32 and 64 select PowerPC and PowerPC64 disassembly, respectively. e300 selects disassembly for the e300 family. 440 selects disassembly for the PowerPC 440. ppcps selects disassembly for the paired single instructions of the PPC750CL.
For MIPS, this option controls the printing of instruction mnemonic names and register names in disassembled instructions. Multiple selections from the following may be specified as a comma separated string, and invalid options are ignored:
For VAX, you can specify function entry addresses with -M entry:0xf00ba. You can use this multiple times to properly disassemble VAX binary files that don't contain symbol tables (like ROM dumps). In these cases, the function entry mask would otherwise be decoded as VAX instructions, which would probably lead to the rest of the function being wrongly disassembled.
The other common output format, usually seen with ELF based files, looks like this: Here the first number is the symbol's value (sometimes referred to as its address). The next field is actually a set of characters and spaces indicating the flag bits that are set on the symbol. These characters are described below. Next is the section with which the symbol is associated, or *ABS* if the section is absolute (i.e. not connected with any section), or *UND* if the section is referenced in the file being dumped, but not defined there.
After the section name comes another field, a number, which for common symbols is the alignment and for other symbols is the size. Finally the symbol's name is displayed.
The flag characters are divided into 7 groups as follows:
'l'
'g'
'u'
'!'
The symbol is a local (l), global (g), unique global (u), neither global nor local (a space) or both global and local (!). A symbol can be neither local nor global for a variety of reasons, e.g., because it is used for debugging, but it is probably an indication of a bug if it is ever both local and global. Unique global symbols are a GNU extension to the standard set of ELF symbol bindings. For such a symbol the dynamic linker will make sure that in the entire process there is just one symbol with this name and type in use.
'w'
The symbol is weak (w) or strong (a space).
'C'
The symbol denotes a constructor (C) or an ordinary symbol (a space).
'W'
The symbol is a warning (W) or a normal symbol (a space). A warning symbol's name is a message to be displayed if the symbol following the warning symbol is ever referenced.
'I'
'i'
The symbol is an indirect reference to another symbol (I), a function to be evaluated during reloc processing (i) or a normal symbol (a space).
'd'
'D'
The symbol is a debugging symbol (d) or a dynamic symbol (D) or a normal symbol (a space).
'F'
'f'
'O'
The symbol is the name of a function (F) or a file (f) or an object (O) or just a normal symbol (a space).
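The flag layout above lends itself to a small parser. The following is an added example, not part of the original page or of binutils: it decodes constructed `objdump -t` lines for a 64-bit ELF object into the seven flag groups and lists the symbols the object references but does not define (its external dependencies), a quick triage check when looking at an unfamiliar binary.

```python
import re

# Constructed sample of `objdump -t` output (header lines included so skip logic is exercised)
SAMPLE = "\n".join([
    "a.out:     file format elf64-x86-64",
    "SYMBOL TABLE:",
    "0000000000000000 l    df *ABS*\t0000000000000000              main.c",
    "0000000000001139 g     F .text\t0000000000000026              main",
    "0000000000004010 g     O .bss\t0000000000000004              counter",
    "0000000000000000  w      *UND*\t0000000000000000              __gmon_start__",
    "0000000000000000       F *UND*\t0000000000000000              puts@GLIBC_2.2.5",
])

# value (8 or 16 hex digits), space, exactly 7 flag chars, space, section, size, name
SYM_RE = re.compile(r"^([0-9a-f]{8}(?:[0-9a-f]{8})?) (.{7}) (\S+)\s+([0-9a-f]+)\s*(.*)$")

BINDING = {"l": "local", "g": "global", "u": "unique global",
           "!": "local and global", " ": "neither"}
SYMTYPE = {"F": "function", "f": "file", "O": "object", " ": "normal"}

def decode_flags(flags):
    """Decode the 7 flag groups: binding, weak, ctor, warning, indirect, debug/dyn, type."""
    return {
        "binding": BINDING[flags[0]],
        "weak": flags[1] == "w",
        "constructor": flags[2] == "C",
        "warning": flags[3] == "W",
        "indirect": flags[4] == "I",
        "reloc_func": flags[4] == "i",   # function evaluated during reloc processing
        "debugging": flags[5] == "d",
        "dynamic": flags[5] == "D",
        "type": SYMTYPE[flags[6]],
    }

def parse_symbol_table(text):
    """Return one dict per symbol line; 'file format', 'SYMBOL TABLE:' and blank lines are skipped."""
    symbols = []
    for line in text.splitlines():
        m = SYM_RE.match(line)
        if not m:
            continue
        value, flags, section, size, name = m.groups()
        symbols.append({"value": int(value, 16), "section": section,
                        "size": int(size, 16), "name": name, **decode_flags(flags)})
    return symbols

def undefined_symbols(symbols):
    """Symbols referenced but not defined here (*UND*): the object's external dependencies."""
    return [s["name"] for s in symbols if s["section"] == "*UND*"]
```

Feeding it the real output of `objdump -t` on an ELF object works the same way; the regex also accepts the 8-digit values of 32-bit objects.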
-T
does not exist, or cannot be read, then the option will be treated literally, and not removed. Options in file are separated by whitespace. A whitespace character may be included in an option by surrounding the entire option in either single or double quotes. Any character (including a backslash) may be included by prefixing the character to be included with a backslash. The file may itself contain additional @file options; any such options will be processed recursively.
See Also
nm(1), readelf(1), and the Info entries for binutils.
Copyright
Copyright © 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, Inc.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled 'GNU Free Documentation License'.