traversing an elf binary ?
Posted: Mon Apr 02, 2012 12:56 pm
I wrote a simple ELF32 executable and wanted to understand the flow of the code.
objdump -D -M intel hello //note: this disassembles all the sections, including the non-code sections
which gives this
Using objdump -s etc., I found that the starting address is, lo and behold, the <_start>
function in the .text section.
To make things a little more readable I will disassemble just the code sections
using objdump -d -M intel hello
gives a subset of the above
My problem is this: going through the code,
_start does some setup and pushes 3 important addresses on the stack,
one of them being the address of main, and then calls
which goes here:
My problem is that it does a jmp DWORD PTR ds:0x804a004 — where is this going? I can't see what is in ds:0x804a004 when I do a full objdump -D. (That address falls inside the .got.plt section, which the full dump above does include.)
So, more generally, my trouble is understanding the disassembled functions of the .plt section: with those 3 jmp parts (or 3 functions) I just lose track of the flow.
I am assuming the ds:0x804a004 pointers etc. point into an external library, but I don't know where these library functions return you to in your code when they are finished.
objdump -D -M intel hello //note: this disassembles all the sections, including the non-code sections
which gives this
hello: file format elf32-i386
Disassembly of section .interp:
08048134 <.interp>:
8048134: 2f das
8048135: 6c ins BYTE PTR es:[edi],dx
8048136: 69 62 2f 6c 64 2d 6c imul esp,DWORD PTR [edx+0x2f],0x6c2d646c
804813d: 69 6e 75 78 2e 73 6f imul ebp,DWORD PTR [esi+0x75],0x6f732e78
8048144: 2e 32 00 xor al,BYTE PTR cs:[eax]
Disassembly of section .note.ABI-tag:
08048148 <.note.ABI-tag>:
8048148: 04 00 add al,0x0
804814a: 00 00 add BYTE PTR [eax],al
804814c: 10 00 adc BYTE PTR [eax],al
804814e: 00 00 add BYTE PTR [eax],al
8048150: 01 00 add DWORD PTR [eax],eax
8048152: 00 00 add BYTE PTR [eax],al
8048154: 47 inc edi
8048155: 4e dec esi
8048156: 55 push ebp
8048157: 00 00 add BYTE PTR [eax],al
8048159: 00 00 add BYTE PTR [eax],al
804815b: 00 02 add BYTE PTR [edx],al
804815d: 00 00 add BYTE PTR [eax],al
804815f: 00 06 add BYTE PTR [esi],al
8048161: 00 00 add BYTE PTR [eax],al
8048163: 00 0f add BYTE PTR [edi],cl
8048165: 00 00 add BYTE PTR [eax],al
...
Disassembly of section .note.gnu.build-id:
08048168 <.note.gnu.build-id>:
8048168: 04 00 add al,0x0
804816a: 00 00 add BYTE PTR [eax],al
804816c: 14 00 adc al,0x0
804816e: 00 00 add BYTE PTR [eax],al
8048170: 03 00 add eax,DWORD PTR [eax]
8048172: 00 00 add BYTE PTR [eax],al
8048174: 47 inc edi
8048175: 4e dec esi
8048176: 55 push ebp
8048177: 00 46 c8 add BYTE PTR [esi-0x38],al
804817a: 2e cs
804817b: aa stos BYTE PTR es:[edi],al
804817c: e8 ad 34 b4 fa call 2b8b62e <len+0x2b8b622>
8048181: 0f c6 c4 2d shufps xmm0,xmm4,0x2d
8048185: 33 b9 82 55 47 ad xor edi,DWORD PTR [ecx-0x52b8aa7e]
804818b: 6d ins DWORD PTR es:[edi],dx
Disassembly of section .gnu.hash:
0804818c <.gnu.hash>:
804818c: 02 00 add al,BYTE PTR [eax]
804818e: 00 00 add BYTE PTR [eax],al
8048190: 03 00 add eax,DWORD PTR [eax]
8048192: 00 00 add BYTE PTR [eax],al
8048194: 01 00 add DWORD PTR [eax],eax
8048196: 00 00 add BYTE PTR [eax],al
8048198: 05 00 00 00 00 add eax,0x0
804819d: 20 00 and BYTE PTR [eax],al
804819f: 20 00 and BYTE PTR [eax],al
80481a1: 00 00 add BYTE PTR [eax],al
80481a3: 00 03 add BYTE PTR [ebx],al
80481a5: 00 00 add BYTE PTR [eax],al
80481a7: 00 .byte 0x0
80481a8: ad lods eax,DWORD PTR ds:[esi]
80481a9: 4b dec ebx
80481aa: e3 c0 jecxz 804816c <len+0x8048160>
Disassembly of section .dynsym:
080481ac <.dynsym>:
...
80481bc: 01 00 add DWORD PTR [eax],eax
...
80481c6: 00 00 add BYTE PTR [eax],al
80481c8: 20 00 and BYTE PTR [eax],al
80481ca: 00 00 add BYTE PTR [eax],al
80481cc: 29 00 sub DWORD PTR [eax],eax
...
80481d6: 00 00 add BYTE PTR [eax],al
80481d8: 12 00 adc al,BYTE PTR [eax]
80481da: 00 00 add BYTE PTR [eax],al
80481dc: 1a 00 sbb al,BYTE PTR [eax]
80481de: 00 00 add BYTE PTR [eax],al
80481e0: 8c 84 04 08 04 00 00 mov WORD PTR [esp+eax*1+0x408],es
80481e7: 00 11 add BYTE PTR [ecx],dl
80481e9: 00 0f add BYTE PTR [edi],cl
...
Disassembly of section .dynstr:
080481ec <.dynstr>:
80481ec: 00 5f 5f add BYTE PTR [edi+0x5f],bl
80481ef: 67 6d ins DWORD PTR es:[di],dx
80481f1: 6f outs dx,DWORD PTR ds:[esi]
80481f2: 6e outs dx,BYTE PTR ds:[esi]
80481f3: 5f pop edi
80481f4: 73 74 jae 804826a <len+0x804825e>
80481f6: 61 popa
80481f7: 72 74 jb 804826d <len+0x8048261>
80481f9: 5f pop edi
80481fa: 5f pop edi
80481fb: 00 6c 69 62 add BYTE PTR [ecx+ebp*2+0x62],ch
80481ff: 63 2e arpl WORD PTR [esi],bp
8048201: 73 6f jae 8048272 <len+0x8048266>
8048203: 2e 36 00 5f 49 cs add BYTE PTR cs:ss:[edi+0x49],bl
8048208: 4f dec edi
8048209: 5f pop edi
804820a: 73 74 jae 8048280 <_init+0xc>
804820c: 64 69 6e 5f 75 73 65 imul ebp,DWORD PTR fs:[esi+0x5f],0x64657375
8048213: 64
8048214: 00 5f 5f add BYTE PTR [edi+0x5f],bl
8048217: 6c ins BYTE PTR es:[edi],dx
8048218: 69 62 63 5f 73 74 61 imul esp,DWORD PTR [edx+0x63],0x6174735f
804821f: 72 74 jb 8048295 <_init+0x21>
8048221: 5f pop edi
8048222: 6d ins DWORD PTR es:[edi],dx
8048223: 61 popa
8048224: 69 6e 00 47 4c 49 42 imul ebp,DWORD PTR [esi+0x0],0x42494c47
804822b: 43 inc ebx
804822c: 5f pop edi
804822d: 32 2e xor ch,BYTE PTR [esi]
804822f: 30 00 xor BYTE PTR [eax],al
Disassembly of section .gnu.version:
08048232 <.gnu.version>:
8048232: 00 00 add BYTE PTR [eax],al
8048234: 00 00 add BYTE PTR [eax],al
8048236: 02 00 add al,BYTE PTR [eax]
8048238: 01 00 add DWORD PTR [eax],eax
Disassembly of section .gnu.version_r:
0804823c <.gnu.version_r>:
804823c: 01 00 add DWORD PTR [eax],eax
804823e: 01 00 add DWORD PTR [eax],eax
8048240: 10 00 adc BYTE PTR [eax],al
8048242: 00 00 add BYTE PTR [eax],al
8048244: 10 00 adc BYTE PTR [eax],al
8048246: 00 00 add BYTE PTR [eax],al
8048248: 00 00 add BYTE PTR [eax],al
804824a: 00 00 add BYTE PTR [eax],al
804824c: 10 69 69 adc BYTE PTR [ecx+0x69],ch
804824f: 0d 00 00 02 00 or eax,0x20000
8048254: 3b 00 cmp eax,DWORD PTR [eax]
8048256: 00 00 add BYTE PTR [eax],al
8048258: 00 00 add BYTE PTR [eax],al
...
Disassembly of section .rel.dyn:
0804825c <.rel.dyn>:
804825c: f0 9f lock lahf
804825e: 04 08 add al,0x8
8048260: 06 push es
8048261: 01 00 add DWORD PTR [eax],eax
...
Disassembly of section .rel.plt:
08048264 <.rel.plt>:
8048264: 00 a0 04 08 07 01 add BYTE PTR [eax+0x1070804],ah
804826a: 00 00 add BYTE PTR [eax],al
804826c: 04 a0 add al,0xa0
804826e: 04 08 add al,0x8
8048270: 07 pop es
8048271: 02 00 add al,BYTE PTR [eax]
...
Disassembly of section .init:
08048274 <_init>:
8048274: 55 push ebp
8048275: 89 e5 mov ebp,esp
8048277: 53 push ebx
8048278: 83 ec 04 sub esp,0x4
804827b: e8 00 00 00 00 call 8048280 <_init+0xc>
8048280: 5b pop ebx
8048281: 81 c3 74 1d 00 00 add ebx,0x1d74
8048287: 8b 93 fc ff ff ff mov edx,DWORD PTR [ebx-0x4]
804828d: 85 d2 test edx,edx
804828f: 74 05 je 8048296 <_init+0x22>
8048291: e8 1e 00 00 00 call 80482b4 <__gmon_start__@plt>
8048296: e8 d5 00 00 00 call 8048370 <frame_dummy>
804829b: e8 a0 01 00 00 call 8048440 <__do_global_ctors_aux>
80482a0: 58 pop eax
80482a1: 5b pop ebx
80482a2: c9 leave
80482a3: c3 ret
Disassembly of section .plt:
080482a4 <__gmon_start__@plt-0x10>:
80482a4: ff 35 f8 9f 04 08 push DWORD PTR ds:0x8049ff8
80482aa: ff 25 fc 9f 04 08 jmp DWORD PTR ds:0x8049ffc
80482b0: 00 00 add BYTE PTR [eax],al
...
080482b4 <__gmon_start__@plt>:
80482b4: ff 25 00 a0 04 08 jmp DWORD PTR ds:0x804a000
80482ba: 68 00 00 00 00 push 0x0
80482bf: e9 e0 ff ff ff jmp 80482a4 <_init+0x30>
080482c4 <__libc_start_main@plt>:
80482c4: ff 25 04 a0 04 08 jmp DWORD PTR ds:0x804a004
80482ca: 68 08 00 00 00 push 0x8
80482cf: e9 d0 ff ff ff jmp 80482a4 <_init+0x30>
Disassembly of section .text:
080482e0 <_start>:
80482e0: 31 ed xor ebp,ebp
80482e2: 5e pop esi
80482e3: 89 e1 mov ecx,esp
80482e5: 83 e4 f0 and esp,0xfffffff0
80482e8: 50 push eax
80482e9: 54 push esp
80482ea: 52 push edx
80482eb: 68 30 84 04 08 push 0x8048430
80482f0: 68 d0 83 04 08 push 0x80483d0
80482f5: 51 push ecx
80482f6: 56 push esi
80482f7: 68 a0 83 04 08 push 0x80483a0
80482fc: e8 c3 ff ff ff call 80482c4 <__libc_start_main@plt>
8048301: f4 hlt
8048302: 90 nop
8048303: 90 nop
8048304: 90 nop
8048305: 90 nop
8048306: 90 nop
8048307: 90 nop
8048308: 90 nop
8048309: 90 nop
804830a: 90 nop
804830b: 90 nop
804830c: 90 nop
804830d: 90 nop
804830e: 90 nop
804830f: 90 nop
08048310 <__do_global_dtors_aux>:
8048310: 55 push ebp
8048311: 89 e5 mov ebp,esp
8048313: 53 push ebx
8048314: 83 ec 04 sub esp,0x4
8048317: 80 3d 1c a0 04 08 00 cmp BYTE PTR ds:0x804a01c,0x0
804831e: 75 3f jne 804835f <__do_global_dtors_aux+0x4f>
8048320: a1 20 a0 04 08 mov eax,ds:0x804a020
8048325: bb 20 9f 04 08 mov ebx,0x8049f20
804832a: 81 eb 1c 9f 04 08 sub ebx,0x8049f1c
8048330: c1 fb 02 sar ebx,0x2
8048333: 83 eb 01 sub ebx,0x1
8048336: 39 d8 cmp eax,ebx
8048338: 73 1e jae 8048358 <__do_global_dtors_aux+0x48>
804833a: 8d b6 00 00 00 00 lea esi,[esi+0x0]
8048340: 83 c0 01 add eax,0x1
8048343: a3 20 a0 04 08 mov ds:0x804a020,eax
8048348: ff 14 85 1c 9f 04 08 call DWORD PTR [eax*4+0x8049f1c]
804834f: a1 20 a0 04 08 mov eax,ds:0x804a020
8048354: 39 d8 cmp eax,ebx
8048356: 72 e8 jb 8048340 <__do_global_dtors_aux+0x30>
8048358: c6 05 1c a0 04 08 01 mov BYTE PTR ds:0x804a01c,0x1
804835f: 83 c4 04 add esp,0x4
8048362: 5b pop ebx
8048363: 5d pop ebp
8048364: c3 ret
8048365: 8d 74 26 00 lea esi,[esi+eiz*1+0x0]
8048369: 8d bc 27 00 00 00 00 lea edi,[edi+eiz*1+0x0]
08048370 <frame_dummy>:
8048370: 55 push ebp
8048371: 89 e5 mov ebp,esp
8048373: 83 ec 18 sub esp,0x18
8048376: a1 24 9f 04 08 mov eax,ds:0x8049f24
804837b: 85 c0 test eax,eax
804837d: 74 12 je 8048391 <frame_dummy+0x21>
804837f: b8 00 00 00 00 mov eax,0x0
8048384: 85 c0 test eax,eax
8048386: 74 09 je 8048391 <frame_dummy+0x21>
8048388: c7 04 24 24 9f 04 08 mov DWORD PTR [esp],0x8049f24
804838f: ff d0 call eax
8048391: c9 leave
8048392: c3 ret
8048393: 90 nop
8048394: 90 nop
8048395: 90 nop
8048396: 90 nop
8048397: 90 nop
8048398: 90 nop
8048399: 90 nop
804839a: 90 nop
804839b: 90 nop
804839c: 90 nop
804839d: 90 nop
804839e: 90 nop
804839f: 90 nop
080483a0 <main>:
80483a0: ba 0c 00 00 00 mov edx,0xc
80483a5: b9 10 a0 04 08 mov ecx,0x804a010
80483aa: bb 01 00 00 00 mov ebx,0x1
80483af: b8 04 00 00 00 mov eax,0x4
80483b4: cd 80 int 0x80
80483b6: bb 00 00 00 00 mov ebx,0x0
80483bb: b8 01 00 00 00 mov eax,0x1
80483c0: cd 80 int 0x80
80483c2: 90 nop
80483c3: 90 nop
80483c4: 90 nop
80483c5: 90 nop
80483c6: 90 nop
80483c7: 90 nop
80483c8: 90 nop
80483c9: 90 nop
80483ca: 90 nop
80483cb: 90 nop
80483cc: 90 nop
80483cd: 90 nop
80483ce: 90 nop
80483cf: 90 nop
080483d0 <__libc_csu_init>:
80483d0: 55 push ebp
80483d1: 89 e5 mov ebp,esp
80483d3: 57 push edi
80483d4: 56 push esi
80483d5: 53 push ebx
80483d6: e8 5a 00 00 00 call 8048435 <__i686.get_pc_thunk.bx>
80483db: 81 c3 19 1c 00 00 add ebx,0x1c19
80483e1: 83 ec 1c sub esp,0x1c
80483e4: e8 8b fe ff ff call 8048274 <_init>
80483e9: 8d bb 20 ff ff ff lea edi,[ebx-0xe0]
80483ef: 8d 83 20 ff ff ff lea eax,[ebx-0xe0]
80483f5: 29 c7 sub edi,eax
80483f7: c1 ff 02 sar edi,0x2
80483fa: 85 ff test edi,edi
80483fc: 74 24 je 8048422 <__libc_csu_init+0x52>
80483fe: 31 f6 xor esi,esi
8048400: 8b 45 10 mov eax,DWORD PTR [ebp+0x10]
8048403: 89 44 24 08 mov DWORD PTR [esp+0x8],eax
8048407: 8b 45 0c mov eax,DWORD PTR [ebp+0xc]
804840a: 89 44 24 04 mov DWORD PTR [esp+0x4],eax
804840e: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]
8048411: 89 04 24 mov DWORD PTR [esp],eax
8048414: ff 94 b3 20 ff ff ff call DWORD PTR [ebx+esi*4-0xe0]
804841b: 83 c6 01 add esi,0x1
804841e: 39 fe cmp esi,edi
8048420: 72 de jb 8048400 <__libc_csu_init+0x30>
8048422: 83 c4 1c add esp,0x1c
8048425: 5b pop ebx
8048426: 5e pop esi
8048427: 5f pop edi
8048428: 5d pop ebp
8048429: c3 ret
804842a: 8d b6 00 00 00 00 lea esi,[esi+0x0]
08048430 <__libc_csu_fini>:
8048430: 55 push ebp
8048431: 89 e5 mov ebp,esp
8048433: 5d pop ebp
8048434: c3 ret
08048435 <__i686.get_pc_thunk.bx>:
8048435: 8b 1c 24 mov ebx,DWORD PTR [esp]
8048438: c3 ret
8048439: 90 nop
804843a: 90 nop
804843b: 90 nop
804843c: 90 nop
804843d: 90 nop
804843e: 90 nop
804843f: 90 nop
08048440 <__do_global_ctors_aux>:
8048440: 55 push ebp
8048441: 89 e5 mov ebp,esp
8048443: 53 push ebx
8048444: 83 ec 04 sub esp,0x4
8048447: a1 14 9f 04 08 mov eax,ds:0x8049f14
804844c: 83 f8 ff cmp eax,0xffffffff
804844f: 74 13 je 8048464 <__do_global_ctors_aux+0x24>
8048451: bb 14 9f 04 08 mov ebx,0x8049f14
8048456: 66 90 xchg ax,ax
8048458: 83 eb 04 sub ebx,0x4
804845b: ff d0 call eax
804845d: 8b 03 mov eax,DWORD PTR [ebx]
804845f: 83 f8 ff cmp eax,0xffffffff
8048462: 75 f4 jne 8048458 <__do_global_ctors_aux+0x18>
8048464: 83 c4 04 add esp,0x4
8048467: 5b pop ebx
8048468: 5d pop ebp
8048469: c3 ret
804846a: 90 nop
804846b: 90 nop
Disassembly of section .fini:
0804846c <_fini>:
804846c: 55 push ebp
804846d: 89 e5 mov ebp,esp
804846f: 53 push ebx
8048470: 83 ec 04 sub esp,0x4
8048473: e8 00 00 00 00 call 8048478 <_fini+0xc>
8048478: 5b pop ebx
8048479: 81 c3 7c 1b 00 00 add ebx,0x1b7c
804847f: e8 8c fe ff ff call 8048310 <__do_global_dtors_aux>
8048484: 59 pop ecx
8048485: 5b pop ebx
8048486: c9 leave
8048487: c3 ret
Disassembly of section .rodata:
08048488 <_fp_hw>:
8048488: 03 00 add eax,DWORD PTR [eax]
...
0804848c <_IO_stdin_used>:
804848c: 01 00 add DWORD PTR [eax],eax
804848e: 02 00 add al,BYTE PTR [eax]
Disassembly of section .eh_frame:
08048490 <__FRAME_END__>:
8048490: 00 00 add BYTE PTR [eax],al
...
Disassembly of section .ctors:
08049f14 <__CTOR_LIST__>:
8049f14: ff (bad)
8049f15: ff (bad)
8049f16: ff (bad)
8049f17: ff 00 inc DWORD PTR [eax]
08049f18 <__CTOR_END__>:
8049f18: 00 00 add BYTE PTR [eax],al
...
Disassembly of section .dtors:
08049f1c <__DTOR_LIST__>:
8049f1c: ff (bad)
8049f1d: ff (bad)
8049f1e: ff (bad)
8049f1f: ff 00 inc DWORD PTR [eax]
08049f20 <__DTOR_END__>:
8049f20: 00 00 add BYTE PTR [eax],al
...
Disassembly of section .jcr:
08049f24 <__JCR_END__>:
8049f24: 00 00 add BYTE PTR [eax],al
...
Disassembly of section .dynamic:
08049f28 <_DYNAMIC>:
8049f28: 01 00 add DWORD PTR [eax],eax
8049f2a: 00 00 add BYTE PTR [eax],al
8049f2c: 10 00 adc BYTE PTR [eax],al
8049f2e: 00 00 add BYTE PTR [eax],al
8049f30: 0c 00 or al,0x0
8049f32: 00 00 add BYTE PTR [eax],al
8049f34: 74 82 je 8049eb8 <__FRAME_END__+0x1a28>
8049f36: 04 08 add al,0x8
8049f38: 0d 00 00 00 6c or eax,0x6c000000
8049f3d: 84 04 08 test BYTE PTR [eax+ecx*1],al
8049f40: f5 cmc
8049f41: fe (bad)
8049f42: ff 6f 8c jmp FWORD PTR [edi-0x74]
8049f45: 81 04 08 05 00 00 00 add DWORD PTR [eax+ecx*1],0x5
8049f4c: ec in al,dx
8049f4d: 81 04 08 06 00 00 00 add DWORD PTR [eax+ecx*1],0x6
8049f54: ac lods al,BYTE PTR ds:[esi]
8049f55: 81 04 08 0a 00 00 00 add DWORD PTR [eax+ecx*1],0xa
8049f5c: 45 inc ebp
8049f5d: 00 00 add BYTE PTR [eax],al
8049f5f: 00 0b add BYTE PTR [ebx],cl
8049f61: 00 00 add BYTE PTR [eax],al
8049f63: 00 10 add BYTE PTR [eax],dl
8049f65: 00 00 add BYTE PTR [eax],al
8049f67: 00 15 00 00 00 00 add BYTE PTR ds:0x0,dl
8049f6d: 00 00 add BYTE PTR [eax],al
8049f6f: 00 03 add BYTE PTR [ebx],al
8049f71: 00 00 add BYTE PTR [eax],al
8049f73: 00 f4 add ah,dh
8049f75: 9f lahf
8049f76: 04 08 add al,0x8
8049f78: 02 00 add al,BYTE PTR [eax]
8049f7a: 00 00 add BYTE PTR [eax],al
8049f7c: 10 00 adc BYTE PTR [eax],al
8049f7e: 00 00 add BYTE PTR [eax],al
8049f80: 14 00 adc al,0x0
8049f82: 00 00 add BYTE PTR [eax],al
8049f84: 11 00 adc DWORD PTR [eax],eax
8049f86: 00 00 add BYTE PTR [eax],al
8049f88: 17 pop ss
8049f89: 00 00 add BYTE PTR [eax],al
8049f8b: 00 64 82 04 add BYTE PTR [edx+eax*4+0x4],ah
8049f8f: 08 11 or BYTE PTR [ecx],dl
8049f91: 00 00 add BYTE PTR [eax],al
8049f93: 00 5c 82 04 add BYTE PTR [edx+eax*4+0x4],bl
8049f97: 08 12 or BYTE PTR [edx],dl
8049f99: 00 00 add BYTE PTR [eax],al
8049f9b: 00 08 add BYTE PTR [eax],cl
8049f9d: 00 00 add BYTE PTR [eax],al
8049f9f: 00 13 add BYTE PTR [ebx],dl
8049fa1: 00 00 add BYTE PTR [eax],al
8049fa3: 00 08 add BYTE PTR [eax],cl
8049fa5: 00 00 add BYTE PTR [eax],al
8049fa7: 00 fe add dh,bh
8049fa9: ff (bad)
8049faa: ff 6f 3c jmp FWORD PTR [edi+0x3c]
8049fad: 82 (bad)
8049fae: 04 08 add al,0x8
8049fb0: ff (bad)
8049fb1: ff (bad)
8049fb2: ff 6f 01 jmp FWORD PTR [edi+0x1]
8049fb5: 00 00 add BYTE PTR [eax],al
8049fb7: 00 f0 add al,dh
8049fb9: ff (bad)
8049fba: ff 6f 32 jmp FWORD PTR [edi+0x32]
8049fbd: 82 (bad)
8049fbe: 04 08 add al,0x8
...
Disassembly of section .got:
08049ff0 <.got>:
8049ff0: 00 00 add BYTE PTR [eax],al
...
Disassembly of section .got.plt:
08049ff4 <_GLOBAL_OFFSET_TABLE_>:
8049ff4: 28 9f 04 08 00 00 sub BYTE PTR [edi+0x804],bl
8049ffa: 00 00 add BYTE PTR [eax],al
8049ffc: 00 00 add BYTE PTR [eax],al
8049ffe: 00 00 add BYTE PTR [eax],al
804a000: ba 82 04 08 ca mov edx,0xca080482
804a005: 82 (bad)
804a006: 04 08 add al,0x8
Disassembly of section .data:
0804a008 <__data_start>:
804a008: 00 00 add BYTE PTR [eax],al
...
0804a00c <__dso_handle>:
804a00c: 00 00 add BYTE PTR [eax],al
...
0804a010 <msg>:
804a010: 48 dec eax
804a011: 65 gs
804a012: 6c ins BYTE PTR es:[edi],dx
804a013: 6c ins BYTE PTR es:[edi],dx
804a014: 6f outs dx,DWORD PTR ds:[esi]
804a015: 20 57 6f and BYTE PTR [edi+0x6f],dl
804a018: 72 6c jb 804a086 <_end+0x62>
804a01a: 64 fs
804a01b: 0a .byte 0xa
Disassembly of section .bss:
0804a01c <completed.6155>:
804a01c: 00 00 add BYTE PTR [eax],al
...
0804a020 <dtor_idx.6157>:
804a020: 00 00 add BYTE PTR [eax],al
...
Disassembly of section .comment:
00000000 <.comment>:
0: 47 inc edi
1: 43 inc ebx
2: 43 inc ebx
3: 3a 20 cmp ah,BYTE PTR [eax]
5: 28 55 62 sub BYTE PTR [ebp+0x62],dl
8: 75 6e jne 78 <len+0x6c>
a: 74 75 je 81 <len+0x75>
c: 2f das
d: 4c dec esp
e: 69 6e 61 72 6f 20 34 imul ebp,DWORD PTR [esi+0x61],0x34206f72
15: 2e cs
16: 35 2e 32 2d 38 xor eax,0x382d322e
1b: 75 62 jne 7f <len+0x73>
1d: 75 6e jne 8d <len+0x81>
1f: 74 75 je 96 <len+0x8a>
21: 34 29 xor al,0x29
23: 20 34 2e and BYTE PTR [esi+ebp*1],dh
26: 35 2e 32 00 47 xor eax,0x4700322e
2b: 43 inc ebx
2c: 43 inc ebx
2d: 3a 20 cmp ah,BYTE PTR [eax]
2f: 28 55 62 sub BYTE PTR [ebp+0x62],dl
32: 75 6e jne a2 <len+0x96>
34: 74 75 je ab <len+0x9f>
36: 2f das
37: 4c dec esp
38: 69 6e 61 72 6f 20 34 imul ebp,DWORD PTR [esi+0x61],0x34206f72
3f: 2e cs
40: 35 2e 32 2d 38 xor eax,0x382d322e
45: 75 62 jne a9 <len+0x9d>
47: 75 6e jne b7 <len+0xab>
49: 74 75 je c0 <len+0xb4>
4b: 33 29 xor ebp,DWORD PTR [ecx]
4d: 20 34 2e and BYTE PTR [esi+ebp*1],dh
50: 35 .byte 0x35
51: 2e 32 00 xor al,BYTE PTR cs:[eax]
function in the .text section
To make things a little more readable I will disassemble just the code sections
using objdump -d -M intel hello
gives a subset of the above
hello: file format elf32-i386
Disassembly of section .init:
08048274 <_init>:
8048274: 55 push ebp
8048275: 89 e5 mov ebp,esp
8048277: 53 push ebx
8048278: 83 ec 04 sub esp,0x4
804827b: e8 00 00 00 00 call 8048280 <_init+0xc>
8048280: 5b pop ebx
8048281: 81 c3 74 1d 00 00 add ebx,0x1d74
8048287: 8b 93 fc ff ff ff mov edx,DWORD PTR [ebx-0x4]
804828d: 85 d2 test edx,edx
804828f: 74 05 je 8048296 <_init+0x22>
8048291: e8 1e 00 00 00 call 80482b4 <__gmon_start__@plt>
8048296: e8 d5 00 00 00 call 8048370 <frame_dummy>
804829b: e8 a0 01 00 00 call 8048440 <__do_global_ctors_aux>
80482a0: 58 pop eax
80482a1: 5b pop ebx
80482a2: c9 leave
80482a3: c3 ret
Disassembly of section .plt:
080482a4 <__gmon_start__@plt-0x10>:
80482a4: ff 35 f8 9f 04 08 push DWORD PTR ds:0x8049ff8
80482aa: ff 25 fc 9f 04 08 jmp DWORD PTR ds:0x8049ffc
80482b0: 00 00 add BYTE PTR [eax],al
...
080482b4 <__gmon_start__@plt>:
80482b4: ff 25 00 a0 04 08 jmp DWORD PTR ds:0x804a000
80482ba: 68 00 00 00 00 push 0x0
80482bf: e9 e0 ff ff ff jmp 80482a4 <_init+0x30>
080482c4 <__libc_start_main@plt>:
80482c4: ff 25 04 a0 04 08 jmp DWORD PTR ds:0x804a004
80482ca: 68 08 00 00 00 push 0x8
80482cf: e9 d0 ff ff ff jmp 80482a4 <_init+0x30>
Disassembly of section .text:
080482e0 <_start>:
80482e0: 31 ed xor ebp,ebp
80482e2: 5e pop esi
80482e3: 89 e1 mov ecx,esp
80482e5: 83 e4 f0 and esp,0xfffffff0
80482e8: 50 push eax
80482e9: 54 push esp
80482ea: 52 push edx
80482eb: 68 30 84 04 08 push 0x8048430
80482f0: 68 d0 83 04 08 push 0x80483d0
80482f5: 51 push ecx
80482f6: 56 push esi
80482f7: 68 a0 83 04 08 push 0x80483a0
80482fc: e8 c3 ff ff ff call 80482c4 <__libc_start_main@plt>
8048301: f4 hlt
8048302: 90 nop
8048303: 90 nop
8048304: 90 nop
8048305: 90 nop
8048306: 90 nop
8048307: 90 nop
8048308: 90 nop
8048309: 90 nop
804830a: 90 nop
804830b: 90 nop
804830c: 90 nop
804830d: 90 nop
804830e: 90 nop
804830f: 90 nop
08048310 <__do_global_dtors_aux>:
8048310: 55 push ebp
8048311: 89 e5 mov ebp,esp
8048313: 53 push ebx
8048314: 83 ec 04 sub esp,0x4
8048317: 80 3d 1c a0 04 08 00 cmp BYTE PTR ds:0x804a01c,0x0
804831e: 75 3f jne 804835f <__do_global_dtors_aux+0x4f>
8048320: a1 20 a0 04 08 mov eax,ds:0x804a020
8048325: bb 20 9f 04 08 mov ebx,0x8049f20
804832a: 81 eb 1c 9f 04 08 sub ebx,0x8049f1c
8048330: c1 fb 02 sar ebx,0x2
8048333: 83 eb 01 sub ebx,0x1
8048336: 39 d8 cmp eax,ebx
8048338: 73 1e jae 8048358 <__do_global_dtors_aux+0x48>
804833a: 8d b6 00 00 00 00 lea esi,[esi+0x0]
8048340: 83 c0 01 add eax,0x1
8048343: a3 20 a0 04 08 mov ds:0x804a020,eax
8048348: ff 14 85 1c 9f 04 08 call DWORD PTR [eax*4+0x8049f1c]
804834f: a1 20 a0 04 08 mov eax,ds:0x804a020
8048354: 39 d8 cmp eax,ebx
8048356: 72 e8 jb 8048340 <__do_global_dtors_aux+0x30>
8048358: c6 05 1c a0 04 08 01 mov BYTE PTR ds:0x804a01c,0x1
804835f: 83 c4 04 add esp,0x4
8048362: 5b pop ebx
8048363: 5d pop ebp
8048364: c3 ret
8048365: 8d 74 26 00 lea esi,[esi+eiz*1+0x0]
8048369: 8d bc 27 00 00 00 00 lea edi,[edi+eiz*1+0x0]
08048370 <frame_dummy>:
8048370: 55 push ebp
8048371: 89 e5 mov ebp,esp
8048373: 83 ec 18 sub esp,0x18
8048376: a1 24 9f 04 08 mov eax,ds:0x8049f24
804837b: 85 c0 test eax,eax
804837d: 74 12 je 8048391 <frame_dummy+0x21>
804837f: b8 00 00 00 00 mov eax,0x0
8048384: 85 c0 test eax,eax
8048386: 74 09 je 8048391 <frame_dummy+0x21>
8048388: c7 04 24 24 9f 04 08 mov DWORD PTR [esp],0x8049f24
804838f: ff d0 call eax
8048391: c9 leave
8048392: c3 ret
8048393: 90 nop
8048394: 90 nop
8048395: 90 nop
8048396: 90 nop
8048397: 90 nop
8048398: 90 nop
8048399: 90 nop
804839a: 90 nop
804839b: 90 nop
804839c: 90 nop
804839d: 90 nop
804839e: 90 nop
804839f: 90 nop
080483a0 <main>:
80483a0: ba 0c 00 00 00 mov edx,0xc
80483a5: b9 10 a0 04 08 mov ecx,0x804a010
80483aa: bb 01 00 00 00 mov ebx,0x1
80483af: b8 04 00 00 00 mov eax,0x4
80483b4: cd 80 int 0x80
80483b6: bb 00 00 00 00 mov ebx,0x0
80483bb: b8 01 00 00 00 mov eax,0x1
80483c0: cd 80 int 0x80
80483c2: 90 nop
80483c3: 90 nop
80483c4: 90 nop
80483c5: 90 nop
80483c6: 90 nop
80483c7: 90 nop
80483c8: 90 nop
80483c9: 90 nop
80483ca: 90 nop
80483cb: 90 nop
80483cc: 90 nop
80483cd: 90 nop
80483ce: 90 nop
80483cf: 90 nop
080483d0 <__libc_csu_init>:
80483d0: 55 push ebp
80483d1: 89 e5 mov ebp,esp
80483d3: 57 push edi
80483d4: 56 push esi
80483d5: 53 push ebx
80483d6: e8 5a 00 00 00 call 8048435 <__i686.get_pc_thunk.bx>
80483db: 81 c3 19 1c 00 00 add ebx,0x1c19
80483e1: 83 ec 1c sub esp,0x1c
80483e4: e8 8b fe ff ff call 8048274 <_init>
80483e9: 8d bb 20 ff ff ff lea edi,[ebx-0xe0]
80483ef: 8d 83 20 ff ff ff lea eax,[ebx-0xe0]
80483f5: 29 c7 sub edi,eax
80483f7: c1 ff 02 sar edi,0x2
80483fa: 85 ff test edi,edi
80483fc: 74 24 je 8048422 <__libc_csu_init+0x52>
80483fe: 31 f6 xor esi,esi
8048400: 8b 45 10 mov eax,DWORD PTR [ebp+0x10]
8048403: 89 44 24 08 mov DWORD PTR [esp+0x8],eax
8048407: 8b 45 0c mov eax,DWORD PTR [ebp+0xc]
804840a: 89 44 24 04 mov DWORD PTR [esp+0x4],eax
804840e: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]
8048411: 89 04 24 mov DWORD PTR [esp],eax
8048414: ff 94 b3 20 ff ff ff call DWORD PTR [ebx+esi*4-0xe0]
804841b: 83 c6 01 add esi,0x1
804841e: 39 fe cmp esi,edi
8048420: 72 de jb 8048400 <__libc_csu_init+0x30>
8048422: 83 c4 1c add esp,0x1c
8048425: 5b pop ebx
8048426: 5e pop esi
8048427: 5f pop edi
8048428: 5d pop ebp
8048429: c3 ret
804842a: 8d b6 00 00 00 00 lea esi,[esi+0x0]
08048430 <__libc_csu_fini>:
8048430: 55 push ebp
8048431: 89 e5 mov ebp,esp
8048433: 5d pop ebp
8048434: c3 ret
08048435 <__i686.get_pc_thunk.bx>:
8048435: 8b 1c 24 mov ebx,DWORD PTR [esp]
8048438: c3 ret
8048439: 90 nop
804843a: 90 nop
804843b: 90 nop
804843c: 90 nop
804843d: 90 nop
804843e: 90 nop
804843f: 90 nop
08048440 <__do_global_ctors_aux>:
8048440: 55 push ebp
8048441: 89 e5 mov ebp,esp
8048443: 53 push ebx
8048444: 83 ec 04 sub esp,0x4
8048447: a1 14 9f 04 08 mov eax,ds:0x8049f14
804844c: 83 f8 ff cmp eax,0xffffffff
804844f: 74 13 je 8048464 <__do_global_ctors_aux+0x24>
8048451: bb 14 9f 04 08 mov ebx,0x8049f14
8048456: 66 90 xchg ax,ax
8048458: 83 eb 04 sub ebx,0x4
804845b: ff d0 call eax
804845d: 8b 03 mov eax,DWORD PTR [ebx]
804845f: 83 f8 ff cmp eax,0xffffffff
8048462: 75 f4 jne 8048458 <__do_global_ctors_aux+0x18>
8048464: 83 c4 04 add esp,0x4
8048467: 5b pop ebx
8048468: 5d pop ebp
8048469: c3 ret
804846a: 90 nop
804846b: 90 nop
Disassembly of section .fini:
0804846c <_fini>:
804846c: 55 push ebp
804846d: 89 e5 mov ebp,esp
804846f: 53 push ebx
8048470: 83 ec 04 sub esp,0x4
8048473: e8 00 00 00 00 call 8048478 <_fini+0xc>
8048478: 5b pop ebx
8048479: 81 c3 7c 1b 00 00 add ebx,0x1b7c
804847f: e8 8c fe ff ff call 8048310 <__do_global_dtors_aux>
8048484: 59 pop ecx
8048485: 5b pop ebx
8048486: c9 leave
8048487: c3 ret
My problem is this: going through the code,
_start does some setup and pushes 3 important addresses on the stack:
push 0x8048430
push 0x80483d0
push 0x80483a0
call 80482c4 <__libc_start_main@plt>
goes here:
080482c4 <__libc_start_main@plt>:
80482c4: ff 25 04 a0 04 08 jmp DWORD PTR ds:0x804a004
80482ca: 68 08 00 00 00 push 0x8
80482cf: e9 d0 ff ff ff jmp 80482a4 <_init+0x30>
So, more generally, my trouble is understanding the disassembled functions of the .plt section: with those 3 jmp parts (or 3 functions) I just lose track of the flow.
080482a4 <__gmon_start__@plt-0x10>:
080482b4 <__gmon_start__@plt>:
080482c4 <__libc_start_main@plt>: