Tags: assembly, x86-64, elf, disassembly, objdump

How do I find a byte of data located at a certain address from the disassembly of an object file?


I have an object file fact.o, which is a binary file. To examine the disassembly of the object file, I ran the following command: objdump -d fact.o. I get the following output:

fact.o:     file format elf64-x86-64


Disassembly of section .text:

0000000000000000 <factorial>:
   0:   ba 01 00 00 00          mov    $0x1,%edx
   5:   b8 00 00 00 00          mov    $0x0,%eax
   a:   39 f8                   cmp    %edi,%eax
   c:   7f 08                   jg     16 <factorial+0x16>
   e:   0f af d0                imul   %eax,%edx
  11:   83 c0 01                add    $0x1,%eax
  14:   eb f4                   jmp    a <factorial+0xa>
  16:   89 d0                   mov    %edx,%eax
  18:   c3                      retq   

0000000000000019 <main>:
  19:   48 83 ec 08             sub    $0x8,%rsp
  1d:   bf 05 00 00 00          mov    $0x5,%edi
  22:   e8 00 00 00 00          callq  27 <main+0xe>
  27:   89 c2                   mov    %eax,%edx
  29:   be 05 00 00 00          mov    $0x5,%esi
  2e:   bf 00 00 00 00          mov    $0x0,%edi
  33:   b8 00 00 00 00          mov    $0x0,%eax
  38:   e8 00 00 00 00          callq  3d <main+0x24>
  3d:   b8 00 00 00 00          mov    $0x0,%eax
  42:   48 83 c4 08             add    $0x8,%rsp
  46:   c3                      retq 

I know the output is given in three columns: the instruction "address", the machine code (actual bytes stored in the object file), and the disassembly (assembly instructions interpreted from the machine code). My question is how can I find a byte of data located at a certain address? For example: how would I find the byte of data located at the address 0x10? I initially assumed it to be 0x89 from the output, but I'm pretty sure I'm incorrect. Any help is appreciated in helping me figure this out. I'm still trying to get used to assembly and any info will help me out a lot.

Note: I'm using gcc 9.2 if that is relevant for this question.


Solution

  • I believe it should just take a bit of counting.

    So, for example, to find 0x10, first you find, in the leftmost column, the number closest to 0x10 but lower than that. Here, it's 0xe:

       e:   0f af d0                imul   %eax,%edx
       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    

    Then we just count a bit. We know that at 0xe, the byte is 0x0f. 0xf will be 0xaf, the byte right after 0x0f, and 0x10 will be 0xd0.

       e:   0f af d0                imul   %eax,%edx
             e  f 10
    

    However, these addresses are only relative to the start of the section; not sure if that's what you want. See Peter Cordes's comment.
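
The counting described in the answer, as an added example that is not part of the original post: a small Python parser for `objdump -d` lines that returns the byte at a section-relative offset. The names `LISTING`, `instructions` and `locate` are chosen here for illustration, and the listing is the `factorial` part of the output quoted in the question.

```python
import re

# First function of the `objdump -d fact.o` listing quoted in the question.
LISTING = """\
0000000000000000 <factorial>:
   0:   ba 01 00 00 00          mov    $0x1,%edx
   5:   b8 00 00 00 00          mov    $0x0,%eax
   a:   39 f8                   cmp    %edi,%eax
   c:   7f 08                   jg     16 <factorial+0x16>
   e:   0f af d0                imul   %eax,%edx
  11:   83 c0 01                add    $0x1,%eax
  14:   eb f4                   jmp    a <factorial+0xa>
  16:   89 d0                   mov    %edx,%eax
  18:   c3                      retq
"""

# "<hex offset>:" followed by one or more two-digit hex bytes.
LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}(?:\s|$))+)")


def instructions(listing):
    """Yield (start_offset, [byte, ...]) for each disassembly line."""
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:  # skips symbol headers, banners and blank lines
            yield int(m.group(1), 16), [int(b, 16) for b in m.group(2).split()]


def locate(listing, offset):
    """Return (line_start, index_in_line, byte) for a section-relative offset."""
    for start, data in instructions(listing):
        if start <= offset < start + len(data):
            return start, offset - start, data[offset - start]
    raise KeyError(f"offset {offset:#x} is not covered by the listing")


if __name__ == "__main__":
    start, index, value = locate(LISTING, 0x10)
    print(f"0x10 is byte {index} of the line at {start:#x}: {value:#04x}")
```

On the real file, `objdump -s -j .text fact.o` prints the same section as a raw hex dump, which gives the byte without parsing the disassembly.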