Tags: linux, reverse-engineering, binaryfiles, elf, hexdump

How to examine an `elf` file with hexdump?


I'm learning the ELF file layout, so I'm reading Executable_and_Linkable_Format.

In the beginning, I used readelf -a to examine the elf (.o) file, but what it provided is not what I want, so I used hexdump -C to examine its binary form.

I used as -Og -g ... -o ..., ld ... -o ... and hexdump -C ... to examine the elf file; below is my code.

.section .data
iary:
    .int 1, 2          # .int is 4 bytes each on x86-64 GAS
lary:
    .long 3, 4         # .long is also 4 bytes, so iary and lary form one 16-byte run of 32-bit ints

.section .text
.globl  _start

_start:
    movq $0, %rdi
    leaq iary(, %rdi, 4), %rbx     # %rbx = &iary[0]
    movl iary(, %rdi, 4), %ecx     # %ecx = iary[0]

    movq $1, %rdi
    leaq iary(, %rdi, 4), %rbx     # %rbx = &iary[1]
    movl iary(, %rdi, 4), %ecx     # %ecx = iary[1]

    #===============================
    
    movq $0, %rdi
    leaq lary(, %rdi, 4), %rbx     # %rbx = &lary[0]
    movl lary(, %rdi, 4), %ecx     # %ecx = lary[0]

    movq $1, %rdi
    leaq lary(, %rdi, 4), %rbx     # %rbx = &lary[1]
    movl lary(, %rdi, 4), %ecx     # %ecx = lary[1]

    movq $60, %rax                 # sys_exit; %rdi still holds 1, so the exit status is 1
    syscall

I'm looking for the program header, section header, etc. But I'm not sure my search method is correct!

[1]: https://i.sstatic.net/5WX6E.png

Please refer to the picture above [1].


Solution

  • To find the program header:

    First, byte 0x4 is 2, so this is a 64-bit binary. Then, byte 0x5 is 1, so it is little-endian.

    Since it is 64-bit, the offset of the program header is at 0x20 and is a 64-bit value. The bytes here are 40 00 00 00 00 00 00 00 which is the little-endian number 0x40. So as you circled, the program header starts at offset 0x40 in the file.

    The section header offset is at 0x28, and points to 0x22f0, so that's where the section headers begin, as you have circled. The first one has zeros at offset 0x4 (i.e. 0x22f4 in the file), meaning it is unused, which is why you see zeros in the 0x40 bytes starting at 0x22f0. The first real section header starts at 0x22f0 + 0x40 = 0x2330.

    Offset 0x1000 looks like the start of the program's actual code. It makes sense that it is aligned to a page boundary (0x1000 = 4096 = size of a page). You could confirm by decoding the section headers; this region will probably turn out to be part of .text. These bytes look like machine code and you could use a disassembler to decode them. 48 c7 c7 00 00 00 00 is mov rdi, 0 if I read correctly.

    Offset 0x2000 is probably the start of a data section. The first part looks like an array of 32-bit integers {0x1, 0x2, 0x3, 0x4}. Later on we have what is possibly a section of debug info.

    Perhaps this will help get you started.
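As an added worked example (not part of the answer above, and not the asker's file), the following Python script does by code what the answer does by eye: it reads EI_CLASS and EI_DATA from e_ident, pulls e_phoff (offset 0x20) and e_shoff (offset 0x28) out of the 64-bit ELF header, walks the section header table, resolves section names through the .shstrtab string table, and then maps a raw hexdump offset such as 0x1000 or 0x2000 back to the section that owns it. The ELF image it parses by default is constructed inline (a hypothetical minimal executable with .text at 0x1000, .data holding {1, 2, 3, 4} at 0x2000, and section headers at 0x2030, mirroring the layout the answer describes) so it runs offline; pass a path on the command line to parse a real file instead. The bounds checks on e_phoff/e_shoff are there because a crafted file can point those fields past the end of the image.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
SHT_NULL, SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 0, 1, 3, 8
PT_LOAD = 1
# struct formats for the ELF64 tables; the endianness prefix is added once EI_DATA is known
EHDR_FMT = "16sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes: e_phoff at 0x20, e_shoff at 0x28
PHDR_FMT = "IIQQQQQQ"           # Elf64_Phdr, 56 bytes
SHDR_FMT = "IIQQQQIIQQ"         # Elf64_Shdr, 64 bytes

def cstring(buf, start):
    """NUL-terminated string at buf[start]; ValueError if unterminated."""
    return buf[start:buf.index(b"\0", start)].decode("ascii", "replace")

def parse_elf64(data):
    """Decode the ELF header, program headers and section headers of a 64-bit image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("missing ELF magic")
    if data[4] != 2:                          # EI_CLASS: 1 = 32-bit, 2 = 64-bit
        raise ValueError("only ELFCLASS64 is handled here")
    endian = {1: "<", 2: ">"}[data[5]]        # EI_DATA: 1 = little, 2 = big
    ehdr = struct.Struct(endian + EHDR_FMT)
    (_ident, e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags, e_ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = ehdr.unpack_from(data, 0)
    if e_ehsize != ehdr.size or e_phentsize != 56 or e_shentsize != 64:
        raise ValueError("unexpected header sizes")
    # a hostile file can point e_phoff/e_shoff past EOF; check before indexing
    if e_phoff + e_phnum * e_phentsize > len(data) or e_shoff + e_shnum * e_shentsize > len(data):
        raise ValueError("header table runs past end of file")
    phdr = struct.Struct(endian + PHDR_FMT)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, p_off, p_vaddr, _paddr, p_filesz, p_memsz, p_align = \
            phdr.unpack_from(data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "flags": p_flags, "offset": p_off, "vaddr": p_vaddr,
                      "filesz": p_filesz, "memsz": p_memsz, "align": p_align})
    shdr = struct.Struct(endian + SHDR_FMT)
    raw = [shdr.unpack_from(data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    # section names are offsets into the string table section selected by e_shstrndx
    if e_shstrndx >= e_shnum or raw[e_shstrndx][1] != SHT_STRTAB:
        raise ValueError("e_shstrndx does not select a string table")
    str_off, str_size = raw[e_shstrndx][4], raw[e_shstrndx][5]
    strtab = data[str_off:str_off + str_size]
    sections = []
    for sh_name, sh_type, sh_flags, sh_addr, sh_off, sh_size, *_ in raw:
        name = "" if sh_type == SHT_NULL else cstring(strtab, sh_name)   # entry 0 is the unused SHT_NULL slot
        sections.append({"name": name, "type": sh_type, "flags": sh_flags,
                         "addr": sh_addr, "offset": sh_off, "size": sh_size})
    return {"endian": endian, "type": e_type, "machine": e_machine, "entry": e_entry,
            "phoff": e_phoff, "shoff": e_shoff, "phdrs": phdrs, "sections": sections}

def section_at(parsed, file_offset):
    """Name of the section whose file bytes cover a hexdump offset, else None (e.g. the headers)."""
    for s in parsed["sections"]:
        if s["type"] in (SHT_NULL, SHT_NOBITS):     # .bss occupies no file bytes
            continue
        if s["offset"] <= file_offset < s["offset"] + s["size"]:
            return s["name"]
    return None

def section_bytes(data, parsed, name):
    """Raw file bytes of the named section."""
    for s in parsed["sections"]:
        if s["name"] == name:
            return data[s["offset"]:s["offset"] + s["size"]]
    raise KeyError(name)

def build_sample_elf():
    """Constructed minimal ELF64 image (hypothetical, not the asker's file): .text at 0x1000,
    .data {1,2,3,4} at 0x2000, .shstrtab at 0x2010, section headers at 0x2030."""
    text = bytes.fromhex("48c7c700000000" "48c7c03c000000" "0f05")  # mov $0,%rdi; mov $60,%rax; syscall
    data = struct.pack("<4I", 1, 2, 3, 4)
    shstrtab = b"\0.text\0.data\0.shstrtab\0"    # ".text" at 1, ".data" at 7, ".shstrtab" at 13
    sh_off = 0x2030
    img = bytearray(sh_off + 4 * 64)
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)   # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    img[0:64] = struct.pack("<" + EHDR_FMT, ident, 2, 0x3E, 1, 0x401000, 0x40, sh_off, 0,
                            64, 56, 1, 64, 4, 3)   # ET_EXEC, EM_X86_64, phnum=1, shnum=4, shstrndx=3
    img[0x40:0x40 + 56] = struct.pack("<" + PHDR_FMT, PT_LOAD, 5, 0x1000, 0x401000, 0x401000,
                                      len(text), len(text), 0x1000)   # flags 5 = PF_R|PF_X
    img[0x1000:0x1000 + len(text)] = text
    img[0x2000:0x2000 + len(data)] = data
    img[0x2010:0x2010 + len(shstrtab)] = shstrtab
    shdrs = [(0, SHT_NULL, 0, 0, 0, 0, 0, 0, 0, 0),
             (1, SHT_PROGBITS, 6, 0x401000, 0x1000, len(text), 0, 0, 16, 0),   # .text SHF_ALLOC|SHF_EXECINSTR
             (7, SHT_PROGBITS, 3, 0x402000, 0x2000, len(data), 0, 0, 4, 0),    # .data SHF_WRITE|SHF_ALLOC
             (13, SHT_STRTAB, 0, 0, 0x2010, len(shstrtab), 0, 0, 1, 0)]
    for i, sh in enumerate(shdrs):
        img[sh_off + i * 64:sh_off + (i + 1) * 64] = struct.pack("<" + SHDR_FMT, *sh)
    return bytes(img)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    info = parse_elf64(blob)
    print("program headers at 0x%x, section headers at 0x%x" % (info["phoff"], info["shoff"]))
    for off in (0x40, 0x1000, 0x2000):
        print("file offset 0x%x lies in section %s" % (off, section_at(info, off)))
```

Run it as `python3 elfwalk.py ./a.out` against the linked binary and compare the printed offsets with `readelf -S` and the hexdump: offset 0x40 lands in no section (it is the program header table), while 0x1000 and 0x2000 resolve to the sections that own them, which is the check the answer suggests doing by decoding the section headers.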