I have a quick question. I have generated an ELF binary from C code using the following command:
gcc -o simple simple.c
Then I run objdump on that ELF binary:
objdump --disassemble-all simple
I have checked my directory with ls -a and there is no .o file there.
My question is still: how does objdump show me the full disassembled code? Does objdump do static analysis on the binary to cover all the code?
2 Answers
objdump shows the disassembled code because that's its job. It knows the format of the executable file. Executables are not just a straight sequence of instructions: they have structure. Executables typically start with a header containing various metadata and are organized in sections. Dynamically linked executables necessarily contain enough information for the dynamic linker, so they must indicate what symbols the executable needs and where those symbols will be loaded so that the program can find them when it runs.
For example, most Unix systems use ELF (other formats exist). If objdump detects an ELF binary (by checking the magic number at the beginning of the file), it parses the file header, which lets it know where the program header and the section tables are located. Each section contains an indication of what type of content it contains. objdump further parses each section according to its type. When it sees a section that's supposed to contain code, it runs a disassembler on it.
Disassembly is fairly simple in principle: code is a list of instructions, and disassembly is just translating from a binary representation of instructions to a textual one. The disassembler just takes the instructions in order. In practice, things can be more complicated on architectures where instructions have a variable size, and because data can be embedded in code sections. objdump generally works on "normal" executables, but may not produce sensible output on binaries that have been deliberately obfuscated.
objdump does not perform any static analysis. It just does a direct parsing and translation; it doesn't do any analysis of what the instructions mean.
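To make the parsing steps in the answer above concrete, here is an added example (my own code, not objdump's source and not from either answer) that does for a little-endian ELF64 file exactly what the answer describes: check the magic number, read the file header to locate the section header table, read each section header, and pick out the sections flagged as holding code. The sample ELF image is constructed inline (hand-built, not produced by gcc) so the script runs offline; the layout constants and flag values come from the ELF specification.

```python
import struct

# Layout constants from the ELF specification (ELF64, little-endian)
ELF_MAGIC = b"\x7fELF"
SHF_EXECINSTR = 0x4                 # section holds machine instructions
EHDR_FMT = "<16sHHIQQQIHHHHHH"      # 64-byte file header
SHDR_FMT = "<IIQQQQIIQQ"            # 64-byte section header


def code_sections(data: bytes):
    """Return [(name, file_offset, size)] for every executable section:
    check the magic, read the file header to find the section header
    table, then test each section's flags (program headers not needed)."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_shoff, e_shentsize, e_shnum, e_shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    shdrs = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    # section names live in .shstrtab, whose index is e_shstrndx
    st = shdrs[e_shstrndx]
    names = data[st[4]:st[4] + st[5]]           # sh_offset, sh_size
    return [(names[sh[0]:names.index(b"\0", sh[0])].decode(), sh[4], sh[5])
            for sh in shdrs if sh[2] & SHF_EXECINSTR]


def build_sample_elf() -> bytes:
    """Constructed minimal ELF64 image (hand-built, not gcc output): a .text
    section of 'ret' plus nop padding, a non-code .data section, .shstrtab."""
    text = b"\xc3" + b"\x90" * 7                # x86-64: ret, then 7 x nop
    data = b"\x01\x00\x00\x00"
    shstrtab = b"\0.text\0.data\0.shstrtab\0"   # names start at 1, 7, 13
    text_off, data_off = 64, 64 + len(text)
    str_off = data_off + len(data)
    shoff = str_off + len(shstrtab)
    shoff += (-shoff) % 8                       # align the section table
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9  # class=64-bit, LSB, v1
    ehdr = struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, 0x401000, 0, shoff,
                       0, 64, 0, 0, 64, 4, 3)   # 4 sections, names in #3
    shdrs = struct.pack(SHDR_FMT, *([0] * 10))  # mandatory null section
    shdrs += struct.pack(SHDR_FMT, 1, 1, 0x6, 0x401000, text_off, len(text), 0, 0, 16, 0)
    shdrs += struct.pack(SHDR_FMT, 7, 1, 0x3, 0x402000, data_off, len(data), 0, 0, 4, 0)
    shdrs += struct.pack(SHDR_FMT, 13, 3, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0)
    body = ehdr + text + data + shstrtab
    return body + b"\0" * (shoff - len(body)) + shdrs
```

Running code_sections(build_sample_elf()) reports only .text; a real disassembler would then be pointed at that file range, while .data is skipped because its flags lack SHF_EXECINSTR.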
objdump (a GNU utility) is a tool to disassemble object files, and also executables, using the Linear Sweep approach. This means that it parses the file linearly in a static fashion and decodes each instruction. However, there are serious limitations. Objdump is not able to differentiate between code and data bytes within the code; for example, there is no ideal rule to decode padding bytes.
Objdump generally starts from the entry point of a program (present in the ELF header) and decodes the instructions linearly. Below is the Linear sweep algorithm...
gcc wouldn't generate a .o file in the invocation you gave. As for assembly you might consider gcc -S. I realise maybe you're only after objdump but if not...