How to examine `elf` file by hexdump?

OnlyWick

I'm learning elf file layout, so I'm reading Executable_and_Linkable_Format.

In the beginning, I used `readelf -a` to examine the ELF (.o file), but what it provided is not what I wanted, so I used `hexdump -C` to examine its binary form.

I used `as -Og -g ... -o ...`, `ld ... -o ...` and `hexdump -C ...` to examine the ELF file; below is my code. ;)

Code:
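.section .data
iary:
    .int 1, 2                     # two 32-bit integers
lary:
    .long 3, 4                    # .long is also 32 bits wide on x86

.section .text
.globl  _start
_start:
    movq $0, %rdi
    leaq iary(, %rdi, 4), %rbx    # address of iary[0]
    movl iary(, %rdi, 4), %ecx    # value of iary[0]

    movq $1, %rdi
    leaq iary(, %rdi, 4), %rbx    # address of iary[1]
    movl iary(, %rdi, 4), %ecx    # value of iary[1]

    #===============================

    movq $0, %rdi
    leaq lary(, %rdi, 4), %rbx    # address of lary[0]
    movl lary(, %rdi, 4), %ecx    # value of lary[0]

    movq $1, %rdi
    leaq lary(, %rdi, 4), %rbx    # address of lary[1]
    movl lary(, %rdi, 4), %ecx    # value of lary[1]

    movq $60, %rax                # exit system call on x86-64 Linux, status in %rdi
    syscall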

I'm looking for the `program header`, `section header`, etc. But I'm not sure my search method is correct!
1656555854381.png


Please connect this with the picture above.
1656555877575.png


Note: `objdump -x` can display all headers, but I guess it analyses the binary file and then displays what we want. So I am trying to understand the binary file format! o_O
 


It's likely you'll need more tools to reverse engineer the binary.
A few observations:
The first 8 hex numbers from the 0 offset on the first line tell the reader that it's an ELF file, which is indicated in the right section.
The "40" on the third and fifth lines are not the same "40". The first one refers to the ASCII character "@" shown on the right and the second "40" refers to the offset in the file.
The tools "strings", "objdump" and "strace" are usually used as well as "hexdump" in this sort of quest. Have a look at:
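
Added example, not part of the original thread: a small Python parser for the ELF64 file header that computes the file offsets at which the program header and section header tables show up in a `hexdump -C` listing, then decodes the program headers. The sample bytes are constructed for illustration and the function names are this example's own; only 64-bit little-endian ELF is handled.

```python
import struct

# Layouts from the ELF-64 specification, little-endian only.
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")        # Elf64_Ehdr, 64 bytes
EHDR_FIELDS = ("e_ident e_type e_machine e_version e_entry e_phoff e_shoff "
               "e_flags e_ehsize e_phentsize e_phnum e_shentsize e_shnum "
               "e_shstrndx").split()
PHDR = struct.Struct("<IIQQQQQQ")                # Elf64_Phdr, 56 bytes
PHDR_FIELDS = ("p_type p_flags p_offset p_vaddr p_paddr "
               "p_filesz p_memsz p_align").split()

def parse_ehdr(data):
    """Decode the file header found at offset 0 of an ELF64 LSB file."""
    if len(data) < EHDR.size:
        raise ValueError("shorter than an ELF64 header (64 bytes)")
    h = dict(zip(EHDR_FIELDS, EHDR.unpack_from(data, 0)))
    ident = h["e_ident"]
    if ident[:4] != b"\x7fELF":
        raise ValueError("bad magic: not an ELF file")
    if ident[4] != 2 or ident[5] != 1:           # ELFCLASS64, ELFDATA2LSB
        raise ValueError("only 64-bit little-endian ELF is handled")
    return h

def table_ranges(h):
    """File offset ranges [start, end) of both header tables."""
    ph = (h["e_phoff"], h["e_phoff"] + h["e_phentsize"] * h["e_phnum"])
    sh = (h["e_shoff"], h["e_shoff"] + h["e_shentsize"] * h["e_shnum"])
    return {"program_headers": ph, "section_headers": sh}

def parse_phdrs(data, h):
    """Decode every program header; reject a table that runs past the data."""
    start, end = table_ranges(h)["program_headers"]
    if h["e_phentsize"] != PHDR.size or end > len(data):
        raise ValueError("program header table is malformed or truncated")
    return [dict(zip(PHDR_FIELDS, PHDR.unpack_from(data, off)))
            for off in range(start, end, PHDR.size)]

def constructed_sample():
    """Constructed bytes: file header plus one PT_LOAD entry, not a real binary."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = EHDR.pack(ident, 2, 62, 1, 0x401000, 64, 0x2000, 0, 64, 56, 1, 64, 5, 4)
    phdr = PHDR.pack(1, 5, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)
    return ehdr + phdr                           # section headers are not included

if __name__ == "__main__":
    image = constructed_sample()
    hdr = parse_ehdr(image)
    for name, (lo, hi) in table_ranges(hdr).items():
        print(f"{name}: hexdump -C offsets {lo:08x}..{hi:08x}")
    for ph in parse_phdrs(image, hdr):
        print({k: hex(v) for k, v in ph.items()})
```

To run it against a real file, pass the bytes read from that file to `parse_ehdr` instead of `constructed_sample()`, then look up the printed offsets in the left-hand column of the `hexdump -C` output.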
 
