In the previous post we conquered compilation by constructing a small program that can be compiled without using libc. Understanding object code and the details of an ELF executable are the next step in our adventure.

We left off with the following program pieces:

jesstess@kid-charlemagne:~$ cat stubstart.S

.globl _start

_start:
    call main
    movl $1, %eax
    xorl %ebx, %ebx
    int $0x80

jesstess@kid-charlemagne:~$ cat hello.c

int main() {
    char *str = "Hello World";
    return 0;
}

jesstess@kid-charlemagne:~/c$ gcc -nostdlib stubstart.S hello.c -o hello

jesstess@kid-charlemagne:~/c$ wc -c hello
1373 hello
jesstess@kid-charlemagne:~$ objdump -D hello | wc -l
93

objdump -D

.text

_start

main

.rodata

.eh_frame_hdr

.eh_frame

.comment

Step 1: Back up - what the heck is a "section"?

readelf -l

readelf -S



Figure 1: our ELF segments and sections

Step 2: What goes in our sections?

.eh_frame

.eh_frame

.eh_frame

.eh_frame_hdr

-fno-asynchronous-unwind-tables

--remove-section

.comment

_start

main

Step 3: Understand the symbols and why they live where they live.

objdump -t

jesstess@kid-charlemagne:~/c$ objdump -t hello

hello:     file format elf64-x86-64

SYMBOL TABLE:
00000000004000e8 l    d  .text          0000000000000000 .text
0000000000400107 l    d  .rodata        0000000000000000 .rodata
0000000000400114 l    d  .eh_frame_hdr  0000000000000000 .eh_frame_hdr
0000000000400128 l    d  .eh_frame      0000000000000000 .eh_frame
0000000000000000 l    d  .comment       0000000000000000 .comment
0000000000000000 l    df *ABS*          0000000000000000 hello.c
00000000004000e8 g       .text          0000000000000000 _start
0000000000600fe8 g       *ABS*          0000000000000000 __bss_start
00000000004000f4 g     F .text          0000000000000013 main
0000000000600fe8 g       *ABS*          0000000000000000 _edata
0000000000600fe8 g       *ABS*          0000000000000000 _end

main

hello.c

_start

main

.text

__bss_start

_edata

_end

gcc

ld

ld --verbose

_edata

.data

__bss_start

_end

.bss

str

str

.rodata

char *str = "Hello, World";

.rodata

str

jesstess@kid-charlemagne:~$ objdump -s hello

hello:     file format elf64-x86-64

Contents of section .text:
 4000e8 e80b0000 00b80100 000031db cd809090  .........1......
 4000f8 554889e5 48c745f8 0b014000 b8000000  UH..H.E...@.....
 400108 00c9c3                               ...
Contents of section .rodata:
 40010b 48656c6c 6f20576f 726c6400           Hello World.
Contents of section .eh_frame_hdr:
 400118 011b033b 14000000 01000000 e0ffffff  ...;............
 400128 30000000                             0...
Contents of section .eh_frame:
 400130 14000000 00000000 017a5200 01781001  .........zR..x..
 400140 030c0708 90010000 1c000000 1c000000  ................
 400150 f8004000 13000000 00410e10 8602430d  ..@......A....C.
 400160 06000000 00000000                    ........
Contents of section .comment:
 0000 00474343 3a202855 62756e74 7520342e  .GCC: (Ubuntu 4.
 0010 332e332d 35756275 6e747534 2920342e  3.3-5ubuntu4) 4.
 0020 332e3300                             3.3.

.rodata

.comment

Step 4: Trim the fat and put it all together

.text

.rodata

.eh_frame_hdr

.eh_frame

.comment

.text

objdump -d

objdump -D

.text

.rodata

.comment

objdump -D

objdump

.comment

>>> "".join(chr(int(x, 16)) for x in "47 43 43 3a 20 28 55 62 75 6e 74 75".split())
'GCC: (Ubuntu'

In .text, _start calls main, and in main a pointer to the memory location where "Hello World" is stored, 0x40010b (where .rodata starts, as seen in the objdump -D output), is pushed onto the stack. We then return from main to _start, which takes care of returning from the program, as described in Part I.
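As an added example (not code from the original post), here is a small parser for the ELF64 section header table, run against a constructed in-memory image that mirrors the .text, .rodata and .comment bytes and addresses from the objdump -s output above. The names parse_sections, section_for_address, section_bytes and build_sample_elf are hypothetical; the image is hand-built with struct and carries no program headers, so it is only for inspecting sections, not for running.

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr

def parse_sections(data):
    """Return [(name, sh_addr, sh_size, sh_offset)] for every section header."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    _, _, _, _, _, _, shoff, _, _, _, _, shentsize, shnum, shstrndx = EHDR.unpack_from(data, 0)
    hdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    strtab_off = hdrs[shstrndx][4]          # .shstrtab holds the section names
    def name(idx):
        end = data.index(b"\0", strtab_off + idx)
        return data[strtab_off + idx:end].decode()
    return [(name(h[0]), h[3], h[5], h[4]) for h in hdrs]

def section_for_address(sections, vaddr):
    """Which loaded section covers a virtual address (e.g. the 0x40010b pointer in main)?"""
    for name, addr, size, _ in sections:
        if addr and addr <= vaddr < addr + size:
            return name
    return None

def section_bytes(data, sections, wanted):
    """Raw file bytes of a section, loaded or not (e.g. .comment, which has address 0)."""
    for name, _, size, off in sections:
        if name == wanted:
            return data[off:off + size]
    raise KeyError(wanted)

def build_sample_elf():
    """Constructed image: the bytes and addresses from the objdump -s output above."""
    text = bytes.fromhex("e80b000000b80100000031dbcd809090"
                         "554889e548c745f80b014000b800000000c9c3")
    shstrtab = b"\0.text\0.rodata\0.comment\0.shstrtab\0"
    blobs = [(b".text", text, 0x4000e8, 1), (b".rodata", b"Hello World\0", 0x40010b, 1),
             (b".comment", b"\0GCC: (Ubuntu 4.3.3-5ubuntu4) 4.3.3\0", 0, 1),
             (b".shstrtab", shstrtab, 0, 3)]
    shdrs, off = [SHDR.pack(*[0] * 10)], EHDR.size   # index 0 is the reserved null header
    for name, blob, addr, typ in blobs:
        shdrs.append(SHDR.pack(shstrtab.index(name + b"\0"), typ, 0, addr, off, len(blob), 0, 0, 1, 0))
        off += len(blob)                             # sections are laid out back to back
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9, 2, 62, 1, 0x4000e8, 0, off, 0,
                     EHDR.size, 0, 0, SHDR.size, len(shdrs), len(shdrs) - 1)
    return ehdr + b"".join(b for _, b, _, _ in blobs) + b"".join(shdrs)

IMAGE = build_sample_elf()
SECTIONS = parse_sections(IMAGE)
```

section_for_address(SECTIONS, 0x40010b) returns ".rodata", and section_bytes(IMAGE, SECTIONS, ".comment") yields the same GCC version string the snippet above decodes by hand.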

And that's everything! All sections and symbols are accounted for. Nothing is magic (and I mean magic in a good I-would-ace-this-test way, not a sorry-Jimmy-Santa-isn't-real way). Whew.

Looking at and really understanding the core parts of an ELF executable means that we can add complexity now without cheating our way around parts we don't understand. To that end, stay tuned for Part 3, where we'll stuff this program with a veritable variable smörgåsbord and see where everything ends up in the program's memory.

~jesstess