ELF101 a Linux executable walkthrough
- 1. ELF 101
Executable and Linkable Format
a Linux executable walkthrough
Ange Albertini
corkami.com
static
Hexadecimal dump
ASCII dump
1
Dissected file
mxvixvRxvzx/px/px/px//x//x//x//x//x//x//x//x//xxfu'ffffffffffff
/_x//x/yx//x/px//x//x//xz/x//x//x/gxv/x//x//x//xxffffffff`fffSfff
R/x//x//x//x//x//x//x//xyvx//x_/x//x/px//x_gx//xxÍfffffffvfffffºf
/vx//x/yx//xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxffff
mxvixvRxvzx/px/px/px//x//x//x//x//x//x//x//x//xx u'ffffffffffff
/_x//x/yx//x/px//x//x//xz/x//x//x/gxv/x//x//x//xxffffffff`fffSfff
R/x//x//x//x//x//x//x//xyvx//x_/x//x/px//x_gx//xxÀfffffffvfffffºf
identify as an ELF type
specify the architecture
/vx//x/yx//x//x//x//x//x//x//x//x//x//x//x//x//xxffffffffffffffff
ELF header
~$uname -p
i686
~$./simple.elf
Hello World!
///,
mxvixvRxvzx/px/px/px//x//x//x//x//x//x//x//x//xx u'ffffffffffff
/_x//x/yx//x/px//x//x//xz/x//x//x/gxv/x//x//x//xxffffffff`fffSfff
R/x//x//x//x//x//x//x//xyvx//x_/x//x/px//x_gx//xxÀfffffffvfffffºf
/vx//x/yx//x//x//x//x//x//x//x//x//x//x//x//x//xxffffffffffffffff
Program Header table
/px//x//x//x//x//x//x//x//x//x//x/gx//x//x//x/gxxffffffffffffffff
T/x//x//x//xT/x//x//x//x/ix//x//x//x//x//x//x//xxffffffffffffffff
Execution information
Header
U
Offset: 0x40, Address: 0x8000040
/px//x//x//x//x//x//x//x//x//x//x/gx//x//x//x/gxxxffffffffffffffff
T/x//x//x//xT/x//x//x//x/ix//x//x//ffffxxxxxxxxxxxxxxffffffff
1/2
mxvixvRxvzx/px/px/px//x//x//x//x//x//x//x//x//xx u'ffffffffffff
/_x//x/yx//x/px//x//x//xz/x//x//x/gxv/x//x//x//xxffffffff`fffSfff
R/x//x//x//x//x//x//x//xyvx//x_/x//x/px//x_gx//xxÀfffffffvfffffºf
/vx//x/yx//x//x//x//x//x//x//x//x//x//x//x//x//xxffffffffffffffff
technical details for
identification and execution
/px//x//x//x//x//x//x//x//x//x//x/gx//x//x//x/gxxffffffffffffffff
T/x//x//x//xT/x//x//x//x/ix//x//x//x//x//x//x//xxffffffffffffffff
/v/,
/px//x//x//x//x//x//x//x//x//x//x/gx//x//x//x/gxxffffffffffffffff
i/x//x//x//xi/x//x//x//x/ix//x//x//x//x//x//x//xxffffffffffffffff
/z/,
Vcxc/x//x//x/gxVTx/Nx//x//x//xVVx/px//x//x//xVgxx¹fxfffºffff»ffff¸
/vx//x//x//xRNxg/xVVx/px//x//x//xVgx/px//x//x//xxffffÍ€»ffff¸ffff
RNxg/x//x//x//x//x//x//x//x//x//x//x//x//x//x//xx̀ffffffffffffff
simple.elf
/c/,
vgxzixzRxzRxzx_/ximxzxm_xzRxzvx_px/Tx//x//x//xxXellofWorldoffff
/a/,
//x_uxmyxzgxmyxmvxm_xmvxzpxz_x//x_uxmvxzixmgxmvxxffshstrtabfftext
//x_uxm_xzxzvxzpxmvxzpx//x//x//x//x//x//x//x//xxffrodataffffffff
SH7AwBy9:U,*9-:b-:b:X*bwNfd,*bTNXXa,-*TebcadcNb
download @ elf101.corkami.com
/T/,
//x//x//x//x//x//x//x//x//x//x//x//x//x//x//x//xxffffffffffffffff
//x//x//x//x//x//x//x//x//x//x//x//x//x//x//x//xxffffffffffffffff
//x//x//x//x//x//x//x//x/Vx//x//x//x/px//x//x//xxffffffffffffffff
/zx//x//x//xz/x//x//x/gxz/x//x//x//x__x//x//x//xxffff`fff`fffdfff
//x//x//x//x//x//x//x//x//x//x//x//x//x//x//x//xxffffffffffffffff
ppx//x//x//x/px//x//x//x/_x//x//x//xc/x//x//x/gxxffffffffffffxfff
c/x//x//x//x/Nx//x//x//x//x//x//x//x//x//x//x//xxxfffffffffffffff
//x//x//x//x//x//x//x//x/px//x//x//x/yx//x//x//xxffffffffffffffff
//x//x//x//x//x//x//x//xT/x//x//x//xpcx//x//x//xxffffffffxfffffff
//x//x//x//x//x//x//x//x//x//x//x//x//x//x//x//xxffffffffffffffff
sections
Vcxc/x//x//x/gxVTx/Nx//x//x//xVVx/px//x//x//xVgxx¹fxfffºffff»ffff¸
/vx//x//x//xRNxg/xVVx/px//x//x//xVgx/px//x//x//xxffffÍ€»ffff¸ffff
RNxg/x//x//x//x//x//x//x//x//x//x//x//x//x//x//xx̀ffffffffffffff
Vcxc/x//x//x/gxVTx/Nx//x//x//xVVx/px//x//x//xVgxx¹fxfffºffff»ffff¸
/vx//x//x//xRNxg/xVVx/px//x//x//xVgx/px//x//x//xxffffÍ€»ffff¸ffff
executable information
RNxg/x//x//x//x//x//x//x//x//x//x//x//x//x//x//xx̀ffffffffffffff
Code
vgxzixzRxzRxzx_/ximxzxm_xzRxzvx_px/Tx//x//x//xxXellofWorldoffff
contents of the executable
//x_uxmyxzgxmyxmvxm_xmvxzpxz_x//x_uxmvxzixmgxmvxxffshstrtabfftext
//x_uxm_xzxzvxzpxmvxzpx//x//x//x//x//x//x//x//xxffrodataffffffff
N
Offset: 0x60, Address: 0x8000060
p
Data
vgxzixzRxzRxzx_/ximxzxm_xzRxzvx_px/Tx//x//x//xxXellofWorldoffff
information used by the code
Values
Explanation
0x7F, "ELF"
1, 1
1
2
3
1
0x8000060
0x40
0xC0
0x34
0x20
1
0x28
4
3
constant signature
32 bits, Little-Endian
Always 1
Executable
Intel 386 (and later)
Always 1
Address where execution starts
Program Headers' offset
Section Headers' offset
Elf header's size
Size of a single Program Header
Count of Program Headers
Size of a single Section Header
Count of Section Headers
Index of the names' section in the table
p_type
p_offset
p_vaddr
p_paddr
p_filesz
p_memsz
p_flags
1
0
0x8000000
0x8000000
0xA0
0xA0
5
ELFCLASS32
ELFDATA2LSB
EV_CURRENT
ET_EXEC
EM_386
EV_CURRENT
N
The segment should be loaded in memory
Offset where it should be read
Virtual address where it should be loaded
Physical address where it should be loaded
Size on file
Size in memory
Readable and eXecutable
PT_LOAD
PF_R|PF_X
Equivalent C code
x86 assembly
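; write the message to standard output (32-bit x86 Linux, Intel syntax).
; Register roles: eax = syscall number, ebx = file descriptor,
;                 ecx = buffer address, edx = byte count.
        mov     ecx, 0x8000090          ; ecx = msg: address of the string (.rodata, file offset 0x90)
        mov     edx, 0xD                ; edx = MSG_LEN: number of bytes to write
        mov     ebx, 1                  ; ebx = STDOUT
        mov     eax, 4                  ; eax = SC_WRITE: the syscall number goes in EAX
        int     0x80                    ; system call: enter the kernel via interrupt 0x80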
msg
MSG_LEN
STDOUT
_
v
Vcxc/x//x//x/gxVTx/Nx//x//x//xVVx/px//x//x//xVgxxffffffffffffffff
/vx//x//x//xRNxg/xVVx/px//x//x//xVgx/px//x//x//xxffffffffffffffff
i
Fields
e_ident
  EI_MAG
  EI_CLASS, EI_DATA
  EI_VERSION
e_type
e_machine
e_version
e_entry
e_phoff
e_shoff
e_ehsize
e_phentsize
e_phnum
e_shentsize
e_shnum
e_shstrndx
y
z
m
SC_WRITE
system call
write("Hello World!\n", STDOUT, len("Hello World!\n"));
g
RNxg/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxff
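; terminate the process (32-bit x86 Linux, Intel syntax).
; Register roles: eax = syscall number, ebx = return code.
        mov     ebx, 1                  ; ebx = return code handed back to the caller of the program
        mov     eax, 1                  ; eax = SC_EXIT: the syscall number goes in EAX
        int     0x80                    ; system call: enter the kernel via interrupt 0x80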
return code
SC_EXIT
system call
//x//x//x//x//x//x//x//x//x//x//x//x//x//x//x//xxffffffffffffffff
//x//x//x//x//x//x//x//x//x//x//x//x//x//x//x//xxffffffffffffffff
//x//x//x//x//x//x//x//x/Vx//x//x//x/px//x//x//xxffffffffffffffff
/zx//x//x//xz/x//x//x/gxz/x//x//x//x__x//x//x//xxffff`fff`fffdfff
//x//x//x//x//x//x//x//x//x//x//x//x//x//x//x//xxffffffffffffffff
ppx//x//x//x/px//x//x//x/_x//x//x//xc/x//x//x/gxxffffffffffffxfff
c/x//x//x//x/Nx//x//x//x//x//x//x//x//x//x//x//xxxfffffffffffffff
//x//x//x//x//x//x//x//x/px//x//x//x/yx//x//x//xxffffffffffffffff
//x//x//x//x//x//x//x//xT/x//x//x//xpcx//x//x//xxffffffffxfffffff
//x//x//x//x//x//x//x//x//x//x//x//x//x//x//x//xxffffffffffffffff
//x_uxmyxzgxmyxmvxm_xmvxzpxz_x//x_uxmvxzixmgxmvxxffshstrtabfftext
//x_uxm_xzxzvxzpxmvxzpx//x//x//x//x//x//x//x//xxffrodataffffffff
Sections' names
Strings
Offset: 0x90, Address: 0x8000090
header
2/2
vgxzixzRxzRxzx_/ximxzxm_xzRxzvx_px/Tx//xxxxxxxxXellofWorldoff
technical details for linking
(ignored for execution)
"Hello World!\n", 0
Section names
Offset: 0xA0
//x//x//x//x//x//x//x//x//x//x//x//x//x//x//x//xxffffffffffffffff
//x//x//x//x//x//x//x//x//x//x//x//x//x//x//x//xxffffffffffffffff
//x//x//x//x//x//x//x//x/Vx//x//x//x/px//x//x//xxffffffffffffffff
/zx//x//x//xz/x//x//x/gxz/x//x//x//x__x//x//x//xxffff`fff`fffdfff
//x//x//x//x//x//x//x//x//x//x//x//x//x//x//x//xxffffffffffffffff
ppx//x//x//x/px//x//x//x/_x//x//x//xc/x//x//x/gxxffffffffffffffff
Linking (connecting program objects) information
c/x//x//x//x/Nx//x//x//x//x//x//x//x//x//x//x//xxffffffffffffffff
//x//x//x//x//x//x//x//x/px//x//x//x/yx//x//x//xxffffffffffffffff
//x//x//x//x//x//x//x//xT/x//x//x//xpcx//x//x//xxffffffffffffffff
//x//x//x//x//x//x//x//x//x//x//x//x//x//x//x//xxffffffffffffffff
Section Header table
//x_uxmyxzgxmyxmvxm_xmvxzpxz_x//x_uxmvxzixmgxmvxxffshstrtabfftext
//x_uxm_xzxzvxzpxmvxzpx//xxxxxxxxxxxxxxxxxxxxxxxffrodataf
exit(1);
ddxxfshrtrtabxxftextxxxxfrodata
Offset: 0xC0
//x//x//x//x//x//x//x//x//x//x//x//x//x//x//x//xxffffffffffffffff
//x//x//x//x//x//x//x//x//x//x//x//x//x//x//x//xxffffffffffffffff
//x//x//x//x//x//x//x//x/Vx//x//x//x/px//x//x//xxffffffffffffffff
/zx//x//x//xz/x//x//x/gxz/x//x//x//x__x//x//x//xxffff`fff`fffdfff
//x//x//x//x//x//x//x//x//x//x//x//x//x//x//x//xxffffffffffffffff
ppx//x//x//x/px//x//x//x/_x//x//x//xc/x//x//x/gxxffffffffffffffff
c/x//x//x//x/Nx//x//x//x//x//x//x//x//x//x//x//xxffffffffffffffff
//x//x//x//x//x//x//x//x/px//x//x//x/yx//x//x//xxffffffffffffffff
//x//x//x//x//x//x//x//xT/x//x//x//xpcx//x//x//xxffffffffffffffff
//x//x//x//x//x//x//x//x//x//x//x//x//x//x//x//xxffffffffffffffff
Section Header table
sh_name
sh_type
the ELF header is parsed
the Program Header is parsed
sh_addr
sh_offset
sh_size
SHT_NULL (inactive)
SHT_PROGBITS (program)
SHF_ALLOC (allocated)
SHF_EXECINSTR (executable)
SHT_PROGBITS (program)
SHF_ALLOC (allocated)
SHT_STRTAB (string table)
relative offsets
in names' section
This is the whole file, however, most ELF files contain many more elements.
Explanations are simplified, for conciseness.
Loading process
1 Header
sh_flags
Index  Name       TYPE  FLAGS  ADDRESS    OFFSET  SIZE
0      <null>     0
1      .text      1     6      0x8000060  0x60    0x22
2      .rodata    1     2      0x8000090  0x90    0x0D
3      .shstrtab  3                       0xA0    0x19
2 Mapping
3 Execution
the file is mapped in memory
according to its segment(s)
Offset
Virtual Address
(Sections are not used)
0x00
0xA0
0x80000A0
p_vaddr
p_memsz
LOAD Segment
0x8000000
p_filesz
p_offset
Entry is called
Syscalls are accessed via:
 - Syscall number in the EAX register
 - calling Interrupt 0x80
kernel
services
Trivia
The ELF was first specified by U.S.L. (Unix System Laboratories)
for UNIX System V, in 1990.
The ELF is used, among others, in:
 - Linux, Android, *BSD, Solaris, BeOS
 - PSP, Playstation 2-4, Dreamcast, GameCube, Wii
 - various OSes made by Samsung, Ericsson, Nokia,
 - Microcontrollers from Atmel, Texas Instruments
version 1.0
2013/11/20