Integer within C binary: viewing it using readelf, objdump or similar

0

I have the following C source file, hello.c, compiled on Linux via g++ -o hello hello.c:

#include <stdio.h>
const char* p = "Hello world";
const long nn = 0xDEADBEEF;
int main() 
{ 
        printf("%s %ld", p, nn);
        return -1; 
}

(Yes I know I am using g++ for C but that is not the point of this question.)

I would like to use readelf or objdump to see where the constant integer 0xDEADBEEF is being stored within the binary, but I do not know the command switch to facilitate this. I can see my string clearly using these tools, but not the integer. I have tried various command options that I'm not going to list here as it is pointless and am piping the output through grep searching for BEEF.

What command line do I need please?

c
linux
objdump
readelf
asked on Stack Overflow Oct 27, 2019 by Wad • edited Oct 27, 2019 by Wad

1 Answer

2

In computing, endianness refers to the order of bytes (or sometimes bits) within a binary representation of a number.

In little endian representation the most significant bytes are stored last whereas least significant bytes are stored first. So in little endian, 0xDEADBEEF will be stored as 0xef 0xbe 0xad 0xde.

whereas,

In big endian the most significant bytes are stored first whereas least significant bytes are stored last. In big endian, 0xDEADBEEF will be stored as 0xde 0xad 0xbe 0xef.


Program instructions are stored in the .text section.
Global, static data are stored in the .data section of the executable.
Global, static constant data are stored in the .rodata (read-only data) section of the executable.
Local constant data are also stored in the .text section.

For

//#include <stdio.h>
const char* p = "Hello world";

int main() 
{ 
        const long nn = 0xDEADBEEF;
      //printf("%s %ld", p, nn);
        return -1; 
}

When compiled with

gcc hello.c -o hello -nostdlib -e main

(used -nostdlib to reduce the size of the executable)

The hello binary has the following contents:

Contents of section .interp:
 0238 2f6c6962 36342f6c 642d6c69 6e75782d  /lib64/ld-linux-
 0248 7838362d 36342e73 6f2e3200           x86-64.so.2.    
Contents of section .note.gnu.build-id:
 0254 04000000 14000000 03000000 474e5500  ............GNU.
 0264 45c5b659 336be965 5721226a 788a4906  E..Y3k.eW!"jx.I.
 0274 d7528479                             .R.y            
Contents of section .gnu.hash:
 0278 01000000 01000000 01000000 00000000  ................
 0288 00000000 00000000 00000000           ............    
Contents of section .dynsym:
 0298 00000000 00000000 00000000 00000000  ................
 02a8 00000000 00000000                    ........        
Contents of section .dynstr:
 02b0 00                                   .               
Contents of section .rela.dyn:
 02b8 00102000 00000000 08000000 00000000  .. .............
 02c8 e4020000 00000000                    ........        
Contents of section .text:
 02d0 554889e5 b8efbead de488945 f8b8ffff  UH.......H.E....
 02e0 ffff5dc3                             ..].            
Contents of section .rodata:
 02e4 48656c6c 6f20776f 726c6400           Hello world.    
Contents of section .eh_frame_hdr:
 02f0 011b033b 14000000 01000000 e0ffffff  ...;............
 0300 30000000                             0...            
Contents of section .eh_frame:
 0308 14000000 00000000 017a5200 01781001  .........zR..x..
 0318 1b0c0708 90010000 1c000000 1c000000  ................
 0328 a8ffffff 14000000 00410e10 8602430d  .........A....C.
 0338 064f0c07 08000000                    .O......        
Contents of section .dynamic:
 200ef0 f5feff6f 00000000 78020000 00000000  ...o....x.......
 200f00 05000000 00000000 b0020000 00000000  ................
 200f10 06000000 00000000 98020000 00000000  ................
 200f20 0a000000 00000000 01000000 00000000  ................
 200f30 0b000000 00000000 18000000 00000000  ................
 200f40 15000000 00000000 00000000 00000000  ................
 200f50 07000000 00000000 b8020000 00000000  ................
 200f60 08000000 00000000 18000000 00000000  ................
 200f70 09000000 00000000 18000000 00000000  ................
 200f80 1e000000 00000000 08000000 00000000  ................
 200f90 fbffff6f 00000000 01000008 00000000  ...o............
 200fa0 f9ffff6f 00000000 01000000 00000000  ...o............
 200fb0 00000000 00000000 00000000 00000000  ................
 200fc0 00000000 00000000 00000000 00000000  ................
 200fd0 00000000 00000000 00000000 00000000  ................
 200fe0 00000000 00000000 00000000 00000000  ................
 200ff0 00000000 00000000 00000000 00000000  ................
Contents of section .data:
 201000 e4020000 00000000                    ........        
Contents of section .comment:
 0000 4743433a 20285562 756e7475 20372e34  GCC: (Ubuntu 7.4
 0010 2e302d31 7562756e 7475317e 31382e30  .0-1ubuntu1~18.0
 0020 342e3129 20372e34 2e3000             4.1) 7.4.0.  

There you can see the deadbeef in little endian starting at offset 02d5 of the .text section.

Read more,
[1]Endianness: https://en.wikipedia.org/wiki/Endianness

answered on Stack Overflow Oct 27, 2019 by rsonx • edited Oct 28, 2019 by user4815162342
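The search described in the answer, as an added example that is not part of the original post: it parses text in the `objdump -s` layout shown above, rebuilds each section's bytes, and looks for the constant in both byte orders. `DUMP` is an excerpt (.text and .rodata rows) of the answer's dump; the function names are this example's own.

```python
import re

# Excerpt of the dump shown in the answer (.text and .rodata rows only).
DUMP = """\
Contents of section .text:
 02d0 554889e5 b8efbead de488945 f8b8ffff  UH.......H.E....
 02e0 ffff5dc3                             ..].
Contents of section .rodata:
 02e4 48656c6c 6f20776f 726c6400           Hello world.
"""

# A row is: address, then up to four space-separated groups of hex digits.
ROW = re.compile(r"^\s*([0-9a-fA-F]+)\s+((?:[0-9a-fA-F]{2,8} ){1,4})")

def parse_sections(dump):
    """Return {section: (start_address, bytes)} from `objdump -s` style text."""
    sections, name = {}, None
    for line in dump.splitlines():
        if line.startswith("Contents of section "):
            name = line[len("Contents of section "):].rstrip(":")
            continue
        m = ROW.match(line + " ")
        if name and m:
            data = bytes.fromhex(m.group(2).replace(" ", ""))
            start, buf = sections.get(name, (int(m.group(1), 16), b""))
            sections[name] = (start, buf + data)
    return sections

def find_constant(dump, value, width=4):
    """List (section, address, byte_order) for every occurrence of value."""
    # Keyed by needle so a palindromic value is not reported twice.
    needles = {value.to_bytes(width, o): o for o in ("big", "little")}
    hits = []
    for name, (start, buf) in parse_sections(dump).items():
        for needle, order in needles.items():
            pos = buf.find(needle)
            while pos != -1:
                hits.append((name, start + pos, order))
                pos = buf.find(needle, pos + 1)
    return hits

def text_grep(dump, text):
    """What a case-insensitive grep over the dump text would report."""
    return any(text.lower() in line.lower() for line in dump.splitlines())

if __name__ == "__main__":
    for name, addr, order in find_constant(DUMP, 0xDEADBEEF):
        print(f"{name} @ {addr:#06x} ({order} endian)")
    print("grep BEEF:", text_grep(DUMP, "BEEF"))
    print("grep efbeadde:", text_grep(DUMP, "efbeadde"))
```

Both text greps fail on this dump: the bytes are in reversed order, and the four bytes straddle two of the dump's 4-byte column groups (`b8efbead de488945`), so matching on reconstructed bytes is the reliable approach.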

User contributions licensed under CC BY-SA 3.0