Machine code of file (executable)?

How can I access the machine code (binaries) of an executable file?

Details

  • I'm on Ubuntu (Linux)
  • I want to access the machine code (binaries) of .exe files (the files follow the PE format)
  • I am using C for implementation
Arulx Z asked Dec 18 '22 22:12


1 Answer

Use objdump with the option -d to disassemble. Another useful option is -s to get a dump of the file. If for some reason -d does not work, you can also try -D, which forces objdump to disassemble the file even if it doesn't look like it contains machine code. Consult the manpage of objdump for more details. For example, to disassemble and dump a PE executable foo.exe, type:

objdump -sd foo.exe

The output comprises two parts. The first part looks like this:

Contents of section .text:
 401000 33c03905 28944200 0f9fc0c3 558bec51  3.9.(.B.....U..Q
 401010 568bf16a 01684410 4000c706 30024200  V..j.hD.@...0.B.
 401020 ff15b000 420085c0 75158d45 fc68c00e  ....B...u..E.h..
 401030 420050c7 45fc9070 4200e8cd bc01008b  B.P.E..pB.......
 401040 c65ec9c3 837c2404 0575056a 0158eb12  .^...|$..u.j.X..
 401050 ff052894 420033c0 833d2894 4200020f  ..(.B.3..=(.B...
 401060 9cc0c204 00568bf1 e8140000 00f64424  .....V........D$
 401070 08017407 56e88b6f 0000598b c65ec204  ..t.V..o..Y..^..
 401080 00558bec 516a0068 44104000 c7013002  .U..Qj.hD.@...0.
 401090 4200ff15 b0004200 85c07515 8d45fc68  B.....B...u..E.h
 4010a0 c00e4200 50c745fc 90704200 e85bbc01  ..B.P.E..pB..[..
 4010b0 00c9c3e8 48ffffff f6d81bc0 25044000  ....H.......%.@.
 4010c0 80c20c00 e837ffff fff6d81b c0250440  .....7.......%.@
 4010d0 0080c208 00558bec 568b7508 68c58240  .....U..V.u.h..@
 4010e0 00682072 4200ff75 0c8b4e40 68187242  .h rB..u..N@h.rB
 4010f0 00e8d771 00008bc8 e8e87100 008bc8e8  ...q......q.....

This is a dump of the binary's individual sections. The first column is the address of this row, the next four columns show the dumped data in hexadecimal notation and the last column shows the data as ASCII characters with . substituted for unprintable characters.

The second part looks like this:

00401000 <.text>:
  401000:   33 c0                   xor    %eax,%eax
  401002:   39 05 28 94 42 00       cmp    %eax,0x429428
  401008:   0f 9f c0                setg   %al
  40100b:   c3                      ret    
  40100c:   55                      push   %ebp
  40100d:   8b ec                   mov    %esp,%ebp
  40100f:   51                      push   %ecx
  401010:   56                      push   %esi
  401011:   8b f1                   mov    %ecx,%esi
  401013:   6a 01                   push   $0x1
  401015:   68 44 10 40 00          push   $0x401044
  40101a:   c7 06 30 02 42 00       movl   $0x420230,(%esi)
  401020:   ff 15 b0 00 42 00       call   *0x4200b0

This is the disassembly of the binary. The first column contains the current address, then you see the instruction in hexadecimal notation and finally the corresponding mnemonic. Notice that this part only exists for sections that are marked as “contains executable code” in the header (in the case of PE files, this applies only to the text section). If you don't like this assembly syntax (AT&T syntax), supply -Mintel to receive output in Intel syntax:

00401000 <.text>:
  401000:   33 c0                   xor    eax,eax
  401002:   39 05 28 94 42 00       cmp    DWORD PTR ds:0x429428,eax
  401008:   0f 9f c0                setg   al
  40100b:   c3                      ret    
  40100c:   55                      push   ebp
  40100d:   8b ec                   mov    ebp,esp
  40100f:   51                      push   ecx
  401010:   56                      push   esi
  401011:   8b f1                   mov    esi,ecx
  401013:   6a 01                   push   0x1
  401015:   68 44 10 40 00          push   0x401044
  40101a:   c7 06 30 02 42 00       mov    DWORD PTR [esi],0x420230
  401020:   ff 15 b0 00 42 00       call   DWORD PTR ds:0x4200b0

Another useful tool is Agner Fog's objconv which has options more useful for Windows binaries and generally provides more detailed disassembly compared to objdump.

fuz answered Dec 21 '22 12:12
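The question asks for the bytes from C rather than from objdump. The following is an added example, not part of the answer above and not objdump's code: a small C program that walks the PE headers (DOS header, PE signature, COFF header, optional header, section table) with every offset bounds-checked, keeps only the sections whose header carries the "contains executable code" flag (the same filter the answer describes for objdump -d) and prints them in the layout of the "Contents of section" dump shown above. So that it runs offline it builds a constructed PE32 skeleton in memory whose .text holds the first 32 bytes of the dump in the answer at the same address 0x401000; the section layout, the .rdata filler section and the function names are this example's own choices. For a file on disk, fread() the whole file into a buffer and hand that buffer and its length to pe_find_code_sections instead of the constructed image.

```c
/* Added example (not from the answer above): locate the code sections of a PE image from C
 * and hex-dump them in the "objdump -s" layout, using a constructed in-memory image. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IMAGE_SCN_CNT_CODE 0x00000020u   /* section flag "contains executable code" */
/* name, raw file offset/size, ImageBase + VirtualAddress, pointer into the image buffer */
struct pe_code_section { char name[9]; uint32_t file_offset, size; uint64_t virtual_address; const uint8_t *data; };
/* PE fields are little-endian and unaligned, so read and write them bytewise. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* DOS header -> "PE\0\0" -> COFF header -> optional header -> section table, checking every offset
 * against len. Returns the number of sections flagged as code (up to max_out filled in), -1 if malformed. */
int pe_find_code_sections(const uint8_t *buf, size_t len, struct pe_code_section *out, size_t max_out)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t pe_off = rd32(buf + 0x3c);                           /* e_lfanew */
    if (pe_off > len || len - pe_off < 24) return -1;             /* signature + COFF header */
    if (memcmp(buf + pe_off, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = buf + pe_off + 4;
    uint16_t nsec = rd16(coff + 2), opt_size = rd16(coff + 16);
    size_t opt_off = pe_off + 24;
    if (opt_size < 32 || opt_size > len - opt_off) return -1;
    const uint8_t *opt = buf + opt_off;
    uint64_t image_base;
    if (rd16(opt) == 0x10b) image_base = rd32(opt + 28);          /* PE32 */
    else if (rd16(opt) == 0x20b) image_base = rd64(opt + 24);     /* PE32+ */
    else return -1;
    size_t sec_off = opt_off + opt_size;
    if ((size_t)nsec * 40 > len - sec_off) return -1;
    int found = 0;
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *sh = buf + sec_off + (size_t)i * 40;
        if (!(rd32(sh + 36) & IMAGE_SCN_CNT_CODE)) continue;      /* data section: skipped */
        uint32_t raw_size = rd32(sh + 16), raw_ptr = rd32(sh + 20);
        if (raw_ptr > len || raw_size > len - raw_ptr) return -1;  /* section lies past EOF */
        if ((size_t)found < max_out) {
            struct pe_code_section *s = &out[found];
            memcpy(s->name, sh, 8); s->name[8] = '\0';
            s->file_offset = raw_ptr; s->size = raw_size; s->data = buf + raw_ptr;
            s->virtual_address = image_base + rd32(sh + 12);
        }
        found++;
    }
    return found;
}

/* One "objdump -s" row: address, four 4-byte groups, ASCII with '.' for unprintables. */
int format_dump_line(char *out, size_t cap, uint64_t addr, const uint8_t *p, size_t n)
{
    if (n == 0 || n > 16 || cap < 80) return -1;
    size_t pos = (size_t)snprintf(out, cap, " %06" PRIx64 " ", addr);
    for (size_t i = 0; i < 16; i++) {
        if (i < n) pos += (size_t)snprintf(out + pos, cap - pos, "%02x", p[i]);
        else pos += (size_t)snprintf(out + pos, cap - pos, "  ");
        if (i % 4 == 3) out[pos++] = ' ';
    }
    out[pos++] = ' ';
    for (size_t i = 0; i < n; i++) out[pos++] = (p[i] >= 0x20 && p[i] < 0x7f) ? (char)p[i] : '.';
    out[pos] = '\0';
    return (int)pos;
}

/* Constructed PE32 skeleton: a data-only .rdata plus a .text holding the first 32 bytes of the
 * dump in the answer (33 c0 39 05 ...), mapped at the same address 0x401000. */
size_t build_sample_pe(uint8_t *img, size_t cap)
{
    static const uint8_t text[32] = {
        0x33,0xc0,0x39,0x05,0x28,0x94,0x42,0x00, 0x0f,0x9f,0xc0,0xc3,0x55,0x8b,0xec,0x51,
        0x56,0x8b,0xf1,0x6a,0x01,0x68,0x44,0x10, 0x40,0x00,0xc7,0x06,0x30,0x02,0x42,0x00 };
    if (cap < 0x420) return 0;
    memset(img, 0, 0x420);
    img[0] = 'M'; img[1] = 'Z'; wr32(img + 0x3c, 0x40); memcpy(img + 0x40, "PE\0\0", 4);
    wr16(img + 0x44, 0x14c); wr16(img + 0x46, 2); wr16(img + 0x54, 96); /* i386, 2 sections, opt. hdr size */
    wr16(img + 0x58, 0x10b); wr32(img + 0x58 + 28, 0x00400000);        /* PE32 magic, ImageBase */
    uint8_t *sh = img + 0x58 + 96;                                     /* section table */
    memcpy(sh, ".rdata", 6); wr32(sh + 12, 0x2000); wr32(sh + 16, 16); wr32(sh + 20, 0x200);
    wr32(sh + 36, 0x40000040);                                         /* INITIALIZED_DATA | MEM_READ */
    sh += 40; memcpy(sh, ".text", 5); wr32(sh + 12, 0x1000); wr32(sh + 16, 32); wr32(sh + 20, 0x400);
    wr32(sh + 36, 0x60000020);                                         /* CNT_CODE | MEM_EXECUTE | MEM_READ */
    memcpy(img + 0x400, text, 32);
    return 0x420;
}

int main(void)
{
    static uint8_t img[0x420];
    struct pe_code_section secs[4]; char line[80];
    int n = pe_find_code_sections(img, build_sample_pe(img, sizeof img), secs, 4);
    for (int i = 0; i < n && i < 4; i++) {
        printf("Contents of section %s:\n", secs[i].name);
        for (uint32_t off = 0; off < secs[i].size; off += 16) {
            format_dump_line(line, sizeof line, secs[i].virtual_address + off, secs[i].data + off,
                             secs[i].size - off < 16 ? secs[i].size - off : 16);
            puts(line);
        }
    }
    return n < 0;
}
```

Compiled and run without arguments it prints the first two rows of the .text dump exactly as they appear in the answer. Because every header offset is checked against the buffer length, a truncated or corrupt file makes pe_find_code_sections return -1 instead of reading past the buffer, which matters when the input is an untrusted binary.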