How can I access the machine code (binaries) of an executable file?
Use objdump with the option -d to disassemble. Another useful option is -s to get a dump of the file. If for some reason -d does not work, you can also try -D; this forces objdump to disassemble the file even if it doesn't look like it contains machine code. Consult the manpage of objdump for more details. For example, to disassemble and dump a PE executable foo.exe, type:

objdump -sd foo.exe
The output comprises two parts. The first part looks like this:
Contents of section .text:
401000 33c03905 28944200 0f9fc0c3 558bec51 3.9.(.B.....U..Q
401010 568bf16a 01684410 4000c706 30024200 V..j.hD.@...0.B.
401020 ff15b000 420085c0 75158d45 fc68c00e ....B...u..E.h..
401030 420050c7 45fc9070 4200e8cd bc01008b B.P.E..pB.......
401040 c65ec9c3 837c2404 0575056a 0158eb12 .^...|$..u.j.X..
401050 ff052894 420033c0 833d2894 4200020f ..(.B.3..=(.B...
401060 9cc0c204 00568bf1 e8140000 00f64424 .....V........D$
401070 08017407 56e88b6f 0000598b c65ec204 ..t.V..o..Y..^..
401080 00558bec 516a0068 44104000 c7013002 .U..Qj.hD.@...0.
401090 4200ff15 b0004200 85c07515 8d45fc68 B.....B...u..E.h
4010a0 c00e4200 50c745fc 90704200 e85bbc01 ..B.P.E..pB..[..
4010b0 00c9c3e8 48ffffff f6d81bc0 25044000 ....H.......%.@.
4010c0 80c20c00 e837ffff fff6d81b c0250440 .....7.......%.@
4010d0 0080c208 00558bec 568b7508 68c58240 .....U..V.u.h..@
4010e0 00682072 4200ff75 0c8b4e40 68187242 .h rB..u..N@h.rB
4010f0 00e8d771 00008bc8 e8e87100 008bc8e8 ...q......q.....
This is a dump of the binary's individual sections. The first column is the address of this row, the next four columns show the dumped data in hexadecimal notation, and the last column shows the data as ASCII characters with . substituted for unprintable characters.
The second part looks like this:
00401000 <.text>:
401000: 33 c0 xor %eax,%eax
401002: 39 05 28 94 42 00 cmp %eax,0x429428
401008: 0f 9f c0 setg %al
40100b: c3 ret
40100c: 55 push %ebp
40100d: 8b ec mov %esp,%ebp
40100f: 51 push %ecx
401010: 56 push %esi
401011: 8b f1 mov %ecx,%esi
401013: 6a 01 push $0x1
401015: 68 44 10 40 00 push $0x401044
40101a: c7 06 30 02 42 00 movl $0x420230,(%esi)
401020: ff 15 b0 00 42 00 call *0x4200b0
This is the disassembly of the binary. The first column contains the current address, then you see the instruction in hexadecimal notation, and finally the corresponding mnemonic. Notice that this part only exists for sections that are marked as “contains executable code” in the header (in the case of PE files, this applies only to the text section). If you don't like this assembly syntax (AT&T syntax), supply -Mintel to receive output in Intel syntax:
00401000 <.text>:
401000: 33 c0 xor eax,eax
401002: 39 05 28 94 42 00 cmp DWORD PTR ds:0x429428,eax
401008: 0f 9f c0 setg al
40100b: c3 ret
40100c: 55 push ebp
40100d: 8b ec mov ebp,esp
40100f: 51 push ecx
401010: 56 push esi
401011: 8b f1 mov esi,ecx
401013: 6a 01 push 0x1
401015: 68 44 10 40 00 push 0x401044
40101a: c7 06 30 02 42 00 mov DWORD PTR [esi],0x420230
401020: ff 15 b0 00 42 00 call DWORD PTR ds:0x4200b0
Another useful tool is Agner Fog's objconv, which has options more useful for Windows binaries and generally provides more detailed disassembly compared to objdump.
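The question asks for the machine code itself, and the answer's objdump -s dump is a text rendering of exactly those bytes. The following parser, an added example that is not part of the answer above and not an objdump or objconv feature, turns objdump -s output back into raw section bytes keyed by virtual address, so the bytes can be saved, hashed, or fed to another disassembler. It decodes only the hex columns; the trailing ASCII column is lossy (every unprintable byte prints as a dot) and is ignored. The sample input is constructed for the example: the first three .text rows from the dump above plus an invented .rdata section whose short final row exercises the end-of-section case. The file name foo.exe and the "pei-i386" format line are assumptions about what the header of such a dump looks like.

```python
import re
from typing import Dict, Tuple

# Constructed sample input (not real objdump output captured from a binary):
# the first three .text rows shown on the page, plus an invented .rdata
# section whose final row has fewer than four hex groups.
SAMPLE_DUMP = """\
foo.exe:     file format pei-i386

Contents of section .text:
 401000 33c03905 28944200 0f9fc0c3 558bec51  3.9.(.B.....U..Q
 401010 568bf16a 01684410 4000c706 30024200  V..j.hD.@...0.B.
 401020 ff15b000 420085c0 75158d45 fc68c00e  ....B...u..E.h..
Contents of section .rdata:
 420000 48656c6c 6f2c2077 6f726c64 00000000  Hello, world....
 420010 deadbeef                             ....
"""

SECTION_RE = re.compile(r"^Contents of section (\S+):$")
ROW_RE = re.compile(r"^\s*([0-9a-fA-F]+)\s+(.*)$")
HEX_GROUP_RE = re.compile(r"^[0-9a-fA-F]{2,8}$")


def parse_objdump_s(text: str) -> Dict[str, Tuple[int, bytes]]:
    """Parse `objdump -s` output into {section_name: (base_address, raw_bytes)}.

    Only the hex columns are decoded. The ASCII column substitutes '.' for
    every unprintable byte and therefore cannot be used to recover data.
    """
    sections: Dict[str, Tuple[int, bytearray]] = {}
    current = None
    for line in text.splitlines():
        header = SECTION_RE.match(line.strip())
        if header:
            current = header.group(1)
            sections[current] = (-1, bytearray())
            continue
        if current is None:
            continue  # file-format banner and blank lines before the first section
        row = ROW_RE.match(line)
        if not row:
            continue
        addr = int(row.group(1), 16)
        groups = []
        # objdump prints at most four 4-byte groups per row, then the ASCII
        # column. Stop at the fourth group or at the first non-hex token so a
        # text column that happens to begin with hex-looking characters is not
        # mistaken for data (a short row whose ASCII column is entirely
        # hex-looking would still be ambiguous; objdump's output has no
        # delimiter that resolves that case).
        for tok in row.group(2).split():
            if len(groups) == 4 or not HEX_GROUP_RE.match(tok) or len(tok) % 2:
                break
            groups.append(tok)
        if not groups:
            continue
        base, buf = sections[current]
        if base < 0:
            base = addr
        # Rows of one section are contiguous; a gap means the input was
        # truncated or mangled, which is better reported than silently padded.
        if addr != base + len(buf):
            raise ValueError(f"non-contiguous row at {addr:#x} in {current}")
        buf += bytes.fromhex("".join(groups))
        sections[current] = (base, buf)
    return {name: (base, bytes(buf)) for name, (base, buf) in sections.items() if base >= 0}


def bytes_at(sections: Dict[str, Tuple[int, bytes]], addr: int, n: int) -> bytes:
    """Return n bytes starting at virtual address addr from whichever section holds it."""
    for base, data in sections.values():
        if base <= addr < base + len(data):
            off = addr - base
            return data[off:off + n]
    raise KeyError(f"address {addr:#x} is not inside any dumped section")


if __name__ == "__main__":
    dump = parse_objdump_s(SAMPLE_DUMP)
    for name, (base, data) in dump.items():
        print(f"{name}: {len(data)} bytes at {base:#x}, starts {data[:4].hex(' ')}")
    # The cmp at 0x401002 (39 05 28 94 42 00) carries the absolute operand
    # 0x429428 as a little-endian dword at 0x401004, matching the disassembly.
    print(hex(int.from_bytes(bytes_at(dump, 0x401004, 4), "little")))
```

Cross-checking the recovered bytes against the disassembly is a useful sanity test of a parser like this: the 4-byte operand at 0x401004 decodes to 0x429428 and the one at 0x401016 to 0x401044, the same values objdump shows for the cmp and push instructions, which confirms that the -s dump and the -d listing are two views of identical bytes.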