
Low-level code inspection

Executable File Inspection (Mach-O)

The goal is to develop a better mental model of program and memory layout.

A simple C program:

#include <stdio.h>
int main() {
  printf("hello, world");
  return 0;
}

Compile the program with clang main.c -o main.app,
and dump its contents with objdump main.app -Dhs

Description of options:

(Corresponds to output lines 25+)
-D, --disassemble-all
    Disassemble all sections found in the input files.

(Corresponds to output lines 3-9)
-h, --headers, --section-headers
    Display summaries of the headers for each section.

(Corresponds to output lines 11-23)
-s, --full-contents
    Display the contents of each section.

 1  main.app:	file format mach-o 64-bit x86-64
 2
 3  Sections:
 4  Idx Name          Size     VMA              Type
 5    0 __text        00000025 0000000100003f70 TEXT
 6    1 __stubs       00000006 0000000100003f96 TEXT
 7    2 __cstring     0000000d 0000000100003f9c DATA
 8    3 __unwind_info 00000048 0000000100003fac DATA
 9    4 __got         00000008 0000000100004000 DATA
10
11  Contents of section __TEXT,__text:
12   100003f70 554889e5 4883ec10 c745fc00 00000048  UH..H....E.....H
13   100003f80 8d3d1600 0000b000 e8090000 0031c048  .=...........1.H
14   100003f90 83c4105d c3                          ...].
15  Contents of section __TEXT,__stubs:
16   100003f96 ff256400 0000                        .%d...
17  Contents of section __TEXT,__cstring:
18   100003f9c 68656c6c 6f2c2077 6f726c64 00        hello, world.
19  Contents of section __TEXT,__unwind_info:
20   100003fac 01000000 1c000000 00000000 1c000000  ................
21   ...
22  Contents of section __DATA_CONST,__got:
23   100004000 00000000 00000080                    ........
24
25  Disassembly of section __TEXT,__text:
26
27  0000000100003f70 <_main>:
28  100003f70: 55                   pushq	%rbp
29  100003f71: 48 89 e5             movq	%rsp, %rbp
30  100003f74: 48 83 ec 10          subq	$16, %rsp
31  100003f78: c7 45 fc 00 00 00 00 movl	$0, -4(%rbp)
32  100003f7f: 48 8d 3d 16 00 00 00 leaq	22(%rip), %rdi  ## 0x100003f9c <_printf+0x100003f9c>
33  100003f86: b0 00                movb	$0, %al
34  100003f88: e8 09 00 00 00       callq	0x100003f96 <_printf+0x100003f96>
35  100003f8d: 31 c0                xorl	%eax, %eax
36  100003f8f: 48 83 c4 10          addq	$16, %rsp
37  100003f93: 5d                   popq	%rbp
38  100003f94: c3                   retq
39
40  Disassembly of section __TEXT,__stubs:
41
42  0000000100003f96 <__stubs>:
43  100003f96: ff 25 64 00 00 00    jmpq	*100(%rip)      ## 0x100004000 <_printf+0x100004000>
44
45  Disassembly of section __TEXT,__cstring:
46
47  0000000100003f9c <__cstring>:
48  100003f9c: 68 65 6c 6c 6f       pushq	$1869376613     ## imm = 0x6F6C6C65
49  100003fa1: 2c 20                subb	$32, %al
50  100003fa3: 77 6f                ja	0x100004014 <_printf+0x100004014>
51  100003fa5: 72 6c                jb	0x100004013 <_printf+0x100004013>
52  100003fa7: 64 00                <unknown>
53
54  Disassembly of section __TEXT,__unwind_info:
55
56  0000000100003fac <__unwind_info>:
57  100003fac: 01 00                addl	%eax, (%rax)
58  ...
59
60  Disassembly of section __DATA_CONST,__got:
61  0000000100004000 <__got>:
62  100004000: 00 00                addb	%al, (%rax)
63  ...

TEXT Segment

The TEXT segment is the part of the executable file (Mach-O format) that contains read-only data, such as string literals and constant data. One such string literal, “hello, world”, appears in the section contents for __TEXT,__cstring (line 18, address 100003f9c).

Next to the address is the hexadecimal data 68656c6c 6f2c2077 6f726c64 00.
This hex data corresponds to the ASCII character encoding of the string (00 is the null termination character).

ascii    | h  | e  | l  | l  | o  | ,  | _  | w  | o  | r  | l  | d  |
hex code | 68 | 65 | 6C | 6C | 6F | 2C | 20 | 77 | 6F | 72 | 6C | 64 |

cstring Section

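The cstring section is one of the major sections that make up the TEXT segment.
As the name implies, the section contains string constants. Notice the data stored in addresses 100003f9c-3fa7 (lines 47-52). Because -D disassembles every section, objdump decodes these string bytes as if they were instructions; the pushq, subb, ja and jb shown there are not real code.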

text Section

The text section, not to be confused with the TEXT segment, contains the code for the main function of the executable. It is within this section that the program begins and (ideally) ends/returns. During execution, the text section references other sections, such as the cstring section (line 32) and the stubs section (line 34).

stubs Section

The stubs section contains position-independent code (PIC) stubs. PIC stubs are small chunks of code generated by the compiler that serve to jump to a lazy symbol pointer, which is itself assigned a dylib reference during linking.
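
The cross-references described above (the leaq into the cstring section, the callq into the stubs section, and the stub's jump through the __got slot) can be recomputed from the raw section bytes. This is an added example, not part of the original page: the function names are hypothetical, the bytes and addresses are copied from the dump above (__unwind_info is omitted because the page elides its contents), and only the three instruction encodings that appear in this dump are handled.

```python
import struct
# Section VMAs and raw bytes, copied from the objdump output on this page.
SECTIONS = {
    "__text": (0x100003f70, bytes.fromhex(
        "554889e54883ec10c745fc0000000048"
        "8d3d16000000b000e80900000031c048"
        "83c4105dc3")),
    "__stubs": (0x100003f96, bytes.fromhex("ff2564000000")),
    "__cstring": (0x100003f9c, bytes.fromhex("68656c6c6f2c20776f726c6400")),
    "__got": (0x100004000, bytes.fromhex("0000000000000080")),
}
# Each encoding ends in a signed disp32 measured from the NEXT instruction.
RIP_RELATIVE = {
    b"\x48\x8d\x3d": "leaq",  # leaq disp32(%rip), %rdi
    b"\xe8": "callq",         # callq rel32
    b"\xff\x25": "jmpq",      # jmpq *disp32(%rip)
}

def section_of(addr):
    """Return (name, offset, data) for the section that contains addr."""
    for name, (vma, data) in SECTIONS.items():
        if vma <= addr < vma + len(data):
            return name, addr - vma, data
    raise ValueError(f"{addr:#x} is not inside a known section")

def resolve(addr):
    """Decode the RIP-relative instruction at addr -> (mnemonic, target)."""
    _, off, data = section_of(addr)
    for opcode, mnemonic in RIP_RELATIVE.items():
        end = off + len(opcode) + 4
        if data[off:off + len(opcode)] == opcode and end <= len(data):
            (disp,) = struct.unpack("<i", data[end - 4:end])
            return mnemonic, addr + len(opcode) + 4 + disp
    raise ValueError(f"no known RIP-relative instruction at {addr:#x}")

def follow_main():
    """Follow both references out of _main, then the stub's indirect jump."""
    _, str_addr = resolve(0x100003f7f)   # leaq in _main (output line 32)
    _, stub_addr = resolve(0x100003f88)  # callq in _main (output line 34)
    _, slot_addr = resolve(stub_addr)    # jmpq in __stubs (output line 43)
    name, off, data = section_of(str_addr)
    text = data[off:data.index(b"\x00", off)].decode("ascii")
    return {"string": (name, text),
            "call": (section_of(stub_addr)[0], hex(stub_addr)),
            "slot": (section_of(slot_addr)[0], hex(slot_addr))}

if __name__ == "__main__":
    for label, where in follow_main().items():
        print(label, *where)
```

The computed targets match the addresses objdump prints in its ## comments: 0x100003f9c for the string, 0x100003f96 for the stub, and 0x100004000 for the pointer slot.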