{"id":204,"date":"2022-09-28T08:56:13","date_gmt":"2022-09-28T11:56:13","guid":{"rendered":"https:\/\/gpads.recife.ifpe.edu.br\/alsm\/csin\/?p=204"},"modified":"2022-09-28T08:57:56","modified_gmt":"2022-09-28T11:57:56","slug":"como-utilizar-o-objdump-como-ferramenta-de-analise","status":"publish","type":"post","link":"https:\/\/gpads.recife.ifpe.edu.br\/alsm\/csin\/index.php\/2022\/09\/28\/como-utilizar-o-objdump-como-ferramenta-de-analise\/","title":{"rendered":"How to use ObjDump as an analysis tool"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Having an analysis tool at hand while working with executable files is always very useful. On POSIX systems (Linux, WSL, Cygwin, etc.) ObjDump is one of those tools. It can be used to extract information from object files.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here we will see how to use this tool and get an overview of how it behaves together with assembly language.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>What is ObjDump?<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\" id=\"tw-target-text\">As mentioned at the beginning of the article, ObjDump is a very useful tool for extracting information from object files. It comes preinstalled with most Linux distributions. 
The help text it prints when run with no arguments is shown below:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code lang=\"bash\" class=\"language-bash\">$ objdump\nUsage: objdump <option(s)> <file(s)>\n Display information from object <file(s)>.\n At least one of the following switches must be given:\n  -a, --archive-headers    Display archive header information\n  -f, --file-headers       Display the contents of the overall file header\n  -p, --private-headers    Display object format specific file header contents\n  -P, --private=OPT,OPT... Display object format specific contents\n  -h, --[section-]headers  Display the contents of the section headers\n  -x, --all-headers        Display the contents of all headers\n  -d, --disassemble        Display assembler contents of executable sections\n  -D, --disassemble-all    Display assembler contents of all sections\n      --disassemble=<sym>  Display assembler contents from <sym>\n  -S, --source             Intermix source code with disassembly\n      --source-comment[=<txt>] Prefix lines of source code with <txt>\n  -s, --full-contents      Display the full contents of all sections requested\n  -g, --debugging          Display debug information in object file\n  -e, --debugging-tags     Display debug information using ctags style\n  -G, --stabs              Display (in raw form) any STABS info in the file\n  -W, --dwarf[a\/=abbrev, A\/=addr, r\/=aranges, c\/=cu_index, L\/=decodedline,\n              f\/=frames, F\/=frames-interp, g\/=gdb_index, i\/=info, o\/=loc,\n              m\/=macro, p\/=pubnames, t\/=pubtypes, R\/=Ranges, l\/=rawline,\n              s\/=str, O\/=str-offsets, u\/=trace_abbrev, T\/=trace_aranges,\n              U\/=trace_info]\n                           Display the contents of DWARF debug sections\n  -Wk,--dwarf=links        Display the contents of sections that link to\n                            separate debuginfo files\n  
-WK,--dwarf=follow-links\n                           Follow links to separate debug info files (default)\n  -WN,--dwarf=no-follow-links\n                           Do not follow links to separate debug info files\n  -L, --process-links      Display the contents of non-debug sections in\n                            separate debuginfo files.  (Implies -WK)\n      --ctf[=SECTION]      Display CTF info from SECTION, (default '.ctf')\n  -t, --syms               Display the contents of the symbol table(s)\n  -T, --dynamic-syms       Display the contents of the dynamic symbol table\n  -r, --reloc              Display the relocation entries in the file\n  -R, --dynamic-reloc      Display the dynamic relocation entries in the file\n  @<file>                  Read options from <file>\n  -v, --version            Display this program's version number\n  -i, --info               List object formats and architectures supported\n  -H, --help               Display this information<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>How to extract the assembly code<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">ObjDump can be used to extract assembly code from an already-built binary. Let's start by analysing the following program to better understand the approach that can be used. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In the example we will use a program that demonstrates concurrency using threads (concorrencia.c):<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code lang=\"cpp\" class=\"language-cpp\">#include <stdio.h>\n#include <stdlib.h>\n#include <pthread.h>\n\n\/* Shared counter, deliberately left unsynchronised to show the race between the threads *\/\nvolatile int contador = 0;\nint loops;\n\n\/* Each worker increments the shared counter 'loops' times *\/\nvoid *worker(void *arg) {\n    int i;\n    for (i = 0; i < loops; i++) {\n        contador++;\n    }\n    return NULL;\n}\n\nint main(int argc, char *argv[]) {\n    if (argc != 2) {\n        fprintf(stderr, \"uso: concorrencia <loops>\\n\");\n        exit(1);\n    }\n    loops = atoi(argv[1]);\n    pthread_t p1, p2;\n    printf(\"Valor inicial : %d\\n\", contador);\n    \/* Two threads run concurrently on the same counter *\/\n    pthread_create(&p1, NULL, worker, NULL);\n    pthread_create(&p2, NULL, worker, NULL);\n    pthread_join(p1, NULL);\n    pthread_join(p2, NULL);\n    printf(\"Valor final   : %d\\n\", contador);\n    return 0;\n}<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">To compile, type in a terminal:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code lang=\"bash\" class=\"language-bash\">gcc -o concorrencia.exe concorrencia.c -O2 -Wall -pthread -pg<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">To view the contents of a binary (all of its headers), we can use the -x option as shown below:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code lang=\"bash\" class=\"language-bash\">$ objdump.exe -x concorrencia.exe\n\nconcorrencia.exe:     file format pei-x86-64\nconcorrencia.exe\narchitecture: i386:x86-64, flags 0x0000013b:\nHAS_RELOC, EXEC_P, HAS_DEBUG, HAS_SYMS, HAS_LOCALS, D_PAGED\nstart address 0x0000000100401000\n\nCharacteristics 0x26\n        executable\n        line numbers stripped\n        large address aware\n\nTime\/Date               Tue Sep 20 08:11:12 2022\nMagic                   020b    (PE32+)\nMajorLinkerVersion      2\nMinorLinkerVersion      39\nSizeOfCode              
0000000000001800\nSizeOfInitializedData   0000000000003600\nSizeOfUninitializedData 0000000000000400\nAddressOfEntryPoint     0000000000001000\nBaseOfCode              0000000000001000\nImageBase               0000000100400000\nSectionAlignment        00001000\nFileAlignment           00000200\nMajorOSystemVersion     4\nMinorOSystemVersion     0\nMajorImageVersion       0\nMinorImageVersion       0\nMajorSubsystemVersion   5\nMinorSubsystemVersion   2\nWin32Version            00000000\nSizeOfImage             00023000\nSizeOfHeaders           00000600\nCheckSum                00021ce5\nSubsystem               00000003        (Windows CUI)\nDllCharacteristics      00008000\n                                        TERMINAL_SERVICE_AWARE\nSizeOfStackReserve      0000000000200000\nSizeOfStackCommit       0000000000001000\nSizeOfHeapReserve       0000000000100000\nSizeOfHeapCommit        0000000000001000\nLoaderFlags             00000000\nNumberOfRvaAndSizes     00000010\n\nThe Data Directory\nEntry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]\nEntry 1 0000000000009000 000006c0 Import Directory [parts of .idata]\nEntry 2 000000000000a000 000004e8 Resource Directory [.rsrc]\nEntry 3 0000000000006000 0000018c Exception Directory [.pdata]\nEntry 4 0000000000000000 00000000 Security Directory\nEntry 5 000000000000b000 0000000c Base Relocation Directory [.reloc]\nEntry 6 0000000000005000 0000001c Debug Directory\nEntry 7 0000000000000000 00000000 Description Directory\nEntry 8 0000000000000000 00000000 Special Directory\nEntry 9 0000000000000000 00000000 Thread Storage Directory [.tls]\nEntry a 0000000000000000 00000000 Load Configuration Directory\nEntry b 0000000000000000 00000000 Bound Import Directory\nEntry c 00000000000091bc 00000180 Import Address Table Directory\nEntry d 0000000000000000 00000000 Delay Import Directory\nEntry e 0000000000000000 00000000 CLR Runtime Header\nEntry f 0000000000000000 00000000 Reserved\n\nThere is an 
import table in .idata at 0x100409000\n\nThe Import Tables (interpreted .idata section contents)\n vma:            Hint    Time      Forward  DLL       First\n                 Table   Stamp     Chain    Name      Thunk\n 00009000       0000903c 00000000 00000000 0000966c 000091bc\n\n        DLL Name: cygwin1.dll\n        vma:  Hint\/Ord Member-Name Bound-To\n        933c        7  __assert_func\n        934c       15  __cxa_atexit\n        935c       22  __errno\n        9368       35  __getreent\n        9378       46  __main\n        9384      108  _dll_crt0\n        9390      115  _impure_ptr\n        93a0      236  atoi\n        93a8      258  calloc\n        93b4      323  close\n        93bc      380  cygwin_detach_dll\n        93d0      382  cygwin_internal\n        93e4      410  dll_dllcrt0\n        93f4      468  exit\n        93fc      586  free\n        9404      627  fwrite\n        9410      654  getenv\n        941c      688  getpid\n        9428      712  gettimeofday\n        9438      916  malloc\n        9444      933  memcpy\n        9450      938  memset\n        945c     1005  open\n        9464     1020  perror\n        9470     1028  posix_memalign\n        9484     1059  printf\n        9490     1065  pthread_atfork\n        94a4     1108  pthread_create\n        94b8     1120  pthread_join\n        94c8     1213  realloc\n        94d4     1444  strlen\n        94e0     1693  write\n\n 00009014       00009144 00000000 00000000 000096b0 000092c4\n\n        DLL Name: KERNEL32.dll\n        vma:  Hint\/Ord Member-Name Bound-To\n        94e8      141  CloseHandle\n        94f6      197  CreateEventA\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">As mentioned earlier, we use the program \u201c<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">concorrencia.exe<\/mark>\u201d as our target. 
The output above shows the information extracted from the headers. This includes the metadata of the ELF-type binary (with details such as file format, architecture, etc.), the program header, the sections available in the binary (.text, .rodata) and the executable's symbol table.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Displaying the contents of an executable section as assembler code<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The .text section holds the binary's executable code. It can be disassembled with the <strong>-d<\/strong> option as shown below:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code lang=\"bash\" class=\"language-bash\">$ objdump -d concorrencia.exe\n\nconcorrencia:     file format elf32-i386\n\nDisassembly of section .text:\n\n08049000 <_start>:\n8049000: ba 0e 00 00 00       mov    $0xe,%edx\n8049005: b9 00 a0 04 08       mov    $0x804a000,%ecx\n804900a: bb 01 00 00 00       mov    $0x1,%ebx\n804900f: b8 04 00 00 00       mov    $0x4,%eax\n8049014: cd 80                int    $0x80\n8049016: b8 01 00 00 00       mov    $0x1,%eax\n804901b: bb 00 00 00 00       mov    $0x0,%ebx\n8049020: cd 80                int    $0x80<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">As can be seen in the example above, the assembly code is printed in AT&T syntax, but the output can be switched to Intel x86 syntax with the <strong>-M<\/strong> option (-M intel).<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code lang=\"bash\" class=\"language-bash\">$ objdump -d concorrencia.exe -M intel\n\nconcorrencia:     file format elf32-i386\n\nDisassembly of section .text:\n\n08049000 <_start>:\n8049000: ba 0e 00 00 00       mov    edx,0xe\n8049005: b9 00 a0 04 08       mov    ecx,0x804a000\n804900a: bb 01 
00 00 00       mov    ebx,0x1\n804900f: b8 04 00 00 00       mov    eax,0x4\n8049014: cd 80                int    0x80\n8049016: b8 01 00 00 00       mov    eax,0x1\n804901b: bb 00 00 00 00       mov    ebx,0x0\n8049020: cd 80                int    0x80<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">As we can see, the output in Intel syntax is similar to AT&T. In the case described, Intel syntax is not the default output; depending on the environment you are using, however, it may be. It is therefore worth knowing how the registers are written in each syntax, or passing the -M option explicitly.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you need to disassemble all sections of the binary in Intel syntax, use the <strong>-D<\/strong> option as shown below.<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code lang=\"bash\" class=\"language-bash\">$ objdump -D concorrencia.exe -M intel\n\nconcorrencia:     file format elf32-i386\n\nDisassembly of section .text:\n\n08049000 <_start>:\n8049000: ba 0e 00 00 00       mov    edx,0xe\n8049005: b9 00 a0 04 08       mov    ecx,0x804a000\n804900a: bb 01 00 00 00       mov    ebx,0x1\n804900f: b8 04 00 00 00       mov    eax,0x4\n8049014: cd 80                int    0x80\n8049016: b8 01 00 00 00       mov    eax,0x1\n804901b: bb 00 00 00 00       mov    ebx,0x0\n8049020: cd 80                int    0x80\n\nDisassembly of section .rodata:\n\n0804a000 <msg>:\n804a000: 48                   dec    eax\n804a001: 65 6c                gs ins BYTE PTR es:[edi],dx\n804a003: 6c                   ins    BYTE PTR es:[edi],dx\n804a004: 6f                   outs   dx,DWORD PTR ds:[esi]\n804a005: 2c 20                sub    al,0x20\n804a007: 77 6f                ja     804a078 <msg+0x78>\n804a009: 72 6c                jb     804a077 <msg+0x77>\n804a00b: 64 21 0a             and    DWORD PTR 
fs:[edx],ecx<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Displaying debugging information<\/strong> <\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We can also use the <strong>-g<\/strong> option to display a binary's debugging information. The output below shows this information for a file compiled from C code.<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code class=\"\">$ objdump -g mem\n\nmem:     file format elf64-x86-64\n\nContents of the .eh_frame section (loaded from mem):\n\n00000000 0000000000000014 00000000 CIE\nVersion:               1\nAugmentation:          \"zR\"\nCode alignment factor: 1\nData alignment factor: -8\nReturn address column: 16\nAugmentation data:     1b\nDW_CFA_def_cfa: r7 (rsp) ofs 8\nDW_CFA_offset: r16 (rip) at cfa-8\nDW_CFA_nop\nDW_CFA_nop<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Having an analysis tool at hand while working with executable files is always very useful. On POSIX systems (Linux, WSL, Cygwin, etc.) ObjDump is one of those tools. It can be used to extract information from object files. 
Here we will see how to use this tool and get an overview of how it [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-204","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/gpads.recife.ifpe.edu.br\/alsm\/csin\/index.php\/wp-json\/wp\/v2\/posts\/204","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gpads.recife.ifpe.edu.br\/alsm\/csin\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gpads.recife.ifpe.edu.br\/alsm\/csin\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gpads.recife.ifpe.edu.br\/alsm\/csin\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/gpads.recife.ifpe.edu.br\/alsm\/csin\/index.php\/wp-json\/wp\/v2\/comments?post=204"}],"version-history":[{"count":7,"href":"https:\/\/gpads.recife.ifpe.edu.br\/alsm\/csin\/index.php\/wp-json\/wp\/v2\/posts\/204\/revisions"}],"predecessor-version":[{"id":211,"href":"https:\/\/gpads.recife.ifpe.edu.br\/alsm\/csin\/index.php\/wp-json\/wp\/v2\/posts\/204\/revisions\/211"}],"wp:attachment":[{"href":"https:\/\/gpads.recife.ifpe.edu.br\/alsm\/csin\/index.php\/wp-json\/wp\/v2\/media?parent=204"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gpads.recife.ifpe.edu.br\/alsm\/csin\/index.php\/wp-json\/wp\/v2\/categories?post=204"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gpads.recife.ifpe.edu.br\/alsm\/csin\/index.php\/wp-json\/wp\/v2\/tags?post=204"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}