starting point of ELF executable file?

3
votes

I compile following C program on lubuntu 12.10 with anjuta

int main()
{
return 0;
}

the file name is foobar

then I open up terminal and write command

ndisasm foobar -b 32 1>asm.txt

(disassemble foobar with 32 bit instruction option and save disassembled result to asm.txt)

I open up asm.txt there are many 0x0000 and miss-understandable code.

the instruction jg 0x47(0x7F45) on 0x00000000 and dec esp(0x4C) on 0x00000002 seems ELF file format signature. (because the hex code 0x454c46 is 'ELF' in ascii)

the Linux might load this code to memory and don't jump to 0x00000000 because there is no executable code.

I have questions here.

  1. how do I know the address of starting address?
  2. which code is OK to ignore?(maybe many 0x0000 would be OK to ignore but what else?)
1
linuxdisassemblyentry-point
Why not objdump -d foobar? It will disassemble only executable (text) sections of elf file. Also try readelf -e foobar to get info about sections and to find entry address.osgx
is it possible to get starting point by hands?kim taeyun
Check Elf Header: sco.com/developers/gabi/1998-04-29/ch4.eheader.html - e_entry field. But you need also parse Program header sco.com/developers/gabi/1998-04-29/ch5.pheader.html and find all PT_LOAD segments to translate virtual address to file offset. Here is quick intro into ELF and loading process: wiki.osdev.org/ELFosgx

1 Answers

4
votes

Even for the simplest program like yours, gcc is linking some libraries and some object files (notably crt0.o which calls your main and contains _start, the ELF starting point). And your binary is probably dynamically linked to some libc.so.6 so needs the dynamic linker (use ldd foobar to find out). Use gcc -v to understand what gcc is doing. And objdump has a lot of interesting flags or options.

You may also want to read the Assembly Howto, the X86 calling conventions, this question, the X86-64 ABI, these notes on X86-64 programming, etc