Find main() in a linux binary
So I have a binary with debug information (but no source code), so I can step through main() in ddd. I would like to wipe a few instructions to no-ops at certain offsets from main(), but I can't seem to figure out how to get ddd to tell me where main() starts in the binary executable. Any hints?
Just like any other function, it's difficult to know where main() starts without having debug symbols. However, if you just want to break at the program's entry point, that address is defined in the ELF header.
You could load it into gdb:
gdb ./someExe
Then list the contents of the source; one is a good starting point for listing the source:
list 1
Or you can just disassemble to see the main address:
(gdb) disassemble main
Dump of assembler code for function main:
0x000000010004403e <main+0>: push %rbp
0x000000010004403f <main+1>: mov %rsp,%rbp
0x0000000100044042 <main+4>: push %r12
0x0000000100044044 <main+6>: push %rbx
0x0000000100044045 <main+7>: sub $0x60,%rsp
0x0000000100044049 <main+11>: mov %edi,-0x64(%rbp)
0x000000010004404c <main+14>: mov 0x17f865(%rip),%rax # 0x1001c38b8
0x0000000100044053 <main+21>: movb $0x1,(%rax)
0x0000000100044056 <main+24>: lea -0x64(%rbp),%rdi
Right, so I can see the disassembly. For example, here's one instruction:
0x08048623 <main+67>: sub $0xc,%esp
What I want is where that instruction resides in the original executable file, so I can go and change it. I thought it might just be indexed from 0x08000000 (so it would start at byte 0x48623 in the binary), but it doesn't appear to be the case.
Help?
Quote: Original post by BeanDog
Right, so I can see the disassembly. For example, here's one instruction:
0x08048623 <main+67>: sub $0xc,%esp
What I want is where that instruction resides in the original executable file, so I can go and change it. I thought it might just be indexed from 0x08000000 (so it would start at byte 0x48623 in the binary), but it doesn't appear to be the case.
Help?
You need to parse the executable header.
Executables, in Windows and Linux, are broken up into sections. Each section has a physical offset in the file, a length, and a virtual base address (which the compiler uses for setting up relative addressing).
For Windows this is the PE file format, and there's a bunch of information on [google].
In time the project grows, the ignorance of its devs it shows, with many a convoluted function, it plunges into deep compunction, the price of failure is high, Washu's mirth is nigh.
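Washu's header-parsing advice, worked through as an added example (not code from anyone in this thread): the script walks the ELF program headers and maps a virtual address such as 0x08048623 to the file offset you would patch. To run offline it builds a constructed ELF32 image whose single text segment is based at the classic i386 load address 0x08048000 (an assumption about the poster's binary); function and file names are mine.

```python
import struct
import sys

PT_LOAD = 1  # loadable segment type in the ELF program header table


def vaddr_to_file_offset(elf, vaddr):
    """Return the file offset of the byte that backs `vaddr`, or None.

    Parses the ELF32/ELF64 header, then each program header, and picks
    the PT_LOAD segment whose file-backed range [p_vaddr, p_vaddr+p_filesz)
    contains vaddr. file_offset = p_offset + (vaddr - p_vaddr).
    """
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:  # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
            p_type, _, p_off, p_va, _, p_filesz, _, _ = struct.unpack_from(end + "IIQQQQQQ", elf, off)
        else:     # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
            p_type, p_off, p_va, _, p_filesz, _, _, _ = struct.unpack_from(end + "IIIIIIII", elf, off)
        if p_type == PT_LOAD and p_va <= vaddr < p_va + p_filesz:
            return p_off + (vaddr - p_va)
    return None  # address is not backed by the file (e.g. .bss or unmapped)


def build_sample_elf32():
    """Constructed minimal little-endian i386 ELF32 image, not a real binary:
    one PT_LOAD segment mapping file offset 0 to 0x08048000 (size 0x1000)."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x08048080,
                               52, 0, 0, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_LOAD, 0, 0x08048000, 0x08048000,
                       0x1000, 0x1000, 5, 0x1000)
    img = ehdr + phdr
    return img + b"\x00" * (0x1000 - len(img))


if __name__ == "__main__":  # usage: python3 va2off.py ./someExe 0x08048623
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    print(hex(vaddr_to_file_offset(data, int(sys.argv[2], 16))))
```

On the constructed image 0x08048623 lands at file offset 0x623, not 0x48623, because the segment's base is 0x08048000 rather than 0x08000000; on a real binary the offset comes straight from its own program headers.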