Linux – The starting point for ELF executables?


The starting point for ELF executables?

I compiled the following C program with Anjuta on Lubuntu 12.10:

int main()
{
    return 0;
}

The output file is named foobar.

Then I open a terminal and run the command

ndisasm foobar -b 32 1>asm.txt

(disassemble foobar with the 32-bit instruction option and save the result to asm.txt).

When I open asm.txt, there are a lot of 0x0000 bytes and incomprehensible code.

The instruction jg 0x47 (0x7F45) at 0x00000000 and dec esp (0x4C) at 0x00000002 seem to be the signature of the ELF file format
(because the hexadecimal code 0x454c46 is 'ELF' in ASCII).

Linux may load this code into memory, but it does not jump to 0x00000000 because there is no executable code there.

My problem is this:

  1. How do I find the start address?
  2. What code can be ignored? (Maybe many of the 0x0000 bytes can be ignored, but what else?)

Solution

Even with the simplest program like yours, gcc links in some libraries and some object files (specifically crt0.o, which calls your main and contains _start, the ELF starting point). Your binary may also be dynamically linked against libc.so.6, so a dynamic linker is needed (use ldd foobar to find out). Use gcc -v to understand what gcc is doing. And objdump has a lot of interesting flags and options.

You may also want to read the Assembly HOWTO, x86 calling conventions, this question, the x86-64 ABI, these notes on x86-64 programming, etc.
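To make the answer concrete, here is an added example (not code from the question or the answer) that reads the ELF header the asker saw at offset 0, takes the entry address from e_entry, and maps it to a file offset through the PT_LOAD program headers, so a disassembly can start at _start instead of at the header. The sample ELF it parses is constructed inline and is not real compiler output.

```python
import struct

PT_LOAD = 1   # program header type for a loadable segment
PF_X = 1      # segment flag bit: executable

def elf_entry_info(data: bytes) -> dict:
    """Return the entry address, its file offset and the PT_LOAD segments
    (with an exec flag) of a 32- or 64-bit ELF image held in `data`."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file: missing 0x7f 'E' 'L' 'F' magic")
    is64 = data[4] == 2                       # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    endian = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little-endian
    if is64:
        # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize e_phentsize e_phnum
        hdr = struct.unpack_from(endian + "HHIQQQIHHH", data, 16)
        ph_fmt = endian + "IIQQQQQQ"          # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
    else:
        hdr = struct.unpack_from(endian + "HHIIIIIHHH", data, 16)
        ph_fmt = endian + "IIIIIIII"          # p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align
    e_entry, e_phoff, e_phentsize, e_phnum = hdr[3], hdr[4], hdr[8], hdr[9]
    segments, entry_offset = [], None
    for i in range(e_phnum):
        f = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if is64:
            p_type, p_flags, p_offset, p_vaddr, p_filesz = f[0], f[1], f[2], f[3], f[5]
        else:
            p_type, p_offset, p_vaddr, p_filesz, p_flags = f[0], f[1], f[2], f[4], f[6]
        if p_type != PT_LOAD:
            continue                          # only loadable segments end up in memory
        segments.append({"vaddr": p_vaddr, "offset": p_offset,
                         "filesz": p_filesz, "exec": bool(p_flags & PF_X)})
        if p_vaddr <= e_entry < p_vaddr + p_filesz:
            entry_offset = p_offset + (e_entry - p_vaddr)   # vaddr -> file offset
    return {"bits": 64 if is64 else 32, "entry": e_entry,
            "entry_offset": entry_offset, "segments": segments}

def build_sample_elf64() -> bytes:
    """Constructed minimal x86-64 ELF: header, two PT_LOAD entries, a few code bytes."""
    ehsize, phentsize, phnum, base = 64, 56, 2, 0x400000
    code_off = ehsize + phentsize * phnum     # code follows the headers (offset 176)
    entry = base + code_off + 4               # _start sits 4 bytes into the code
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, entry, ehsize, 0, 0,
                               ehsize, phentsize, phnum, 64, 0, 0)
    text = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, code_off + 16, code_off + 16, 0x1000)
    data = struct.pack("<IIQQQQQQ", PT_LOAD, 6, code_off + 16, 0x600000, 0x600000, 8, 8, 0x1000)
    code = b"\x90" * 4 + b"\xb8\x3c\x00\x00\x00\x0f\x05" + b"\x00" * 5   # nops; mov eax,60; syscall
    return ehdr + text + data + code + b"\x00" * 8
```

For a real binary, `elf_entry_info(open("foobar", "rb").read())` gives the file offset of _start; bytes outside the segments marked `exec` (and the headers themselves) are data, which is why the listing from offset 0 looked like nonsense.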
