Disassemble Binary File on Linux

When working with Linux, sometimes you will need to analyze a binary file - maybe you don't have the original source code, you want to understand how a program works internally, or you're debugging an issue at a very low level. In such cases, disassembling the binary becomes necessary. Disassembly allows you to translate the raw machine code inside an executable into human-readable assembly instructions. This tutorial explains how to disassemble a binary file on Linux.

One of the most commonly used tools for disassembling a binary file on Linux is the objdump command (part of the Binutils package). With the -d option, it can disassemble the executable sections of a binary into human-readable assembly code.

For example, if we want to disassemble /usr/bin/pwd, we can run:

objdump -d /usr/bin/pwd

This will output a section-by-section disassembly of the program, showing the address of each instruction, its raw bytes, and the corresponding assembly mnemonic and operands. Here's a snippet of the output:

Disassembly of section .init:

0000000000002000 <.init>:
    2000:   f3 0f 1e fa             endbr64 
    2004:   48 83 ec 08             sub    $0x8,%rsp
    2008:   48 8b 05 a9 6f 00 00    mov    0x6fa9(%rip),%rax        # 8fb8 <__ctype_b_loc@plt+0x68c8>
    200f:   48 85 c0                test   %rax,%rax
    2012:   74 02                   je     2016 <__cxa_finalize@plt-0x37a>
    2014:   ff d0                   call   *%rax
    2016:   48 83 c4 08             add    $0x8,%rsp
    201a:   c3                      ret    

Disassembly of section .plt:

0000000000002020 <.plt>:
    2020:   ff 35 b2 6d 00 00       push   0x6db2(%rip)        # 8dd8 <__ctype_b_loc@plt+0x66e8>
    2026:   f2 ff 25 b3 6d 00 00    bnd jmp *0x6db3(%rip)        # 8de0 <__ctype_b_loc@plt+0x66f0>
    202d:   0f 1f 00                nopl   (%rax)
    2030:   f3 0f 1e fa             endbr64 
    2034:   68 00 00 00 00          push   $0x0
    2039:   f2 e9 e1 ff ff ff       bnd jmp 2020 <__cxa_finalize@plt-0x370>
...

To make the analysis easier, you can redirect the output into a file:

objdump -d /usr/bin/pwd > pwd.asm

And if you prefer Intel syntax instead of AT&T syntax (objdump's default on Linux), you can use the -M intel option:

objdump -M intel -d /usr/bin/pwd
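As an added example (not code from the original tutorial), the following POSIX shell script wraps the objdump invocation above and post-processes its output to list which symbols the binary calls and how often. A call inventory like this is a quick first look at what a program does (which library functions it reaches) before you read the full listing. The embedded sample disassembly is constructed to look like objdump -d -M intel output and is not real output from /usr/bin/pwd; the function names (disasm_bin, list_call_targets) and the file name disasm_calls.sh are my own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: wrap objdump as the
# tutorial uses it and summarise which symbols a binary calls.

# Disassemble the executable sections of a binary in Intel syntax. These are
# exactly the objdump flags the tutorial introduces (-d and -M intel).
disasm_bin() {
    objdump -d -M intel "$1"
}

# Read objdump -d output on stdin and print "count symbol" for every distinct
# <symbol> reached by a call instruction, most frequent first.
# Direct calls ("call 1030 <puts@plt>") and calls through the GOT, which
# objdump annotates with "# addr <sym>", are both counted. Register-indirect
# calls such as "call rax" carry no symbol and are skipped. A trailing
# "+0x.." / "-0x.." offset is stripped so all references to one symbol group.
list_call_targets() {
    grep -E '^[[:space:]]*[0-9a-f]+:.*[[:space:]]callq?[[:space:]].*<[^>]+>[[:space:]]*$' \
    | sed -E -e 's/.*<([^>]*)>[[:space:]]*$/\1/' -e 's/[+-]0x[0-9a-f]+$//' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Constructed sample in the shape of `objdump -d -M intel` output (not real
# output from /usr/bin/pwd), so the parser can be exercised offline.
SAMPLE_DISASM='
0000000000001149 <main>:
    1149:   55                      push   rbp
    114a:   48 89 e5                mov    rbp,rsp
    114d:   48 8d 05 b0 0e 00 00    lea    rax,[rip+0xeb0]        # 2004 <_IO_stdin_used+0x4>
    1154:   48 89 c7                mov    rdi,rax
    1157:   e8 d4 fe ff ff          call   1030 <puts@plt>
    115c:   48 8d 05 b1 0e 00 00    lea    rax,[rip+0xeb1]        # 2014 <_IO_stdin_used+0x14>
    1163:   48 89 c7                mov    rdi,rax
    1166:   e8 c5 fe ff ff          call   1030 <puts@plt>
    116b:   ff d0                   call   rax
    116d:   ff 15 6d 2e 00 00       call   QWORD PTR [rip+0x2e6d]        # 3fe0 <exit@GLIBC_2.2.5>
    1173:   85 c0                   test   eax,eax
    1175:   74 02                   je     1179 <main+0x30>
'

if [ "$#" -gt 0 ]; then
    # Real use: sh disasm_calls.sh /usr/bin/pwd
    # Keep the full listing in <name>.asm, as the tutorial does with pwd.asm,
    # then summarise it.
    listing="${1##*/}.asm"
    disasm_bin "$1" > "$listing"
    list_call_targets < "$listing"
else
    # No binary given: run the parser over the constructed sample.
    printf '%s\n' "$SAMPLE_DISASM" | list_call_targets
fi
```

Run with a path to get the summary for a real binary; with no arguments the script only exercises the parser on the embedded sample, printing "2 puts@plt" and "1 exit@GLIBC_2.2.5" (the "call rax" line contributes nothing because objdump cannot name its target). The parser keys on the "<symbol>" annotation rather than on the operand syntax, so it works on AT&T output from plain objdump -d as well.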
