When working with Linux, sometimes you will need to analyze a binary file - maybe you don't have the original source code, you want to understand how a program works internally, or you're debugging an issue at a very low level. In such cases, disassembling the binary becomes necessary. Disassembly allows you to translate the raw machine code inside an executable into human-readable assembly instructions. This tutorial explains how to disassemble a binary file on Linux.
One of the most commonly used tools for disassembling a binary file on Linux is the objdump command (part of the Binutils package). With the -d option, it disassembles the executable sections of a binary into human-readable assembly code. For example, to disassemble /usr/bin/pwd, run:
objdump -d /usr/bin/pwd
This will output a section-by-section disassembly of the program, showing addresses, opcodes, and the corresponding assembly instructions. Here's a snippet example:
Disassembly of section .init:
0000000000002000 <.init>:
2000: f3 0f 1e fa endbr64
2004: 48 83 ec 08 sub $0x8,%rsp
2008: 48 8b 05 a9 6f 00 00 mov 0x6fa9(%rip),%rax # 8fb8 <__ctype_b_loc@plt+0x68c8>
200f: 48 85 c0 test %rax,%rax
2012: 74 02 je 2016 <__cxa_finalize@plt-0x37a>
2014: ff d0 call *%rax
2016: 48 83 c4 08 add $0x8,%rsp
201a: c3 ret
Disassembly of section .plt:
0000000000002020 <.plt>:
2020: ff 35 b2 6d 00 00 push 0x6db2(%rip) # 8dd8 <__ctype_b_loc@plt+0x66e8>
2026: f2 ff 25 b3 6d 00 00 bnd jmp *0x6db3(%rip) # 8de0 <__ctype_b_loc@plt+0x66f0>
202d: 0f 1f 00 nopl (%rax)
2030: f3 0f 1e fa endbr64
2034: 68 00 00 00 00 push $0x0
2039: f2 e9 e1 ff ff ff bnd jmp 2020 <__cxa_finalize@plt-0x370>
...
To make the analysis easier, you can redirect the output into a file:
objdump -d /usr/bin/pwd > pwd.asm
And if you prefer Intel syntax instead of AT&T syntax (which is the default on most Linux systems), you can use the -M intel option:
objdump -M intel -d /usr/bin/pwd
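Once the disassembly is saved to a file, it can be post-processed. The following is an added example, not part of this tutorial or of Binutils: a small Python parser for the default AT&T-syntax output shown above (it assumes that layout, not the -M intel form). It turns each line into a record, merges opcode bytes that objdump wraps onto a second line, checks that addresses inside one symbol are contiguous, and lists indirect calls and jumps, whose targets cannot be read off the listing. The sample input is the /usr/bin/pwd snippet from above, trimmed.

```python
import re
SAMPLE = """\
Disassembly of section .init:
0000000000002000 <.init>:
2000: f3 0f 1e fa endbr64
2004: 48 83 ec 08 sub $0x8,%rsp
2008: 48 8b 05 a9 6f 00 00 mov 0x6fa9(%rip),%rax # 8fb8 <__ctype_b_loc@plt+0x68c8>
200f: 48 85 c0 test %rax,%rax
2012: 74 02 je 2016 <__cxa_finalize@plt-0x37a>
2014: ff d0 call *%rax
2016: 48 83 c4 08 add $0x8,%rsp
201a: c3 ret
Disassembly of section .plt:
0000000000002020 <.plt>:
2020: ff 35 b2 6d 00 00 push 0x6db2(%rip) # 8dd8 <__ctype_b_loc@plt+0x66e8>
2026: f2 ff 25 b3 6d 00 00 bnd jmp *0x6db3(%rip) # 8de0 <__ctype_b_loc@plt+0x66f0>
"""  # sample input: the objdump -d /usr/bin/pwd snippet from the tutorial, trimmed
SECTION_RE = re.compile(r"^Disassembly of section (\S+):")
SYMBOL_RE = re.compile(r"^([0-9a-f]+) <([^>]+)>:")
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}(?:\s+|$))+)(.*)$")
PREFIXES = {"bnd", "rep", "repz", "repnz", "lock", "notrack", "data16"}

def parse_objdump(text):
    """Turn objdump -d (AT&T syntax) text into instruction dicts; wrapped byte lines are merged."""
    insns, section, symbol = [], None, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := SYMBOL_RE.match(line):
            symbol = m.group(2)
        elif m := INSN_RE.match(line.rstrip()):
            addr, raw, rest = int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3)
            if not rest.strip():  # opcode bytes wrapped onto a second line: extend previous insn
                insns[-1]["bytes"] += raw
                continue
            asm, _, comment = rest.partition("#")  # "# 8fb8 <sym>" is objdump's resolved-target note
            toks = asm.split()
            n = next((i for i, t in enumerate(toks) if t not in PREFIXES), 0) + 1  # "bnd jmp" is one mnemonic
            insns.append({"section": section, "symbol": symbol, "addr": addr, "bytes": raw, "comment": comment.strip(),
                          "mnemonic": " ".join(toks[:n]), "operands": " ".join(toks[n:])})
    return insns

def layout_gaps(insns):
    """Addresses where addr + len(bytes) != next addr within one symbol (a hole or an overlap)."""
    return [a["addr"] for a, b in zip(insns, insns[1:])
            if a["symbol"] == b["symbol"] and a["addr"] + len(a["bytes"]) != b["addr"]]

def indirect_transfers(insns):
    """Calls/jumps through a register or memory slot; the target is only known at run time."""
    return [i for i in insns
            if i["mnemonic"].split()[-1] in ("call", "jmp") and i["operands"].startswith("*")]
```

Run it on the saved listing with parse_objdump(open("pwd.asm").read()); an empty layout_gaps result confirms the listing is contiguous, and indirect_transfers points at the call sites (here call *%rax in .init and the PLT's bnd jmp) that a static read of the disassembly cannot resolve.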