Home > Software engineering >  Is there a way to see what's inside a ".rodata (memory location)" in an object file?
Is there a way to see what's inside a ".rodata (memory location)" in an object file?

Time:06-11

So I'm taking a class where I am given a single object file and need to reverse engineer it into c code. The command I'm told to use is "gdb assignment6_1.o" to open it in gdb, and "disass main" to see assembly code.

I'm also using "objdump -dr assignment6_1.o" myself since it outputs a little more information.

The problem I'm running into, is that using objdump, I can see that the program is trying to access what I believe is a variable or maybe a string, ".rodata 0x41". There are multiple .rodata's, that's just one example.

Is there a command or somewhere I can look to see what that's referencing? I also have access to the "Bless" program.

Below is a snippet of the disassembled code I have.

  a3:   48 8d 35 00 00 00 00    lea    0x0(%rip),%rsi        # aa <main 0x31>
                        a6: R_X86_64_PC32       .rodata 0x41
  aa:   48 8d 3d 00 00 00 00    lea    0x0(%rip),%rdi        # b1 <main 0x38>
                        ad: R_X86_64_PC32       _ZSt4cout-0x4
  b1:   e8 00 00 00 00          callq  b6 <main 0x3d>
                        b2: R_X86_64_PLT32      _ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc-0x4
  b6:   48 8d 35 00 00 00 00    lea    0x0(%rip),%rsi        # bd <main 0x44>
                        b9: R_X86_64_PC32       .rodata 0x53
  bd:   48 8d 3d 00 00 00 00    lea    0x0(%rip),%rdi        # c4 <main 0x4b>
                        c0: R_X86_64_PC32       _ZSt4cout-0x4
  c4:   e8 00 00 00 00          callq  c9 <main 0x50>
                        c5: R_X86_64_PLT32      _ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc-0x4
  c9:   48 8d 35 00 00 00 00    lea    0x0(%rip),%rsi        # d0 <main 0x57>
                        cc: R_X86_64_PC32       .rodata 0x5e
  d0:   48 8d 3d 00 00 00 00    lea    0x0(%rip),%rdi        # d7 <main 0x5e>
                        d3: R_X86_64_PC32       _ZSt4cout-0x4
  d7:   e8 00 00 00 00          callq  dc <main 0x63>
                        d8: R_X86_64_PLT32      _ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc-0x4
  dc:   48 8d 35 00 00 00 00    lea    0x0(%rip),%rsi        # e3 <main 0x6a>
                        df: R_X86_64_PC32       .rodata 0x6e
  e3:   48 8d 3d 00 00 00 00    lea    0x0(%rip),%rdi        # ea <main 0x71>
                        e6: R_X86_64_PC32       _ZSt4cout-0x4
  ea:   e8 00 00 00 00          callq  ef <main 0x76>
                        eb: R_X86_64_PLT32      _ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc-0x4```

CodePudding user response:

Is there a way to see what's inside a ".rodata (memory location)" in an object file?

Sure. Both objdump and readelf can dump contents of any section.

Example:

// x.c
#include <stdio.h>

int foo() { return printf("AA.\n")   printf("BBBB.\n"); }

gcc -c x.c
objdump -dr x.o

...
   9:   48 8d 05 00 00 00 00    lea    0x0(%rip),%rax        # 10 <foo 0x10>
                        c: R_X86_64_PC32        .rodata-0x4
...
  1f:   48 8d 05 00 00 00 00    lea    0x0(%rip),%rax        # 26 <foo 0x26>
                        22: R_X86_64_PC32       .rodata 0x1
...

Note that because the RIP used in these instructions is the address of the next instruction, the actual data we care about is at .rodata 0 and .rodata 5 (in your original disassembly, you care about .rodata 45, not .rodata 41).

So what's there?

 objdump -sj.rodata x.o

x.o:     file format elf64-x86-64

Contents of section .rodata:
 0000 41412e0a 00424242 422e0a00           AA...BBBB...

or, using readelf:

readelf -x .rodata x.o

Hex dump of section '.rodata':
  0x00000000 41412e0a 00424242 422e0a00          AA...BBBB...

  • Related