How to read the source of a binary file along with its assembly code (or machine code)?

Here we will look at an interesting Linux feature: reading the source program from a binary file.

This is one of the most useful tips that most Linux users are not aware of.

To read the source program and assembly language code of a program, we will use the objdump command.

objdump displays information about one or more object files, and can display all the information associated with them.

We can read the source, assembly or machine code of an object file/program using this command.

 

Viewing Source of Object file

Let's have a look at the source of the “delete” command, which I have created as a replacement for the rm command.

### The file type is an executable object file.
[root@nglinux ~]# file /usr/nglinux/deleteme/delete
/usr/nglinux/deleteme/delete: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped

### The objdump -s output for the binary file is 493 lines long.
[root@nglinux ~]# objdump -s /usr/nglinux/deleteme/delete | wc -l
493

### Let's have a look at the source program of the file.
[root@nglinux ~]# objdump -s /usr/nglinux/deleteme/delete | more

/usr/nglinux/deleteme/delete:     file format elf32-i386

Contents of section .interp:
 8048134 2f6c6962 2f6c642d 6c696e75 782e736f  /lib/ld-linux.so
 8048144 2e3200                               .2.             
Contents of section .note.ABI-tag:
 8048148 04000000 10000000 01000000 474e5500  ............GNU.
 8048158 00000000 02000000 06000000 12000000  ................
Contents of section .note.gnu.build-id:
 8048168 04000000 14000000 03000000 474e5500  ............GNU.
 8048178 fcd679d4 0defba0b 58253407 4571f0f9  ..y.....X%4.Eq..
 8048188 51afdc4c                             Q..L            
Contents of section .gnu.hash:
 804818c 02000000 05000000 01000000 05000000  ................
 804819c 00200020 00000000 05000000 ad4be3c0  . . .........K..
Contents of section .dynsym:
 80481ac 00000000 00000000 00000000 00000000  ................
 80481bc 01000000 00000000 00000000 20000000  ............ ...
 80481cc 2e000000 00000000 00000000 12000000  ................
 80481dc 35000000 00000000 00000000 12000000  5...............
 80481ec 29000000 00000000 00000000 12000000  )...............
 80481fc 1a000000 dc840408 04000000 11000f00  ................
Contents of section .dynstr:
 804820c 005f5f67 6d6f6e5f 73746172 745f5f00  .__gmon_start__.
 804821c 6c696263 2e736f2e 36005f49 4f5f7374  libc.so.6._IO_st
 804822c 64696e5f 75736564 00707574 73007379  din_used.puts.sy
 804823c 7374656d 005f5f6c 6962635f 73746172  stem.__libc_star
 804824c 745f6d61 696e0047 4c494243 5f322e30  t_main.GLIBC_2.0
 804825c 00                                   .               
Contents of section .gnu.version:
 804825e 00000000 02000200 02000100           ............    
Contents of section .gnu.version_r:
 804826c 01000100 10000000 10000000 00000000  ................
 804827c 1069690d 00000200 47000000 00000000  .ii.....G.......
Contents of section .rel.dyn:
 804828c 74ad0408 06010000                    t.......        
Contents of section .rel.plt:
 8048294 84ad0408 07010000 88ad0408 07020000  ................
 80482a4 8cad0408 07030000 90ad0408 07040000  ................
Contents of section .init:
 80482b4 5589e553 83ec04e8 00000000 5b81c3b8  U..S........[...
 80482c4 2a00008b 93fcffff ff85d274 05e81e00  *..........t....
 80482d4 0000e8f5 000000e8 b0010000 585bc9c3  ............X[..
Contents of section .plt:
 80482e4 ff357cad 0408ff25 80ad0408 00000000  .5|....%........
 80482f4 ff2584ad 04086800 000000e9 e0ffffff  .%....h.........
 8048304 ff2588ad 04086808 000000e9 d0ffffff  .%....h.........
 8048314 ff258cad 04086810 000000e9 c0ffffff  .%....h.........
 8048324 ff2590ad 04086818 000000e9 b0ffffff  .%....h.........
Contents of section .text:
 8048340 31ed5e89 e183e4f0 50545268 20840408  1.^.....PTRh ...
 8048350 68308404 08515668 f4830408 e8b3ffff  h0...QVh........
 8048360 fff49090 90909090 90909090 90909090  ................
 8048370 5589e553 8d6424fc 803d98ad 04080075  U..S.d$..=.....u
 8048380 3ebba4ac 0408a19c ad040881 eba0ac04  >...............
 8048390 08c1fb02 83eb0139 d8731d90 8d742600  .......9.s...t&.
 80483a0 83c001a3 9cad0408 ff1485a0 ac0408a1  ................
 80483b0 9cad0408 39d872e8 c60598ad 0408018d  ....9.r.........
 80483c0 6424045b 5dc38d76 008dbc27 00000000  d$.[]..v...'....
 80483d0 5589e58d 6424e8a1 a8ac0408 85c07412  U...d$........t.
 80483e0 b8000000 0085c074 09c70424 a8ac0408  .......t...$....
 80483f0 ffd0c9c3 5589e583 e4f083ec 10c70424  ....U..........$
 8048400 e4840408 e81bffff ffc70424 f4840408  ...........$....
 8048410 e8effeff ffb80000 0000c9c3 90909090  ................
 8048420 5589e55d c366662e 0f1f8400 00000000  U..].ff.........
 8048430 5589e557 5653e84f 00000081 c33d2900  U..WVS.O.....=).
 8048440 0083ec1c e86bfeff ff8dbb20 ffffff8d  .....k..... ....
 8048450 8320ffff ff29c7c1 ff0285ff 742431f6  . ...)......t$1.
 8048460 8b451089 4424088b 450c8944 24048b45  .E..D$..E..D$..E
 8048470 08890424 ff94b320 ffffff83 c60139fe  ...$... ......9.
 8048480 72de83c4 1c5b5e5f 5dc38b1c 24c39090  r....[^_]...$...
 8048490 5589e553 8d6424fc a198ac04 0883f8ff  U..S.d$.........
 80484a0 7412bb98 ac040890 8d5bfcff d08b0383  t........[......
 80484b0 f8ff75f4 8d642404 5b5dc390           ..u..d$.[]..    
Contents of section .fini:
 80484bc 5589e553 83ec04e8 00000000 5b81c3b0  U..S........[...
 80484cc 280000e8 9cfeffff 595bc9c3           (.......Y[..    
Contents of section .rodata:
 80484d8 03000000 01000200 00000000 53746172  ............Star
 80484e8 74696e67 206e6f77 3a000000 23212f62  ting now:...#!/b
 80484f8 696e2f62 61736820 0a200a23 23232053  in/bash . .### S
 8048508 63726970 7420746f 2072656d 6f766520  cript to remove 
 8048518 61206669 6c652069 6e206c69 6e757820  a file in linux 
 8048528 62792073 6176696e 67206974 73207374  by saving its st
 8048538 61727469 6e672062 6c6f636b 20696e66  arting block inf
 8048548 6f726d61 74696f6e 2c200a23 23232069  ormation, .### i
 8048558 6e6f6465 20616e64 20746865 20746f74  node and the tot
 8048568 616c2073 697a6520 696e2062 6c6f636b  al size in block
 8048578 7320746f 20726573 746f7265 20746865  s to restore the
 8048588 20616d6f 756e7420 6f662064 61746120   amount of data 
 8048598 0a200a23 23232054 616b6573 2066696c  . .### Takes fil
 80485a8 656e616d 6520616c 6f6e6777 69746820  ename alongwith 
 80485b8 70617468 20617320 616e2061 7267756d  path as an argum
<---- Output Truncated --->

At the end of the above output, in the .rodata section, you can see the exact comments of the script that the program runs, i.e. the source program.

If you dig into the assembly instructions and this code, you can decode the program.
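
The ASCII column of objdump -s replaces every non-printable byte with a dot, so the reliable way to recover an embedded script is to rebuild the section bytes from the hex columns. The following is an added example, not part of the original post: it parses an excerpt of the output shown above (copied from this page) and reports whether the binary imports system and which shebang scripts sit in .rodata. The function names parse_sections, printable_strings and audit are made up for this example.

```python
import re

# Excerpt of the objdump -s output shown on this page (.dynstr and the start of .rodata).
SAMPLE = """\
Contents of section .dynstr:
 804820c 005f5f67 6d6f6e5f 73746172 745f5f00  .__gmon_start__.
 804821c 6c696263 2e736f2e 36005f49 4f5f7374  libc.so.6._IO_st
 804822c 64696e5f 75736564 00707574 73007379  din_used.puts.sy
 804823c 7374656d 005f5f6c 6962635f 73746172  stem.__libc_star
 804824c 745f6d61 696e0047 4c494243 5f322e30  t_main.GLIBC_2.0
 804825c 00                                   .
Contents of section .rodata:
 80484d8 03000000 01000200 00000000 53746172  ............Star
 80484e8 74696e67 206e6f77 3a000000 23212f62  ting now:...#!/b
 80484f8 696e2f62 61736820 0a200a23 23232053  in/bash . .### S
 8048508 63726970 7420746f 2072656d 6f766520  cript to remove
 8048518 61206669 6c652069 6e206c69 6e757820  a file in linux
"""

HEADER = re.compile(r"^Contents of section (\S+):")
# Address, then one to four groups of up to four hex bytes, single-space separated.
ROW = re.compile(r"^\s*([0-9a-f]+) ((?:(?:[0-9a-f]{2}){1,4} ?){1,4})")

def parse_sections(dump):
    """Rebuild each section's raw bytes from the hex columns (the ASCII column is lossy)."""
    sections, name = {}, None
    for line in dump.splitlines():
        if (m := HEADER.match(line)):
            name = m.group(1)
            sections[name] = bytearray()
        elif name and (m := ROW.match(line)):
            sections[name] += bytes.fromhex(m.group(2).replace(" ", ""))
    return sections

def printable_strings(data, min_len=4):
    """Runs of printable ASCII (plus tab and newline), similar to strings(1)."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e\t\n]{%d,}" % min_len, bytes(data))]

def audit(dump):
    """Report whether 'system' is imported and list shebang scripts found in .rodata."""
    sec = parse_sections(dump)
    imports = [s for s in bytes(sec.get(".dynstr", b"")).decode("latin-1").split("\0") if s]
    scripts = [s for s in printable_strings(sec.get(".rodata", b"")) if s.startswith("#!")]
    return {"calls_system": "system" in imports, "scripts": scripts}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running the same audit over the full output of objdump -s for a binary you ship shows what any user with read access to the file can recover from it, including scripts, paths or credentials compiled in as string constants.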
