I want to show users the imported symbols of a given ELF file like this (#1) in a disassembler project (an Android app).

     1d21a:       f7fa e8e8       blx     173ec   ; __android_log_print@plt ...

Currently, I can only show like this(#2):

     1d21a:       f7fa e8e8       blx     173ec

To show data like #1, I heard that I need to parse the PLT, GOT, or PLTGOT. However, I don't know how to use them to show the names of functions. (Of course, I don't know how to parse them yet.)

My theoretical approach is to disassemble the PLT, find the target offset, and do something.

Example:

     000173ec __android_log_print@plt:
     173ec:       e28fc600        add     ip, pc, #0, 12  ; ip!=pc?
     173f0:       e28cca11        add     ip, ip, #69632  ; addr of got? 
     173f4:       e5bcf9f4        ldr     pc, [ip, #2548]!; index=2548
     000173f8 sleep@plt:
     173f8:       e28fc600        add     ip, pc, #0, 12
     173fc:       e28cca11        add     ip, ip, #69632
     17400:       e5bcf9ec        ldr     pc, [ip, #2540]!
     ...

I think I may get that #2548 or #2540 by disassembling the PLT... but I'm not confident.

Is there any way to parse PLT and show data like #1 in disassembly?

Thanks!

1 Answer

This information is available from the dynamic segment PT_DYNAMIC. This is an array of ElfXX_Dyn structures. You have to search for the type DT_REL or DT_RELA. This is an array of ElfXX_Rel or ElfXX_Rela. The field r_offset is the offset to the GOT entry, and the name can be retrieved with the field r_info, which contains an index into the ElfXX_Sym array. You probably want to use an external library to do that.
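
The lookup described above, tied to the PLT stubs in the question, as an added example that is not part of the original posts: it computes the GOT slot each 3-instruction ARM stub loads from, then matches that address against `r_offset` in an Elf32_Rel table and resolves the name through the symbol index in `r_info`. The stub words come from the question's listing; the relocation, symbol and string tables are constructed for the demo (a real tool reads them through PT_DYNAMIC, where the PLT relocations are the table that DT_JMPREL points to), and the function names are hypothetical.

```python
import struct

R_ARM_JUMP_SLOT = 22  # relocation type used for PLT-backed GOT slots on ARM

def ror32(value, bits):
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF

def arm_imm(insn):
    """Decode the ARM 'modified immediate': imm8 rotated right by 2*rot."""
    return ror32(insn & 0xFF, 2 * ((insn >> 8) & 0xF))

def plt_got_slot(stub_addr, stub):
    """GOT slot address loaded by a 3-instruction ARM PLT stub (12 bytes)."""
    add1, add2, ldr = struct.unpack("<3I", stub)
    # Verify the shape: add ip,pc,#imm / add ip,ip,#imm / ldr pc,[ip,#imm]!
    if (add1 & 0xFFFFF000, add2 & 0xFFFFF000, ldr & 0xFFFFF000) != (
            0xE28FC000, 0xE28CC000, 0xE5BCF000):
        raise ValueError("not the PLT stub pattern handled here")
    pc = stub_addr + 8  # in ARM state, reading pc yields insn address + 8
    return (pc + arm_imm(add1) + arm_imm(add2) + (ldr & 0xFFF)) & 0xFFFFFFFF

def plt_names(rel_plt, dynsym, dynstr):
    """Map GOT slot address -> symbol name from Elf32_Rel / Elf32_Sym tables."""
    names = {}
    for r_offset, r_info in struct.iter_unpack("<II", rel_plt):
        if r_info & 0xFF != R_ARM_JUMP_SLOT:
            continue  # only jump-slot relocations belong to PLT stubs
        # Elf32_Sym is 16 bytes; st_name is its first 32-bit field.
        st_name = struct.unpack_from("<I", dynsym, (r_info >> 8) * 16)[0]
        end = dynstr.index(b"\0", st_name)
        names[r_offset] = dynstr[st_name:end].decode()
    return names

# Constructed sample tables (not taken from a real binary).
DYNSTR = b"\0__android_log_print\0sleep\0"
DYNSYM = (bytes(16) + struct.pack("<IIIBBH", 1, 0, 0, 0x12, 0, 0)
          + struct.pack("<IIIBBH", 21, 0, 0, 0x12, 0, 0))
REL_PLT = struct.pack("<IIII", 0x28DE8, (1 << 8) | 22, 0x28DEC, (2 << 8) | 22)
# Stub words from the listing in the question, stored little-endian.
STUB_173EC = struct.pack("<3I", 0xE28FC600, 0xE28CCA11, 0xE5BCF9F4)
STUB_173F8 = struct.pack("<3I", 0xE28FC600, 0xE28CCA11, 0xE5BCF9EC)

def annotate(stub_addr, stub):
    """Label for a branch target that lands on a PLT stub."""
    slot = plt_got_slot(stub_addr, stub)
    return plt_names(REL_PLT, DYNSYM, DYNSTR).get(slot, "?") + "@plt"
```

A disassembler would build the slot-to-name map once per file and call the stub decoder only for branch targets that fall inside the PLT address range.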
