0

I seriously can't tell if I'm misunderstanding something grossly or if this is a bug in objdump. Newbie alert.

$ objdump -s --start-address=0x3fc0 --stop-address=0x3fc1 test

test:     file format elf64-x86-64

Contents of section .got:
 3fc0 00        
                           .               
$ xxd -s 0x3fc0 -l 1 test
00003fc0: 50                                       P

Looking at the file with kaitai I was able to confirm that objdump is the incorrect one. This doesn't happen merely with this byte: a lot of others in the .got are wrong. However, the .text section is completely correct.

It also doesn't happen only with these flags: doing objdump -d -s test | less shows the same bytes wrong in the same place.

I'm willing to provide the binary: it is a simple printf for me to play with.

Edit: Here is the full contents from the .got, obtained with objdump -d -s test | less

Contents of section .got:
 3fb0 c03d0000 00000000 00000000 00000000  .=..............
 3fc0 00000000 00000000 30100000 00000000  ........0.......
 3fd0 40100000 00000000 00000000 00000000  @...............
 3fe0 00000000 00000000 00000000 00000000  ................
 3ff0 00000000 00000000 00000000 00000000  ................

And here are the bytes at the same offset, as obtained from xxd:

xxd -s 0x3fb0 -l 0x50 test
00003fb0: b03f 0000 0000 0000 b02f 0000 0000 0000  .?......./......
00003fc0: 5000 0000 0000 0000 0000 0000 0000 0000  P...............
00003fd0: 0800 0000 0000 0000 0800 0000 0000 0000  ................
00003fe0: 0601 0000 0100 0000 0300 0000 0000 0000  ................
00003ff0: 0040 0000 0000 0000 0030 0000 0000 0000  [email protected]......

Why are the values different?

Improve this question
1
  • I guess a better way to phrase the question is: am I using the commands wrong, and inadvertently looking at the byte value at an offset that is not 0x3fc0 when using objdump, or is this really an error in objdump?
    – chilliefiber
    Commented Aug 15, 2023 at 12:00

1 Answer 1

Reset to default
1
+100

When a ELF binary is loaded each one of its sections is loaded to a Virtual Memory Address which is different than its raw offset on disk.

Now, objdump shows the contents of the __got's as if it was mapped to it's virtual memory address in 0x3fc0.

However, xxd would show the contents of the same address on raw disk (not mapped).

You could check what is the Virtual Memory Address (VMA) of the __got by using "objdump --section-headers test".

Also the --start-address and --end-address switches/flags are only used for disassembling, print relocations, and print symbols according to the documentation (if I understood correctly)

Improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.