View static link nature from binary code

View static link nature from binary code

Static links are no stranger to everyone. This article will analyze the nature of static links from binary code.

First, list the two source files of the link to be static, which are a. c and B. c respectively, and the files that are successfully linked are AB.

The A.C code is as follows:

extern int shared;extern void swap(int * ,int *);int main(){int a = 100;swap( &a, &shared );}

B. c code is as follows:

int shared = 1;void swap( int* a, int* b ){*a ^= *b ^= *a ^= *b;}

First, use the command gcc-c a. c and gcc-c B. c to generate the relocated files a. o and B. o.

Run the command objdump-h a. o and objdump-h B. o to view the basic segments of the relocated files.

They are shown as follows:

Figure 1

<喎?http: www.bkjia.com kf ware vc " target="_blank" class="keylink"> VcD48cD48aW1nIHNyYz0 = "http://www.2cto.com/uploadfile/Collfiles/20140911/2014091109134673.png" alt = "\"/>

Figure 2

Pay attention to File off and Size. The length of a. o code segment is 0x22, B. o Code segment is 0x4a, and the data segment is 0x4.

Then use the command ld a. o B. o-e main-o AB to link two relocated files.

Run the command objdump-h AB to obtain the following information:

Figure 3

In this case, we do not care about File off. We only care about VMA and Size. VMA is the virtual space of a process. The code segment ranges from 0x4000e8 to 0x400156 and the Size is 0x6e. The data segment ranges from 0x6001b0 to 0x6001b4, And the Size is 0x4.

Observe figure 1 and figure 2,. the code segment of o is 0x22, B. the code segment of o is 0x4a, and the two are 0x6c, and the upper part is aligned with two digits. The last length is 0x6e. The data segment is similar.

In a. c, the shared variables and the swap method are not defined in this file. What will happen to the binary code?

Use objdump-d a. o to view:

Figure 4

At the 13 offset, be is followed by 00000000, which indicates the address of the shared variable. Because there is no link at this time, the default value 00000000 is used, which is obviously a false value.

At the 18 offset, 00000000 after e8 indicates the address of the swap function. Because there is no link at this time, the default value 00000000 is used, which is obviously a false value.

Similarly, use the command objdump-d B. o to view:

Figure 5

This function does not have any functions or variables to be relocated.

We use objdump-d AB to view the link file AB:

Figure 6

For code alignment, two empty commands are added after the main function, so the length of AB is the sum of the length of a. o and B. o plus 2.

We have observed that the data after "be" at "0x4000fb" is not the previous 0x00000000, but 0x6001b0. We know that this data represents the address of the shared variable. Why is this value? See Figure 3. the starting position of the data segment is 0x6001b0, and shared is the only variable. Therefore, 0x6001b0 is the address of the shared variable.

The data after e8 at 0x400103 is not 0x00000000, but 0x00000004. See figure 3 or 6. the starting position of the code segment is 0x4000e8, and the address of the swap function is 0x40010c. Why is 0x00000004 behind e8? Because the actual address transferred by call is 0x400108 + 0x4 in the next command address of call, and the actual address is 0x40010c, which is exactly the address of swap.

So far, this article has been analyzed, referring to the self-cultivation of programmers.