3

I'm new to binary analysis. I am trying to analyse a simple program I compiled from my C code via gcc.

I followed these steps:
1. aaa
2. afl

and I got this output:

0x00000608    3 23           sym._init
0x00000630    1 8            sym.imp.puts
0x00000638    1 8            sym.imp._IO_getc
0x00000640    1 8            sym.imp.__printf_chk
0x00000648    1 8            sym.imp.__cxa_finalize
0x00000650    4 77           sym.main
0x000006a0    1 43           entry0
0x000006d0    4 50   -> 44   sym.deregister_tm_clones
0x00000710    4 66   -> 57   sym.register_tm_clones
0x00000760    5 50           sym.__do_global_dtors_aux
0x000007a0    4 48   -> 42   sym.frame_dummy
0x000007d0    1 24           sym.smth
0x000007f0    4 101          sym.__libc_csu_init
0x00000860    1 2            sym.__libc_csu_fini
0x00000864    1 9            sym._fini

I can get main is the main starting point of the program but I'm worried about what entry0 is. Apparently from what I saw is not a symbol. I tried to run ag @ entry0 and ag @ main and the graphs I saw were very different. By looking at the disassembled code I see this for entry0:

enter image description here

I'm supposing this might be a kind of ELF template function to load the binary and run it from main. What is entry0 really?

Sorry for keeping it so long. Thanks in advance.

1 Answers1

2

You should post RE questions on https://reverseengineering.stackexchange.com/.

entry0 is an alias for the _start symbol, which corresponds to the _start function.

  • The memory address of _start is the program entry point, where control is passed from the loader to the program.
  • The _start function originates from a relocatable ELF object file called crt1.o that is linked into binaries that require the C runtime environment.
$ objdump -dj .text /usr/lib/x86_64-linux-gnu/crt1.o 

/usr/lib/x86_64-linux-gnu/crt1.o:     file format elf64-x86-64


Disassembly of section .text:

0000000000000000 <_start>:
   0: 31 ed                   xor    %ebp,%ebp
   2: 49 89 d1                mov    %rdx,%r9
   5: 5e                      pop    %rsi
   6: 48 89 e2                mov    %rsp,%rdx
   9: 48 83 e4 f0             and    $0xfffffffffffffff0,%rsp
   d: 50                      push   %rax
   e: 54                      push   %rsp
   f: 49 c7 c0 00 00 00 00    mov    $0x0,%r8
  16: 48 c7 c1 00 00 00 00    mov    $0x0,%rcx
  1d: 48 c7 c7 00 00 00 00    mov    $0x0,%rdi
  24: e8 00 00 00 00          callq  29 <_start+0x29>
  29: f4                      hlt

With /bin/cat as an example:

$ readelf -h /bin/cat
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x402602                      <-----
  Start of program headers:          64 (bytes into file)
  Start of section headers:          46112 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         9
  Size of section headers:           64 (bytes)
  Number of section headers:         28
  Section header string table index: 27

The memory address of the entry point is 0x402602.

  402602:       31 ed                   xor    %ebp,%ebp
  402604:       49 89 d1                mov    %rdx,%r9
  402607:       5e                      pop    %rsi
  402608:       48 89 e2                mov    %rsp,%rdx
  40260b:       48 83 e4 f0             and    $0xfffffffffffffff0,%rsp
  40260f:       50                      push   %rax
  402610:       54                      push   %rsp
  402611:       49 c7 c0 60 89 40 00    mov    $0x408960,%r8
  402618:       48 c7 c1 f0 88 40 00    mov    $0x4088f0,%rcx
  40261f:       48 c7 c7 40 1a 40 00    mov    $0x401a40,%rdi
  402626:       e8 d5 f1 ff ff          callq  401800 <__libc_start_main@plt>
  40262b:       f4                      hlt

Recommended reading:

Linux x86 Program Start Up or - How the heck do we get to main()?

What is the use of _start() in C?

Generic System V ABI

julian
  • 357
  • 1
  • 8
  • 17
  • This is a great introduction and the links are amazing. Also yes I shall post at RE next time. Thanks! –  Aug 09 '17 at 21:26