Like Any Good Mechanic We Need Tools. Let's Start with Hexdump.

Tasks and the Tools to Accomplish Them.

Computers are just machines.  They are machines that can do amazing things, but they are still just machines.  To work on a machine you need the right tools for the job.  The jobs included in OS hacking make up a long list, but a few big ones jump out at us.

Programming is the most obvious job we have.  I have been using gvim to write my programs.  I like the simplicity of it and the ability to modify it.  I have also been known to use Atom when writing programs in programming languages other than C or messing with assembly.  Any text editor you prefer is fine for this job.

Debugging is another task that goes hand in hand with programming, and we have already seen several examples.  In HTAE we have used gdb to get our debugging done.  However, gdb may or may not be the best tool for the job.  Just like the different text editors, each debugger does what it does in a different way, even if the difference is only a slightly different command interface.  As we progress we will start looking at some different debuggers so we aren't confined to gdb.

Eventually we are going to get into reverse engineering and the tools of that trade.  As those tasks become necessary we will go over the different tools and how to use them.  Nothing I do here will replace the manual, but I will give a general overview of how to use each tool and what it tells us.

With that in mind, let's get started on some tools with hexdump.

Hexdump

If you've been reading Hacking: The Art of Exploitation along with this blog you know there are places where Jon Erickson displays the hexdump output of a file.  The purpose of this post is to go over what hexdump is and how it is useful.  If we want to understand something we first need to understand a simple example, and the simplest programming example I can think of is the Hello World program.

First Example

Let's start by examining the hello world program with hexdump.  Here is the code for the program if you don't have it memorized by now.

//A program to print hello world.

#include <stdio.h>

int main(void) {
    printf("Hello World!\n");

    return 0;
}

Let's take a look at the hexdump output when we run it on the source file.

$ hexdump hello.c
0000000 2f2f 2041 7270 676f 6172 206d 6f74 7020
0000010 6972 746e 6820 6c65 6f6c 7720 726f 646c
0000020 0a2e 230a 6e69 6c63 6475 2065 733c 6474
0000030 6f69 682e 0a3e 690a 746e 6d20 6961 286e
0000040 6f76 6469 2029 0a7b 2020 2020 7270 6e69
0000050 6674 2228 6548 6c6c 206f 6f57 6c72 2164
0000060 6e5c 2922 0a3b 200a 2020 7220 7465 7275
0000070 206e 3b30 7d0a 000a                    
0000077

That doesn't look like much to me at first glance.  There is noticeable structure, but I need to break down what it means to get anything from it.

As the name suggests, hexdump displays the binary contents of a file in hexadecimal, unless you change the output format with flags, which we won't deal with at this point.  Everything in the output except the first column is the hexadecimal representation of the data in our hello.c file.

The first column is the offset, also in hexadecimal, of the data shown on that line: 0000000 is the offset of the first word, 2f2f, and 0000010 is the offset of the word 6972.  The offset is the distance, in bytes, between a piece of data and the beginning of the file.  One thing to keep in mind is that this default format groups the bytes into 16-bit words and prints each word with its second byte first, so the word 2041 at offset 2 is really the bytes 41 20 ("A" followed by a space) in the file.  The -C output below makes that easier to see.

Let's use the -C flag, which adds a column showing the same bytes as ASCII characters.

$ hexdump -C hello.c
00000000  2f 2f 41 20 70 72 6f 67  72 61 6d 20 74 6f 20 70  |//A program to p|
00000010  72 69 6e 74 20 68 65 6c  6c 6f 20 77 6f 72 6c 64  |rint hello world|
00000020  2e 0a 0a 23 69 6e 63 6c  75 64 65 20 3c 73 74 64  |...#include <std| 
00000030  69 6f 2e 68 3e 0a 0a 69  6e 74 20 6d 61 69 6e 28  |io.h>..int main(|
00000040  76 6f 69 64 29 20 7b 0a  20 20 20 20 70 72 69 6e  |void) {.    prin|
00000050  74 66 28 22 48 65 6c 6c  6f 20 57 6f 72 6c 64 21  |tf("Hello World!|
00000060  5c 6e 22 29 3b 0a 0a 20  20 20 20 72 65 74 75 72  |\n");..    retur|
00000070  6e 20 30 3b 0a 7d 0a                              |n 0;.}.|
00000077

To me this output is far more readable.  I can start matching up characters and bytes in the output.  If you remember, 41 is the ASCII representation of the character "A"; I point that out because we have seen it repeatedly in our previous examples.  If you take the time to compare each byte in the output with an ASCII table you will see that they are all here, including the control characters, which hexdump shows as a dot in the ASCII column.

Just as a refresher, remember that each hexadecimal digit in the output above represents four bits of information, so a pair of digits such as 41 is one byte, or eight bits.  Each ASCII character is one byte.  I think of "bits" as meaning binary to keep the distinction straight.
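To make the two layouts concrete, here is an added example (my own code, not from the post) that reproduces both hexdump formats in Python and runs them over an inline copy of hello.c constructed from the listing above: hexdump_default for the bare command's 16-bit words, and hexdump_canonical for the -C layout with its ASCII column. It also implements one detail that matters when dumping larger files: by default hexdump replaces a run of lines identical to the previous one with a single `*` (the -v flag turns that off), which hexdump_canonical mimics through its squeeze parameter. The function names are mine.

```python
# Added example: re-implementation of the two hexdump output formats shown in
# the post. Not part of the original post; function names are my own.

# hello.c exactly as listed in the post (constructed inline, 0x77 = 119 bytes).
HELLO_C = (
    b"//A program to print hello world.\n"
    b"\n"
    b"#include <stdio.h>\n"
    b"\n"
    b"int main(void) {\n"
    b"    printf(\"Hello World!\\n\");\n"
    b"\n"
    b"    return 0;\n"
    b"}\n"
)


def hexdump_default(data):
    """Bare `hexdump`: 7-digit hex offset, then up to eight 16-bit words.

    Each word is read little-endian, so the bytes 41 20 print as 2041.
    A trailing odd byte is padded with 00 in the high half of its word.
    """
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        words = []
        for i in range(0, len(chunk), 2):
            lo = chunk[i]
            hi = chunk[i + 1] if i + 1 < len(chunk) else 0
            words.append(f"{(hi << 8) | lo:04x}")
        lines.append(f"{off:07x} " + " ".join(words))
    lines.append(f"{len(data):07x}")  # final line is the total length
    return lines


def hexdump_canonical(data, squeeze=True):
    """`hexdump -C`: 8-digit offset, 16 bytes as two groups of eight, then the
    same bytes as ASCII with '.' for anything outside 0x20..0x7e.

    With squeeze=True a run of 16-byte blocks identical to the previous block
    collapses to one '*' line, as hexdump does unless -v is given.
    """
    lines = []
    prev = None
    squeezing = False
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        if squeeze and chunk == prev:
            if not squeezing:
                lines.append("*")
                squeezing = True
            continue
        squeezing = False
        prev = chunk
        hexpart = " ".join(f"{b:02x}" for b in chunk[:8])
        if len(chunk) > 8:
            hexpart += "  " + " ".join(f"{b:02x}" for b in chunk[8:])
        # A full 16-byte row is 48 characters wide; pad short rows so the
        # ASCII column stays aligned (this is why the last row has a gap).
        hexpart = hexpart.ljust(48)
        ascii_col = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  |{ascii_col}|")
    lines.append(f"{len(data):08x}")
    return lines


if __name__ == "__main__":
    print("\n".join(hexdump_default(HELLO_C)))
    print()
    print("\n".join(hexdump_canonical(HELLO_C)))
```

Running the script reproduces the two dumps from the post line for line (apart from trailing padding on the last default-format row). The squeeze behaviour is worth remembering when reading dumps of binaries: a `*` does not mean "unreadable", it means "same as the line above, possibly many times".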

OK, so this is an interesting representation of our file, but it doesn't really give us anything we didn't know already.  If we want to see what's in hello.c we can just open the file and read it.  The real power of hexdump comes when we have a file we aren't able to open up and read.  For example, what happens when we output the contents of the executable that we compiled hello.c into?

$ cat ./hello
ELF44(# 444444�����▒���HHHDDP�td�,,Q�td/lib/ld-linux.so.2GNU GNUlqZ4o��
                                                                       Y§��O[ �  �K��▒1 
@��S�������������t�2�[��5��%��%�h������%������%h�����1�^�����PTRh�h0QVh�������f�f�f�f�f�f�f��$�
f�f�f�f�f�f��-��v▒���tU����h�Ѓ���Ð�t&�-���������t��tU����Ph�҃���Ít&��'�=uU����|�������f�����u듍v
���t�U����P�҃���u����L$����q�U��Q����
                                                                  
h���������M�ɍa��f�f�f��UW1�VS�������u���l$0��                                               
                                                                                     
                               ����=�������)�����t'���D$8�,$�D�D$4�D$�������9�u߃            
                                                                 
      ���������������S���������[�Hello World!(����D+���h`���������zR|  
                                                                               
                                                               ����F                    
                                
                        
                                                                    J           
                                                                     tx?▒;*2$"(@����.D
      GuCu|[
            A�C
               8l����a�A
                        �C�A�N0HA�A�
                                    AA��������
��▒����o����                                 ��
J
 �▒���oP���o���oF��GCC: (Debian 4.9.2-10) 4.9.2GCC: (Debian 4.8.4-1) 4.8.4�.�G�%�.q�s�i�zO�.�%


              >
               $

                >
                .?:
                   ;
hello.c�long long intlong long unsigned int/home/exploit/Hacking/ProgrammingGNU C 
4.9.2 -mtune=generic -march=i586 -gunsigned charmainshort unsigned intshort 
inthello.csizetype.symtab.strtab.shstrtab.interp.note.ABI-tag.note.gnu.build-id.gnu.hash.
dynsym.dynstr.gnu.version.gnu.version_r.rel.dyn.rel.plt.init.text.fini.rodata.eh_frame_hdr.
eh_frame.init_array.fini_array.jcr.dynamic.got.got.plt.data.bss.comment.debug_aranges.
debug_info.debug_abbrev.debug_line.debug_str4Hh���Fp�  x�
��
 �
�������▒▒�
���Ж▒q�w▒�� ▒����0a�
 $▒0 J��
       crtstuff.c__JCR_LIST__deregister_tm_clonesregister_tm_clones__do_global_dtors_
auxcompleted.6279__do_global_dtors_aux_fini_array_entryframe_dummy__frame_dummy_init_array_
entryhello.c__FRAME_END____JCR_END____init_array_end_DYNAMIC__init_array_start_
GLOBAL_OFFSET_TABLE___libc_csu_fini_ITM_deregisterTMCloneTable__x86.get_pc_thunk.
bxdata_start_edata_fini__data_startputs@@GLIBC_2.0__gmon_start____dso_handle_IO_stdin_used__
libc_start_main@@GLIBC_2.0__libc_csu_init_end_start_fp_hw__bss_startmain_Jv_RegisterClasses__
TMC_END___ITM_registerTMCloneTable_init4#HH 1hh$D���o�� N
                  ��PV��J^���oFF
k���oPP z       �p      Bxx▒
                           ���#��@����������,��������������������▒���0�9        )�!�D/�9;0�F0

There is a lot of unreadable information in here.  So let's compare this output to the output of hexdump.

$ hexdump -C ./hello
00000000  7f 45 4c 46 01 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 03 00 01 00 00 00  00 83 04 08 34 00 00 00  |............4...|
00000020  00 11 00 00 00 00 00 00  34 00 20 00 08 00 28 00  |........4. ...(.|
00000030  23 00 20 00 06 00 00 00  34 00 00 00 34 80 04 08  |#. .....4...4...|
00000040  34 80 04 08 00 01 00 00  00 01 00 00 05 00 00 00  |4...............|
00000050  04 00 00 00 03 00 00 00  34 01 00 00 34 81 04 08  |........4...4...|
00000060  34 81 04 08 13 00 00 00  13 00 00 00 04 00 00 00  |4...............|
00000070  01 00 00 00 01 00 00 00  00 00 00 00 00 80 04 08  |................|
00000080  00 80 04 08 b8 05 00 00  b8 05 00 00 05 00 00 00  |................|
00000090  00 10 00 00 01 00 00 00  b8 05 00 00 b8 95 04 08  |................|
000000a0  b8 95 04 08 18 01 00 00  1c 01 00 00 06 00 00 00  |................|
000000b0  00 10 00 00 02 00 00 00  c4 05 00 00 c4 95 04 08  |................|
000000c0  c4 95 04 08 e8 00 00 00  e8 00 00 00 06 00 00 00  |................|
000000d0  04 00 00 00 04 00 00 00  48 01 00 00 48 81 04 08  |........H...H...|
000000e0  48 81 04 08 44 00 00 00  44 00 00 00 04 00 00 00  |H...D...D.......|
000000f0  04 00 00 00 50 e5 74 64  d0 04 00 00 d0 84 04 08  |....P.td........|
00000100  d0 84 04 08 2c 00 00 00  2c 00 00 00 04 00 00 00  |....,...,.......|
00000110  04 00 00 00 51 e5 74 64  00 00 00 00 00 00 00 00  |....Q.td........|
00000120  00 00 00 00 00 00 00 00  00 00 00 00 06 00 00 00  |................|
00000130  10 00 00 00 2f 6c 69 62  2f 6c 64 2d 6c 69 6e 75  |..../lib/ld-linu|
00000140  78 2e 73 6f 2e 32 00 00  04 00 00 00 10 00 00 00  |x.so.2..........|
00000150  01 00 00 00 47 4e 55 00  00 00 00 00 02 00 00 00  |....GNU.........|
00000160  06 00 00 00 20 00 00 00  04 00 00 00 14 00 00 00  |.... ...........|
00000170  03 00 00 00 47 4e 55 00  6c 71 5a 34 6f ef b0 0f  |....GNU.lqZ4o...|
00000180  0c 59 c2 a7 17 b7 8f 4f  5b c2 a0 b3 02 00 00 00  |.Y.....O[.......|
00000190  04 00 00 00 01 00 00 00  05 00 00 00 00 20 00 20  |............. . |
000001a0  00 00 00 00 04 00 00 00  ad 4b e3 c0 00 00 00 00  |.........K......|
000001b0  00 00 00 00 00 00 00 00  00 00 00 00 1a 00 00 00  |................|
000001c0  00 00 00 00 00 00 00 00  12 00 00 00 31 00 00 00  |............1...|
000001d0  00 00 00 00 00 00 00 00  20 00 00 00 1f 00 00 00  |........ .......|
000001e0  00 00 00 00 00 00 00 00  12 00 00 00 0b 00 00 00  |................|
000001f0  bc 84 04 08 04 00 00 00  11 00 0f 00 00 6c 69 62  |.............lib|
00000200  63 2e 73 6f 2e 36 00 5f  49 4f 5f 73 74 64 69 6e  |c.so.6._IO_stdin|
00000210  5f 75 73 65 64 00 70 75  74 73 00 5f 5f 6c 69 62  |_used.puts.__lib|
00000220  63 5f 73 74 61 72 74 5f  6d 61 69 6e 00 5f 5f 67  |c_start_main.__g|
00000230  6d 6f 6e 5f 73 74 61 72  74 5f 5f 00 47 4c 49 42  |mon_start__.GLIB|
00000240  43 5f 32 2e 30 00 00 00  02 00 00 00 02 00 01 00  |C_2.0...........|
00000250  01 00 01 00 01 00 00 00  10 00 00 00 00 00 00 00  |................|
00000260  10 69 69 0d 00 00 02 00  40 00 00 00 00 00 00 00  |.ii.....@.......|
00000270  ac 96 04 08 06 02 00 00  bc 96 04 08 07 01 00 00  |................|
00000280  c0 96 04 08 07 02 00 00  c4 96 04 08 07 03 00 00  |................|
00000290  53 83 ec 08 e8 97 00 00  00 81 c3 17 14 00 00 8b  |S...............|
000002a0  83 fc ff ff ff 85 c0 74  05 e8 32 00 00 00 83 c4  |.......t..2.....|
000002b0  08 5b c3 00 00 00 00 00  00 00 00 00 00 00 00 00  |.[..............|
000002c0  ff 35 b4 96 04 08 ff 25  b8 96 04 08 00 00 00 00  |.5.....%........|
000002d0  ff 25 bc 96 04 08 68 00  00 00 00 e9 e0 ff ff ff  |.%....h.........|
000002e0  ff 25 c0 96 04 08 68 08  00 00 00 e9 d0 ff ff ff  |.%....h.........|
000002f0  ff 25 c4 96 04 08 68 10  00 00 00 e9 c0 ff ff ff  |.%....h.........|
00000300  31 ed 5e 89 e1 83 e4 f0  50 54 52 68 a0 84 04 08  |1.^.....PTRh....|
00000310  68 30 84 04 08 51 56 68  fb 83 04 08 e8 cf ff ff  |h0...QVh........|
00000320  ff f4 66 90 66 90 66 90  66 90 66 90 66 90 66 90  |..f.f.f.f.f.f.f.|
00000330  8b 1c 24 c3 66 90 66 90  66 90 66 90 66 90 66 90  |..$.f.f.f.f.f.f.|
00000340  b8 d3 96 04 08 2d d0 96  04 08 83 f8 06 76 1a b8  |.....-.......v..|
00000350  00 00 00 00 85 c0 74 11  55 89 e5 83 ec 14 68 d0  |......t.U.....h.|
00000360  96 04 08 ff d0 83 c4 10  c9 f3 c3 90 8d 74 26 00  |.............t&.|
00000370  b8 d0 96 04 08 2d d0 96  04 08 c1 f8 02 89 c2 c1  |.....-..........|
00000380  ea 1f 01 d0 d1 f8 74 1b  ba 00 00 00 00 85 d2 74  |......t........t|
00000390  12 55 89 e5 83 ec 10 50  68 d0 96 04 08 ff d2 83  |.U.....Ph.......|
000003a0  c4 10 c9 f3 c3 8d 74 26  00 8d bc 27 00 00 00 00  |......t&...'....|
000003b0  80 3d d0 96 04 08 00 75  13 55 89 e5 83 ec 08 e8  |.=.....u.U......|
000003c0  7c ff ff ff c6 05 d0 96  04 08 01 c9 f3 c3 66 90  ||.............f.|
000003d0  b8 c0 95 04 08 8b 10 85  d2 75 05 eb 93 8d 76 00  |.........u....v.|
000003e0  ba 00 00 00 00 85 d2 74  f2 55 89 e5 83 ec 14 50  |.......t.U.....P|
000003f0  ff d2 83 c4 10 c9 e9 75  ff ff ff 8d 4c 24 04 83  |.......u....L$..|
00000400  e4 f0 ff 71 fc 55 89 e5  51 83 ec 04 83 ec 0c 68  |...q.U..Q......h|
00000410  c0 84 04 08 e8 b7 fe ff  ff 83 c4 10 b8 00 00 00  |................|
00000420  00 8b 4d fc c9 8d 61 fc  c3 66 90 66 90 66 90 90  |..M...a..f.f.f..|
00000430  55 57 31 ff 56 53 e8 f5  fe ff ff 81 c3 75 12 00  |UW1.VS.......u..|
00000440  00 83 ec 1c 8b 6c 24 30  8d b3 0c ff ff ff e8 3d  |.....l$0.......=|
00000450  fe ff ff 8d 83 08 ff ff  ff 29 c6 c1 fe 02 85 f6  |.........)......|
00000460  74 27 8d b6 00 00 00 00  8b 44 24 38 89 2c 24 89  |t'.......D$8.,$.|
00000470  44 24 08 8b 44 24 34 89  44 24 04 ff 94 bb 08 ff  |D$..D$4.D$......|
00000480  ff ff 83 c7 01 39 f7 75  df 83 c4 1c 5b 5e 5f 5d  |.....9.u....[^_]|
00000490  c3 eb 0d 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
000004a0  f3 c3 00 00 53 83 ec 08  e8 83 fe ff ff 81 c3 03  |....S...........|
000004b0  12 00 00 83 c4 08 5b c3  03 00 00 00 01 00 02 00  |......[.........|
000004c0  48 65 6c 6c 6f 20 57 6f  72 6c 64 21 00 00 00 00  |Hello World!....|
000004d0  01 1b 03 3b 28 00 00 00  04 00 00 00 f0 fd ff ff  |...;(...........|
000004e0  44 00 00 00 2b ff ff ff  68 00 00 00 60 ff ff ff  |D...+...h...`...|
000004f0  94 00 00 00 d0 ff ff ff  d0 00 00 00 14 00 00 00  |................|
00000500  00 00 00 00 01 7a 52 00  01 7c 08 01 1b 0c 04 04  |.....zR..|......|
00000510  88 01 00 00 20 00 00 00  1c 00 00 00 a4 fd ff ff  |.... ...........|
00000520  40 00 00 00 00 0e 08 46  0e 0c 4a 0f 0b 74 04 78  |@......F..J..t.x|
00000530  00 3f 1a 3b 2a 32 24 22  28 00 00 00 40 00 00 00  |.?.;*2$"(...@...|
00000540  bb fe ff ff 2e 00 00 00  00 44 0c 01 00 47 10 05  |.........D...G..|
00000550  02 75 00 43 0f 03 75 7c  06 5b 0c 01 00 41 c5 43  |.u.C..u|.[...A.C|
00000560  0c 04 04 00 38 00 00 00  6c 00 00 00 c4 fe ff ff  |....8...l.......|
00000570  61 00 00 00 00 41 0e 08  85 02 41 0e 0c 87 03 43  |a....A....A....C|
00000580  0e 10 86 04 41 0e 14 83  05 4e 0e 30 02 48 0e 14  |....A....N.0.H..|
00000590  41 c3 0e 10 41 c6 0e 0c  41 c7 0e 08 41 c5 0e 04  |A...A...A...A...|
000005a0  10 00 00 00 a8 00 00 00  f8 fe ff ff 02 00 00 00  |................|
000005b0  00 00 00 00 00 00 00 00  d0 83 04 08 b0 83 04 08  |................|
000005c0  00 00 00 00 01 00 00 00  01 00 00 00 0c 00 00 00  |................|
000005d0  90 82 04 08 0d 00 00 00  a4 84 04 08 19 00 00 00  |................|
000005e0  b8 95 04 08 1b 00 00 00  04 00 00 00 1a 00 00 00  |................|
000005f0  bc 95 04 08 1c 00 00 00  04 00 00 00 f5 fe ff 6f  |...............o|
00000600  8c 81 04 08 05 00 00 00  fc 81 04 08 06 00 00 00  |................|
00000610  ac 81 04 08 0a 00 00 00  4a 00 00 00 0b 00 00 00  |........J.......|
00000620  10 00 00 00 15 00 00 00  00 00 00 00 03 00 00 00  |................|
00000630  b0 96 04 08 02 00 00 00  18 00 00 00 14 00 00 00  |................|
00000640  11 00 00 00 17 00 00 00  78 82 04 08 11 00 00 00  |........x.......|
00000650  70 82 04 08 12 00 00 00  08 00 00 00 13 00 00 00  |p...............|
00000660  08 00 00 00 fe ff ff 6f  50 82 04 08 ff ff ff 6f  |.......oP......o|
00000670  01 00 00 00 f0 ff ff 6f  46 82 04 08 00 00 00 00  |.......oF.......|
00000680  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000006b0  c4 95 04 08 00 00 00 00  00 00 00 00 d6 82 04 08  |................|
000006c0  e6 82 04 08 f6 82 04 08  00 00 00 00 00 00 00 00  |................|
000006d0  47 43 43 3a 20 28 44 65  62 69 61 6e 20 34 2e 39  |GCC: (Debian 4.9|
000006e0  2e 32 2d 31 30 29 20 34  2e 39 2e 32 00 47 43 43  |.2-10) 4.9.2.GCC|
000006f0  3a 20 28 44 65 62 69 61  6e 20 34 2e 38 2e 34 2d  |: (Debian 4.8.4-|
00000700  31 29 20 34 2e 38 2e 34  00 1c 00 00 00 02 00 00  |1) 4.8.4........|
00000710  00 00 00 04 00 00 00 00  00 fb 83 04 08 2e 00 00  |................|
00000720  00 00 00 00 00 00 00 00  00 8b 00 00 00 04 00 00  |................|
00000730  00 00 00 04 01 47 00 00  00 01 a1 00 00 00 25 00  |.....G........%.|
00000740  00 00 fb 83 04 08 2e 00  00 00 00 00 00 00 02 04  |................|
00000750  07 18 00 00 00 02 01 08  71 00 00 00 02 02 07 84  |........q.......|
00000760  00 00 00 02 04 07 13 00  00 00 02 01 06 73 00 00  |.............s..|
00000770  00 02 02 05 97 00 00 00  03 04 05 69 6e 74 00 02  |...........int..|
00000780  08 05 00 00 00 00 02 08  07 0e 00 00 00 02 04 05  |................|
00000790  05 00 00 00 02 04 07 a9  00 00 00 02 01 06 7a 00  |..............z.|
000007a0  00 00 04 7f 00 00 00 01  05 4f 00 00 00 fb 83 04  |.........O......|
000007b0  08 2e 00 00 00 01 9c 00  01 11 01 25 0e 13 0b 03  |...........%....|
000007c0  0e 1b 0e 11 01 12 06 10  17 00 00 02 24 00 0b 0b  |............$...|
000007d0  3e 0b 03 0e 00 00 03 24  00 0b 0b 3e 0b 03 08 00  |>......$...>....|
000007e0  00 04 2e 00 3f 19 03 0e  3a 0b 3b 0b 27 19 49 13  |....?...:.;.'.I.|
000007f0  11 01 12 06 40 18 96 42  19 00 00 00 35 00 00 00  |....@..B....5...|
00000800  02 00 1e 00 00 00 01 01  fb 0e 0d 00 01 01 01 01  |................|
00000810  00 00 00 01 00 00 01 00  68 65 6c 6c 6f 2e 63 00  |........hello.c.|
00000820  00 00 00 00 00 05 02 fb  83 04 08 16 08 13 f4 59  |...............Y|
00000830  02 08 00 01 01 6c 6f 6e  67 20 6c 6f 6e 67 20 69  |.....long long i|
00000840  6e 74 00 6c 6f 6e 67 20  6c 6f 6e 67 20 75 6e 73  |nt.long long uns|
00000850  69 67 6e 65 64 20 69 6e  74 00 2f 68 6f 6d 65 2f  |igned int./home/|
00000860  65 78 70 6c 6f 69 74 2f  48 61 63 6b 69 6e 67 2f  |exploit/Hacking/|
00000870  50 72 6f 67 72 61 6d 6d  69 6e 67 00 47 4e 55 20  |Programming.GNU |
00000880  43 20 34 2e 39 2e 32 20  2d 6d 74 75 6e 65 3d 67  |C 4.9.2 -mtune=g|
00000890  65 6e 65 72 69 63 20 2d  6d 61 72 63 68 3d 69 35  |eneric -march=i5|
000008a0  38 36 20 2d 67 00 75 6e  73 69 67 6e 65 64 20 63  |86 -g.unsigned c|
000008b0  68 61 72 00 6d 61 69 6e  00 73 68 6f 72 74 20 75  |har.main.short u|
000008c0  6e 73 69 67 6e 65 64 20  69 6e 74 00 73 68 6f 72  |nsigned int.shor|
000008d0  74 20 69 6e 74 00 68 65  6c 6c 6f 2e 63 00 73 69  |t int.hello.c.si|
000008e0  7a 65 74 79 70 65 00 00  2e 73 79 6d 74 61 62 00  |zetype...symtab.|
000008f0  2e 73 74 72 74 61 62 00  2e 73 68 73 74 72 74 61  |.strtab..shstrta|
00000900  62 00 2e 69 6e 74 65 72  70 00 2e 6e 6f 74 65 2e  |b..interp..note.|
00000910  41 42 49 2d 74 61 67 00  2e 6e 6f 74 65 2e 67 6e  |ABI-tag..note.gn|
00000920  75 2e 62 75 69 6c 64 2d  69 64 00 2e 67 6e 75 2e  |u.build-id..gnu.|
00000930  68 61 73 68 00 2e 64 79  6e 73 79 6d 00 2e 64 79  |hash..dynsym..dy|
00000940  6e 73 74 72 00 2e 67 6e  75 2e 76 65 72 73 69 6f  |nstr..gnu.versio|
00000950  6e 00 2e 67 6e 75 2e 76  65 72 73 69 6f 6e 5f 72  |n..gnu.version_r|
00000960  00 2e 72 65 6c 2e 64 79  6e 00 2e 72 65 6c 2e 70  |..rel.dyn..rel.p|
00000970  6c 74 00 2e 69 6e 69 74  00 2e 74 65 78 74 00 2e  |lt..init..text..|
00000980  66 69 6e 69 00 2e 72 6f  64 61 74 61 00 2e 65 68  |fini..rodata..eh|
00000990  5f 66 72 61 6d 65 5f 68  64 72 00 2e 65 68 5f 66  |_frame_hdr..eh_f|
000009a0  72 61 6d 65 00 2e 69 6e  69 74 5f 61 72 72 61 79  |rame..init_array|
000009b0  00 2e 66 69 6e 69 5f 61  72 72 61 79 00 2e 6a 63  |..fini_array..jc|
000009c0  72 00 2e 64 79 6e 61 6d  69 63 00 2e 67 6f 74 00  |r..dynamic..got.|
000009d0  2e 67 6f 74 2e 70 6c 74  00 2e 64 61 74 61 00 2e  |.got.plt..data..|
000009e0  62 73 73 00 2e 63 6f 6d  6d 65 6e 74 00 2e 64 65  |bss..comment..de|
000009f0  62 75 67 5f 61 72 61 6e  67 65 73 00 2e 64 65 62  |bug_aranges..deb|
00000a00  75 67 5f 69 6e 66 6f 00  2e 64 65 62 75 67 5f 61  |ug_info..debug_a|
00000a10  62 62 72 65 76 00 2e 64  65 62 75 67 5f 6c 69 6e  |bbrev..debug_lin|
00000a20  65 00 2e 64 65 62 75 67  5f 73 74 72 00 00 00 00  |e..debug_str....|
00000a30  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000a40  00 00 00 00 34 81 04 08  00 00 00 00 03 00 01 00  |....4...........|
00000a50  00 00 00 00 48 81 04 08  00 00 00 00 03 00 02 00  |....H...........|
00000a60  00 00 00 00 68 81 04 08  00 00 00 00 03 00 03 00  |....h...........|
00000a70  00 00 00 00 8c 81 04 08  00 00 00 00 03 00 04 00  |................|
00000a80  00 00 00 00 ac 81 04 08  00 00 00 00 03 00 05 00  |................|
00000a90  00 00 00 00 fc 81 04 08  00 00 00 00 03 00 06 00  |................|
00000aa0  00 00 00 00 46 82 04 08  00 00 00 00 03 00 07 00  |....F...........|
00000ab0  00 00 00 00 50 82 04 08  00 00 00 00 03 00 08 00  |....P...........|
00000ac0  00 00 00 00 70 82 04 08  00 00 00 00 03 00 09 00  |....p...........|
00000ad0  00 00 00 00 78 82 04 08  00 00 00 00 03 00 0a 00  |....x...........|
00000ae0  00 00 00 00 90 82 04 08  00 00 00 00 03 00 0b 00  |................|
00000af0  00 00 00 00 c0 82 04 08  00 00 00 00 03 00 0c 00  |................|
00000b00  00 00 00 00 00 83 04 08  00 00 00 00 03 00 0d 00  |................|
00000b10  00 00 00 00 a4 84 04 08  00 00 00 00 03 00 0e 00  |................|
00000b20  00 00 00 00 b8 84 04 08  00 00 00 00 03 00 0f 00  |................|
00000b30  00 00 00 00 d0 84 04 08  00 00 00 00 03 00 10 00  |................|
00000b40  00 00 00 00 fc 84 04 08  00 00 00 00 03 00 11 00  |................|
00000b50  00 00 00 00 b8 95 04 08  00 00 00 00 03 00 12 00  |................|
00000b60  00 00 00 00 bc 95 04 08  00 00 00 00 03 00 13 00  |................|
00000b70  00 00 00 00 c0 95 04 08  00 00 00 00 03 00 14 00  |................|
00000b80  00 00 00 00 c4 95 04 08  00 00 00 00 03 00 15 00  |................|
00000b90  00 00 00 00 ac 96 04 08  00 00 00 00 03 00 16 00  |................|
00000ba0  00 00 00 00 b0 96 04 08  00 00 00 00 03 00 17 00  |................|
00000bb0  00 00 00 00 c8 96 04 08  00 00 00 00 03 00 18 00  |................|
00000bc0  00 00 00 00 d0 96 04 08  00 00 00 00 03 00 19 00  |................|
00000bd0  00 00 00 00 00 00 00 00  00 00 00 00 03 00 1a 00  |................|
00000be0  00 00 00 00 00 00 00 00  00 00 00 00 03 00 1b 00  |................|
00000bf0  00 00 00 00 00 00 00 00  00 00 00 00 03 00 1c 00  |................|
00000c00  00 00 00 00 00 00 00 00  00 00 00 00 03 00 1d 00  |................|
00000c10  00 00 00 00 00 00 00 00  00 00 00 00 03 00 1e 00  |................|
00000c20  00 00 00 00 00 00 00 00  00 00 00 00 03 00 1f 00  |................|
00000c30  01 00 00 00 00 00 00 00  00 00 00 00 04 00 f1 ff  |................|
00000c40  0c 00 00 00 c0 95 04 08  00 00 00 00 01 00 14 00  |................|
00000c50  19 00 00 00 40 83 04 08  00 00 00 00 02 00 0d 00  |....@...........|
00000c60  2e 00 00 00 70 83 04 08  00 00 00 00 02 00 0d 00  |....p...........|
00000c70  41 00 00 00 b0 83 04 08  00 00 00 00 02 00 0d 00  |A...............|
00000c80  57 00 00 00 d0 96 04 08  01 00 00 00 01 00 19 00  |W...............|
00000c90  66 00 00 00 bc 95 04 08  00 00 00 00 01 00 13 00  |f...............|
00000ca0  8d 00 00 00 d0 83 04 08  00 00 00 00 02 00 0d 00  |................|
00000cb0  99 00 00 00 b8 95 04 08  00 00 00 00 01 00 12 00  |................|
00000cc0  b8 00 00 00 00 00 00 00  00 00 00 00 04 00 f1 ff  |................|
00000cd0  01 00 00 00 00 00 00 00  00 00 00 00 04 00 f1 ff  |................|
00000ce0  c0 00 00 00 b4 85 04 08  00 00 00 00 01 00 11 00  |................|
00000cf0  ce 00 00 00 c0 95 04 08  00 00 00 00 01 00 14 00  |................|
00000d00  00 00 00 00 00 00 00 00  00 00 00 00 04 00 f1 ff  |................|
00000d10  da 00 00 00 bc 95 04 08  00 00 00 00 00 00 12 00  |................|
00000d20  eb 00 00 00 c4 95 04 08  00 00 00 00 01 00 15 00  |................|
00000d30  f4 00 00 00 b8 95 04 08  00 00 00 00 00 00 12 00  |................|
00000d40  07 01 00 00 b0 96 04 08  00 00 00 00 01 00 17 00  |................|
00000d50  1d 01 00 00 a0 84 04 08  02 00 00 00 12 00 0d 00  |................|
00000d60  2d 01 00 00 00 00 00 00  00 00 00 00 20 00 00 00  |-........... ...|
00000d70  49 01 00 00 30 83 04 08  04 00 00 00 12 02 0d 00  |I...0...........|
00000d80  5f 01 00 00 c8 96 04 08  00 00 00 00 20 00 18 00  |_........... ...|
00000d90  6a 01 00 00 d0 96 04 08  00 00 00 00 10 00 18 00  |j...............|
00000da0  71 01 00 00 a4 84 04 08  00 00 00 00 12 00 0e 00  |q...............|
00000db0  77 01 00 00 c8 96 04 08  00 00 00 00 10 00 18 00  |w...............|
00000dc0  84 01 00 00 00 00 00 00  00 00 00 00 12 00 00 00  |................|
00000dd0  94 01 00 00 00 00 00 00  00 00 00 00 20 00 00 00  |............ ...|
00000de0  a3 01 00 00 cc 96 04 08  00 00 00 00 11 02 18 00  |................|
00000df0  b0 01 00 00 bc 84 04 08  04 00 00 00 11 00 0f 00  |................|
00000e00  bf 01 00 00 00 00 00 00  00 00 00 00 12 00 00 00  |................|
00000e10  dc 01 00 00 30 84 04 08  61 00 00 00 12 00 0d 00  |....0...a.......|
00000e20  ec 01 00 00 d4 96 04 08  00 00 00 00 10 00 19 00  |................|
00000e30  f1 01 00 00 00 83 04 08  00 00 00 00 12 00 0d 00  |................|
00000e40  f8 01 00 00 b8 84 04 08  04 00 00 00 11 00 0f 00  |................|
00000e50  ff 01 00 00 d0 96 04 08  00 00 00 00 10 00 19 00  |................|
00000e60  0b 02 00 00 fb 83 04 08  2e 00 00 00 12 00 0d 00  |................|
00000e70  10 02 00 00 00 00 00 00  00 00 00 00 20 00 00 00  |............ ...|
00000e80  24 02 00 00 d0 96 04 08  00 00 00 00 11 02 18 00  |$...............|
00000e90  30 02 00 00 00 00 00 00  00 00 00 00 20 00 00 00  |0........... ...|
00000ea0  4a 02 00 00 90 82 04 08  00 00 00 00 12 00 0b 00  |J...............|
00000eb0  00 63 72 74 73 74 75 66  66 2e 63 00 5f 5f 4a 43  |.crtstuff.c.__JC|
00000ec0  52 5f 4c 49 53 54 5f 5f  00 64 65 72 65 67 69 73  |R_LIST__.deregis|
00000ed0  74 65 72 5f 74 6d 5f 63  6c 6f 6e 65 73 00 72 65  |ter_tm_clones.re|
00000ee0  67 69 73 74 65 72 5f 74  6d 5f 63 6c 6f 6e 65 73  |gister_tm_clones|
00000ef0  00 5f 5f 64 6f 5f 67 6c  6f 62 61 6c 5f 64 74 6f  |.__do_global_dto|
00000f00  72 73 5f 61 75 78 00 63  6f 6d 70 6c 65 74 65 64  |rs_aux.completed|
00000f10  2e 36 32 37 39 00 5f 5f  64 6f 5f 67 6c 6f 62 61  |.6279.__do_globa|
00000f20  6c 5f 64 74 6f 72 73 5f  61 75 78 5f 66 69 6e 69  |l_dtors_aux_fini|
00000f30  5f 61 72 72 61 79 5f 65  6e 74 72 79 00 66 72 61  |_array_entry.fra|
00000f40  6d 65 5f 64 75 6d 6d 79  00 5f 5f 66 72 61 6d 65  |me_dummy.__frame|
00000f50  5f 64 75 6d 6d 79 5f 69  6e 69 74 5f 61 72 72 61  |_dummy_init_arra|
00000f60  79 5f 65 6e 74 72 79 00  68 65 6c 6c 6f 2e 63 00  |y_entry.hello.c.|
00000f70  5f 5f 46 52 41 4d 45 5f  45 4e 44 5f 5f 00 5f 5f  |__FRAME_END__.__|
00000f80  4a 43 52 5f 45 4e 44 5f  5f 00 5f 5f 69 6e 69 74  |JCR_END__.__init|
00000f90  5f 61 72 72 61 79 5f 65  6e 64 00 5f 44 59 4e 41  |_array_end._DYNA|
00000fa0  4d 49 43 00 5f 5f 69 6e  69 74 5f 61 72 72 61 79  |MIC.__init_array|
00000fb0  5f 73 74 61 72 74 00 5f  47 4c 4f 42 41 4c 5f 4f  |_start._GLOBAL_O|
00000fc0  46 46 53 45 54 5f 54 41  42 4c 45 5f 00 5f 5f 6c  |FFSET_TABLE_.__l|
00000fd0  69 62 63 5f 63 73 75 5f  66 69 6e 69 00 5f 49 54  |ibc_csu_fini._IT|
00000fe0  4d 5f 64 65 72 65 67 69  73 74 65 72 54 4d 43 6c  |M_deregisterTMCl|
00000ff0  6f 6e 65 54 61 62 6c 65  00 5f 5f 78 38 36 2e 67  |oneTable.__x86.g|
00001000  65 74 5f 70 63 5f 74 68  75 6e 6b 2e 62 78 00 64  |et_pc_thunk.bx.d|
00001010  61 74 61 5f 73 74 61 72  74 00 5f 65 64 61 74 61  |ata_start._edata|
00001020  00 5f 66 69 6e 69 00 5f  5f 64 61 74 61 5f 73 74  |._fini.__data_st|
00001030  61 72 74 00 70 75 74 73  40 40 47 4c 49 42 43 5f  |art.puts@@GLIBC_|
00001040  32 2e 30 00 5f 5f 67 6d  6f 6e 5f 73 74 61 72 74  |2.0.__gmon_start|
00001050  5f 5f 00 5f 5f 64 73 6f  5f 68 61 6e 64 6c 65 00  |__.__dso_handle.|
00001060  5f 49 4f 5f 73 74 64 69  6e 5f 75 73 65 64 00 5f  |_IO_stdin_used._|
00001070  5f 6c 69 62 63 5f 73 74  61 72 74 5f 6d 61 69 6e  |_libc_start_main|
00001080  40 40 47 4c 49 42 43 5f  32 2e 30 00 5f 5f 6c 69  |@@GLIBC_2.0.__li|
00001090  62 63 5f 63 73 75 5f 69  6e 69 74 00 5f 65 6e 64  |bc_csu_init._end|
000010a0  00 5f 73 74 61 72 74 00  5f 66 70 5f 68 77 00 5f  |._start._fp_hw._|
000010b0  5f 62 73 73 5f 73 74 61  72 74 00 6d 61 69 6e 00  |_bss_start.main.|
000010c0  5f 4a 76 5f 52 65 67 69  73 74 65 72 43 6c 61 73  |_Jv_RegisterClas|
000010d0  73 65 73 00 5f 5f 54 4d  43 5f 45 4e 44 5f 5f 00  |ses.__TMC_END__.|
000010e0  5f 49 54 4d 5f 72 65 67  69 73 74 65 72 54 4d 43  |_ITM_registerTMC|
000010f0  6c 6f 6e 65 54 61 62 6c  65 00 5f 69 6e 69 74 00  |loneTable._init.|
00001100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00001120  00 00 00 00 00 00 00 00  1b 00 00 00 01 00 00 00  |................|
00001130  02 00 00 00 34 81 04 08  34 01 00 00 13 00 00 00  |....4...4.......|
00001140  00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|
00001150  23 00 00 00 07 00 00 00  02 00 00 00 48 81 04 08  |#...........H...|
00001160  48 01 00 00 20 00 00 00  00 00 00 00 00 00 00 00  |H... ...........|
00001170  04 00 00 00 00 00 00 00  31 00 00 00 07 00 00 00  |........1.......|
00001180  02 00 00 00 68 81 04 08  68 01 00 00 24 00 00 00  |....h...h...$...|
00001190  00 00 00 00 00 00 00 00  04 00 00 00 00 00 00 00  |................|
000011a0  44 00 00 00 f6 ff ff 6f  02 00 00 00 8c 81 04 08  |D......o........|
000011b0  8c 01 00 00 20 00 00 00  05 00 00 00 00 00 00 00  |.... ...........|
000011c0  04 00 00 00 04 00 00 00  4e 00 00 00 0b 00 00 00  |........N.......|
000011d0  02 00 00 00 ac 81 04 08  ac 01 00 00 50 00 00 00  |............P...|
000011e0  06 00 00 00 01 00 00 00  04 00 00 00 10 00 00 00  |................|
000011f0  56 00 00 00 03 00 00 00  02 00 00 00 fc 81 04 08  |V...............|
00001200  fc 01 00 00 4a 00 00 00  00 00 00 00 00 00 00 00  |....J...........|
00001210  01 00 00 00 00 00 00 00  5e 00 00 00 ff ff ff 6f  |........^......o|
00001220  02 00 00 00 46 82 04 08  46 02 00 00 0a 00 00 00  |....F...F.......|
00001230  05 00 00 00 00 00 00 00  02 00 00 00 02 00 00 00  |................|
00001240  6b 00 00 00 fe ff ff 6f  02 00 00 00 50 82 04 08  |k......o....P...|
00001250  50 02 00 00 20 00 00 00  06 00 00 00 01 00 00 00  |P... ...........|
00001260  04 00 00 00 00 00 00 00  7a 00 00 00 09 00 00 00  |........z.......|
00001270  02 00 00 00 70 82 04 08  70 02 00 00 08 00 00 00  |....p...p.......|
00001280  05 00 00 00 00 00 00 00  04 00 00 00 08 00 00 00  |................|
00001290  83 00 00 00 09 00 00 00  42 00 00 00 78 82 04 08  |........B...x...|
000012a0  78 02 00 00 18 00 00 00  05 00 00 00 0c 00 00 00  |x...............|
000012b0  04 00 00 00 08 00 00 00  8c 00 00 00 01 00 00 00  |................|
000012c0  06 00 00 00 90 82 04 08  90 02 00 00 23 00 00 00  |............#...|
000012d0  00 00 00 00 00 00 00 00  04 00 00 00 00 00 00 00  |................|
000012e0  87 00 00 00 01 00 00 00  06 00 00 00 c0 82 04 08  |................|
000012f0  c0 02 00 00 40 00 00 00  00 00 00 00 00 00 00 00  |....@...........|
00001300  10 00 00 00 04 00 00 00  92 00 00 00 01 00 00 00  |................|
00001310  06 00 00 00 00 83 04 08  00 03 00 00 a2 01 00 00  |................|
00001320  00 00 00 00 00 00 00 00  10 00 00 00 00 00 00 00  |................|
00001330  98 00 00 00 01 00 00 00  06 00 00 00 a4 84 04 08  |................|
00001340  a4 04 00 00 14 00 00 00  00 00 00 00 00 00 00 00  |................|
00001350  04 00 00 00 00 00 00 00  9e 00 00 00 01 00 00 00  |................|
00001360  02 00 00 00 b8 84 04 08  b8 04 00 00 15 00 00 00  |................|
00001370  00 00 00 00 00 00 00 00  04 00 00 00 00 00 00 00  |................|
00001380  a6 00 00 00 01 00 00 00  02 00 00 00 d0 84 04 08  |................|
00001390  d0 04 00 00 2c 00 00 00  00 00 00 00 00 00 00 00  |....,...........|
000013a0  04 00 00 00 00 00 00 00  b4 00 00 00 01 00 00 00  |................|
000013b0  02 00 00 00 fc 84 04 08  fc 04 00 00 bc 00 00 00  |................|
000013c0  00 00 00 00 00 00 00 00  04 00 00 00 00 00 00 00  |................|
000013d0  be 00 00 00 0e 00 00 00  03 00 00 00 b8 95 04 08  |................|
000013e0  b8 05 00 00 04 00 00 00  00 00 00 00 00 00 00 00  |................|
000013f0  04 00 00 00 00 00 00 00  ca 00 00 00 0f 00 00 00  |................|
00001400  03 00 00 00 bc 95 04 08  bc 05 00 00 04 00 00 00  |................|
00001410  00 00 00 00 00 00 00 00  04 00 00 00 00 00 00 00  |................|
00001420  d6 00 00 00 01 00 00 00  03 00 00 00 c0 95 04 08  |................|
00001430  c0 05 00 00 04 00 00 00  00 00 00 00 00 00 00 00  |................|
00001440  04 00 00 00 00 00 00 00  db 00 00 00 06 00 00 00  |................|
00001450  03 00 00 00 c4 95 04 08  c4 05 00 00 e8 00 00 00  |................|
00001460  06 00 00 00 00 00 00 00  04 00 00 00 08 00 00 00  |................|
00001470  e4 00 00 00 01 00 00 00  03 00 00 00 ac 96 04 08  |................|
00001480  ac 06 00 00 04 00 00 00  00 00 00 00 00 00 00 00  |................|
00001490  04 00 00 00 04 00 00 00  e9 00 00 00 01 00 00 00  |................|
000014a0  03 00 00 00 b0 96 04 08  b0 06 00 00 18 00 00 00  |................|
000014b0  00 00 00 00 00 00 00 00  04 00 00 00 04 00 00 00  |................|
000014c0  f2 00 00 00 01 00 00 00  03 00 00 00 c8 96 04 08  |................|
000014d0  c8 06 00 00 08 00 00 00  00 00 00 00 00 00 00 00  |................|
000014e0  04 00 00 00 00 00 00 00  f8 00 00 00 08 00 00 00  |................|
000014f0  03 00 00 00 d0 96 04 08  d0 06 00 00 04 00 00 00  |................|
00001500  00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|
00001510  fd 00 00 00 01 00 00 00  30 00 00 00 00 00 00 00  |........0.......|
00001520  d0 06 00 00 39 00 00 00  00 00 00 00 00 00 00 00  |....9...........|
00001530  01 00 00 00 01 00 00 00  06 01 00 00 01 00 00 00  |................|
00001540  00 00 00 00 00 00 00 00  09 07 00 00 20 00 00 00  |............ ...|
00001550  00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|
00001560  15 01 00 00 01 00 00 00  00 00 00 00 00 00 00 00  |................|
00001570  29 07 00 00 8f 00 00 00  00 00 00 00 00 00 00 00  |)...............|
00001580  01 00 00 00 00 00 00 00  21 01 00 00 01 00 00 00  |........!.......|
00001590  00 00 00 00 00 00 00 00  b8 07 00 00 44 00 00 00  |............D...|
000015a0  00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|
000015b0  2f 01 00 00 01 00 00 00  00 00 00 00 00 00 00 00  |/...............|
000015c0  fc 07 00 00 39 00 00 00  00 00 00 00 00 00 00 00  |....9...........|
000015d0  01 00 00 00 00 00 00 00  3b 01 00 00 01 00 00 00  |........;.......|
000015e0  30 00 00 00 00 00 00 00  35 08 00 00 b2 00 00 00  |0.......5.......|
000015f0  00 00 00 00 00 00 00 00  01 00 00 00 01 00 00 00  |................|
00001600  11 00 00 00 03 00 00 00  00 00 00 00 00 00 00 00  |................|
00001610  e7 08 00 00 46 01 00 00  00 00 00 00 00 00 00 00  |....F...........|
00001620  01 00 00 00 00 00 00 00  01 00 00 00 02 00 00 00  |................|
00001630  00 00 00 00 00 00 00 00  30 0a 00 00 80 04 00 00  |........0.......|
00001640  22 00 00 00 32 00 00 00  04 00 00 00 10 00 00 00  |"...2...........|
00001650  09 00 00 00 03 00 00 00  00 00 00 00 00 00 00 00  |................|
00001660  b0 0e 00 00 50 02 00 00  00 00 00 00 00 00 00 00  |....P...........|
00001670  01 00 00 00 00 00 00 00                           |........|
00001678

That's a lot of data for such a simple file.  But it's readable data, which is the important thing.  It's also data that tells us a lot about the program we are executing.  A surprising amount of information is contained on the first line of the output.  Let's take a look at it.

$ hexdump -C -n 16 ./hello
00000000  7f 45 4c 46 01 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010

The first thing in this file is .ELF: the byte 0x7f followed by the ASCII letters E, L and F (hexdump prints the non-printable 0x7f as a dot).  That means that the ./hello file is an ELF file.  An ELF file is an Executable and Linkable Format file.  You can read up on the properties of an ELF file here since we are focusing on hexdump right now.

Debian comes with a nice program, readelf, to get information about an ELF file.

$ readelf --header ./hello
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048300
  Start of program headers:          52 (bytes into file)
  Start of section headers:          4352 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         8
  Size of section headers:           40 (bytes)
  Number of section headers:         35
  Section header string table index: 32

See the Magic line and compare that with the first line of output in our hexdump.  You will see they are the same.  It turns out that the first four bytes are the ELF magic number, the flag that marks the file as ELF.  The fifth byte (01) tells us that the executable is a 32-bit executable.  If it were a 64-bit executable the fifth byte would be 02.  The sixth byte (01) shows that the architecture is little endian, which we have encountered before.  Then we get into some other information.

As you can see the first line of the hexdump of the executable tells us a lot about that file.  It obviously doesn’t tell us what that file will do, but if we were looking at a 64-bit compiled executable on a 32-bit machine we would know that this executable file would not run.  If we were examining a piece of malware that would give us some information about what types of targets the executable is aimed at.  There’s some useful information included here.

Let's Look at Something Else

We already knew that ./hello was an executable program.  But what about some other type of file that isn't just a plain text file or a compiled program?  Let's take a look at a pdf.  I used a sample pdf of some math notes that is 11 pages long.  If you run it through hexdump with no flags you will end up with such a large output that you can't even see the head of the file.  I used the -n flag and just printed the first 1000 bytes.

$ hexdump -C -n 1000 wilshort.pdf
00000000  25 50 44 46 2d 31 2e 34  0a 33 20 30 20 6f 62 6a  |%PDF-1.4.3 0 obj|
00000010  20 3c 3c 0a 2f 4c 65 6e  67 74 68 20 33 30 33 38  | <<./Length 3038| 
00000020  20 20 20 20 20 20 0a 2f  46 69 6c 74 65 72 20 2f  |      ./Filter /| 
00000030  46 6c 61 74 65 44 65 63  6f 64 65 0a 3e 3e 0a 73  |FlateDecode.>>.s|
00000040  74 72 65 61 6d 0a 78 da  7d 19 cb 92 db 36 f2 3e  |tream.x.}....6.>|
00000050  5f a1 aa 3d 2c 55 35 62  48 82 cf 5c 52 b6 13 db  |_..=,U5bH..\R...|
00000060  c9 96 77 bd 35 53 95 43  36 07 0c 85 19 d1 cb 87  |..w.5S.C6.......|
00000070  02 50 9e 28 5f bf fd 02  a8 97 f7 22 81 e8 46 a3  |.P.(_......"..F.|
00000080  d1 ef 06 de 3e de 7d f7  3e 2d 57 45 dc 54 f5 ea  |....>.}.>-WE.T..|
00000090  f1 79 95 66 65 5c 56 d9  aa 6c 54 5c a5 d5 ea 71  |.y.fe\V..lT\...q|
000000a0  fb 5b f4 79 bd 49 23 3b  ad 37 2a 8b 5a 1c 1b b3  |.[.y.I#;.7*.Z...|
000000b0  ed c6 17 b7 de e4 69 19  4d cf f8 5f 45 0f 47 04  |......i.M.._E.G.|
000000c0  0d 7b 42 9b 5c a7 19 dc  8d 0c 7e b3 df f7 eb 34  |.{B.\.....~....4|
000000d0  ea 0c 62 6d 19 f6 49 cf  3b 33 e8 19 a7 ba d6 ad  |..bm..I.;3......|
000000e0  7f 7f fc e5 bb f7 4a ad  d2 34 6e 8a 02 d9 a9 f2  |......J..4n.....|
000000f0  38 a9 f3 d5 26 4d 55 9c  27 35 b1 f3 f3 b8 56 69  |8...&MU.'5....Vi|
00000100  34 03 31 8b 0b 91 2f a0  78 68 71 a6 9b e0 07 76  |4.1.../.xhq....v|
00000110  54 55 11 cd 08 a9 72 60  6c 58 03 4b 4f 84 37 11  |TU....r`lX.KO.7.|
00000120  13 2d 63 fc 78 1c f5 b0  3e dd 3b 5f a5 49 dc 24  |.-c.x...>.;_.I.$|
00000130  0d ee 5d 26 71 55 64 ab  4d 06 c2 49 14 6d fd 70  |..]&qUd.M..I.m.p|
00000140  00 6c 87 bb 6a dc 04 a8  7e 88 f1 5f 45 bf 76 3d  |.l..j...~.._E.v=|
00000150  51 06 7a 1b 44 61 72 c9  aa 02 c1 22 b1 4d 53 e3  |Q.z.Dar....".MS.|
00000160  68 93 55 71 96 e4 44 ec  cd 93 9b ad 5e 67 20 d4  |h.Uq..D.....^g .|
00000170  39 e6 05 69 11 16 e4 b0  ab 5a 25 84 f9 eb ba 6e  |9..i.....Z%....n|
00000180  22 10 5c d6 d4 d1 4b f7  75 ad 12 ff 85 6c 64 4d  |".\...K.u....ldM|
00000190  05 42 c8 9a 88 01 24 94  af 41 d4 af 82 f0 cc ff  |.B....$..A......|
000001a0  f3 8e 14 c8 1f ff 49 d2  dc f4 a2 90 53 2c 07 22  |......I.....S,."|
000001b0  03 82 4f f8 85 02 4e a3  1e 65 86 a0 2d 7e 1d 59  |..O...N..e..-~.Y|
000001c0  ca 20 86 a1 23 8b 70 df  83 46 f3 3c ea 66 c7 68  |. ..#.p..F.<.f.h|
000001d0  bb 8e a6 e7 c9 1e 91 f9  7b 3c df 6a c3 87 da 34  |........{<.j...4|
000001e0  71 53 66 74 32 bd 47 b4  3d 50 d7 38 98 bb 69 64  |qSft2.G.=P.8..id|
000001f0  f9 6d 54 91 c3 e9 b6 38  28 a2 27 ed d8 46 78 7e  |.mT....8(.'..Fx~|
00000200  4b 27 43 ee c7 8e 8d 67  1a 1d 63 86 25 e6 4f 3d  |K'C....g..c.%.O=|
00000210  10 f1 de 38 91 ae 2a 56  b8 b3 22 3b 4f 41 d0 4d  |...8..*V..";OA.M|
00000220  4a 2c 15 00 40 66 52 d0  65 01 66 f1 2f db bd 10  |J,..@fR.e.f./...|
00000230  fb e3 62 16 61 e1 26 55  70 88 0c 6d 12 28 28 b6  |..b.a.&Up..m.((.|
00000240  8b c7 1d 4a 34 2b 89 a7  35 c9 17 36 5e b3 5c b3  |...J4+..5..6^.\.|
00000250  82 e5 0a ff 74 0a 94 6d  4d b2 05 81 b3 5c 61 e5  |....t..mM....\a.|
00000260  16 b0 d1 1c d1 16 69 c2  7c 45 b4 a9 a7 3f ef 35  |......i.|E...?.5|
00000270  48 44 3b f9 67 3c 34 73  a2 c4 9f cf 40 67 b2 82  |HD;.g<4s....@g..|
00000280  31 ea 1e 55 f5 17 c9 68  84 d1 0b 23 bd 98 d1 73  |1..U...h...#...s|
00000290  69 75 cf c8 0b 03 30 43  da 92 03 6e bc 3b c2 41  |iu....0C...n.;.A|
000002a0  dd 91 8e 30 9b 01 99 a8  52 38 06 70 77 c4 71 42  |...0....R8.pw.qB|
000002b0  14 3a 82 b7 d6 cc dd 5f  10 23 18 e0 f6 ba a5 cd  |.:....._.#......|
000002c0  40 c0 79 a6 a2 9f 07 fd  d2 8d 86 81 9a 09 ed f9  |@.y.............|
000002d0  14 c0 25 98 dc cc 73 74  96 be 9f 70 8f d7 c0 3f  |..%...st...p...?|
000002e0  00 dc 34 18 1e a1 07 6d  40 dd 5f 0c d9 21 d8 1b  |..4....m@._..!..|
000002f0  1e 83 29 63 e8 09 3b 24  2c fc 3d 80 35 07 31 b2  |..)c..;$,.=.5.1.|
00000300  0a f0 b0 d3 f3 7d c6 ad  34 d2 98 3b 36 c6 ac c8  |.....}..4..;6...|
00000310  d0 69 d8 67 0a 75 4a 45  66 90 e5 9a d5 00 b8 64  |.i.g.uJEf......d|
00000320  95 28 88 d9 f4 47 46 18  f4 e8 a5 04 08 fb e0 9a  |.(...GF.........|
00000330  ad 21 62 f7 30 5f 8a 8a  81 35 c0 dc 31 66 af d9  |.!b.0_...5..1f..|
00000340  48 d8 9a cc 96 67 9f 4e  68 69 de 80 04 0f 1b 2b  |H....g.Nhi.....+|
00000350  d6 a8 57 2d f3 c5 98 e4  d1 55 b0 ba 98 83 32 04  |..W-.....U....2.|
00000360  96 1c 70 af e5 30 3d 61  34 d5 24 c1 02 24 22 7e  |..p..0=a4.$..$"~|
00000370  50 2e 7e a0 aa b8 6a 6a  09 50 0e ad 6c 78 5a 17  |P.~...jj.P..lxZ.|
00000380  a8 af 0e c6 68 d4 e0 f6  b3 c5 29 fd 85 38 82 51  |....h.....)..8.Q|
00000390  3b 4f 9e c3 e3 b5 6b d5  2a 4e 9a 46 48 2e c7 04  |;O....k.*N.FH...|
000003a0  dd 5b 12 68 b0 00 98 da  b2 51 08 7f 8b 82 9a c8  |.[.h.....Q......|
000003b0  d1 d9 ff 38 2c 52 48 25  6b 31 2e f9 22 fc bb c5  |...8,RH%k1.."...|
000003c0  0f 6b 4e 0b 8e 09 b4 93  b5 46 d4 4c d2 42 0a 5b  |.kN......F.L.B.[|
000003d0  d9 9c 1d 23 4b e2 1a a3  f9 89 c4 28 db 14 09 e5  |...#K......(....|
000003e0  25 8c 06 38 76 87 96 77                           |%..8v..w|
000003e8

Right there at the beginning again is the file's signature, %PDF-1.4.  Nothing really shocking there since we already knew it was a pdf file.  But what if it's not labeled as a pdf file?  We can easily change the extension to anything we want.  It may not be usable to us afterwards but we could just as easily change it back to the original when we wanted to.

$ cp wilshort.pdf wilshort.txt
$ hexdump -C -n 100 wilshort.txt
00000000  25 50 44 46 2d 31 2e 34  0a 33 20 30 20 6f 62 6a  |%PDF-1.4.3 0 obj|
00000010  20 3c 3c 0a 2f 4c 65 6e  67 74 68 20 33 30 33 38  | <<./Length 3038| 
00000020  20 20 20 20 20 20 0a 2f  46 69 6c 74 65 72 20 2f  |      ./Filter /| 
00000030  46 6c 61 74 65 44 65 63  6f 64 65 0a 3e 3e 0a 73  |FlateDecode.>>.s|
00000040  74 72 65 61 6d 0a 78 da  7d 19 cb 92 db 36 f2 3e  |tream.x.}....6.>|
00000050  5f a1 aa 3d 2c 55 35 62  48 82 cf 5c 52 b6 13 db  |_..=,U5bH..\R...|
00000060  c9 96 77 bd                                       |..w.|
00000064

Even if we change the extension to .txt the hexdump still shows what kind of file we are examining.  This is because we are only changing the name; nothing in the file's contents has changed.  Now think about how easy it would be to write a shell script to do that exact thing.
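As an added example (not code from the blog or from HTAE) that serves both the ELF header walkthrough above and the extension point just made: a small Python identifier that decodes the same e_ident bytes readelf labelled Magic, Class and Data, then spots the %PDF signature, reading only the leading bytes of a file so the name plays no part.  The sample bytes are constructed from the dumps above; describe_elf, identify and identify_file are names I chose.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PDF_MAGIC = b"%PDF-"
# e_ident[EI_CLASS] and e_ident[EI_DATA] values from the ELF specification.
ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ELF_DATA = {1: "little endian", 2: "big endian"}


def describe_elf(header: bytes) -> dict:
    """Decode the 16 e_ident bytes readelf prints as Magic/Class/Data,
    plus e_type and e_machine when at least 20 bytes are available."""
    if len(header) < 16 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF header")
    info = {
        "class": ELF_CLASS.get(header[4], "invalid"),   # 01 = 32-bit, 02 = 64-bit
        "data": ELF_DATA.get(header[5], "invalid"),     # 01 = little endian
        "version": header[6],
        "osabi": header[7],                              # 0 = UNIX System V
    }
    if len(header) >= 20:
        # e_type and e_machine are the two 16-bit fields right after e_ident;
        # their byte order follows EI_DATA, which is why that byte is read first.
        order = "<" if header[5] == 1 else ">"
        info["e_type"], info["e_machine"] = struct.unpack(order + "HH", header[16:20])
    return info


def identify(head: bytes) -> str:
    """Name the file type from its leading bytes; the extension plays no part."""
    if head.startswith(ELF_MAGIC):
        elf = describe_elf(head)
        return f"ELF ({elf['class']}, {elf['data']})"
    if head.startswith(PDF_MAGIC):
        return "PDF version " + head[5:8].decode("ascii", errors="replace")
    return "unknown"


def identify_file(path: str) -> str:
    """Read only the first 20 bytes, so wilshort.txt and wilshort.pdf agree."""
    with open(path, "rb") as fh:
        return identify(fh.read(20))


# Constructed samples: the 16 e_ident bytes hexdump showed for ./hello, extended
# with e_type=2 (EXEC) and e_machine=3 (Intel 80386) as readelf reported them,
# and the first 16 bytes of the PDF dump.
HELLO_HEAD = bytes.fromhex("7f454c4601010100000000000000000002000300")
PDF_HEAD = b"%PDF-1.4\n3 0 obj"

if __name__ == "__main__":
    print(identify(HELLO_HEAD))  # ELF (ELF32, little endian)
    print(identify(PDF_HEAD))    # PDF version 1.4
```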

A Simple Example

We have seen that we can compile a program and change it to execute with root privileges.  What if our program running as root included the code to run the following script?

#!/bin/bash
# A shell script to change a file extension: rename wilshort.txt back to wilshort.pdf

mv wilshort.txt wilshort.pdf

Executing this script will change the file extension from .txt to .pdf. Or any other file extension we feel like putting on it.  We now have a naive example of masking a program extension and using a shell script to change the extension to what we actually want it to be.  But our trick won’t hide the true nature of the file from the hexdump output.

This example is not nefarious but if we expand our thinking a little bit we can see how useful it would be to do just this.  Imagine your anti-virus scans all files you download for the .bad extension.  So as an OS hacker we rename our .bad file as a .good file.  Then when you install whatever you were installing with admin privileges our shell script executes and changes .good file to .bad and executes it.  It’s not that simple in real life.  But if we want to become expert hackers we need to start looking at what’s available and how we can twist it to our nefarious hacking goals.

Conclusion

We have seen what hexdump does and some nice information that we can get from the output.  I haven't even touched the surface of using it for reverse engineering; we will see that functionality as we go through examples later.  We did however see a nice example of how hexdump can be used to determine a file type no matter what extension has been put on it.

As we continue towards our goal of hacking operating systems and reverse engineering malware we will encounter hexdump again.  We don’t have much of a working knowledge of the tool yet but we at least know what it is now.
