通过代码可知,efl文件除了代码段、数据段之外,还有bss段,drectve段,rdata段,eh_frame段。另外可以看到各个段所具有的属性,size属性,file off属性,contents属性。
然后我们分析代码段:通过命令objdump -s -d SimpleSection.o,可得如下命令:
C:\Users\Administrator>objdump -s -d C:\Users\Administrator\Desktop\SimpleSectoin.o
C:\Users\Administrator\Desktop\SimpleSectoin.o: file format pe-i386
Contents of section .text:
0000 5589e583 ec188b45 08894424 04c70424 U
E..D$
$
0010 00000000 e8000000 00c9c355 89e583e4
..U
.
0020 f083ec20 e8000000 00c74424 1c010000
D$
.
0030 008b1504 000000a1 00000000 01d00344
D
0040 241c0344 24188904 24e80000 0000c9c3 $..D$
$
.
Contents of section .data:
0000 54000000 55000000 T
U
Contents of section .drectve:
0000 202d616c 69676e63 6f6d6d3a 225f676c -aligncomm:"_gl
0010 6f62616c 5f756e69 6e69745f 76617222 obal_uninit_var"
0020 2c320000 ,2..
Contents of section .rdata:
0000 25640a00 %d..
Contents of section .eh_frame:
0000 14000000 00000000 017a5200 017c0801
zR..|..
0010 1b0c0404 88010000 1c000000 1c000000
.
0020 04000000 1b000000 00410e08 8502420d
A
.B.
0030 0557c50c 04040000 1c000000 3c000000 .W
.<
0040 1f000000 35000000 00410e08 8502420d
.5
.A
.B.
0050 0571c50c 04040000 .q
Disassembly of section .text:
00000000 <_fun1>:
0: 55 push %ebp
1: 89 e5 mov %esp,%ebp
3: 83 ec 18 sub $0x18,%esp
6: 8b 45 08 mov 0x8(%ebp),%eax
9: 89 44 24 04 mov %eax,0x4(%esp)
d: c7 04 24 00 00 00 00 movl $0x0,(%esp)
14: e8 00 00 00 00 call 19 <_fun1+0x19>
19: c9 leave
1a: c3 ret
0000001b <_main>:
1b: 55 push %ebp
1c: 89 e5 mov %esp,%ebp
1e: 83 e4 f0 and $0xfffffff0,%esp
21: 83 ec 20 sub $0x20,%esp
24: e8 00 00 00 00 call 29 <_main+0xe>
29: c7 44 24 1c 01 00 00 movl $0x1,0x1c(%esp)
30: 00
31: 8b 15 04 00 00 00 mov 0x4,%edx
37: a1 00 00 00 00 mov 0x0,%eax
3c: 01 d0 add %edx,%eax
3e: 03 44 24 1c add 0x1c(%esp),%eax
42: 03 44 24 18 add 0x18(%esp),%eax
46: 89 04 24 mov %eax,(%esp)
49: e8 00 00 00 00 call 4e <_main+0x33>
4e: c9 leave
4f: c3 ret
C:\Users\Administrator>
contents of .text,就是我们前面的.text的内容,共有0x5b大小的内容,最左边一列是偏移量,中间四列是十六进制内容,左右边一列是.text的ascII的内容。按照反汇编的内容,可以明显的看到,.text内容里面包含有func1和mian函数的指令。
然后看数据段内容:通过命令objdump -x -s -d SimpleSection.o可得如下内容:
C:\Users\Administrator>objdump -s -d C:\Users\Administrator\Desktop\SimpleSectoin.o
……
Contents of section .data:
0000 54000000 55000000 T
U
Contents of section .drectve:
0000 202d616c 69676e63 6f6d6d3a 225f676c -aligncomm:"_gl
0010 6f62616c 5f756e69 6e69745f 76617222 obal_uninit_var"
0020 2c320000 ,2..
Contents of section .rdata:
0000 25640a00 %d..
Contents of section .eh_frame:
0000 14000000 00000000 017a5200 017c0801
zR..|..
0010 1b0c0404 88010000 1c000000 1c000000
.
0020 04000000 1b000000 00410e08 8502420d
A
.B.
0030 0557c50c 04040000 1c000000 3c000000 .W
.<
0040 1f000000 35000000 00410e08 8502420d
.5
.A
.B.
0050 0571c50c 04040000 .q
Disassembly of section .text:
00000000 <_fun1>:
0: 55 push %ebp
1: 89 e5 mov %esp,%ebp
3: 83 ec 18 sub $0x18,%esp
6: 8b 45 08 mov 0x8(%ebp),%eax
9: 89 44 24 04 mov %eax,0x4(%esp)
d: c7 04 24 00 00 00 00 movl $0x0,(%esp)
14: e8 00 00 00 00 call 19 <_fun1+0x19>
19: c9 leave
1a: c3 ret
0000001b <_main>:
1b: 55 push %ebp
1c: 89 e5 mov %esp,%ebp
1e: 83 e4 f0 and $0xfffffff0,%esp
21: 83 ec 20 sub $0x20,%esp
24: e8 00 00 00 00 call 29 <_main+0xe>
29: c7 44 24 1c 01 00 00 movl $0x1,0x1c(%esp)
30: 00
31: 8b 15 04 00 00 00 mov 0x4,%edx
37: a1 00 00 00 00 mov 0x0,%eax
3c: 01 d0 add %edx,%eax
3e: 03 44 24 1c add 0x1c(%esp),%eax
42: 03 44 24 18 add 0x18(%esp),%eax
46: 89 04 24 mov %eax,(%esp)
49: e8 00 00 00 00 call 4e <_main+0x33>
4e: c9 leave
4f: c3 ret
C:\Users\Administrator>