I have an x86-64 executable that I'm trying to analyze using static methods. Starting at _start, I see a jump to 0x400648, an address within the PLT, which contains the instruction jmp *0x20065a(%rip). The jump leads to *0x600ca8, which is 0x40064e. That brings us back into the PLT, which executes pushq $0x2.
Here's where I'm stuck: I know the pushq $0x2 instruction exists to tell the dynamic linker to resolve the 3rd entry in the .dynsym table. The problem is that the st_value field in that entry is 0x0. This value should be the offset of main from _start, right? If so, how is the st_value field initialized?
> This value should be the offset of main from _start, right?
Wrong. You can't jump from _start to main -- the latter expects argc and argv[] as parameters, and nobody has them set up yet. It is the job of the libc initialization code to:
- initialize libc itself, create the standard file handles (stdout, etc.), set up the environment, etc., and
- call main with the correct arguments, and
- if/when main returns, arrange for the program to exit(2) with the correct exit code.
What you are seeing is the PLT call to __libc_start_main, which does all of the above and then calls main. You can see this with objdump -dr a.out, which will show something similar to this:
```
00000000004003d0 <_start>:
  4003d0:	31 ed                	xor    %ebp,%ebp
  4003d2:	49 89 d1             	mov    %rdx,%r9
  4003d5:	5e                   	pop    %rsi
  4003d6:	48 89 e2             	mov    %rsp,%rdx
  4003d9:	48 83 e4 f0          	and    $0xfffffffffffffff0,%rsp
  4003dd:	50                   	push   %rax
  4003de:	54                   	push   %rsp
  4003df:	49 c7 c0 50 05 40 00 	mov    $0x400550,%r8
  4003e6:	48 c7 c1 c0 04 40 00 	mov    $0x4004c0,%rcx
  4003ed:	48 c7 c7 b4 04 40 00 	mov    $0x4004b4,%rdi
  4003f4:	e8 c7 ff ff ff       	callq  4003c0 <__libc_start_main@plt>
  4003f9:	f4                   	hlt
  4003fa:	90                   	nop
  4003fb:	90                   	nop
```
> How is the st_value field initialized?
You can read the actual details of how dynamic symbol resolution works here (search for "procedure linkage table"; be warned: few people understand how this works in detail).
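To make the resolution chain concrete, here is a small Python script added to this page (it is not part of the question or the answer above, and not from any project) that decodes constructed .dynsym and .rela.plt bytes the way readelf would. It follows the immediate that a PLT stub pushes: that value is an index into .rela.plt, the relocation's r_info then selects the .dynsym entry, and an imported symbol such as __libc_start_main carries st_shndx == SHN_UNDEF and st_value == 0 until the dynamic linker fills the GOT slot at run time. The only values taken from the page are the GOT slot 0x600ca8 and main's address 0x4004b4 from the objdump output; the other GOT addresses, the section index used for main, and the puts/printf symbols are constructed for the sample.

```python
import struct

SHN_UNDEF = 0            # st_shndx value meaning "defined elsewhere" (imported)
R_X86_64_JUMP_SLOT = 7   # relocation type used for PLT/GOT entries on x86-64
SYM_SIZE = 24            # sizeof(Elf64_Sym)
RELA_SIZE = 24           # sizeof(Elf64_Rela)


def _cstr(strtab, off):
    """Read a NUL-terminated name out of a string table."""
    return strtab[off:strtab.index(b"\0", off)].decode()


def parse_dynsym(dynsym, dynstr):
    """Decode a .dynsym section into dicts (Elf64_Sym layout, little-endian)."""
    syms = []
    for off in range(0, len(dynsym), SYM_SIZE):
        st_name, st_info, st_other, st_shndx, st_value, st_size = \
            struct.unpack_from("<IBBHQQ", dynsym, off)
        syms.append({
            "name": _cstr(dynstr, st_name),
            "value": st_value,
            "shndx": st_shndx,
            "undefined": st_shndx == SHN_UNDEF,
        })
    return syms


def parse_rela_plt(rela_plt):
    """Decode .rela.plt (Elf64_Rela); r_info packs the symbol index and type."""
    rels = []
    for off in range(0, len(rela_plt), RELA_SIZE):
        r_offset, r_info, r_addend = struct.unpack_from("<QQq", rela_plt, off)
        rels.append({
            "got_slot": r_offset,         # GOT entry the PLT stub jumps through
            "sym_index": r_info >> 32,    # ELF64_R_SYM(r_info)
            "type": r_info & 0xffffffff,  # ELF64_R_TYPE(r_info)
        })
    return rels


def resolve_plt_push(reloc_index, rels, syms):
    """Follow the immediate pushed by a PLT stub to the symbol it names.

    The pushed value indexes .rela.plt, not .dynsym; the relocation's
    r_info then selects the .dynsym entry.
    """
    rel = rels[reloc_index]
    if rel["type"] != R_X86_64_JUMP_SLOT:
        raise ValueError("not a PLT relocation")
    sym = syms[rel["sym_index"]]
    return {
        "name": sym["name"],
        "got_slot": rel["got_slot"],
        "st_value": sym["value"],
        "undefined": sym["undefined"],
    }


# --- Constructed sample sections (not dumped from a real binary) ------------
DYNSTR = b"\0puts\0printf\0main\0__libc_start_main\0"
STT_FUNC_GLOBAL = (1 << 4) | 2   # STB_GLOBAL, STT_FUNC


def _sym(name_off, value, shndx):
    return struct.pack("<IBBHQQ", name_off, STT_FUNC_GLOBAL, 0, shndx, value, 0)


DYNSYM = b"".join([
    struct.pack("<IBBHQQ", 0, 0, 0, 0, 0, 0),  # index 0: mandatory null symbol
    _sym(1,  0,        SHN_UNDEF),  # 1: puts              (imported, st_value 0)
    _sym(6,  0,        SHN_UNDEF),  # 2: printf            (imported, st_value 0)
    _sym(13, 0x4004b4, 14),         # 3: main              (defined; shndx 14 is constructed)
    _sym(18, 0,        SHN_UNDEF),  # 4: __libc_start_main (imported, st_value 0)
])


def _rela(got_slot, sym_index):
    return struct.pack("<QQq", got_slot, (sym_index << 32) | R_X86_64_JUMP_SLOT, 0)


RELA_PLT = b"".join([
    _rela(0x600c98, 1),  # reloc 0 -> puts              (GOT slot constructed)
    _rela(0x600ca0, 2),  # reloc 1 -> printf            (GOT slot constructed)
    _rela(0x600ca8, 4),  # reloc 2 -> __libc_start_main (0x600ca8 is the slot from the question)
])


def describe_push(reloc_index=2):
    """Return a one-line explanation of what 'pushq $N' in the PLT refers to."""
    r = resolve_plt_push(reloc_index, parse_rela_plt(RELA_PLT), parse_dynsym(DYNSYM, DYNSTR))
    state = ("imported, resolved lazily by the dynamic linker" if r["undefined"]
             else "defined in this binary")
    return (f"pushq ${reloc_index:#x} -> .rela.plt[{reloc_index}] -> {r['name']} "
            f"via GOT slot {r['got_slot']:#x}, st_value={r['st_value']:#x} ({state})")


if __name__ == "__main__":
    print(describe_push(2))
```

Run it and the pushq $0x2 from the question resolves to __libc_start_main through GOT slot 0x600ca8 with st_value 0, while the defined symbol main keeps its real address 0x4004b4: st_value is only meaningful for symbols the binary itself defines, and nothing in the file ever "initializes" it for an import.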