copied from stackoverflow.
First, you would use readelf to determine the virtual address of the variable (where it lives in memory after the program is loaded). -s will show you the symbol table, and we'll grep for the name of your variable.
readelf -s a.out | grep value
This will output a line that looks like:
64: 000000000060102c 4 OBJECT GLOBAL DEFAULT 24 value
So here, the 64th symbol in the file is value. Its load address is 0x60102c, and it's 4 bytes in size. Now we have the virtual address, but this doesn't tell us where it's at in the file. To do that, we need to do three things:
- Figure out which section it's in,
- Figure out this value's section offset
- Add its section offset to that section's file offset, to get your item's actual file offset (the "address" you would see in a hex editor, if you opened the ELF file).
Let's run readelf again. -S will list the sections.
readelf -S a.out
Here's a snippet of the output. Remember the address of our variable is at 60102c, and we're looking for the section where 60102c lies between its Address and its Address + Size. Since this is a read-write variable, we can take a guess that it will be in the .data section.
Section Headers:
[Nr] Name Type Address Offset
Size EntSize Flags Link Info Align
...
[21] .dynamic DYNAMIC 0000000000600e28 00000e28
00000000000001d0 0000000000000010 WA 6 0 8
[22] .got PROGBITS 0000000000600ff8 00000ff8
0000000000000008 0000000000000008 WA 0 0 8
[23] .got.plt PROGBITS 0000000000601000 00001000
0000000000000028 0000000000000008 WA 0 0 8
[24] .data PROGBITS 0000000000601028 00001028
0000000000000008 0000000000000000 WA 0 0 4
[25] .bss NOBITS 0000000000601030 00001030
0000000000000008 0000000000000000 WA 0 0 4
[26] .comment PROGBITS 0000000000000000 00001030
000000000000002c 0000000000000001 MS 0 0 1
Sure enough, .data lives in memory at 601028 to 601028+8 = 601030. Subtracting value's address from this section's address, we get:
60102c Address of `value`
- 601028 Start address of .data section
--------
4
Thus, value is at offset 4 from the start of the .data section. Now, where in the file is the .data section? That's what the Offset column tells us. .data begins at file offset 1028. Knowing this, we can find the file offset of value:
1028 File offset of .data section
+ 4 Offset of `value` in .data section
-------
102c File offset of `value`
We've got our file offset, now let's make sure we know what to expect. Your variable has the value 1337. In hex, that's 0x539. But, we need to bring up byte order (or "endianness"). Intel x86 systems are little endian. That means when an integer larger than one byte is stored at an address, the least-signifiant byte (or "little" end) of the value is at that address, and the remaining bytes are at subsequent (increasing address).
So your 1337 will be stored (as a 4-byte int) in the file like this:
39 05 00 00
On a "big endian" system (e.g. Motorola 68k), the value would be seen in the file in the opposite order:
00 00 05 39
That all said, if you open your ELF file in a hex editor, an go to offset 102c, you will see your value:
here we use linux command hexdump:
$ hexdump -s 102c -x -n 16 foo
ELF files have no checksum or CRC, so you should be able to simply edit that value in your hex editor, and it will have the new value when your program executes!
hexdump命令
hexdump命令一般用来查看“二进制”文件的十六进制编码,但实际上它能查看任何文件,而不只限于二进制文件。
语法
hexdump [选项] [文件]...选项
-n length 只格式化输入文件的前length个字节。
-C 输出规范的十六进制和ASCII码。
-b 单字节八进制显示。
-c 单字节字符显示。
-d 双字节十进制显示。
-o 双字节八进制显示。
-x 双字节十六进制显示。
-s 从偏移量开始输出。
-e 指定格式字符串,格式字符串包含在一对单引号中,格式字符串形如:'a/b "format1" "format2"'。
1888
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
