
I have a binary file that I disassemble using the objdump disassembler tool. I want to know how I can extract the data type of the global variables that exist in the objdump output file.

hamb

1 Answer


Compiled object/executable files do not contain any information about variable types or names, or their scope or storage class. However, some of that information may be available if there are debugging symbols left in the file.

zxcdw
  • Do you mean the objdump output file? And how can I know if there are debugging symbols in that file? – hamb May 26 '12 at 16:06
  • Please elaborate on what you mean by "objdump output file" - objdump outputs information about object files to stdout. What kind of flags do you use when you call objdump? You can use the objdump `-g` flag (or `--debugging`) to find out debug information about the target. – zxcdw May 26 '12 at 16:17
  • I use this command: `objdump -d -s -Tdata --no-show-raw-insn executable_File_Name >output.s`; output.s is the objdump output file. I use the -g flag but I received a message that said "no recognized debugging information" – hamb May 26 '12 at 16:26
  • Oh I see. I doubt you can then see the actual type of the variable used. By reading the disassembly, however, you can determine the byte width of the variable and by the way the memory address is used, you can determine the type of it. However, this requires somewhat deeper understanding of assembly and disassembling/reverse engineering in general and as such might not be a very easy way - but I don't think there are other ways. – zxcdw May 26 '12 at 16:56
  • If I use the byte width of the variable to determine the type of the array, it would not be correct. Assume we have the following two arrays: int a[10]; char b[40]; these two arrays have the same size and we can't determine their type based on the byte width! Moreover, the addresses of the arrays are not consecutive when they are located in the symbol table! – hamb Jun 04 '12 at 01:06
  • Yes, it's true that an array of int and an array of char are just all individual bytes. However, to figure out the width of one *element* in the array (and then guess the actual C type) you need to look at how the array is accessed. For example, if the array starts at 0x0000, the second element is accessed at 0x0002, the third at 0x0004 etc., you can figure out that since the element size is two bytes, it could very well be an array of short. This alone is not enough though, and I don't think you can *ever* be 100% sure of the type. After all, at CPU level everything is just bytes regardless of high-level types. – zxcdw Jun 04 '12 at 13:04
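
The heuristic from the last comment (read the element width off how the array is accessed), as an added example that is not part of the original answer or comments. It parses constructed `objdump -d --no-show-raw-insn` lines (x86-64, AT&T syntax) and assumes the binary kept its symbol table, so objdump annotates RIP-relative operands with `<sym+0xoff>`; only `mov` forms with an explicit size suffix are sized, and the result is a guess at element width, not a C type.

```python
import re
from collections import Counter, defaultdict
from functools import reduce
from math import gcd

# Constructed sample: a symbol table is present, debug info is not.
# `a` is written 4 bytes at a time, `b` 1 byte at a time.
SAMPLE = """\
  401136:\tmovl   $0x1,0x2ee0(%rip)        # 404020 <a>
  401140:\tmovl   $0x2,0x2eda(%rip)        # 404024 <a+0x4>
  40114a:\tmovl   $0x3,0x2ed4(%rip)        # 404028 <a+0x8>
  401154:\tmovb   $0x41,0x2ee5(%rip)        # 404040 <b>
  40115b:\tmovb   $0x42,0x2edf(%rip)        # 404041 <b+0x1>
  401162:\tmovzbl 0x2ed9(%rip),%eax        # 404042 <b+0x2>
"""

SUFFIX = {"b": 1, "w": 2, "l": 4, "q": 8}
# Mnemonic, then the "# addr <sym+0xoff>" annotation on RIP-relative operands.
LINE = re.compile(r"^\s*[0-9a-f]+:\s+(\S+)\s.*#\s*[0-9a-f]+ <(\w+)(?:\+0x([0-9a-f]+))?>")
# Memory operand width: movl -> 4, movzbl -> 1 (the first suffix is the source size).
MOV = re.compile(r"mov[sz]?([bwlq])[wlq]?$")

def guess_elements(disasm):
    """Per global symbol: (most common access width, gcd of accessed offsets)."""
    widths, offsets = defaultdict(Counter), defaultdict(set)
    for line in disasm.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        mnemonic, sym, off = m.groups()
        offsets[sym].add(int(off, 16) if off else 0)
        w = MOV.match(mnemonic)
        if w:  # un-suffixed forms (size implied by a register) are not sized here
            widths[sym][SUFFIX[w.group(1)]] += 1
    result = {}
    for sym in offsets:
        width = widths[sym].most_common(1)[0][0] if widths[sym] else None
        stride = reduce(gcd, offsets[sym])  # 0 means only the base was touched
        result[sym] = (width, stride)
    return result

if __name__ == "__main__":
    for sym, (width, stride) in guess_elements(SAMPLE).items():
        print(f"{sym}: access width {width} byte(s), offset stride {stride}")
```

When the access width and the offset stride agree, as they do for both symbols here, that is the strongest hint this approach gives about the element size; signedness and whether a 4-byte element is an `int` or a `float` still have to be read from how the loaded value is used.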