
I use IDA Pro to disassemble a 32-bit ELF file.

In the asm code it creates, I find one line as below:

    mov     eax, ds:(__dso_handle_ptr - 804DFF4h)[ebx]

I have never seen asm code like this, and using nasm/masm to directly assemble it generates errors...

After searching the code, I found this:

    __dso_handle    dd 0

But I didn't find __dso_handle_ptr, which is very strange...

Could anyone give me some help..? Thank you!

lllllllllllll
  • I believe the ds:(_sym - hexaddr) is specifying the data segment. So the 32-bit value at offset EBX in that data segment will be moved into the accumulator EAX. Is __dso_handle_ptr referenced anywhere else in the disassembly? My guess is that it's a symbol loaded from the ELF binary. The __dso_ prefix indicates that this symbol is from a Dynamic Shared Object. handle_ptr is a pretty generic name. You can Google "dso handle_ptr" for some clues. – David H. Bennett Feb 01 '14 at 19:38
  • This looks like a reference to a dynamically-placed symbol from a shared object - it allows shared objects to share code whilst having their own data. – Drew McGowen Feb 01 '14 at 20:17
  • @user1257931 Hi, I updated my question; the problem is that I cannot find __dso_handle_ptr .. – lllllllllllll Feb 01 '14 at 21:15
  • What do you see if you run the ELF binary through `objdump -t {bin} | grep -i handle`? – David H. Bennett Feb 01 '14 at 21:28
  • @user1257931 It will generate this line: **0804e0ac l O .data 00000000 __dso_handle** – lllllllllllll Feb 01 '14 at 21:45
  • @user1257931 All right, so basically I think this should be a version checking routine... probably I should just remove it because it will not harm the functionality unless I can find some better way – lllllllllllll Feb 01 '14 at 21:46
  • It looks like IDA Pro is referencing that data segment is loaded with the address located as __dso_handle which is a pointer (hence the _ptr suffix). You may want to get further clarification on the IDA Pro forums https://www.hex-rays.com/forum/ucp.php?mode=login – David H. Bennett Feb 01 '14 at 21:51
  • @computereasy Could you just press Enter on its name? :'( I think you're gonna see something like `__dso_handle_ptr dd offset __dso_handle` – qwm Feb 02 '14 at 07:56
