Why objdump can figure out certain entry of PLT is used for “printf”, “puts”, and others?

Question

Test platform is on 32-bit Linux. I use objdump to disassemble a stripped binary.

So in the disassemble asm code, I can see instructions like this:

80483e4: e8 07 ff ff ff call 80482f0

So basically e8 07 ff ff ff is just a relative address of one entry of PLT...

So my question is:

Why tools like objdump (I also tried with IDA Pro) can figure out certain entries in PLT is used for relocation of puts?

I know Ida Pro can use some heuristic solutions to recognise certain functions, which is called F.L.I.R.T., but basically it is totally a different story....

kornman00 · Answer 1 · 2017-01-07T22:59:27.090

0

I'm not a Linux developer, but from what I gather the "Procedure Linkage Table" section is very much like the section in Windows PE files which describe DLL Imports (ie, how Windows does 'shared' libraries).

So for objdump/IDA, it is just a matter of understanding the pattern of how code/data in the .PLT section is generated. For Windows, there's usually a string representing the library to import from (eg, "libc.dll") along with a list of strings and import thunks used to resolve a given imported function by name (eg, "printf").

edited Jan 07 '17 at 22:59

answered Apr 01 '14 at 21:42

kornman00

808
10
27

A down vote? When there's no other responses? And without an explanation? Gotta love SO users! – kornman00 Oct 14 '15 at 16:05

Why objdump can figure out certain entry of PLT is used for “printf”, “puts”, and others?

1 Answers1