
Here is the situation. I am investigating ARM binary files. When using objdump -T to see the dynamic symbol table, the output shows me (excerpt from a real case):

    DYNAMIC SYMBOL TABLE:
    00000000    DF  *UND*  00000000  __cxa_finalenter
    ....
    00002055 g  DF  .text  00000060   SomeFunction
    ...
    0000818c g  DF  .text  00000008   _Unwind_GetTextReleaseBase
    ....

And disassembly of the symbols gives the following (objdump -d):

    ...
00002054 <SomeFunction>:
    2054:   b5f7        push    {r0, r1, r2, r4, r5, r6, r7, lr}
    2056:   1c04        adds    r4, r0, #0
    2058:   4815        ldr r0, [pc, #84]   
    ...
0000818c <_Unwind_GetTextRelBase>:
    818c:   e92d4008    push    {r3, lr}
    8190:   ebffe79c    bl  2008 <abort@plt>

My question is: as you can see, the value specified in the dynamic symbol table for SomeFunction is 0x2055, but the actual disassembly starts at 0x2054. However, for _Unwind_GetTextRelBase, the assembly starts at the address specified in the symbol table. What is the logic behind this, and how can I programmatically identify the right beginning address?

Biniam
    Essentially the same question as [this one from yesterday](http://stackoverflow.com/q/33220424/3156750). – Notlikethat Oct 20 '15 at 15:40
  • Thank you very much for pointing that out. You're right, this is almost exactly the same problem. I have also found the description in the manual at section 4.5.3 and finally found the solution. Therefore, what I did is as follows: I check the value of st_value of each symbol. If its bit zero is set, then it addresses a Thumb function, therefore the address will be st_value-1 and it is disassembled in Thumb mode. Otherwise st_value will be the address of an ARM function and it is disassembled in ARM mode. – Biniam Oct 21 '15 at 12:25
  • Yup, it's basically the exact same logic as the CPUs use for interworking branches. – Notlikethat Oct 21 '15 at 12:34
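
The rule from the comments, applied programmatically, as an added example (not code from the question or the linked answer): a small parser over raw Elf32_Sym records that applies the ARM ELF ABI section 4.5.3 convention, but only to function symbols, since data symbols may legitimately sit at odd addresses. The sample symbol table is constructed from the values in the question; the .text section index (13) and the name of the undefined import are assumptions.

```python
import struct
from dataclasses import dataclass

# Elf32_Sym layout on little-endian ARM: st_name, st_value, st_size, st_info, st_other, st_shndx
ELF32_SYM = struct.Struct("<IIIBBH")
STT_FUNC = 2
STT_ARM_TFUNC = 13   # legacy GNU marker for Thumb functions (older toolchains)
SHN_UNDEF = 0
STB_GLOBAL = 1

@dataclass
class Entry:
    name: str
    st_value: int
    address: int   # address of the first instruction (what objdump -d shows)
    mode: str      # "arm", "thumb", "data" or "undef"

def resolve_entry(name, st_value, st_info, st_shndx):
    """ARM ELF ABI 4.5.3: for STT_FUNC symbols, bit 0 of st_value set means the
    code is Thumb and the real entry address is st_value with bit 0 cleared."""
    sym_type = st_info & 0xF
    if st_shndx == SHN_UNDEF:                 # imported symbol: nothing to disassemble here
        return Entry(name, st_value, 0, "undef")
    if sym_type == STT_ARM_TFUNC:             # always Thumb, regardless of bit 0
        return Entry(name, st_value, st_value & ~1, "thumb")
    if sym_type != STT_FUNC:                  # the bit-0 rule does not apply to data symbols
        return Entry(name, st_value, st_value, "data")
    if st_value & 1:
        return Entry(name, st_value, st_value & ~1, "thumb")
    return Entry(name, st_value, st_value, "arm")

def parse_dynsym(blob, strtab):
    """Walk raw Elf32_Sym records (e.g. the bytes of .dynsym) and resolve each one."""
    entries = []
    for off in range(0, len(blob) - ELF32_SYM.size + 1, ELF32_SYM.size):
        st_name, st_value, _size, st_info, _other, st_shndx = ELF32_SYM.unpack_from(blob, off)
        name = strtab[st_name:strtab.index(b"\0", st_name)].decode()
        entries.append(resolve_entry(name, st_value, st_info, st_shndx))
    return entries

def st_info(bind, typ):
    return (bind << 4) | (typ & 0xF)

# Constructed sample mirroring the objdump -T excerpt above (section index 13 assumed for .text).
STRTAB = b"\0some_import\0SomeFunction\0_Unwind_GetTextRelBase\0"
DYNSYM = b"".join([
    ELF32_SYM.pack(STRTAB.index(b"some_i"), 0x0, 0, st_info(STB_GLOBAL, STT_FUNC), 0, SHN_UNDEF),
    ELF32_SYM.pack(STRTAB.index(b"SomeF"), 0x2055, 0x60, st_info(STB_GLOBAL, STT_FUNC), 0, 13),
    ELF32_SYM.pack(STRTAB.index(b"_Unwind"), 0x818c, 0x8, st_info(STB_GLOBAL, STT_FUNC), 0, 13),
])

if __name__ == "__main__":
    for e in parse_dynsym(DYNSYM, STRTAB):
        print(f"{e.name:24s} st_value=0x{e.st_value:08x} entry=0x{e.address:08x} mode={e.mode}")
```

Feeding the real .dynsym and .dynstr bytes (read via the section headers) to parse_dynsym gives the entry address and the instruction set to select when disassembling each function.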
