0

So in the output of objdump -d on my ELF x86 binary i see some addresses having $ sign before them, i looked at previous questions on here about this sign but couldnt find anything related to being before address, all of them are related to strings and such.

and i dont get these dollar signs when i disassemble the binary with capstone!

So what does dollar sign before an address mean? is this something related to objdump or x86?

Max
  • 35
  • 4
  • Difference in syntax between Intel and AT&T. To get objdump to display Intel syntax use `-Mintel` option – Michael Petch Apr 17 '19 at 06:27
  • @MichaelPetch but why some addresses have dollar before them and some don't? what is the difference? – Max Apr 17 '19 at 06:37
  • Please post an example of what you mean. If you see something like `movl $1234, %eax` in the code, that's not a memory access, it's moving the value 1234 to `eax`. – Michael Apr 17 '19 at 06:52
  • 1
    my confusion is exactly stuff like that, for example what is the difference between : push $0x8048620 AND push 0x8048620 in AT&T syntax? why put a dollar before push? – Max Apr 17 '19 at 06:57
  • Because, as @MichaelPetch mentioned, the GNU binutils typically defaults to AT&T syntax, which is different from Intel syntax. See e.g. https://www.imada.sdu.dk/~kslarsen/dm546/Material/IntelnATT.htm – Michael Apr 17 '19 at 07:03
  • 1
    And as for _"why not use a dollar sign in both cases?"_ : because it changes the meaning of the instruction, and if the programmer intended meaning X rather than meaning Y, they need to use the appropriate syntax to express that. – Michael Apr 17 '19 at 07:06
  • 2
    In AT&T syntax a dollar sign appears before immediate values. When it is absent the value represents a memory operand. In AT&T syntax `push $0x8048620` pushes the value 0x8048620 on the stack. In AT&T syntax `push 0x8048620` in 32-bit code will push the 4 bytes at memory address 0x8048620 onto the stack. In Intel syntax `push 0x8048620` is the AT&T equivalent of `push $0x8048620` and Intel syntax `push dword [0x8048620]` is the equivalent of AT&T syntax's `push 0x8048620` – Michael Petch Apr 17 '19 at 08:11

0 Answers0