
Objdump Commands

objdump is a versatile binary analysis tool that displays detailed information about binary files. It can disassemble code, display section headers, show symbols, and provide comprehensive binary analysis capabilities essential for debugging and reverse engineering.

Installation

Linux/Ubuntu

# Refresh the package index, then install GNU binutils (the package that ships objdump)
sudo apt update
sudo apt install binutils

macOS

# Install GNU binutils with Homebrew
brew install binutils
# Or use otool (native alternative from the Xcode command line tools)

Basic Object Inspection

Display File Information

# Display archive header information (-a targets .a archives; on a plain
# executable it prints little beyond the file format line)
objdump -a /usr/bin/ls

# Show section headers
objdump -h /usr/bin/ls

# Display format-specific headers (for ELF: program headers and the dynamic section)
objdump -p /usr/bin/ls

# Show all headers (equivalent to -a -f -h -p -r -t)
objdump -x /usr/bin/ls

# File format information (architecture, flags, start address)
objdump -f /usr/bin/ls

# Display target architecture (file gives a one-line summary; objdump -f prints
# the architecture line)
file /usr/bin/ls
objdump -f /usr/bin/ls

Disassembly Operations

Disassemble Sections

# Disassemble the sections expected to contain code (-d); use -D to disassemble every section
objdump -d /usr/bin/ls

# Disassemble specific section
objdump -d -j .text /usr/bin/ls

# Disassemble .init section
objdump -d -j .init /usr/bin/ls

# Disassemble .fini section
objdump -d -j .fini /usr/bin/ls

# Preview only the first 100 lines of the disassembly
objdump -d /usr/bin/ls | head -100

Disassembly Formatting

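# Interleave source with disassembly (needs debug info in the binary and the
# source files on disk; without them the output is the same as -d)
objdump -S /usr/bin/ls

# Show source file names and line numbers (also needs debug info)
objdump -dl /usr/bin/ls

# Display addresses (every instruction line starts with its address)
objdump -d /usr/bin/ls

# Show raw instruction bytes next to each instruction
objdump -d --show-raw-insn /usr/bin/ls

# Hide the raw instruction bytes
objdump -d --no-show-raw-insn /usr/bin/ls

# Show the raw instruction bytes only (objdump separates address, bytes and
# instruction text with tabs, so split on tabs rather than on whitespace)
objdump -d /usr/bin/ls | awk -F'\t' '/^ *[0-9a-f]+:/ {print $2}'

# Syntax variants
objdump -d -M intel /usr/bin/ls  # Intel syntax
objdump -d -M att /usr/bin/ls    # AT&T syntax (default)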

Section Analysis

Display Section Contents

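# List all sections
objdump -h /usr/bin/ls

# Show section names and sizes (size is the hex value in the third column;
# grepping for "Size" would only return the table header)
objdump -h /usr/bin/ls | awk '$1 ~ /^[0-9]+$/ {print $2, $3}'

# Display specific section data (hex + ASCII)
objdump -s -j .rodata /usr/bin/ls

# Show the strings stored in .rodata (readelf ships with binutils; piping the
# objdump -s text through strings would just echo the hex dump lines)
readelf -p .rodata /usr/bin/ls

# Display data sections (-d decodes the bytes as instructions; for data the
# -s hex dump below is usually what you want)
objdump -d -j .data /usr/bin/ls

# Show initialized data
objdump -s -j .data /usr/bin/ls

# Display BSS section (uninitialized; .bss has no bytes in the file, so expect
# no contents here, and read its size from objdump -h instead)
objdump -s -j .bss /usr/bin/ls

# Show all loadable sections (-B1 keeps the section name line above the flags line)
objdump -h /usr/bin/ls | grep -B1 -E 'LOAD'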

Hexdump Sections

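# Show every section in hex and ASCII (full dump)
objdump -s /usr/bin/ls

# Hex dump specific section (first lines only)
objdump -s -j .text /usr/bin/ls | head

# Dump from specific address
# (0x1000 and 0x1040 are constructed example values; take real addresses from
# the VMA column of objdump -h)
objdump -s -j .rodata --start-address=0x1000 --stop-address=0x1040 /usr/bin/ls

# Show string tables (.strtab is removed by strip; .dynstr holds the dynamic
# symbol names and is still present in stripped dynamic binaries)
objdump -s -j .strtab /usr/bin/ls
objdump -s -j .dynstr /usr/bin/ls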

Symbol and Relocation Information

Display Symbols

# Static symbol table
objdump --syms /usr/bin/ls

# Dynamic symbol table
objdump --dynamic-syms /usr/bin/ls

# First 20 lines of the symbol table (the address is the first column)
objdump --syms /usr/bin/ls | head -n 20

# Undefined (external) symbols
objdump --syms /usr/bin/ls | grep -F '*UND*'

# Every line that does not mention UND (defined symbols plus header lines)
objdump --syms /usr/bin/ls | grep -v -e UND

# Static and dynamic symbol tables in one run
objdump --syms --dynamic-syms /usr/bin/ls

Relocation Records

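# Show relocations (static entries; these are mostly found in .o files, a
# linked executable usually has none left)
objdump -r /usr/bin/ls

# Display dynamic relocations
objdump -R /usr/bin/ls

# Show relocations with symbols (first 20 lines)
objdump -r /usr/bin/ls | head -20

# Full relocation info: static and dynamic relocation entries together
# (-T prints dynamic symbols, not relocations)
objdump -r -R /usr/bin/ls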

Advanced Disassembly Analysis

Function Analysis

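# Find main function (needs a symbol table; a stripped binary has no <main> label)
objdump -d /usr/bin/ls | grep -A 30 '<main>:'

# Find function prologue
objdump -d /usr/bin/ls | grep -E 'push|sub.*rsp'

# Show function calls
objdump -d /usr/bin/ls | grep 'call'

# Find specific function (labels are printed as <name>:, imported functions as
# <name@plt>: outside .text, so do not restrict the search to .text)
objdump -d /usr/bin/ls | grep -A 50 -E '<printf(@plt)?>:'

# List all functions
objdump -t /usr/bin/ls | grep -E 'F\s' | awk '{print $NF}'

# Disassemble function range: from the label to the first return instruction.
# Instruction lines are indented, so the end pattern must not be anchored to a
# hex digit in column 0; it also tolerates "retq" and trailing blanks.
objdump -d /usr/bin/ls | sed -n '/^[0-9a-f].*<printf>:/,/[[:space:]]retq\{0,1\}[[:space:]]*$/p'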

Stack and Memory Analysis

# Show instructions that reference the frame or stack pointer (frame setup,
# locals, stack adjustments)
objdump -d /usr/bin/ls | grep -E 'rbp|rsp'

# Show jumps (candidates for loops and branches; the pattern alone cannot tell
# a loop from any other branch)
objdump -d /usr/bin/ls | grep -E 'jmp.*<|je\s|jne\s'

# Identify function returns (matches every line containing "ret", including
# symbol names)
objdump -d /usr/bin/ls | grep 'ret'

# Show moves involving rax or rbx (not limited to memory operands)
objdump -d /usr/bin/ls | grep -E 'mov.*rax|mov.*rbx'

# Show compare/test instructions and conditional jumps (a starting point for
# locating checks such as error handling)
objdump -d /usr/bin/ls | grep -E 'cmp\s|test\s|je\s|jne\s'

Binary Comparison

Compare Binaries

# Diff the full disassembly of both files
diff <(objdump --disassemble original) <(objdump --disassemble modified)

# Diff the .text section only
diff <(objdump --disassemble --section=.text original) <(objdump --disassemble --section=.text modified)

# Keep only the changed lines, going through intermediate listings
objdump --disassemble original > orig.asm
objdump --disassemble modified > mod.asm
diff orig.asm mod.asm | grep '^[<>]'

# Diff the sorted symbol tables
diff <(objdump --syms original | sort) <(objdump --syms modified | sort)

# Put the .text/.data header lines of both files next to each other
printf '%s\n' "Original:"; objdump --section-headers original | grep -E 'Name|\.text|\.data'
printf '%s\n' "Modified:"; objdump --section-headers modified | grep -E 'Name|\.text|\.data'

Security Analysis

Find Vulnerable Patterns

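# These greps are triage heuristics: a hit marks code worth reading, it is not
# proof of a vulnerability. When the file is untrusted, run objdump inside a
# disposable VM or container, because the tool itself parses the sample.

# Look for dangerous functions among the imports (whole-word match, so fgets,
# snprintf and the fortified __sprintf_chk are not counted)
objdump -T /usr/bin/binary | grep -wE 'strcpy|sprintf|gets'
# Call sites that reach those functions through the PLT
objdump -d /usr/bin/binary | grep -E 'call.*<(strcpy|sprintf|gets)@plt>'

# Find buffer operations (calls to copy routines; a bare 'mov.*rax' pattern
# would match most of the listing)
objdump -d /usr/bin/binary | grep -E 'call.*<(memcpy|strcpy)@plt>'

# Identify return-oriented gadgets
objdump -d /usr/bin/binary | grep -B3 'ret'

# Find system calls
objdump -d /usr/bin/binary | grep 'syscall'

# Identify privilege changes
objdump -d /usr/bin/binary | grep -E 'setuid|setgid'

# Find ASLR indicators: the main image can only be randomized when it is
# position independent. DYNAMIC in the flags line means a PIE or shared object,
# EXEC_P means a fixed load address.
objdump -f /usr/bin/binary | grep -E 'DYNAMIC|EXEC_P'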

Code Quality Analysis

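# Check for debug info (counts .debug_* sections; 0 means no DWARF sections)
objdump -h /usr/bin/binary | grep -c '\.debug_'

# Find code sections
objdump -h /usr/bin/binary | grep -E '\.text|\.code'

# Check for Position Independent Executable (PIE): the flags line shows DYNAMIC
# for a position-independent image and EXEC_P for a fixed-address executable
objdump -f /usr/bin/binary | grep -E 'DYNAMIC|EXEC_P'

# Find PLT entries
objdump -d /usr/bin/binary | grep -E '<.*@plt>'

# Check relocation requirements (rough count; the total includes header lines)
objdump -R /usr/bin/binary | wc -l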

Real-World Examples

Executable Analysis

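# Analyze ELF binary structure (all headers; -a alone only covers archive headers)
objdump -x /bin/ls

# View entry point (the "start address" line)
objdump -f /bin/bash

# Check protection mechanisms
# Stack protector and FORTIFY_SOURCE leave __stack_chk_fail and *_chk imports
objdump -T /bin/cat | grep -E '__stack_chk_fail|_chk$'
# Non-executable stack and RELRO: the STACK flags should not contain x, and a
# RELRO program header should be present
objdump -p /bin/cat | grep -A1 -E 'STACK|RELRO'
# Calls whose target symbol starts with '*' (pattern from the original listing)
objdump -d /bin/cat | grep -E 'call.*<\*'

# Find imports (dynamic symbol table; -t reports nothing on a stripped binary)
objdump -T /bin/ls | grep -F '*UND*'

# Analyze shared library (the libc path varies between distributions)
objdump -h /usr/lib/libc.so.6

# Check for stripped binaries (prints 1 when objdump reports "no symbols")
objdump -t /usr/bin/ls | grep -c 'no symbols'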

Debugging and Analysis

# Find specific instruction (here: any mov that mentions rax)
objdump -d /usr/bin/ls | grep 'mov.*rax'

# Identify function boundaries (label lines of the form "address <name>:")
objdump -d /usr/bin/ls | grep -E '^[0-9a-f]+.*<.*>:'

# Show stack pointer adjustments (how much stack each frame reserves and releases)
objdump -d /usr/bin/ls | grep -E 'sub.*rsp|add.*rsp'

# Show nop padding and jumps to labels containing "next" (a heuristic only; it
# does not by itself identify an optimization opportunity)
objdump -d /usr/bin/ls | grep -E 'nop|jmp.*next'

Batch Processing and Automation

Process Multiple Files

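# Analyze all binaries in directory (scripts and other non-object files make
# objdump print "file format not recognized"; those errors are discarded)
for f in /bin/*; do
  [ -f "$f" ] || continue
  echo "=== $f ==="
  objdump -f "$f" 2>/dev/null | head -2
done

# Extract disassembly into the current directory. NUL-delimited names and
# read -r keep unusual file names intact; files objdump cannot parse are
# skipped so no empty .asm files are left behind.
find /usr/bin -type f -executable -print0 | while IFS= read -r -d '' f; do
  objdump -f "$f" >/dev/null 2>&1 || continue
  objdump -d "$f" > "${f##*/}.asm"
done

# Find specific pattern across binaries
for f in /bin/*; do
  if objdump -d "$f" 2>/dev/null | grep -q 'syscall'; then
    echo "$f"
  fi
done

# Compare sections across binaries (number of header lines naming a .text
# section; the file name is quoted and the dot escaped so it matches literally)
for f in /bin/* /usr/bin/*; do
  if [ -f "$f" ]; then
    echo "$f: $(objdump -h "$f" 2>/dev/null | grep -c '\.text')"
  fi
done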

Text Processing

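# Extract raw bytes and instruction text (objdump separates address, bytes and
# instruction with tabs; default whitespace splitting would return only the
# first two bytes)
objdump -d /usr/bin/ls | awk -F'\t' '/^ *[0-9a-f]+:/ {print $2, $3}'

# Get function names (strip the angle brackets and the trailing colon)
objdump -d /usr/bin/ls | grep '^[0-9a-f].*<' | awk '{print $NF}' | sed 's/[<>]//g; s/:$//'

# Create reverse engineering document: main from its label to the first return
# (needs a symbol table; tolerates "retq" and trailing blanks)
objdump -d /usr/bin/ls | sed -n '/<main>:/,/[[:space:]]retq\{0,1\}[[:space:]]*$/p' > main_function.asm

# Count call targets (a frequency table of callees, not a full call graph)
objdump -d /usr/bin/ls | grep 'call' | awk '{print $NF}' | sort | uniq -c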

Troubleshooting and Tips

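# Verify binary format
objdump -f /usr/bin/ls

# Check for debug info (.debug_* sections in the section header table)
objdump -h /usr/bin/ls | grep -i '\.debug'

# Find executable sections (-B1 adds the section name line above the flags line)
objdump -h /usr/bin/ls | grep -B1 -E 'ALLOC.*CODE'

# Identify architecture (objdump prints the word in lower case)
objdump -f /usr/bin/ls | grep -i architecture

# Test disassembly (line count of the output)
objdump -d /usr/bin/ls | wc -l

# Verify section presence (prints the header line of the named section and
# nothing when it is absent)
objdump -h /usr/bin/ls | grep -E ' \.text '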

Best Practices

  • Use -S to view source alongside disassembly when the binary carries debug information and the source files are available
  • Use -d for disassembly, -h for headers, -t for symbols
  • Use syntax variants (-M intel or -M att) based on preference
  • Save disassembly output to files for detailed analysis
  • Compare before/after disassembly for change validation
  • Use pipes and grep for targeted searches
  • Document findings with line numbers and addresses
  • Cross-reference symbols with addresses
  • Check for optimization artifacts
  • Maintain archive of binaries for future analysis

Last updated: 2026-03-30