用od转储二进制文件

od就是octal dump的意思，缺省情况下用八进制输出二进制文件

zecho@zecho-laptop:~$ od /etc/ld.so.cache | head -50000000 062154 071456 026557 027061 027067 000060 001650 0000000000020 000003 000000 055470 000000 055507 000000 000003 0000000000040 055537 000000 055551 000000 000003 000000 055570 0000000000060 055600 000000 000003 000000 055621 000000 055637 0000000000100 000003 000000 055666 000000 055702 000000 000003 000000 

但是，用八进制输出很难理解，通过帮助文档我们可以看到，通过-t可以指定输出类型

-a same as -t a, select named characters, ignoring high-order bit -b same as -t o1, select octal bytes -c same as -t c, select ASCII characters or backslash escapes -d same as -t u2, select unsigned decimal 2-byte units -f same as -t fF, select floats -i same as -t dI, select decimal ints -l same as -t dL, select decimal longs -o same as -t o2, select octal 2-byte units -s same as -t d2, select decimal 2-byte units -x same as -t x2, select hexadecimal 2-byte units 

zecho@zecho-laptop:~$ od -t x1 -A x /etc/ld.so.cache | head -5000000 6c 64 2e 73 6f 2d 31 2e 37 2e 30 00 a8 03 00 00000010 03 00 00 00 38 5b 00 00 47 5b 00 00 03 00 00 00000020 5f 5b 00 00 69 5b 00 00 03 00 00 00 78 5b 00 00000030 80 5b 00 00 03 00 00 00 91 5b 00 00 9f 5b 00 00000040 03 00 00 00 b6 5b 00 00 c2 5b 00 00 03 00 00 00 

-x1为每次输出一个字节为小单位

其中-A 选项是指定地址的输出格式，x为十六进制，d为十进制，o为八进制

zecho@zecho-laptop:~$ od -t x2 -A d /etc/ld.so.cache | head -50000000 646c 732e 2d6f 2e31 2e37 0030 03a8 00000000016 0003 0000 5b38 0000 5b47 0000 0003 00000000032 5b5f 0000 5b69 0000 0003 0000 5b78 00000000048 5b80 0000 0003 0000 5b91 0000 5b9f 00000000064 0003 0000 5bb6 0000 5bc2 0000 0003 0000 

下面我们看od命令的一个应用

通过readelf我们查看可执行文件或者可重定位文件的结构

zecho@zecho-laptop:~$ readelf -S /bin/ls............... [23] .got PROGBITS 08063fec 01afec 000008 04 WA 0 0 4 [24] .got.plt PROGBITS 08063ff4 01aff4 00019c 04 WA 0 0 4 [25] .data PROGBITS 080641a0 01b1a0 00012c 00 WA 0 0 32 [26] .bss NOBITS 080642e0 01b2cc 000c40 00 WA 0 0 32 [27] .gnu_debuglink PROGBITS 00000000 01b2cc 000008 00 0 0 1 [28] .shstrtab STRTAB 00000000 01b2d4 0000f2 00 0 0 1 

readelf -S读取的是可执行文件的节信息，其中28项是字符串节，我们通过od命令来查看它们的内容

zecho@zecho-laptop:~$ od --skip-bytes 0x1b2d4 --read-bytes 0xf2 -t x1z /bin/ls0331324 00 2e 73 68 73 74 72 74 61 62 00 2e 69 6e 74 65 >..shstrtab..inte<0331344 72 70 00 2e 6e 6f 74 65 2e 41 42 49 2d 74 61 67 >rp..note.ABI-tag<0331364 00 2e 6e 6f 74 65 2e 67 6e 75 2e 62 75 69 6c 64 >..note.gnu.build<0331404 2d 69 64 00 2e 67 6e 75 2e 68 61 73 68 00 2e 64 >-id..gnu.hash..d<0331424 79 6e 73 79 6d 00 2e 64 79 6e 73 74 72 00 2e 67 >ynsym..dynstr..g<0331444 6e 75 2e 76 65 72 73 69 6f 6e 00 2e 67 6e 75 2e >nu.version..gnu.<0331464 76 65 72 73 69 6f 6e 5f 72 00 2e 72 65 6c 2e 64 >version_r..rel.d<0331504 79 6e 00 2e 72 65 6c 2e 70 6c 74 00 2e 69 6e 69 >yn..rel.plt..ini<0331524 74 00 2e 74 65 78 74 00 2e 66 69 6e 69 00 2e 72 >t..text..fini..r<0331544 6f 64 61 74 61 00 2e 65 68 5f 66 72 61 6d 65 5f >odata..eh_frame_<0331564 68 64 72 00 2e 65 68 5f 66 72 61 6d 65 00 2e 63 >hdr..eh_frame..c<0331604 74 6f 72 73 00 2e 64 74 6f 72 73 00 2e 6a 63 72 >tors..dtors..jcr<0331624 00 2e 64 79 6e 61 6d 69 63 00 2e 67 6f 74 00 2e >..dynamic..got..<0331644 67 6f 74 2e 70 6c 74 00 2e 64 61 74 61 00 2e 62 >got.plt..data..b<0331664 73 73 00 2e 67 6e 75 5f 64 65 62 75 67 6c 69 6e >ss..gnu_debuglin<0331704 6b 00 >k.<0331706 

readelf -s 读取的是可执行文件的符号表，我们可以通过od来分析它，首先我们查看符号表节的位置

zecho@zecho-laptop:~$ readelf -S /bin/ls........[ 6] .dynsym DYNSYM 08048554 000554 000700 10 A 7 1 4 

通过od来查看里面的内容

zecho@zecho-laptop:~$ od --skip-bytes 0x554 --read-bytes 0x700 -t x1z /bin/ls0002524 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >................<0002544 97 01 00 00 00 00 00 00 00 00 00 00 12 00 00 00 >................<0002564 14 02 00 00 00 00 00 00 00 00 00 00 12 00 00 00 >................<0002604 ef 01 00 00 00 00 00 00 00 00 00 00 12 00 00 00 >................<0002624 02 02 00 00 00 00 00 00 00 00 00 00 12 00 00 00 >................< 

第0行为00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

下面

97 01 00 00    00 00 00 00     00 00 00 00    12 00 00 00 

根据节的数据结构，可以得到

st_name = 0x0197

st_value = 0x0000

st_size = 0x0000

st_info = 0x12 == (STB_GLOBAL | STT_FUNC)

st_shndx = 0

[ 7] .dynstr STRTAB 08048c54 000c54 0004fd 00 A 0 0 1 

我们要略过0x197+0xc54 = 0xdeb

zecho@zecho-laptop:~$ od --skip-bytes 0xdeb --read-bytes 16 -txz /bin/ls0006753 726f6261 655f0074 00746978 66727473 >abort._exit.strf< 

得到abort._exit.strf，然后我们读取readelf -s

Num: Value Size Type Bind Vis Ndx Name 0: 00000000 0 NOTYPE LOCAL DEFAULT UND 1: 00000000 0 FUNC GLOBAL DEFAULT UND abort@GLIBC_2.0 (2) 

可以得到abort@GLIBC_2.0 (2) ，与前面相对应