DISASSEMBLY

perform quick instruction-level view to confirm it’s not packed/obfuscated and to spot an entry point before loading into Ghidra/IDA

BASIC DISASSEMBLY: .TEXT (EXECUTABLE CODE)

root@sre:~$ objdump -M intel -d disasm
 disasm:     file format elf64-x86-64
 Disassembly of section .text:
 0000000000401000 <_start>:
  401000:	48 b8 00 20 40 00 00 	movabs rax,0x402000
  401007:	00 00 00 
  40100a:	48 31 c0             	xor    rax,rax
  40100d:	b8 3c 00 00 00       	mov    eax,0x3c
  401012:	bf 00 00 00 00       	mov    edi,0x0
  401017:	0f 05                	syscall

BASIC DISASSEMBLY: STRING & .DATA (NON EXECUTABLE CODE)

root@sre:~$ objdump -M intel -sj .data disasm
 disasm:     file format elf64-x86-64

 Contents of section .data:
  402000 4842547b 64313534 3535336d 3831316e  d154553m811n
  402010 395f3831 6e343231 33355f32 5f66316e  9_81n42135_2_f1n
  402020 645f3533 63323337 357d               d_53c2375
PreviousSIGNATURE CHECKSNext02.PRE-ANALYSIS

Last updated