ELF文件分析常用命令收集
经常使用
objdump
和readelf
相关的命令进行ELF文件分析. 但是两个命令之间的参数有一定的差异.混合在一起用会经常相互混淆. 这里把这两个命令的常用参数进行说明. 同时把其它常用的命令也进行一个总结.
OBJDUMP
OBJDUMP(1) GNU Development Tools OBJDUMP(1)
NAME
objdump - display information from object files.
SYNOPSIS
objdump [-a|--archive-headers]
[-b bfdname|--target=bfdname]
[-C|--demangle[=style] ]
[-d|--disassemble]
[-D|--disassemble-all]
[-z|--disassemble-zeroes]
[-EB|-EL|--endian={big | little }]
[-f|--file-headers]
[-F|--file-offsets]
[--file-start-context]
[-g|--debugging]
[-e|--debugging-tags]
[-h|--section-headers|--headers]
[-i|--info]
[-j section|--section=section]
[-l|--line-numbers]
[-S|--source]
[-m machine|--architecture=machine]
[-M options|--disassembler-options=options]
[-p|--private-headers]
[-r|--reloc]
[-R|--dynamic-reloc]
[-s|--full-contents]
[-W[lLiaprmfFsoR]|
--dwarf[=rawline,=decodedline,=info,=abbrev,=pubnames,=aranges,=macro,=frames,=frames-interp,=str,=loc,=Ranges]]
[-G|--stabs]
[-t|--syms]
[-T|--dynamic-syms]
[-x|--all-headers]
[-w|--wide]
[--start-address=address]
[--stop-address=address]
[--prefix-addresses]
[--[no-]show-raw-insn]
[--adjust-vma=offset]
[--special-syms]
[--prefix=prefix]
[--prefix-strip=level]
[--insn-width=width]
[-V|--version]
[-H|--help]
objfile...
DESCRIPTION
objdump displays information about one or more object files. The options control what particular information to display. This information is mostly useful
to programmers who are working on the compilation tools, as opposed to programmers who just want their program to compile and work.
objfile... are the object files to be examined. When you specify archives, objdump shows information on each of the member object files.
OPTIONS
The long and short forms of options, shown here as alternatives, are equivalent. At least one option from the list
-a,-d,-D,-e,-f,-g,-G,-h,-H,-p,-r,-R,-s,-S,-t,-T,-V,-x must be given.
-a
--archive-header
If any of the objfile files are archives, display the archive header information (in a format similar to ls -l). Besides the information you could list
with ar tv, objdump -a shows the object file format of each archive member.
--adjust-vma=offset
When dumping information, first add offset to all the section addresses. This is useful if the section addresses do not correspond to the symbol table,
which can happen when putting sections at particular addresses when using a format which can not represent section addresses, such as a.out.
-b bfdname
--target=bfdname
Specify that the object-code format for the object files is bfdname. This option may not be necessary; objdump can automatically recognize many formats.
For example,
objdump -b oasys -m vax -h fu.o
displays summary information from the section headers (-h) of fu.o, which is explicitly identified (-m) as a VAX object file in the format produced by
Oasys compilers. You can list the formats available with the -i option.
-C
--demangle[=style]
Decode (demangle) low-level symbol names into user-level names. Besides removing any initial underscore prepended by the system, this makes C++ function
names readable. Different compilers have different mangling styles. The optional demangling style argument can be used to choose an appropriate
demangling style for your compiler.
-g
--debugging
Display debugging information. This attempts to parse STABS and IEEE debugging format information stored in the file and print it out using a C like
syntax. If neither of these formats are found this option falls back on the -W option to print any DWARF information in the file.
-e
--debugging-tags
Like -g, but the information is generated in a format compatible with ctags tool.
-d
--disassemble
Display the assembler mnemonics for the machine instructions from objfile. This option only disassembles those sections which are expected to contain
instructions.
-D
--disassemble-all
Like -d, but disassemble the contents of all sections, not just those expected to contain instructions.
If the target is an ARM architecture this switch also has the effect of forcing the disassembler to decode pieces of data found in code sections as if
they were instructions.
--prefix-addresses
When disassembling, print the complete address on each line. This is the older disassembly format.
-EB
-EL
--endian={big|little}
Specify the endianness of the object files. This only affects disassembly. This can be useful when disassembling a file format which does not describe
endianness information, such as S-records.
-f
--file-headers
Display summary information from the overall header of each of the objfile files.
-F
--file-offsets
When disassembling sections, whenever a symbol is displayed, also display the file offset of the region of data that is about to be dumped. If zeroes are
being skipped, then when disassembly resumes, tell the user how many zeroes were skipped and the file offset of the location from where the disassembly
resumes. When dumping sections, display the file offset of the location from where the dump starts.
--file-start-context
Specify that when displaying interlisted source code/disassembly (assumes -S) from a file that has not yet been displayed, extend the context to the start
of the file.
-h
--section-headers
--headers
Display summary information from the section headers of the object file.
File segments may be relocated to nonstandard addresses, for example by using the -Ttext, -Tdata, or -Tbss options to ld. However, some object file
formats, such as a.out, do not store the starting address of the file segments. In those situations, although ld relocates the sections correctly, using
objdump -h to list the file section headers cannot show the correct addresses. Instead, it shows the usual addresses, which are implicit for the target.
-H
--help
Print a summary of the options to objdump and exit.
-i
--info
Display a list showing all architectures and object formats available for specification with -b or -m.
-j name
--section=name
Display information only for section name.
-l
--line-numbers
Label the display (using debugging information) with the filename and source line numbers corresponding to the object code or relocs shown. Only useful
with -d, -D, or -r.
-m machine
--architecture=machine
Specify the architecture to use when disassembling object files. This can be useful when disassembling object files which do not describe architecture
information, such as S-records. You can list the available architectures with the -i option.
If the target is an ARM architecture then this switch has an additional effect. It restricts the disassembly to only those instructions supported by the
architecture specified by machine. If it is necessary to use this switch because the input file does not contain any architecture information, but it is
also desired to disassemble all the instructions use -marm.
-M options
--disassembler-options=options
Pass target specific information to the disassembler. Only supported on some targets. If it is necessary to specify more than one disassembler option
then multiple -M options can be used or can be placed together into a comma separated list.
If the target is an ARM architecture then this switch can be used to select which register name set is used during disassembler. Specifying -M reg-names-
std (the default) will select the register names as used in ARM’s instruction set documentation, but with register 13 called ’sp’, register 14 called ’lr’
and register 15 called ’pc’. Specifying -M reg-names-apcs will select the name set used by the ARM Procedure Call Standard, whilst specifying -M reg-
names-raw will just use r followed by the register number.
There are also two variants on the APCS register naming scheme enabled by -M reg-names-atpcs and -M reg-names-special-atpcs which use the ARM/Thumb
Procedure Call Standard naming conventions. (Either with the normal register names or the special register names).
This option can also be used for ARM architectures to force the disassembler to interpret all instructions as Thumb instructions by using the switch
--disassembler-options=force-thumb. This can be useful when attempting to disassemble thumb code produced by other compilers.
For the x86, some of the options duplicate functions of the -m switch, but allow finer grained control. Multiple selections from the following may be
specified as a comma separated string. x86-64, i386 and i8086 select disassembly for the given architecture. intel and att select between intel syntax
mode and AT&T syntax mode. intel-mnemonic and att-mnemonic select between intel mnemonic mode and AT&T mnemonic mode. intel-mnemonic implies intel and
att-mnemonic implies att. addr64, addr32, addr16, data32 and data16 specify the default address size and operand size. These four options will be
overridden if x86-64, i386 or i8086 appear later in the option string. Lastly, suffix, when in AT&T mode, instructs the disassembler to print a mnemonic
suffix even when the suffix could be inferred by the operands.
For PowerPC, booke controls the disassembly of BookE instructions. 32 and 64 select PowerPC and PowerPC64 disassembly, respectively. e300 selects
disassembly for the e300 family. 440 selects disassembly for the PowerPC 440. ppcps selects disassembly for the paired single instructions of the
PPC750CL.
For MIPS, this option controls the printing of instruction mnemonic names and register names in disassembled instructions. Multiple selections from the
following may be specified as a comma separated string, and invalid options are ignored:
"no-aliases"
Print the ’raw’ instruction mnemonic instead of some pseudo instruction mnemonic. I.e., print ’daddu’ or ’or’ instead of ’move’, ’sll’ instead of
’nop’, etc.
"gpr-names=ABI"
Print GPR (general-purpose register) names as appropriate for the specified ABI. By default, GPR names are selected according to the ABI of the
binary being disassembled.
"fpr-names=ABI"
Print FPR (floating-point register) names as appropriate for the specified ABI. By default, FPR numbers are printed rather than names.
"cp0-names=ARCH"
Print CP0 (system control coprocessor; coprocessor 0) register names as appropriate for the CPU or architecture specified by ARCH. By default, CP0
register names are selected according to the architecture and CPU of the binary being disassembled.
"hwr-names=ARCH"
Print HWR (hardware register, used by the "rdhwr" instruction) names as appropriate for the CPU or architecture specified by ARCH. By default, HWR
names are selected according to the architecture and CPU of the binary being disassembled.
"reg-names=ABI"
Print GPR and FPR names as appropriate for the selected ABI.
"reg-names=ARCH"
Print CPU-specific register names (CP0 register and HWR names) as appropriate for the selected CPU or architecture.
For any of the options listed above, ABI or ARCH may be specified as numeric to have numbers printed rather than names, for the selected types of
registers. You can list the available values of ABI and ARCH using the --help option.
For VAX, you can specify function entry addresses with -M entry:0xf00ba. You can use this multiple times to properly disassemble VAX binary files that
don’t contain symbol tables (like ROM dumps). In these cases, the function entry mask would otherwise be decoded as VAX instructions, which would
probably lead the rest of the function being wrongly disassembled.
-p
--private-headers
Print information that is specific to the object file format. The exact information printed depends upon the object file format. For some object file
formats, no additional information is printed.
-r
--reloc
Print the relocation entries of the file. If used with -d or -D, the relocations are printed interspersed with the disassembly.
-R
--dynamic-reloc
Print the dynamic relocation entries of the file. This is only meaningful for dynamic objects, such as certain types of shared libraries. As for -r, if
used with -d or -D, the relocations are printed interspersed with the disassembly.
-s
--full-contents
Display the full contents of any sections requested. By default all non-empty sections are displayed.
-S
--source
Display source code intermixed with disassembly, if possible. Implies -d.
--prefix=prefix
Specify prefix to add to the absolute paths when used with -S.
--prefix-strip=level
Indicate how many initial directory names to strip off the hardwired absolute paths. It has no effect without --prefix=prefix.
--show-raw-insn
When disassembling instructions, print the instruction in hex as well as in symbolic form. This is the default except when --prefix-addresses is used.
--no-show-raw-insn
When disassembling instructions, do not print the instruction bytes. This is the default when --prefix-addresses is used.
--insn-width=width
Display width bytes on a single line when disassembling instructions.
-W[lLiaprmfFsoR]
--dwarf[=rawline,=decodedline,=info,=abbrev,=pubnames,=aranges,=macro,=frames,=frames-interp,=str,=loc,=Ranges]
Displays the contents of the debug sections in the file, if any are present. If one of the optional letters or words follows the switch then only data
found in those specific sections will be dumped.
-G
--stabs
Display the full contents of any sections requested. Display the contents of the .stab and .stab.index and .stab.excl sections from an ELF file. This is
only useful on systems (such as Solaris 2.0) in which ".stab" debugging symbol-table entries are carried in an ELF section. In most other file formats,
debugging symbol-table entries are interleaved with linkage symbols, and are visible in the --syms output.
--start-address=address
Start displaying data at the specified address. This affects the output of the -d, -r and -s options.
--stop-address=address
Stop displaying data at the specified address. This affects the output of the -d, -r and -s options.
-t
--syms
Print the symbol table entries of the file. This is similar to the information provided by the nm program, although the display format is different. The
format of the output depends upon the format of the file being dumped, but there are two main types. One looks like this:
[ 4](sec 3)(fl 0x00)(ty 0)(scl 3) (nx 1) 0x00000000 .bss
[ 6](sec 1)(fl 0x00)(ty 0)(scl 2) (nx 0) 0x00000000 fred
where the number inside the square brackets is the number of the entry in the symbol table, the sec number is the section number, the fl value are the
symbol’s flag bits, the ty number is the symbol’s type, the scl number is the symbol’s storage class and the nx value is the number of auxilary entries
associated with the symbol. The last two fields are the symbol’s value and its name.
The other common output format, usually seen with ELF based files, looks like this:
00000000 l d .bss 00000000 .bss
00000000 g .text 00000000 fred
Here the first number is the symbol’s value (sometimes refered to as its address). The next field is actually a set of characters and spaces indicating
the flag bits that are set on the symbol. These characters are described below. Next is the section with which the symbol is associated or *ABS* if the
section is absolute (ie not connected with any section), or *UND* if the section is referenced in the file being dumped, but not defined there.
After the section name comes another field, a number, which for common symbols is the alignment and for other symbol is the size. Finally the symbol’s
name is displayed.
The flag characters are divided into 7 groups as follows:
"l"
"g"
"u"
"!" The symbol is a local (l), global (g), unique global (u), neither global nor local (a space) or both global and local (!). A symbol can be neither
local or global for a variety of reasons, e.g., because it is used for debugging, but it is probably an indication of a bug if it is ever both local
and global. Unique global symbols are a GNU extension to the standard set of ELF symbol bindings. For such a symbol the dynamic linker will make
sure that in the entire process there is just one symbol with this name and type in use.
"w" The symbol is weak (w) or strong (a space).
"C" The symbol denotes a constructor (C) or an ordinary symbol (a space).
"W" The symbol is a warning (W) or a normal symbol (a space). A warning symbol’s name is a message to be displayed if the symbol following the warning
symbol is ever referenced.
"I"
"i" The symbol is an indirect reference to another symbol (I), a function to be evaluated during reloc processing (i) or a normal symbol (a space).
"d"
"D" The symbol is a debugging symbol (d) or a dynamic symbol (D) or a normal symbol (a space).
"F"
"f"
"O" The symbol is the name of a function (F) or a file (f) or an object (O) or just a normal symbol (a space).
-T
--dynamic-syms
Print the dynamic symbol table entries of the file. This is only meaningful for dynamic objects, such as certain types of shared libraries. This is
similar to the information provided by the nm program when given the -D (--dynamic) option.
--special-syms
When displaying symbols include those which the target considers to be special in some way and which would not normally be of interest to the user.
-V
--version
Print the version number of objdump and exit.
-x
--all-headers
Display all available header information, including the symbol table and relocation entries. Using -x is equivalent to specifying all of -a -f -h -p -r
-t.
-w
--wide
Format some lines for output devices that have more than 80 columns. Also do not truncate symbol names when they are displayed.
-z
--disassemble-zeroes
Normally the disassembly output will skip blocks of zeroes. This option directs the disassembler to disassemble those blocks, just like any other data.
@file
Read command-line options from file. The options read are inserted in place of the original @file option. If file does not exist, or cannot be read,
then the option will be treated literally, and not removed.
Options in file are separated by whitespace. A whitespace character may be included in an option by surrounding the entire option in either single or
double quotes. Any character (including a backslash) may be included by prefixing the character to be included with a backslash. The file may itself
contain additional @file options; any such options will be processed recursively.
SEE ALSO
nm(1), readelf(1), and the Info entries for binutils.
COPYRIGHT
Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, Inc.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version
published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is
included in the section entitled "GNU Free Documentation License".
binutils-2.20.51.0.2 2016-05-10 OBJDUMP(1)
-a
读取文档存储头信息, 一般只能获取到ELF文件的类型及简单的平台信息.
objdump -a main.out
main.out: file format elf32-i386
main.out
-d
-d
--disassemble
Display the assembler mnemonics **for** the machine instructions from objfile. This option only disassembles those sections **which** are expected to contain
instructions.
用于显示汇编助记符 for 机器指令 在 对象文件里面.这个选项只会反汇编那些
section
: 其中一般存在指令的section
-D
-D
--disassemble-all
Like -d, but disassemble the contents of all sections, not just those expected to contain instructions.
If the target is an ARM architecture this switch also has the effect of forcing the disassembler to decode pieces of data found in code sections as if they were instructions.
功能与
-d
相似,但是会反汇编所有的section
的内容. 不仅仅是那些期望包含指令的段.
如果目标是一个ARM
架构,这个开关也有一个影响: 那就是强制反汇编器去解码 数据片段 (在code section) ,就像他们是真的指令一样.
--prefix-addresses
--prefix-addresses
When disassembling, print the complete address on each line. This is the older disassembly format.
当反汇编的时候,打印完整的地址在每一行上. 这是一个更古老的反汇编格式.
旧汇编格式(加上参数)
新汇编格式(无参数)
-EB
和EL
-EB
-EL
--endian={big|little}
Specify the endianness of the object files. This only affects disassembly. This can be useful when disassembling a file format which does not describe endianness information, such as S-records.
指定对象文件的大小端. 这个选项仅影响汇编. 这个选项可用于: 当反汇编一个文件格式但是没有指定大小端信息时. 例如: s-recoreds
-f
-f
--file-headers
Display summary information from the overall header of each of the objfile files.
用于显示总结性信息,来自于总体的 每一个对象文件 的 文件头
objdump -f add.so
add.so: file format elf32-i386
architecture: i386, flags 0x00000150:
HAS_SYMS, DYNAMIC, D_PAGED
start address 0x00000350
objdump -f add.so main.out
add.so: file format elf32-i386
architecture: i386, flags 0x00000150:
HAS_SYMS, DYNAMIC, D_PAGED
start address 0x00000350
main.out: file format elf32-i386
architecture: i386, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x08048400
-F
显示dump的内容在文件中的偏移
-F
--file-offsets
When disassembling sections, whenever a symbol is displayed, also display the file offset of the region of data that is about to be dumped. If zeroes are being skipped, then when disassembly resumes, tell the user how many zeroes were skipped and the file offset of the
location from where the disassembly resumes. When dumping sections, display the file offset of the location from where the dump starts.
当反汇编一个sections时,无论何时一个符号显示, 都显示数据region的文件偏移(file offset). 如果有0被跳过,然后反汇编恢复, 告诉用户多少个
0
被跳过,然后从哪个位置的文件偏移恢复反汇编. 当dump 多个sections时,显示dump从哪里开始的文件偏移.
-h
, --section-headers
, --headers
: 段表,段描述符信息
-h
--section-headers
--headers
Display summary information from the section headers of the object file.
File segments may be relocated to nonstandard addresses, for example by using the -Ttext, -Tdata, or -Tbss options to ld. However, some object file formats, such as a.out, do not store the starting address of the file segments. In those situations, although ld relocates
the sections correctly, using objdump -h to list the file section headers cannot show the correct addresses. Instead, it shows the usual addresses, which are implicit for the target.
-i
: 查看-b
和-m
参数支持的所有处理器架构及对象格式
-i
--info
Display a list showing all architectures and object formats available for specification with -b or -m.
输出架构示例:
BFD header file version version 2.20.51.0.2-5.44.el6 20100205
elf64-x86-64
(header little endian, data little endian)
i386
elf32-i386
(header little endian, data little endian)
i386
a.out-i386-linux
(header little endian, data little endian)
i386
pei-i386
(header little endian, data little endian)
i386
pei-x86-64
(header little endian, data little endian)
i386
elf64-l1om
(header little endian, data little endian)
l1om
elf64-little
(header little endian, data little endian)
i386
l1om
elf64-big
(header big endian, data big endian)
i386
l1om
elf32-little
(header little endian, data little endian)
i386
l1om
elf32-big
(header big endian, data big endian)
i386
l1om
srec
(header endianness unknown, data endianness unknown)
i386
l1om
symbolsrec
(header endianness unknown, data endianness unknown)
i386
l1om
verilog
(header endianness unknown, data endianness unknown)
i386
l1om
tekhex
(header endianness unknown, data endianness unknown)
i386
l1om
binary
(header endianness unknown, data endianness unknown)
i386
l1om
ihex
(header endianness unknown, data endianness unknown)
i386
l1om
elf64-x86-64 elf32-i386 a.out-i386-linux pei-i386 pei-x86-64
i386 elf64-x86-64 elf32-i386 a.out-i386-linux pei-i386 pei-x86-64
l1om ------------ ---------- ---------------- -------- ----------
elf64-l1om elf64-little elf64-big elf32-little elf32-big srec
i386 ---------- elf64-little elf64-big elf32-little elf32-big srec
l1om elf64-l1om elf64-little elf64-big elf32-little elf32-big srec
symbolsrec verilog tekhex binary ihex
i386 symbolsrec verilog tekhex binary ihex
l1om symbolsrec verilog tekhex binary ihex
-j
: 仅显示某一个section
的内容
-j name
--section=name
Display information only for section name.
示例:
objdump -h -j .dynsym main.out
main.out: file format elf64-x86-64
Sections:
Idx Name Size VMA LMA File off Algn
4 .dynsym 00000108 0000000000400298 0000000000400298 00000298 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
-l
: 行号
-l
--line-numbers
Label the display (using debugging information) with the filename and source line numbers corresponding to the object code or relocs shown.
Only useful with -d, -D, or -r.
标注这显示(用调试信息)用文件名与行号, 与此对象关联的 对象代码或者是 relocs shown. 仅在参数:
-d
,-D
或者-r
时有效.
示例
# objdump -dSl main.out
0000000000400604 <main>:
main():
/root/ccode/xiu/plt/main.c:7
// 声明一个外部导入的函数
int addtwo(int x,int y);
int main(int argc, char* argv[])
{
400604: 55 push %rbp
400605: 48 89 e5 mov %rsp,%rbp
400608: 48 83 ec 20 sub $0x20,%rsp
40060c: 89 7d ec mov %edi,-0x14(%rbp)
40060f: 48 89 75 e0 mov %rsi,-0x20(%rbp)
/root/ccode/xiu/plt/main.c:8
int sum = addtwo(1,2);
400613: be 02 00 00 00 mov $0x2,%esi
400618: bf 01 00 00 00 mov $0x1,%edi
40061d: e8 e6 fe ff ff callq 400508 <addtwo@plt>
400622: 89 45 fc mov %eax,-0x4(%rbp)
/root/ccode/xiu/plt/main.c:9
printf("1+2=%d\n",sum);
400625: b8 48 07 40 00 mov $0x400748,%eax
40062a: 8b 55 fc mov -0x4(%rbp),%edx
40062d: 89 d6 mov %edx,%esi
40062f: 48 89 c7 mov %rax,%rdi
400632: b8 00 00 00 00 mov $0x0,%eax
400637: e8 ac fe ff ff callq 4004e8 <printf@plt>
/root/ccode/xiu/plt/main.c:10
return 0;
40063c: b8 00 00 00 00 mov $0x0,%eax
/root/ccode/xiu/plt/main.c:11
}
-m machine
-m machine
--architecture=machine
Specify the architecture to use when disassembling object files. This can be useful when disassembli
ng object files which do not describe
architecture information, such as S-records. You can list the available architectures with the -i op
tion.
指定架构来使用.当反汇编一个对象的时候. 这个会特别有用当反汇编对象文件,但是没有描述对象架构信息. 现实中基本没有用到
实际我们可以用来指定汇编语言的风格
-M
: 指定汇编选项
--disassembler-options=options
Pass target specific information to the disassembler. Only supported on some targets.
If it is necessary to specify more than one disassembler option then multiple -M options
can be used or can be placed together into a comma separated list.
For the x86, some of the options duplicate functions of the -m switch, but allow finer
grained control. Multiple selections from the following may be specified as a comma
separated string. x86-64, i386 and i8086 select disassembly for the given architecture.
intel and att select between intel syntax mode and AT&T syntax mode. intel-mnemonic and
att-mnemonic select between intel mnemonic mode and AT&T mnemonic mode. intel-mnemonic
implies intel and att-mnemonic implies att. addr64, addr32, addr16, data32 and data16
specify the default address size and operand size. These four options will be overridden
if x86-64, i386 or i8086 appear later in the option string. Lastly, suffix, when in AT&T
mode, instructs the disassembler to print a mnemonic suffix even when the suffix could be
inferred by the operands.
For PowerPC, booke controls the disassembly of BookE instructions. 32 and 64 select
PowerPC and PowerPC64 disassembly, respectively. e300 selects disassembly for the e300
family. 440 selects disassembly for the PowerPC 440. ppcps selects disassembly for the
paired single instructions of the PPC750CL.
For MIPS, this option controls the printing of instruction mnemonic names and register
names in disassembled instructions. Multiple selections from the following may be
specified as a comma separated string, and invalid options are ignored:
"no-aliases"
Print the ’raw’ instruction mnemonic instead of some pseudo instruction mnemonic.
I.e., print ’daddu’ or ’or’ instead of ’move’, ’sll’ instead of ’nop’, etc.
"gpr-names=ABI"
Print GPR (general-purpose register) names as appropriate for the specified ABI. By
default, GPR names are selected according to the ABI of the binary being
disassembled.
"fpr-names=ABI"
Print FPR (floating-point register) names as appropriate for the specified ABI. By
default, FPR numbers are printed rather than names.
"cp0-names=ARCH"
Print CP0 (system control coprocessor; coprocessor 0) register names as appropriate
for the CPU or architecture specified by ARCH. By default, CP0 register names are
selected according to the architecture and CPU of the binary being disassembled.
"hwr-names=
ARCH"
Print HWR (hardware register, used by the "rdhwr" instruction) names as appropriate
for the CPU or architecture specified by ARCH. By default, HWR names are selected
according to the architecture and CPU of the binary being disassembled.
"reg-names=ABI"
Print GPR and FPR names as appropriate for the selected ABI.
"reg-names=ARCH"
Print CPU-specific register names (CP0 register and HWR names) as appropriate for the
selected CPU or architecture.
For any of the options listed above, ABI or ARCH may be specified as numeric to have
numbers printed rather than names, for the selected types of registers. You can list the
available values of ABI and ARCH using the --help option.
For VAX, you can specify function entry addresses with -M entry:0xf00ba. You can use
this multiple times to properly disassemble VAX binary files that don’t contain symbol
tables (like ROM dumps). In these cases, the function entry mask would otherwise be
decoded as VAX instructions, which would probably lead the rest of the function being
wrongly disassembled.
intel
andatt
select betweenintel syntax
mode andAT&T
syntax mode.intel-mnemonic
andatt-mnemonic
select between intel mnemonic mode and AT&T mnemonic mode.intel-mnemonic
implies intel andatt-mnemonic
implies att.
- addr64, addr32, addr16, data32 and data16
specify the default address size and operand size.- These four options will be overridden if x86-64, i386 or i8086 appear later in the option string. Lastly, suffix, when in AT&T
mode, instructs the disassembler to print a mnemonic suffix even when the suffix could be
inferred by the operands.**
- These four options will be overridden if x86-64, i386 or i8086 appear later in the option string. Lastly, suffix, when in AT&T