60

Can I disassemble a flat binary file using objdump?

I'm familiar with disassembling a structured binary executable such as an ELF file using:

objdump -d file.elf

But if I have a flat binary file that I know is supposed to be loaded at, e.g., address 0xabcd1000, can I ask objdump to disassemble it? I tried supplying options such as '--start-address=0xabcd1000' but objdump just states that it doesn't recognize the format.

I have other ideas about how to disassemble the file but I wanted to know if objdump could provide a simple solution.

Improve this question
3
  • This is not a flat binary file. It looks like it's an ELF file.
    – Calmarius
    Commented Jan 28, 2013 at 8:31
  • In the example above, I mentioned an ELF file (file.elf) in order to illustrate that I was familiar with the basic disassembly principles. However, the file I was interested in disassembling was absolutely a flat binary file. The first bytes in the file were the first opcodes to be executed. There was no header.
    – Multimedia Mike
    Commented Jan 30, 2013 at 3:27
  • Possible duplicate of How do I disassemble raw x86 code?
    – Ciro Santilli OurBigBook.com
    Commented Oct 3, 2015 at 16:53

2 Answers 2

Reset to default
66

I found the solution to my own question on a different forum. It looks something like this:

objdump -b binary --adjust-vma=0xabcd1000 -D file.bin

I've tested this and it works.

Improve this answer
6
  • 24
    returns can't disassemble for architecture unknown! seems that you missed the machine option -m i386 in my case
    – Oussama L.
    Commented Jan 2, 2014 at 17:09
  • 1
    Thanks for that catch. I suspect it's because a standard objdump in linux/x86 land handles 2 architectures. When I ran it, I used a version that only dealt with one arch (SH-4 in my case).
    – Multimedia Mike
    Commented Jan 2, 2014 at 18:30
  • 2
    and you can omit --adjust-vma=0xabcd1000
    – Thorsten Staerk
    Commented Jan 3, 2014 at 20:26
  • 12
    for x86-64 one needs to specify the architecture as -m i386:x86-64
    – ead
    Commented Jun 25, 2017 at 21:49
  • 3
    --adjust-vma=.. is useful when you want to account for a different starting address of the piece of code in memory it's been compiled for. Otherwise it will disassemble it as if it were loaded starting from memory address 0, which might not be the case. One can also use --start-address=.. to disassemble from a different starting offset in the binary file.
    – BarbaraKwarc
    Commented Jul 2, 2018 at 5:57
45

starblue and hlovdal both have parts of the canonical answer. If you want to disassemble raw i8086 code, you usually want Intel syntax, not AT&T syntax, too, so use:

objdump -D -Mintel,i8086 -b binary -m i386 mbr.bin
objdump -D -Mintel,i386 -b binary -m i386 foo.bin    # for 32-bit code
objdump -D -Mintel,x86-64 -b binary -m i386 foo.bin  # for 64-bit code

If your code is ELF (or a.out (or (E)COFF)), you can use the short form:

objdump -D -Mintel,i8086 a.out  # disassembles the entire file
objdump -d -Mintel,i8086 a.out  # disassembles only code sections

For 32-bit or 64-bit code, omit the ,8086; the ELF header already includes this information.

ndisasm, as suggested by jameslin, is also a good choice, but objdump usually comes with the OS and can deal with all architectures supported by GNU binutils (superset of those supported by GCC), and its output can usually be fed into GNU as (ndisasm’s can usually be fed into nasm though, of course).

Peter Cordes suggests that “Agner Fog's objconv is very nice. It puts labels on branch targets, making a lot easier to figure out what the code does. It can disassemble into NASM, YASM, MASM, or AT&T (GNU) syntax.”

Multimedia Mike already found out about --adjust-vma; the ndisasm equivalent is the -o option.

To disassemble, say, sh4 code (I used one binary from Debian to test), use this with GNU binutils (almost all other disassemblers are limited to one platform, such as x86 with ndisasm and objconv):

objdump -D -b binary -m sh -EL x

The -m is the machine, and -EL means Little Endian (for sh4eb use -EB instead), which is relevant for architectures that exist in either endianness.

Improve this answer
2
  • For the architecture, I used -m i386:x86-64 to be able to get AMD64 binaries listed. By default, just i386 gives you 32 bit instructions. The -Mintel,x86-64 did not work for me...
    – Alexis Wilke
    Commented Feb 27, 2023 at 5:41
  • @AlexisWilke hmm, works for me… (Debian bullseye and unstable both)
    – mirabilos
    Commented Feb 27, 2023 at 20:18

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.