
RE-011 Lab 2: ELF Section Walk


Compile a short C program and dissect the resulting ELF with readelf, objdump, nm, and strings. Understand what the linker puts in each section and why.


Overview

You compile a provided C source file (two functions, one global counter, a key string literal plus a few printf messages) and then systematically examine every major section of the resulting ELF binary. You compare the stripped and unstripped forms, locate the PLT and GOT, and explain dynamic linking in your own words.

Tools: gcc, readelf, objdump, nm, strings, strip

Time: ~90 minutes.


Setup

Create a working directory and save the following C source as lab2.c:

#include <stdio.h>
#include <string.h>

int call_count = 0;

int check_key(const char *input) {
    call_count++;
    return strcmp(input, "re011lab2") == 0;
}

int main(int argc, char *argv[]) {
    if (argc < 2) {
        printf("Usage: %s <key>\n", argv[0]);
        return 1;
    }
    if (check_key(argv[1])) {
        printf("Correct\n");
        return 0;
    }
    printf("Wrong\n");
    return 1;
}

Compile it in two forms:

# Unstripped (keeps .symtab/.strtab; add -g if you also want .debug_* sections to appear)
gcc -O0 -o lab2_unstripped lab2.c

# Stripped
cp lab2_unstripped lab2_stripped
strip lab2_stripped

Part A: ELF header

Examine the ELF header of the unstripped binary:

readelf -h lab2_unstripped

Record and explain:

  1. What is e_type? What does ET_EXEC or ET_DYN mean for this binary?
  2. What is e_machine? What CPU architecture does this binary target?
  3. What is e_entry? Is this the address of main? (Check with readelf -s lab2_unstripped | grep main to compare.)
  4. What is e_phoff and e_shoff? What do these two offsets point to?

Part B: Section inventory

List all sections:

readelf -S lab2_unstripped

For each of the following sections, record: its name, type, size in bytes, and one sentence about what it contains:

  • .text
  • .data
  • .rodata
  • .bss
  • .symtab
  • .strtab
  • .dynsym
  • .dynstr
  • .plt
  • .got.plt

If a section appears to be missing (zero size or absent), explain why, and check your reasoning against the source. .bss holds globals that are uninitialized or initialized to zero, so it is empty only if the program declares none of those; a global initialized to a non-zero value lands in .data instead. On toolchains that link with -z now (full RELRO), .got.plt is absent and its entries are folded into .got; readelf -d lab2_unstripped | grep -E 'FLAGS|BIND_NOW' tells you whether that applies to your build.


Part C: Symbol table

Compare symbol visibility between the two binaries:

nm lab2_unstripped
nm lab2_stripped
nm -D lab2_unstripped
nm -D lab2_stripped

Answer:

  1. What symbols are present in lab2_unstripped that are absent from lab2_stripped?
  2. What symbols are present in BOTH (from -D, dynamic symbols)?
  3. Where is call_count in the symbol table? What section does it belong to and why?
  4. Where is the string "re011lab2"? Use strings -tx lab2_unstripped | grep re011 to find its file offset, then match that offset against the Off column of readelf -S. What section is it in?
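The script below is an added worked example for Parts A through C; it is not part of the original lab and not the form your report should take. It reads the same fields that readelf -h and readelf -S print directly from the bytes of the file, and maps a file offset (what strings -tx reports) to the section that contains it, skipping .bss-style NOBITS sections that own an offset but no bytes. Run it with a path (lab2_unstripped) to inspect your real binary; with no argument it parses a small ELF image constructed inline as a stand-in. It assumes a little-endian ELF64 input; the ELF field and constant names follow the ELF specification, everything else is the example's own naming.

```python
"""ELF64 header / section-header walk (added example for Parts A-C).

Reads the readelf -h and readelf -S fields from the raw bytes and maps a
file offset to its section. Assumes little-endian ELF64 input. The sample
image built by build_sample_elf() is constructed here as a stand-in for
lab2_unstripped; it is not a real compiler output.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
E_TYPE = {2: "EXEC", 3: "DYN"}               # ET_EXEC, ET_DYN (PIE or shared object)
E_MACHINE = {62: "x86-64", 183: "AArch64"}    # EM_X86_64, EM_AARCH64
SHT_NOBITS = 8                                # .bss: described in the table, no file bytes

# Elf64_Ehdr after the 16-byte e_ident, little-endian: e_type, e_machine,
# e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize,
# e_phnum, e_shentsize, e_shnum, e_shstrndx
EHDR = struct.Struct("<HHIQQQIHHHHHH")
# Elf64_Shdr: sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size,
# sh_link, sh_info, sh_addralign, sh_entsize
SHDR = struct.Struct("<IIQQQQIIQQ")


def parse_header(data):
    """Return the readelf -h fields this lab asks about (Part A)."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    f = EHDR.unpack_from(data, 16)
    return {"e_type": E_TYPE.get(f[0], f[0]), "e_machine": E_MACHINE.get(f[1], f[1]),
            "e_entry": f[3], "e_phoff": f[4], "e_shoff": f[5],
            "e_shentsize": f[10], "e_shnum": f[11], "e_shstrndx": f[12]}


def parse_sections(data):
    """Return the section table (Part B): name, type, address, file offset, size."""
    h = parse_header(data)
    raw = [SHDR.unpack_from(data, h["e_shoff"] + i * h["e_shentsize"])
           for i in range(h["e_shnum"])]
    # sh_name is an offset into .shstrtab, the section at index e_shstrndx.
    shstr = raw[h["e_shstrndx"]]
    names = data[shstr[4]:shstr[4] + shstr[5]]
    sections = []
    for s in raw:
        name = names[s[0]:names.index(b"\0", s[0])].decode()
        sections.append({"name": name, "type": s[1], "addr": s[3],
                         "offset": s[4], "size": s[5]})
    return sections


def section_for_offset(data, off):
    """Name of the section whose file bytes cover `off` (Part C, question 4).
    NOBITS sections (.bss) are skipped: they carry an sh_offset but no bytes."""
    for s in parse_sections(data):
        if s["type"] != SHT_NOBITS and s["offset"] <= off < s["offset"] + s["size"]:
            return s["name"]
    return None


def build_sample_elf():
    """Constructed stand-in for lab2_unstripped: ET_DYN, x86-64, with .text,
    .rodata holding the key string, a NOBITS .bss and .shstrtab."""
    text = b"\x55\x48\x89\xe5\x5d\xc3"                    # push rbp; mov rbp,rsp; pop rbp; ret
    rodata = b"re011lab2\0"
    shstrtab = b"\0.text\0.rodata\0.bss\0.shstrtab\0"
    text_off, rodata_off, shstr_off = 0x40, 0x46, 0x50   # Elf64_Ehdr is 64 bytes
    shoff = (shstr_off + len(shstrtab) + 7) & ~7          # section header table, 8-aligned
    # (sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size)
    shdrs = [(0, 0, 0, 0, 0, 0),                          # mandatory SHT_NULL entry
             (1, 1, 6, 0x1040, text_off, len(text)),      # PROGBITS, ALLOC|EXEC
             (7, 1, 2, 0x2000, rodata_off, len(rodata)),  # PROGBITS, ALLOC
             (15, SHT_NOBITS, 3, 0x4010, shoff, 4),       # NOBITS, WRITE|ALLOC
             (20, 3, 0, 0, shstr_off, len(shstrtab))]     # STRTAB
    img = bytearray(shoff + len(shdrs) * SHDR.size)
    img[:16] = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian, v1
    EHDR.pack_into(img, 16, 3, 62, 1, 0x1040, 0, shoff, 0, 64, 56, 0, 64, len(shdrs), 4)
    img[text_off:text_off + len(text)] = text
    img[rodata_off:rodata_off + len(rodata)] = rodata
    img[shstr_off:shstr_off + len(shstrtab)] = shstrtab
    for i, (name, typ, flags, addr, off, size) in enumerate(shdrs):
        SHDR.pack_into(img, shoff + i * SHDR.size, name, typ, flags, addr, off, size, 0, 0, 1, 0)
    return bytes(img)


SAMPLE = build_sample_elf()

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for k, v in parse_header(data).items():
        print(f"{k:12} {v:#x}" if isinstance(v, int) else f"{k:12} {v}")
    for s in parse_sections(data):
        print(f"{s['name']:20} type={s['type']:<3} addr={s['addr']:#08x} "
              f"off={s['offset']:#06x} size={s['size']:#x}")
    key = data.find(b"re011lab2")                         # what strings -tx reports
    if key >= 0:
        print(f"'re011lab2' at file offset {key:#x} -> section {section_for_offset(data, key)}")
```

Compare its output against readelf on your own binary: the section names and offsets should agree line for line, and the offset-to-section lookup is exactly the check question 4 asks you to do by hand.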

Part D: PLT and dynamic linking

Disassemble the binary and examine the PLT:

objdump -d lab2_unstripped | grep -A 10 '<printf@plt>'
objdump -d lab2_unstripped | grep -A 10 '<strcmp@plt>'

Look at what a PLT stub does. If readelf -S shows a .plt.sec section (toolchains that build with -fcf-protection), the <printf@plt> label sits there and is only the indirect jump through the GOT; the push and jump to the resolver live in .plt, which you can see with objdump -d -j .plt lab2_unstripped.

  1. Describe in your own words what the PLT stub for printf does (at least 3 steps).
  2. What is the role of .got.plt in this process?
  3. After the first call to printf, what happens the second time the PLT stub is called? (Lazy binding resolution.) If readelf -d lab2_unstripped shows BIND_NOW, the loader fills every GOT entry at startup and the stub never reaches the resolver; describe that case instead and say how you confirmed it. LD_DEBUG=bindings ./lab2_unstripped re011lab2 prints each symbol as it is bound, so you can see whether printf is bound before main runs or at its first call.

Part E: Stripped vs. unstripped comparison

Load the stripped binary and explain what changed:

readelf -S lab2_stripped | grep -E '(symtab|strtab|debug)'
nm lab2_stripped
objdump -d lab2_stripped | head -40

  1. Which sections were removed by strip? List them.
  2. Is the code in .text the same in both binaries? Check: objdump -d lab2_unstripped > u.asm && objdump -d lab2_stripped > s.asm && diff u.asm s.asm. Note that objdump's <name> labels come from the symbol table, so they will differ even where the bytes do not; to compare the bytes themselves, also diff the output of readelf -x .text on each binary. What do you find?
  3. What is the practical consequence for someone analyzing lab2_stripped in Ghidra versus lab2_unstripped?

Lab Report

Submit a structured report with a section for each Part (A through E). Each section should include:

  • The commands you ran (you do not need to include full output -- quote the relevant lines)
  • Your answers to the specific questions
  • At least one observation you made that surprised you or was not obvious from the Week 3 lecture

Grading

Criterion                                                                  Points
Part A: ELF header fields correctly identified and explained                   15
Part B: Section inventory complete and accurate                                25
Part C: Symbol table comparison correct; call_count and string location found  20
Part D: PLT and dynamic linking explanation accurate                           25
Part E: Stripped vs. unstripped difference correctly characterized             15
Total                                                                         100

Lab 2 of 9. Due: end of Week 3. The sections you identify here reappear in every binary you analyze for the rest of the course.