3.1 Basic Tools and Techniques

< Day Day Up >

One of the wonderful things about Unix in general and Linux in particular is that the operating system ships with a number of powerful utilities that can be used for programming or reverse engineering (of course, some commercial Unixes still try to enforce "licensing" of so-called developer tools ”an odd choice of phrase since "developers" tend to use Windows and "coders" tend to use Uni ”but packages such as the GNU development tools are available for free on virtually every Unix platform extant). A virtual cornucopia of additional tools can be found online (see Section 3.5 at the end of the chapter), many of which are under continual development.

The tools presented here are restricted to the GNU packages and utilities available in most Linux distributions: nm, gdb, lsof, ltrace, objdump , od, and hexdump. Other tools that have become fairly widely used in the security and reverse engineering fields ”dasm, elfdump, hte, ald, IDA, and IDA_Pro ”xare not discussed, though the reader is encouraged to experiment with them.

One tool whose omission would at first appear to be a matter of great neglect is the humble hex editor. There are many of these available for Linux/Unix. biew is the best; hexedit is supplied with just about every major Linux distribution. Of course, as all true Unixers know in their hearts, you need no hex editor when you're in bed with od and dd.

3.1.1 Overview of the Target

The first tool that should be run on a prospective target is nm, the system utility for listing symbols in a binary. There are quite a few options to nm; the more useful are -C (demangle), -D (dynamic symbols), -g (global/external symbols), -u (only undefined symbols), --defined-only (only defined symbols), and -a (all symbols, including debugger hints).

There are notions of symbol type, scope, and definition in the nm listing. Type specifies the section where the symbol is located and usually has one of the following values:

B: Uninitialized data (. bss )
D: Initialized data (. data )
N: Debug symbol
R: Read-only data (. rodata )
T: Text section/code (. text )
U: Undefined symbol
W: Weak symbol
?: Unknown symbol

The scope of a symbol is determined by the case of the type; lowercase types are local in scope, while uppercase types are global. Thus, "t" denotes a local symbol in the code section, while "T" denotes a global symbol in the code section. Whether a symbol is defined is determined by the type, as listed above; `nm -u` is equivalent to doing an `nm grep ' \{9,\}[uUwW]'` , where the ' \{9,\} ' refers to the empty spaces printed in lieu of an address or value. Thus, in the following example:

 bash# nm a.out 08049fcc ? _DYNAMIC 08049f88 ? _GLOBAL_OFFSET_TABLE_ 08048ce4 R _IO_stdin_used 0804a06c A _  _bss_start 08049f60 D _  _data_start          w _  _deregister_frame_info@@GLIBC_2.0 08048c90 t _  _do_global_ctors_aux          w __gmon_start_  _          U _  _libc_start_main@@GLIBC_2.0 08048cbc ? _fini 08048ce0 R _fp_hw 0804848c ? _init 080485a0 T _start 08048bb4 T bind 080485c4 t call_gmon_start

the symbols _start and bind are exported symbols defined in .text ; _ _do_global_ctors_aux and call_gmon_start are private symbols defined in .text , _DYNAMIC , _GLOBAL_OFFSET_TABLE_ , _fini , and _init are unknown symbols; and _ _libc_start_main is imported from libc.so .

Using the proper command switches and filtering based on type, we can see at a glance the layout of the target:

 List labels in the code sections:         nm -C --defined-only filename  grep '[0-9a-f ]\{8,\} [Tt]' List data:         nm -C --defined-only filename  grep '[0-9a-f ]\{8,\} [RrBbDd]' List unresolved symbols [imported functions/variables]:         nm -Cu

The objdump utility also provides a quick summary of the target with its -f option:

 bash# objdump -f /bin/login /bin/login:     file format elf32-i386 architecture: i386, flags 0x00000112: EXEC_P, HAS_SYMS, D_PAGED start address 0x0804a0c0 bash#

This is somewhat akin to the file(1) command, which has similar output:

 bash# file /bin/login /bin/login: setuid ELF 32-bit LSB executable, Intel 80386, version 1,  dynamically linked (uses shared libs), stripped bash#

Both correctly identify the target, though the objdump version gives the BFD target type (see Section 3.4.3 later in this chapter) as well as the entry point.

The final utility used in the casual assessment of a target is the venerable strings(1), without which the software security industry would apparently curl up and die. The purpose of strings is to print out all ASCII character sequences that are four characters or more long. strings(1) itself is easy to use:

 List all ASCII strings in the initialized and loaded sections:         strings -tx List all ASCII strings in all sections:         strings -atx List all ASCII strings that are at least 8 characters in length:         strings -atx -8

It should be noted that the addresses in the "tx" section should be cross-referenced with the address ranges of the various program sections; it is terribly easy to give a false impression about what a program does simply by including data strings such as "setsockopt" and " execve ", which can be mistaken for shared library references.

3.1.2 Debugging

Anyone who has spent any reasonable amount of time on a Linux system will be familiar with gdb. The GNU Debugger actually consists of two core components : the console-mode gdb utility, and libgdb, a library intended for embedding gdb in a larger application (e.g., an IDE). Numerous frontends to gdb are available, including ddd, kdbg, gvd, and insight for X-Windows, and vidbg and motor for the console.

As a console-mode program, gdb requires some familiarity on the part of the user ; GNU has made available a very useful quick reference card in addition to the copious "Debugging with GDB" tome (see Section 3.5 at the end of this chapter for more information).

The first question with any debugger is always "How do you use this to disassemble?" The second follows closely on its heels: "How do you examine memory?" In gdb, we use the disassemble , p (print), and x (examine) commands:

 disassemble start end :    disasm from 'start' address to 'end' p $reg                : print contents of register 'reg' ['p $eax'] p address             : print value of 'address' ['p _start'] p *address            : print contents of 'address' ['p *0x80484a0'] x $reg                : disassemble address in 'reg' ['x $eip'] x address             : disassemble 'address' ['x _start'] x *address            : dereference and disassemble address

The argument to the p and x commands is actually an expression, which can be a symbol, a register name (with a "$" prefix), an address, a dereferenced address (with a "*" prefix), or a simple arithmetic expression, such as "$edi + $ds" or "$ebx + ($ecx * 4)".

Both the p and x commands allow formatting arguments to be appended:

 x/i    print the result as an assembly language instruction x/x    print the result in hexadecimal x/d    print the result in decimal x/u    print the result in unsigned decimal x/t    print the result in binary x/o    print the result in octal x/f    print the result as a float x/a    print the result as an address x/c    print the result as an unsigned char x/s    print the result as an ASCII string

However, i and s are not usable with the p command, as it does not dereference the address it is given.

For examining process data other than address space, gdb provides the info command. There are over 30 info options, which are documented with the help info command; the more useful options are:

 all-registers        Contents of all CPU registers args                 Arguments for current stack frame [req. syms] breakpoints          Breakpoint/watch list and status frame                Summary of current stack frame functions            Names/addresses of all known functions locals               Local vars in current stack frame [req. syms] program              Execution status of the program registers            Contents of standard CPU registers set                  Debugger settings sharedlibrary        Status of loaded shared libraries signals              Debugger handling of process signals stack                Backtrace of the stack threads              Threads IDs tracepoints          Tracepoint list and status types                Types recognized by gdb udot                 Kernel user struct for the process variables            All known global and static variable names

Thus, to view the registers, type info registers . Many of the info options take arguments; for example, to examine a specific register, type info registers eax , where eax is the name of the register to be examined. Note that the "$" prefix is not needed with the info register command.

Now that the state of the process can be easily examined, a summary of the standard process control instructions is in order:

 continue        Continue execution of target finish          Execute through end of subroutine (current stack frame) kill            Send target a SIGKILL next            Step (over calls) one source line nexti           Step (over calls) one machine instruction run             Execute target [uses PTRACE_TRACEME] step            Step one source line stepi           Step one machine instruction backtrace       Print backtrace of stack frames up              Set scope "up" one stack frame (out of call) down            Set scope "down" one stack frame (into call)

Many of these commands have aliases since they are used so often: n ( next ), ni ( nexti ), s ( step ), si ( stepi ), r ( run ), c ( continue ), and bt ( backtrace ).

The use of these commands should be familiar to anyone experienced with debuggers . stepi and nexti are sometimes referred to as "step into" and "step over," while finish is often called "ret" or "p ret." The backtrace command requires special attention: it shows how execution reached the current point in the program by analyzing stack frames; the up and down commands allow the current context to be moved up or down one frame (as far as gdb is concerned , that is; the running target is not affected). To illustrate :

 gdb>  bt  #0  0x804849a in main (  ) #1  0x8048405 in _start (  ) gdb>  up  #1  0x8048405 in _start (  ) gdb>  down  #0  0x804849a in main (  )

The numbers at the start of each line in the backtrace are frame numbers ; up increments the context frame number (the current frame number is always 0), and down decrements it. Details for each frame can be viewed with the info frame command:

 gdb>  bt  #0  0x804849a in main (  ) #1  0x8048405 in _start (  ) gdb>  info frame 0  Stack frame at 0xbfbffa60:  eip = 0x804849a in main; saved eip 0x8048405  called by frame at 0xbfbffaac Arglist at 0xbfbffa60, args:  Locals at 0xbfbffa60, Previous frame's sp is 0x0 Saved registers:  ebp at 0xbfbffa60, eip at 0xbfbffa64 gdb>  info frame 1  Stack frame at 0xbfbffaac:  eip = 0x8048405 in _start; saved eip 0x1  caller of frame at 0xbfbffa60 Arglist at 0xbfbffaac, args:  Locals at 0xbfbffaac, Previous frame's sp is 0x0 Saved registers:  ebx at 0xbfbffa94, ebp at 0xbfbffaac, esi at 0xbfbffa98,   edi at 0xbfbffa9c, eip at 0xbfbffab0

It is important to become used to working with stack frames in gdb, as they are likely to be the only frame of reference available while debugging a stripped binary.

A debugger is nothing without breakpoints. Fortunately, gdb provides a rich breakpoint subsystem with support for data and execution breakpoints, commands to execute on breakpoint hits, and breakpoint conditions.

 break          Set an execution breakpoint hbreak         Set an execution breakpoint using a debug register xbreak         Set a breakpoint at the exit of a procedure clear          Delete breakpoints by target address/symbol delete         Delete breakpoints by ID number disable        Disable breakpoints by ID number enable         Enable breakpoints by ID number ignore         Ignore a set number of occurrences of a breakpoint condition      Apply a condition to a breakpoint commands       Set commands to be executed when a breakpoint hits

Each of the break commands takes as its argument a line number, a function name, or an address if prefixed with "*" (e.g., "break *0x8048494"). Conditional breakpoints are supported via the condition command of the form:

 condition num  expression

...where num is the breakpoint ID and expression is any expression that evaluates to TRUE (nonzero) in order for the breakpoint to hit; the break command also supports an if suffix of the form:

 break address if  expression

where expression is the same as in the command. Breakpoint conditions can be any expression; however, they're devoid of meaning:

 break main if $eax > 0 break main if *(unsigned long *)(0x804849a +16) == 23 break main if 2 > 1

These conditions are associated with a breakpoint number and are deleted when that breakpoint is deleted; alternatively, the condition for a breakpoint can be changed with the condition command, or cleared by using the condition command with no expression specified.

Breakpoint commands are another useful breakpoint extension. These are specified with commands , which has the following syntax:

 commands  num   command1   command2  ... end

num is the breakpoint ID number, and all lines between commands and end are commands to be executed when the breakpoint hits. These commands can be used to perform calculations, print values, set new breakpoints, or even continue the target:

 commands 1 info registers end commands 2 b *(unsigned long *)$eax continue end commands 3 x/s $esi x/s $edi end commands 4 set $eax = 1 set $eflags = $eflags & ~0x20 set $eflags = $eflags  0x01 end

The last example demonstrates the use of commands to set the eax register to 1, to clear the Zero flag, and to set the Carry flag. Any standard C expression can be used in gdb commands.

The break , hbreak , and xbreak commands all have temporary forms that begin with "t" and cause the breakpoint to be removed after it hits. The tbreak command, for example, installs an execution breakpoint at the specified address or symbol, then removes the breakpoint after it hits the first time, so that subsequent executions of the same address will not trigger the breakpoint.

This is perhaps a good point to introduce the gdb display command. This command is used with an expression (i.e., an address or register) to display a value whenever gdb stops the process, such as when a breakpoint is encountered or an instruction is traced. Unfortunately the display command does not take arbitrary gdb commands, so display info regs will not work.

It is still useful to display variables or register contents at each stop; this allows "background" watchpoints (i.e., watchpoints that do not stop the process on modification, but are simply displayed) to be set up, and also allows for a runtime context to be displayed:

 gdb>  display/i $eip  gdb>  display/s *$edi  gdb>  display/s *$esi  gdb>  display/t $eflags  gdb>  display $edx  gdb>  display $ecx  gdb>  display $ebx  gdb>  display $eax  gdb>  n  0x400c58c1 in nanosleep (  ) from /lib/libc.so.6     9: $eax = 0xfffffffc 8: $ebx = 0x4013c0b8 7: $ecx = 0xbffff948 6: $edx = 0x4013c0b8 5: /t $eflags = 1100000010 4: x/s *$esi  0x10000:  <Address 0x10000 out of bounds> 3: x/s *$edi  0xbffffc6f:       "/home/_m/./a.out" 2: x/i $eip  0x400c58c1 <nanosleep+33>:        pop    %ebx gdb>

As can be seen in the above example, the display command can take the same formatting arguments as the p and x commands. A list of all display expressions in effect can be viewed with info display , and expressions can be deleted with undisplay # , where # is the number of the display as shown in the display listing.

In gdb, a data breakpoint is called a watchpoint ; a watched address or variable causes execution of the program to stop when the address is read or written. There are three watch commands in gdb:

 awatch       Set a read/write watchpoint watch        Set a write watchpoint  rwatch       Set a read watchpoint

Watchpoints appear in the breakpoint listing ( info breakpoints ) and are deleted as if they are breakpoints.

One point about breakpoints and watchpoints in gdb on the x86 platform needs to be made clear: the use of x86 debug registers. By default, gdb attempts to use a hardware register for awatch and rwatch watchpoints in order to avoid slowing down execution of the program; execution breakpoints are embedded INT3 instructions by default, although the hbreak is intended to allow hardware register breakpoints on execution access. This support seems to be disabled in many versions of gdb, however; if an awatch or rwatch cannot be made because of a lack of debug register support, the error message "Expression cannot be implemented with read/access watchpoint" will appear, while if an hbreak cannot be installed, the message "No hardware breakpoint support in the target" is printed. The appearance of one of these messages means either that gdb has no hardware debug register support or that all debug registers are in use. More information on Intel debug registers can be found in Section 3.3.1 and Section 3.4.2, later in this chapter.

One area of debugging with gdb that gets little attention is the support for SIGSTOP via Ctrl-z. Normally, in a terminal application, the shell catches Ctrl-z and the foreground process is sent a SIGSTOP. When gdb is running, however, Ctrl-z sends a SIGSTOP to the target, and control is returned to gdb. Needless to say, this is extremely useful in programs that enter an endless loop, and it can be used as an underpowered replacement for SoftICE's Ctrl-d when debugging an X program from an xterm .

For example, use gdb to run a program with an endless loop:

 #include <unistd.h> int main( int argc, char **argv ) {           int x = 666;           while ( 1 )  {                 x++;                 sleep(1);           }           return(0);  } bash# gdb ./a.out gdb> r (no debugging symbols found)...(no debugging symbols found)...

At this point the program is locked in a loop; press Ctrl-z to stop the program.

 Program received signal SIGTSTP, Stopped (user). 0x400c58b1 in nanosleep (  ) from /lib/libc.so.6 Program received signal SIGTSTP, Stopped (user). 0x400c58b1 in nanosleep (  ) from /lib/libc.so.6

A simple backtrace shows the current location of the program; a judicious application of finish commands will step out of the library calls:

 gdb>  bt  #0  0x400c58b1 in nanosleep (  ) from /lib/libc.so.6 #1  0x400c5848 in sleep (  ) from /lib/libc.so.6 #2  0x8048421 in main (  ) #3  0x4003e64f in _  _libc_start_main (  ) from /lib/libc.so.6 gdb>  finish  Program received signal SIGTSTP, Stopped (user).  0x400c58b1 in nanosleep (  ) from /lib/libc.so.6  gdb>  finish  0x400c5848 in sleep (  ) from /lib/libc.so.6  gdb>  finish  0x8048421 in main (  )  gdb>  dis main  Dump of assembler code for function main:  ...  0x8048414 <main+20>:    incl   0xfffffffc(%ebp)  0x8048417 <main+23>:    add  gdb>  bt  #0 0x400c58b1 in nanosleep ( ) from /lib/libc.so.6 #1 0x400c5848 in sleep ( ) from /lib/libc.so.6 #2 0x8048421 in main ( ) #3 0x4003e64f in _ _libc_start_main ( ) from /lib/libc.so.6 gdb>  finish  Program received signal SIGTSTP, Stopped (user). 0x400c58b1 in nanosleep ( ) from /lib/libc.so.6 gdb>  finish  0x400c5848 in sleep ( ) from /lib/libc.so.6 gdb>  finish  0x8048421 in main ( ) gdb>  dis main  Dump of assembler code for function main: ... 0x8048414 <main+20>: incl 0xfffffffc(%ebp) 0x8048417 <main+23>: add $0xfffffff4,%esp 0x804841a <main+26>: push $0x1 0x804841c <main+28>: call 0x80482f0 <sleep> 0x8048421 <main+33>: add $0x10,%esp 0x8048424 <main+36>: jmp 0x8048410 <main+16> 0x8048426 <main+38>: xor %eax,%eax 0x8048428 <main+40>: jmp 0x8048430 <main+48> 0x804842a <main+42>: lea 0x0(%esi),%esi 0x8048430 <main+48>: mov %ebp,%esp 0x8048432 <main+50>: pop %ebp 0x8048433 <main+51>: ret End of assembler dump. 
 xfffffff4,%esp  0x804841a <main+26>:    push  gdb>  bt  #0 0x400c58b1 in nanosleep ( ) from /lib/libc.so.6 #1 0x400c5848 in sleep ( ) from /lib/libc.so.6 #2 0x8048421 in main ( ) #3 0x4003e64f in _ _libc_start_main ( ) from /lib/libc.so.6 gdb>  finish  Program received signal SIGTSTP, Stopped (user). 0x400c58b1 in nanosleep ( ) from /lib/libc.so.6 gdb>  finish  0x400c5848 in sleep ( ) from /lib/libc.so.6 gdb>  finish  0x8048421 in main ( ) gdb>  dis main  Dump of assembler code for function main: ... 0x8048414 <main+20>: incl 0xfffffffc(%ebp) 0x8048417 <main+23>: add $0xfffffff4,%esp 0x804841a <main+26>: push $0x1 0x804841c <main+28>: call 0x80482f0 <sleep> 0x8048421 <main+33>: add $0x10,%esp 0x8048424 <main+36>: jmp 0x8048410 <main+16> 0x8048426 <main+38>: xor %eax,%eax 0x8048428 <main+40>: jmp 0x8048430 <main+48> 0x804842a <main+42>: lea 0x0(%esi),%esi 0x8048430 <main+48>: mov %ebp,%esp 0x8048432 <main+50>: pop %ebp 0x8048433 <main+51>: ret End of assembler dump. 
 x1  0x804841c <main+28>:    call   0x80482f0 <sleep>  0x8048421 <main+33>:    add  gdb>  bt  #0 0x400c58b1 in nanosleep ( ) from /lib/libc.so.6 #1 0x400c5848 in sleep ( ) from /lib/libc.so.6 #2 0x8048421 in main ( ) #3 0x4003e64f in _ _libc_start_main ( ) from /lib/libc.so.6 gdb>  finish  Program received signal SIGTSTP, Stopped (user). 0x400c58b1 in nanosleep ( ) from /lib/libc.so.6 gdb>  finish  0x400c5848 in sleep ( ) from /lib/libc.so.6 gdb>  finish  0x8048421 in main ( ) gdb>  dis main  Dump of assembler code for function main: ... 0x8048414 <main+20>: incl 0xfffffffc(%ebp) 0x8048417 <main+23>: add $0xfffffff4,%esp 0x804841a <main+26>: push $0x1 0x804841c <main+28>: call 0x80482f0 <sleep> 0x8048421 <main+33>: add $0x10,%esp 0x8048424 <main+36>: jmp 0x8048410 <main+16> 0x8048426 <main+38>: xor %eax,%eax 0x8048428 <main+40>: jmp 0x8048430 <main+48> 0x804842a <main+42>: lea 0x0(%esi),%esi 0x8048430 <main+48>: mov %ebp,%esp 0x8048432 <main+50>: pop %ebp 0x8048433 <main+51>: ret End of assembler dump. 
 x10,%esp  0x8048424 <main+36>:    jmp    0x8048410 <main+16>  0x8048426 <main+38>:    xor    %eax,%eax  0x8048428 <main+40>:    jmp    0x8048430 <main+48>  0x804842a <main+42>:    lea    0x0(%esi),%esi  0x8048430 <main+48>:    mov    %ebp,%esp  0x8048432 <main+50>:    pop    %ebp  0x8048433 <main+51>:    ret  End of assembler dump.

At this point the location of the counter can be seen in the inc instruction: 0xfffffffc(%ebp) or [ebp-4] in signed Intel format. A watchpoint can now be set on the counter and execution of the program can be continued with a break each time the counter is incremented:

 gdb>  p $ebp - 4  0xbffffb08  gdb>  p/d *($ebp - 4)  = 668  gdb>  watch 0xbffffb08  Watchpoint 2: 0xbffffb08  gdb>  c

Note that the address of the counter on the stack is used for the watch; while a watch could be applied to the ebp expression with watch *($ebp-4) , this would break whenever the first local variable of a function was accessed ”hardly what we want. In general, it is best to place watchpoints on actual addresses instead of variable names, address expressions, or registers.

Now that gdb has been exhaustively introduced, it has no doubt caused the reader some trepidation: while it is powerful, the sheer number of commands is intimidating and makes it hard to use. To overcome this difficulty, you must edit the gdb config file: ~/. gdbinit on Unix systems. Aliases can be defined between define and end commands, and commands to be performed at startup (e.g., the display command) can be specified as well. Following a sample .gdbinit , which should make life easier when using gdb.

First, aliases for the breakpoint commands are defined to make things a bit more regular:

 # ______________breakpoint aliases____________  _ define bpl  info breakpoints end define bpc   clear $arg0 end define bpe  enable $arg0 end define bpd  disable $arg0 end

Note that the .gdbinit comment character is "#" and that mandatory arguments for a macro can be specified by the inclusion of "$arg#" variables in the macro.

Next up is the elimination of the tedious info command; the following macros provide more terse aliases for runtime information:

 # ______________process information___________  _ define stack  info stack  info frame  info args  info locals end define reg  printf "     eax:%08X ebx:%08X  ecx:%08X",  $eax, $ebx, $ecx  printf " edx:%08X\teflags:%08X\n",  $edx, $eflags  printf "     esi:%08X edi:%08X  esp:%08X",  $esi, $edi, $esp  printf " ebp:%08X\teip:%08X\n", $ebp, $eip  printf "     cs:%04X  ds:%04X  es:%04X", $cs, $ds, $es  printf "  fs:%04X  gs:%04X  ss:%04X\n", $fs, $gs, $ss end define func  info functions end define var  info variables end define lib  info sharedlibrary end define sig  info signals end define thread  info threads end define u  info udot end define dis  disassemble $arg0 end  # ________________hex/ascii dump an address_____________  _ define hexdump  printf "%08X : ", $arg0  printf "%02X %02X %02X %02X  %02X %02X %02X %02X",                   \      *(unsigned char*)($arg0), *(unsigned char*)($arg0 + 1),       \      *(unsigned char*)($arg0 + 2), *(unsigned char*)($arg0 + 3),   \      *(unsigned char*)($arg0 + 4), *(unsigned char*)($arg0 + 5),   \      *(unsigned char*)($arg0 + 6), *(unsigned char*)($arg0 + 7)  printf " - "  printf "%02X %02X %02X %02X  %02X %02X %02X %02X ",                  \      *(unsigned char*)($arg0 + 8), *(unsigned char*)($arg0 + 9),   \      *(unsigned char*)($arg0 + 10), *(unsigned char*)($arg0 + 11), \      *(unsigned char*)($arg0 + 12), *(unsigned char*)($arg0 + 13), \      *(unsigned char*)($arg0 + 14), *(unsigned char*)($arg0 + 15)  printf "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c\n",                         \      *(unsigned char*)($arg0), *(unsigned char*)($arg0 + 1),       \      *(unsigned char*)($arg0 + 2), *(unsigned char*)($arg0 + 3),   \      *(unsigned char*)($arg0 + 4), *(unsigned char*)($arg0 + 5),   \      *(unsigned char*)($arg0 + 6), *(unsigned char*)($arg0 + 7),   \      *(unsigned char*)($arg0 + 8), *(unsigned char*)($arg0 + 9),   \      *(unsigned char*)($arg0 + 10), *(unsigned char*)($arg0 + 11), \      *(unsigned char*)($arg0 + 12), *(unsigned char*)($arg0 + 13), \      *(unsigned char*)($arg0 + 14), *(unsigned char*)($arg0 + 15) end # ________________process context_____________  _ define context printf "______________________________________  _" printf "_______________________________________  _\n" reg printf "[%04X:%08X]------------------------", $ss, $esp printf "---------------------------------[stack]\n" hexdump $sp+48 hexdump $sp+32 hexdump $sp+16 hexdump $sp printf "[%04X:%08X]------------------------", $cs, $eip printf "---------------------------------[ code]\n" x /8i $pc printf "---------------------------------------" printf "---------------------------------------\n" end

Of these, the context macro is the most interesting. This macro builds on the previous reg and hexdump macros, which display the x86 registers and a standard hexadecimal dump of an address, respectively. The context macro formats these and displays an eight-line disassembly of the current instruction.

With the display of information taken care of, aliases can be assigned to the usual process control commands to take advantage of the display macros:

 # ________________process control_____________  _ define n  ni  context end define c  continue  context end define go  stepi $arg0  context end define goto  tbreak $arg0  continue  context end define pret  finish  context end define start  tbreak _start  r  context end define main  tbreak main  r  context end

The n command simply replaces the default step command with the "step one machine instruction" command and displays the context when the process stops; c performs a continue and displays the context at the next process break. The go command steps $arg0 number of instructions, while the goto command attempts to execute until address $arg0 (note that intervening break- and watchpoints will still stop the program), and the pret command returns from the current function. Both start and main are useful for starting a debugging session: they run the target and break on the first execution of _start( ) (the target entry point) and main( ) , respectively.

And, finally, some useful gdb display options can be set:

 # __________________gdb options________________  _ set confirm 0 set verbose off set prompt gdb>  set output-radix 0x10 set input-radix 0x10

For brevity, none of these macros provides help text; it can be added using the document command to associate a text explanation with a given command:

 document main Run program; break on main; clear breakpoint on main end

The text set by the document command will appear under "help user-defined". Using this .gdbinit , gdb is finally prepared for assembly language debugging:

 bash#  gdb a.out  ...    (no debugging symbols found)...    gdb>  main  Breakpoint 1 at 0x8048406 in main(  )    ___________________________________________________________________________  _      eax:00000001 ebx:4013C0B8  ecx:00000000 edx:08048400       eflags:00000282      esi:40014C34 edi:BFFFFB74  esp:BFFFFAF4 ebp:BFFFFB0C       eip:08048406      cs:0023  ds:002B  es:002B  fs:0000  gs:0000  ss:002B    [002B:BFFFFAF4]------------------------------------------------------[stack]     BFFFFB3C : 74 FB FF BF  94 E5 03 40 - 80 9F 31 83  04 08 00 84 ............     BFFFFB26 : 00 00 48 FB  FF BF 21 E6 - 03 40 00 00  10 83 04 08 ............     BFFFFB0A : FF BF 48 FB  FF BF 4F E6 - 03 40 FF BF  7C FB FF BF ............     BFFFFAF4 : 84 95 04 08  18 FB FF BF - E8 0F 90 A7  00 40 28 FB ............    [0023:08048406]------------------------------------------------------[ code]      0x8048406 <main+6>:     movl  bash#  gdb a.out  ... (no debugging symbols found)... gdb>  main  Breakpoint 1 at 0x8048406 in main( ) ___________________________________________________________________________ _ eax:00000001 ebx:4013C0B8 ecx:00000000 edx:08048400 eflags:00000282 esi:40014C34 edi:BFFFFB74 esp:BFFFFAF4 ebp:BFFFFB0C eip:08048406 cs:0023 ds:002B es:002B fs:0000 gs:0000 ss:002B [002B:BFFFFAF4]------------------------------------------------------[stack] BFFFFB3C : 74 FB FF BF 94 E5 03 40 - 80 9F 31 83 04 08 00 84 ............ BFFFFB26 : 00 00 48 FB FF BF 21 E6 - 03 40 00 00 10 83 04 08 ............ BFFFFB0A : FF BF 48 FB FF BF 4F E6 - 03 40 FF BF 7C FB FF BF ............ BFFFFAF4 : 84 95 04 08 18 FB FF BF - E8 0F 90 A7 00 40 28 FB ............ [0023:08048406]------------------------------------------------------[ code] 0x8048406 <main+6>: movl $0x29a,0xfffffffc(%ebp) 0x804840d <main+13>: lea 0x0(%esi),%esi 0x8048410 <main+16>: jmp 0x8048414 <main+20> 0x8048412 <main+18>: jmp 0x8048426 <main+38> 0x8048414 <main+20>: incl 0xfffffffc(%ebp) 0x8048417 <main+23>: add $0xfffffff4,%esp 0x804841a <main+26>: push $0x1 0x804841c <main+28>: call 0x80482f0 <sleep> ---------------------------------------------------------------------------- gdb> 
 x29a,0xfffffffc(%ebp)      0x804840d <main+13>:    lea    0x0(%esi),%esi      0x8048410 <main+16>:    jmp    0x8048414 <main+20>      0x8048412 <main+18>:    jmp    0x8048426 <main+38>      0x8048414 <main+20>:    incl   0xfffffffc(%ebp)      0x8048417 <main+23>:    add  bash#  gdb a.out  ... (no debugging symbols found)... gdb>  main  Breakpoint 1 at 0x8048406 in main( ) ___________________________________________________________________________ _ eax:00000001 ebx:4013C0B8 ecx:00000000 edx:08048400 eflags:00000282 esi:40014C34 edi:BFFFFB74 esp:BFFFFAF4 ebp:BFFFFB0C eip:08048406 cs:0023 ds:002B es:002B fs:0000 gs:0000 ss:002B [002B:BFFFFAF4]------------------------------------------------------[stack] BFFFFB3C : 74 FB FF BF 94 E5 03 40 - 80 9F 31 83 04 08 00 84 ............ BFFFFB26 : 00 00 48 FB FF BF 21 E6 - 03 40 00 00 10 83 04 08 ............ BFFFFB0A : FF BF 48 FB FF BF 4F E6 - 03 40 FF BF 7C FB FF BF ............ BFFFFAF4 : 84 95 04 08 18 FB FF BF - E8 0F 90 A7 00 40 28 FB ............ [0023:08048406]------------------------------------------------------[ code] 0x8048406 <main+6>: movl $0x29a,0xfffffffc(%ebp) 0x804840d <main+13>: lea 0x0(%esi),%esi 0x8048410 <main+16>: jmp 0x8048414 <main+20> 0x8048412 <main+18>: jmp 0x8048426 <main+38> 0x8048414 <main+20>: incl 0xfffffffc(%ebp) 0x8048417 <main+23>: add $0xfffffff4,%esp 0x804841a <main+26>: push $0x1 0x804841c <main+28>: call 0x80482f0 <sleep> ---------------------------------------------------------------------------- gdb> 
 xfffffff4,%esp      0x804841a <main+26>:    push  bash#  gdb a.out  ... (no debugging symbols found)... gdb>  main  Breakpoint 1 at 0x8048406 in main( ) ___________________________________________________________________________ _ eax:00000001 ebx:4013C0B8 ecx:00000000 edx:08048400 eflags:00000282 esi:40014C34 edi:BFFFFB74 esp:BFFFFAF4 ebp:BFFFFB0C eip:08048406 cs:0023 ds:002B es:002B fs:0000 gs:0000 ss:002B [002B:BFFFFAF4]------------------------------------------------------[stack] BFFFFB3C : 74 FB FF BF 94 E5 03 40 - 80 9F 31 83 04 08 00 84 ............ BFFFFB26 : 00 00 48 FB FF BF 21 E6 - 03 40 00 00 10 83 04 08 ............ BFFFFB0A : FF BF 48 FB FF BF 4F E6 - 03 40 FF BF 7C FB FF BF ............ BFFFFAF4 : 84 95 04 08 18 FB FF BF - E8 0F 90 A7 00 40 28 FB ............ [0023:08048406]------------------------------------------------------[ code] 0x8048406 <main+6>: movl $0x29a,0xfffffffc(%ebp) 0x804840d <main+13>: lea 0x0(%esi),%esi 0x8048410 <main+16>: jmp 0x8048414 <main+20> 0x8048412 <main+18>: jmp 0x8048426 <main+38> 0x8048414 <main+20>: incl 0xfffffffc(%ebp) 0x8048417 <main+23>: add $0xfffffff4,%esp 0x804841a <main+26>: push $0x1 0x804841c <main+28>: call 0x80482f0 <sleep> ---------------------------------------------------------------------------- gdb> 
 x1      0x804841c <main+28>:    call   0x80482f0 <sleep>    ----------------------------------------------------------------------------     gdb>

The context screen will print in any macro that calls context and can be invoked directly if need be; as with typical binary debuggers, a snapshot of the stack is displayed as well as a disassembly of the current instruction and the CPU registers.

3.1.3 Runtime Monitoring

No discussion of reverse engineering tools would be complete without a mention of lsof and ltrace. While neither of these are standard Unix utilities that are guaranteed to ship with a system, they have become quite common and are included in every major Linux distribution as well as FreeBSD, OpenBSD, and NetBSD.

The lsof utility stands for "list open files"; by default, it will display a list of all open files on the system, their type, size , owning user, and the command name and PID of the process that opened them:

 bash#  lsof  COMMAND     PID   USER   FD   TYPE   SIZE      NODE NAME init          1   root  cwd    DIR    4096         2 / init          1   root  rtd    DIR    4096         2 / init          1   root  txt    REG   27856    143002 /sbin/init init          1   root  mem    REG   92666    219723 /lib/ld-2.2.4.so init          1   root  mem    REG 1163240    224546 /lib/libc-2.2.4.so init          1   root   10u  FIFO            64099 /dev/initctl keventd       2   root  cwd    DIR    4096         2 / keventd       2   root  rtd    DIR    4096         2 / keventd       2   root   10u  FIFO             64099 /dev/initctl ksoftirqd     3   root  cwd    DIR    4096         2 / ...

Remember that in Unix, everything is a file; therefore, lsof will list ttys, directories, pipes, sockets, and memory mappings as well as simple files.

The FD or File Descriptor field serves as an identifier and can be used to filter results from the lsof output. FD consists of a file descriptor (a number) or a name, followed by an optional mode character and an optional lock character:

 10uW       cwd  ^^---------^^^-------------  FD or name  ^-----------^------------  mode  ^-----------^-----------  lock

where name is one of:

 cwd  current working directory rtd  root dir pd   parent directory txt  program [text] Lnn  library reference ltx  shared library code [text] mem  memory-mapped file

mode can be one of these:

 r           read access w           write access u           read and write access space       unknown [no lock character follows] -           unknown [lock character follows]

And lock can be one of:

 N           Solaris NFS lock [unknown type] r           read lock [part of file] R           read lock [entire file] w           write lock [part of file] W           write lock [entire file] u           read and write lock [any length] U           unknown lock type x           SCO OpenServer Xenix lock [part of the file] X           SCO OpenServer Xenix lock [entire file] space       no lock

The name portion of the FD field can be used in conjunction with the -d flag to limit the reporting to specific file descriptors:

 lsof -d 0-3               # List STDIN, STDOUT, STDERR lsof -d 3-65536           # List all other file descriptors lsof -d cwd,pd,rtd        # List all directories lsof -d mem,txt           # List all binaries, libraries, memory maps

Specific flags exist for limiting the output to special file types; -i shows only TCP/IP sockets, -U shows only Unix sockets, and -N shows only NFS files:

 bash#  lsof -i  COMMAND     PID   USER   FD   TYPE DEVICE SIZE NODE NAME inetd     10281   root    4u  IPv4 540746       TCP *:auth (LISTEN) xfstt     10320   root    2u  IPv4 542171       TCP *:7101 (LISTEN) bash#  lsof -U  COMMAND     PID USER   FD   TYPE     DEVICE SIZE   NODE NAME gpm         228 root    1u  Unix 0xcf62c3c0         430 /dev/gpmctl xinit       514   _m    3u  Unix 0xcef05aa0        2357 socket XFree86     515   _m    1u  Unix 0xcfe0f3e0        2355 /tmp/.X11-Unix/X0

To limit the results even further, lsof output can be limited by specifying a PID (process ID) with the -p flag, a username with the -u flag, or a command name with the -c flag:

 bash#  lsof -p 11283  COMMAND   PID USER   FD   TYPE DEVICE    SIZE   NODE NAME man     11283  man  cwd    DIR    3,1    4096 234285 /usr/share/man man     11283  man  rtd    DIR    3,1    4096      2 / man     11283  man  txt    REG    3,1   82848 125776 /usr/lib/man-db/man ... man     11283  man    3w   REG    3,1   93628 189721 /tmp/zmanoteNaJ bash#  lsof -c snort  COMMAND   PID USER   FD   TYPE DEVICE     NODE NAME ... snort   10506 root    0u   CHR    1,3    62828 /dev/null snort   10506 root    1u   CHR    1,3    62828 /dev/null snort   10506 root    2u   CHR    1,3    62828 /dev/null snort   10506 root    3u  sock    0,0   546789 can't identify protocol snort   10506 root    4w   REG    3,1    49916 /var/log/snort/snort.log

This can be used effectively with the -r command to repeat the listing every n seconds; the following example demonstrates updating the listing each second:

 bash#  lsof -c snort -r 1  grep -v 'REG\DIR\CHR'  COMMAND   PID USER   FD   TYPE DEVICE      NODE NAME snort   10506 root    3u  sock    0,0    546789 can't identify protocol ======= COMMAND   PID USER   FD   TYPE DEVICE      NODE NAME snort   10506 root    3u  sock    0,0    546789 can't identify protocol ======= ...

Finally, passing filenames to lsof limits the results to files of that name only:

 bash#  lsof /tmp/zmanoteNaJ  COMMAND   PID USER   FD   TYPE DEVICE  SIZE   NODE NAME man     11283  man    3w   REG    3,1 93628 189721 /tmp/zmanoteNaJ sh      11286  man    3w   REG    3,1 93628 189721 /tmp/zmanoteNaJ gzip    11287  man    3w   REG    3,1 93628 189721 /tmp/zmanoteNaJ pager   11288  man    3w   REG    3,1 93628 189721 /tmp/zmanoteNaJ

Combining this with -r and -o would be extremely useful for tracking reads and writes to a file ”if -o was working in lsof.

The ltrace utility traces library and system calls made by a process; it is based on ptrace ( ), meaning that it can take a target as an argument or attach to a process using the -p PID flag. The flags to ltrace are simple:

 -p #      Attach to process # and trace -i        Show instruction pointer at time of call -S        Show system calls -L        Hide library calls -e  list  Include/exclude library calls in 'list'

Thus, -L -S shows only the system calls made by the process. The -e parameter takes a comma-separated list of functions to list; if the list is preceded by a "!", the functions are excluded from the output. The list !printf,fprintf prints all library calls except printf( ) and fprintf( ) , while -e execl,execlp,execle,execv,execvp prints only the exec calls in the program. System calls ignore the -e lists.

For a library call, ltrace prints the name of the call, the parameters passed to it, and the return value:

 bash#  ltrace -i /bin/date  [08048d01] _  _libc_start_main(0x080491ec, 1, 0xbffffb44, 0x08048a00,      0x0804bb7c <unfinished ...> [08048d89] _  _register_frame_info(0x0804ee94, 0x0804f020, 0xbffffae8,      0x40050fe8, 0x4013c0b8) = 0x4013cde0 ... [0804968e] time(0xbffffa78)                       = 1039068300 [08049830] localtime(0xbffffa38)                  = 0x401407e0 [0804bacd] realloc(NULL, 200)                     = 0x0804f260 [080498b8] strftime("Wed Dec  4 22:05:00 PST 2002", 200,      "%a %b %e %H:%M:%S %Z %Y", 0x401407e0) = 28 [080498d2] printf("%s\n", "Wed Dec  4 22:05:00 PST 2002") = 29

System call traces have similar parameters, although the call names are preceded by "SYS_", and the syscall ordinal may be present if the name is unknown:

 bash#  ltrace -S -L /bin/date  SYS_uname(0xbffff71c)                             = 0 SYS_brk(NULL)                                     = 0x0804f1cc SYS_mmap(0xbffff50c, 0x40014ea0, 0x400146d8, 4096, 640) = 0x40015000 ... SYS_time(0xbffffa78, 0x0804ca74, 0, 0, 0)         = 0x3deeeba0 SYS_open("/etc/localtime", 0, 0666)               = 3 SYS_197(3, 0xbffff75c, 0x4013ce00, 0x4014082c, 3) = 0 SYS_mmap(0xbffff724, 0xbffff75c, 0x4013c0b8, 0x0804f220, 4096)=0x40016000 SYS_read(3, "TZif", 4096)                         = 1017 SYS_close(3)                                      = 0 SYS_munmap(0x40016000, 4096)                      = 0 SYS_197(1, 0xbffff2ac, 0x4013ce00, 0x4014082c, 1) = 0 SYS_ioctl(1, 21505, 0xbffff1f8, 0xbffff240, 8192) = 0 SYS_mmap(0xbffff274, 0, 0x4013c0b8, 0x401394c0, 4096) = 0x40016000 SYS_write(1, "Wed Dec  4 22:01:04 PST 2002\n", 29) = 29 ...

The ltrace utility is extremely useful when attempting to understand a target; however, it must be used with caution, for it is trivial for a target to detect if it is being run under ptrace. It is advisable to always run a potentially hostile target under a debugger such as gdb before running it under an automatic trace utility such as ltrace; this way, any ptrace-based protections can be observed and countered in preparation for the ltrace.

3.1.4 Disassembly

The disassembler is the most important tool in the reverse engineer's kit; without it, automatic analysis of the target is difficult, if not impossible . The good news is that Unix and Linux systems ship with a working disassembler; unfortunately, it is not a very good one. The objdump utility is usually described as "sufficient"; it is an adequate disassembler, with support for all of the file types and CPU architectures that the BFD library understands (see Section 3.4.3). Its analysis is a straightforward sequential disassembly; no attempt is made to reconstruct the control flow of the target. In addition, it cannot handle binaries that have missing or invalid section headers, such as those produced by sstrip (see Section 3.3.2).

It should be made clear that a disassembler is a utility that converts the machine-executable binary code of a program into the human-readable assembly language for that processor. In order to make use of a disassembler, you must have some familiarity with the assembly language to which the target will be converted. Those unfamiliar with assembly language and how Linux programs written in assembly language look are directed to read the available tutorials and source code (see Section 3.5).

The basic modes of objdump determine its output:

 objdump -f [target]    Print out a summary of the target objdump -h [target]    Print out the ELF section headers objdump -p [target]    Print out the ELF program headers objdump -T [target]    Print out the dynamic symbols [imports] objdump -t [target]    Print out the local symbols objdump -d [target]    Disassemble all code sections objdump -D [target]    Disassemble all sections objdump -s [target]    Print the full contents of all sections

Details of the ELF headers are discussed further under Section 3.4.1.

When in one of these modes, objdump can print out specific ELF sections with the -j argument:

 objdump -j [  section-name  ] [  target  ]

Note that section-name can only refer to sections in the section headers; the segments in the program headers cannot be dumped with the -j flag. The -j flag is useful for limiting the output of objdump to only the desired sections (e.g., in order to skip the dozens of compiler version strings that GCC packs into each object file). Multiple -j flags have no effect; only the last -j flag is used.

The typical view of a target is that of a file header detailing the sections in the target, followed by a disassembly of the code sections and a hex dump of the data sections. This can be done easily with multiple objdump commands:

 bash#  (objdump -h a.out; objdump -d a.out; objdump -s i-j .data;       \   objdump -s -j .rodata) > a.out.lst

By default, objdump does not show hexadecimal bytes, and it skips blocks of NULL bytes when disassembling . This default behavior may be overridden with the --show-raw-insn and --disassemble-zeroes options.

3.1.5 Hex Dumps

In addition to the objdump disassembler, Unix and Linux systems ship with the octal dump program, or od. This is useful when a hex, octal, or ASCII dump of a program is needed; for example, when objdump is unable to process the file or when the user has scripts that will process binary data structures found in the data sections. The data addresses to be dumped can be obtained from objdump itself by listing the program headers and using grep to filter the listing:

 bash#  objdump -h a.out  grep "\.rodata\\.data"            \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", , )  }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00        003  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
 001  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
 002  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65          D   e   c   e   m   b   e   r  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
 N   o   v   e   m   b   e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
 364 256 004  \b  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
  bash#  objdump -h a.out  grep "\.rodata\\.data"  \   awk '{ printf("-j 0x%s -N 0x%s a.out\n", $6, $3) }'  \   xargs -n 5 -t od -A x -t x1 -t c -w16  od -A x -t x1 -t c -w16 a.out -j 0x00001860 -N 0x00000227 001860 03 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 003 \0 \0 \0 001 \0 002 \0 \0 \0 \0 \0 \0 \0 \0 \0 001870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001880 44 65 63 65 6d 62 65 72 00 4e 6f 76 65 6d 62 65 D e c e m b e r \0 N o v e m b e ... od -A x -t x1 -t c -w16 a.out -j 0x00001aa0 -N 0x00000444 001aa0 00 00 00 00 f4 ae 04 08 00 00 00 00 00 00 00 00 \0 \0 \0 \0 364 256 004 \b \0 \0 \0 \0 \0 \0 \0 \0 001ab0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28 @ ( # ) C o p y r i g h t ( ... 
 001ac0 40 28 23 29 20 43 6f 70 79 72 69 67 68 74 20 28          @   (   #   )       C   o   p   y   r   i   g   h   t       ( ...

The xargs -t option prints the full od command before displaying the output; the arguments passed to od in the above example are:

 -A x        Use hexadecimal ['x'] for the address radix in output -t x1       Print the bytes in one-byte ['1'] hex ['x'] format -t c        Print the character representation of each byte -w16        Print 16 bytes per line -j addr     Start at offset 'addr' in the file -N len      Print up to 'len' bytes from the start of the file

The output from the above example could be cleaned up by removing the -t c argument from od and the -t argument from xargs .

In some systems, od has been replaced by hexdump, which offers much more control over formatting ”at the price of being somewhat complicated.

 bash#  objdump -h a.out  grep "\.rodata\\.data"                   \   awk '{ off = sprintf( "0x%s",  ); len = sprintf( "0x%s", );  \   printf("-s %s -n %d a.out\n", off, len)  }'                     \   xargs -n 5 -t hexdump -e                                         \   '"%08_ax: " 8/1 "%02x " " - " 8/1  "%02x " "  "'                 \   -e '"%_p"'  '"\n"'

The hexdump arguments appear more complex than those to od due to the format string passed; however, they are very similar:

 -s addr    Start at offset 'addr' in the file -n len     Print up to 'len' bytes from the start of the file -e format

The hexdump format string is fprintf( ) inspired, but it requires some maniacal quoting to make it functional. The formatting codes take the format iteration_count / byte_count " format_str ", where "iteration_count" is the number of times to repeat the effect of the format string, and "byte_count" is the number of data bytes to use as input to the format string. The format strings used in the above example are:

 %08_ax Print address of byte with field width of 8                  %02x   Print hex value of byte with field width of 2              %p     Print ASCII character of next byte or '.'

These are strung together with string constants such as " ", " - ", and "\n", which will be printed between the expansion of the formatting codes. The example uses three format strings to ensure that the ASCII representation does not throw off the byte count; thus, the first format string contained within protective single-quotes consists of an address, eight 1-byte %02x conversions, a space/hyphen delimiter, eight more 1-byte %02x conversions, and a space delimiter ; the second consists of an ASCII conversion on the same set of input, and the third ignores the set of input and printf a newline. All format strings are applied in order.

Note that unlike od, hexdump does not take hex values as input for its len parameter; a bit of awk manipulation was performed on the input to acquire correct input values. The output from hexdump is worth the extra complexity:

 bash#  hexdump -e '"%08_ax: " 8/1 "%02x " " - " 8/1  "%02x " "  "' -e '"%_p"' \   -e '"\n"' -s 0x00001860 -n 551 a.out  00001860: 03 00 00 00 01 00 02 00 - 00 00 00 00 00 00 00 00  ................   00001870: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................   00001880: 44 65 63 65 6d 62 65 72 - 00 4e 6f 76 65 6d 62 65  December.Novembe   ...     bash#  hexdump -e '"%08_ax: " 8/1 "%02x " " - " 8/1  "%02x " "  "' -e '"%_p"' \   -e '"\n"' -s 0x00001aa0 -n 1092 a.out  00001aa0: 00 00 00 00 f4 ae 04 08 - 00 00 00 00 00 00 00 00  ................   00001ab0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................   00001ac0: 40 28 23 29 20 43 6f 70 - 79 72 69 67 68 74 20 28  @(#) Copyright (   ...

The output of either od or hexdump can be appended to an objdump disassembly in order to provide a more palatable data representation than objdump -s , or can be passed to other Unix utilities in order to scan for strings or patterns of bytes or to parse data structures.

< Day Day Up >