objdump

1. objdump: purpose, common uses, and key header options

1.1. What objdump was originally made for

objdump is a tool from GNU Binutils for inspecting object files and other binary files.

A lot of people first meet it as a disassembler, but that is only part of its job. More generally, it is used to display information from:

  • object files (.o)
  • executables
  • shared libraries (.so)
  • static libraries / archives (.a)

We can think of it as a binary inspection tool.

It can show things like:

  • file headers
  • section headers
  • symbol tables
  • relocation entries
  • debug information
  • disassembled machine code

So the best mental model is:

objdump is a general-purpose binary inspection tool, and disassembly is one of its most common uses.

1.2. Common uses of objdump

1.2.1. View basic file information

objdump -f a.out

Use this when we want to know:

  • what file format this is
  • what architecture it targets
  • what the entry point is
  • basic flags and file identity

This is often the first command to run on an unfamiliar binary.

1.2.2. View section layout

objdump -h a.out

This shows the file’s section table, for example:

  • .text
  • .data
  • .bss
  • .rodata

Use this when we want to understand the internal layout of the file:

  • where code lives
  • where data lives
  • section sizes
  • offsets and addresses

1.2.3. Disassemble code

objdump -d a.out

This disassembles executable sections.

Use this when we want to:

  • see what assembly a function compiled into
  • inspect control flow
  • study compiler output
  • analyze machine instructions

1.2.4. Disassemble more aggressively

objdump -D a.out

This disassembles all sections, not just the ones normally considered executable.

Useful when:

  • we want a more complete dump
  • we are doing reverse engineering
  • we suspect code may exist outside standard code sections

A simple way to remember the difference:

  • -d: disassemble normal executable code
  • -D: disassemble everything possible

1.2.5. View the symbol table

objdump -t a.out

This shows symbols such as:

  • function names
  • global variables
  • addresses
  • symbol types

Useful when we want to know:

  • what functions exist
  • whether symbols were stripped
  • where important symbols are

1.2.6. View source together with assembly

objdump -S a.out

Often used together with: 

objdump -S -l a.out

This helps we correlate:

  • source code
  • line numbers
  • generated assembly

This is especially useful for learning compiler output. It works best when the binary was compiled with debug information, for example with -g.

1.3. Common used command combinations

1.3.1. Intel syntax disassembly

objdump -d -M intel a.out

Many people find Intel syntax easier to read than AT&T syntax.

1.3.2. Disassemble only one function

objdump -d --disassemble=main a.out

Useful when we only care about one symbol and do not want pages of output.

1.3.3. Disassemble only one section

objdump -d -j .text a.out

Useful when we want to restrict output to a specific section.

1.3.4. Source + line numbers + Intel syntax

objdump -S -l -M intel a.out

Intermix source code with disassembly

1.3.5. Show file offsets too

objdump -d -F a.out

Useful when relating disassembly to file offsets, patching, or hex editors.

1.3.6. Show relocation entries

objdump -r a.out

Useful for learning linking and for inspecting relocatable object files.

2. It can also inspect member object files

2.1. Object file vs archive

Object file

An object file is typically a compiled but not yet fully linked file, usually a .o file.

Example: 

gcc -c foo.c -o foo.o
gcc -c bar.c -o bar.o

Here, foo.o and bar.o are object files.

Archive

An archive is a single file that contains multiple member files.

In practice, the most common archive we will encounter is a static library: 

libsomething.a

Usually it is created from several object files: 

ar rcs libmylib.a foo.o bar.o baz.o

So here:

  • libmylib.a is the archive
  • foo.o, bar.o, baz.o are members

2.2. Why this matters for objdump

When we run objdump on a static library .a, it does not merely treat the archive as one opaque blob.

Instead, it effectively:

  1. recognizes that the file is an archive
  2. iterates through its members
  3. shows information for each member object file

So if we do this: 

objdump -t libmylib.a

we are essentially asking:

show the symbol table for each object file inside this archive

And if we do this: 

objdump -d libmylib.a

we are asking:

disassemble each object file inside the archive

2.3. A tiny example

Suppose we have: 

// add.c
int add(int a, int b) { return a + b; }

// sub.c
int sub(int a, int b) { return a - b; }

Compile them: 

gcc -c add.c -o add.o
gcc -c sub.c -o sub.o

Create a static library: 

ar rcs libcalc.a add.o sub.o

List archive members: 

ar t libcalc.a

Output: 

add.o
sub.o

Now inspect the archive: 

objdump -t libcalc.a
objdump -d libcalc.a

We will see output organized per member object file.

3. Explanation of some options

3.1. -a, --archive-headers

This is mainly for archives, such as static libraries (.a).

It shows archive header information, meaning information about the members inside the archive.

Example: 

objdump -a libcalc.a

Use it when we want to know:

  • what members the archive contains
  • member sizes
  • timestamps
  • archive-level metadata

A simple memory aid:

a = archive

Author: Lowtroo

Created on: 2026-04-07 Tue 20:00

Powered by Emacs 29.3 (Org mode 9.6.15)