Hacking - The Art of Exploitation, 2nd Edition

Exploitation 185

reader@hacking:~/booksrc $ nm ./dtors_sample
080495bc d _DYNAMIC
08049688 d _GLOBAL_OFFSET_TABLE_
080484e4 R _IO_stdin_used
         w _Jv_RegisterClasses
080495a8 d __CTOR_END__
080495a4 d __CTOR_LIST__
080495b4 d __DTOR_END__
080495ac d __DTOR_LIST__
080485a0 r __FRAME_END__
080495b8 d __JCR_END__
080495b8 d __JCR_LIST__
080496b0 A __bss_start
080496a4 D __data_start
08048480 t __do_global_ctors_aux
08048340 t __do_global_dtors_aux
080496a8 D __dso_handle
         w __gmon_start__
08048479 T __i686.get_pc_thunk.bx
080495a4 d __init_array_end
080495a4 d __init_array_start
08048400 T __libc_csu_fini
08048410 T __libc_csu_init
         U __libc_start_main@@GLIBC_2.0
080496b0 A _edata
080496b4 A _end
080484b0 T _fini
080484e0 R _fp_hw
0804827c T _init
080482f0 T _start
08048314 t call_gmon_start
080483e8 t cleanup
080496b0 b completed.1
080496a4 W data_start
         U exit@@GLIBC_2.0
08048380 t frame_dummy
080483b4 T main
080496ac d p.0
         U printf@@GLIBC_2.0
reader@hacking:~/booksrc $


The nm command shows that the cleanup() function is located at 0x080483e8
(shown in bold above). It also reveals that the .dtors section starts at 0x080495ac
with __DTOR_LIST__ and ends at 0x080495b4 with __DTOR_END__. This
means that 0x080495ac should contain 0xffffffff, 0x080495b4 should contain
0x00000000, and the address between them (0x080495b0) should contain the
address of the cleanup() function (0x080483e8).
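The layout check described above, as an added example that is not the book's code: it pulls __DTOR_LIST__ and __DTOR_END__ out of nm output, works out how many destructor slots lie between them, and decodes a constructed little-endian dump of the .dtors section, expecting the 0xffffffff header, the function pointers, and the 0x00000000 terminator. The nm lines and the section bytes are constructed here from the values on this page.

```python
import re
import struct

# Constructed sample: the nm lines that matter for .dtors, values as on the page.
NM_OUTPUT = """\
080495b4 d __DTOR_END__
080495ac d __DTOR_LIST__
080483e8 t cleanup
080483b4 T main
"""

# Constructed .dtors contents for the layout the text describes:
# 0xffffffff header, one function pointer (cleanup), 0x00000000 terminator,
# stored little-endian as a 32-bit x86 binary would lay them out.
DTORS_BASE = 0x080495AC
DTORS_BYTES = bytes.fromhex("ffffffff" "e8830408" "00000000")


def parse_nm(text):
    """Map symbol name -> address for nm lines that carry an address."""
    symbols = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-f]{8})\s+\S\s+(\S+)$", line)
        if m:
            symbols[m.group(2)] = int(m.group(1), 16)
    return symbols


def dtors_bounds(symbols):
    """Return (start, end, slot_count): 4-byte slots between header and terminator."""
    start, end = symbols["__DTOR_LIST__"], symbols["__DTOR_END__"]
    count = (end - start) // 4 - 1
    return start, end, count


def parse_dtors(base, data, symbols):
    """Decode a .dtors section; return (slot address, pointer, symbol name) per entry."""
    words = struct.unpack("<%dI" % (len(data) // 4), data)
    if words[0] != 0xFFFFFFFF:
        raise ValueError("missing 0xffffffff header at %#x" % base)
    by_addr = {v: k for k, v in symbols.items()}
    entries = []
    for i, w in enumerate(words[1:], start=1):
        if w == 0:
            break  # 0x00000000 terminator at __DTOR_END__
        entries.append((base + 4 * i, w, by_addr.get(w, "?")))
    return entries


if __name__ == "__main__":
    syms = parse_nm(NM_OUTPUT)
    print("dtors start/end/slots:", [hex(v) for v in dtors_bounds(syms)[:2]], dtors_bounds(syms)[2])
    for slot, ptr, name in parse_dtors(DTORS_BASE, DTORS_BYTES, syms):
        print("%#x -> %#x (%s)" % (slot, ptr, name))
```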
The objdump command shows the actual contents of the .dtors section
(shown in bold below), although in a slightly confusing format. The first
value of 80495ac is simply showing the address where the .dtors section is