ELF Relocation reverse engineering

Question

I am hoping you guys could help me understand how relocation entries and ELF section data are related, and how it is all processed and generated.

I have an ancient unsupported tool that takes an ELF file and a related PLF file (partially linked file, generated earlier in the build process) and builds a custom relocatable file from it that is used on a platform (PPC) with tight memory constraints. This works fine except that it contains about a meg of initialization code that we want to unload after start up. So we put all that init code in a custom section in order to unload it, but unfortunately, the tool fails to properly handle custom sections and the rel file is invalid. So my task is to make a new tool that correctly generates this relocatable file with the custom section in it.

I've gotten relatively far with this tool and generating the rel file, but am currently bogged down in trying to figure out how to process the section data and build the relocation entries, etc. I am a high-level programmer way out of my element with this task, so all this reverse engineering business is new to me (thank goodness for the internet!).

I found Elf Sharp and used that as a starting point. It allows me to load both ELF and PLF files and interact with their contents. From there, I've reverse engineered the relocation file's header and contents for the most part, but it's far from accurate. When I compare the old tool's version of the file to mine, I find that some of the section data has been fixed up while my file uses the section data straight out of the PLF file and is plain. What I mean by this is the section data I copied over contains a ton of "48 00 00 01", but these are all fixed up in some way by the old tool. What is the significance of those bytes, and what is being done to them? I also have to generate the relocation entries but am unsure how to proceed.

I found a few examples of processing elf relocations online, and I have something similar up and running in my tool, but I'm still pretty unclear just what exactly I am supposed to be doing. I have a good resource for all the relocation types and their formulas (chapter 4.12.5 here), but I'm still not quite sure what offsets, sections info, etc I should be using.

TL;DR

• Can you help me visualize what exactly is happening with these relocation entries, how it is all generated and processed, and how it is used when the program is executed?

• What has been done to all the "48 00 00 01" words in the section data? I'm assuming they've been resolved with the appropriate symbols, but how was this done? Using the .rela information?

• Also, I'm not sure when I should use the PLF contents and when I should use the ELF contents. I think I only need the ELF to get the load address and segment information.

• When I generate the relocation fixups (on PPC), how exactly do I evaluate the relocation type equations? The examples I referred to online are not intuitive on that point. I'm confused with the offsets - you get one from Elf32_Rela, but is that the one you modify? And what is the offset that is used to record the result of the fixup? What exactly is the addend? I haven't found anything online that is all that enlightening.

• Some (actually most) of the relocation fixups point to one of several .debug_* sections or .bss. Should I skip the .debug fixups or are those important? .bss is a NoBits section so how do I handle that? And when it comes to actually generating the relocation entries, I understand how they are constructed, but who/what is actually behind making the entries? I mean, I'm ready to build it, but I don't know where to start - do I iterate over some data somewhere or what??

• Any other questions I should be asking but haven't yet realized it? ;)

Thanks for reading my long winded question!

Answer 1

Maybe the objconv tool can help. It can show the relocation types in x86 ELF files as dump or disassembly. http://www.agner.org/optimize/#objconv