Some questions about ELF file format

Question

I am trying to learn how ELF files are structured and probably how to make one manually.

I am working on aarch64 Linux OS, the ELF files I am inspecting are of elf64-littleaarch64 format.

Also I try to learn by myself, however I got stuck with some questions...

1. When I do xxd code, the first number in each line of the output specifies the address of bytes in the file. But when objdump -D code, the first number is something like 4000b0, however corresponds to 000000b0 in xxd. Why is there a four at the beginning?
2. In objdump, the bytecode is for example 11000a94, which 'means' add w20, w20, #2 in assembly. I know, that 11 is the opcode, but what does 000a94 mean? I thought, it should be the parameters, but I am adding the value 2 and can't find the number 2 in it.

If you have a good article to read, or can help me explain this, I will be very grateful!

Answer 1

Well, I was too fast asking this question, but now, I will answer it too.

1. 40 at the beginning of the addresses in objdump is the hex representation of the char "@", which means "at" and points to an address, very simple!
2. Little Endian has CPU addresses stored in 5 bits instead of 6 or 8. That means, that I should look for the binary value of the objdump code: 11000a94 --> 10001000000000000101010010100, where it can be divided into [10001][00000000000010][10100][10100] with [opcode][value][first address][second address]

Both answers are wrong, see the accepted answer. I will still let them here, though

Answer 2

1. xxd shows the offset of the bytes within the file on disk. objdump -D shows (tentatively) the address in memory where those bytes will be loaded when the program is run. It is common for them to differ by a round number. In particular, 0x400000 may correspond to one higher-level page table entry; see Why Linux/gnu linker chose address 0x400000? which is for x86-64 but I think ARM64 is similar (haven't checked). It doesn't have anything to do with the fact that 0x40 is ASCII @; that's just a coincidence.

   Note that if ASLR is in use, the actual memory address will be randomly chosen every time the program is run, and will not match what objdump shows you, though the difference will still be a multiple of the page size.