Parse a mock ELF64 header — extract version, machine, entry

Challenge

Given the first 64 bytes of an ELF64 binary, extract three fields:

• class — buf[4]: 1 = 32-bit, 2 = 64-bit
• data — buf[5]: 1 = little-endian (LSB), 2 = big-endian (MSB)
• machine — buf[18..19] little-endian (assume LSB; we'll only test LSB binaries)

Implement int parse_elf64_ident(const unsigned char *buf, int len, int *class_, int *data, int *machine).

Return 1 on success (and the three outputs filled). Return 0 if:

• buf is NULL or len < 20
• The first 4 bytes are not the ELF magic
• Any output pointer is NULL

Why this matters

The ELF header is the universal Linux binary fingerprint. Knowing how to extract its fields makes you fluent in any reverse-engineering tool.

Input format

64+ byte buffer + length.

Output format

0/1 + filled outputs.

Constraints

Bound-check every read.

Starter code

#include <stddef.h>
int parse_elf64_ident(const unsigned char *buf, int len, int *class_, int *data, int *machine) { /* TODO */ (void)buf; (void)len; (void)class_; (void)data; (void)machine; return 0; }

Common mistakes

Indexing buf[18] without confirming len >= 20.

Edge cases to handle

Magic mismatch; short buffer; NULL outputs.

Complexity

O(1).

Background lessons

• ELF header — the binary's calling card
• Endianness and byte order

Up next

• Identify the file format from the first 8 bytes