Donate
As it turns out, (technical) writing takes a lot of effort and work.
This book is free, freely available, and available in source code form 16 (LaTeX), and it will stay that way forever.
15 http://yurichev.com/Dennis_Yurichev.pdf
16 https://github.com/dennis714/RE-for-beginners
My current plan for this book is to add lots of information about: PLANS 17
If you want me to continue writing on all these topics, you may consider donating.
I have worked on this book for more than a year 18; it has more than 800 pages. There are at least ≈400 TeX files, ≈150 C/C++ source files, ≈470 various listings, and ≈160 screenshots.
The price of other books on the same subject varies between $20 and $50 on amazon.com.
Ways to donate are available on the page: http://beginners.re/donate.html
Every donor’s name will be included in the book! Donors also have a right to ask me to rearrange items in my writing plan.
In recent contributions, various individuals have made notable donations, including Oleg Vygovsky with 150 UAH, Daniel Bilar at $50, and James Truscott contributing $4.5. Other supporters include Luis Rocha ($63), Joris van de Vis ($127), and Richard S Shultz ($20). Contributions also came from Jang Minchang ($20), Shade Atlas (5 AUD), and Yao Xiao ($10). Pawel Szczur donated 40 CHF, while Justin Simms and Shawn the R0ck contributed $20 and $27, respectively. Ki Chan Ahn and Vankayala Vigneswararao both donated $50, and Triop AB contributed 100 SEK. Additional donations included Ange Albertini (10 EUR), Sergey Lukianov (300 RUR), and Ludvig Gislason (200 SEK). Gérard Labadie gave 40 EUR, while Sergey Volchkov and Martin Haeberli contributed 10 AUD and $10, respectively. Other notable donors included Sonny Thai ($15), Bayna AlZaabi ($75), and Redfive B.V. (25 EUR), along with Joona Oskari Heikkilọ (5 EUR), Marshall Bishop ($50), Nicolas Werner (12 EUR), Jeremy Brown ($100), Alexandre Borges (25 EUR), and Vladimir Dikovski (50 EUR).
This A5-format version is designed for e-book readers, featuring similar content to the A4 version, but with resized illustrations that may not be fully readable. For better visibility of the illustrations, please refer to the A4-format version available at http://beginners.re.
You can download and read my book online for free, but please refrain from distributing any translations without my permission. If you are interested in the Korean translation, please reach out to me at dennis(a)yurichev.com or contact the copyright holder, Acorn Publishing, at acornpub(a)acornpub.co.kr.
17 https://github.com/dennis714/RE-for-beginners/blob/master/PLANS
18 Initial git commit from March 2013: https://github.com/dennis714/RE-for-beginners/tree/
Learning C and C++ through writing and compiling small code snippets helped me deeply understand the relationship between high-level code and the generated assembly language. After enough of this, it became easy to picture the original C code just by looking at the corresponding x86 output. I believe this technique could benefit others, so I will share some examples to illustrate it.
Sometimes I use really ancient compilers in order to get the shortest (or simplest) possible code snippet.
Learning assembly language can be enhanced by compiling small C functions and gradually rewriting them in assembly to make the code more concise. This practice is hardly practical in today’s real-world applications, because modern compilers are so efficient, but it is an excellent way to deepen your understanding of assembly. Consider taking any assembly code from this book and attempting to make it shorter, but remember to test your results thoroughly.
CHAPTER 1 SHORT INTRODUCTION TO THE CPU
Short introduction to the CPU
The CPU is the unit which executes all of the programs.
Instruction: a primitive command to the CPU. Simplest examples: moving data between registers, working with memory, arithmetic primitives. As a rule, each CPU has its own instruction set architecture (ISA 1).
Machine code: code for the CPU. Each instruction is usually encoded by several bytes.
Assembly language: mnemonic code and some extensions like macros which are intended to make a programmer’s life easier.
CPU register: each CPU has a fixed set of general-purpose registers (GPRs): ≈8 in x86, ≈16 in x86-64, and ≈16 in ARM. The easiest way to understand a register is to think of it as an untyped temporary variable. Imagine working in a high-level programming language with only 8 variables available; a lot can still be done with just these.
The primary difference between machine code and high-level programming languages (PL) like C, Java, and Python lies in their usability and abstraction levels. High-level languages are designed for ease of use by humans, while machine code is much closer to what is convenient for a CPU. It may be theoretically possible to create a CPU that directly executes high-level code, but such a design would be significantly more complex. Conversely, assembly language, being low-level, is inconvenient for humans, and writing in it often leads to frustrating errors. To bridge this gap, a compiler is used to convert high-level code into assembly language.
Couple words about x86 and ARM
The x86 architecture has always had variable-length opcodes, so when the 64-bit era came, the x64 extensions did not significantly alter the instruction set architecture (ISA). Many instructions that originated with the 16-bit 8086 CPU continue to be supported in modern processors.
ARM is a RISC 4 CPU designed with a constant opcode length in mind, which had some advantages in the past. Initially, all instructions were encoded in 4 bytes, a format now referred to as "ARM mode."
It soon turned out that ARM mode was not as frugal as first imagined, as the most used CPU instructions in real-world applications can be encoded with less information. To address this, ARM introduced the Thumb ISA, which encodes each instruction in just 2 bytes, although it has a limited set of instructions. Both ARM and Thumb modes can coexist within a single program. Subsequently, Thumb-2 was developed in ARMv7, maintaining the 2-byte instruction format while introducing some 4-byte instructions. Contrary to popular belief, Thumb-2 is not merely a blend of ARM and Thumb; it was designed to fully utilize processor features, allowing it to compete with ARM mode in terms of instruction richness. As a result, most applications for iPod, iPhone, and iPad are compiled for the Thumb-2 instruction set, which is the default in Xcode.
Then 64-bit ARM came along, with a new ISA that again has 4-byte opcodes and no separate Thumb mode. As a result, there are now three distinct ARM instruction sets: ARM mode, Thumb mode (including Thumb-2), and ARM64. While these ISAs share some similarities, they are fundamentally different rather than mere variations of one another. This book includes code snippets from all three ARM ISAs.
Fixed-length instructions make it simple to calculate the address of the next (or previous) instruction, which is handy in some situations. This topic will be further explored in the switch() section (12.2.2).
6 These are MOV/PUSH/CALL/Jcc
Let’s start with the famous example from the book “The C Programming Language” [Ker88]:
x86
MSVC
Let’s compile it in MSVC 2010: cl 1.cpp /Fa1.asm
(/Fa option means generate assembly listing file)
CHAPTER 2 HELLO, WORLD! 2.1 X86
        push    ebp
        mov     ebp, esp
        push    OFFSET $SG3830
        call    _printf
        add     esp, 4
        xor     eax, eax
        pop     ebp
        ret     0
MSVC produces assembly listings in Intel syntax. The difference between Intel syntax and AT&T syntax will be discussed later: 2.1.3.
The compiler generates a 1.obj file, which is then linked into 1.exe.
In our case, the file contains two segments: CONST (for data constants) and _TEXT (for code).
The string “hello, world” in C/C++ has type const char[] [Str13, p176, 7.3.2]; however, it does not have its own name.
The compiler needs to deal with the string somehow, so it defines the internal name $SG3830 for it.
So the example may be rewritten as:
        #include <stdio.h>

        const char $SG3830[]="hello, world";

        int main()
        {
                printf($SG3830);
                return 0;
        }
Let’s get back to the assembly listing. As we can see, the string is terminated by a zero byte, which is standard for C/C++ strings. More about C strings: 44.1.1.
In the code segment, _TEXT, there is only one function so far: main(). The function main() starts with prologue code and ends with epilogue code (like almost any function) 1.
After the function prologue we see the call to the printf() function: CALL _printf.
Before the call, the string address (or a pointer to it) containing our greeting is placed on the stack with the help of the PUSH instruction.
When the printf() function returns control flow to the main() function, the string address (or a pointer to it) is still on the stack.
Since we do not need it anymore, the stack pointer (the ESP register) needs to be corrected.
1 Read more about it in section about function prolog and epilog (3).
ADD ESP, 4 means add 4 to the value in the ESP register.
Why 4? Since it is 32-bit code, we need exactly 4 bytes to pass an address through the stack. It is 8 bytes in x64 code.
``ADD ESP, 4'' is effectively equivalent to ``POP register'' but without using any register 2
Certain compilers, such as the Intel C++ Compiler, may generate the instruction POP ECX instead of ADD when compiling code, as seen in Oracle RDBMS While both instructions have similar effects, POP ECX modifies the contents of the ECX register The Intel C++ Compiler likely opts for POP ECX due to its shorter opcode, which is 1 byte compared to the 3 bytes required for ADD ESP, x.
Here is an example from it:
Listing 2.2: Oracle RDBMS 10.2 Linux (app.o file)
Read more about the stack in section (4).
After the call to printf(), the original C/C++ code contains return 0: return 0 as the result of the main() function.
The generated code utilizes the instruction XOR EAX, EAX, which is the "exclusive OR" operation. Compilers prefer it over MOV EAX, 0 because of its shorter opcode: 2 bytes compared to the 5 bytes of the MOV instruction. Some compilers emit SUB EAX, EAX instead, which means subtract the value in EAX from the value in EAX, which in any case results in zero.
The last instruction, RET, returns control flow to the caller. Usually, it is C/C++ CRT 4 code which in turn returns control to the OS 5.
GCC
Now let’s try to compile the same C/C++ code in the GCC 4.4.1 compiler in Linux: gcc 1.c -o 1
Next, with the assistance of the IDA 6 disassembler, let’s see how the main() function was created.
(IDA, like MSVC, shows code in Intel syntax.)
N.B. We could also have GCC produce assembly listings in Intel syntax by applying the options -S -masm=intel
2 CPU flags, however, are modified
3 http://en.wikipedia.org/wiki/Exclusive_or
The GCC main procedure initializes the stack and sets up a local variable, var_10, before preparing to display the string "hello, world." It pushes the base pointer onto the stack, aligns the stack pointer, and allocates space for local variables. The address of the string is moved into the local variable, followed by a call to the _printf function to output the message. Finally, the procedure returns a value of 0 and cleans up the stack.
The address of the "hello, world" string is first loaded into the EAX register and then stored on the stack. The function prologue includes the instruction AND ESP, 0FFFFFFF0h, which aligns the ESP register to a 16-byte boundary; the CPU performs better when the values it works with sit at addresses aligned on a 4- or 16-byte boundary. Additionally, the instruction SUB ESP, 10h allocates 16 bytes on the stack, although only 4 bytes are actually needed.
This is because the size of the allocated stack is also aligned on a 16-byte boundary.
The string address (or a pointer to the string) is then written directly into the stack space without using the PUSH instruction. var_10 is both a local variable and an argument for the printf() function.
Then the printf() function is called.
Unlike MSVC, when GCC compiles without optimization turned on, it emits MOV EAX, 0 instead of a shorter opcode.
The LEAVE instruction functions similarly to the MOV ESP, EBP and POP EBP instruction pair, effectively resetting the stack pointer (ESP) and restoring the EBP register to its original state.
This is necessary since we modified these register values (ESP and EBP) at the beginning of the function (by executing MOV EBP, ESP / AND ESP, …).
GCC: AT&T syntax
Let’s see how this can be represented in the AT&T syntax of assembly language. This syntax is much more popular in the UNIX-world.
Listing 2.4: let’s compile in GCC 4.7.3
gcc -S 1_1.c
        .cfi_offset 5, -8
        movl    %esp, %ebp
        .cfi_def_cfa_register 5
        andl    $-16, %esp
        subl    $16, %esp
        movl    $.LC0, (%esp)
        call    printf
        movl    $0, %eax
        leave
        .ident  "GCC: (Ubuntu/Linaro 4.7.3-1ubuntu1) 4.7.3"
        .section        .note.GNU-stack,"",@progbits
The listing contains many macros (they begin with a dot), but they are not relevant to us at the moment. For simplicity, we can ignore them, with the exception of the .string macro, which encodes a null-terminated character sequence just like a C-string. Ignoring them leaves the following 8:
8 This GCC option can be used to eliminate “unnecessary” macros: -fno-asynchronous-unwind-tables
.LC0:
        .string "hello, world"
main:
        pushl   %ebp
        movl    %esp, %ebp
        andl    $-16, %esp
        subl    $16, %esp
        movl    $.LC0, (%esp)
        call    printf
        movl    $0, %eax
        leave
        ret
Some of the major differences between Intel and AT&T syntax are:
• Source and destination operands are written in opposite order.
In Intel syntax: <instruction> <destination operand> <source operand>.
In AT&T syntax: <instruction> <source operand> <destination operand>.
Here is an easy way to remember the difference: with Intel syntax, imagine an equality sign (=) between the operands; with AT&T syntax, imagine a right arrow (→) showing the flow of data from the source to the destination.
• AT&T: Before register names a percent sign must be written (%) and before numbers a dollar sign ($). Parentheses are used instead of brackets.
• AT&T: A suffix is added to each instruction mnemonic to define the size of the data:
    q: quad (64 bits)
    l: long (32 bits)
    w: word (16 bits)
    b: byte (8 bits)
The compiled result is the same as what we saw in IDA, with one subtle difference: 0FFFFFFF0h is written as $-16. It is the same value: 16 in the decimal system is 0x10 in hexadecimal, and -0x10 is equal to 0xFFFFFFF0 for a 32-bit data type.
One more thing: the return value is set to 0 here with an ordinary MOV, not XOR. MOV simply loads a value into a register. Its name is a misnomer, since the data is not moved but copied; in other architectures this instruction is named "LOAD" or something similar.
In certain C standard functions, such as memcpy() and strcpy(), the arguments are organized similarly to Intel syntax, with the pointer to the destination memory block listed first, followed by the pointer to the source memory block.
x86-64
MSVC—x86-64
Let’s also try 64-bit MSVC:
$SG2989 DB      'hello, world', 00H

main    PROC
        sub     rsp, 40
        lea     rcx, OFFSET FLAT:$SG2923
        call    printf
        xor     eax, eax
        add     rsp, 40
        ret     0
main    ENDP
In x86-64, all registers were extended to 64 bits and their names now have an R- prefix. To use the stack less often (in other words, to access external memory or cache less often), there is a popular way of passing function arguments known as fastcall: some of the arguments are passed in registers and the rest via the stack. In the Win64 calling convention, the first four function arguments are passed in the RCX, RDX, R8, and R9 registers. That is what we see here: a pointer to the string for printf() is now passed in the RCX register instead of the stack.
Pointers are now 64-bit, so they are passed in the 64-bit parts of registers (the ones with the R- prefix). However, for backward compatibility, the 32-bit parts are still accessible using the E- prefix.
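This is what RAX/EAX/AX/AL look like in 64-bit x86-compatible CPUs:
Byte number:  7th 6th 5th 4th 3rd 2nd 1st 0th
RAX:          all eight bytes (7th to 0th)
EAX:          the four lowest bytes (3rd to 0th)
AX:           the two lowest bytes (1st and 0th)
AL:           the lowest byte (0th)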
The main() function in C/C++ returns an int-typed value, which remains 32-bit for better backward compatibility and portability. Consequently, the EAX register is cleared at the end of the function instead of the RAX register.
GCC—x86-64
Let’s also try GCC in 64-bit Linux:
.LC0:
        .string "hello, world"
main:
        sub     rsp, 8
        mov     edi, OFFSET FLAT:.LC0 ; "hello, world"
        xor     eax, eax  ; number of vector registers passed
        call    printf
        xor     eax, eax
        add     rsp, 8
        ret
In Linux, *BSD, and Mac OS X, function arguments are passed using a method where the first six arguments are transmitted through the registers RDI, RSI, RDX, RCX, R8, and R9, while any additional arguments are passed via the stack.
So the pointer to the string is passed in EDI (the 32-bit part of the register). But why not use the 64-bit part, RDI?
In 64-bit mode, all MOV instructions that write to the lower 32-bit part of a register also clear the upper 32 bits. For example, MOV EAX, 011223344h stores the value correctly into RAX, since the higher bits are cleared automatically.
If we open the compiled object file (.o), we will also see all the instructions’ opcodes 10:
.text:00000000004004D4 BF E8 05 40 00    mov     edi, offset format ; "hello, world"
.text:00000000004004DB E8 D8 FE FF FF    call    _printf
The instruction writing into EDI at address 0x4004D4 takes up 5 bytes, while the same instruction writing a 64-bit value into RDI requires 7 bytes. Apparently, GCC is trying to save some space. Besides, it can be sure that the data segment containing the string will not be allocated at addresses higher than 4 GiB.
We also see the EAX register being cleared before the printf() function call. This is done because, by standard, the number of vector registers used is passed in EAX:
“with variable arguments passes information about the number of vector registers used”[Mit13].
10 This must be enabled in Options → Disassembly → Number of opcode bytes
GCC—one more thing
The fact that an anonymous C-string has const type (2.1.1), and the fact that C-strings allocated in the constants segment are guaranteed to be immutable, have an interesting consequence: the compiler may use a specific part of a string.
Most C/C++ compilers (including MSVC) will allocate two strings, but let’s see what GCC 4.8.1 does:
The assembly listing (GCC 4.8.1 + IDA) contains two procedures, f1 and f2. f1 places the address of the string "world" (labelled s) on the stack and calls _puts to print it. f2 does the same with the address of aHello, where the text "hello " begins, and also calls _puts. Both procedures allocate and release their stack space in the same way.
        add     esp, 1Ch
        retn
f2      endp

aHello  db 'hello '
s       db 'world',0
Indeed, when we print the "hello world" string, the two words are stored adjacently in memory. The puts() function, called from f2(), is not aware that this string is divided; in fact it is not divided at all, it is divided only "virtually" in this listing.
When puts() is called from f1(), it uses the "world" string plus the zero byte. puts() is not aware that there is something before this string!
This clever trick is often used by at least GCC and can save some memory bytes.
ARM
Non-optimizing Keil 6/2013 (ARM mode)
Let’s start by compiling our example in Keil: armcc.exe --arm --c90 -O0 1.c
The armcc compiler generates assembly listings in Intel syntax, but it also uses high-level ARM-processor macros. It is more important for us to see the instructions "as is", so let’s look at the compiled result in IDA.
Listing 2.11: Non-optimizing Keil 6/2013 (ARM mode) + IDA
11 It is indeed so: Apple Xcode 4.6.3 uses open-source GCC as front-end compiler and LLVM code generator
12 e.g ARM mode lacks PUSH/POP instructions
.text:00000004 1E 0E 8F E2    ADR     R0, aHelloWorld ; "hello, world"
.text:00000010 10 80 BD E8    LDMFD   SP!, {R4,PC}
.text:000001EC 68 65 6C 6C+aHelloWorld DCB "hello, world",0 ; DATA XREF: main+4
In the example we can easily see that each instruction has a size of 4 bytes. Indeed, we compiled our code for ARM mode, not for thumb.
The very first instruction, "STMFD SP!, {R4,LR}", works like the x86 PUSH instruction, writing the values of two registers (R4 and LR) onto the stack. The output listing from the armcc compiler shows, for the sake of simplification, "PUSH {r4,lr}", but that is not quite precise, since the PUSH instruction is only available in thumb mode. So, to make things less confusing, we are doing this in IDA.
The instruction first decrements the stack pointer (SP) by 8 (two 4-byte registers), so that it points to the place in the stack that is free for new entries. It then stores the values of the R4 and LR registers at the address held in the updated SP.
This instruction (like the PUSH instruction in thumb mode) is able to save several register values at once, which can be very useful. By the way, it has no equivalent in x86. STMFD can also be seen as a generalization of PUSH, since it can work with any register as the base, not just SP. In other words, STMFD may be used for storing a set of registers at a specified memory address.
The instruction "ADR R0, aHelloWorld" calculates the address of the "hello, world" string by adding the value in the PC register to a specified offset, demonstrating the concept of position-independent code.
Position-independent code can be executed at a non-fixed address in memory. The ADR instruction encodes the difference between the address of this instruction and the place where the string is located. This difference is always the same, no matter where the OS loads our code. All we need to do is add the address of the current instruction (taken from the PC) to get the absolute address of our C-string in memory.
The “BL __2printf” 19 instruction calls the printf() function. Here’s how this instruction works:
• write the address following the BL instruction (0xC) into the LR;
• then pass control flow to printf() by writing its address into the PC register.
16 stack pointer. SP/ESP/RSP in x86/x64. SP in ARM.
17 Program Counter. IP/EIP/RIP in x86/64. PC in ARM.
18 Read more about it in relevant section (55.1)
When printf() finishes its work, it must have information about where it must return control. That’s why each function passes control to the address stored in the LR register.
That is the difference between “pure” RISC processors like ARM and CISC 20 processors like x86, where the return address is usually stored on the stack 21.
By the way, an absolute 32-bit address or offset cannot be encoded in the 32-bit BL instruction because it only has space for 24 bits. All ARM-mode instructions are 4 bytes (32 bits) in size and can only be located at 4-byte-aligned addresses, so the last two bits of the instruction address (which are always zero) may be omitted. This leaves 26 bits for the offset, which is enough to encode current_PC ± ≈32M.
Next, the "MOV R0, #0" instruction just writes 0 into the R0 register. That’s because our C function returns 0, and the return value is to be placed in the R0 register.
The last instruction, "LDMFD SP!, {R4,PC}", is the inverse of STMFD. It loads values from the stack in order to restore the R4 and PC registers, and increments the stack pointer (SP). In other words, it works like POP here. Note that the very first instruction, STMFD, saved the R4 and LR register pair on the stack, but it is R4 and PC that are restored during the execution of LDMFD.
As I wrote before, the address of the place to which each function must return control is usually saved in the LR register. The very first instruction saves its value on the stack because our main() function will use the same register in order to call printf(). At the end of the function this value can be written directly to the PC register, thus passing control to where our function was called. Since main() is usually the primary function in C/C++, control will be returned to the OS loader or to a point in the CRT, or something like that.
DCB is an assembly language directive defining an array of bytes or ASCII strings, akin to the DB directive in x86-assembly language.
Non-optimizing Keil 6/2013 (thumb mode)
Let’s compile the same example using Keil in thumb mode: armcc.exe --thumb --c90 -O0 1.c
21 Read more about this in next section (4)
Listing 2.12: Non-optimizing Keil 6/2013 (thumb mode) + IDA
.text:00000002 C0 A0          ADR     R0, aHelloWorld ; "hello, world"
.text:00000304 68 65 6C 6C+aHelloWorld DCB "hello, world",0 ; DATA XREF: main+2
We can easily spot the 2-byte (16-bit) opcodes: this is thumb. The BL instruction, however, consists of two 16-bit instructions. This is because a single 16-bit opcode does not have room for the offset to the printf() function. So the first 16-bit instruction loads the higher 10 bits of the offset, and the second loads the lower 11 bits. Since all thumb-mode instructions are 2 bytes in size, they cannot be located at odd addresses, so the last address bit can be omitted when encoding instructions. In summary, the BL thumb instruction can encode an address within approximately ±2M of the current PC.
As for the other instructions in the function: PUSH and POP work here just like the STMFD/LDMFD described above, only the SP register is not mentioned explicitly. ADR works just like in the previous example. MOVS writes 0 into the R0 register in order to return zero.
Optimizing Xcode 4.6.3 (LLVM) (ARM mode)
Xcode 4.6.3 without optimization turned on produces a lot of redundant code, so we’ll study the optimized output, where the instruction count is as small as possible, by setting the compiler switch -O3.
Listing 2.13: Optimizing Xcode 4.6.3 (LLVM) (ARM mode)
text:000028E0 80 80 BD E8       LDMFD   SP!, {R7,PC}
cstring:00003F62 48 65 6C 6C+aHelloWorld_0 DCB "Hello world!",0
The instructions STMFD and LDMFD are already familiar to us.
The MOV instruction just writes the number 0x1686 into the R0 register. This is the offset pointing to the “Hello world!” string.
The R7 register (as it is standardized in [App10]) is a frame pointer. More on it below.
The MOVT R0, #0 (MOVe Top) instruction writes 0 into the higher 16 bits of the register. The issue here is that the generic MOV instruction in ARM mode can write only the lower 16 bits of the register, because an ARM opcode is limited to 32 bits. That is why the additional MOVT instruction exists for writing into the higher bits. Its use here is redundant, though, because the MOV R0, #0x1686 instruction above already cleared the higher part of the register; this is probably a shortcoming of the compiler. The ADD R0, PC, R0 instruction adds the value in the PC to the value in R0 to calculate the absolute address of the “Hello world!” string; as we already know, this is position-independent code, so the correction is essential here. Finally, the BL instruction calls the puts() function instead of printf().
GCC replaced the first printf() call with puts(). Indeed: printf() with a sole argument is almost analogous to puts().
Almost, because we need to be sure the string does not contain printf control statements starting with %: then the effect of these two functions would be different 25.
Why did the compiler replace printf() with puts()? Probably because puts() is faster 26. puts() works faster because it just passes characters to stdout without comparing each one to the % symbol.
Next, we see the familiar “MOV R0, #0” instruction intended to set the R0 register to 0.
Optimizing Xcode 4.6.3 (LLVM) (thumb-2 mode)
By default Xcode 4.6.3 generates code for thumb-2 in this manner:
Listing 2.14: Optimizing Xcode 4.6.3 (LLVM) (thumb-2 mode)
25 It should also be noted the puts() does not require a ’\n’ new line symbol at the end of a string, so we do not see it here.
26 http://www.ciselant.de/projects/gcc_printf/gcc_printf.html
cstring:00003E70 48 65 6C 6C 6F 20+aHelloWorld DCB "Hello world!",0xA,0
The BL and BLX instructions in thumb mode, as we recall, are encoded as pairs of 16-bit instructions. In thumb-2 these surrogate opcodes are extended so that new instructions can be encoded as 32-bit instructions. That is obvious here, considering that thumb-2 opcodes always begin with 0xFx or 0xEx. In IDA listings, however, the opcode bytes are shown swapped in thumb and thumb-2 modes. For ARM-mode instructions the order is different: the fourth byte goes first, then the third, then the second, and finally the first (due to different endianness). That is why the MOVW, MOVT.W, and BLX instructions all begin with 0xFx.
One of the thumb-2 instructions is “MOVW R0, #0x13D8”: it writes a 16-bit value into the lower part of the R0 register, clearing the higher bits.
Also, “MOVT.W R0, #0” works just like MOVT from the previous example, but it works in thumb-2.
Among the other differences, the BLX instruction is used here instead of BL. The difference is that, besides saving the RA 27 in the LR register and passing control to the puts() function, the processor also switches from thumb mode to ARM mode (or back). This instruction is placed here because the instruction to which control is passed is encoded in ARM mode and looks like this:
symbolstub1:00003FEC _puts           ; CODE XREF: _hello_world+E
symbolstub1:00003FEC 44 F0 9F E5     LDR     PC, =__imp__puts
So, the observant reader may ask: why not call puts()right at the point in the code where it is needed?
Because it is not very space-efficient.
Most software applications rely on external dynamic libraries, such as DLLs in Windows, .so files in UNIX, or .dylib files in Mac OS X. These libraries contain frequently used functions, including standard C functions like puts().
Executable binary files, such as Windows PE (.exe), ELF, or Mach-O formats, include an import section that lists symbols like functions and global variables This section details the external modules from which these symbols are imported, along with their corresponding names.
The OS loader loads all the modules it needs and, while enumerating import symbols in the primary module, determines the correct addresses of each symbol.
In our case, __imp__puts is a 32-bit variable that the OS loader uses to store the correct address of the function in an external library. The LDR instruction then just reads the 32-bit value from this variable and writes it into the PC register, thereby passing control to the function.
So, in order to reduce the time the OS loader needs for this procedure, it is a good idea to write the address of each symbol only once, into a dedicated place.
Besides, as we have already figured out, it is impossible to load a 32-bit value into a register with a single instruction without a memory access. Therefore, the optimal solution is to allocate a separate function working in ARM mode with the sole goal of passing control to the dynamic library, and then to jump to this short one-instruction function (the so-called thunk function) from the thumb code.
In the previous example compiled for ARM mode, control is transferred to the same thunk function via the BL instruction, but the processor mode remains unchanged, indicated by the lack of an "X" in the instruction mnemonic.
ARM64
Let’s compile the example using GCC 4.8.1 in ARM64:
Listing 2.15: Non-optimizing GCC 4.8.1 + objdump
There are no thumb and thumb-2 modes in ARM64, only ARM, so there are 32-bit instructions only. The register count is doubled: B.4.1. 64-bit registers have X- prefixes, while their 32-bit parts have W- prefixes.
The STP instruction (Store Pair) saves two registers on the stack simultaneously: X29 and X30. Of course, this instruction is able to save this pair at an arbitrary place in memory, but the SP register is specified here, so the pair is saved on the stack. ARM64 registers are 64-bit ones, each 8 bytes in size, so one needs 16 bytes to save two registers.
The exclamation mark following the operand indicates that 16 will be subtracted from the stack pointer (SP) first, before the values from the register pair are pushed onto the stack This process is known as pre-indexing For more information on the differences between post-indexing and pre-indexing, click here.
In the context of x86 architecture, the initial instruction functions similarly to the combination of PUSH X29 and PUSH X30, where X29 serves as the frame pointer (FP) and X30 as the link register (LR) in ARM64 This is why these registers are preserved during the function prologue and restored in the function epilogue Additionally, the second instruction is responsible for copying the stack pointer (SP) into X29 (or FP), which is essential for establishing the function's stack frame.
The ADRP and ADD instructions are needed to form the address of the string "Hello!" in the X0 register, because the first function argument is passed in this register. However, ARM has no instruction that can write a large number into a register, because the instruction length is limited to 4 bytes.
So two instructions are used: the first one (ADRP) writes into X0 the address of the 4KB page where the string is located, and the second one (ADD) adds the remaining offset to that address. For further details, refer to section 36.4.
0x400000 + 0x648 = 0x400648, and we see our “Hello!” C-string in the .rodata data segment at this address. puts() is then called using the BL instruction, which was already discussed before: 2.4.3.
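The page/offset split described above can be sketched in C. This is only an illustration of the arithmetic, not of how the linker encodes the two instructions; the helper names adrp_part(), add_part() and adrp_add() are hypothetical, and the address 0x400648 is the one quoted in the text.

```c
#include <assert.h>
#include <stdint.h>

#define PAGE_4K 0x1000u /* 4KB page, as in the text */

/* Hypothetical helper: what ADRP contributes, i.e. the address of the
   4KB page that contains addr (low 12 bits cleared). */
static uint64_t adrp_part(uint64_t addr)
{
    return addr & ~(uint64_t)(PAGE_4K - 1);
}

/* Hypothetical helper: what the following ADD contributes, i.e. the
   offset of addr inside its page (low 12 bits). */
static uint64_t add_part(uint64_t addr)
{
    return addr & (PAGE_4K - 1);
}

/* Rebuild the full address the way the ADRP + ADD pair does. */
static uint64_t adrp_add(uint64_t addr)
{
    uint64_t x0 = adrp_part(addr); /* ADRP x0, <page>       */
    x0 += add_part(addr);          /* ADD  x0, x0, <offset> */
    assert(x0 == addr);            /* the two parts always recombine */
    return x0;
}
```

For the string address from the text, adrp_part(0x400648) gives 0x400000 and add_part(0x400648) gives 0x648.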
The MOV instruction writes 0 into W0. W0 is the low 32 bits of the 64-bit X0 register:
High 32-bit part | low 32-bit part
X0 (both parts)
                 | W0
The function result is returned through the X0 register, and main() returns 0, so this is how the return value is prepared. Why the 32-bit part? Because the int data type in ARM64, just like in x86-64, is still 32-bit, for better compatibility. Therefore, when a function returns a 32-bit int, only the lowest 32 bits of the X0 register need to be filled.
To verify this, I changed my example slightly and recompiled it. Now main() returns a 64-bit value:
Listing 2.16: main() returning a value of uint64_t type
return 0;
The result is the same, but this is how the MOV at that line looks now:
Listing 2.17: Non-optimizing GCC 4.8.1 + objdump
LDP (Load Pair) then restores the X29 and X30 registers. There is no exclamation mark after the instruction: this means that the values are first loaded from the stack, and only then is the SP value increased by 16. This is called post-index.
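The difference between the pre-indexed STP in the prologue and the post-indexed LDP in the epilogue can be modeled with a toy stack in C. This is a sketch only: the struct cpu type and both function names are hypothetical, and sp is an offset into a small array rather than a real address.

```c
#include <assert.h>
#include <stdint.h>
#include <string.h>

/* Toy machine state; all names here are hypothetical. */
struct cpu {
    uint8_t  mem[64]; /* tiny "stack" memory                   */
    uint64_t sp;      /* stack pointer, used as an index in mem */
};

/* Sketch of "stp a, b, [sp, -16]!" (pre-index):
   SP is adjusted first, then the pair is stored at the new SP. */
static void stp_pre_index(struct cpu *c, uint64_t a, uint64_t b)
{
    assert(c->sp >= 16);
    c->sp -= 16;
    memcpy(&c->mem[c->sp], &a, 8);
    memcpy(&c->mem[c->sp + 8], &b, 8);
}

/* Sketch of "ldp a, b, [sp], 16" (post-index):
   the pair is loaded from the current SP, then SP is adjusted. */
static void ldp_post_index(struct cpu *c, uint64_t *a, uint64_t *b)
{
    assert(c->sp + 16 <= sizeof c->mem);
    memcpy(a, &c->mem[c->sp], 8);
    memcpy(b, &c->mem[c->sp + 8], 8);
    c->sp += 16;
}
```

Calling stp_pre_index() and then ldp_post_index() on the same struct cpu returns both values and leaves sp where it started, which is what the prologue/epilogue pair relies on.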
The ARM64 architecture introduces a new instruction, RET. It works just like BX LR, but includes a special hint bit that tells the CPU this is a return from a function rather than just another jump, so it can be executed more optimally.
Due to the simplicity of the function, optimizing GCC generates the very same code.
Conclusion
The main difference between x86/ARM and x64/ARM64 code is that the pointer to the string is now 64-bit. Modern CPUs are 64-bit because memory has become cheaper, much more of it can be installed in computers, and 32-bit pointers are no longer enough to address it. Consequently, all pointers are now 64-bit.
Exercises
Exercise #1
main:
        push    0xFFFFFFFF
        call    MessageBeep
        xor     eax, eax
        retn
What does this win32-function do?
CHAPTER 3 FUNCTION PROLOGUE AND EPILOGUE
A function prologue is a sequence of instructions at the start of a function. It often looks something like the following code fragment:
        push    ebp
        mov     ebp, esp
        sub     esp, X
What these instructions do: save the value of the EBP register, set the value of the EBP register to the value of ESP, and then allocate space on the stack for local variables.
The value of the EBP register stays the same during the execution of a function, which makes it convenient for accessing local variables and function arguments. In contrast, the ESP register changes over time, which makes it less convenient for this purpose.
The function epilogue frees the allocated stack space, restores the EBP register to its original state, and returns control to the caller:
        mov     esp, ebp
        pop     ebp
        ret     0
Function prologues and epilogues are usually detected by disassemblers in order to delimit functions from each other.
Recursion
Epilogues and prologues can make recursion performance worse.
In a previous project, I developed a function to locate the correct node in a binary tree. While the recursive approach looked elegant, it ultimately ran significantly slower than an iterative implementation, because extra time was spent in the prologue and epilogue at each function call.
By the way, that is the reason compilers use tail call.
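To make the recursion remark concrete, here is a minimal sketch of a binary search tree lookup written both ways. The struct node type and both function names are hypothetical and are not the author's original code; the only point is that the recursive version pays for a call at every tree level, while the loop does not.

```c
#include <stddef.h>

/* Hypothetical node type for a binary search tree. */
struct node {
    int key;
    struct node *left, *right;
};

/* Recursive lookup: each level costs a call, which typically means
   one more prologue and epilogue. */
static struct node *find_recursive(struct node *n, int key)
{
    if (n == NULL || n->key == key)
        return n;
    return find_recursive(key < n->key ? n->left : n->right, key);
}

/* Iterative lookup: the same walk in a loop, with no call per level. */
static struct node *find_iterative(struct node *n, int key)
{
    while (n != NULL && n->key != key)
        n = key < n->key ? n->left : n->right;
    return n;
}
```

The recursive call here is in tail position, so an optimizing compiler may turn it into the loop by itself.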
A stack is one of the most fundamental data structures in computer science. Technically, it is just a block of memory in process memory, together with the ESP or RSP register in x86 or x64, or the SP register in ARM, serving as a pointer within that block.
The most frequently used stack access instructions are PUSH and POP (in both x86 and ARM thumb-mode). PUSH subtracts 4 from the ESP/RSP/SP register in 32-bit mode (or 8 in 64-bit mode) and then writes the value of its operand to the memory location pointed to by ESP/RSP/SP.
POP is the reverse operation: it retrieves the data from the memory location that the stack pointer (SP) points to, stores it in the operand (typically a register), and then adds 4 (or 8) to the stack pointer. After stack allocation, the stack pointer is positioned at the end of the stack. PUSH decreases the stack pointer and POP increases it. Interestingly, the end of the stack is located at the start of the memory allocated for the stack block, which may seem counterintuitive but is the standard behavior.
ARM supports both descending and ascending stacks. The STMFD/LDMFD and STMED/LDMED instructions are intended for descending stacks, while the STMFA/LDMFA and STMEA/LDMEA instructions are intended for ascending stacks.
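The PUSH and POP behavior in 32-bit mode can be modeled in a few lines of C. This is a toy sketch, not a description of real hardware: struct stack32 and the three functions are hypothetical names, and esp is an offset into a small array instead of a real address.

```c
#include <assert.h>
#include <stdint.h>
#include <string.h>

#define STACK_BYTES 32u

/* Toy 32-bit machine: a block of memory plus a stack pointer. */
struct stack32 {
    uint8_t  mem[STACK_BYTES];
    uint32_t esp; /* offset into mem; starts one past the block */
};

static void stack32_init(struct stack32 *s)
{
    memset(s->mem, 0, sizeof s->mem);
    s->esp = STACK_BYTES;
}

/* PUSH: subtract 4 from ESP, then store the operand at [ESP]. */
static void push32(struct stack32 *s, uint32_t value)
{
    assert(s->esp >= 4); /* no room left would be a stack overflow */
    s->esp -= 4;
    memcpy(&s->mem[s->esp], &value, 4);
}

/* POP: load the operand from [ESP], then add 4 to ESP. */
static uint32_t pop32(struct stack32 *s)
{
    uint32_t value;
    assert(s->esp + 4 <= STACK_BYTES);
    memcpy(&value, &s->mem[s->esp], 4);
    s->esp += 4;
    return value;
}
```

Pushing two values moves esp from 32 down to 24, and popping returns them in reverse order while esp climbs back to 32.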
1 http://en.wikipedia.org/wiki/Call_stack
2 Store Multiple Empty Descending (ARM instruction)
3 Load Multiple Empty Descending (ARM instruction)
4 Store Multiple Full Ascending (ARM instruction)
5 Load Multiple Full Ascending (ARM instruction)
6 Store Multiple Empty Ascending (ARM instruction)
7 Load Multiple Empty Ascending (ARM instruction)
CHAPTER 4 STACK 4.1 WHY DOES THE STACK GROW BACKWARD?
Why does the stack grow backward?
Intuitively, we might think that, like any other data structure, the stack may grow upward, i.e., towards higher addresses.
The stack grows backward probably for historical reasons linked to early computer design. In the era of large room-sized computers, memory was simply divided into two parts: one for the heap and one for the stack. Since it was not known in advance how big the heap and the stack would become during program execution, letting them grow toward each other from opposite ends of memory was the simplest possible solution.
In [RT74] we can read:
The user-core part of an image consists of three logical segments: the program text segment, the writable data segment, and the stack segment. The program text segment, located at the start of the virtual address space, is write-protected and shared among all processes running the same program. Above this segment, at the first 8K byte boundary, lies a nonshared, writable data segment that can be expanded through a system call. Finally, the stack segment is positioned at the highest address in the virtual address space and grows downward as the hardware’s stack pointer changes.
What is the stack used for?
Passing function arguments
The most popular way to pass parameters in x86 is called “cdecl”:
        push    arg3
        push    arg2
        push    arg1
        call    f
        add     esp, 4*3
Callee functions get their arguments via the stack pointer.
Consequently, this is how values will be located in the stack before execution of the very first instruction of the f() function:
ESP        return address
ESP+4      argument#1, marked in IDA as arg_0
ESP+8      argument#2, marked in IDA as arg_4
ESP+0xC    argument#3, marked in IDA as arg_8
9 http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.faqs/ ka13785.html
In the past, on systems like PDP-11 and VAX, the CALL instruction for invoking functions was costly, consuming up to 50% of execution time. Consequently, having a large number of small functions was widely considered an anti-pattern.
Programmers are not required to pass arguments through the stack, as there are alternative methods for implementing argument passing that do not involve the stack.
In x86 and ARM architectures, it is common practice to utilize the stack for passing arguments to functions, although it is technically feasible to allocate space in the heap, fill it, and pass a pointer to this block using the EAX register.
The callee function has no information about how many arguments were passed. Functions with a variable number of arguments, such as printf(), determine the count from the format specifiers (which begin with the % sign) in the format string. If we write something like printf("%d %d %d", 1234); then printf() will print 1234 followed by two arbitrary numbers that happen to be located next to it in the stack.
That’s why it is not very important how we declare the main() function: as main(), main(int argc, char *argv[]) or main(int argc, char *argv[], char *envp[]).
In fact, the CRT-code is calling main() roughly as:
        push    envp
        push    argv
        push    argc
        call    main
If you declare main() without arguments, they are nevertheless still present in the stack, but are not used. If you declare main(int argc, char *argv[]), you can use the first two arguments, while the third remains inaccessible to your function. It is even possible to declare main(int argc) without the argv parameter, and it will work.
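The way printf()-like functions infer the number of arguments from the format string, as described above, can be sketched with a small variadic function. Both count_specifiers() and sum_by_format() are hypothetical helpers written for this illustration, and the parser only understands %d and %%.

```c
#include <assert.h>
#include <stdarg.h>
#include <stddef.h>

/* Hypothetical helper: count the "%d" specifiers in fmt.
   "%%" is treated as a literal percent sign. */
static int count_specifiers(const char *fmt)
{
    int n = 0;
    assert(fmt != NULL);
    while (*fmt != '\0') {
        if (fmt[0] == '%' && fmt[1] != '\0') {
            if (fmt[1] == 'd')
                n++;
            fmt += 2; /* skip '%' and the character after it */
        } else {
            fmt++;
        }
    }
    return n;
}

/* Hypothetical variadic function: sums as many int arguments as fmt
   announces. Like printf(), it cannot check how many were really
   passed; it simply trusts the format string. */
static int sum_by_format(const char *fmt, ...)
{
    va_list ap;
    int total = 0;
    int n = count_specifiers(fmt);

    va_start(ap, fmt);
    for (int i = 0; i < n; i++)
        total += va_arg(ap, int);
    va_end(ap);
    return total;
}
```

Calling sum_by_format("%d %d %d", 1, 2, 3) reads exactly three int values. Passing fewer arguments than the format announces is undefined behavior in C, which is the situation the printf("%d %d %d", 1234) example in the text describes.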
Local variable storage
A function can quickly allocate space for its local variables by simply moving the stack pointer downward, making this process efficient regardless of the number of local variables defined.
In "The Art of Computer Programming," Donald Knuth discusses a method for supplying arguments to subroutines, specifically in section 1.4.1. He highlights that one effective way to pass arguments is by listing them after the JMP instruction that directs control to the subroutine. Knuth notes that this approach was especially convenient for the System/360 architecture.
It is also not a requirement to store local variables in the stack. You could store local variables wherever you like, but traditionally this is how it’s done.
x86: alloca() function
It is worth noting the alloca() function 12.
This function works like malloc(), but allocates memory directly on the stack. The allocated memory does not need to be released with a free() call, since the function epilogue restores ESP to its original state and the allocated memory is simply dropped.
It is worth noting how alloca() is implemented.
In simple terms, this function just shifts ESP downwards toward the stack bottom by the number of bytes you need and sets ESP as a pointer to the allocated block. Let’s try:
#ifdef __GNUC__
        snprintf (buf, 600, "hi! %d, %d, %d\n", 1, 2, 3); // GCC
The _snprintf() function works just like printf(), but instead of dumping the result to stdout, it writes it to the buf buffer. The puts() function then copies the contents of buf to stdout. Of course, these two function calls could be replaced by a single printf() call, but I would like to illustrate small buffer usage.
12 In MSVC, the function implementation can be found in alloca16.asm and chkstk.asm in C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\crt\src\intel
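A self-contained sketch of this kind of alloca() usage is given below. It is not the original listing: format_on_stack() is a hypothetical wrapper that copies the result out of the stack buffer, because the buffer disappears as soon as the function returns. The header choice assumes GCC-compatible compilers provide alloca.h and MSVC provides malloc.h.

```c
#ifdef __GNUC__
#include <alloca.h>   /* GCC */
#else
#include <malloc.h>   /* MSVC */
#endif
#include <stdio.h>
#include <string.h>

/* Hypothetical wrapper: format into a 600-byte alloca() buffer, then
   copy the text into the caller's buffer. Returns the copied length. */
static size_t format_on_stack(char *out, size_t out_size)
{
    char *buf = (char *)alloca(600); /* released automatically on return */
#ifdef __GNUC__
    snprintf(buf, 600, "hi! %d, %d, %d\n", 1, 2, 3);   /* GCC */
#else
    _snprintf(buf, 600, "hi! %d, %d, %d\n", 1, 2, 3);  /* MSVC */
#endif
    if (out_size == 0)
        return 0;
    strncpy(out, buf, out_size - 1);
    out[out_size - 1] = '\0';
    return strlen(out);
}
```

No free() call appears anywhere: the 600 bytes are given back when format_on_stack() returns and its epilogue restores the stack pointer.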
Listing 4.1: MSVC 2010
        mov     eax, 600 ; 00000258H
        call    alloca_probe_16
        mov     esi, esp
        push    3
        push    2
        push    1
        push    OFFSET $SG2672
        push    600 ; 00000258H
        push    esi
        call    snprintf
        push    esi
        call    _puts
        add     esp, 28 ; 0000001cH
The sole alloca() argument is passed via EAX (instead of pushing it onto the stack) 13. After the alloca() call, ESP points to the block of 600 bytes and we can use it as memory for the buf array.
GCC 4.4.1 can do the same without calling external functions:
The code snippet begins by setting up the stack frame and allocating space for local variables. It aligns a pointer to a 16-byte boundary and stores the adjusted pointer in the stack. Additionally, it stores a specific value in the stack, preparing for further operations.
13 This is because alloca() is a compiler intrinsic (77) rather than a usual function.
The MSVC 14 implementation of the alloca() function includes a mechanism that reads from the newly allocated memory, enabling the operating system to map physical memory to the corresponding virtual memory region This design choice underscores the importance of having a dedicated function rather than relying solely on a few instructions within the code.
        mov     DWORD PTR [esp+16], 2
        mov     DWORD PTR [esp+12], 1
        mov     DWORD PTR [esp+8], OFFSET FLAT:.LC0 ; "hi! %d, %d, %d\n"
        mov     DWORD PTR [esp+4], 600 ; maxlen
        call    _snprintf
        mov     DWORD PTR [esp], ebx ; s
        call    puts
        mov     ebx, DWORD PTR [ebp-4]
        leave
        ret
Let’s see the same code, but in AT&T syntax:
The code snippet begins with the format string used for output, followed by setting up the stack frame. It initializes several local variables and prepares the parameters for the formatted output. The code uses the _snprintf function to format the string with specific values, then calls the puts function to display the result. Finally, it cleans up the stack and returns from the function.
The code is the same as in the previous listing.
By the way, movl $3, 20(%esp) is analogous to mov DWORD PTR [esp+20], 3 in Intel-syntax: when addressing memory in the form register+offset, it is written as offset(%register) in AT&T syntax.
SEH 16 records are also stored on the stack (if they are present).
Buffer overflow protection
Typical stack layout
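A very typical stack layout in a 32-bit environment at the start of a function, before the first instruction is executed:
ESP-0xC    local variable #2, marked in IDA as var_8
ESP-8      local variable #1, marked in IDA as var_4
ESP-4      saved value of EBP
ESP        return address
ESP+4      argument#1, marked in IDA as arg_0
ESP+8      argument#2, marked in IDA as arg_4
ESP+0xC    argument#3, marked in IDA as arg_8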
Noise in stack
In this book, I frequently mention "noise" or "garbage" values found in the stack or in memory. These values are remnants left behind after the execution of other functions.
int main()
_f1 PROC
        push    ebp
        mov     ebp, esp
        sub     esp, 12
        mov     DWORD PTR _a$[ebp], 1
        mov     DWORD PTR _b$[ebp], 2
        mov     DWORD PTR _c$[ebp], 3
        mov     esp, ebp
        pop     ebp
        ret     0
The second function uses the stack for parameter passing and calls printf() to output three integer values. It begins by setting up the stack frame and reserving space for local variables. The function reads the values of the three variables _a, _b and _c and pushes them onto the stack in preparation for the printf() call. The format string '%d, %d, %d' is also pushed onto the stack to specify the output format. After printf() has executed, the stack is cleaned up and the function returns control to the caller.
_main PROC
        push    ebp
        mov     ebp, esp
        call    _f1
        call    _f2
        xor     eax, eax
        pop     ebp
        ret     0
The compiler will grumble for a little…
c:\Polygon\c>cl st.c /Fast.asm /MD
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
st.c
c:\polygon\c\st.c(11) : warning C4700: uninitialized local variable 'c' used
c:\polygon\c\st.c(11) : warning C4700: uninitialized local variable 'b' used
c:\polygon\c\st.c(11) : warning C4700: uninitialized local variable 'a' used
Copyright (C) Microsoft Corporation. All rights reserved.
/out:st.exe st.obj
But when I run…
c:\Polygon\c>st
Oh. What a weird thing. We did not set any variables in f2(). These values are “ghosts”, which are still in the stack.
Let’s load the example into OllyDbg:
Figure 4.1: OllyDbg: f1()
When f1() writes to the a, b and c variables, they are stored at the address 0x14F85C and so on.
a, b and c of f2() are located at the same address! No one has overwritten the values yet, so they are still untouched here.
For this weird thing to happen, several functions must be called one after another, and the stack pointer (SP) must be the same at each function entry, meaning they must have the same number of arguments. Then the local variables will be located at the same positions in the stack.
In summary, all values in the stack (and in memory cells in general) are left there by previous function executions. They are not random in the strict sense, but rather have unpredictable values.
How else? Probably, it would be possible to clear stack portions before each function execution, but that’s too much extra (and needless) work.
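Reading uninitialized locals is undefined behavior in C, so the effect cannot be demonstrated portably with real local variables. The sketch below instead models it with an explicit array standing in for the stack. All names (model_stack, model_sp, f1_model, f2_model) are hypothetical; the two functions only mimic the sub esp, 12 and restore steps visible in the listing above.

```c
#include <assert.h>
#include <stdint.h>
#include <string.h>

/* Toy model: one shared block stands in for the real stack,
   and model_sp is an offset into it. */
static uint8_t  model_stack[64];
static uint32_t model_sp = sizeof model_stack;

/* Like f1(): reserve 12 bytes and write a=1, b=2, c=3 into them. */
static void f1_model(void)
{
    int32_t vars[3] = {1, 2, 3};
    assert(model_sp >= 12);
    model_sp -= 12;                       /* sub esp, 12          */
    memcpy(&model_stack[model_sp], vars, sizeof vars);
    model_sp += 12;                       /* frame is "released"  */
}

/* Like f2(): reserve the same 12 bytes, but only read them. */
static void f2_model(int32_t out[3])
{
    assert(model_sp >= 12);
    model_sp -= 12;
    memcpy(out, &model_stack[model_sp], 12);
    model_sp += 12;
}
```

Because both functions start from the same model_sp, f2_model() sees exactly the bytes f1_model() left behind. Nothing clears them in between.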
Exercises
Exercise #1
When this code is compiled and executed in MSVC, it outputs three numbers. Where do they come from? Where do they come from if the code is compiled in MSVC with optimization (/Ox)? Why is the situation completely different when it is compiled with GCC?
int main()
Exercise #2
_main PROC
        push    0
        call    DWORD PTR imp _time64
        push    edx
        push    eax
        push    OFFSET $SG3103 ; '%d'
        call    DWORD PTR imp printf
        add     esp, 16
        xor     eax, eax
        ret     0
Listing 4.6: Optimizing Keil 6/2013 (ARM mode) main PROC
Listing 4.7: Optimizing Keil 6/2013 (thumb mode) main PROC
Listing 4.8: Optimizing GCC 4.9 (ARM64)
main:
        stp     x29, x30, [sp, -16]!
        mov     x0, 0
        add     x29, sp, 0
        bl      time
        mov     x1, x0
        ldp     x29, x30, [sp], 16
        adrp    x0, .LC0
        add     x0, x0, :lo12:.LC0
        b       printf
CHAPTER 5 PRINTF() WITH SEVERAL ARGUMENTS
Chapter 5 printf() with several arguments
Now let’s extend the Hello, world! (2) example, replacing printf() in the main() function body by this:
x86: 3 arguments
MSVC
Let’s compile it with MSVC 2010 Express, and we get:
        push    3
        push    2
        push    1
        push    OFFSET $SG3830
        call    _printf
        add     esp, 16 ; 00000010H
Almost the same, but now we can see that the printf() arguments are pushed onto the stack in reverse order. The first argument is pushed last.
By the way, variables of int type in a 32-bit environment are 32 bits wide, that is 4 bytes.
So, we have 4 arguments here. 4*4 = 16: they occupy exactly 16 bytes in the stack, namely a 32-bit pointer to a string and 3 numbers of type int.
When the stack pointer (ESP register) is changed back by the ADD ESP, X instruction after a function call, the number of function arguments can often be deduced from it: just divide X by 4.
Of course, this is specific to the cdecl calling convention.
See also the section about calling conventions (52).
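The "divide X by 4" rule of thumb can be written down as a one-line helper. cdecl_arg_count() is a hypothetical name, and the sketch assumes every argument occupies exactly one 4-byte stack slot, as in the 32-bit example above.

```c
#include <assert.h>

/* Hypothetical helper: guess the number of 32-bit cdecl arguments
   from the X in the "ADD ESP, X" that follows a call. */
static unsigned cdecl_arg_count(unsigned stack_adjust)
{
    assert(stack_adjust % 4 == 0); /* each argument takes 4 bytes */
    return stack_adjust / 4;
}
```

For the printf() call above, cdecl_arg_count(16) gives 4: the format string pointer plus three int values. The guess is only a heuristic and breaks down when an argument is wider than 4 bytes or when one adjustment covers more than one call.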
It is also possible for the compiler to merge several "ADD ESP, X" instructions into one, after the last call:
        push    a1
        push    a2
        call
        push    a1
        push    a2
        push    a3
        call
        add     esp, 24
MSVC and OllyDbg
To analyze our example using OllyDbg, a widely-used user-land Win32 debugger, we should compile it in MSVC 2012 with the /MD option. This setting links the program against MSVCR*.DLL, allowing us to clearly view the imported functions within the debugger.
Then load the executable in OllyDbg. The very first breakpoint is in ntdll.dll; press F9 (run). The second breakpoint is in CRT-code. Now we should find the main() function.
Find this code by scrolling the code to the very top (MSVC allocates the main() function at the very beginning of the code section):
Figure 5.1: OllyDbg: the very start of the main() function
Click on the PUSH EBP instruction, press F2 (set breakpoint) and press F9 (run).
We need to do these manipulations in order to skip the CRT-code, because we aren’t really interested in it yet.
Press F8 (step over) 6 times, i.e., skip 6 instructions:
Now the PC points to the CALL printf instruction. Like other debuggers, OllyDbg highlights the values of registers that have changed, so each time F8 is pressed, EIP changes and its value is shown in red. The ESP register changes as well, because values are pushed onto the stack.
Where are the values in the stack? Take a look at the right/bottom window of the debugger:
Figure 5.3: OllyDbg: stack after values pushed (I made the round red mark here in a graphics editor)
There are three columns: the address in the stack, the value at that address, and additional comments from OllyDbg. OllyDbg understands printf()-like strings, so it shows the string here together with the three values attached to it.
To view the format string, right-click on it and select "Follow in dump". The format string will then appear in the lower-left debugger window, where some part of memory is always shown. These memory values can be edited. It is possible to change the format string, and then the result of our example will be different. It is probably not very useful now, but it is a very good exercise for getting a feeling of how everything works here.
In the console we’ll see the output:
Figure 5.4: printf() function executed
Let’s see how the registers and stack state have changed:
The EAX register now holds the value 0xD (13). That is correct, since printf() returns the number of characters printed. The EIP value has changed: it now contains the address of the instruction following the CALL to printf. The values of ECX and EDX have changed as well. Apparently, the internals of the printf() function used these registers for their own needs.
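The value 13 can be checked without a debugger. The sketch below uses snprintf(), which reports the same character count that printf() would return for the same format and arguments; example_length() is a hypothetical helper, and the format string is the one used in this chapter.

```c
#include <stdio.h>

/* Hypothetical helper: format the chapter's example string into buf
   and return the character count that snprintf() reports. */
static int example_length(char *buf, size_t size)
{
    return snprintf(buf, size, "a=%d; b=%d; c=%d", 1, 2, 3);
}
```

With a large enough buffer, the formatted text is "a=1; b=2; c=3", which is 13 characters long, matching the 0xD seen in EAX.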
A very important fact is that neither the ESP value nor the stack state has changed!
We clearly see that the format string and the corresponding 3 values are still there. Indeed, that’s the cdecl calling convention: the callee doesn’t return ESP back to its previous value. It’s the caller’s duty to do so.
Press F8 again to execute the ADD ESP, 10 instruction:
Figure 5.6: OllyDbg: after the ADD ESP, 10 instruction execution
ESP has changed, but the values are still in the stack. There is no need to reset these values to zero, as anything above the stack pointer (SP) is considered noise or garbage and holds no significance. Clearing unused stack entries would be time-consuming and unnecessary.
GCC
Now let’s compile the same program in Linux using GCC 4.4.1 and look at the disassembled output in IDA. The main procedure begins by defining local variables at specific offsets, followed by setting up the stack frame. The code initializes the stack pointer and allocates space for local variables, and finally prepares to print formatted output with the string "a=%d; b=%d; c=%d".
        mov     [esp+10h+var_4], 3
        mov     [esp+10h+var_8], 2
        mov     [esp+10h+var_C], 1
        mov     [esp+10h+var_10], eax
        call    _printf
        mov     eax, 0
        leave
        retn
main    endp
The primary distinction between code generated by MSVC and GCC lies in their approach to stack argument management; GCC directly manipulates the stack without utilizing PUSH and POP instructions.
GCC and GDB
Let’s also try this example in GDB 1 in Linux.
The -g option means: produce debug information in the executable file.
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
Reading symbols from /home/dennis/polygon/1 done.
Listing 5.1: let’s set breakpoint on printf()
Run. The source code of the printf() function is not available here, so GDB can’t show it, although it could if the source were present.
Starting program: /home/dennis/polygon/1
Breakpoint 1, printf (format=0x80484f0 "a=%d; b=%d; c=%d") at printf.c:29
29 printf.c: No such file or directory.
Print 10 stack elements. The left column is an address in the stack.
The very first element is the RA (0x0804844a). We can make sure by disassembling the memory at this address:
The two XCHG instructions are apparently some random garbage, which we can ignore for now.
The second element (0x080484f0) is an address of format string:
The other 3 elements (1, 2, 3) are the printf() arguments. The remaining elements may be just “garbage” present in the stack, but may also be values from other functions, their local variables, etc. We can ignore them for now.
Execute “finish”. This means: execute all instructions until the end of the function. Here it means: execute until printf() finishes.
Run till exit from #0 printf (format=0x80484f0 "a=%d; b=%d; c=%d") at printf.c:29
main () at 1.c:6
GDB shows what printf() returned in EAX (13). This is the number of characters printed, just like in the example with OllyDbg.
We also see “return 0;” and the information that this expression is in the file 1.c at line 6. Indeed, the 1.c file is located in the current directory, and GDB finds the string there. How does GDB know which line of C code is currently being executed? The compiler, while generating debugging information, also saves a table that maps source code line numbers to instruction addresses. GDB is a source-level debugger, after all.
(gdb) info registers
eax            0xd         13
ecx            0x0         0
edx            0x0         0
ebx            0xb7fc0000  -1208221696
esp            0xbffff120  0xbffff120
ebp            0xbffff138  0xbffff138
esi            0x0         0
edi            0x0         0
eip            0x804844a   0x804844a
Let’s disassemble the current instructions. The arrow points to the instruction to be executed next.
Dump of assembler code for function main:
GDB shows disassembly in AT&T syntax by default. It’s possible to switch to Intel syntax:
(gdb) set disassembly-flavor intel
Dump of assembler code for function main:
0x08048426 : mov DWORD PTR [esp+0xc],0x3
Execute the next instruction. GDB shows the ending bracket, meaning that this ends the block of the function.
Let’s see the registers after the MOV EAX, 0 instruction execution. EAX is zero here indeed.
(gdb) info registers
eax            0x0         0
ecx            0x0         0
edx            0x0         0
ebx            0xb7fc0000  -1208221696
esp            0xbffff120  0xbffff120
ebp            0xbffff138  0xbffff138
esi            0x0         0
edi            0x0         0
eip            0x804844f   0x804844f
x64: 8 arguments
MSVC
In Win64, the first four arguments are passed in the RCX, RDX, R8 and R9 registers, while all the rest are passed via the stack. Notably, the MOV instruction, rather than PUSH, is used to prepare the stack, so the values are written to it directly.
The code snippet shows a procedure that initializes a series of integer values and prepares a format string for output. It sets up the stack frame, writes values to specific memory locations, and uses the printf function to display a message formatted with these integers. The format string includes placeholders for eight integer variables, and the values are loaded into registers before the call to printf.
        ; return 0
        xor     eax, eax
        add     rsp, 88
        ret     0
main    ENDP
It may seem puzzling that 8 bytes are allocated for int values when 4 bytes would suffice. This is standard practice: 8 bytes are reserved for any data type shorter than 64 bits. It makes address calculations easier and ensures that all arguments are stored at aligned memory addresses. Similarly, in 32-bit environments, 4 bytes are reserved for all data types.
GCC
In *NIX OS-es, it’s the same story for x86-64, except that the first 6 arguments are passed in the RDI, RSI, RDX, RCX, R8, R9 registers. All the rest are passed via the stack.
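The two register orders named in the text can be put side by side in a small lookup sketch. The arrays and arg_location() are hypothetical names, and the model covers integer and pointer arguments only; it says nothing about floating point arguments or about where on the stack the remaining arguments go.

```c
#include <assert.h>
#include <stddef.h>

/* Integer-argument registers, in order, as listed in the text. */
static const char *const win64_regs[] = { "RCX", "RDX", "R8", "R9" };
static const char *const sysv_regs[]  = { "RDI", "RSI", "RDX", "RCX", "R8", "R9" };

/* Hypothetical helper: where does integer argument number index
   (0-based) go? Returns a register name, or "stack" once the
   registers have run out. */
static const char *arg_location(const char *const *regs, size_t nregs,
                                size_t index)
{
    assert(regs != NULL);
    return index < nregs ? regs[index] : "stack";
}
```

For the 8-value printf() call in this section there are 9 arguments in total. Under the *NIX convention the format string (index 0) goes to RDI, the first five values go to RSI, RDX, RCX, R8 and R9, and the last three end up on the stack.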
GCC generates code that writes the string pointer into EDI instead of RDI; we saw this before: 2.2.2.
We also saw before the EAX register being cleared before a printf() call: 2.2.2.
The assembly code sets up the stack frame and prepares the integer values a through h for output. The values are loaded into registers, with a specific integer assigned to each register, before printf is called to display the formatted string.
        ; return 0
        xor     eax, eax
        add     rsp, 40
        ret
GCC + GDB
Let’s try this example in GDB.
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
Reading symbols from /home/dennis/polygon/2 done.
Listing 5.4: let’s set the breakpoint to printf(), and run
Starting program: /home/dennis/polygon/2
Breakpoint 1, printf (format=0x400628 "a=%d; b=%d; c=%d; d=%d; e=%d; f=%d; g=%d; h=%d\n") at printf.c:29
29 printf.c: No such file or directory.
Registers RSI/RDX/RCX/R8/R9 have the expected values. RIP has the address of the very first instruction of the printf() function.
(gdb) info registers
rax            0x0             0
rbx            0x0             0
rcx            0x3             3
rdx            0x2             2
rsi            0x1             1
rdi            0x400628        4195880
rbp            0x7fffffffdf60  0x7fffffffdf60
rsp            0x7fffffffdf38  0x7fffffffdf38
r8             0x4             4
r9             0x5             5
r10            0x7fffffffdce0  140737488346336
r11            0x7ffff7a65f60  140737348263776
r12            0x400440        4195392
r13            0x7fffffffe040  140737488347200
r14            0x0             0
r15            0x0             0
rip            0x7ffff7a65f60  0x7ffff7a65f60 < printf>
Listing 5.5: let’s inspect the format string
(gdb) x/s $rdi
Let’s dump the stack with the x/g command this time: g means giant words, i.e., 64-bit words.
The very first stack element is the RA. Three integer values are also passed through the stack: 6, 7 and 8. Notably, the value 8 appears as 0x00007fff00000008, i.e., the high 32 bits are not cleared. This is acceptable, since the values are of the 32-bit int type, so the high part of the register or stack element may contain random garbage.
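Why the garbage in the high half is harmless can be shown with a cast. slot_as_int() is a hypothetical helper that mimics a callee reading an int from a 64-bit stack slot; the constant is the one from the dump described above.

```c
#include <stdint.h>

/* Hypothetical helper: read a 64-bit stack slot the way a callee
   expecting an int does, i.e. look only at the low 32 bits. */
static int32_t slot_as_int(uint64_t slot)
{
    return (int32_t)(uint32_t)slot;
}
```

slot_as_int(0x00007fff00000008) yields 8: the 0x00007fff in the upper half is simply never looked at.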
If you take a look at where control flow will return after printf() execution, GDB will show the whole main() function:
(gdb) set disassembly-flavor intel
Dump of assembler code for function main:
0x0000000000400535 : mov DWORD PTR [rsp+0x10],0x8
0x000000000040053d : mov DWORD PTR [rsp+0x8],0x7
0x0000000000400545 : mov DWORD PTR [rsp],0x6
0x0000000000400571 : call 0x400410
0x0000000000400576 : mov eax,0x0
Let’s finish executing printf(), execute the instruction zeroing EAX, and note that the EAX register has a value of exactly zero. RIP now points to the LEAVE instruction, i.e., the penultimate one in the main() function.
Run till exit from #0 printf (format=0x400628 "a=%d; b=%d; c=%d; d=%d; e=%d; f=%d; g=%d; h=%d\n") at printf.c:29
a=1; b=2; c=3; d=4; e=5; f=6; g=7; h=8
main () at 2.c:6
(gdb) info registers
rax            0x0             0
rbx            0x0             0
rcx            0x26            38
rdx            0x7ffff7dd59f0  140737351866864
rsi            0x7fffffd9      2147483609
rdi            0x0             0
rbp            0x7fffffffdf60  0x7fffffffdf60
rsp            0x7fffffffdf40  0x7fffffffdf40
r8             0x7ffff7dd26a0  140737351853728
r9             0x7ffff7a60134  140737348239668
r10            0x7fffffffd5b0  140737488344496
r11            0x7ffff7a95900  140737348458752
r12            0x400440        4195392
r13            0x7fffffffe040  140737488347200
r14            0x0             0
r15            0x0             0
rip            0x40057b        0x40057b