Post on 17-Jan-2016
Practical Session 4
Computer Architecture and Assembly Language
Labels Definition - advanced
label: (pseudo) instruction operands ; comment
• valid characters in labels are: letters, numbers, _, $, #, @, ~, ., and ?
• the first character can be: a letter, _, ?, or . ( . has a special meaning)
Local Labels Definition
A label beginning with a single period (.) is treated as a local label, which means that it is associated with the previous non-local label.
Example:
label1: mov eax, 3
.loop:  dec eax
        jne .loop
        ret
label2: mov eax, 5
.loop:  dec eax
        jne .loop
        ret
Each JNE instruction jumps to the closest .loop, because the two definitions of .loop are kept separate: the first one is really label1.loop and the second one is really label2.loop.
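The following is an added example, not part of the session's slides: a small two-pass resolver that applies the local-label rule above to NASM-style source text. It expands every '.name' definition and reference to 'parent.name' (parent being the most recent non-local label), uses the line index in place of an address, and reports the two errors the rule implies: a local label with no preceding non-local label, and two '.loop' definitions under the same parent. The character classes come from the label syntax listed above; the function names are my own.

```python
import re

# Label syntax from the session: first char a letter, _, ? or '.', then letters,
# digits, _, $, #, @, ~, . and ?  (a leading '.' marks a local label).
LABEL_DEF = re.compile(r"^\s*([A-Za-z_?.][A-Za-z0-9_$#@~.?]*):")
# A '.name' operand: preceded by start of text, whitespace or a comma.
LOCAL_REF = re.compile(r"(?<![^\s,])\.[A-Za-z_?][A-Za-z0-9_$#@~.?]*")


def resolve_local_labels(source):
    """Two passes over NASM-style source text.

    Pass 1 builds the symbol table, expanding each '.name' definition to
    'parent.name' (line index stands in for the address).  Pass 2 rewrites
    every '.name' operand the same way, so the caller can see which of the
    separately kept definitions each reference binds to.
    Returns (symbols, expanded_lines); raises ValueError on misuse.
    """
    lines = source.splitlines()
    symbols = {}
    parent = None
    for index, line in enumerate(lines):
        code = line.split(";", 1)[0]            # drop the comment
        match = LABEL_DEF.match(code)
        if not match:
            continue
        name = match.group(1)
        if name.startswith("."):
            if parent is None:
                raise ValueError(f"line {index}: local label {name} has no preceding non-local label")
            full = parent + name
        else:
            full = parent = name
        if full in symbols:
            raise ValueError(f"line {index}: duplicate definition of {full}")
        symbols[full] = index

    expanded = []
    parent = None
    for index, line in enumerate(lines):
        code = line.split(";", 1)[0]
        match = LABEL_DEF.match(code)
        prefix, rest = "", code
        if match:
            name = match.group(1)
            if not name.startswith("."):
                parent = name
            prefix = (parent + name if name.startswith(".") else name) + ":"
            rest = code[match.end():]

        def expand(ref):
            if parent is None:
                raise ValueError(f"line {index}: {ref.group(0)} used before any non-local label")
            full = parent + ref.group(0)
            if full not in symbols:
                raise ValueError(f"line {index}: undefined local label {full}")
            return full

        expanded.append((prefix + LOCAL_REF.sub(expand, rest)).strip())
    return symbols, expanded


def label_error(source):
    """Return the resolver's error message, or None if the source resolves cleanly."""
    try:
        resolve_local_labels(source)
    except ValueError as exc:
        return str(exc)
    return None


# The session's example, reproduced here as the sample input.
SAMPLE = """label1: mov eax, 3
.loop:  dec eax
        jne .loop
        ret
label2: mov eax, 5
.loop:  dec eax
        jne .loop
        ret"""

if __name__ == "__main__":
    table, text = resolve_local_labels(SAMPLE)
    print(table)
    print("\n".join(text))
```

Running it on the sample shows both definitions surviving as label1.loop and label2.loop, with each jne rewritten to the one under its own parent.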
section .data
numeric: DD 0x12345678
string:  DB 'abc'
answer:  DD 0

section .text
global _start                    ; entry point (main)
_start:
    pushad                       ; backup registers
    push dword 2                 ; push argument #2
    push dword 1                 ; push argument #1
    CALL myFunc                  ; call the function myFunc
returnAddress:
    mov [answer], eax            ; retrieve return value from EAX
    add esp, 8                   ; "delete" function arguments
    popad
    mov ebx, 0                   ; exit program
    mov eax, 1
    int 0x80

myFunc:
    push ebp                     ; save previous value of ebp
    mov ebp, esp                 ; set ebp to point to myFunc frame
    mov eax, dword [ebp+8]       ; get function argument #1
    mov ebx, dword [ebp+12]      ; get function argument #2
myFunc_code:
    add eax, ebx                 ; eax = 3
returnFrom_myFunc:
    mov esp, ebp                 ; "delete" local variables of myFunc
    pop ebp                      ; restore previous value of ebp
    RET                          ; return to the caller
Assembly program with no .c file usage – sample.s

GNU Linker
ld links together compiled assembly without using a .c main file:
> nasm -f elf sample.s -o sample.o
> ld -m elf_i386 sample.o -o sample
> ./sample
or with the gdb debugger:
> gdb sample
Command-line arguments: ld (_start) vs. gcc (main)

With ld (_start), the stack at the entry point holds the arguments themselves (higher addresses at the top):
        ...
        argv[2]
        argv[1]
        argv[0]
ESP ->  argc

With gcc (main), the stack holds argc and a pointer to the argv array:
        &{argv[0], argv[1], argv[2], ...}
ESP ->  argc

This is just like C's main(int argc, char** argv).
Producing an assembly file for a .c file
The -S (capital letter) option of the gcc compiler generates assembly code for a .c program:
> gcc -m32 -S main.c
Compile the following C code with the -S option to observe how parameters are passed in C, and compare it to the material given in class.
#include <stdio.h>
extern int atoi(char*);
void main(int argc, char ** argv) {
    int m, n;
    if (argc < 3) {
        printf("use : %s num1 num2\n", argv[0]);
        return;
    }
    m = atoi(argv[1]);
    n = atoi(argv[2]);
    return;
}

Generated assembly file (CToAss.s):
        .file   "CToAss.c"
        .section        .rodata
.LC0:
        .string "use : %s num1 num2\n"
        .text
.globl main
        .type   main, @function
main:
.LFB0:
        .cfi_startproc
        pushl   %ebp
        .cfi_def_cfa_offset 8
        .cfi_offset 5, -8
        movl    %esp, %ebp
        .cfi_def_cfa_register 5
        andl    $-16, %esp
        subl    $32, %esp
        cmpl    $2, 8(%ebp)
        jg      .L2
        movl    12(%ebp), %eax
        movl    (%eax), %edx
        movl    $.LC0, %eax
        movl    %edx, 4(%esp)
        movl    %eax, (%esp)
        call    printf
        jmp     .L1
.L2:
        movl    12(%ebp), %eax
        addl    $4, %eax
        movl    (%eax), %eax
        movl    %eax, (%esp)
        call    atoi
        movl    %eax, 24(%esp)
        movl    12(%ebp), %eax
        addl    $8, %eax
        movl    (%eax), %eax
        movl    %eax, (%esp)
        call    atoi
        movl    %eax, 28(%esp)
        nop
.L1:
        leave
        .cfi_restore 5
        .cfi_def_cfa 4, 4
        ret
        .cfi_endproc
.LFE0:
        .size   main, .-main
        .ident  "GCC: (Ubuntu/Linaro 4.6.3-1ubuntu5) 4.6.3"
        .section        .note.GNU-stack,"",@progbits
Self-study
Producing a listing file:
> nasm -f elf sample.s -l sample.lst
• The first column (from the left) is the line number in the listing file
• The second column is the relative address of where the code will be placed in memory; each section starts at relative address 0
• The third column is the compiled (executable) code
• The fourth column is the original code
• Labels do not create code; they are a way to tell the assembler that those locations have symbolic names.
• 'CALL myFunc' is compiled to opcode E8 followed by a 4-byte target address, relative to the next instruction after the call. The address of the myFunc label is 0x1F, the address of the next instruction after the call (i.e. 'mov [answer], eax') is 0xA, and 0x1F - 0xA = 0x15, which is exactly the binary code written in the listing: 'E815000000'. 0x15 is how many bytes EIP should jump forward.
The source as it appears in the listing (sample.s):
section .data
numeric: DD 0x12345678
string:  DB 'abc'
answer:  DD 0

section .text
global _start
_start:
    pushad
    push dword 2
    push dword 1
    CALL myFunc
returnAddress:
    mov [answer], eax
    add esp, 8
    popad
    mov ebx, 0
    mov eax, 1
    int 0x80

myFunc:
    push ebp
    mov ebp, esp
    mov eax, dword [ebp+8]
    mov ebx, dword [ebp+12]
myFunc_code:
    add eax, ebx
returnFrom_myFunc:
    mov esp, ebp
    pop ebp
    ret
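The following is an added example, not from the session or from NASM itself: a parser for the listing format just described. The embedded listing is constructed by me in the layout that nasm -l prints (line number, section-relative address, emitted bytes, source) for the sample.s above; the byte values are the standard encodings of those instructions, and the bracketed field on the 'mov [answer], eax' line is my assumption about how NASM marks an address the linker still has to relocate. The parser checks that every address follows on from the previous line's bytes (restarting at 0 in each section), assigns each label the current offset because labels emit no bytes, decodes the E8 rel32 of each CALL relative to the next instruction, and maps the target back to a label. The same listing also shows the little-endian layout of 'numeric' (78563412) and 'string' (616263) that the GDB part below examines.

```python
import re
import struct

# Constructed sample, laid out like 'nasm -f elf sample.s -l sample.lst' output.
SAMPLE_LISTING = """\
     1                                  section .data
     2 00000000 78563412                numeric: DD 0x12345678
     3 00000004 616263                  string: DB 'abc'
     4 00000007 00000000                answer: DD 0
     5                                  section .text
     6                                  global _start
     7                                  _start:
     8 00000000 60                      pushad
     9 00000001 6A02                    push dword 2
    10 00000003 6A01                    push dword 1
    11 00000005 E815000000              CALL myFunc
    12                                  returnAddress:
    13 0000000A A3[07000000]            mov [answer], eax
    14 0000000F 83C408                  add esp, 8
    15 00000012 61                      popad
    16 00000013 BB00000000              mov ebx,0
    17 00000018 B801000000              mov eax,1
    18 0000001D CD80                    int 0x80
    19                                  myFunc:
    20 0000001F 55                      push ebp
    21 00000020 89E5                    mov ebp, esp
    22 00000022 8B4508                  mov eax, dword [ebp+8]
    23 00000025 8B5D0C                  mov ebx, dword [ebp+12]
    24                                  myFunc_code:
    25 00000028 01D8                    add eax, ebx
    26                                  returnFrom_myFunc:
    27 0000002A 89EC                    mov esp, ebp
    28 0000002C 5D                      pop ebp
    29 0000002D C3                      ret
"""

# Line with emitted bytes: number, 8-digit hex address, bytes (possibly with
# relocation brackets), source.  Line without bytes: number, source.
CODE_LINE = re.compile(r"^\s*\d+\s+([0-9A-F]{8})\s+([0-9A-F\[\]()]+)\s+(.*)$")
TEXT_LINE = re.compile(r"^\s*\d+\s+(.*)$")
LABEL = re.compile(r"^([A-Za-z_?.][A-Za-z0-9_$#@~.?]*):\s*(.*)$")


def parse_listing(text):
    """Return (labels, calls, problems).

    labels:   {section: {name: address}}; a label takes the current offset.
    calls:    [(call_address, next_instruction, target)] decoded from E8 rel32,
              little-endian and relative to the next instruction.
    problems: (section, address_seen, address_expected) for lines whose address
              does not follow on from the previous line's byte count.
    """
    labels, calls, problems = {}, [], []
    section, offset = None, 0
    for raw in text.splitlines():
        m = CODE_LINE.match(raw)
        if m:
            addr = int(m.group(1), 16)
            code = bytes.fromhex(re.sub(r"[\[\]()]", "", m.group(2)))
            src = m.group(3).strip()
            if addr != offset:
                problems.append((section, addr, offset))
            offset = addr
        else:
            m = TEXT_LINE.match(raw)
            if not m:
                continue
            code, src = b"", m.group(1).strip()
            if src.lower().startswith("section "):
                section, offset = src.split()[1], 0      # each section starts at 0
                labels.setdefault(section, {})
                continue
        lab = LABEL.match(src)
        if lab:                                          # label emits no bytes
            labels.setdefault(section, {})[lab.group(1)] = offset
            src = lab.group(2)
        if src.lower().startswith("call") and code[:1] == b"\xe8" and len(code) == 5:
            rel = struct.unpack("<i", code[1:])[0]       # signed, little-endian
            calls.append((offset, offset + 5, offset + 5 + rel))
        offset += len(code)
    return labels, calls, problems


def resolve_call_targets(labels, calls, section=".text"):
    """Map each decoded call target back to the label defined at that address."""
    by_addr = {addr: name for name, addr in labels[section].items()}
    return [(call, by_addr.get(target, f"<no label at 0x{target:X}>"))
            for call, _, target in calls]


if __name__ == "__main__":
    labels, calls, problems = parse_listing(SAMPLE_LISTING)
    print(labels, calls, problems, resolve_call_targets(labels, calls), sep="\n")
```

The decoded call comes out as (0x5, 0xA, 0x1F): the instruction at 0x5 is followed by 0xA, and 0xA + 0x15 lands on myFunc at 0x1F, which is the arithmetic in the bullet above.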
Debugging with GDB guide - examining memory / examining data
• print the 'numeric' global variable: numeric in memory – little endian
• print the 'string' global variable: string in memory – little endian
• pushad: 0xffffd640 – 0xffffd620 = 0x20 = 32 bytes = 8 registers * 4 bytes
• push the function's arguments onto the stack
• CALL myFunc pushes the return address
Review questions for the exam

Question 1: given the following definitions
x: dw 1
y: db 2
z: db 3
multiply x, y and z by 2 using a single instruction. You may assume there is no overflow.
Answer: we multiply the whole word by 2:
shl dword [x], 1
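As an added illustration of this answer (not part of the original questions), the following emulates the memory layout x (dw), y (db), z (db) the way NASM lays it out, little-endian and contiguous, applies a 32-bit shift to the four bytes at x, and reports whether a carry crossed a field boundary, which is exactly the overflow the question tells us to assume away. The helper names are my own.

```python
import struct


def pack_fields(x, y, z):
    """Lay out x (dw, 2 bytes), y (db) and z (db) contiguously, little-endian, as NASM does."""
    return struct.pack("<HBB", x, y, z)


def shl_dword(mem, count=1):
    """Emulate 'shl dword [x], count': the 4 bytes at x read as one little-endian 32-bit value."""
    value = struct.unpack("<I", mem)[0]
    return struct.pack("<I", (value << count) & 0xFFFFFFFF)


def double_all(x, y, z):
    """Apply the answer's single instruction and return the new (x, y, z) together with
    a flag saying whether a carry crossed into a neighbouring field (the excluded overflow)."""
    after = shl_dword(pack_fields(x, y, z))
    nx, ny, nz = struct.unpack("<HBB", after)
    overflow = (nx, ny, nz) != (2 * x, 2 * y, 2 * z)
    return (nx, ny, nz), overflow


if __name__ == "__main__":
    print(pack_fields(1, 2, 3).hex())      # memory image of the definitions
    print(double_all(1, 2, 3))             # the question's values
    print(double_all(1, 0x80, 3))          # y's top bit carries into z
```

With the values from the question the bytes 01 00 02 03 become 02 00 04 06; the second call shows why the no-overflow assumption is needed, since the top bit of y is shifted into z.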
We need to implement a call to a function with no arguments whose address is in register eax. Mark the code that does NOT do this correctly:
a) push next_a
   push eax
   ret
next_a:
b) push eax
   push eax
   ret
c) push next_a
   jmp eax
next_a:
d) call eax
Question 2
Write 5 different instructions, each of which, when register eax holds the value -1, causes register eax to hold the value 1.
Answer:
mov eax, 1
add eax, 2
neg eax
shr eax, 31
and eax, 1
Question 3
We need to implement the following code fragment:
int a, b, x;
x = blah(a,&b)
Which code fragment does this correctly?
a) push a
   push b
   call blah
   add esp, 8
   mov [x], eax
b) push dword [b]
   push dword a
   call blah
   add esp, 8
   mov [x], eax
c) push dword b
   push dword [a]
   call blah
   add esp, 8
   mov [x], eax
d) push dword [b]
   push dword a
   call blah
   add esp, 8
   pop dword [x]
Question 5