Recitation 2:Assembly & gdb

Andrew Faulring15213 Section A

16 September 2002

Andrew Faulring

• faulring@cs.cmu.edu• Office hours:

– NSH 2504 (lab) / 2507 (conference room)

– Normally Thursday 5–6

– THIS WEEK: Wednesday 5–6

Today’s Plan

• Preparing for Lab2– due Thursday, 26 Sep @ 11:59PM

• Assembly programming• C to ASM

– Using gdb

• ASM to C– Reverse engineering (like in Lab2)

Machine Model

EIP

Registers

CPU Memory

Object CodeProgram Data

Addresses

Data

Instructions

Stack

ConditionCodes

Special Registers

• %eax Return Value• %eip Instruction Pointer• %ebp Base (Stack Frame)

Pointer• %esp Stack Pointer

Simple Addressing Modes

• $10 10• (R) Mem[R]• $10(R) Mem[R + 10]• $0x10(R) Mem[R + 16]

Indexed Addressing Modes

Generic Form• D(Rb, Ri, S) Mem[Reg[Rb]+S*Reg[Ri]

+D]

Examples• (Rb,Ri) Mem[Reg[Rb]+Reg[Ri]]• D(Rb,Ri) Mem[Reg[Rb]+Reg[Ri]+D]• (Rb,Ri,S)Mem[Reg[Rb]+S*Reg[Ri]]

Example 1: Arithmetic

int func1(int a, int b)

{

int x, y;

x = a + b;

y = 2*x - b;

return x*y;

}

func1 assemblyfunc1: push %ebp # save frame pointer mov %esp,%ebp # frame ptr = stack ptr mov 0xc(%ebp),%eax # %eax = b mov 0x8(%ebp),%ecx # %ecx = a add %eax,%ecx # %ecx = x = a + b lea (%ecx,%ecx,1),%edx # %edx = 2 * x sub %eax,%edx # %edx = y = 2 * x - b mov %ecx,%eax # %eax = x imul %edx,%eax # %eax = x * y mov %ebp,%esp # restore stack pointer pop %ebp # restore frame pointer ret

gdb

• GNU debugger• Your friend for Lab2• Usage

– gdb <executable name>

gdb commands

• run: starts the program, can include command line arguments

• disas: disassembles code into asm• print: used to print values of

variables & memory• x: examine memory contents• step, next: step through code• break: set breakpoints in the code

Example 2: Control

int func2(int a, int b)

{

if(a>b)

return a;

else

return b;

}

ASM for func2func2: push %ebp # save frame pointer mov %esp,%ebp # frame ptr = stack ptr mov 0x8(%ebp),%edx # %edx = a mov 0xc(%ebp),%eax # %eax = b cmp %eax,%edx # a > b jle .L1 # a <= b mov %edx,%eax # return a.L1: # otherwise %eax = b mov %ebp,%esp # restore stack pointer pop %ebp # restore frame pointer ret

Example 3: int func3(int a, int b){ int r = 0xDEADBEEF;

switch(a) { case 0: r = a; break; case 1: r = b; break; case 2: r = a+b; break; case 3: r = a-b; break; case 4: r = a*b; break; }

return r;}

ASM for func3 # $edx = a, $ecx = b, $eax = 0xdeadbeef0x8048453 <func3+3>: mov 0x8(%ebp),%edx0x8048456 <func3+6>: mov 0xc(%ebp),%ecx0x8048459 <func3+9>: mov $0xdeadbeef,%eax

# go to default case, if a > 40x804845e <func3+14>: cmp $0x4,%edx0x8048461 <func3+17>: ja 0x804848b <func3+59>

# execute the jump …0x8048463 <func3+19>: jmp *0x8048578(,%edx,4)0x804846a <func3+26>: lea 0x0(%esi),%esi

ASM for func3 case 0: return a0x8048470 <func3+32>: mov %edx,%eax0x8048472 <func3+34>: jmp 0x804848b <func3+59>

case 1: return b0x8048474 <func3+36>: mov %ecx,%eax0x8048476 <func3+38>: jmp 0x804848b <func3+59>0x8048478 <func3+40>: lea (%ecx,%edx,1),%eax

case 2: return a+b0x8048478 <func3+40>: lea (%ecx,%edx,1),%eax0x804847b <func3+43>: jmp 0x804848b <func3+59>0x804847d <func3+45>: lea 0x0(%esi),%esi

ASM for func3 case 3: a-b0x8048480 <func3+48>: mov %edx,%eax0x8048482 <func3+50>: sub %ecx,%eax0x8048484 <func3+52>: jmp 0x804848b <func3+59>

case 4: a*b0x8048486 <func3+54>: mov %edx,%eax0x8048488 <func3+56>: imul %ecx,%eax

Addresses of the cases

• case 0: 0x8048470• case 1: 0x8048474• case 2: 0x8048478• case 3: 0x8048480• case 4: 0x8048486

The Jump Table

0x8048463 <func3+19>: jmp *0x8048578(,%edx,4)

(gdb) x/5xw 0x8048578

0x8048578 <_IO_stdin_used+4>: 0x08048470 0x08048474 0x08048478 0x08048480

0x8048588 <_IO_stdin_used+20>: 0x08048486

%edx = a

Jump to instruction with address

MEM[0x8048578 + a*4]

Example 4: asm => cDump of assembler code for function func4:0x80483c0 <func4>: push %ebp0x80483c1 <func4+1>: mov %esp,%ebp0x80483c3 <func4+3>: mov 0x8(%ebp),%ecx0x80483c6 <func4+6>: xor %eax,%eax0x80483c8 <func4+8>: xor %edx,%edx0x80483ca <func4+10>: cmp %ecx,%eax0x80483cc <func4+12>: jge 0x80483d7 <func4+23>0x80483ce <func4+14>: mov %esi,%esi0x80483d0 <func4+16>: add %edx,%eax0x80483d2 <func4+18>: inc %edx0x80483d3 <func4+19>: cmp %ecx,%edx0x80483d5 <func4+21>: jl 0x80483d0 <func4+16>0x80483d7 <func4+23>: mov %ebp,%esp0x80483d9 <func4+25>: pop %ebp0x80483da <func4+26>: ret 0x80483db <func4+27>: nop End of assembler dump.

Examining func4

<func4>:

pushl %ebp # save frame pointer

movl %esp,%ebp # frame ptr = stack ptr

movl 0x8(%ebp),%ecx # put arg1 into %ecx

xorl %eax,%eax # zero %eax

xorl %edx,%edx # zero %edx

Examining func4 cmpl %ecx,%eax # compare arg1 (%ecx) and %eax jge .L4 # jump to .L4 if arg1 <= %eax (0).L6: addl %edx,%eax # %eax = %eax + %edx incl %edx # %edx = %edx + 1 cmpl %ecx,%edx # compare arg1 (%ecx) and %edx jl .L6 # jump to .L06 if %edx < arg1.L4: movl %ebp,%esp # restore stack pointer popl %ebp # restore frame pointer ret

Name the variables

%ecx: x (first argument)%eax: result%edx: i

func4

int func4(int x) // %ecx = x{ int result = 0; // %eax = result int i; // %edx = i for (i = 0; i < x; i++) result += i;

return result;}