Recitation 2: Assembly - PowerPoint PPT Presentation

Slides: 25
Provided by: andrewrobe
Learn more at: http://www.cs.cmu.edu

Transcript and Presenter's Notes

1
Recitation 2: Assembly & gdb
  • Andrew Faulring
  • 15-213 Section A
  • 16 September 2002

2
Andrew Faulring
  • faulring@cs.cmu.edu
  • Office hours
    • NSH 2504 (lab) / 2507 (conference room)
    • Normally Thursday 5-6
    • THIS WEEK Wednesday 5-6

3
Today's Plan
  • Preparing for Lab2
    • due Thursday, 26 Sep @ 11:59PM
  • Assembly programming
    • C to ASM
    • Using gdb
    • ASM to C
    • Reverse engineering (like in Lab2)

4
Machine Model
  (diagram) CPU: Registers, EIP, Condition Codes. Memory: Object Code, Program Data, Stack. CPU and Memory exchange Addresses, Data and Instructions.

5
Special Registers
  • %eax: Return Value
  • %eip: Instruction Pointer
  • %ebp: Base (Stack Frame) Pointer
  • %esp: Stack Pointer

6
Simple Addressing Modes
  • 10 10
  • (R) MemR
  • 10(R) MemR 10
  • 0x10(R) MemR 16

7
Indexed Addressing Modes
  • Generic Form
    • D(Rb, Ri, S) → Mem[Reg[Rb] + S*Reg[Ri] + D]
  • Examples
    • (Rb,Ri)      → Mem[Reg[Rb] + Reg[Ri]]
    • D(Rb,Ri)     → Mem[Reg[Rb] + Reg[Ri] + D]
    • (Rb,Ri,S)    → Mem[Reg[Rb] + S*Reg[Ri]]

8
Example 1: Arithmetic

    int func1(int a, int b)
    {
        int x, y;
        x = a + b;
        y = 2*x - b;
        return x*y;
    }

9
func1 assembly

    func1:
        push %ebp                  # save frame pointer
        mov  %esp,%ebp             # frame ptr = stack ptr
        mov  0xc(%ebp),%eax        # eax = b
        mov  0x8(%ebp),%ecx        # ecx = a
        add  %eax,%ecx             # ecx = x = a + b
        lea  (%ecx,%ecx,1),%edx    # edx = 2 * x
        sub  %eax,%edx             # edx = y = 2 * x - b
        mov  %ecx,%eax             # eax = x
        imul %edx,%eax             # eax = x * y
        mov  %ebp,%esp             # restore stack pointer
        pop  %ebp                  # restore frame pointer
        ret

10
gdb
  • GNU debugger
  • Your friend for Lab2
  • Usage
    • gdb <executable name>

11
gdb commands
  • run: starts the program, can include command line arguments
  • disas: disassembles code into asm
  • print: used to print values of variables / memory
  • x: examine memory contents
  • step, next: step through code
  • break: set breakpoints in the code

12
Using gdb with func1
  • break func1
  • run
  • disas
  • where
  • print/x $eax
  • print/x $ecx

13
Example 2: Control

    int func2(int a, int b)
    {
        if (a > b)
            return a;
        else
            return b;
    }

14
ASM for func2

    func2:
        push %ebp                  # save frame pointer
        mov  %esp,%ebp             # frame ptr = stack ptr
        mov  0x8(%ebp),%edx        # edx = a
        mov  0xc(%ebp),%eax        # eax = b
        cmp  %eax,%edx             # a > b ?
        jle  .L1                   # a <= b
        mov  %edx,%eax             # return a
    .L1:                           # otherwise eax = b
        mov  %ebp,%esp             # restore stack pointer
        pop  %ebp                  # restore frame pointer
        ret

15
Example 3

    int func3(int a, int b)
    {
        int r = 0xDEADBEEF;
        switch (a) {
            case 0: r = a;   break;
            case 1: r = b;   break;
            case 2: r = a+b; break;
            case 3: r = a-b; break;
            case 4: r = a*b; break;
        }
        return r;
    }

16
ASM for func3

    # edx = a, ecx = b, eax = 0xdeadbeef
    0x8048453 <func3+3>:    mov    0x8(%ebp),%edx
    0x8048456 <func3+6>:    mov    0xc(%ebp),%ecx
    0x8048459 <func3+9>:    mov    $0xdeadbeef,%eax
    # go to default case if a > 4
    0x804845e <func3+14>:   cmp    $0x4,%edx
    0x8048461 <func3+17>:   ja     0x804848b <func3+59>
    # execute the jump
    0x8048463 <func3+19>:   jmp    *0x8048578(,%edx,4)
    0x804846a <func3+26>:   lea    0x0(%esi),%esi

17
ASM for func3

    # case 0: return a
    0x8048470 <func3+32>:   mov    %edx,%eax
    0x8048472 <func3+34>:   jmp    0x804848b <func3+59>
    # case 1: return b
    0x8048474 <func3+36>:   mov    %ecx,%eax
    0x8048476 <func3+38>:   jmp    0x804848b <func3+59>
    # case 2: return a+b
    0x8048478 <func3+40>:   lea    (%ecx,%edx,1),%eax
    0x804847b <func3+43>:   jmp    0x804848b <func3+59>
    0x804847d <func3+45>:   lea    0x0(%esi),%esi

18
ASM for func3

    # case 3: a-b
    0x8048480 <func3+48>:   mov    %edx,%eax
    0x8048482 <func3+50>:   sub    %ecx,%eax
    0x8048484 <func3+52>:   jmp    0x804848b <func3+59>
    # case 4: a*b
    0x8048486 <func3+54>:   mov    %edx,%eax
    0x8048488 <func3+56>:   imul   %ecx,%eax

19
Addresses of the cases
  • case 0: 0x8048470
  • case 1: 0x8048474
  • case 2: 0x8048478
  • case 3: 0x8048480
  • case 4: 0x8048486

20
The Jump Table

    0x8048463 <func3+19>:   jmp    *0x8048578(,%edx,4)
    (gdb) x/5xw 0x8048578
    0x8048578 <_IO_stdin_used+4>:    0x08048470  0x08048474  0x08048478  0x08048480
    0x8048588 <_IO_stdin_used+20>:   0x08048486

  • %edx = a
  • Jump to the instruction whose address is MEM[0x8048578 + a*4]
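
The bounds check plus the indirect jump through the table, as an added example in C that is not from the slides. It transcribes slide 15's switch (func3_switch), rebuilds the compiled dispatch of slides 16 to 20 (func3_table) and applies the D(Rb,Ri,S) effective-address rule of slide 7 (ea_indexed). All of those names, the case0..case4 stand-ins and jump_table are my own; function pointers replace the raw 32-bit code addresses listed on slide 19, since those cannot be reused here. The point worth noticing is that the `ja` on slide 16 is an unsigned compare, so a negative `a` also lands in the default case instead of indexing memory before the table.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the slides). func3_switch, func3_table,
 * ea_indexed, case0..case4 and jump_table are names chosen here. */

/* Slide 15's func3 as C. The slide writes 0xDEADBEEF without a cast; the
 * cast only silences the implicit-conversion warning. */
int func3_switch(int a, int b)
{
    int r = (int)0xDEADBEEF;
    switch (a) {
    case 0: r = a;     break;
    case 1: r = b;     break;
    case 2: r = a + b; break;
    case 3: r = a - b; break;
    case 4: r = a * b; break;
    }
    return r;
}

/* Effective address of the indexed form D(Rb,Ri,S) from slide 7:
 * Mem[Reg[Rb] + S*Reg[Ri] + D]. Returns the address, not the contents. */
uintptr_t ea_indexed(uintptr_t d, uintptr_t rb, uintptr_t ri, uintptr_t s)
{
    return rb + s * ri + d;
}

/* One function per case body, standing in for the code at
 * 0x8048470, 0x8048474, 0x8048478, 0x8048480, 0x8048486 (slide 19). */
typedef int (*case_fn)(int, int);
static int case0(int a, int b) { (void)b; return a; }
static int case1(int a, int b) { (void)a; return b; }
static int case2(int a, int b) { return a + b; }
static int case3(int a, int b) { return a - b; }
static int case4(int a, int b) { return a * b; }

/* The table at 0x8048578 that "x/5xw" printed on slide 20, rebuilt with
 * function pointers instead of raw code addresses. */
static const case_fn jump_table[5] = { case0, case1, case2, case3, case4 };

/* func3 driven the way the compiled code drives it: bounds check, then an
 * indirect jump through the table. */
int func3_table(int a, int b)
{
    /* cmp $0x4,%edx ; ja <default>: ja compares UNSIGNED, so a negative a
     * becomes a huge unsigned value and takes the default path too. A
     * signed compare would let a negative a index before the table. */
    if ((unsigned)a > 4u)
        return (int)0xDEADBEEF;

    /* jmp *0x8048578(,%edx,4): D = table base, Rb absent (0), Ri = a,
     * S = slot size (4 bytes on the slide's 32-bit target; sizeof(case_fn)
     * on whatever this is compiled for). */
    uintptr_t slot = ea_indexed((uintptr_t)jump_table, 0, (unsigned)a, sizeof(case_fn));
    case_fn target = *(const case_fn *)slot;
    return target(a, b);
}

int main(void)
{
    int a, b = 7;
    for (a = -1; a <= 5; a++)
        printf("a=%2d  switch=%d  table=%d\n", a, func3_switch(a, b), func3_table(a, b));
    return 0;
}
```

Running it prints the switch and table results side by side for a = -1..5; both give the 0xDEADBEEF default for -1 and 5, and ea_indexed(0x8048578, 0, 3, 4) reproduces the slot address 0x8048584 that the slide's jump reads for case 3.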

21
Example 4: asm → c

    Dump of assembler code for function func4:
    0x80483c0 <func4>:      push   %ebp
    0x80483c1 <func4+1>:    mov    %esp,%ebp
    0x80483c3 <func4+3>:    mov    0x8(%ebp),%ecx
    0x80483c6 <func4+6>:    xor    %eax,%eax
    0x80483c8 <func4+8>:    xor    %edx,%edx
    0x80483ca <func4+10>:   cmp    %ecx,%eax
    0x80483cc <func4+12>:   jge    0x80483d7 <func4+23>
    0x80483ce <func4+14>:   mov    %esi,%esi
    0x80483d0 <func4+16>:   add    %edx,%eax
    0x80483d2 <func4+18>:   inc    %edx
    0x80483d3 <func4+19>:   cmp    %ecx,%edx
    0x80483d5 <func4+21>:   jl     0x80483d0 <func4+16>
    0x80483d7 <func4+23>:   mov    %ebp,%esp
    0x80483d9 <func4+25>:   pop    %ebp
    0x80483da <func4+26>:   ret
    0x80483db <func4+27>:   nop
    End of assembler dump.

22
Examining func4

    <func4>:
        pushl %ebp                 # save frame pointer
        movl  %esp,%ebp            # frame ptr = stack ptr
        movl  0x8(%ebp),%ecx       # put arg1 into ecx
        xorl  %eax,%eax            # zero eax
        xorl  %edx,%edx            # zero edx

23
Examining func4

        cmpl  %ecx,%eax            # compare arg1 (ecx) and eax
        jge   .L4                  # jump to .L4 if arg1 <= eax (0)
    .L6:
        addl  %edx,%eax            # eax = eax + edx
        incl  %edx                 # edx = edx + 1
        cmpl  %ecx,%edx            # compare arg1 (ecx) and edx
        jl    .L6                  # jump to .L6 if edx < arg1
    .L4:
        movl  %ebp,%esp            # restore stack pointer
        popl  %ebp                 # restore frame pointer
        ret

24
Name the variables
  • %ecx: x (first argument)
  • %eax: result
  • %edx: i

25
func4

    int func4(int x)        // ecx = x
    {
        int result = 0;     // eax = result
        int i;              // edx = i
        for (i = 0; i < x; i++)
            result += i;
        return result;
    }
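
A way to check a reverse-engineering result like slide 25's, as an added example in C that is not from the slides: replay the instruction sequence with one C variable per register and one statement per instruction, then compare it against the recovered C over a range of inputs. It covers both slide 9's func1 (func1_trace) and slides 22 to 25's func4 (func4_trace); func1 and func4 are the slides' own C, while func1_trace, func4_trace and replays_agree are names chosen here. The stack-frame setup and teardown are left out because they do not affect the returned value. What the func4 replay makes visible is that the compiler turned the for loop into a guard test (jge .L4) followed by a do-while body (.L6 ... jl .L6), so the body never runs when x <= 0.

```c
#include <stdio.h>

/* Added example (not from the slides). func1_trace, func4_trace and
 * replays_agree are names chosen here; func1 and func4 are the slides' C. */

/* Slide 8 */
int func1(int a, int b)
{
    int x, y;
    x = a + b;
    y = 2*x - b;
    return x*y;
}

/* Slide 9's instruction sequence replayed register by register. */
int func1_trace(int a, int b)
{
    int eax = b;              /* mov  0xc(%ebp),%eax */
    int ecx = a;              /* mov  0x8(%ebp),%ecx */
    ecx = ecx + eax;          /* add  %eax,%ecx           ecx = x = a + b */
    int edx = ecx + 1*ecx;    /* lea  (%ecx,%ecx,1),%edx  address arithmetic reused as 2*x */
    edx = edx - eax;          /* sub  %eax,%edx           edx = y = 2*x - b */
    eax = ecx;                /* mov  %ecx,%eax           eax = x */
    eax = eax * edx;          /* imul %edx,%eax           eax = x*y */
    return eax;               /* ret: result is in %eax */
}

/* Slide 25 */
int func4(int x)
{
    int result = 0;
    int i;
    for (i = 0; i < x; i++)
        result += i;
    return result;
}

/* Slides 22-23 replayed the same way: guard (jge .L4), then a do-while
 * body (.L6 ... jl .L6). With x <= 0 the guard skips the body entirely. */
int func4_trace(int x)
{
    int ecx = x;              /* movl 0x8(%ebp),%ecx   arg1 */
    int eax = 0;              /* xorl %eax,%eax        result */
    int edx = 0;              /* xorl %edx,%edx        i */
    if (eax >= ecx)           /* cmpl %ecx,%eax ; jge .L4 */
        goto L4;
L6:
    eax = eax + edx;          /* addl %edx,%eax */
    edx = edx + 1;            /* incl %edx */
    if (edx < ecx)            /* cmpl %ecx,%edx ; jl .L6 */
        goto L6;
L4:
    return eax;               /* ret: result is in %eax */
}

/* 1 if both replays agree with the C versions for every x in [lo, hi]
 * (func1 is checked with b fixed at 7), 0 at the first mismatch. */
int replays_agree(int lo, int hi)
{
    for (int x = lo; x <= hi; x++) {
        if (func4(x) != func4_trace(x)) return 0;
        if (func1(x, 7) != func1_trace(x, 7)) return 0;
    }
    return 1;
}

int main(void)
{
    printf("func1(3,4) = %d, replay = %d\n", func1(3, 4), func1_trace(3, 4));
    printf("func4(5)   = %d, replay = %d\n", func4(5), func4_trace(5));
    printf("func4(-2)  = %d, replay = %d\n", func4(-2), func4_trace(-2));
    printf("replays agree on [-20, 100]: %d\n", replays_agree(-20, 100));
    return 0;
}
```

The replay is deliberately literal: keeping the goto structure rather than tidying it into a loop is what shows where the guard sits, and the range check is the habit that catches off-by-one mistakes in a hand decompilation (for instance reading `jge` as a strict comparison).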