I found example of code on assembly, which finds the maximum number in array named data_items but that example was for x86 and I tried to adapt it for x64 because 32 bit absolute addressing is not supported by 64 bit system.
To be short there are three actions:
lea data_items(%rip), %rdi #(1) Obtaining data_items address
add $4, %rdi #(2) Incrementing the pointer to 4 to read a next item
movl (%rdi), %eax #(3) Reading data at %rdi to %eax
The main questions:
Is it correct way to pointing? Can it produce error after code relocation?
If the %rip register constantly grows, why lea data_items(%rip), %rdi loads correct memory address? May be getting an offset by %rip have special meaning rather than "dataItems + %rip"?
Full adapted code here:
.section __DATA,__data
data_items:
.long 3,67,34,222,45,75,54,34,44,33,22,11,66,0
.section __TEXT,__text
.globl _main
_main:
lea data_items(%rip), %rdi #(1)
movl (%rdi), %eax
movl %eax, %ebx
start_loop:
cmpl $0, %eax
je loop_exit
add $4, %rdi #(2)
movl (%rdi), %eax #(3)
cmpl %ebx, %eax
jle start_loop
movl %eax, %ebx
jmp start_loop
loop_exit:
mov $0x2000001, %rax
mov $0, %rdi
syscall
Related
This question already has answers here:
How to load address of function or label into register
(1 answer)
32-bit absolute addresses no longer allowed in x86-64 Linux?
(1 answer)
Closed 4 months ago.
I'm completing the final assignment for a compilers course and right now the deal is to translate some intermediate representation into x86_64 assembly source code and then build an executable through gcc by running
gcc output.s -o output
This executable should work properly. The issue is that I just can't get my code past GCC when it comes to (at least) one particular instruction. This is it:
mov L0, %rbx
Where L0 is a label.
The whole test file is as follows:
.text
.section .rodata
.text
.globl main
main:
// rbss for now
add $0, %rsp
mov %rsp, %rsi
// register spill area
add $0, %rsp
mov %rsp, %rdi
// store rax => rsp
mov %rax, %rcx
mov %rcx, ( %rsp )
// subI rsp, 4 => rsp
mov %rsp, %rcx
sub $4, %rcx
mov %rcx, %rsp
// lea L0 => rbx
mov L0, %rbx
// store rbp => rsp
mov %rbp, %rcx
mov %rcx, ( %rsp )
// subI rsp, 4 => rsp
mov %rsp, %rcx
sub $4, %rcx
mov %rcx, %rsp
// store rbx => rsp
mov %rbx, %rcx
mov %rcx, ( %rsp )
// subI rsp, 4 => rsp
mov %rsp, %rcx
sub $4, %rcx
mov %rcx, %rsp
// jumpI => Lmain
jmp Lmain
// L0 : halt
L0:
hlt
// Lmain : nop
Lmain:
// addI rsp, 0 => rbp
mov %rsp, %rcx
add $0, %rcx
mov %rcx, %rbp
// subI rsp, 0 => rsp
mov %rsp, %rcx
sub $0, %rcx
mov %rcx, %rsp
// addI rbp, 8 => rsp
mov %rbp, %rcx
add $8, %rcx
mov %rcx, %rsp
// loadAI rbp, 4 => rbp
mov %rdi, %rbx
add %rbp, %rbx
add $4, %rbx
mov ( %rbx ), %rcx
mov %rcx, %rbp
// jump => rbp
mov %rbp, %rbx
jmp *%rbx
Is there anything inherently mistaken about using mov this way? I'm not using call/ret semantics since the translation must be carried out directly from ILOC (a toy/education purpose) intermediate code.
When I try to run the aforementioned command I get some variation of:
/usr/bin/ld: /tmp/cccAoFmz.o: relocation R_X86_64_32S against `.text' can not be used when making a PIE object; recompile with -fPIE
collect2: error: ld returned 1 exit status
Could you guys help me to get a grasp of what's actually going on? I'm quite new to x86 programming and that's my first time with this kind of application. The whole assignment is done, my only issue is getting it to a working state (So no, huahuahua, I'm not getting you guys to do my homework :D).
Is there another way to get what I'm trying to achieve? Is my approach incorrect? I'm out of ideas right now.
Thank you so much :)
Best,
I am trying to understand scanf function a have 3 question regarding it.
this is c file:
#include <stdio.h>
#include <stdlib.h>
int main(){
int x;
printf("Enter X:\n");
scanf("%i",&x);
printf("You entered %d...\n",x);
return 0;
}
and here is gas:
.text
.section .rodata
.LC0:
.string "Enter X:"
.LC1:
.string "%i"
.LC2:
.string "You entered %d...\n"
.text
.globl main
.type main, #function
main:
pushq %rbp #
movq %rsp, %rbp #,
subq $16, %rsp #,
# a.c:5: printf("Enter X:\n");
leaq .LC0(%rip), %rdi #,
call puts#PLT #
# a.c:6: scanf("%i",&x);
leaq -4(%rbp), %rax #, tmp90
movq %rax, %rsi # tmp90,
leaq .LC1(%rip), %rdi #,
movl $0, %eax #,
call __isoc99_scanf#PLT #
# a.c:7: printf("You entered %d...\n",x);
movl -4(%rbp), %eax # x, x.0_1
movl %eax, %esi # x.0_1,
leaq .LC2(%rip), %rdi #,
movl $0, %eax #,
call printf#PLT #
# a.c:8: return 0;
movl $0, %eax #, _6
# a.c:9: }
leave
ret
.size main, .-main
.ident "GCC: (Debian 8.3.0-6) 8.3.0"
.section .note.GNU-stack,"",#progbits
1)
The rsi should take address of x int, but it takes the address from -4(%rbp), where there is nothing, in time of execution. Because the initialization of x variable comes from the stdin as scanf waits for input to init the variable. But the what is in -4(%rbp) in the time of instruction leaq -4(%rbp), %rax? It looks like garbage, not address of x, which value should be initialized from stdin.
2)according to this Integer describing number of floating point arguments in xmm registers not passed to rax, the movl $0, %eax is to zero FP registers in al, but that is the same convention for printf. So my question is, to which functions from glibc or other libraries apply this convetion? (So I have to zero %al in printf, scanf, ....?). I assume to every, that has va_list or variable argument?
3) where in the gas source is stack canary in that should protect scanf buffer from overflow? according to this: https://reverseengineering.stackexchange.com/questions/10823/how-does-scanf-interact-with-my-code-in-assembly, this should set canary (in masm):
0x080484c5 <+6>: mov eax,gs:0x14
0x080484cb <+12>: mov DWORD PTR [ebp-0xc],eax
0x080484ce <+15>: xor eax,eax
But I see nothing similar to this in my gas source, which is also output from gcc, which should set it by itself (unless there is some checking in the the scanf function itself which is not visible in my source). So where is it?
I have a C program here that invokes CreateProcess...
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
int main(int argc, char *argv[])
{
STARTUPINFO st;
ZeroMemory(%st, sizeof(STARTUPINFO));
st.cb = sizeof(STARTUPINFO);
PROCESS_INFORMATION pi;
CreateProcessA("C:\\WINDOWS\\system32\\cmd.exe",0,0,0,0,0,0,0,&st,&pi);
return 0;
}
Which runs fine, creating a shell within a shell.
I also have this code, written in GAS assembly via the MinGW compiler suite for Windows...
.extern _CreateProcessA#40
.def _CreateProcessA#40; .scl 2; .type 32; .endef
.extern _ExitProcess#4
.def _ExitProcess#4; .scl 2; .type 32; .endef
.text
.globl _main
.def _main; .scl 2; .type 32; .endef
_main:
push %ebp
movl %esp, %ebp
#PROCESS_INFORMATION...
subl $16, %esp
movl %esp, %eax
#STARTUPINFO...
subl $68, %esp
movl $68, (%esp)
movl %esp, %ebx
#Application name with path : C:\WINDOWS\system32\cmd.exe...
subl $29, %esp
xor %edx, %edx
movb %dx, 27(%esp)
movb $0x65, 26(%esp)
movw $0x7856, 24(%esp)
movl $0x2e646d63, 20(%esp)
movl $0x5c32336d, 16(%esp)
movl $0x65747379, 12(%esp)
movl $0x735c5357, 8(%esp)
movl $0x4f444e49, 4(%esp)
movl $0x575c3a43, (%esp)
movl %esp, %ecx
push %eax
push %ebx
push %edx
push %edx
push %edx
push %edx
push %edx
push %edx
push %edx
push %ecx
call _CreateProcessA#40
movl %ebp, %esp
pop %ebp
push %edx
call _ExitProcess#4
It compiles and links fine with;
as createProc.s -o createProc.o
ld createProc.o -o createProc.exe -lkernel32
When it runs though, and it does run, it executes without starting a second shell within a shell on the command line. What could be wrong?
Note : I'm inputting the string with the movl instructions for a reason, so please no suggestions saying that I should be using .data, .bss, or lables. Also note I have already tried using escaped slashes (\\) within the string in the assembly program to no avail, it actually crashes if escaped slashes are used.
About programming style
You should forget about mucking around with ESP.
The way to do it is to set up a stack frame at the start of your routine and use EBP to address the space thus created.
You have a typo in your path
You pass "c1\win...." as the path. That's not going to work.
You should double check the code against the ascii-table, or review the parameters in a debugger making the API call..
Also I have no idea why you need 29 bytes to store the string. It fits in 28 chars as far as I can tell.
Working code using a stack frame
Here's code that works using a stack frame the way it is supposed to be done.
//Set up stack frame.
00418200 55 push ebp
00418201 8BEC mov ebp,esp
00418203 83C490 add esp,-$70
//Zero StartupInfoA
00418206 57 push edi
00418207 8D45A0 lea eax,[ebp-$60]
0041820A 8BF8 mov edi,eax
0041820C 33C0 xor eax,eax
0041820E B911000000 mov ecx,$00000011
00418213 F3AB rep stosd
//st.cb = SizeOf(st)
00418215 C745A044000000 mov [ebp-$60],$00000044
//Set the string: path = 'c:\windows\system32\cmd.exe'; 28 chars including trailing 0.
0041821C C745E4433A5C77 mov [ebp-$1c],$775c3a43 //c:\w
00418223 C745E8696E646F mov [ebp-$18],$6f646e69 //indo
0041822A C745EC77735C73 mov [ebp-$14],$735c7377 //ws\s
00418231 C745F079737465 mov [ebp-$10],$65747379 //yste
00418238 C745F46D33325C mov [ebp-$0c],$5c32336d //m32\
0041823F C745F8636D642E mov [ebp-$08],$2e646d63 //cmd.
00418246 C745FC65786500 mov [ebp-$04],$00657865 //exe-
//Set up parameters for call
0041824D 8D4590 lea eax,[ebp-$70] //ProcessInfo
00418250 50 push eax
00418251 8D45A0 lea eax,[ebp-$60] //StartupInfoA
00418254 50 push eax
00418255 6A00 push $00
00418257 6A00 push $00
00418259 6A00 push $00
0041825B 6A00 push $00
0041825D 6A00 push $00
0041825F 6A00 push $00
00418261 6A00 push $00
00418263 8D45E4 lea eax,[ebp-$1c] //Path
00418266 50 push eax
//Call
00418267 E80823FFFF call CreateProcessA
//Clean up the stackframe
0041826C 5F pop edi
0041826D 8BE5 mov esp,ebp
0041826F 5D pop ebp
About messing with ESP
If you set ESP to an unaligned address it will seriously degrade performance.
#HarryJohnson figured it out, all that was needed was to zero out the STARTUPINFO structure,
.extern _CreateProcessA#40
.def _CreateProcessA#40; .scl 2; type 32; .endef
.extern _ExitProcess#4
.def _ExitProcess#4; .scl 2; type 32; .endef
.text
.globl _main
.def _main; .scl 2; .type 32; .endef
_main:
push %ebp
movl %ebp, %esp
xor %edx, %edx
#PROCESS_INFORMATION...
subl $16, %esp
movl %esp, %eax
#STARTUPINFO...
subl $68, %esp
movl %edx, 64(%esp)
movl %edx, 60(%esp)
movl %edx, 56(%esp)
movl %edx, 52(%esp)
movl %edx, 48(%esp)
movl %edx, 44(%esp)
movl %edx, 40(%esp)
movl %edx, 36(%esp)
movl %edx, 32(%esp)
movl %edx, 28(%esp)
movl %edx, 24(%esp)
movl %edx, 20(%esp)
movl %edx, 16(%esp)
movl %edx, 12(%esp)
movl %edx, 8(%esp)
movl %edx, 4(%esp)
movl %edx, (%esp)
movb $68, (%esp)
movl %esp, %ebx
#Application name (C:\WINDOWS\system32\cmd.exe)...
subl $28, %esp
movb %dl, 27(%esp)
movb $0x65, 26(%esp)
movw $0x7865, 24(%esp)
movl $0x2e646d63, 20(%esp)
movl $0x5c32336d, 16(%esp)
movl $0x65747379, 12(%esp)
movl $0x735c5357, 8(%esp)
movl $0x4f444e49, 4(%esp)
movl $0x575c3a43, (%esp)
movl %esp, %ecx
push %eax
push %ebx
push %edx
push %edx
push %edx
push %edx
push %edx
push %edx
push %edx
push %ecx
call _CreateProcessA#40
mov %ebp, %esp
pop %ebp
push %edx
call _ExitProcess#4
I have been trying for some time now to get a number from a keyboard and comparing it with a value on the stack. If it is correct it will print "Hello World!" and if incorrect, it should print out "Nope!". However, what happens now is no matter the input "jne" is called, nope is printed, and segfault. Perhaps one of you could lend a hand.
.section __DATA,__data
str:
.asciz "Hello world!\n"
sto:
.asciz "Nope!\n"
.section __TEXT,__text
.globl _main
_main:
push %rbp
mov %rsp,%rbp
sub $0x20, %rsp
movl $0x0, -0x4(%rbp)
movl $0x2, -0x8(%rbp)
movl $0x2000003, %eax
mov $0, %edi
subq $0x4, %rsi
movq %rsi, %rcx
syscall
cmp -0x8(%rbp), %edx
je L1
jne L2
xor %rbx, %rbx
xor %rax, %rax
movl $0x2000001, %eax
syscall
L1:
xor %rax, %rax
movl $0x2000004, %eax
movl $1, %edi
movq str#GOTPCREL(%rip), %rsi
movq $14, %rdx
syscall
ret
L2:
xor %eax, %eax
movl $0x2000004, %eax
movl $1, %edi
movq sto#GOTPCREL(%rip), %rsi
movq $6, %rdx
syscall
ret
I would start with this OS/X Syscall tutorial (The 64-bit part in your case). It is written for NASM syntax but the important information is the text and links for the SYSCALL calling convention. The SYSCALL table is found on this Apple webpage. Additional information on the standard calling convention for 64-bit OS/X can be found in the System V 64-bit ABI.
Of importance for SYSCALL convention:
arguments are passed in order via these registers rdi, rsi, rdx, r10, r8 and r9
syscall number in the rax register
the call is done via the syscall instruction
what OS X contributes to the mix is that you have to add 0x20000000 to the syscall number (still have to figure out why)
You have many issues with with your sys_read system call. The SYSCALL table says this:
3 AUE_NULL ALL { user_ssize_t read(int fd, user_addr_t cbuf, user_size_t nbyte); }
So given the calling convention, int fd is in RDI, user_addr_t cbuf (pointer to character buffer to hold return data) is in RSI, and user_size_t nbyte (maximum bytes buffer can contain) is in RDX.
Your program seg faulted on the ret because you didn't have proper function epilogue to match the function prologue at the top:
push %rbp #
mov %rsp,%rbp # Function prologue
You need to do the reverse at the bottom, set the result code in RAX and then do the ret. Something like:
mov %rbp,%rsp # \ Function epilogue
pop %rbp # /
xor %eax, %eax # Return value = 0
ret # Return to C runtime which will exit
# gracefully and return to OS
I did other minor cleanup, but tried to keep the structure of the code similar. You will have to learn more assembly to better understand the code that sets up RSI with the address for sys_read SYSCALL . You should try to find a good tutorial/book on x86-64 assembly language programming in general. Writing a primer on that subject is beyond the scope of this answer.
Code that might be closer to what you were looking for that takes the above into account:
.section __DATA,__data
str:
.asciz "Hello world!\n"
sto:
.asciz "Nope!\n"
.section __TEXT,__text
.globl _main
_main:
push %rbp #
mov %rsp,%rbp # Function prologue
sub $0x20, %rsp # Allocate 32 bytes of space on stack
# for temp local variables
movl $0x2, -4(%rbp) # Number for comparison
# 16-bytes from -20(%rbp) to -5(%rbp)
# for char input buffer
movl $0x2000003, %eax
mov $0, %edi # 0 for STDIN
lea -20(%rbp), %rsi # Address of temporary buffer on stack
mov $16, %edx # Read 16 character maximum
syscall
movb (%rsi), %r10b # RSI = pointer to buffer on stack
# get first byte
subb $48, %r10b # Convert first character to number 0-9
cmpb -4(%rbp), %r10b # Did we find magic number (2)?
jne L2 # If No exit with error message
L1: # If the magic number matched print
# Hello World
xor %rax, %rax
movl $0x2000004, %eax
movl $1, %edi
movq str#GOTPCREL(%rip), %rsi
movq $14, %rdx
syscall
jmp L0 # Jump to exit code
L2: # Print "Nope"
xor %eax, %eax
movl $0x2000004, %eax
movl $1, %edi
movq sto#GOTPCREL(%rip), %rsi
movq $6, %rdx
syscall
L0: # Code to exit main
mov %rbp,%rsp # \ Function epilogue
pop %rbp # /
xor %eax, %eax # Return value = 0
ret # Return to C runtime which will exit
# gracefully and return to OS
I've tried this over and over and looked at disassembly of a small C version that works fine, but trying to allocate this small block of memory keeps returning '9' ? Can somebody see what I'm doing wrong, thanks.
movl $0x0, %edi
movl $0x4000, %esi ## imm = 0x4000
movl $0x3, %edx
movl $0x1002, %ecx ## imm = 0x1002
movq $-0x1, %r8
movl $0x0, %r9d
movl $0x20000c5, %eax ## imm = 0x20000C5
syscall
Regards
Chris
OK, I found the problem and it's that if using syscall you need to pass r10 rather than rcx ! From C the disassembly uses rcx because it doesn't call the syscall directly !
Hope this helps others.
Chris