How to load a location into the trap vector table LC3 - lc3

An assignment asks to load the location of a trap we were asked to write into location x0026 of the trap vector table. I understand loading into a register, but I'm not sure as far as loading something into the trap vector table. Any help is appreciated!

All you need to do is load your trap call as a separate .obj file into the simulator before you load your program.
This creates a new trap call for x26
.orig x26        ; place the following word at trap vector table entry x0026
.fill x5000      ; the entry holds the ADDRESS of the trap routine, not an instruction
.end
This means when you use TRAP x26 in your program it will run whatever code you have saved at x5000

Related

DOS COMMAND.COM load / exec program (int 21h / ah=4B) keeps data until program returns?

I was reading a very cool post "How does DOS load a program into memory?"
to bring some light on doubts about the process of loading and executing a program in DOS. It is clear as the water but I still have a doubt:
Once COMMAND.COM has issued (called) the INT 21h interrupt, what happens to the "parameters" such as the program's file name? Are they kept until the called program exits (returns), or are they immediately discarded after INT 21h is called?
I mean, for example, the program's file name pointed to by DS:DX, i.e. 'C:\HOMEWORK\TEXT01.COM': is it preserved in memory until the executed program exits, or is it freed immediately and that memory reused (overwritten)?
Note: I know that registers and pointers will change, but what happens to the string once the executed program is running?
Thx!

How to call library functions in shellcode

I want to generate shellcode using the following NASM code:
global _start
extern exit            ; resolved by the linker/loader; shellcode has no fixed address for it
section .text
_start:
xor rcx, rcx           ; rcx = 0
or rcx, 10             ; rcx = 10 (first argument in the Win64 calling convention: the exit code)
call exit              ; needs the absolute address of exit, which cannot be hard-coded here
The problem here is that I cannot use this because the address of the exit function cannot be hard-coded. So, how do I go about using library functions without having to re-implement them using system calls?
One way that I can think of is to retrieve the address of the exit function in a pre-processing program using GetProcAddress and substitute it into the shellcode at the appropriate place.
However, this method does not generate shellcode that can be run as it is. I'm sure there must be a better way to do it.
I am not an expert on writing shellcode, but you could try to find the import address table (IAT) of your target program and use the stored function pointers to call Windows functions.
Note that you would be limited to the functions the target program uses.
Also, you would have to let your shellcode calculate the IAT's position relative to the process's base address due to relocations. Of course you could rely on Windows not relocating, but this might result in errors in a few cases.
Another issue is that you would have to find the target process's base address from outside.
A totally different approach would be using syscalls, but they are really hard to use, not to mention the danger of using them.
Information on PE file structure:
https://msdn.microsoft.com/en-us/library/ms809762.aspx

What are possible reasons for PC stops at the address of RET and does not move in LC3?

I used JSR and RET to jump to a subroutine and jump back to the main function. However, every time the PC is at the address of RET, it stops there and never moves. Is there any possible reason for this problem? I did not use any subroutine inside my first subroutine, but I do use branches. So, I think my R7 does not change in the subroutine.
Are you using any TRAPs? TRAP modifies R7 also.

LC-3 operation TRAP IN

What function does IN do? The textbook says it "Print prompt on console, read (and echo) one character from keybd. Character stored in R0[7:0]". Does it mean that IN can print out the input character on the console? Also, I wonder, if I use GETC and OUT together, can it have the same effect as IN?
I suggest testing it in a simulator. You can just write a program like the below, run it in the simulator (make sure to load the OS also!) and you can answer your own question...
.orig x3000
TEST_IN      IN           ; prints a prompt, reads one character into R0 and echoes it
TEST_GETCOUT GETC         ; reads one character into R0 without echoing it...
             OUT          ; ...then writes R0[7:0] to the console
             BR TEST_IN   ; loop back and try IN again
.end

Using a custom LC-3 trap routine

I wrote a subroutine to be used as a Trap call via Trap x26. My code for my subroutine is at address x3300. I cannot figure out how to jump from x26 to my actual instructions for the subroutine at x3300, since the gap is greater than JSR's PC offset parameter allows. I know I could add some code in near x26 to make it possible to jump all the way to x3300, but I don't think that's how I am supposed to do it. I think I'm missing something with understanding traps in general.
Here's my understanding/confusion of traps: So from x0000 - x00FF is the trap vector table. For example, if you call TRAP x20, then the PC goes to x20 and continues execution with the instruction at x20. (Please let me know if this is incorrect!) At this point I am confused because at the address x20 in the LC-3 is a BRZ x0021 command, which takes the PC to x21. At x21, there is a BRZ x52 command. When this branch gets executed to go to x52 plus the PC, the command there is TRAP x00. Most of the TRAP x20's commands seem to go to these (what look like) nonsense trap commands. After the TRAP x00 is executed, the program goes to xFD79. This is really confusing me since at x00 in memory, there is just another TRAP x00. To me, it seems like the program should go to x00 instead of xFD79.
Can someone help explain this to me please? What exactly is going on when a trap is called? I thought it just went to another address in memory where the actual code for the instruction was and executed that, but what I have seen doesn't reflect that. Any help is greatly appreciated as this is preventing me from completing a school project right now.
Thanks!
"So from x0000 - x00FF is the trap vector table. For example, if you call TRAP x20, then the PC goes to x20 and continues execution with the instruction at x20. (Please let me know if this is incorrect!)"
This is correct, however the next sentence...
"At this point I am confused because at the address x20 in the LC-3 is a BRZ x0021 command, which takes the PC to x21"
The command you see which looks like a BRz is not, in fact, an instruction. It is an address! x0400 would be a fairly useless command: its PC offset is zero, so it just goes to the next line. If you interpret it as an address instead, and go to that address as part of the trap call, you will find the rest of the trap instructions.
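Added example, not code from any of the posts above: a small Python model of how the LC-3 dispatches TRAP, JSR and RET. It ties together three of the answers on this page: the vector-table entry from the first answer (`.orig x26` / `.fill x5000`), the "TRAP modifies R7 also" point from the JSR/RET answer, and the "the entry is an address, not an instruction" point from the last answer. Assumptions: only TRAP, JSR, RET, ST and LD are modelled; TRAP x25 (HALT) stops the model directly instead of running an OS routine; images are loaded in the lc3 .obj layout (first word is the .ORIG address); the handler address x5000 and the subroutine address x3100 are constructed sample values.

```python
# Added example (not from any post above): minimal model of LC-3 TRAP / JSR / RET
# dispatch.  Only TRAP, JSR, RET, ST and LD are modelled, and TRAP x25 (HALT) stops
# the model directly (assumption: the real simulator's OS provides that routine).

def sext(value, bits):
    """Sign-extend a `bits`-wide two's-complement field."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value

# Encoders for the handful of instructions used below (LC-3 ISA encodings).
def TRAP(vec):          return 0xF000 | (vec & 0xFF)
def JSR(pcoffset11):    return 0x4800 | (pcoffset11 & 0x7FF)
def ST(sr, pcoffset9):  return 0x3000 | (sr << 9) | (pcoffset9 & 0x1FF)
def LD(dr, pcoffset9):  return 0x2000 | (dr << 9) | (pcoffset9 & 0x1FF)
RET  = 0xC1C0           # JMP R7
HALT = TRAP(0x25)

class LC3:
    def __init__(self):
        self.mem = [0] * 0x10000
        self.reg = [0] * 8
        self.pc = 0x3000
        self.halted = False
        self.trace = []

    def load_obj(self, words):
        """Load a .obj image: first word is the .ORIG address, the rest are the
        assembled words in order (this is the lc3 .obj layout)."""
        origin, body = words[0], words[1:]
        for i, w in enumerate(body):
            self.mem[(origin + i) & 0xFFFF] = w & 0xFFFF

    def step(self):
        instr = self.mem[self.pc]
        if instr == HALT:                      # model stops here instead of running an OS routine
            self.halted = True
            return
        self.pc = (self.pc + 1) & 0xFFFF       # PC is incremented during fetch
        op = instr >> 12
        if op == 0xF:                          # TRAP: R7 <- PC ; PC <- mem[zext(trapvect8)]
            vec = instr & 0xFF
            self.reg[7] = self.pc
            self.pc = self.mem[vec]            # the table entry is an ADDRESS, not an instruction
            self.trace.append(f"TRAP x{vec:02X} -> x{self.pc:04X}")
        elif op == 0x4:                        # JSR: R7 <- PC ; PC <- PC + PCoffset11
            self.reg[7] = self.pc
            self.pc = (self.pc + sext(instr & 0x7FF, 11)) & 0xFFFF
        elif op == 0xC:                        # JMP BaseR (RET is JMP R7): PC <- BaseR
            self.pc = self.reg[(instr >> 6) & 7]
        elif op == 0x3:                        # ST SR, PCoffset9
            self.mem[(self.pc + sext(instr & 0x1FF, 9)) & 0xFFFF] = self.reg[(instr >> 9) & 7]
        elif op == 0x2:                        # LD DR, PCoffset9
            self.reg[(instr >> 9) & 7] = self.mem[(self.pc + sext(instr & 0x1FF, 9)) & 0xFFFF]
        else:
            raise ValueError(f"opcode x{op:X} not modelled")

    def run(self, max_steps=50):
        for _ in range(max_steps):
            if self.halted:
                break
            self.step()
        return self.halted

# The two-word image that ".orig x26 / .fill x5000 / .end" assembles to.
TRAP_X26_OBJ = [0x0026, 0x5000]
# A trivial trap routine at x5000 (constructed sample) that just returns to the caller.
HANDLER_OBJ  = [0x5000, RET]

def trap_dispatch_demo():
    """Main program: TRAP x26 then HALT.  Returns (trace, halted, final PC)."""
    m = LC3()
    m.load_obj(TRAP_X26_OBJ)                   # load the vector entry before the program
    m.load_obj(HANDLER_OBJ)
    m.load_obj([0x3000, TRAP(0x26), HALT])
    halted = m.run()
    return m.trace, halted, m.pc

def subroutine_demo(save_r7):
    """Main at x3000 does JSR to x3100 (constructed sample address) then HALT.
    The subroutine calls TRAP x26 and RETs.  With save_r7=False the TRAP overwrites
    R7, so the RET at x3101 jumps back to itself forever: the 'PC stuck on RET'
    symptom.  Saving and restoring R7 around the TRAP fixes it.  Returns (halted, PC)."""
    m = LC3()
    m.load_obj(TRAP_X26_OBJ)
    m.load_obj(HANDLER_OBJ)
    m.load_obj([0x3000, JSR(0x3100 - 0x3001), HALT])
    if save_r7:
        # x3100: ST R7,SAVE ; TRAP x26 ; LD R7,SAVE ; RET ; SAVE .FILL 0
        m.load_obj([0x3100, ST(7, 3), TRAP(0x26), LD(7, 1), RET, 0])
    else:
        # x3100: TRAP x26 ; RET
        m.load_obj([0x3100, TRAP(0x26), RET])
    halted = m.run()
    return halted, m.pc

if __name__ == "__main__":
    print(trap_dispatch_demo())                # (['TRAP x26 -> x5000'], True, 0x3001)
    print(subroutine_demo(save_r7=False))      # (False, 0x3101): stuck on the RET
    print(subroutine_demo(save_r7=True))       # (True, 0x3001): returned and halted
```

Reading `mem[0x26]` as an address in `step()` is exactly the point of the last answer: a word such as x5000 or x0400 sitting in the vector table is never executed, it is looked up. The `save_r7=False` run reproduces the "PC stops at RET" question above, and the `save_r7=True` run shows the ST/LD around the TRAP that avoids it.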
