Practical Session 4 Computer Architecture and Assembly Language

Upload: buck-wilkerson

Post on 17-Jan-2016

237 views

Category:

Documents


0 download

TRANSCRIPT

Page 1

Practical Session 4

Computer Architecture and Assembly Language

Page 2

Labels Definition - advanced

label: (pseudo) instruction operands ; comment

• valid characters in labels are: letters, numbers, _, $, #, @, ~, ., and ?

• the first character can be: a letter, _, ?, and . ( . has a special meaning)

Page 3

Local Labels Definition

A label beginning with a single period (.) is treated as a local label, which means that it is associated with the previous non-local label.

Example:

label1: mov eax, 3
.loop:  dec eax
        jne .loop       ; this is indeed label1.loop
        ret

label2: mov eax, 5
.loop:  dec eax
        jne .loop       ; this is indeed label2.loop
        ret

Each JNE instruction jumps to the closest .loop, because the two definitions of .loop are kept separate.

Page 4

section .data
numeric: DD 0x12345678
string:  DB 'abc'
answer:  DD 0

section .text
global _start               ; entry point (main)

_start:
    pushad                  ; backup registers
    push dword 2            ; push argument #2
    push dword 1            ; push argument #1
    CALL myFunc             ; call the function myFunc
returnAddress:
    mov [answer], eax       ; retrieve return value from EAX
    add esp, 8              ; "delete" function arguments
    popad

    mov ebx, 0              ; exit program
    mov eax, 1
    int 0x80

myFunc:
    push ebp                ; save previous value of ebp
    mov ebp, esp            ; set ebp to point to myFunc frame
    mov eax, dword [ebp+8]  ; get function argument #1
    mov ebx, dword [ebp+12] ; get function argument #2
myFunc_code:
    add eax, ebx            ; eax = 3
returnFrom_myFunc:
    mov esp, ebp            ; "delete" local variables of myFunc
    pop ebp                 ; restore previous value of ebp
    RET                     ; return to the caller

Assembly program with no .c file usage - sample.s

GNU Linker: ld links together compiled assembly without using a .c main file

> nasm -f elf sample.s -o sample.o

> ld -m elf_i386 sample.o -o sample

> sample

or with the gdb debugger

> gdb sample

Command-line arguments: ld (_start) vs. gcc (main)

With ld (entry at _start), the arguments are laid out directly on the stack:

    ESP -> argc
           argv[0]
           argv[1]
           argv[2]
           ...

With gcc (entry through main), the stack holds argc and a pointer to the argv array:

    ESP -> argc
           &{argv[0], argv[1], argv[2], ...}

This is just like C's main(int argc, char** argv)

Page 5

Producing an assembly file for a .c file

The -S (capital letter) option of the gcc compiler generates assembly code for a .c program:

> gcc -m32 -S main.c

Compile the following C code with the -S option to observe how parameters are passed in C, and compare it to the material given in class.

#include <stdio.h>
extern int atoi(char*);
void main(int argc, char ** argv) {
    int m, n;
    if (argc < 3 ) {
        printf("use : %s num1 num2\n",argv[0]);
        return;
    }
    m = atoi(argv[1]);
    n = atoi(argv[2]);
    return;
}

The assembly file generated by gcc -S:

	.file	"CToAss.c"
	.section	.rodata
.LC0:
	.string	"use : %s num1 num2\n"
	.text
	.globl	main
	.type	main, @function
main:
.LFB0:
	.cfi_startproc
	pushl	%ebp
	.cfi_def_cfa_offset 8
	.cfi_offset 5, -8
	movl	%esp, %ebp
	.cfi_def_cfa_register 5
	andl	$-16, %esp
	subl	$32, %esp
	cmpl	$2, 8(%ebp)
	jg	.L2
	movl	12(%ebp), %eax
	movl	(%eax), %edx
	movl	$.LC0, %eax
	movl	%edx, 4(%esp)
	movl	%eax, (%esp)
	call	printf
	jmp	.L1
.L2:
	movl	12(%ebp), %eax
	addl	$4, %eax
	movl	(%eax), %eax
	movl	%eax, (%esp)
	call	atoi
	movl	%eax, 24(%esp)
	movl	12(%ebp), %eax
	addl	$8, %eax
	movl	(%eax), %eax
	movl	%eax, (%esp)
	call	atoi
	movl	%eax, 28(%esp)
	nop
.L1:
	leave
	.cfi_restore 5
	.cfi_def_cfa 4, 4
	ret
	.cfi_endproc
.LFE0:
	.size	main, .-main
	.ident	"GCC: (Ubuntu/Linaro 4.6.3-1ubuntu5) 4.6.3"
	.section	.note.GNU-stack,"",@progbits

(Self-study)

Page 6

Producing a listing file:

> nasm -f elf sample.s -l sample.lst

• The first column (from the left) is the line number in the listing file

• The second column is the relative address of where the code will be placed in memory; each section starts at relative address 0

• The third column is the compiled code

• The fourth column is the original code

• Labels do not create code; they are a way to tell the assembler that those locations have symbolic names.

• 'CALL myFunc' is compiled to opcode E8 followed by a 4-byte target address, relative to the next instruction after the call. The address of the myFunc label is 0x1F, and the address of the next instruction after the call (i.e. 'mov [answer], eax') is 0xA. 0x1F - 0xA = 0x15, and we get exactly the binary code written here: 'E815000000'. 0x15 is how many bytes EIP should jump forward.
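The rel32 arithmetic above, as an added example (not code from the session): it encodes a CALL given the call's own address and its target, decodes it back, and shows what happens for a backward call, where the displacement is negative and stored in two's complement. The addresses are the listing's section-relative values.

```python
import struct

OPCODE_CALL_REL32 = 0xE8
INSN_LEN = 5  # opcode byte + 4-byte displacement


def encode_call(call_addr: int, target_addr: int) -> bytes:
    """Encode 'CALL target' located at call_addr.

    The displacement is measured from the address of the NEXT instruction
    (call_addr + 5), exactly as the listing on this page shows (0x1F - 0xA).
    """
    next_ip = call_addr + INSN_LEN
    disp = target_addr - next_ip
    # rel32 is a signed 32-bit value stored little-endian
    if not -2**31 <= disp < 2**31:
        raise ValueError("target out of rel32 range")
    return bytes([OPCODE_CALL_REL32]) + struct.pack("<i", disp)


def decode_call(call_addr: int, code: bytes) -> int:
    """Inverse operation: recover the absolute target from the 5 encoded bytes."""
    if len(code) != INSN_LEN or code[0] != OPCODE_CALL_REL32:
        raise ValueError("not a CALL rel32")
    (disp,) = struct.unpack("<i", code[1:])
    return call_addr + INSN_LEN + disp


if __name__ == "__main__":
    # values from the listing: CALL at 0x5, next instruction at 0xA, myFunc at 0x1F
    print(encode_call(0x5, 0x1F).hex().upper())    # E815000000
    # a call that jumps backwards (constructed case) gets a negative displacement
    print(encode_call(0x1F, 0x0).hex().upper())    # E8DCFFFFFF
```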

Page 7

section .data
numeric: DD 0x12345678
string:  DB 'abc'
answer:  DD 0

section .text
global _start

_start:
    pushad
    push dword 2
    push dword 1
    CALL myFunc
returnAddress:
    mov [answer], eax
    add esp, 8
    popad

    mov ebx, 0
    mov eax, 1
    int 0x80

myFunc:
    push ebp
    mov ebp, esp
    mov eax, dword [ebp+8]
    mov ebx, dword [ebp+12]
myFunc_code:
    add eax, ebx
returnFrom_myFunc:
    mov esp, ebp
    pop ebp
    ret

Annotations on the GDB session shown alongside the code:

- print 'numeric' global variable: numeric into memory - little endian

- print 'string' global variable: string into memory - little endian

- pushad: 0xffffd640 - 0xffffd620 = 0x20 = 32 bytes = 8 registers * 4 bytes

- push function's arguments onto the stack

- CALL myFunc: return address

Debugging with GDB guide - examining memory, examining data
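The stack walk that the GDB annotations describe, replayed in a constructed Python model (added here, not the session's code). It starts from the annotated ESP value 0xffffd640, performs pushad, the two argument pushes, the CALL (return address 0xA taken from the listing) and myFunc's prologue, then reads the arguments through [ebp+8] and [ebp+12] the way myFunc does.

```python
class Stack32:
    """Constructed model of a downward-growing 32-bit stack: dword slots keyed by address."""

    def __init__(self, esp):
        self.esp, self.mem = esp, {}

    def push(self, value):
        self.esp -= 4
        self.mem[self.esp] = value & 0xFFFFFFFF

    def pop(self):
        value = self.mem[self.esp]
        self.esp += 4
        return value

    def load(self, addr):
        return self.mem[addr]


PUSHAD_ORDER = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")


def run_sample(initial_esp=0xFFFFD640, return_address=0xA):
    """Replay _start and myFunc from sample.s; returns
    (esp after pushad, arg #1, arg #2, eax result, return address, final esp)."""
    regs = {name: 0 for name in PUSHAD_ORDER}   # register image is irrelevant here
    st = Stack32(initial_esp)
    for name in PUSHAD_ORDER:                    # pushad: 8 registers * 4 bytes
        st.push(regs[name])
    esp_after_pushad = st.esp
    st.push(2)                                   # push dword 2 ; argument #2
    st.push(1)                                   # push dword 1 ; argument #1
    st.push(return_address)                      # CALL myFunc pushes the return address
    st.push(regs["ebp"])                         # myFunc: push ebp
    ebp = st.esp                                 #         mov ebp, esp
    arg1 = st.load(ebp + 8)                      #         mov eax, dword [ebp+8]
    arg2 = st.load(ebp + 12)                     #         mov ebx, dword [ebp+12]
    result = arg1 + arg2                         #         add eax, ebx
    st.esp = ebp                                 #         mov esp, ebp
    st.pop()                                     #         pop ebp
    ret = st.pop()                               #         ret
    st.esp += 8                                  # add esp, 8 ; "delete" arguments
    for _ in range(len(PUSHAD_ORDER)):           # popad
        st.pop()
    return esp_after_pushad, arg1, arg2, result, ret, st.esp


if __name__ == "__main__":
    print([hex(v) for v in run_sample()])
```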

Page 8

Review questions for the exam

Page 9

Question 1: Given the following definitions

x: dw 1
y: db 2
z: db 3

multiply x, y and z by 2 using a single instruction. You may assume there is no overflow.

Answer: we multiply the whole word by 2:

shl dword [x], 1
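An added Python model (not from the session) of how these definitions sit in memory, covering both the little-endian annotations on page 7 and the single-instruction answer to question 1. It lays out a NASM-style data section byte by byte, emulates 'shl dword [x], 1' over it, and also shows the constructed case the "no overflow" assumption rules out, where a bit shifted out of y lands in z.

```python
import struct

FMT = {"db": "<B", "dw": "<H", "dd": "<I"}   # NASM size -> little-endian struct format


def assemble_data(directives):
    """Lay out a .data section in order. directives: list of (label, size, value);
    a str value for 'db' is stored byte by byte (DB 'abc').
    Returns the raw bytes and a label -> offset map."""
    mem, symbols = bytearray(), {}
    for label, size, value in directives:
        symbols[label] = len(mem)
        mem += value.encode("ascii") if isinstance(value, str) else struct.pack(FMT[size], value)
    return mem, symbols


def shl_dword(mem, offset, count):
    """Emulate 'shl dword [offset], count' in place on the little-endian buffer."""
    (val,) = struct.unpack_from("<I", mem, offset)
    struct.pack_into("<I", mem, offset, (val << count) & 0xFFFFFFFF)


def read(mem, symbols, label, size):
    return struct.unpack_from(FMT[size], mem, symbols[label])[0]


# constructed input: the .data section of sample.s followed by the question-1 definitions
DATA = [("numeric", "dd", 0x12345678), ("string", "db", "abc"), ("answer", "dd", 0),
        ("x", "dw", 1), ("y", "db", 2), ("z", "db", 3)]


def layout_and_double(directives=DATA):
    """Returns the stored bytes of 'numeric' and 'string', then x, y, z after 'shl dword [x], 1'."""
    mem, sym = assemble_data(directives)
    numeric_bytes = mem[sym["numeric"]:sym["numeric"] + 4].hex()   # '78563412': lowest byte first
    string_bytes = mem[sym["string"]:sym["string"] + 3].hex()      # '616263': 'a','b','c' in order
    shl_dword(mem, sym["x"], 1)   # x, y, z occupy 4 consecutive bytes, so one dword shift doubles all
    return numeric_bytes, string_bytes, read(mem, sym, "x", "dw"), read(mem, sym, "y", "db"), read(mem, sym, "z", "db")


def overflow_case():
    """With y = 0x80 the shifted-out bit is carried into z: y becomes 0 and z becomes 7."""
    mem, sym = assemble_data([("x", "dw", 1), ("y", "db", 0x80), ("z", "db", 3)])
    shl_dword(mem, sym["x"], 1)
    return read(mem, sym, "x", "dw"), read(mem, sym, "y", "db"), read(mem, sym, "z", "db")
```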

Page 10

Question 2: We need to implement a call to a function with no arguments whose address is in register eax. Mark the code that will NOT do this correctly.

a) push next_a
   push eax
   ret
   next_a:

b) push eax
   push eax
   ret

c) push next_a
   jmp eax
   next_a:

d) call eax


Page 12

Question 3: Register eax holds the value -1. Write 5 different instructions, each of which will cause register eax to hold the value 1.

Answer:

mov eax, 1
add eax, 2
neg eax
shr eax, 31
and eax, 1

Page 13

Question 5: We need to implement the following code fragment:

int a, b, x;
x = blah(a,&b);

Which code fragment does this correctly?

a) push a            c) push dword b
   push b               push dword [a]
   call blah            call blah
   add esp, 8           add esp, 8
   mov [x], eax         mov [x], eax

b) push dword [b]    d) push dword [b]
   push dword a         push dword a
   call blah            call blah
   add esp, 8           add esp, 8
   mov [x], eax         pop dword [x]
