Title: 15213 Recitation Section C


1
15213 Recitation Section C
Outline
  • Assembly Review
  • C → ASM using GDB
  • ASM → C

2
Assembly Review Machine Model
CPU
Memory
3
Assembly Format
  • Op Src, Dest
  • add %eax, %ebx   # %ebx += %eax
  • sub %eax, %ebx   # %ebx -= %eax
  • Op Arg
  • jmp 0x87654321   # unconditional branch
  • jge 0x87654321   # branch if >= in signed
    comparison

4
Memory Addressing Mode
  • Generic form
  • D(R1, R2, S)
  • Address = Reg[R1] + Reg[R2] * S + D
  • e.g. 0x8(%eax, %ebx, 0x4)
  • the address is %eax + %ebx * 0x4 + 0x8
  • Special forms
  • omit D, R1, R2, or S
  • (R1), D(R1), (R1, R2), D(R1, R2)

5
Exercise: What do these ASM instructions mean?
  1. sub %ecx, %edx
  2. cmp %ecx, 0x4
     jge 0x12345678
  3. mov (%ebx), %eax
  4. mov (%ebx, %esi, 0x4), %edi
  5. lea (%ebx, %esi, 0x4), %edi
  6. xor %ecx, %ecx

6
Procedure Related Instructions
  • int a_func (int arg1, int arg2, int arg3)
  • Get arguments
  • arg1: mov 8(%ebp), %ecx
  • arg2: mov 12(%ebp), %ecx
  • arg3?
  • Set return value
  • mov $0x1, %eax   # return 1

mov 16(%ebp), %ecx   # arg3
7
C?ASM
  • Compilation and GDB basics
  • C?ASM Examples

8
Compiling and Debugging C Code
  • Generating ASM with gcc
  • gcc -O -S -Wall example.c
  • generates example.s
  • Debugging C code
  • gcc -O -g -o example -Wall example.c
  • gdb example

9
What if compiling without -g?
  • gcc -O -o example -Wall example.c
  • gdb will not know the C code behind the assembly
  • the same situation as in the L2 bomb lab
  • use gdb to examine the object code
  • Other tools (objdump etc.): see the L2 description

10
Example func1
  • int func1(int a, int b)
  • int x, y;
  • x = a + b;
  • y = 2*x - b;
  • return x*y;

11
ASM of func1
  • Dump of assembler code for function func1:
  • 0x8048420 <func1>:     push %ebp
  • 0x8048421 <func1+1>:   mov %esp,%ebp
  • 0x8048423 <func1+3>:   mov 0xc(%ebp),%eax
  • 0x8048426 <func1+6>:   mov 0x8(%ebp),%ecx
  • 0x8048429 <func1+9>:   add %eax,%ecx
  • 0x804842b <func1+11>:  lea (%ecx,%ecx,1),%edx
  • 0x804842e <func1+14>:  sub %eax,%edx
  • 0x8048430 <func1+16>:  mov %ecx,%eax
  • 0x8048432 <func1+18>:  imul %edx,%eax
  • 0x8048435 <func1+21>:  mov %ebp,%esp
  • 0x8048437 <func1+23>:  pop %ebp
  • 0x8048438 <func1+24>:  ret
  • 0x8048439 <func1+25>:  lea 0x0(%esi),%esi
  • End of assembler dump.

12
ASM of func1
  • Dump of assembler code for function func1:
  • 0x8048420 <func1>:     push %ebp
  • 0x8048421 <func1+1>:   mov %esp,%ebp
  • 0x8048423 <func1+3>:   mov 0xc(%ebp),%eax
    # %eax = b
  • 0x8048426 <func1+6>:   mov 0x8(%ebp),%ecx
    # %ecx = a
  • 0x8048429 <func1+9>:   add %eax,%ecx
    # %ecx = a + b
  • 0x804842b <func1+11>:  lea (%ecx,%ecx,1),%edx
    # %edx = 2 * %ecx
  • 0x804842e <func1+14>:  sub %eax,%edx
    # %edx -= b
  • 0x8048430 <func1+16>:  mov %ecx,%eax
    # %eax = x
  • 0x8048432 <func1+18>:  imul %edx,%eax
    # return x * y
  • 0x8048435 <func1+21>:  mov %ebp,%esp
  • 0x8048437 <func1+23>:  pop %ebp
  • 0x8048438 <func1+24>:  ret
  • 0x8048439 <func1+25>:  lea 0x0(%esi),%esi
  • End of assembler dump.

13
Using GDB to run the program
  • Let's use gdb to run the program and examine
    registers and memory locations
  • break func1
  • run
  • p/x $ebp
  • x/2wx $ebp+8

14
Example 2
  • int func2(int a, int b)
  • if (a > b)
  • return a;
  • else
  • return b;

15
ASM of func2
  • Dump of assembler code for function func2:
  • 0x804843c <func2>:     push %ebp
  • 0x804843d <func2+1>:   mov %esp,%ebp
  • 0x804843f <func2+3>:   mov 0x8(%ebp),%edx
  • 0x8048442 <func2+6>:   mov 0xc(%ebp),%eax
  • 0x8048445 <func2+9>:   cmp %eax,%edx
  • 0x8048447 <func2+11>:  jle 0x804844b
    <func2+15>
  • 0x8048449 <func2+13>:  mov %edx,%eax
  • 0x804844b <func2+15>:  mov %ebp,%esp
  • 0x804844d <func2+17>:  pop %ebp
  • 0x804844e <func2+18>:  ret
  • 0x804844f <func2+19>:  nop
  • End of assembler dump.

16
ASM of func2
  • Dump of assembler code for function func2:
  • 0x804843c <func2>:     push %ebp
  • 0x804843d <func2+1>:   mov %esp,%ebp
  • 0x804843f <func2+3>:   mov 0x8(%ebp),%edx
    # %edx = a
  • 0x8048442 <func2+6>:   mov 0xc(%ebp),%eax
    # %eax = b
  • 0x8048445 <func2+9>:   cmp %eax,%edx
    # %edx <= %eax ?
  • 0x8048447 <func2+11>:  jle 0x804844b
    <func2+15>
  • 0x8048449 <func2+13>:  mov %edx,%eax
    # %eax = a
  • 0x804844b <func2+15>:  mov %ebp,%esp
  • 0x804844d <func2+17>:  pop %ebp
  • 0x804844e <func2+18>:  ret
  • 0x804844f <func2+19>:  nop
  • End of assembler dump.

17
Example 3
  • int func3(int a, int b)
  • int r = 0xDEADBEEF;
  • switch (a)
  • case 0:
  • case 1:
  • r = b; break;
  • case 2: r = a + b; break;
  • case 3: r = a - b; break;
  • case 4: r = a * b; break;
  • default:
  • return r;

18
ASM of func3
  • Dump of assembler code for function func3:
  • 0x8048450 <func3>:     push %ebp
  • 0x8048451 <func3+1>:   mov %esp,%ebp
  • 0x8048453 <func3+3>:   mov 0x8(%ebp),%edx
  • 0x8048456 <func3+6>:   mov 0xc(%ebp),%ecx
  • 0x8048459 <func3+9>:   mov $0xdeadbeef,%eax
  • 0x804845e <func3+14>:  cmp $0x4,%edx
  • 0x8048461 <func3+17>:  ja 0x804848b
    <func3+59>
  • 0x8048463 <func3+19>:  jmp *0x8048598(,%edx,4)
  • 0x804846a <func3+26>:  lea 0x0(%esi),%esi
  • 0x8048470 <func3+32>:  mov %ecx,%eax
  • 0x8048472 <func3+34>:  jmp 0x804848b
    <func3+59>
  • 0x8048474 <func3+36>:  lea (%ecx,%edx,1),%eax
  • 0x8048477 <func3+39>:  jmp 0x804848b
    <func3+59>

19
ASM of func3
  • 0x8048479 <func3+41>:  lea 0x0(%esi,1),%esi
  • 0x8048480 <func3+48>:  mov %edx,%eax
  • 0x8048482 <func3+50>:  sub %ecx,%eax
  • 0x8048484 <func3+52>:  jmp 0x804848b
    <func3+59>
  • 0x8048486 <func3+54>:  mov %edx,%eax
  • 0x8048488 <func3+56>:  imul %ecx,%eax
  • 0x804848b <func3+59>:  mov %ebp,%esp
  • 0x804848d <func3+61>:  pop %ebp
  • 0x804848e <func3+62>:  ret
  • (gdb) x/5wx 0x8048598
  • 0x8048598 <_IO_stdin_used+4>:   0x08048470
    0x08048470 0x08048474 0x08048480
  • 0x80485a8 <_IO_stdin_used+20>:  0x08048486

20
ASM of func3
  • Dump of assembler code for function func3:
  • 0x8048450 <func3>:     push %ebp
  • 0x8048451 <func3+1>:   mov %esp,%ebp
  • 0x8048453 <func3+3>:   mov 0x8(%ebp),%edx
    # %edx = a
  • 0x8048456 <func3+6>:   mov 0xc(%ebp),%ecx
    # %ecx = b
  • 0x8048459 <func3+9>:   mov $0xdeadbeef,%eax
    # %eax is r
  • 0x804845e <func3+14>:  cmp $0x4,%edx   # (a > 4?) — ja is an unsigned compare, so a negative a also goes to default
  • 0x8048461 <func3+17>:  ja 0x804848b
    <func3+59>
  • 0x8048463 <func3+19>:  jmp *0x8048598(,%edx,4)
    # jump table
  • 0x804846a <func3+26>:  lea 0x0(%esi),%esi
    # nop
  • 0x8048470 <func3+32>:  mov %ecx,%eax   # r = b
  • 0x8048472 <func3+34>:  jmp 0x804848b
    <func3+59>
  • 0x8048474 <func3+36>:  lea (%ecx,%edx,1),%eax
    # r = a + b
  • 0x8048477 <func3+39>:  jmp 0x804848b
    <func3+59>

21
ASM of func3
  • 0x8048479 <func3+41>:  lea
    0x0(%esi,1),%esi   # nop
  • 0x8048480 <func3+48>:  mov %edx,%eax    # r = a
  • 0x8048482 <func3+50>:  sub %ecx,%eax    # r -= b
  • 0x8048484 <func3+52>:  jmp 0x804848b
    <func3+59>
  • 0x8048486 <func3+54>:  mov %edx,%eax    # r = a
  • 0x8048488 <func3+56>:  imul %ecx,%eax   # r *= b
  • 0x804848b <func3+59>:  mov %ebp,%esp
  • 0x804848d <func3+61>:  pop %ebp
  • 0x804848e <func3+62>:  ret
  • (gdb) x/5wx 0x8048598
  • 0x8048598 <_IO_stdin_used+4>:   0x08048470
    0x08048470 0x08048474 0x08048480
  • 0x80485a8 <_IO_stdin_used+20>:  0x08048486

22
Example 4
  • void func4 ()
  • printf ("hello world!\n");

23
ASM of func4
  • 0x8048490 <func4>:     push %ebp
  • 0x8048491 <func4+1>:   mov %esp,%ebp
  • 0x8048493 <func4+3>:   sub $0x8,%esp
  • 0x8048496 <func4+6>:   add $0xfffffff4,%esp
  • 0x8048499 <func4+9>:   push $0x80485ac
  • 0x804849e <func4+14>:  call 0x804833c
    <printf>   # calling printf
  • 0x80484a3 <func4+19>:  mov %ebp,%esp
  • 0x80484a5 <func4+21>:  pop %ebp
  • 0x80484a6 <func4+22>:  ret
  • 0x80484a7 <func4+23>:  nop
  • (gdb) x/s 0x80485ac
  • 0x80485ac <_IO_stdin_used+24>:  "hello world!\n"

24
ASM → C
  • int func5(int x)
  • ???

25
ASM → C: write C code for the ASM
  • 0x80483c0 <func5>:     push %ebp
  • 0x80483c1 <func5+1>:   mov %esp,%ebp
  • 0x80483c3 <func5+3>:   mov 0x8(%ebp),%ecx
  • 0x80483c6 <func5+6>:   xor %eax,%eax
  • 0x80483c8 <func5+8>:   xor %edx,%edx
  • 0x80483ca <func5+10>:  cmp %ecx,%edx
  • 0x80483cc <func5+12>:  jge 0x80483d7
    <func5+23>
  • 0x80483ce <func5+14>:  mov %esi,%esi
  • 0x80483d0 <func5+16>:  add %edx,%eax
  • 0x80483d2 <func5+18>:  inc %edx
  • 0x80483d3 <func5+19>:  cmp %ecx,%edx
  • 0x80483d5 <func5+21>:  jl 0x80483d0
    <func5+16>
  • 0x80483d7 <func5+23>:  mov %ebp,%esp
  • 0x80483d9 <func5+25>:  pop %ebp
  • 0x80483da <func5+26>:  ret
  • 0x80483db <func5+27>:  nop