Things to remember when in emergency!
I'm sure we all know that emergency has different meaning for different people and different things. Emergency preparedness, when debugging could be handy I think. And it is more important, when we think it is emergency, hence not all regular matters. Being not regular categorically implies that we will not remember it dearly...
When it comes to x64bit assembly instructions, it is quite a bit of different from x86.
So here are some, just to warm up -
### Notice how the code was chewed up - no code for the logic, different from x86
### Look at how the args offset on the stack are stuffed in
_TEXT SEGMENT
fristArg$ = 16
secondArg$ = 24
function_return_void_takes_2_arg PROC
; 23 : {
$LN5:
mov DWORD PTR [rsp+16], edx
mov DWORD PTR [rsp+8], ecx
push rdi
; 24 : //chk if 1st arg is zero
; 25 : if (fristArg == 0 ){
; 26 : return;
; 27 : }
; 28 : //chk if 2nd arg is non-zero
; 29 : if (secondArg != 0 ){
; 30 : return;
; 31 : }
; 32 : }
pop rdi
ret 0
//void f takes 4 args
void f_void_take_4_arg( ULONG First, ULONG Second, ULONG Third, ULONG Fourth )
{
int i, *ptr_i;
// init i
i = 0;
//take the addr of
ptr_i = &i;
}
### Notice how the args are pushed thru registers ( 1st 4 args usually )
_TEXT SEGMENT
### Note how the offsets are being stored in these *$ vars, where * is the variable name
### Also watch how the offset took care of any stack push. Compare to x86 gened code too
i$ = 36
ptr_i$ = 56
First$ = 80
Second$ = 88
Third$ = 96
Fourth$ = 104
f_void_take_4_arg PROC
; 37 : {
$LN3:
### Watch this, callee is pushing the args onto stack, caller did not - This is shadowing the args!
mov DWORD PTR [rsp+32], r9d # 4th arg
mov DWORD PTR [rsp+24], r8d
mov DWORD PTR [rsp+16], edx
mov DWORD PTR [rsp+8], ecx # 1st arg
push rdi ## This push was taken into account when *$ vars for respective offsets are defined
sub rsp, 64 ; 00000040H ## Another fine points its not just for local variable space, also for calling down path
mov rdi, rsp
mov rcx, 16
mov eax, -858993460 ; ccccccccH
rep stosd
mov ecx, DWORD PTR [rsp+80]
; 38 : int i, *ptr_i;
; 39 : // init i
; 40 : i = 0;
mov DWORD PTR i$[rsp], 0
; 41 : //take the addr of
; 42 : ptr_i = &i;
lea rax, QWORD PTR i$[rsp] ## get the address of i. lea does not evaluate the indirection, just adds the offset.
mov QWORD PTR ptr_i$[rsp], rax ### put into the ptr_i
; 43 :
; 44 : }
mov rcx, rsp
lea rdx, OFFSET FLAT:f_void_take_4_arg$rtcFrameData
call _RTC_CheckStackVars
add rsp, 64 ; 00000040H ## to get to the register we pushed, we need to go back up the stack sub used
pop rdi
ret 0
f_void_take_4_arg ENDP ## end of procedure
_TEXT ENDS ## end of this code seg
Next I will delve into some common pattern blocks like: while; do while; for; switch; if then else etc. Then I will also give some normal stuff like structure access, procedure calls etc. So that we will have a handy reference for the code when we have to look at disassembled systems code.
Enjoy!
References (2)
-
Response: australian assignment helpWe should remember the old things. It will be considering up on the same ways. Therefore the main causes will be showing on the different various features. This is known as the first valuable things in it.
-
Response: 192 168 0 1
Reader Comments