« Stable Marriage Algorithms! | Main | Pi day ! »

Things to remember when in emergency!

I'm sure we all know that emergency has different meaning for different people and different things. Emergency preparedness, when debugging could be handy I think. And it is more important, when we think it is emergency, hence not all regular matters. Being not regular categorically implies that we will not remember it dearly...

When it comes to x64bit assembly instructions, it is quite a bit of different from x86.

So here are some, just to warm up -

 

// fuction returing void, taking two args
void function_return_void_takes_2_arg ( ULONG fristArg, ULONG secondArg)
{
     //chk if 1st arg is zero
     if (fristArg == 0 ){
     return;
}
    //chk if 2nd arg is non-zero
    if (secondArg != 0 ){
       return;
    }
}

 

### Notice how the code was chewed up - no code for the logic, different from x86

### Look at how the args offset on the stack are stuffed in 

 

_TEXT SEGMENT

fristArg$ = 16

secondArg$ = 24

function_return_void_takes_2_arg PROC

; 23   : {

$LN5:

mov DWORD PTR [rsp+16], edx

mov DWORD PTR [rsp+8], ecx

push rdi

; 24   : //chk if 1st arg is zero

; 25   : if (fristArg == 0 ){

; 26   : return;

; 27   : }

; 28   : //chk if 2nd arg is non-zero

; 29   : if (secondArg != 0 ){

; 30   : return;

; 31   : }

; 32   : } 

pop rdi

ret 0

 //void f takes 4 args

void f_void_take_4_arg( ULONG First, ULONG Second, ULONG Third, ULONG Fourth )

{

int i, *ptr_i;

// init i

i = 0;

//take the addr of 

ptr_i = &i;

}

### Notice how the args are pushed thru registers ( 1st 4 args usually )

_TEXT SEGMENT

### Note how the offsets are being stored in these *$ vars, where * is the variable name

### Also watch how the offset took care of any stack push. Compare to x86 gened code too

i$ = 36

ptr_i$ = 56

First$ = 80

Second$ = 88

Third$ = 96

Fourth$ = 104

f_void_take_4_arg PROC

; 37   : {

$LN3:

### Watch this, callee is pushing the args onto stack, caller did not - This is shadowing the args!

mov DWORD PTR [rsp+32], r9d  # 4th arg

mov DWORD PTR [rsp+24], r8d

mov DWORD PTR [rsp+16], edx

mov DWORD PTR [rsp+8], ecx  # 1st arg

push rdi   ## This push was taken into account when *$ vars for respective offsets are defined

sub rsp, 64 ; 00000040H ## Another fine points its not just for local variable space, also for calling down path

mov rdi, rsp

mov rcx, 16

mov eax, -858993460 ; ccccccccH

rep stosd

mov ecx, DWORD PTR [rsp+80]

 

; 38   : int i, *ptr_i;

; 39   : // init i

; 40   : i = 0;

mov DWORD PTR i$[rsp], 0

; 41   : //take the addr of 

; 42   : ptr_i = &i;

lea rax, QWORD PTR i$[rsp] ## get the address of i. lea does not evaluate the indirection, just adds the offset.

mov QWORD PTR ptr_i$[rsp], rax  ### put into the ptr_i 

; 43   : 

; 44   : }

mov rcx, rsp

lea rdx, OFFSET FLAT:f_void_take_4_arg$rtcFrameData

call _RTC_CheckStackVars

add rsp, 64 ; 00000040H  ## to get to the register we pushed, we need to go back up the stack sub used

pop rdi

ret 0

f_void_take_4_arg ENDP  ## end of procedure

_TEXT ENDS  ## end of this code seg

 

Next I will delve into some common pattern blocks like: while; do while; for; switch; if then else etc. Then I will also give some normal stuff like structure access, procedure calls etc. So that we will have a handy reference for the code when we have to look at disassembled systems code.

 

Enjoy!

 

Posted on Friday, April 27, 2012 at 09:59PM by Registered CommenterProkash Sinha | CommentsPost a Comment | References2 References

References (2)

References allow you to track sources for this article, as well as articles that were written in response to this article.
  • Response
    We should remember the old things. It will be considering up on the same ways. Therefore the main causes will be showing on the different various features. This is known as the first valuable things in it.
  • Response
    Response: 192 168 0 1

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Post:
 
All HTML will be escaped. Hyperlinks will be created for URLs automatically.