Desmontando C, reemplace el código de operación

I was trying to learn the basics of reversing and I tried to disassemble a small C program. I'm working under MacOS 10.7.2 (64 bit - Intel) and using gcc 4.2.1.

#include <stdio.h>

int main() {

    char word[20];

    if (strcmp(word,"password")==0) 

Yo compilé con gcc -o test test.c, then, working a while with gdb, I placed a breakpoint after the strcmp call (100000e8e) and get (what I think is) the relevant assembly code:

0x0000000100000e40 <main+0>:    push   %rbp
0x0000000100000e41 <main+1>:    mov    %rsp,%rbp
0x0000000100000e44 <main+4>:    sub    $0x30,%rsp
0x0000000100000e48 <main+8>:    mov    0x1e9(%rip),%rax        # 0x100001038
0x0000000100000e4f <main+15>:   mov    (%rax),%rax
0x0000000100000e52 <main+18>:   mov    %rax,-0x8(%rbp)
0x0000000100000e56 <main+22>:   lea    -0x20(%rbp),%rax
0x0000000100000e5a <main+26>:   mov    %rax,%rcx
0x0000000100000e5d <main+29>:   xor    %dl,%dl
0x0000000100000e5f <main+31>:   lea    0xda(%rip),%rsi        # 0x100000f40
0x0000000100000e66 <main+38>:   mov    %rsi,%rdi
0x0000000100000e69 <main+41>:   mov    %rcx,%rsi
0x0000000100000e6c <main+44>:   mov    %rax,-0x28(%rbp)
0x0000000100000e70 <main+48>:   mov    %dl,%al
0x0000000100000e72 <main+50>:   callq  0x100000eee <dyld_stub_scanf>
0x0000000100000e77 <main+55>:   mov    -0x28(%rbp),%rcx
0x0000000100000e7b <main+59>:   xor    %dl,%dl
0x0000000100000e7d <main+61>:   lea    0xbf(%rip),%rsi        # 0x100000f43
0x0000000100000e84 <main+68>:   mov    %rcx,%rdi
0x0000000100000e87 <main+71>:   mov    %dl,%al
0x0000000100000e89 <main+73>:   callq  0x100000ef4 <dyld_stub_strcmp>
0x0000000100000e8e <main+78>:   mov    %eax,%ecx
0x0000000100000e90 <main+80>:   cmp    $0x0,%ecx
0x0000000100000e93 <main+83>:   jne    0x100000ea6 <main+102>
0x0000000100000e95 <main+85>:   lea    0xb0(%rip),%rax        # 0x100000f4c
0x0000000100000e9c <main+92>:   mov    %rax,%rdi
0x0000000100000e9f <main+95>:   callq  0x100000ee8 <dyld_stub_puts>
0x0000000100000ea4 <main+100>:  jmp    0x100000eb5 <main+117>
0x0000000100000ea6 <main+102>:  lea    0xa7(%rip),%rax        # 0x100000f54
0x0000000100000ead <main+109>:  mov    %rax,%rdi
0x0000000100000eb0 <main+112>:  callq  0x100000ee8 <dyld_stub_puts>
0x0000000100000eb5 <main+117>:  mov    -0xc(%rbp),%eax
0x0000000100000eb8 <main+120>:  mov    0x179(%rip),%rcx        # 0x100001038
0x0000000100000ebf <main+127>:  mov    (%rcx),%rcx
0x0000000100000ec2 <main+130>:  mov    -0x8(%rbp),%rdx
0x0000000100000ec6 <main+134>:  cmp    %rdx,%rcx
0x0000000100000ec9 <main+137>:  mov    %eax,-0x2c(%rbp)
0x0000000100000ecc <main+140>:  jne    0x100000ed7 <main+151>
0x0000000100000ece <main+142>:  mov    -0x2c(%rbp),%eax
0x0000000100000ed1 <main+145>:  add    $0x30,%rsp
0x0000000100000ed5 <main+149>:  pop    %rbp
0x0000000100000ed6 <main+150>:  retq   
0x0000000100000ed7 <main+151>:  callq  0x100000edc <dyld_stub___stack_chk_fail>

Now, according to my comprehension of assembler, things should be easy: after the strcmp call at 100000e89 the value of %ecx is saved and then compared with 0.

If they are not equal (jne) there is the jump (else), otherwise it should continue (if).

Very well, I thought modifying jne en un je I should get "Correct" even with wrong input.

Actually I didn't. Trying to understand what the problem may be, I tried to examine the operation codes and I get a strange (to me) output:

(gdb) x/8x 0x100000e93
0x100000e93 <main+83>:  0x8d481175  0x0000b005  0xc7894800  0x000044e8
0x100000ea3 <main+99>:  0x480feb00  0x00a7058d  0x89480000  0x0033e8c7

No hay rastro del 0f85 that should be the code for jne.

I'm a little bit confused then...Shouldn't I get the operation code for the jump? May someone explain me my error?

preguntado el 10 de marzo de 12 a las 01:03

1 Respuestas

See opcode for JNE here:

So, it is what is expected: 0x8d481175 since its dword printed, and architecture is little endian, you having following sequence of bytes starting from that address: 75 11 48 8d

and 75 is opcode for JNE in 64-bit mode with 8-bit rel offset.

Verification: a jump address is calculated from address of next instruction + offset. So, 0x0000000100000e95 + 0x11 = 0x0000000100000eA6 which is exactly what gdb shows

respondido 10 mar '12, 02:03

Thanks, it worked. I actually was looking the same page you linked, and I took 0f85 from that page...Can you please explain "8-bit rel offset" and why 0f85 ¿Está Mal? - Manlio

8-bit rel offset means a relative offset, encoded in single byte, so you have values in range between -128 .. 127 for offset. The 0f85 opcode in 64-bit mode used for 16-bit and 32-bit rel offsets (depending on operand-size instruction prefix). - Igor Stasenko

The use of various offset lengths is obviously done for conserving code size, i.e. you don't need to waste space encoding offset as 32-bit integer, if your jump target lies within 8 or 16-bit integer range. - Igor Stasenko

No es la respuesta que estás buscando? Examinar otras preguntas etiquetadas or haz tu propia pregunta.