Linux汇编gdb

最新推荐文章于 2024-08-21 00:07:22 发布

weixin_33843947

最新推荐文章于 2024-08-21 00:07:22 发布

阅读量103

点赞数

文章标签：操作系统 shell c/c++

原文链接：http://blog.51cto.com/tuoxie174/660795

版权

同学问了个问题：问里面到底是怎样加的，俺们是学过编译原理的，只能看汇编了~。限于VS启动慢，用了mingw中的gdb调试：disassemble，反汇编出来看代码。

#include <iostream>
using namespace std;
int main(int argc, char *argv[])
{
int x = 7;
x = (9+x++) + (16+x++);
cout<<x<<endl;
return 0;
}

反汇编：

Dump of assembler code for function main:
0x00401318 <main+0>: push %ebp
0x00401319 <main+1>: mov %esp,%ebp
0x0040131b <main+3>: and $0xfffffff0,%esp
0x0040131e <main+6>: sub $0x20,%esp
0x00401321 <main+9>: call 0x413390 <__main>
0x00401326 <main+14>: movl $0x0,0x1c(%esp)
0x0040132e <main+22>: mov 0x1c(%esp),%eax
0x00401332 <main+26>: lea 0x1(%eax),%edx
0x00401335 <main+29>: mov 0x1c(%esp),%eax
0x00401339 <main+33>: add $0x2,%eax
0x0040133c <main+36>: lea (%edx,%eax,1),%eax
0x0040133f <main+39>: mov %eax,0x1c(%esp)
0x00401343 <main+43>: incl 0x1c(%esp)
0x00401347 <main+47>: incl 0x1c(%esp)
0x0040134b <main+51>: mov 0x1c(%esp),%eax
0x0040134f <main+55>: mov %eax,0x4(%esp)
0x00401353 <main+59>: movl $0x4740c0,(%esp)
0x0040135a <main+66>: call 0x4485b0 <_ZNSolsEi>
0x0040135f <main+71>: mov $0x0,%eax
0x00401364 <main+76>: leave
0x00401365 <main+77>: ret
End of assembler dump.

可见，调用逻辑就是最后才做俩次自增操作....

想看下lea的，就搜了些资料~

资料：http://xue23.blog.163.com/blog/static/979344200662736300/

linux汇编编程 2006-07-27 15:06:30| 分类： Asm | 标签： |字号大中小订阅 .
Author:philliph(phillip@u***back.com)
translator:horacexue(xue23@163.com)
介绍
这篇文章描述在linux下使用汇编语言编程的方法。其中包含的内容有：
Intel及AT&T汇编语言的比较
怎么使用系统调用
怎么在GCC中使用嵌入的汇编
写这篇文章的原因是因为在这方面编程(特别是内嵌汇编编程)缺乏比较好的材料，我们在这里不写shell编程，因为这方面的材料很容易找到。
这篇文章是都是我的经验所得，所以不免会有错误。如果你发现任何问题，一定要发邮件给我，或者给我指导。
读这篇文章具备的条件是有x86汇编和c语言方面的基础。
--------------------------------------------------------------------------------
Intel和AT&T的语法.
Intel和AT&T汇编语法在有很大的差别，所以一个懂Intel汇编语法的人开始去学习At&t时，很容易造成混乱，反过也是一样。下面我们从基础开始学起。
前缀
Intel的汇编语法中，寄存器和立即数立即数没有前缀。而在AT&T汇编语法中在寄存器前面要加上前缘%,立即数前面要加上前缀$。Intel语法的16进制，2进制立即数必须分别加上后缀h,b，另外如果第一个16进制数是字母，那么该值必须加上前缀0.
Example:
Intex Syntax
mov eax,1
mov ebx,0ffh
int 80h
AT&T Syntax
movl $1,%eax
movl $0xff,%ebx
int $0x80
Direction of Operands.
The direction of the operands in Intel syntax is opposite from that of AT&T syntax. In Intel syntax the first operand is the destination, and the second operand is the source whereas in AT&T syntax the first operand is the source and the second operand is the destination. The advantage of AT&T syntax in this situation is obvious. We read from left to right, we write from left to right, so this way is only natural.
Example:
Intex Syntax
instr dest,source
mov eax,[ecx]
AT&T Syntax
instr source,dest
movl (%ecx),%eax
Memory Operands.
Memory operands as seen above are different also. In Intel syntax the base register is enclosed in '[' and ']' whereas in AT&T syntax it is enclosed in '(' and ')'.
Example:
Intex Syntax
mov eax,[ebx]
mov eax,[ebx+3]
AT&T Syntax
movl (%ebx),%eax
movl 3(%ebx),%eax
The AT&T form for instructions involving complex operations is very obscure compared to Intel syntax. The Intel syntax form of these is segreg:[base+index*scale+disp]. The AT&T syntax form is %segreg:disp(base,index,scale).
Index/scale/disp/segreg are all optional and can simply be left out. Scale, if not specified and index is specified, defaults to 1. Segreg depends on the instruction and whether the app is being run in real mode or pmode. In real mode it depends on the instruction whereas in pmode its unnecessary. Immediate data used should not '$' prefixed in AT&T when used for scale/disp.
Example:
Intel Syntax
instr foo,segreg:[base+index*scale+disp]
mov eax,[ebx+20h]
add eax,[ebx+ecx*2h
lea eax,[ebx+ecx]
sub eax,[ebx+ecx*4h-20h]
AT&T Syntax
instr %segreg:disp(base,index,scale),foo
movl 0x20(%ebx),%eax
addl (%ebx,%ecx,0x2),%eax
leal (%ebx,%ecx),%eax
subl -0x20(%ebx,%ecx,0x4),%eax
As you can see, AT&T is very obscure. [base+index*scale+disp] makes more sense at a glance than disp(base,index,scale).
Suffixes.
As you may have noticed, the AT&T syntax mnemonics have a suffix. The significance of this suffix is that of operand size. 'l' is for long, 'w' is for word, and 'b' is for byte. Intel syntax has similar directives for use with memory operands, i.e. byte ptr, word ptr, dword ptr. "dword" of course corresponding to "long". This is similar to type casting in C but it doesnt seem to be necessary since the size of registers used is the assumed datatype.
Example:
Intel Syntax
mov al,bl
mov ax,bx
mov eax,ebx
mov eax, dword ptr [ebx]
AT&T Syntax
movb %bl,%al
movw %bx,%ax
movl %ebx,%eax
movl (%ebx),%eax
**NOTE: ALL EXAMPLES FROM HERE WILL BE IN AT&T SYNTAX**
--------------------------------------------------------------------------------
Syscalls.
This section will outline the use of linux syscalls in assembly language. Syscalls consist of all the functions in the second section of the manual pages located in /usr/man/man2. They are also listed in: /usr/include/sys/syscall.h. A great list is at http://www.linuxassembly.org/syscall.html. These functions can be executed via the linux interrupt service: int $0x80.
Syscalls with < 6 args.
For all syscalls, the syscall number goes in %eax. For syscalls that have less than six args, the args go in %ebx,%ecx,%edx,%esi,%edi in order. The return value of the syscall is stored in %eax.
The syscall number can be found in /usr/include/sys/syscall.h. The macros are defined as SYS_<syscall name> i.e. SYS_exit, SYS_close, etc.
Example:
(Hello world program - it had to be done)
According to the write(2) man page, write is declared as: ssize_t write(int fd, const void *buf, size_t count);
Hence fd goes in %ebx, buf goes in %ecx, count goes in %edx and SYS_write goes in %eax. This is followed by an int $0x80 which executes the syscall. The return value of the syscall is stored in %eax.
$ cat write.s
.include "defines.h"
.data
hello:
.string "hello world\n"
.globl main
main:
movl $SYS_write,%eax
movl $STDOUT,%ebx
movl $hello,%ecx
movl $12,%edx
int $0x80
ret
$
The same process applies to syscalls which have less than five args. Just leave the un-used registers unchanged. Syscalls such as open or fcntl which have an optional extra arg will know what to use.
Syscalls with > 5 args.
Syscalls whos number of args is greater than five still expect the syscall number to be in %eax, but the args are arranged in memory and the pointer to the first arg is stored in %ebx.
If you are using the stack, args must be pushed onto it backwards, i.e. from the last arg to the first arg. Then the stack pointer should be copied to %ebx. Otherwise copy args to an allocated area of memory and store the address of the first arg in %ebx.
Example:
(mmap being the example syscall). Using mmap() in C:
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <unistd.h>
#define STDOUT 1
void main(void) {
char file[]="mmap.s";
char *mappedptr;
int fd,filelen;
fd=fopen(file, O_RDONLY);
filelen=lseek(fd,0,SEEK_END);
mappedptr=mmap(NULL,filelen,PROT_READ,MAP_SHARED,fd,0);
write(STDOUT, mappedptr, filelen);
munmap(mappedptr, filelen);
close(fd);
}
Arrangement of mmap() args in memory: %esp %esp+4 %esp+8 %esp+12 %esp+16 %esp+20
00000000 filelen 00000001 00000001 fd 00000000
ASM Equivalent:
$ cat mmap.s
.include "defines.h"
.data
file:
.string "mmap.s"
fd:
.long 0
filelen:
.long 0
mappedptr:
.long 0
.globl main
main:
push %ebp
movl %esp,%ebp
subl $24,%esp
// open($file, $O_RDONLY);
movl $fd,%ebx // save fd
movl %eax,(%ebx)
// lseek($fd,0,$SEEK_END);
movl $filelen,%ebx // save file length
movl %eax,(%ebx)
xorl %edx,%edx
// mmap(NULL,$filelen,PROT_READ,MAP_SHARED,$fd,0);
movl %edx,(%esp)
movl %eax,4(%esp) // file length still in %eax
movl $PROT_READ,8(%esp)
movl $MAP_SHARED,12(%esp)
movl $fd,%ebx // load file descriptor
movl (%ebx),%eax
movl %eax,16(%esp)
movl %edx,20(%esp)
movl $SYS_mmap,%eax
movl %esp,%ebx
int $0x80
movl $mappedptr,%ebx // save ptr
movl %eax,(%ebx)
// write($stdout, $mappedptr, $filelen);
// munmap($mappedptr, $filelen);
// close($fd);
movl %ebp,%esp
popl %ebp
ret
$
**NOTE: The above source listing differs from the example source code found at the end of the article. The code listed above does not show the other syscalls, as they are not the focus of this section. The source above also only opens mmap.s, whereas the example source reads the command line arguments. The mmap example also uses lseek to get the filesize.** Socket Syscalls.
Socket syscalls make use of only one syscall number: SYS_socketcall which goes in %eax. The socket functions are identified via a subfunction numbers located in /usr/include/linux/net.h and are stored in %ebx. A pointer to the syscall args is stored in %ecx. Socket syscalls are also executed with int $0x80.
$ cat socket.s
.include "defines.h"
.globl _start
_start:
pushl %ebp
movl %esp,%ebp
sub $12,%esp
// socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
movl $AF_INET,(%esp)
movl $SOCK_STREAM,4(%esp)
movl $IPPROTO_TCP,8(%esp)
movl $SYS_socketcall,%eax
movl $SYS_socketcall_socket,%ebx
movl %esp,%ecx
int $0x80
movl $SYS_exit,%eax
xorl %ebx,%ebx
int $0x80
movl %ebp,%esp
popl %ebp
ret
$
--------------------------------------------------------------------------------
Command Line Arguments.
Command line arguments in linux executables are arranged on the stack. argc comes first, followed by an array of pointers (**argv) to the strings on the command line followed by a NULL pointer. Next comes an array of pointers to the environment (**envp). These are very simply obtained in asm, and this is demonstrated in the example code (args.s).
--------------------------------------------------------------------------------
GCC内嵌汇编
这章我们只讨论x86应用程序,在别的CPU上操作指令可能有所不同，我们可以从文章结尾的列表去查找有关这方面的资料。
gcc中的内嵌的汇编的基本结构是简单明僚的。如下例所示：
__asm__("movl %esp,%eax"); // look familiar ?
or
__asm__("
movl $1,%eax // SYS_exit
xor %ebx,%ebx
int $0x80
");通过指定的其值可以调整的寄存器作为输入输出数据，可能更有效的使用内嵌汇编, It is possible to use it more effectively by specifying the data that will be used as input, output for the asm as well as which registers will be modified. No particular input/output/modify field is compulsory. It is of the format:
__asm__("<asm routine>" : output : input : modify);
The output and input fields must consist of an operand constraint string followed by a C expression enclosed in parentheses. The output operand constraints must be preceded by an '=' which indicates that it is an output. There may be multiple outputs, inputs, and modified registers. Each "entry" should be separated by commas (',') and there should be no more than 10 entries total. The operand constraint string may either contain the full register name, or an abbreviation.
Abbrev Table
Abbrev Register
a %eax/%ax/%al
b %ebx/%bx/%bl
c %ecx/%cx/%cl
d %edx/%dx/%dl
S %esi/%si
D %edi/%di
m memory
Example:
__asm__("test %%eax,%%eax", : /* no output */ : "a"(foo));
OR
__asm__("test %%eax,%%eax", : /* no output */ : "eax"(foo));
You can also use the keyword __volatile__ after __asm__: "You can prevent an `asm' instruction from being deleted, moved significantly, or combined, by writing the keyword `volatile' after the `asm'."
(Quoted from the "Assembler Instructions with C Expression Operands" section in the gcc info files.)
$ cat inline1.c
#include <stdio.h>
int main(void) {
int foo=10,bar=15;
__asm__ __volatile__ ("addl %%ebxx,%%eax"
: "=eax"(foo) // ouput
: "eax"(foo), "ebx"(bar)// input
: "eax" // modify
);
printf("foo+bar=%d\n", foo);
return 0;
}
$
You may have noticed that registers are now prefixed with "%%" rather than '%'. This is necessary when using the output/input/modify fields because register aliases based on the extra fields can also be used. I will discuss these shortly.
Instead of writing "eax" and forcing the use of a particular register such as "eax" or "ax" or "al", you can simply specify "a". The same goes for the other general purpose registers (as shown in the Abbrev table). This seems useless when within the actual code you are using specific registers and hence gcc provides you with register aliases. There is a max of 10 (%0-%9) which is also the reason why only 10 inputs/outputs are allowed.
$ cat inline2.c
int main(void) {
long eax;
short bx;
char cl;
__asm__("nop;nop;nop"); // to separate inline asm from the rest of
// the code
__volatile__ __asm__("
test %0,%0
test %1,%1
test %2,%2"
: /* no outputs */
: "a"((long)eax), "b"((short)bx), "c"((char)cl)
);
__asm__("nop;nop;nop");
return 0;
}
$ gcc -o inline2 inline2.c
$ gdb ./inline2
GNU gdb 4.18
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnulibc1"...
(no debugging symbols found)...
(gdb) disassemble main
Dump of assembler code for function main:
... start: inline asm ...
0x8048427 : nop
0x8048428 : nop
0x8048429 : nop
0x804842a : mov 0xfffffffc(%ebp),%eax
0x804842d : mov 0xfffffffa(%ebp),%bx
0x8048431 : mov 0xfffffff9(%ebp),%cl
0x8048434 : test %eax,%eax
0x8048436 : test %bx,%bx
0x8048439 : test %cl,%cl
0x804843b : nop
0x804843c : nop
0x804843d : nop
... end: inline asm ...
End of assembler dump.
$
As you can see, the code that was generated from the inline asm loads the values of the variables into the registers they were assigned to in the input field and then proceeds to carry out the actual code. The compiler auto detects operand size from the size of the variables and so the corresponding registers are represented by the aliases %0, %1 and %2. (Specifying the operand size in the mnemonic when using the register aliases may cause errors while compiling).
The aliases may also be used in the operand constraints. This does not allow you to specify more than 10 entries in the input/output fields. The only use for this i can think of is when you specify the operand constraint as "q" which allows the compiler to choose between a,b,c,d registers. When this register is modified we will not know which register has been chosen and consequently cannot specify it in the modify field. In which case you can simply specify "<number>".
Example:
$ cat inline3.c
#include <stdio.h>
int main(void) {
long eax=1,ebx=2;
__asm__ __volatile__ ("add %0,%2"
: "=b"((long)ebx)
: "a"((long)eax), "q"(ebx)
: "2"
);
printf("ebx=%x\n", ebx);
return 0;
}
$
--------------------------------------------------------------------------------
Compiling
Compiling assembly language programs is much like compiling normal C programs. If your program looks like Listing 1, then you would compile it like you would a C app. If you use _start instead of main, like in Listing 2 you would compile the app slightly differently:
•Listing 1
$ cat write.s
.data
hw:
.string "hello world\n"
.text
.globl main
main:
movl $SYS_write,%eax
movl $1,%ebx
movl $hw,%ecx
movl $12,%edx
int $0x80
movl $SYS_exit,%eax
xorl %ebx,%ebx
int $0x80
ret
$ gcc -o write write.s
$ wc -c ./write
4790 ./write
$ strip ./write
$ wc -c ./write
2556 ./write
•Listing 2
$ cat write.s
.data
hw:
.string "hello world\n"
.text
.globl _start
_start:
movl $SYS_write,%eax
movl $1,%ebx
movl $hw,%ecx
movl $12,%edx
int $0x80
movl $SYS_exit,%eax
xorl %ebx,%ebx
int $0x80
$ gcc -c write.s
$ ld -s -o write write.o
$ wc -c ./write
408 ./write
The -s switch is optional, it just creates a stripped ELF executable which is smaller than a non-stripped one. This method (Listing 2) also creates smaller executables, since the compiler isnt adding extra entry and exit routines as would normally be the case.
--------------------------------------------------------------------------------
Links.
Further reference.
http://www.linuxassembly.org
GNU Assembler Manual
GNU C Compiler Manual
GNU Debugger Manual
Operand Constraint Reference
AT&T Syntax Reference
Example Code
args.s Reads command line arguments passed to the prog
daemon.s Binds a shell to a port (backdoor style)
mmap.s Maps a file to memory, and dumps its contents
socket.s Creates a socket
write.s Hello world !
linasm-src.tgz Makefile defines.h args.s daemon.s socket.s write.s

转载于:https://blog.51cto.com/tuoxie174/660795

weixin_33843947

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
Linux汇编gdb

同学问了个问题：问里面到底是怎样加的，俺们是学过编译原理的，只能看汇编了~。限于VS启动慢，用了mingw中的gdb调试：disassemble，反汇编出来看代码。#include<iostream> usingnamespacestd; intmain(intargc,char*argv[]) { intx=7; ...
复制链接

扫一扫