Recognizing C and C++ Code Constructs in Assembly

The C family of programming languages (C, C++, C#) is one of the most widely used families of programming languages, if not the most widely used. C is definitely the most popular language for Windows and Unix server applications, which are good targets for vulnerability development. For these reasons, a solid understanding of C is critical.

Along with a broad comprehension of C, you should be able to understand how compiled C code translates into assembly. Understanding how C variables, pointers, functions, and memory allocation are represented in assembly will make the contents of this book much easier to understand.

Let's take some common C code constructs and see what they look like in assembly. If you have a firm grasp of these examples, you should be ready to move forward with the rest of the book.

Let's look at declaring an integer in C, then using that same integer for counting.

    int number;
    . . . more code . . .
    number++;

This could be translated to, in assembly:

    number dd 0
    . . . more code . . .
    mov eax,number
    inc eax
    mov number,eax

We use the Define Doubleword (DD) directive to reserve a 32-bit integer, number, initialised to zero. (The older Define Word (DW) directive reserves only 16 bits, which matches neither a 32-bit int nor the 32-bit EAX register.) Next we load the value into the EAX register, increment EAX by one, and then store the result back into number. This load/modify/store pattern is what an unoptimised build produces; an optimising compiler will typically collapse it into a single read-modify-write on memory such as `add dword ptr [number],1`, so be prepared to see either form.

Now, look at a simple if statement in C.

    int number;
    if (number<0)
    {
        . . . more code . . .
    }

Now, look at the same if statement in assembly.

    number dd 0
    . . . more code . . .
    mov eax,number
    or eax,eax
    jge label
    <body of the if: runs only when number is negative>
label:
    <code after the if statement>

What we are doing here is defining number again with the DD directive. Then we move the value stored in number into EAX. `or eax,eax` does not change EAX; it only sets the flags from the value (it clears OF and CF, sets SF if the value is negative and ZF if it is zero). Jump if Greater than or Equal (JGE) is taken when SF equals OF, which after the OR means SF is clear, that is, number is greater than or equal to zero. In that case we jump over the body to label; otherwise we fall through into the body. Note the inversion: the compiler implements an if by branching on the negated condition past the body, so the branch you see in the disassembly is the opposite of the condition written in the source. Compiler output usually uses `test eax,eax` for this flag-setting step; it is equivalent to `or eax,eax`.

Let's look at another example, using an array.

    int array[4];
    . . . more code . . .
    array[2]=9;

Here, we have declared an array, array, and set an array element equal to 9. In assembly we have:

    array dd 0,0,0,0
    . . . more code . . .
    mov ebx,2
    mov dword ptr [array+ebx*4],9

In this example, we declare a four-element array of 32-bit integers, put the index in EBX, and store through a scaled addressing mode. The address of element 2 is the base address of array plus the index multiplied by the element size (4 bytes), which x86 expresses directly as `[array+ebx*4]`; without the `*4` scale the store would land at byte offset 2, straddling the first two elements. The `dword ptr` size override is needed because neither operand is a register, so the assembler cannot otherwise tell whether 9 is a byte, word or doubleword store. When you meet `[base+reg*4]` (or `*8` for 64-bit elements) in compiler output you are almost always looking at array indexing; the scale tells you the element size, and whether the index register was range-checked before this point tells you whether the write can reach outside the array.
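The scaled store above, written out in C so you can watch the address arithmetic. This is an added example, not code from the book: the functions `store_scaled` and `store_unscaled` are ours, and the second one deliberately omits the element-size scale to show what `mov [array+ebx],9` with EBX = 2 would actually do to the array.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Store 'val' into element 'idx' of 'base', computing the address the way a
 * scaled addressing mode such as [array+ebx*4] does: base + idx*element_size.
 * Returns the byte offset that was written so the scaling is visible. */
size_t store_scaled(int32_t *base, size_t idx, int32_t val)
{
    size_t off = idx * sizeof(int32_t);                /* ebx*4 */
    memcpy((unsigned char *)base + off, &val, sizeof val);
    return off;
}

/* The same store with the index used as a raw byte offset ([array+ebx] with
 * EBX = idx), i.e. the *4 scale left out.  memcpy keeps the unaligned write
 * well-defined C; the hardware store would behave the same way on x86. */
size_t store_unscaled(int32_t *base, size_t idx, int32_t val)
{
    memcpy((unsigned char *)base + idx, &val, sizeof val);
    return idx;
}

/* array[2] = 9 with the correct scale: element 2 receives 9 and the
 * neighbours stay 0.  Returns array[2]. */
int32_t scaled_array2(void)
{
    int32_t array[4] = {0, 0, 0, 0};
    store_scaled(array, 2, 9);
    return array[2];
}

/* The same statement with the scale omitted: the four bytes of the value land
 * at byte offsets 2..5, straddling array[0] and array[1], and array[2] is never
 * touched.  Returns 1 when exactly that corruption pattern is observed (the
 * check is endian-independent: either neighbour picking up bytes counts). */
int unscaled_corrupts_neighbours(void)
{
    int32_t array[4] = {0, 0, 0, 0};
    store_unscaled(array, 2, 9);
    return array[2] == 0 && (array[0] != 0 || array[1] != 0);
}

int main(void)
{
    printf("array[2] after scaled store ([array+ebx*4]): %d\n", scaled_array2());
    printf("unscaled store ([array+ebx]) corrupts array[0]/array[1] instead: %s\n",
           unscaled_corrupts_neighbours() ? "yes" : "no");
    return 0;
}
```

The same offset arithmetic is what you do by hand when reading a disassembled loop: divide the scale into the element size, and compare the largest index the loop can produce against the allocation size behind the base register.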

Last, let's take a look at a more complicated example. The code shows how a simple C function looks in assembly. If you can easily understand this example, you are probably ready to move forward to the next chapter.

    int triangle (int width, int height)
    {
        int array[5] = {0,1,2,3,4};
        int area;
        area = width * height/2;
        return (area);
    }

Here is the same function in disassembled form. The following is gdb output (32-bit x86, AT&T syntax, so the source operand comes first and the destination last; the function was compiled without optimisation):

    0x8048430 <triangle>:      push   %ebp
    0x8048431 <triangle+1>:    mov    %esp,%ebp
    0x8048433 <triangle+3>:    push   %edi
    0x8048434 <triangle+4>:    push   %esi
    0x8048435 <triangle+5>:    sub    $0x30,%esp
    0x8048438 <triangle+8>:    lea    0xffffffd8(%ebp),%edi
    0x804843b <triangle+11>:   mov    $0x8049508,%esi
    0x8048440 <triangle+16>:   cld
    0x8048441 <triangle+17>:   mov    $0x5,%ecx
    0x8048446 <triangle+22>:   repz movsl %ds:(%esi),%es:(%edi)
    0x8048448 <triangle+24>:   mov    0x8(%ebp),%eax
    0x804844b <triangle+27>:   mov    %eax,%edx
    0x804844d <triangle+29>:   imul   0xc(%ebp),%edx
    0x8048451 <triangle+33>:   mov    %edx,%eax
    0x8048453 <triangle+35>:   sar    $0x1f,%eax
    0x8048456 <triangle+38>:   shr    $0x1f,%eax
    0x8048459 <triangle+41>:   lea    (%eax,%edx,1),%eax
    0x804845c <triangle+44>:   sar    %eax
    0x804845e <triangle+46>:   mov    %eax,0xffffffd4(%ebp)
    0x8048461 <triangle+49>:   mov    0xffffffd4(%ebp),%eax
    0x8048464 <triangle+52>:   mov    %eax,%eax
    0x8048466 <triangle+54>:   add    $0x30,%esp
    0x8048469 <triangle+57>:   pop    %esi
    0x804846a <triangle+58>:   pop    %edi
    0x804846b <triangle+59>:   pop    %ebp
    0x804846c <triangle+60>:   ret

Reading it top to bottom, the pieces of the C function are all there:

The prologue (`push %ebp; mov %esp,%ebp`) saves the caller's frame pointer and establishes a new one, `push %edi; push %esi` preserves the two callee-saved registers the string copy is about to use, and `sub $0x30,%esp` reserves 48 bytes of stack for the locals. Arguments sit at positive offsets from EBP (width at 0x8(%ebp), height at 0xc(%ebp), with the return address at 0x4(%ebp) and the saved EBP at 0(%ebp)), locals at negative offsets: array at -0x28(%ebp), which gdb prints as 0xffffffd8(%ebp), and area at -0x2c(%ebp), printed as 0xffffffd4(%ebp). This layout is worth memorising, because it tells you what an overflow of array would overwrite first: the saved ESI and EDI, then the saved EBP, then the return address.

The initialiser `int array[5] = {0,1,2,3,4}` is not five separate stores. The compiler placed the constant template in the data section at 0x8049508, and the function copies it onto the stack: `lea` puts the array's address in EDI, `mov` puts the template address in ESI, `cld` sets the forward direction, ECX is loaded with 5 because `rep movsl` copies ECX doublewords, and `repz movsl` (gdb's spelling of `rep movsl`) does the 20-byte copy. The array is never read afterwards, but at this optimisation level the copy still happens.

`mov 0x8(%ebp),%eax; mov %eax,%edx; imul 0xc(%ebp),%edx` is `width * height`, leaving the product in EDX. The next four instructions are `/ 2` on a signed value: `sar $0x1f` fills EAX with the sign of the product (0 or 0xffffffff), `shr $0x1f` reduces that to 0 or 1, `lea (%eax,%edx,1),%eax` adds it to the product, and the final `sar %eax` (an arithmetic shift by one) divides. The adjustment is there because a bare arithmetic shift rounds toward minus infinity, while C's `/` must round toward zero; the extra 1 for negative inputs makes the two agree. Expect this sar/shr/add/sar shape, or its multiply-by-reciprocal cousin for other divisors, wherever the source divides a signed integer by a constant.

The result is stored to area at -0x2c(%ebp) and immediately reloaded into EAX for `return (area)`; the following `mov %eax,%eax` is a no-op the unoptimised compiler left behind. Finally `add $0x30,%esp` releases the locals, the three `pop`s restore ESI, EDI and EBP in reverse order of the pushes, and `ret` returns to the caller with the return value in EAX.
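The lowering described above, written back into C one instruction group at a time so each line can be matched against the listing. This is an added example and not the book's code: `triangle_init` is our name for the constant template the listing reads from 0x8049508, `div2_as_compiled` reproduces the sar/shr/lea/sar sequence literally, and `div2_plain_sar` is the naive shift it is there to correct. Right-shifting a negative int in C is implementation-defined; the code assumes gcc or clang, which implement it as an arithmetic shift, matching the `sar` in the listing.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Our name for the initialiser the compiler placed in the data section
 * (0x8049508 in the listing) and copies onto the stack with rep movsl. */
static const int32_t triangle_init[5] = {0, 1, 2, 3, 4};

/* What a lone 'sar %eax' would compute: an arithmetic shift that rounds
 * toward minus infinity, so -7 >> 1 == -4, not the -3 that C's -7/2 gives. */
int32_t div2_plain_sar(int32_t x)
{
    return x >> 1;
}

/* The listing's signed divide-by-two, one line per instruction:
 *   mov %edx,%eax ; sar $0x1f,%eax ; shr $0x1f,%eax ; lea (%eax,%edx,1),%eax ; sar %eax
 * sar 31 fills eax with the sign (0 or 0xffffffff), shr 31 turns that into
 * 0 or 1, and adding it to the dividend before the final shift makes the
 * result round toward zero as C requires: -7/2 == -3. */
int32_t div2_as_compiled(int32_t product)
{
    uint32_t edx = (uint32_t)product;              /* dividend, in edx after the imul */
    uint32_t eax = edx;                            /* mov %edx,%eax */
    eax = (uint32_t)((int32_t)eax >> 31);          /* sar $0x1f,%eax  (arithmetic shift) */
    eax >>= 31;                                    /* shr $0x1f,%eax  (logical shift) */
    eax += edx;                                    /* lea (%eax,%edx,1),%eax, wraps mod 2^32 */
    return (int32_t)eax >> 1;                      /* sar %eax */
}

/* triangle() lowered the way the listing does it.  The stack offsets in the
 * comments are the listing's, relative to ebp. */
int32_t triangle_as_compiled(int32_t width, int32_t height)
{
    int32_t array[5];                                  /* at -0x28(%ebp), inside the 0x30-byte frame */
    memcpy(array, triangle_init, sizeof array);        /* lea, mov $template,%esi, cld, mov $5,%ecx, rep movsl */
    uint32_t edx = (uint32_t)width * (uint32_t)height; /* mov 0x8(%ebp),%eax ; mov %eax,%edx ; imul 0xc(%ebp),%edx */
    int32_t area = div2_as_compiled((int32_t)edx);     /* sar/shr/lea/sar, then stored at -0x2c(%ebp) */
    (void)array;                                       /* copied but never read, exactly as in the listing */
    return area;                                       /* reloaded into eax; add $0x30,%esp ; pop ; pop ; pop ; ret */
}

int main(void)
{
    int32_t w = 3, h = -5;
    printf("%d * %d / 2: C gives %d, the compiled sequence gives %d, a bare sar would give %d\n",
           w, h, (w * h) / 2, triangle_as_compiled(w, h), div2_plain_sar(w * h));
    return 0;
}
```

To reproduce a listing like the one above from the C source, build a 32-bit, unoptimised, non-PIC binary (`gcc -m32 -O0 -fno-pic -o triangle triangle.c`) and run `disassemble triangle` in gdb; addresses and the exact instruction selection will differ with the compiler version, but the prologue, the rep movsl copy, the imul and the division sequence are the shapes to look for.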


The Shellcoder's Handbook. Discovering and Exploiting Security