02-ia32

8/12/2019 02-ia32

1/47

Crash Dump AnalysisIA-32

Jakub Jerm Martin Dck

8/12/2019 02-ia32

2/47

Crash Dump Analysis MFF UK IA-32 2

IA-32 Overview

32 bit CISC architecture Starts with 80386

Also known as x86, i386, i586, i686, etc. Strong inheritance of 8086, even 8080

Some RISC characteristics after Pentium (P5, i586) Variable instruction size Non-orthogonal instruction set Most instructions can have memory operands

8/12/2019 02-ia32

3/47

8/12/2019 02-ia32

4/47


Little vs. Big Endian

Memory is usually addressed in bytes (8 bits) There are at least two native ways how to store

larger data structures in sequence of bytes v = 0xAA884400

Big-Endianbig end firstmost significant byte first

AA 88 !!

! " 2 3

Litte-Endian#itt#e end first#east significant byte first

!! 88 AA

! " 2 3

8/12/2019 02-ia32

5/47


Little-Endian

Storing data using larger element sizes v = 0xAA884400 Element size: 16 bits

!! AA88! " 2 3

!! AA 88

! " 2 3

8/12/2019 02-ia32

6/47


IA-32 Manuals

Intel 64 and IA-32 Architectures SoftwareDeveloper's Manual

Volume 1: Basic Architecture Volume 2A + 2B: Instruction Set Reference Volume 3A + 3B: System Programming Guide

Intel 64 and IA-32 Architectures OptimizationReference Manual

http://www.intel.com/products/processor/manuals
http://www.intel.com/products/processor/manualshttp://www.intel.com/products/processor/manuals

8/12/2019 02-ia32

7/47


IA-32 ABI

System V Application Binary Interface, Intel386Architecture Processor Supplement

This is the authoritative source of information At least for systems using GNU GCC toolchain

(GNU/Linux, *BSD, most Unixes, etc.) We will use and present a simplified view which is

sufficient for common cases (integer arguments)

www.sco.com/developers/devspecs/abi386-4.pdf
http://www.sco.com/developers/devspecs/abi386-4.pdfhttp://www.sco.com/developers/devspecs/abi386-4.pdf

8/12/2019 02-ia32

8/47


IA-32 Registers

A$ A% A&

'A&

($ (%(&

'(&

)$ )%)&

')&

D$ D%D&

'D&

DI'DI

*I'*I

(+'(+

*+'*+

,%A *',%A *

)* D* '* ** ,* *

.+/s

segmentregisters

frame

0ointer

stack

0ointer

. return 1a#ue

I+'I+

. .

8/12/2019 02-ia32

9/47


ABI in a Nutshell

Arguments passed on stack In reverse order (the last argument is pushed first)

Return value For simple integer types in EAX

Otherwise on the stack Implicit stack pointer

Some instructions use ESP as implicit registeroperand

8/12/2019 02-ia32

10/47


ABI in a Nutshell (2)

Frame pointer Usually (not always) stored in EBP

Volatile (scratch, caller-saved) registers EAX, ECX, EDX

Non-volatile (preserved, callee-saved) registers

EBX, EDI, ESI, EBP, ESP Stack aligned on 4B boundary

Some compilers use even larger alignment

8/12/2019 02-ia32

11/47


IA-32 Instructions

Hundreds of instructions Most of them have several variants (operands as

registers, operands as memory addresses, etc.) Informal classification

General purpose (arithmetic, logic, jumps, etc.) System instructions (altering processor mode) FPU instructions SIMD and other instructions (MMX, SSE, etc.)

8/12/2019 02-ia32

12/47


IA-32 Instructions (2)

Most general purpose instructions have twooperands

register register immediate register memory register immediate memory

INST opl, opr AT&T syntax

opr opr INST opl Intel syntax

opl opl INST opr

ADDL EAX, EBX EBX EBX + EAX

8/12/2019 02-ia32

13/47


IA-32 AT&T Syntax

Left operand source Right operand destination

Register names prefixed by % (e. g. %eax ) Immediate operands prefixed by $ (e. g. $0x1 ) Operand size encoded as instruction suffix

b (byte, 8 bit), w (word, 16 bit), l (long, 32 bit) Example: movl $0x1, %eax

8/12/2019 02-ia32

14/47


IA-32 AT&T Syntax (2)

Memory operands Using implicit segment register

displacement (base , index , scale ) base and index are GPRs scale is 1, 2, 4 or 8 (defaults to 1 if not specified) displacement is an immediate offset

Effective address is calculated as

EA = displacement + base + index * scale 0x8111f30 , 0x8(%ebp) , -0x28(%eax) ,-0x2(%esi, %eax, 2)

mov (%esp), %edi

8/12/2019 02-ia32

15/47


IA-32 AT&T Syntax (3)

Memory operands with explicit segment register segment_register :displacement (base , index , scale ) Segmentation is not used widely in modern OSes

Cannot be turned off Mostly used for thread-local storage and in kernel

movl %gs:0x10, %eax

When accessing memory, the segment base isalways applied (added) to the effective address Also in the case of implicit segment registers

8/12/2019 02-ia32

16/47


Common Instructions

Real programs tend to use a limited set ofinstructions most of the time

NOP, MOV, LEA ADD, SUB, INC, DEC XOR, AND, OR PUSH, POP, CALL, RET CMP, TEST JMP, JE, JNE, JL, JB, JG, JA

8/12/2019 02-ia32

17/47


Common Instructions (2)

NOP Single byte instruction, opcode 0x90 No operation (actually XCHG EAX, EAX) Important role for optimization and debugging

MOV Move between registers Memory loads and stores

8/12/2019 02-ia32

18/47



LEA Evaluate effective address in memory operand Compiler often use it as a fast calculator

EA = displacement + base + index * scale

leal (%edx, %edx, 8), %eax

EAX EDX + 8 * EDX = 9 * EDX

8/12/2019 02-ia32

19/47



ADD, SUB, XOR, AND, OR Addition, subtraction, logical exclusive OR, logical

AND, logical OR Example: xorl %ebx, %ebx

INC, DEC Increment, decrement Only one operand Example: incb %al

8/12/2019 02-ia32

20/47



PUSH Push a register

content on the stack Example: pushl %ecx

ESP ESP - 4(ESP ) ECX

POP Pop a value from the

stack Example: popl %edx

EDX (ESP )ESP ESP + 4

8/12/2019 02-ia32

21/47



CALL Call function

Example: call -0x8da0

ESP ESP - 4(ESP ) EIP + inst_size

EIP EIP - 0x8da0

RET Return from function

call Example: ret

ESP ESP + 4EIP (ESP - 4)

8/12/2019 02-ia32

22/47



CMP Compare two operands

Like SUB, but the result is discarded Modifies bits in EFLAGS register Example: cmpb $0x2f, (%esi)

TEST Test bits

Like AND, but result is discarded and EFLAGS modified Example: test %eax, %eax

8/12/2019 02-ia32

23/47



JMP Unconditional jump Relative address in operand or a long jump

JE, JNE, JL, JB, JG, JA Conditional jumps (there are many more) The condition ~ state of bits in EFLAGS

Jump if (not) equal, less (signed), below (unsigned),greater (signed), above (unsigned)

Relative address in operand ( 128 B)

8/12/2019 02-ia32

24/47


Function Prologue

pushl %ebp

movl %esp, %ebp

subl $imm, %esp movl %ebx, 4(%esp)

pushl %edi

8/12/2019 02-ia32

25/47


Function Epilogue

popl %edi

movl 4(esp), %ebx movl %ebp, %esp

popl %ebp

ret

popl %edi movl 4(esp), %ebx

leave

ret

8/12/2019 02-ia32

26/47


Stack and Code Example

Remember the foo() , bar() and foobar() from previous slides?

Compile using gcc -O1 Disassemble and single step main() and foo() Observe the stack

8/12/2019 02-ia32

27/47


Stack and Code Example (2)

main 0us4# 5eb0main6" mo1# 5es075eb0main63 sub# !9875es0main6: and# !9fffffff!75es0

main6; sub# !9"c75es0main6!9c 0us4# !98foo?main6!9" #ea1emain6!9"@ ret

foo 0us4# 5eb0foo6" mo1# 5es075eb0foo63 sub# !9" 75es0foo6: 0us4# !98bar?foo6!9e add# !9"!75es0foo6!9"" #ea1efoo6!9"2 ret

8/12/2019 02-ia32

28/47





!98! :bf! start6!98!

Initial state No instructions executed Inherited stack pointer from

main() 's caller

8/12/2019 02-ia32

29/47



Save previous framepointer on the stack



!98! :bec !98! :c!!98! :bf! start6!98!

8/12/2019 02-ia32

30/47



Establish a new, fixedframe pointer in EBP

It points to where we saved

the previous one

!98! :bec !98! :c!!98! :bf! start6!98!



8/12/2019 02-ia32

31/47



Allocate some space on thestack

Will not be used



!98! :be init6!9"a!98! :be8 !9feffbBdc!98! :bec !98! :c!!98! :bf! start6!98!

8/12/2019 02-ia32

32/47



Align the stack pointer on16 B boundary

Not required by the ABI Performance reasons



!98! :be! !98! :bec!98! :be init6!9"a!98! :be8 !9feffbBdc!98! :bec !98! :c!!98! :bf! start6!98!

8/12/2019 02-ia32

33/47



Allocate some more spaceon the stack

Will not be used



!98! :bc f0start6!92c!98! :bc8 !92;!98! :bcc f0 4C!98! :bd! !9"33f!98! :bd !98!@!cda!98! :bd8 !98!:!d3c!98! :bdc !98! :bcc!98! :be! !98! :bec!98! :be init6!9"a!98! :be8 !9feffbBdc!98! :bec !98! :c!!98! :bf! start6!98!

8/12/2019 02-ia32

34/47



Copy the incomingargument ( argc ) to theoutgoing argument ( a )



!98! :bc! "!98! :bc f0start6!92c!98! :bc8 !92;!98! :bcc f0 4C!98! :bd! !9"33f!98! :bd !98!@!cda!98! :bd8 !98!:!d3c!98! :bdc !98! :bcc!98! :be! !98! :bec!98! :be init6!9"a!98! :be8 !9feffbBdc!98! :bec !98! :c!!98! :bf! start6!98!

8/12/2019 02-ia32

35/47



Call foo()



!98! :bbc main6!9"!98! :bc! "!98! :bc f0start6!92c!98! :bc8 !92;!98! :bcc f0 4C!98! :bd! !9"33f!98! :bd !98!@!cda!98! :bd8 !98!:!d3c!98! :bdc !98! :bcc!98! :be! !98! :bec!98! :be init6!9"a!98! :be8 !9feffbBdc!98! :bec !98! :c!!98! :bf! start6!98!

8/12/2019 02-ia32

36/47



Save the previous framepointer to the stack

foo 0us4# 5eb0foo6" mo1# 5es075eb0foo63 sub# !9" 75es0foo6: 0us4# !98bar?foo6!9e add# !9"!75es0

foo6!9"" #ea1efoo6!9"2 ret!98! :bb8 !98! :bec!98! :bbc main6!9"!98! :bc! "!98! :bc f0start6!92c!98! :bc8 !92;!98! :bcc f0 4C!98! :bd! !9"33f!98! :bd !98!@!cda!98! :bd8 !98!:!d3c!98! :bdc !98! :bcc!98! :be! !98! :bec!98! :be init6!9"a!98! :be8 !9feffbBdc!98! :bec !98! :c!!98! :bf! start6!98!

8/12/2019 02-ia32

37/47



Establish a new framepointer in EBP

It points to the addresswhere the previous one isstored


foo6!9"" #ea1efoo6!9"2 ret !98! :bb8 !98! :bec!98! :bbc main6!9"!98! :bc! "!98! :bc f0start6!92c!98! :bc8 !92;!98! :bcc f0 4C!98! :bd! !9"33f!98! :bd !98!@!cda!98! :bd8 !98!:!d3c!98! :bdc !98! :bcc!98! :be! !98! :bec!98! :be init6!9"a!98! :be8 !9feffbBdc!98! :bec !98! :c!!98! :bf! start6!98!

8/12/2019 02-ia32

38/47



Allocate some space on thestack

Will not be used


foo6!9"" #ea1efoo6!9"2 ret

!98! :ba !98!@!;e8!98! :ba8 dbg desc!98! :bac 8!98! :bb! "!98! :bb !

!98! :bb8 !98! :bec!98! :bbc main6!9"!98! :bc! "!98! :bc f0start6!92c!98! :bc8 !92;!98! :bcc f0 4C!98! :bd! !9"33f!98! :bd !98!@!cda!98! :bd8 !98!:!d3c!98! :bdc !98! :bcc!98! :be! !98! :bec!98! :be init6!9"a!98! :be8 !9feffbBdc!98! :bec !98! :c!!98! :bf! start6!98!

8/12/2019 02-ia32

39/47



Copy the incomingargument of foo() to theoutgoing argument forbar()



!98! :ba! "!98! :ba !98!@!;e8!98! :ba8 dbg desc!98! :bac 8!98! :bb! "!98! :bb !


8/12/2019 02-ia32

40/47



Call bar()



!98! :b;c foo6!9e!98! :ba! "!98! :ba !98!@!;e8!98! :ba8 dbg desc!98! :bac 8!98! :bb! "!98! :bb !


8/12/2019 02-ia32

41/47



Step through and returnfrom bar()

bar() 's return value is inEAX



!98! :ba! "!98! :ba !98!@!;e8!98! :ba8 dbg desc!98! :bac 8!98! :bb! "!98! :bb !


8/12/2019 02-ia32

42/47



Free some stack space Not necessary because of

the next instruction



!98! :bb! "!98! :bb !


k d d l ( )

8/12/2019 02-ia32

43/47



Destroy foo() 's stackframe


foo6!9"" #ea1efoo6!9"2 ret !98! :bbc main6!9"!98! :bc! "!98! :bc f0start6!92c!98! :bc8 !92;!98! :bcc f0 4C!98! :bd! !9"33f!98! :bd !98!@!cda

!98! :bd8 !98!:!d3c!98! :bdc !98! :bcc!98! :be! !98! :bec!98! :be init6!9"a!98! :be8 !9feffbBdc!98! :bec !98! :c!!98! :bf! start6!98!

S k d C d E l (2)

8/12/2019 02-ia32

44/47



Return back to main() Return value is again in EAX


foo6!9"" #ea1efoo6!9"2 ret!98! :bc! "!98! :bc f0start6!92c!98! :bc8 !92;!98! :bcc f0 4C!98! :bd! !9"33f!98! :bd !98!@!cda

!98! :bd8 !98!:!d3c!98! :bdc !98! :bcc!98! :be! !98! :bec!98! :be init6!9"a!98! :be8 !9feffbBdc!98! :bec !98! :c!!98! :bf! start6!98!

S k d C d E l (2)

8/12/2019 02-ia32

45/47



Destroy main() 's stackframe

main 0us4# 5eb0main6" mo1# 5es075eb0main63 sub# !9875es0main6: and# !9fffffff!75es0main6; sub# !9"c75es0main6!9c 0us4# !98foo?main6!9" #ea1e main6!9"@ ret

!98! :bf! start6!98!

S k d C d E l (2)

8/12/2019 02-ia32

46/47



Return from main()

main 0us4# 5eb0main6" mo1# 5es075eb0main63 sub# !9875es0main6: and# !9fffffff!75es0main6; sub# !9"c75es0main6!9c 0us4# !98foo?main6!9" #ea1e main6!9"@ ret

IA 32 ABI Ch t Sh t

8/12/2019 02-ia32

47/47


IA-32 ABI Cheat Sheet

EAX return valueEBXECXEDXESIEDIEBP frame pointerESP stack pointer

non-volatile registers volatile registers

Date post:	03-Jun-2018
Category:	Documents
Upload:	achilles7
View:	216 times
Download:	0 times

02-ia32

Documents