Global variable gets corrupted after software interrupt - linux

I'm currently learning x86 assembly language at school, so I may be asking a dumb question (though I found nothing useful when searching).
I have some global variables declared in the data section in the main file, and then I have a second file where there are two functions that use these global variables.
.section .data
.globl file_desc
.globl init
.globl reset
.globl rpm
file_desc: .long
init: .int
reset: .int
rpm: .long
In _start, I call the sys_open syscall to get the file descriptor and save it in the file_desc variable.
Then I call a function in the other file:
read_init:
# read one byte of INIT and convert it
movl $SYS_READ, %eax
movl file_desc, %ebx # fd saved by _start
leal init, %ecx # buffer = address of init
movl $1, %edx # read 1 byte
int $0x80
cmpl $0, %eax # 0 means EOF (a negative value, i.e. an error, is treated the same here)
jle eof
jmp get_init
eof:
movl $47, init # 47 - 48 below gives -1, the EOF marker
get_init:
subb $48, init # ASCII digit -> numeric value of INIT
# skip 1 byte
movl $SYS_SEEK, %eax
movl file_desc, %ebx
movl $1, %ecx # offset 1
movl $1, %edx # SEEK_CUR
int $0x80
ret
The problem is that when I reach the sys_lseek syscall, file_desc has been modified! I checked it with GDB: after the read syscall the value is not the same.
In theory it shouldn't be modified, so what the heck is my program doing?

Related

read data character by character from file in assembly GAS compiler

I'm writing an assembly program with the GAS compiler and AT&T syntax.
I have 2 files: one to read from and another one to write to.
From the terminal I launch the program like this: ./myprogram inputfile.txt outputfile.txt
Now I want to read the input data character by character, and this is how I'm trying to do it:
.section .data
buff_size: .long 1
.section .bss
.lcomm buff, 18
.section .text # declaring our .text segment
.globl _start # telling where program execution should start
_start:
popl %eax # Get the number of arguments
popl %ebx # Get the program name
popl %ebx # Get the first actual argument - file to read
# open the file
movl $5, %eax # open
movl $0, %ecx # read-only mode
int $0x80
# read the file
movl $0, %esi
# these 6 instructions read first character from inputfile.txt
movl %eax, %ebx # file_descriptor,
movl $3, %eax
movl $buff, %edi
leal (%esi,%edi,1), %ecx
movl buff_size, %edx
int $0x80
# these 6 instructions can't read the second character from inputfile.txt and I can't understand why.
movl $1, %esi
movl $3, %eax
movl $buff, %edi
leal (%esi,%edi,1), %ecx
movl buff_size, %edx
int $0x80
# open the output file
popl %ebx # Get the second actual argument - file to write
movl $5, %eax # open
movl $2, %ecx # O_RDWR
int $0x80
# write buff to the output file
movl %eax, %ebx # file_descriptor
movl $4, %eax
leal buff, %ecx
movl buff_size, %edx # buff_size is 1, so one byte is written
int $0x80
# exit
movl $1, %eax
movl $0, %ebx
int $0x80
This piece of code reads the first character from inputfile.txt successfully and writes that character into outputfile.txt...
Now I want to read and write the second character, but it doesn't work, as noted in the comment I wrote in the code.
FYI:
OS: Ubuntu 14 - 64 bit
Compiler: GAS
My inputfile.txt looks so: 4,3,55,15,8,9
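Both questions above come down to reading a file one byte per system call and acting on the value the kernel hands back. The C program below is an added example, not code from either post. It issues read(2) and write(2) through syscall(2) so it runs on any Linux architecture (the raw int $0x80 path returns -errno directly in %eax, whereas syscall(2) returns -1 and sets errno; the kernel-side behaviour is the same), tells end-of-file (0) apart from an error (negative) instead of folding both into one "jle eof", and generalises the first question's subtract-48 digit conversion to the multi-digit, comma-separated numbers of the second question's input. The sample input is constructed to match that inputfile.txt; tmpfile() stands in for the paths the programs take from argv.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Sample input, constructed to match the second question's inputfile.txt. */
static const char SAMPLE[] = "4,3,55,15,8,9";

/* Results of read_byte(): the kernel returns 0 at end of file and a negative
 * value on error; a single "jle eof" lumps the two together. */
enum { RB_EOF = -1, RB_ERR = -2 };

/* Read exactly one byte from fd with read(2) issued through syscall(2).
 * Returns the byte (0..255), RB_EOF, or RB_ERR. */
int read_byte(int fd)
{
    unsigned char c;
    long n = syscall(SYS_read, fd, &c, 1);
    if (n == 0) return RB_EOF;
    if (n < 0) return RB_ERR;        /* int $0x80 would leave -errno in %eax */
    return c;
}

/* Write one byte to fd with write(2); 0 on success, -1 on error. */
int write_byte(int fd, unsigned char c)
{
    return syscall(SYS_write, fd, &c, 1) == 1 ? 0 : -1;
}

/* Parse comma-separated decimal numbers one byte per system call: the first
 * question's read-then-subtract-'0' step, generalised to multi-digit numbers.
 * Stores up to max values in out; returns how many were stored, or -1 on a
 * read error or an unexpected byte. */
int parse_numbers(int fd, long *out, int max)
{
    int count = 0, have_digit = 0;
    long cur = 0;
    for (;;) {
        int b = read_byte(fd);
        if (b == RB_ERR) return -1;
        if (b == RB_EOF || b == ',') {
            if (have_digit && count < max) out[count++] = cur;
            if (b == RB_EOF) return count;
            cur = 0;
            have_digit = 0;
        } else if (b >= '0' && b <= '9') {
            cur = cur * 10 + (b - '0');  /* the asm's subb $48, accumulated */
            have_digit = 1;
        } else {
            return -1;
        }
    }
}

/* Copy in to out one read/write pair per byte (the second question's loop,
 * run to end of file).  Returns bytes copied, or -1 on error. */
long copy_bytewise(int in, int out)
{
    long copied = 0;
    for (;;) {
        int b = read_byte(in);
        if (b == RB_EOF) return copied;
        if (b == RB_ERR || write_byte(out, (unsigned char)b) < 0) return -1;
        copied++;
    }
}

/* Anonymous temporary file containing s, positioned at offset 0; stands in
 * for the files the questions open by path from argv. */
static int make_fd(const char *s)
{
    FILE *f = tmpfile();
    if (f == NULL) return -1;
    int fd = fileno(f);
    size_t len = strlen(s);
    if (write(fd, s, len) != (ssize_t)len) return -1;
    return lseek(fd, 0, SEEK_SET) == 0 ? fd : -1;
}

/* Parse SAMPLE; returns the sum of its six numbers (4+3+55+15+8+9 = 94),
 * or -1 if parsing did not yield exactly six values. */
long demo_sum(void)
{
    long vals[16], sum = 0;
    int fd = make_fd(SAMPLE);
    if (fd < 0) return -1;
    int n = parse_numbers(fd, vals, 16);
    if (n != 6) return -1;
    for (int i = 0; i < n; i++) sum += vals[i];
    return sum;
}

/* Round-trip SAMPLE through copy_bytewise(); 1 if the copy is identical. */
int demo_copy_ok(void)
{
    char back[64] = { 0 };
    int in = make_fd(SAMPLE), out = make_fd("");
    if (in < 0 || out < 0) return 0;
    if (copy_bytewise(in, out) != (long)strlen(SAMPLE)) return 0;
    if (lseek(out, 0, SEEK_SET) != 0) return 0;
    if (read(out, back, sizeof back - 1) != (ssize_t)strlen(SAMPLE)) return 0;
    return strcmp(back, SAMPLE) == 0;
}

int main(void)
{
    printf("sum of numbers: %ld\n", demo_sum());
    printf("byte-wise copy matches: %d\n", demo_copy_ok());
    return 0;
}
```

One byte per system call is what both posts do and is fine for learning; a real program would read into a larger buffer and walk it in user space, since every int $0x80 or syscall(2) is a kernel round trip.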

Linux x86 assembly printing problems

I wrote this to print argv[0] in x86:
.section .data
newline: .int 0xa, 0
.section .text
.globl _start
_start:
sub %al, %al
movl 4(%esp), %edi /* Pointer to argv[0]. */
sub %ecx, %ecx /* Set %ecx to 0.*/
not %ecx /* Set %ecx to -1.*/
repne scasb /* Search for %al over and over.*/
not %ecx /* Set %ecx to |%ecx| - 1.*/
dec %ecx
movl %ecx, %edx /* Move the strlen of argv[0] into %edx.*/
movl $4, %eax
movl $1, %ebx
movl 4(%esp), %ecx
int $0x80
movl $newline, %ecx
movl $1, %edx
int $0x80
movl $1, %eax
movl $0, %ebx
int $0x80
When I run this file ("print"), the output is this:
[08:27 assembly]$ ./print test
./print[08:30 assembly]$
When I ran this through gdb, the actual string length held in edx is 27, and the string it's checking is "/home/robert/assembly/print", not "./print". So I changed the %esp offsets to 8, to check argv[1]. With the same command as before, the output is this:
test
[08:33 assembly]$
Why does checking argv[0] cause the strange output, when argv[1] does as expected?
I think gdb is "helping" you by adding the full path to argv[0]. After printing, %eax holds the number of characters printed, so you'll want to reload %eax for sys_write again to print the $newline (%ebx should still be okay) - by luck, "test" is the right length. Lord knows what system call you're getting with that longer string!
I'd say you're doing good! (might be a good idea to check argc to make sure argv[1] is there before you try to print it).

sys_execve system call from Assembly

asm_execve.s:
.section .data
file_to_run:
.ascii "/bin/sh"
.section .text
.globl main
main:
pushl %ebp
movl %esp, %ebp
subl $0x8, %esp # array of two pointers. array[0] = file_to_run array[1] = 0
movl file_to_run, %edi
movl %edi, -0x4(%ebp)
movl $0, -0x8(%ebp)
movl $11, %eax # sys_execve
movl file_to_run, %ebx # file to execute
leal -4(%ebp), %ecx # command line parameters
movl $0, %edx # environment block
int $0x80
leave
ret
makefile:
NAME = asm_execve
$(NAME) : $(NAME).s
gcc -o $(NAME) $(NAME).s
Program is executed, but sys_execve is not called:
alex#alex32:~/project$ make
gcc -o asm_execve asm_execve.s
alex#alex32:~/project$ ./asm_execve
alex#alex32:~/project$
Expected output is:
alex#alex32:~/project$ ./asm_execve
$ exit
alex#alex32:~/project$
This Assembly program is supposed to work like the following C code:
char *data[2];
data[0] = "/bin/sh";
data[1] = NULL;
execve(data[0], data, NULL);
Is something wrong with the system call parameters?
The execve system call is being called, but you are indeed passing it bad parameters.
(You can see this by running your executable using strace.)
There are three problems:
.ascii does not 0-terminate the string. (You might get lucky, as there is nothing following it in your .data section in this example, but that's not guaranteed...) Add a 0, or use .asciz (or .string) instead.
movl file_to_run, %edi moves the value pointed to by the file_to_run symbol into %edi, i.e. the first 4 bytes of the string (0x6e69622f). The address of the string is just the value of the symbol itself, so you need to use the $ prefix for literal values: movl $file_to_run, %edi. Similarly, you need to say movl $file_to_run, %ebx a few lines further down. (This is a common source of confusion between AT&T syntax and Intel syntax!)
The parameters are placed on the stack in the wrong order: -0x8(%ebp) is a lower address than -0x4(%ebp). So the address of the command string should be written to -0x8(%ebp), the 0 should be written to -0x4(%ebp), and the leal instruction should be leal -8(%ebp), %ecx.
Fixed code:
.section .data
file_to_run:
.asciz "/bin/sh"
.section .text
.globl main
main:
pushl %ebp
movl %esp, %ebp
subl $0x8, %esp # array of two pointers. array[0] = file_to_run array[1] = 0
movl $file_to_run, %edi
movl %edi, -0x8(%ebp)
movl $0, -0x4(%ebp)
movl $11, %eax # sys_execve
movl $file_to_run, %ebx # file to execute
leal -8(%ebp), %ecx # command line parameters
movl $0, %edx # environment block
int $0x80
leave
ret
You actually don't need to load anything in the other arguments. If you are doing this in x86 the following simpler code will also work:
.section .data
file_to_run:
.asciz "/bin/sh"
.section .text
.globl main
main:
pushl %ebp
movl %esp, %ebp
movl $11, %eax # sys_execve
movl $file_to_run, %ebx # file to execute
movl $0, %ecx # NULL argv works too
movl $0, %edx # NULL envp works too
int $0x80
leave
ret
This will essentially open a shell terminal after invoking the system call.
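The three mistakes the first answer lists, worked through in C as an added example (not code from the question or either answer). movl_from_symbol() computes what movl file_to_run, %ebx actually loads without the $: the first four bytes of the string as a little-endian word, 0x6e69622f for "/bin/sh", rather than its address. is_nul_terminated() is the property .asciz gives a string and .ascii does not. exec_and_wait() issues the execve system call itself through syscall(2) with a NULL-terminated argv, in a forked child so the parent can read back the exit status; a C array such as char *argv[] = { path, NULL } puts argv[0] at the lowest address, the same layout the fixed assembly gets by writing the pointer to -0x8(%ebp), 0 to -0x4(%ebp) and passing -8(%ebp) in %ecx. The shell is run with a constructed -c 'exit N' rather than interactively so the example finishes without terminal input, and the nonexistent path used to show the failure case is likewise constructed.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* The .asciz string: 8 bytes, the last one the NUL that execve needs. */
static const char FILE_TO_RUN[] = "/bin/sh";

/* What `movl file_to_run, %reg` (no `$`) loads: the four bytes stored at the
 * symbol, assembled as a little-endian 32-bit value, not the symbol's address.
 * Computed byte by byte so the result is the same on any host. */
uint32_t movl_from_symbol(const char *sym)
{
    const unsigned char *b = (const unsigned char *)sym;
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* 1 if the len bytes at bytes end in NUL (what .asciz emits and .ascii does not). */
int is_nul_terminated(const unsigned char *bytes, size_t len)
{
    return len > 0 && bytes[len - 1] == '\0';
}

/* Fork, then in the child issue execve(path, argv, NULL) as a raw system call
 * through syscall(2).  argv must be NULL-terminated with argv[0] at the lowest
 * address, exactly as the fixed assembly lays it out starting at -8(%ebp).
 * Returns the child's exit status, 127 if execve itself failed, -1 on a
 * fork/wait error. */
int exec_and_wait(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        syscall(SYS_execve, path, argv, (char *const *)NULL);
        _exit(127);               /* only reached when execve fails */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Run /bin/sh with a constructed "-c 'exit N'" so the demo does not sit
 * waiting for terminal input as an interactive shell would; returns N. */
int run_sh_exit(int code)
{
    char cmd[32];
    snprintf(cmd, sizeof cmd, "exit %d", code);
    char *argv[] = { (char *)FILE_TO_RUN, "-c", cmd, NULL };  /* NULL terminator */
    return exec_and_wait(FILE_TO_RUN, argv);
}

/* Provoke the failure path with a constructed path that does not exist. */
int run_missing_path(void)
{
    char *argv[] = { "no-such-binary", NULL };
    return exec_and_wait("/nonexistent/no-such-binary", argv);
}

int main(void)
{
    printf("movl file_to_run, %%ebx loads 0x%08x, not an address\n",
           movl_from_symbol(FILE_TO_RUN));
    printf("\"/bin/sh\" via .asciz is NUL-terminated: %d\n",
           is_nul_terminated((const unsigned char *)FILE_TO_RUN, sizeof FILE_TO_RUN));
    printf("/bin/sh -c 'exit 7' returned %d\n", run_sh_exit(7));
    printf("execve of a missing path returned %d\n", run_missing_path());
    return 0;
}
```

Running the original, unfixed assembly under strace shows the same failure this program models: execve receives 0x6e69622f as its first argument, which is not a mapped address, and returns -EFAULT.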

Printing Range Of ASCII Characters From Registers in x86 Assembly

I'm trying to print a range of ascii characters with this assembly program.
I'm trying to do it using only the registers, but haven't been having much luck. Everything looks fine to me, but I'm a novice at assembly programming and might have missed something obvious. Any insight will be appreciated. Thanks :)
.text
.global _start
_start:
movl $1, %edx
movl $65, %ebx
start_loop:
addl $1, %ebx
movl $0x04, %eax
int $0x80
cmpl $126, %ebx
jle start_loop
jmp start_loop
exit:
movl $0, %ebx
movl $1, %eax
int $0x80
You are invoking the sys_write system call. sys_write() takes three arguments: the file descriptor of the output device (1 for stdout), the address of the buffer where you stored the value to be printed, and the size of the data to be printed. So you have to store the file descriptor in %ebx, the address of the buffer in %ecx, and the size of the data in %edx. To store the file descriptor you can use the following instruction:
movl $1, %ebx # store 1 (stdout) in ebx
To store the size of the data you can use:
movl $1, %edx # size is 1 byte
Now you have to store the address of the buffer: you need to put your data somewhere in memory and store the address of that memory in %ecx. Assuming you want to store the data on the stack itself, you can do it like this:
subl $4, %esp # get 4 bytes of memory on the stack
movl $65, (%esp) # store the data in the memory esp points to
movl %esp, %ecx # store the address of the data in ecx
Now you can issue the int 0x80.
movl $04, %eax # store the syscall number in eax
int $0x80 # issue the trap interrupt
As a whole you can write the following code:
.text
.globl _start
_start:
movl $1, %ebx # fd 1 = stdout
subl $0x4, %esp # reserve a 4-byte slot on the stack for the character
movl $64, (%esp) # one below 'A'; the loop increments before printing
start_loop:
movl (%esp), %eax
addl $1, %eax
movl %eax, (%esp) # next character code into the buffer
movl %esp, %ecx # buffer address
movl $1, %edx # one byte
movl $0x04, %eax # sys_write
int $0x80
movl (%esp), %eax
cmpl $126, %eax
jl start_loop # stop once '~' (126) has been printed
addl $0x4, %esp
movl $1, %eax # sys_exit
movl $0, %ebx
int $0x80
See Linux System Calls Part2 at http://www.rulingminds.com/syscallspart2 to know more about registers and system calls usage.
"Thank you very much for the informative answer, but is there a way to store and retrieve the value to be printed in a register without pointing to it?" -- this should probably have been edited into the question.
If you insist on using only syscalls (int $0x80) to interface with the system, then the answer is no. You have to somehow pass a buffer to write, and rulingminds' answer applies.
Using the libc putchar(3) it's straightforward. I use %ebx to keep the ASCII code, as this register is preserved between function calls on Linux. Simply assemble using gcc filename.S (remembering to use -m32 if you are on x86_64).
.text
.extern putchar
.global main
main:
# %ebx is callee-saved, so keep the caller's copy while we use it
push %ebx
# make room for argument to putchar on the stack
sub $4, %esp
# initialize ebx with first value to print
mov $'A', %ebx
1:
# give character to print as argument
mov %ebx, (%esp)
call putchar
# move to next character
inc %ebx
# are we done?
cmp $'~', %ebx
jle 1b
# print newline
movl $10, (%esp)
call putchar
# adjust stack back to normal
add $4, %esp
pop %ebx
# return 0 from main
mov $0, %eax
ret

Segmentation Fault when shutting down Linux with assembly application

The following application generates a Segmentation Fault when executed:
.set __NR_reboot, 169
.set LINUX_REBOOT_CMD_POWER_OFF, 0x4321FEDC
.section .text
.globl _start
_start:
movl $LINUX_REBOOT_CMD_POWER_OFF, %ebx
movl $__NR_reboot, %eax
int $0x80
It's a quite simple application and I must be missing something really obvious. Can someone help me?
It was compiled with:
as shutdown.s -o shutdown.o
ld shutdown.o -o shutdown
EDIT:
Even a simple application that just calls syscall sync() generates a Segmentation Fault:
.set __NR_sync, 36
.section .text
.globl _start
_start:
movl $__NR_sync, %eax
int $0x80
movl $1, %eax #syscall exit
movl $0, %eax
int $0x80
WARNING: remember to sync(2) before calling reboot(2).
The reboot(2) system call takes 4 parameters. You are confusing it with the libc wrapper.
WARNING: remember to sync(2) before calling reboot(2).
(It actually takes the magic* parameters so that people have to reread the documentation and don't forget calling sync(2).)
WARNING: Did I say that you have to sync(2) before calling reboot(2)?
I'm adding the final & working source code as this question might interest somebody in the future:
# For the right sys_call numbers on your arch,
# check <asm/unistd_32.h> (or unistd_64.h)
.set __NR_sync, 36 # sys_call sync()
.set __NR_reboot, 88 # sys_call reboot()
.set LINUX_REBOOT_MAGIC1, 0xfee1dead # flags are specified in: <linux/reboot.h>
.set LINUX_REBOOT_MAGIC2, 672274793
.set LINUX_REBOOT_CMD_POWER_OFF, 0x4321fedc
.set LINUX_REBOOT_CMD_RESTART, 0x01234567
.section .text
.globl _start
_start:
movl $__NR_sync, %eax # call sync()
int $0x80
movl $__NR_reboot, %eax
movl $LINUX_REBOOT_MAGIC1, %ebx
movl $LINUX_REBOOT_MAGIC2, %ecx
movl $LINUX_REBOOT_CMD_RESTART, %edx
#movl $0, %esi
int $0x80 # call reboot()
movl $1, %eax
movl $0, %ebx
int $0x80 # call exit()
From linux/i386/syscall.S: The function number should be placed in %eax and any arguments in the following registers in order: %ebx, %ecx, %edx, %esi, %edi, and %ebp.
Which is why the last movl %eax,0 in the code should be changed to movl %ebx, 0.
