Common assembler patterns explained

Work-in-progress article explaining commonly seen assembler patterns next to the C source that produces them. The listings are radare2 disassembly (`pdf @ main`) of the same program built with gcc and clang as 32-bit and 64-bit binaries, so the same pattern can be recognised across compilers and ABIs.

Static variables

String literals and other constant data are placed in the read-only section `.rodata`; that page is mapped without write permission, so attempting to modify the literal at run time faults. In the example below `str` itself is not a static variable: it is an automatic (stack) variable holding a pointer to the literal, which is why the disassembly stores the literal's address into a stack slot (`[esp + 0x18]`) and reloads it before the call. Real `static` (and global) variables live in `.data` when initialised or in `.bss` when zero-initialised, not in `.rodata`, unless they are also `const`.

source

    char *str="Hello world";   /* the pointer is a stack local; only the literal it points to is in read-only data */
    printf(str);               /* format string taken from a variable: fine only because str is a compile-time
                                  constant -- the same call with attacker-controlled data is a format-string bug */

gcc, 32-bit build: the literal's address is written to the stack slot `[esp + 0x18]` (the variable `str`), read back into `eax`, and then placed at `[esp]` as printf's first argument.

│           0x08048480      31c0           xor eax, eax
│           0x08048482      c74424184085.  mov dword [esp + 0x18], str.Hello_world ; hello.c:7     char *str="Hello world"; ; [0x8048540:4]=0x6c6c6548 LEA str.Hello_world ; "Hello world" @ 0x8048540 ; .//hello.c:7  {
│           0x0804848a      8b442418       mov eax, dword [esp + 0x18] ; hello.c:8     printf(str); ; [0x18:4]=0x8048370 section..text ; .//hello.c:8      char *str=\"Hello world\";
│           0x0804848e      890424         mov dword [esp], eax
│           0x08048491      e89afeffff     call sym.imp.printf

Stack canary

When a function is compiled with stack protection, the prologue copies the process-wide canary from thread-local storage (`gs:[0x14]` on 32-bit, `fs:[0x28]` on 64-bit, as in the listings below) into a stack slot that sits between the saved frame pointer/return address and the function's locals. Before returning, the saved copy is compared against the TLS value again (`xor`/`je` in gcc, `cmp`/`jne` in clang); a mismatch means something overwrote the slot, and `__stack_chk_fail` is called, which aborts the process instead of returning through a corrupted return address. The canary is a random value chosen at process start (libc initialises the TLS slot during startup), not a predefined constant. The gcc builds also zero `eax` immediately after saving the copy so the canary value does not linger in a register.

Limitations worth remembering: the check only fires if the overflow actually reaches the canary slot before the function returns, so it does nothing against an arbitrary write that skips the slot, against corruption of locals below the canary that are used before the return, or against an information leak that discloses the canary value. With `-fstack-protector-all` every function gets the check, which is why this `main` has one even though it declares no buffers.

source (the listings below were generated from a copy in which the literal is spelled `"Hello World"`, hence the symbol `str.Hello_World`)

/* Hello World program */

#include<stdio.h>

main()  /* NOTE(review): no return type relies on pre-C99 implicit int; current compilers want `int main(void)` */
{
    printf("Hello world");  /* no local buffers: with plain -fstack-protector a function like this would normally
                               get no canary; the listings below show one because -fstack-protector-all is used */
}

gcc -g -fstack-protector-all -m32 -o hello hello.c

            ;-- main:
╒ (fcn) sym.main 53
│           ; DATA XREF from 0x08048387 (sym.main)
│           0x0804846d      55             push ebp                    ; hello.c:6 { ; .//hello.c:6  main()
│           0x0804846e      89e5           mov ebp, esp
│           0x08048470      83e4f0         and esp, 0xfffffff0
│           0x08048473      83ec20         sub esp, 0x20
│           0x08048476      65a114000000   mov eax, dword gs:[0x14]    ; [0x14:4]=1 ; .//hello.c:6  main()
│           0x0804847c      8944241c       mov dword [esp + 0x1c], eax
│           0x08048480      31c0           xor eax, eax
│           0x08048482      c70424408504.  mov dword [esp], str.Hello_World ; hello.c:7     printf("Hello World"); ; [0x8048540:4]=0x6c6c6548 LEA str.Hello_World ; "Hello World" @ 0x8048540 ; .//hello.c:7  {
│           0x08048489      e8a2feffff     call sym.imp.printf
│           0x0804848e      8b54241c       mov edx, dword [esp + 0x1c] ; hello.c:9 } ; [0x1c:4]=52 ; .//hello.c:9
│           0x08048492      653315140000.  xor edx, dword gs:[0x14]
│       ┌─< 0x08048499      7405           je 0x80484a0
│       │   0x0804849b      e8a0feffff     call sym.imp.__stack_chk_fail
│       │   ; JMP XREF from 0x08048499 (sym.main)
│       └─> 0x080484a0      c9             leave
╘           0x080484a1      c3             ret

clang-3.8 -g -fstack-protector-all -m32 -o hello hello.c

[0x08048370]> pdf @ main
            ;-- main:
╒ (fcn) sym.main 59
│           ; var int local_4h     @ ebp-0x4
│           ; var int local_8h     @ ebp-0x8
│           ; DATA XREF from 0x08048387 (sym.main)
│           0x08048470      55             push ebp                    ; hello.c:6 { ; .//hello.c:6  main()
│           0x08048471      89e5           mov ebp, esp
│           0x08048473      83ec18         sub esp, 0x18               ; hello.c:7     printf("Hello World"); ; .//hello.c:7  {
│           0x08048476      65a114000000   mov eax, dword gs:[0x14]    ; [0x14:4]=1
│           0x0804847c      8945fc         mov dword [ebp - local_4h], eax
│           0x0804847f      89e0           mov eax, esp
│           0x08048481      c70040850408   mov dword [eax], str.Hello_World ; [0x8048540:4]=0x6c6c6548 LEA str.Hello_World ; "Hello World" @ 0x8048540
│           0x08048487      e8a4feffff     call sym.imp.printf
│           0x0804848c      658b0d140000.  mov ecx, dword gs:[0x14]    ; [0x14:4]=1
│           0x08048493      3b4dfc         cmp ecx, dword [ebp - local_4h]
│           0x08048496      8945f8         mov dword [ebp - local_8h], eax
│       ┌─< 0x08048499      0f8507000000   jne 0x80484a6
│       │   0x0804849f      31c0           xor eax, eax
│       │   0x080484a1      83c418         add esp, 0x18               ; hello.c:9 } ; .//hello.c:9
│       │   0x080484a4      5d             pop ebp
│       │   0x080484a5      c3             ret
│       │   ; JMP XREF from 0x08048499 (sym.main)
╘       └─> 0x080484a6      e895feffff     call sym.imp.__stack_chk_fail

gcc -g -fstack-protector-all -m64 -o hello hello.c

Note the `mov eax, 0` directly before the call: under the System V x86-64 ABI a variadic callee such as printf expects `al` to hold the number of vector registers used for arguments, here none. The canary now comes from `fs:[0x28]` instead of `gs:[0x14]`, and `eax` is zeroed right after the copy is saved so the canary value does not linger in a register.

;-- main:
╒ (fcn) sym.main 60
│           ; var int local_8h     @ rbp-0x8
│           ; DATA XREF from 0x004004cd (sym.main)
│           0x0040059d      55             push rbp                    ; hello.c:6 { ; .//hello.c:6  main()
│           0x0040059e      4889e5         mov rbp, rsp
│           0x004005a1      4883ec10       sub rsp, 0x10
│           0x004005a5      64488b042528.  mov rax, qword fs:[0x28]    ; [0x28:8]=0x13d0 ; '(' ; .//hello.c:6  main()
│           0x004005ae      488945f8       mov qword [rbp - local_8h], rax
│           0x004005b2      31c0           xor eax, eax
│           0x004005b4      bf64064000     mov edi, str.Hello_World    ; hello.c:7     printf("Hello World"); ; "Hello World" @ 0x400664 ; .//hello.c:7  {
│           0x004005b9      b800000000     mov eax, 0
│           0x004005be      e8bdfeffff     call sym.imp.printf
│           0x004005c3      488b55f8       mov rdx, qword [rbp - local_8h] ; hello.c:9 } ; .//hello.c:9
│           0x004005c7      644833142528.  xor rdx, qword fs:[0x28]
│       ┌─< 0x004005d0      7405           je 0x4005d7
│       │   0x004005d2      e899feffff     call sym.imp.__stack_chk_fail
│       └─> 0x004005d7      c9             leave
╘           0x004005d8      c3             ret

clang-3.8 -g -fstack-protector-all -m64 -o hello hello.c

clang at -O0 satisfies the same `al = 0` requirement through the roundabout `xor ecx, ecx` / `mov dl, cl` / `mov al, dl` sequence. It checks the canary with `cmp`/`jne` instead of gcc's `xor`/`je`, and unlike gcc it does not clear the register (`rdi`) that held the canary after the comparison.

            ;-- main:
╒ (fcn) sym.main 74
│           ; var int local_8h     @ rbp-0x8
│           ; var int local_ch     @ rbp-0xc
│           ; DATA XREF from 0x004004cd (sym.main)
│           0x004005a0      55             push rbp                    ; hello.c:6 { ; .//hello.c:6  main()
│           0x004005a1      4889e5         mov rbp, rsp
│           0x004005a4      4883ec10       sub rsp, 0x10               ; hello.c:7     printf("Hello World"); ; .//hello.c:7  {
│           0x004005a8      64488b042528.  mov rax, qword fs:[0x28]    ; [0x28:8]=0x13b0 ; '('
│           0x004005b1      488945f8       mov qword [rbp - local_8h], rax
│           0x004005b5      b974064000     mov ecx, str.Hello_World    ; "Hello World" @ 0x400674
│           0x004005ba      89cf           mov edi, ecx
│           0x004005bc      31c9           xor ecx, ecx
│           0x004005be      88ca           mov dl, cl
│           0x004005c0      88d0           mov al, dl
│           0x004005c2      e8b9feffff     call sym.imp.printf
│           0x004005c7      64488b3c2528.  mov rdi, qword fs:[0x28]    ; [0x28:8]=0x13b0 ; '('
│           0x004005d0      483b7df8       cmp rdi, qword [rbp - local_8h]
│           0x004005d4      8945f4         mov dword [rbp - local_ch], eax
│       ┌─< 0x004005d7      0f8508000000   jne 0x4005e5
│       │   0x004005dd      31c0           xor eax, eax
│       │   0x004005df      4883c410       add rsp, 0x10               ; hello.c:9 } ; .//hello.c:9
│       │   0x004005e3      5d             pop rbp
│       │   0x004005e4      c3             ret
│       │   ; JMP XREF from 0x004005d7 (sym.main)
╘       └─> 0x004005e5      e886feffff     call sym.imp.__stack_chk_fail