A simple C program
Analyze a simple C program, main.c, such as:
Compile it to assembly with the command gcc -S -o main.s main.c -m32 (note the capital -S, which stops after generating assembly; the lowercase -s would strip symbols from a linked binary). The assembly file contains many assembler directives that do not correspond to machine instructions; to keep the analysis simple we remove most of them:
The result is as shown:
Introduction to the Stack
APUE explains that each C program has its own separate address space; the typical layout in memory is as follows:
The operation of the stack is similar to the stack from data structures, and the EBP and ESP registers (the exact names depend on the CPU architecture) are directly tied to stack operations.
The stack grows from high addresses toward low addresses.
- When a new stack is started, EBP and ESP point to the address just past the stack's starting address. E.g. EBP and ESP both point to 0x10000.
- A PUSHL operation first subtracts 4 from ESP (taking a 32-bit machine as the example), so ESP becomes 0xFFFC, and then stores the operand at the new top of the stack.
- A POPL operation takes the operand off the top of the stack and then adds 4 to ESP.
Function call
The call instruction invokes a subroutine: the CPU transfers control to the subroutine's code, and so that it can return to exactly the right place when the subroutine finishes, the address of the instruction following the call is pushed onto the stack first. Then a new stack frame is created for the subroutine with the following assembly instructions:
- pushl %ebp
- movl %esp,%ebp
The pushl %ebp instruction saves the base address of the calling function's frame on the stack, and after movl %esp,%ebp executes, ESP and EBP both point to the start of the new frame. When the calling function's frame needs to be restored, it suffices to execute the following instructions:
- movl %ebp,%esp
- popl %ebp
These two instructions can be replaced by the leave instruction; it is of course also possible to execute popl %ebp directly.
Once the calling function's frame has been restored, the value at the top of the stack is the address of the next instruction to execute. The ret instruction pops that address into the instruction pointer, and the CPU continues running from the instruction after the call.
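To make the push/pop, call, prologue, leave and ret steps above concrete, here is an added example (not code from the course or from the original post) that simulates those instructions on a small 32-bit stack in plain C. It assumes the stack starts at 0x10000 as in the text, and the instruction addresses 0x8048300 and 0x8048405 are constructed placeholders, not from any real binary. It also adds the bounds checks a real CPU does not do for you, so a push past the bottom or a pop past the top of the simulated stack is caught instead of silently corrupting memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simulated stack region: addresses [STACK_LOW, STACK_BASE), growing downward.
 * STACK_BASE = 0x10000 matches the text's starting value for ebp/esp. */
#define STACK_BASE 0x10000u
#define STACK_SIZE 0x100u
#define STACK_LOW  (STACK_BASE - STACK_SIZE)

struct cpu {
    uint32_t esp, ebp, eip;   /* the three registers the text talks about */
    uint8_t  mem[STACK_SIZE]; /* backing store for the stack region */
};

static void cpu_init(struct cpu *c) {
    memset(c, 0, sizeof *c);
    c->esp = c->ebp = STACK_BASE; /* both point just past the stack start */
}

/* Read a 32-bit word at a stack address (memcpy avoids alignment/aliasing issues). */
static uint32_t load(const struct cpu *c, uint32_t addr) {
    uint32_t v;
    memcpy(&v, &c->mem[addr - STACK_LOW], 4);
    return v;
}

/* pushl: esp -= 4, then store the operand at the new top of stack.
 * The bounds check is added here; hardware would just write anyway. */
static void pushl(struct cpu *c, uint32_t val) {
    if (c->esp - 4 < STACK_LOW) { fputs("stack overflow\n", stderr); abort(); }
    c->esp -= 4;
    memcpy(&c->mem[c->esp - STACK_LOW], &val, 4);
}

/* popl: load the operand from the top of stack, then esp += 4. */
static uint32_t popl(struct cpu *c) {
    if (c->esp >= STACK_BASE) { fputs("stack underflow\n", stderr); abort(); }
    uint32_t val = load(c, c->esp);
    c->esp += 4;
    return val;
}

/* call target: push the address of the next instruction, then jump. */
static void call(struct cpu *c, uint32_t target, uint32_t next_insn) {
    pushl(c, next_insn);
    c->eip = target;
}

/* prologue: pushl %ebp ; movl %esp,%ebp */
static void enter_frame(struct cpu *c) {
    pushl(c, c->ebp);
    c->ebp = c->esp;
}

/* leave: movl %ebp,%esp ; popl %ebp  (restores the caller's frame) */
static void leave(struct cpu *c) {
    c->esp = c->ebp;
    c->ebp = popl(c);
}

/* ret: pop the saved return address into eip */
static void ret(struct cpu *c) {
    c->eip = popl(c);
}

/* The text's example: fresh stack, one pushl, esp should read 0xFFFC. */
uint32_t esp_after_one_push(void) {
    struct cpu c;
    cpu_init(&c);
    pushl(&c, 0xdeadbeefu);
    return c.esp;
}

/* Walk through one complete call. Caller at eip 0x8048400 calls a function
 * at 0x8048300 (constructed addresses); the callee pushes two locals, then
 * leaves and returns. Returns 1 if every invariant held along the way. */
int run_call_sequence(void) {
    struct cpu c;
    cpu_init(&c);
    uint32_t caller_esp = c.esp, caller_ebp = c.ebp;
    c.eip = 0x8048400u;
    call(&c, 0x8048300u, 0x8048405u);
    enter_frame(&c);
    int ok = (load(&c, c.ebp + 4) == 0x8048405u)  /* return address sits at ebp+4 */
          && (load(&c, c.ebp) == caller_ebp);      /* saved caller ebp at ebp+0 */
    pushl(&c, 0x11111111u);                        /* two callee locals */
    pushl(&c, 0x22222222u);
    ok = ok && (c.esp == c.ebp - 8);
    printf("in callee: esp=0x%x ebp=0x%x eip=0x%x\n", c.esp, c.ebp, c.eip);
    leave(&c);
    ret(&c);
    printf("after ret: esp=0x%x ebp=0x%x eip=0x%x\n", c.esp, c.ebp, c.eip);
    return ok && c.esp == caller_esp && c.ebp == caller_ebp && c.eip == 0x8048405u;
}

int main(void) {
    printf("esp after one pushl: 0x%x\n", esp_after_one_push());
    return run_call_sequence() ? 0 : 1;
}
```

The frame layout this produces is the one the text describes: the return address is at ebp+4, the caller's saved EBP at ebp+0, and locals below EBP; leave followed by ret unwinds both in order, which is why corrupting the saved EBP or return address slot (for instance by writing past a local buffer) changes where execution resumes.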
"Linux Kernel Analysis" MOOC course: disassembling a simple C program and analyzing the assembly code.