0

I'm very new to assembly language. I've been studying it for 2 weeks now. Here is a dump generated by objdump. objdump -Mintel -d stack

00000560 <function>:
    560:    55                      push   ebp
    561:    89 e5                   mov    ebp,esp
    563:    83 ec 10                sub    esp,0x10
    566:    e8 26 00 00 00          call   591 <__x86.get_pc_thunk.ax>
    56b:    05 95 1a 00 00          add    eax,0x1a95
    570:    90                      nop
    571:    c9                      leave
    572:    c3                      ret

00000573 <main>:
    573:    55                      push   ebp
    574:    89 e5                   mov    ebp,esp
    576:    e8 16 00 00 00          call   591 <__x86.get_pc_thunk.ax>
    57b:    05 85 1a 00 00          add    eax,0x1a85
    580:    6a 03                   push   0x3
    582:    6a 02                   push   0x2
    584:    6a 01                   push   0x1
    586:    e8 d5 ff ff ff          call   560 <function>
    58b:    83 c4 0c                add    esp,0xc
    58e:    90                      nop
    58f:    c9                      leave
    590:    c3                      ret

I'm currently study stack. I'm not sure if prolog is only applicable to functions. I don't see sub on the third line of main function. Not sure if prolog always uses that pattern.

I'm also confused at <__x86.get_pc_thunk.ax> Not sure what it is.

I'm also wondering why it's adding 0x1a95 to eax and I'm not sure why it picked that number. In the main, the value that was added to eax was 0x1a85.

Here's the c that I compiled with gcc. I used gcc -m32 -ggdb stack.c -o stack

void function(int a, int b, int c) {
  char buffer1[5];
  char buffer2[10];
}

void main() {
  function(1, 2,3 );
}

Now I'm trying to find buffer1 and buffer2 in the disassembled code. The buffer1[5] I guess would be 0x05 and buffer2[10] would be 0x0a. I can't find it in the disassembled code.

1201ProgramAlarm
  • 32,384
  • 7
  • 42
  • 56
devwannabe
  • 3,160
  • 8
  • 42
  • 79
  • 3
    You do not use them for anything. Also, you did not enable optimization. Furthermore you seem to be generating position independent code, which is what the `get_pc_thunk` is about. Write some sensible code that actually does something and enable optimizations. If you don't care about position independence, disable that to get more readable output. – Jester Jun 19 '19 at 14:37
  • I'll be adding -O and -no-pie Thank you for the advice. I'm still learning. I did that kind of example to learn how stack works. – devwannabe Jun 20 '19 at 00:27

1 Answers1

2

The arrays buffer1 and buffer2 are allocated on the stack, using the instruction 

sub esp, 0x10

What this does is subtract 0x10 or 16 from the current value of the stack pointer, i.e. esp, which grows the stack space in your function by 16 bytes (a char is a single byte, and there is 5 of them in buffer1 and 10 of them in buffer2, and the result gets rounded up to 16 bytes for alignment reasons, AFAIK). There is no such instruction in main() because it has no local variables and hence needs no stack space.

(This is explained in far more detail in chapter 4 of this book: http://pacman128.github.io/pcasm/)

Martin Wanvik
  • 131
  • 3