According to this post, in x64, you can perform lea rax, [rip] to get the current instruction. How would I do this using asmjit?
I figured out the solution: assembler.lea(asmjit::x86::rax, asmjit::x86::ptr(asmjit::x86::rip));
Related
Occasionally I want to analyse the assembler produced by gcc for a function, and have long used a little script that fires up gdb with expect, fetches the disassembly, and postprocesses the result to turn it into something approximating readable assembly code.
However gdb output appears to have changed - I'm now using Ubuntu's gdb-10.2 - such that a short way through the output switches from showing locations as positive offsets from the named function to negative offsets from what I assume is the next symbol:
Dump of assembler code for function S_group_end:
0x00000000001d6320 <+0>: push %r13
0x00000000001d6322 <+2>: push %r12
...
0x00000000001d63cf <+175>: call 0xf0450 <Perl_croak>
0x00000000001d63d4 <+180>: nopl 0x0(%rax)
0x00000000001d63d8 <-1176>: cmp %rcx,%rbx
0x00000000001d63db <-1173>: jbe 0x1d6452 <S_next_symbol-1054>
...
In this case they appear to be relative to the (coincidentally named) S_next_symbol, but there's no indication of that (and it is not emitting S_next_symbol itself as a label).
Is there an option to revert the output style to what it was before (eg <S_group_end+184>), or some other way to make this output more readily parsable?
I'm reversing a compiled program (written in C) and this one opens a file (which I don't have permission to read) like this:
fopen("/home/user00/.pass", 'r')
then it checks the return:
...
0x4008a8 <main+148>: call 0x400700 <fopen#plt>
0x4008ad <main+153>: mov QWORD PTR [rbp-0x8],rax
=> 0x4008b1 <main+157>: cmp QWORD PTR [rbp-0x8],0x0
0x4008b6 <main+162>: jne 0x4008e6 <main+210>
0x4008dc <main+200>: mov edi,0x1
0x4008e1 <main+205>: call 0x400710 <exit#plt>
...
So if the file doesn't open the program exits.
I obviously can trick this, setting $rax=1, but then the program will try to read the file and it receives a segfault.
So I thought I can:
gdb call fopen("/a/file/I/can/read", 'r')
And continue my reverse work, but sadly the program receives a different segfault when I execute this command.
So I wonder, is it possible in some way (by allocating or whatever) to call fopen ?
I already searched answers on the internet without success.
This program is part of my school's Security ISO CTF challenge.
Thanks!
sadly the program receives a different segfault when I execute this command.
That's because you have a bug in your command. It should be:
(gdb) call fopen("/a/file/I/can/read", "r")
(Unlike in Python, the kind of quotes you use in C matters.)
I need help compiling the source code for Quake III Arena. I'm using the version provided by ID Software's Github account (https://github.com/id-Software/Quake-III-Arena). I'm trying to compile it in VS2015, is that a problem? It converts the project without any issues. However, when I compile, all I get is a black screen and a messed up color scheme. The debugger tells me the problem is in this funcion:
#ifdef _WIN32
__asm {
pushad
mov esi, programStack;
mov edi, opStack
call entryPoint
mov programStack, esi
mov opStack, edi
popad
}
More precisely, in the line mov programStack, esi. Any ideas? I'm trying to make a game with this engine, since it's basically the "mother" of all Fpses today :D
Any help is appreciated.
Make sure to clean all the projects in VS2015, and to the quake3 project add the following command line agruments:
+set sv_pure 0 +set vm_game 0 +set vm_cgame 0 +set vm_ui 0
Also, make sure to copy the baseq3 folder from your Quake 3 arena game into the Quake-III-Arena/code folder.
I am trying to export a .dll file and trying to use it in my c# application to write a data to a port. In my .cpp file (to create a .dll) if I use "out" command it gives "error C2415: improper operand type" error message. Do you have any idea why i cannot use this "out" command? ("mov" command is working well btw)
See my code below:
#include <stdio.h>
extern "C" __declspec(dllexport) void enableWatchDog()
_asm {
out 66,41
out 62,4
}
}
out has six forms:
out imm8, AL
out imm8, AX
out imm8, EAX
out DX, AL
out DX, AX
out DX, EAX
Your usages match none of them. Perhaps this would work (not tested):
mov al, 41
out 66, al
mov al, 4
out 62, al
I don't have too much experience with IO ports on x86, but from what I've been able to find, 66 and 62 seem a little suspicious to me. Shouldn't they be 66h and 62h? 41h (could be two flags set, or ASCII 'A') also makes a little more sense to me than 41 (a rather arbitrary number).
Assembly is not a high level language, where you can plug an arbitrary expression anywhere. The out command can only take an Ax register for a second operand, where Ax means AL, AX, or EAX. So reformulate like this:
mov al, 41
out 66, al
mov al, 4
out 62, al
The out command is privileged; it only works in kernel level drivers on Windows, trying to do it in a regular program will get you an "Invalid operation" error.
What target platform are you using for your C++ dll? You need to compile to x86 code, not CLR.
I've got a software application which some users report reliably crashes in certain situations. I can't reproduce it on any of the machines I've got so I'm feeling pretty stuck as to how to solve it.
A user posted me the assembly line where the crash happens, like this:
00505e58 1000 adc [eax],al
00505e5a cc int 3
00505e5b cc int 3
00505e5c cc int 3
00505e5d cc int 3
00505e5e cc int 3
00505e5f cc int 3
00505e60 55 push ebp
00505e61 8bec mov ebp,esp
00505e63 83ec1c sub esp,0x1c
FAULT -> 00505e66 ff4f08 dec dword ptr [edi+0x8] ds:0023:00000008=????????
00505e69 53 push ebx
00505e6a 56 push esi
00505e6b 0f85b0000000 jne Construct2+0x105f21 (00505f21)
00505e71 8d9894010000 lea ebx,[eax+0x194]
00505e77 8d45f0 lea eax,[ebp-0x10]
00505e7a 8bcb mov ecx,ebx
00505e7c e8ef4ff1ff call Construct2+0x1ae70 (0041ae70)
00505e81 8d45e4 lea eax,[ebp-0x1c]
00505e84 8bcb mov ecx,ebx
00505e86 e88580fdff call Construct2+0xddf10 (004ddf10)
I'm using Visual Studio 2010 and have my .pdbs for the build I gave the user. Is it possible to turn this assembly trace in to the faulting code line?
If you could get a full crash dump of your app when it crashes, then you could bring up the dmp in either windbg or Visual Studio and debug with source code rather easily. There's plenty of info on the web for getting a dump and debugging. For example, if you have a dump and matching pdb and bring thsi up in windbg, you can just do a ".lines" and see exactly where this is happening.
If you don't have a dump, then one way to do this is to run your app locally and look at the code at this address. It looks like your app, which I'm assuming is Construct2.exe, starts off at a base address of 0x0040000 and you're crashing at 0x00505E66 where EDI is 0. So if you flip to diassembly view, go to this address (or set a bp) then look at the source and you're good to go.