Assembly Language for Beginners

(nextflipdebug2) #1

8.11. ORACLE RDBMS


Listing 8.15: kqf.o

.rodata:08042680 kqftap_element <0, offset kqvt_c_0, offset kqvrow, 0> ;⤦
Çelement 0x1f6


It is interesting that this element here is0x1f6th(502nd), just like the pointer to theX$VERSIONstring in
thekqftabtable.


Probably, thekqftapandkqftabtables complement each other, just likekqfvipandkqfviw.


We also see a pointer to thekqvrow()function. Finally, we got something useful!


So we will add these tables to our oracle tables^40 utility too. ForX$VERSIONwe get:


Listing 8.16: Result of oracle tables

kqftab_element.name: [X$VERSION] ?: [kqvt] 0x4 0x4 0x4 0xc 0xffffc075 0x3
kqftap_param.name=[ADDR] ?: 0x917 0x0 0x0 0x0 0x4 0x0 0x0
kqftap_param.name=[INDX] ?: 0xb02 0x0 0x0 0x0 0x4 0x0 0x0
kqftap_param.name=[INST_ID] ?: 0xb02 0x0 0x0 0x0 0x4 0x0 0x0
kqftap_param.name=[BANNER] ?: 0x601 0x0 0x0 0x0 0x50 0x0 0x0
kqftap_element.fn1=kqvrow
kqftap_element.fn2=NULL


Withthehelpoftracer, itiseasytocheckthatthisfunctioniscalled6timesinrow(fromtheqerfxFetch()
function) while querying theX$VERSIONtable.


Let’s runtracerinccmode (it comments each executed instruction):


tracer -a:oracle.exe bpf=oracle.exe!_kqvrow,trace:cc


kqvrow proc near


var_7C = byte ptr -7Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
Dest = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h


; FUNCTION CHUNK AT .text1:056C11A0 SIZE 00000049 BYTES


push ebp
mov ebp, esp
sub esp, 7Ch
mov eax, [ebp+arg_14] ; [EBP+1Ch]=1
mov ecx, TlsIndex ; [69AEB08h]=0
mov edx, large fs:2Ch
mov edx, [edx+ecx*4] ; [EDX+ECX*4]=0xc98c938
cmp eax, 2 ; EAX=1
mov eax, [ebp+arg_8] ; [EBP+10h]=0xcdfe554
jz loc_2CE1288
mov ecx, [eax] ; [EAX]=0..5
mov [ebp+var_4], edi ; EDI=0xc98c938

loc_2CE10F6: ; CODE XREF: kqvrow+10A
; kqvrow+1A9
cmp ecx, 5 ; ECX=0..5
ja loc_56C11C7
mov edi, [ebp+arg_18] ; [EBP+20h]=0
mov [ebp+var_14], edx ; EDX=0xc98c938
mov [ebp+var_8], ebx ; EBX=0
mov ebx, eax ; EAX=0xcdfe554
mov [ebp+var_C], esi ; ESI=0xcdfe248


(^40) yurichev.com

Free download pdf