issuhub.com

Reverse Engineering for Beginners

(avery) #1 
CHAPTER 7. SCANF() CHAPTER 7. SCANF()

17 ; prepare address of x:
18 4006f0: 8f858044 lw a1,-32700(gp)
19 4006f4: 0320f809 jalr t9
20 4006f8: 248408fc addiu a0,a0,2300 ; branch delay slot
21 ; call printf():
22 4006fc: 8fbc0010 lw gp,16(sp)
23 400700: 3c040040 lui a0,0x40
24 ; get address of x:
25 400704: 8f828044 lw v0,-32700(gp)
26 400708: 8f99803c lw t9,-32708(gp)
27 ; load value from "x" variable and pass it to printf() in $a1:
28 40070c: 8c450000 lw a1,0(v0)
29 400710: 0320f809 jalr t9
30 400714: 24840900 addiu a0,a0,2304 ; branch delay slot
31 ; function epilogue:
32 400718: 8fbf001c lw ra,28(sp)
33 40071c: 00001021 move v0,zero
34 400720: 03e00008 jr ra
35 400724: 27bd0020 addiu sp,sp,32 ; branch delay slot
36 ; pack of NOPs used for aligning next function start on 16-byte boundary:
37 400728: 00200825 move at,at
38 40072c: 00200825 move at,at


Now we see thexvariable address is read from a 64KiB data buffer using GP and adding negative offset to it (line 18). More

than that, the addresses of the three external functions which are used in our example (puts(),scanf(),printf()), are

also read from the 64KiB global data buffer using GP (lines 9, 16 and 26). GP points to the middle of the buffer, and such

offset suggests that all three function’s addresses, and also the address of thexvariable, are all stored somewhere at the

beginning of that buffer. That make sense, because our example is tiny.

Another thing worth mentioning is that the function ends with twoNOPs (MOVE $AT,$AT— an idle instruction), in order

to align next function’s start on 16-byte boundary.

Initialized global variable

Let’s alter our example by giving thexvariable a default value:

int x=10; // default value

Now IDA shows that thexvariable is residing in the .data section:

Listing 7.10: Optimizing GCC 4.4.5 (IDA)

.text:004006A0 main:

.text:004006A0

.text:004006A0 var_10 = -0x10

.text:004006A0 var_8 = -8

.text:004006A0 var_4 = -4

.text:004006A0

.text:004006A0 lui $gp, 0x42

.text:004006A4 addiu $sp, -0x20

.text:004006A8 li $gp, 0x418930

.text:004006AC sw $ra, 0x20+var_4($sp)

.text:004006B0 sw $s0, 0x20+var_8($sp)

.text:004006B4 sw $gp, 0x20+var_10($sp)

.text:004006B8 la $t9, puts

.text:004006BC lui $a0, 0x40

.text:004006C0 jalr $t9 ; puts

.text:004006C4 la $a0, aEnterX # "Enter X:"

.text:004006C8 lw $gp, 0x20+var_10($sp)

; prepare high part of x address:

.text:004006CC lui $s0, 0x41

.text:004006D0 la $t9, __isoc99_scanf

.text:004006D4 lui $a0, 0x40

; add low part of x address:

.text:004006D8 addiu $a1, $s0, (x - 0x410000)

; now address of x is in $a1.

.text:004006DC jalr $t9 ; __isoc99_scanf

.text:004006E0 la $a0, aD # "%d"

.text:004006E4 lw $gp, 0x20+var_10($sp)
Free download pdf
Get our desktop app
Company
Features
Documentation
Resources
© ISSUHUB. 2024. All rights reserved.