Please for ROP refer to this paper
I'm building the gadget catalog for AVR-8bit but I have some doubts.
I'll ask my question using the following example.
In order to have v1=v1+v2; (v1 and v2 are variables)
the corresponding assembly is:
ldi r17, #value
ldi r18, #value
add r18,r17;
or
ldi r17, #value
mov r1, r17;
ldi r18, #value
add r18,r1;
or
ldi r17, #value
ldi r18, #value
mov r1, r18;
add r1,r17;
or
ldi r17, #value
mov r1, r17;
ldi r18, #value
mov r2, r18;
add r2,r1;
Will the gadget be the following?
ldi r#, #value;
ldi r#, value;
add r#, r#;
ret
or just the following combined with ldi r#,r#; ret and with the combination with mov?
add r#,r#;
ret
ldi is loading a constant and there is not much point in adding two constants at runtime. As such, your gadget will be the add; ret only, and you'll want to ensure the two operands are in the appropriate registers by using other gadgets.
It might make sense to have a gadget for adding a constant to a register, though.
Related
I have an example here. I checked on the debug and realized that in the beginning, the SP's value is 0x20001000. Why does the compiler use 0x20001000 for the intitial value of stack pointer? I created some data segments but it's still 0x20001000.
soA EQU 25
soB EQU 30
AREA RESET, DATA, READONLY
DCD 0x20001000
DCD Reset_Handler
AREA MYCODE, CODE, READONLY
EXPORT Reset_Handler
ENTRY
Reset_Handler
MOV R0, #soA
MOV R1, #soB
KiemTra
CMP R0, R1
BLT NhoHon
BEQ KetThuc
LonHon
SUB R0, R1
B KiemTra
NhoHon
SUB R1, R0
B KiemTra
KetThuc
END
this image showcase the error im getting when running the command "bochs" in the bootDIr directory where my assembly file , the image ,the binary and the script are at , the tutorial i watched was using ubuntu while im using kali,i dont think that was relevant but i would love your help
the goal is to show the "Hello" String when booting (+some messages generated by the emulator)
here is the nasm code:
[BITS 16]
[ORG 0x7c00]
start :
xor ax,ax
mov ds,ax
mov es,ax
mov ss, ax
mov sp, 0x7c00
PrintMessage :
mov ah,0x13
mov al, 1
mov bx,0xa
xor dx,dx
mov bp, Message
mov cx, MessageLen
int 0x10
End :
hlt
jmp End
Message : db "Hello"
MessageLen : equ $-Message
times (0x1be -($-$$)) db 0
db 80h
db 0,2,0
db 0f0h
db 0ffh,0ffh,0ffh
dd 1
dd (20*16*63 - 1 )
times (16*3) db 0
db 0x55
db 0xaa
I was going to post this on codereview.stackexchange.com but the problem is this code does not work correctly.
I have an AT89C4051 processor which only has one hardware UART, however I will attach two UART-based devices to it of which one is my computer. The configuration across all devices is 9600,N,8,1 (9600bps, no parity, 8 data bits, 1 stop bit)
I attempted to create two software-based UARTs with machine-optimized code that can interface between the two devices, however the data I received on my computer is incorrect.
I was expecting 'ABCD' or 'abcd' to appear on the screen but all I received was 'DDDD'.
What can I do here to fix this problem without resorting to buying extra hardware?
;dual 9600bps channels
;RX1,TX1 = uart channel
;RX2,TX2 = uart channel
;start with uart configuration
org 0000h
ljmp uartcfg
;every 1/2 bit time execute function
org 000Bh
sjmp swuartint
SWCFG equ 20h ;serial config
;config for uart 1
SWRI bit 20h.0 ;data fully received if SWRI set
serrxslow bit 20h.2 ;bit flip-flop for receive. cpl 2x = 1 full bit time
SWTI bit 20h.1 ;data fully transmitted if SWTI set
sertxslow bit 20h.3 ;bit flip-flop for transmit. cpl 2x = 1 full bit time
;config for uart 2: same format
SWRI2 bit 20h.4
serrxslow2 bit 20h.6
SWTI2 bit 20h.5
sertxslow2 bit 20h.7
SWUARTNO bit 21h.0 ;current Software Uart Number
SWRNR bit 21h.1 ;Software Uart Receiver Not Ready
SWTMP equ 0Fh ;Temporary variable to pass indirect address value to register
SBUFR2 equ 0Eh ;Uart 2 received byte value
SBUFR equ 0Dh ;Uart 1 received byte value
SBUFT2 equ 0Ch ;Uart 2 sent byte value
SBUFT equ 0Bh ;Uart 1 sent byte value
swuartint:
;1/2 bit time detected.
;save registers
push PSW
push ACC
;set register bank RS1:RS0 = 1:1 or 1:0 depending on UART wanted
;so we have our own private set of R0-R7 variables for each UART
setb RS1
mov C,SWUARTNO
mov RS0,C
;Get bit from UART 2
mov C,RX2
jb RS0,nour1
mov C,RX1 ;Get bit from UART 1 if RS0 not set
nour1:
jb SWTI,extx
;Transmit routine is only used if transmit complete flag is NOT set.
cpl sertxslow
jnb sertxslow,extx
;Only do the real transmit work on full bit times
;save existing carry flag (it has received value)
push PSW
mov A,R2 ;R2=transmit counter to load
jnz tnz
;Counter=0: Load transmitted value to R3 through temporary variable
mov SWTMP,#R1
mov R3,SWTMP
;Set counter to 1 and clear C to output start bit (of 0)
inc A
clr C
sjmp extx1
tnz:
jnb ACC.3,tne
jnb ACC.0,tne
;Counter is 9 so set transmit complete flag
setb SWTI
clr A ;set counter to 0 and set C to output stop bit (of 1)
setb C
sjmp extx1
tne:
;Counter is between 1 and 8
;Save accumulator to R5 since push/pop wastes cycles
mov R5,A
mov A,R3 ;load accumulator with outgoing data
RRC A ;shift out one byte to C
mov R3,A ;save data
mov A,R5
inc A ;increment count
extx1:
;Use right transmit channel based on chosen UART number
jb RS0,nour2
mov TX1,C
sjmp extx2
nour2:
mov TX2,C
extx2:
;Save count
mov R2,A
;and load back receiver value C
pop PSW
extx:
mov A,R7 ;load receiving count
jnz rnz
;Counter=0. Store ready status
mov SWRNR,C
jc exrx
;increment counter only if start bit=0
inc A
clr serrxslow ;reset flip flop so we wait 1 bit time to get bit.
sjmp exrx
rnz:
cpl serrxslow
jb serrxslow,exrx
;Counter > 0, 1 bit time waited
jnb ACC.3,rne
jnb ACC.0,rne
;Counter = 9. Status = Stop bit. 1=complete. 0=fail.
mov SWRI,C
;Store data
mov SWTMP,R4
mov #R0,SWTMP
;Clear count
clr A
sjmp exrx
rne:
;Counter = 1 to 8.
;Load data same way as transmit routine
mov R6,A
mov A,R4
RRC A
mov R4,A
mov A,R6
inc A ;increment count
exrx:
mov R7,A ;save count to receive count variable
;Don't switch UARTs when in the middle of a bit time
jnb sertxslow,nextuart
;Don't switch UARTs if receiver has data to process
jnb SWRNR,nextuart
;Don't switch UARTs if transmitter has data to process
jnb SWTI,nextuart
;Switch UART
cpl SWUARTNO
;Flip nibbles in configuration as each nibble
;belongs to its own UART
mov A,SWCFG
swap A
mov SWCFG,A
nextuart:
;restore registers and exit
pop ACC
pop PSW
reti
uartcfg:
setb RS1
setb RS0
mov R0,#SBUFR2 ;If RS1=RS0=1, #R0 = contents of SBUFR2
mov R1,#SBUFT2 ;If RS1=RS0=1, #R1 = contents of SBUFT2
clr RS0
mov R0,#SBUFR ;If RS1=1 and RS0=0, #R0 = contents of SBUFR
mov R1,#SBUFT ;If RS1=1 and RS0=0, #R1 = contents of SBUFT
clr RS1 ;Restore register bank (RS1=0, RS0=0)
mov SWCFG,#22h ;Set transmit complete to both UARTs at once
mov TH0,#0A0h ;Value = 256-(((crystal/baud)/12)/2) = 9.6kbps 1/2 bit rate
mov TL0,#0A0h
mov TMOD,#22h ;8-bit timers auto reload
mov SP,#50h ;get stack pointer away from our work
setb TR0 ;enable timer
mov IE,#082h ;enable Timer 0 interrupt
ljmp startapp ;go to program
;serial port 1
;plugged into computer for data testing
RX1 equ P3.0
TX1 equ P3.1
;serial port 2
RX2 equ P3.3
TX2 equ P1.2
startapp:
; Trying to output 'ABCD' or 'abcd' but all I get is 'DDDD'
mov SBUFT,#0h ;Set character for UART 1
clr SWTI ;clear complete flag
jnb SWTI,$ ;stall until character transmitted
mov SBUFT,#'A' ;repeat...
clr SWTI
jnb SWTI,$
mov SBUFT,#'B'
clr SWTI
jnb SWTI,$
mov SBUFT,#'C'
clr SWTI
jnb SWTI,$
mov SBUFT,#'D'
clr SWTI
jnb SWTI,$
mov SBUFT2,#0h ;Set character for UART 2
clr SWTI2 ;clear complete flag
jnb SWTI2,$ ;stall until character transmitted
mov SBUFT2,#'a' ;repeat...
clr SWTI2
jnb SWTI2,$
mov SBUFT2,#'b'
clr SWTI2
jnb SWTI2,$
mov SBUFT2,#'c'
clr SWTI2
jnb SWTI2,$
mov SBUFT2,#'d'
clr SWTI2
jnb SWTI2,$
sjmp $
I have some questions dealing with reading assembly instruction. I know the basic instruction syntax, but it gets confusing when some of the register comes with some address in front of it, or the question uses any of the strange instruction. Is there any easy to understand set of reference to the assembly instructions?
For example, I have a question to read these instruction:
0x401050 <what>: push %ebp
0x401051 <what+1>: mov %esp,%ebp
0x401053 <what+3>: sub $0xc,%esp
0x401056 <what+6>: mov 0x8(%ebp),%eax
0x401059 <what+9>: add $0x4,%eax
0x40105c <what+12>: mov %eax,0xfffffffc(%ebp)
0x40105f <what+15>: mov 0x8(%ebp),%eax
0x401062 <what+18>: imul 0xc(%ebp),%eax
0x401066 <what+22>: mov %eax,0xfffffff8(%ebp)
0x401069 <what+25>: mov 0xc(%ebp),%edx
0x40106c <what+28>: mov 0x8(%ebp),%eax
0x40106f <what+31>: sub %edx,%eax
0x401071 <what+33>: mov %eax,0xfffffff4(%ebp)
0x401074 <what+36>: mov 0xfffffff8(%ebp),%eax
0x401077 <what+39>: add 0xfffffffc(%ebp),%eax
0x40107a <what+42>: add 0xfffffff4(%ebp),%eax
0x40107d <what+45>: leave
0x40107e <what+46>: ret
0x401089 <main>: push %ebp
0x40108a <main+1>: mov %esp,%ebp
0x40108c <main+3>: sub $0x18,%esp
0x40108f <main+6>: and $0xfffffff0,%esp
0x401092 <main+9>: mov $0x0,%eax
0x401097 <main+14>: mov %eax,0xfffffff0(%ebp)
0x40109a <main+17>: mov 0xfffffff0(%ebp),%eax
0x40109d <main+20>: call 0x401420 <_alloca>
0x4010a2 <main+25>: call 0x4014b0 <__main>
0x4010a7 <main+30>: mov 0xc(%ebp),%eax
0x4010aa <main+33>: add $0x4,%eax
0x4010ad <main+36>: mov (%eax),%eax
0x4010af <main+38>: mov %eax,(%esp)
0x4010b2 <main+41>: call 0x4014d0 <atoi>
0x4010b7 <main+46>: mov %eax,0xfffffffc(%ebp)
0x4010ba <main+49>: mov 0xc(%ebp),%eax
0x4010bd <main+52>: add $0x8,%eax
0x4010c0 <main+55>: mov (%eax),%eax
0x4010c2 <main+57>: mov %eax,(%esp)
0x4010c5 <main+60>: call 0x4014d0 <atoi>
0x4010ca <main+65>: mov %eax,0xfffffff8(%ebp)
0x4010cd <main+68>: mov 0xfffffff8(%ebp),%eax
0x4010d0 <main+71>: inc %eax
0x4010d1 <main+72>: mov %eax,0x4(%esp)
0x4010d5 <main+76>: mov 0xfffffffc(%ebp),%eax
0x4010d8 <main+79>: add $0x2,%eax
0x4010db <main+82>: mov %eax,(%esp)
0x4010de <main+85>: call 0x401050 <what>
0x4010e3 <main+90>: mov %eax,0xfffffff4(%ebp)
0x4010e6 <main+93>: mov 0xfffffff4(%ebp),%eax
0x4010e9 <main+96>: mov %eax,0x4(%esp)
0x4010ed <main+100>: movl $0x40107f,(%esp)
0x4010f4 <main+107>: call 0x4014c0 <printf>
0x4010f9 <main+112>: mov $0x0,%eax
0x4010fe <main+117>: leave
0x4010ff <main+118>: ret
The questions are:
This program is invoked from the command line as shown:
./program 5 7
The procedure named what is called from main, with the following argument(s):
1) 6, 8
2) 7, 8
3) 5, 7
4) 7, 5
The procedure named what is called from main, and returns to main with the value:
1) 11
2) 24
3) 42
4) 66
Could anyone guide me how the instructions in this example works? Any suggestion or help would be appreciated. Thanks.
You should try and loading that binary into IDA. IDA gives you a better view of the structure and its easier to understand what it is you are trying to ask (aside from reading instructions).
Edit: https://www.hex-rays.com/products/ida/
This is for binaries, if it fits your needs, there is a free version of this software on the above page as well. You can use the demo version to do your work as well. I have used IDA Pro (demo) for viewing and editing iOS App Binaries.
To the comments below, you are the worst thing about Stack Exchange - therefore this is the last time I try to help. Reddit it is.
This is close to Using GCC to produce readable assembly?, but my context here is avr-gcc (and correspondingly, avr-objdump) for Atmel (though, I guess it would apply across the GCC board).
The thing is, I have a project of multiple .c and .cpp files; which ultimately get compiled into an executable, with the same name as the 'master' .cpp file. In this process, I can obtain assembly listing in two ways:
I can instruct gcc to emit assembly listing source (see Linux Assembly and Disassembly an Introduction) using the -S switch; in this case, I get a file, with contents like:
...
loop:
push r14
push r15
push r16
push r17
push r28
push r29
/* prologue: function /
/ frame size = 0 */
ldi r24,lo8(13)
ldi r22,lo8(1)
call digitalWrite
rjmp .L2
.L3:
ldi r24,lo8(MyObj)
ldi r25,hi8(MyObj)
call _ZN16MYOBJ7connectEv
.L2:
ldi r24,lo8(MyObj)
ldi r25,hi8(MyObj)
call _ZN16MYOBJ11isConnectedEv
...
(Haven't tried it yet; but I guess this code is compilable/buildable....)
I can inspect the final executable with, and instruct, objdump to emit assembly listing source using the -S switch; in this case, I get a file, with contents like:
...
0000066a <init>:
void init()
{
// this needs to be called before setup() or some functions won't
// work there
sei();
66a: 78 94 sei
66c: 83 b7 in r24, 0x33 ; 51
66e: 84 60 ori r24, 0x04 ; 4
670: 83 bf out 0x33, r24 ; 51
...
000006be <loop>:
6be: ef 92 push r14
6c0: ff 92 push r15
6c2: 0f 93 push r16
6c4: 1f 93 push r17
6c6: cf 93 push r28
6c8: df 93 push r29
6ca: 8d e0 ldi r24, 0x0D ; 13
6cc: 61 e0 ldi r22, 0x01 ; 1
6ce: 0e 94 23 02 call 0x446 ; 0x446
6d2: 04 c0 rjmp .+8 ; 0x6dc
6d4: 8d ef ldi r24, 0xFD ; 253
6d6: 94 e0 ldi r25, 0x04 ; 4
6d8: 0e 94 25 06 call 0xc4a ; 0xc4a <_ZN16MYOBJ7connectEv>
6dc: 8d ef ldi r24, 0xFD ; 253
6de: 94 e0 ldi r25, 0x04 ; 4
6e0: 0e 94 21 06 call 0xc42 ; 0xc42 <_ZN16MYOBJ11isConnectedEv>
...
(I did try to build this code, and it did fail - it reads the 'line numbers' as labels)
Obviously, both listings (for the loop function, at least) represent the same assembly code; except:
The gcc one (should) compile -- the objdump one does not
The objdump one contains listings of all referred functions, which could be defined in files other than the 'master' (e.g., digitalWrite) -- the gcc one does not
The objdump one contains original C/C++ source lines 'interspersed' with assembly (but only occasionally, and seemingly only for C files?) -- the gcc one does not
So, is there a way to obtain an assembly listing that would be 'compilable', however with all in-linked functions, and where source C/C++ code is (possibly, where appropriate) interspersed as comments (so they don't interfere with compilation of assembly file)? (short of writing a parser for the output of objdump, that is :))
Add the option -fverbose-asm to your gcc command line up there. (This is in the gcc manual, but it's documented under 'Code Gen Options')
The "dependencies" that you talk about often come from libraries or separate object files, so they don't have a source - they're just linked as binary code into the final executable. Since such code is not passed through the assembler, you will have to extract it using other ways - e.g. using objdump.
Maybe you should tell us what you really want to achieve because I don't see much point in such an exercise by itself.
The best I have been able to get is to use -Wa,-ahl=outfile.s instead of -S. It isn't compilable code though, but a listing file for diagnostic purposes; the compiled object file is emitted as usual.