search

eteran / edb-debugger

edb is a cross-platform AArch32/x86/x86-64 debugger.
GNU General Public License v2.0
2.68k stars 322 forks source link

EDB shows very long list of instruction on Disassembly View #806

Closed damian3012 closed 2 years ago

damian3012 commented 3 years ago

Hi.the debugger shows very long list of instructions on Disassembly View on very trivial program,is this normal,or I do something wrong?the debugger correctly displays the instructions of the program itself but apart of that there is a very long list.I am a beginner

merces commented 3 years ago

It's hard to say without looking at your binary but yes, that should be normal. Even a simple "hello, world" program can disassemble to many lines of code as the compiler needs to add lots of code to deal with lots of things (I won't go into details since you just mentioned you're a beginner and I don't want to confuse you). For example, take the following source code:

$ cat hello.c
#include <stdio.h>

int main(void) {
    printf("Hello, world!\n");
    return 0;
}

Compiling it in a 64-bit system with gcc -o hello hello.c here, the output file has 6.4 KB. It's a lot. If I look at the disassemble (using objdump for that), here's the output:

$ objdump -dM intel hello

hello:     file format elf64-x86-64

Disassembly of section .init:

00000000004003a8 <_init>:
  4003a8:   48 83 ec 08             sub    rsp,0x8
  4003ac:   48 8b 05 fd 04 20 00    mov    rax,QWORD PTR [rip+0x2004fd]        # 6008b0 <_DYNAMIC+0x1d0>
  4003b3:   48 85 c0                test   rax,rax
  4003b6:   74 05                   je     4003bd <_init+0x15>
  4003b8:   e8 43 00 00 00          call   400400 <__gmon_start__@plt>
  4003bd:   48 83 c4 08             add    rsp,0x8
  4003c1:   c3                      ret

Disassembly of section .plt:

00000000004003d0 <puts@plt-0x10>:
  4003d0:   ff 35 ea 04 20 00       push   QWORD PTR [rip+0x2004ea]        # 6008c0 <_GLOBAL_OFFSET_TABLE_+0x8>
  4003d6:   ff 25 ec 04 20 00       jmp    QWORD PTR [rip+0x2004ec]        # 6008c8 <_GLOBAL_OFFSET_TABLE_+0x10>
  4003dc:   0f 1f 40 00             nop    DWORD PTR [rax+0x0]

00000000004003e0 <puts@plt>:
  4003e0:   ff 25 ea 04 20 00       jmp    QWORD PTR [rip+0x2004ea]        # 6008d0 <_GLOBAL_OFFSET_TABLE_+0x18>
  4003e6:   68 00 00 00 00          push   0x0
  4003eb:   e9 e0 ff ff ff          jmp    4003d0 <_init+0x28>

00000000004003f0 <__libc_start_main@plt>:
  4003f0:   ff 25 e2 04 20 00       jmp    QWORD PTR [rip+0x2004e2]        # 6008d8 <_GLOBAL_OFFSET_TABLE_+0x20>
  4003f6:   68 01 00 00 00          push   0x1
  4003fb:   e9 d0 ff ff ff          jmp    4003d0 <_init+0x28>

0000000000400400 <__gmon_start__@plt>:
  400400:   ff 25 da 04 20 00       jmp    QWORD PTR [rip+0x2004da]        # 6008e0 <_GLOBAL_OFFSET_TABLE_+0x28>
  400406:   68 02 00 00 00          push   0x2
  40040b:   e9 c0 ff ff ff          jmp    4003d0 <_init+0x28>

Disassembly of section .text:

0000000000400410 <_start>:
  400410:   31 ed                   xor    ebp,ebp
  400412:   49 89 d1                mov    r9,rdx
  400415:   5e                      pop    rsi
  400416:   48 89 e2                mov    rdx,rsp
  400419:   48 83 e4 f0             and    rsp,0xfffffffffffffff0
  40041d:   50                      push   rax
  40041e:   54                      push   rsp
  40041f:   49 c7 c0 70 05 40 00    mov    r8,0x400570
  400426:   48 c7 c1 00 05 40 00    mov    rcx,0x400500
  40042d:   48 c7 c7 e7 04 40 00    mov    rdi,0x4004e7
  400434:   e8 b7 ff ff ff          call   4003f0 <__libc_start_main@plt>
  400439:   f4                      hlt
  40043a:   66 0f 1f 44 00 00       nop    WORD PTR [rax+rax*1+0x0]

0000000000400440 <deregister_tm_clones>:
  400440:   55                      push   rbp
  400441:   b8 f0 08 60 00          mov    eax,0x6008f0
  400446:   48 3d f0 08 60 00       cmp    rax,0x6008f0
  40044c:   48 89 e5                mov    rbp,rsp
  40044f:   74 17                   je     400468 <deregister_tm_clones+0x28>
  400451:   b8 00 00 00 00          mov    eax,0x0
  400456:   48 85 c0                test   rax,rax
  400459:   74 0d                   je     400468 <deregister_tm_clones+0x28>
  40045b:   5d                      pop    rbp
  40045c:   bf f0 08 60 00          mov    edi,0x6008f0
  400461:   ff e0                   jmp    rax
  400463:   0f 1f 44 00 00          nop    DWORD PTR [rax+rax*1+0x0]
  400468:   5d                      pop    rbp
  400469:   c3                      ret
  40046a:   66 0f 1f 44 00 00       nop    WORD PTR [rax+rax*1+0x0]

0000000000400470 <register_tm_clones>:
  400470:   be f0 08 60 00          mov    esi,0x6008f0
  400475:   55                      push   rbp
  400476:   48 81 ee f0 08 60 00    sub    rsi,0x6008f0
  40047d:   48 89 e5                mov    rbp,rsp
  400480:   48 c1 fe 03             sar    rsi,0x3
  400484:   48 89 f0                mov    rax,rsi
  400487:   48 c1 e8 3f             shr    rax,0x3f
  40048b:   48 01 c6                add    rsi,rax
  40048e:   48 d1 fe                sar    rsi,1
  400491:   74 15                   je     4004a8 <register_tm_clones+0x38>
  400493:   b8 00 00 00 00          mov    eax,0x0
  400498:   48 85 c0                test   rax,rax
  40049b:   74 0b                   je     4004a8 <register_tm_clones+0x38>
  40049d:   5d                      pop    rbp
  40049e:   bf f0 08 60 00          mov    edi,0x6008f0
  4004a3:   ff e0                   jmp    rax
  4004a5:   0f 1f 00                nop    DWORD PTR [rax]
  4004a8:   5d                      pop    rbp
  4004a9:   c3                      ret
  4004aa:   66 0f 1f 44 00 00       nop    WORD PTR [rax+rax*1+0x0]

00000000004004b0 <__do_global_dtors_aux>:
  4004b0:   80 3d 35 04 20 00 00    cmp    BYTE PTR [rip+0x200435],0x0        # 6008ec <_edata>
  4004b7:   75 17                   jne    4004d0 <__do_global_dtors_aux+0x20>
  4004b9:   55                      push   rbp
  4004ba:   48 89 e5                mov    rbp,rsp
  4004bd:   e8 7e ff ff ff          call   400440 <deregister_tm_clones>
  4004c2:   c6 05 23 04 20 00 01    mov    BYTE PTR [rip+0x200423],0x1        # 6008ec <_edata>
  4004c9:   5d                      pop    rbp
  4004ca:   c3                      ret
  4004cb:   0f 1f 44 00 00          nop    DWORD PTR [rax+rax*1+0x0]
  4004d0:   f3 c3                   repz ret
  4004d2:   0f 1f 40 00             nop    DWORD PTR [rax+0x0]
  4004d6:   66 2e 0f 1f 84 00 00    nop    WORD PTR cs:[rax+rax*1+0x0]
  4004dd:   00 00 00

00000000004004e0 <frame_dummy>:
  4004e0:   55                      push   rbp
  4004e1:   48 89 e5                mov    rbp,rsp
  4004e4:   5d                      pop    rbp
  4004e5:   eb 89                   jmp    400470 <register_tm_clones>

00000000004004e7 <main>:
  4004e7:   55                      push   rbp
  4004e8:   48 89 e5                mov    rbp,rsp
  4004eb:   bf 90 05 40 00          mov    edi,0x400590
  4004f0:   e8 eb fe ff ff          call   4003e0 <puts@plt>
  4004f5:   b8 00 00 00 00          mov    eax,0x0
  4004fa:   5d                      pop    rbp
  4004fb:   c3                      ret
  4004fc:   0f 1f 40 00             nop    DWORD PTR [rax+0x0]

0000000000400500 <__libc_csu_init>:
  400500:   41 57                   push   r15
  400502:   41 89 ff                mov    r15d,edi
  400505:   41 56                   push   r14
  400507:   49 89 f6                mov    r14,rsi
  40050a:   41 55                   push   r13
  40050c:   49 89 d5                mov    r13,rdx
  40050f:   41 54                   push   r12
  400511:   4c 8d 25 b8 01 20 00    lea    r12,[rip+0x2001b8]        # 6006d0 <__frame_dummy_init_array_entry>
  400518:   55                      push   rbp
  400519:   48 8d 2d b8 01 20 00    lea    rbp,[rip+0x2001b8]        # 6006d8 <__init_array_end>
  400520:   53                      push   rbx
  400521:   4c 29 e5                sub    rbp,r12
  400524:   31 db                   xor    ebx,ebx
  400526:   48 c1 fd 03             sar    rbp,0x3
  40052a:   48 83 ec 08             sub    rsp,0x8
  40052e:   e8 75 fe ff ff          call   4003a8 <_init>
  400533:   48 85 ed                test   rbp,rbp
  400536:   74 1e                   je     400556 <__libc_csu_init+0x56>
  400538:   0f 1f 84 00 00 00 00    nop    DWORD PTR [rax+rax*1+0x0]
  40053f:   00
  400540:   4c 89 ea                mov    rdx,r13
  400543:   4c 89 f6                mov    rsi,r14
  400546:   44 89 ff                mov    edi,r15d
  400549:   41 ff 14 dc             call   QWORD PTR [r12+rbx*8]
  40054d:   48 83 c3 01             add    rbx,0x1
  400551:   48 39 eb                cmp    rbx,rbp
  400554:   75 ea                   jne    400540 <__libc_csu_init+0x40>
  400556:   48 83 c4 08             add    rsp,0x8
  40055a:   5b                      pop    rbx
  40055b:   5d                      pop    rbp
  40055c:   41 5c                   pop    r12
  40055e:   41 5d                   pop    r13
  400560:   41 5e                   pop    r14
  400562:   41 5f                   pop    r15
  400564:   c3                      ret
  400565:   90                      nop
  400566:   66 2e 0f 1f 84 00 00    nop    WORD PTR cs:[rax+rax*1+0x0]
  40056d:   00 00 00

0000000000400570 <__libc_csu_fini>:
  400570:   f3 c3                   repz ret

Disassembly of section .fini:

0000000000400574 <_fini>:
  400574:   48 83 ec 08             sub    rsp,0x8
  400578:   48 83 c4 08             add    rsp,0x8
  40057c:   c3                      ret

As you can see, there's way more than what the programmer wrote. There's a long journey to understand all that. A few references that may help you out:

Good luck!

damian3012 commented 3 years ago

Actually the program is writtten in assembly language,this is my code in assembly language

section .data
section .text global _start _start: nop mov eax,0FFFFFFFFh mov ebx,02Dh dec ebx inc eax nop section .bss

And I get 52 lines of instructions highlighte in gray(the whole part of the disassembly view)next i get another quite a list of something like 0804:8075|00 00 | add[eax] , al in above case only address with memory changes number after I get the actual code

nop mov eax,0FFFFFFFFh mov ebx,02Dh dec ebx inc eax nop

bellow that I get extra instructions scattered all over the place after that I get again very long list with something like that 0804:8075|00 00 | add[eax] , al

I am confused anyway,where all of this is comming from

10110111 commented 3 years ago

The grayed-out 52 bytes at the beginning of the page belong to the ELF header. Although they aren't really instruction, they are disassembled anyway, because you're looking at them in Disassembly View.

eteran commented 3 years ago

@damian3012 Unless you are providing your own linker script, you can expect even the most trivial programs written in ASM to be at least a few KB big!

A lot of that is as @10110111 described, ELF-related headers. Since you are a beginner, you may find this article interesting https://www.muppetlabs.com/~breadbox/software/tiny/teensy.html

They go from a simple C program compiling to about 2K to just 45 bytes! (the last bit using a LOT of absolutely insane and unadvisable trickery

eteran commented 3 years ago

It's also worth noting that both the OS and edb deal with things in terms of whole pages. So even if your program is less than 4K, it will display, at a minimum 4096 bytes. Most of which will be zero filled. And of course, all zeros in intel ASM decodes to add [eax], al :-)

eteran commented 2 years ago

Closing this issue. I think the core of this is that the user simply doesn't expect the disassembly to be in whole pages, which is just "how edb works" since we try to provide a visualization that is representative of what the actual CPU is going to see in those "regions".