pszostek / cp

C. profiler

some libc jump targets fall in the middle of other instructions #21

Open xs-exp opened 8 years ago

xs-exp commented 8 years ago

Examples:

  3ae4035e53:   74 01                   je     3ae4035e56 <__cxa_finalize+0x76>
  3ae4035e55:   f0 4c 0f b1 2b          lock cmpxchg %r13,(%rbx)

  3ae4035f79:   74 01                   je     3ae4035f7c <__cxa_finalize+0x19c>
  3ae4035f7b:   f0 4c 0f b1 2b          lock cmpxchg %r13,(%rbx)

...

  3ae40fbfa5:   74 01                   je     3ae40fbfa8 <__res_init+0x78>
  3ae40fbfa7:   f0 48 ff 05 29 77 29    lock incq 0x297729(%rip)        # 3ae43936d8 <__res_initstamp>
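
A check for exactly the situation shown above, added here as an example and not code from the cp project: it parses objdump-style (AT&T syntax) listing lines, builds the byte range of every listed instruction, and reports every direct branch whose target is not an instruction start but falls strictly inside another listed instruction. A target that sits one byte past a 0xF0 LOCK prefix is reported separately from a genuine overlap, and for that case the code recovers the prefix-less instruction the branch really executes. The sample listing is constructed: it repeats the three excerpts quoted in this issue (with the final 00 byte of the incq displacement restored, since objdump wraps the eighth byte onto a continuation line) and adds two invented pairs, a jne that lands on a real boundary and a jmp into the middle of a 5-byte mov, so that every outcome is exercised; the symbol offsets in the invented lines are assumed.

```python
"""Find branch targets that land inside another instruction in an objdump listing."""
import bisect
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (not from the project's real_data): the three glibc excerpts quoted
# in this issue, with the trailing 00 of the incq disp32 restored (objdump wraps the 8th
# byte onto a continuation line), plus two invented pairs that exercise the other
# outcomes: a jne that lands on a real boundary, and a jmp into the middle of a 5-byte
# mov (a genuine overlapping-instruction case, not a lock-prefix skip).
SAMPLE_LISTING = """
3ae4035e53:   74 01                   je     3ae4035e56 <__cxa_finalize+0x76>
3ae4035e55:   f0 4c 0f b1 2b          lock cmpxchg %r13,(%rbx)
3ae4035e5a:   75 02                   jne    3ae4035e5e <__cxa_finalize+0x7e>
3ae4035e5c:   31 c0                   xor    %eax,%eax
3ae4035e5e:   c3                      retq
3ae4035e5f:   eb 03                   jmp    3ae4035e64 <__cxa_finalize+0x84>
3ae4035e61:   b8 31 c0 c3 90          mov    $0x90c3c031,%eax
3ae4035f79:   74 01                   je     3ae4035f7c <__cxa_finalize+0x19c>
3ae4035f7b:   f0 4c 0f b1 2b          lock cmpxchg %r13,(%rbx)
3ae40fbfa5:   74 01                   je     3ae40fbfa8 <__res_init+0x78>
3ae40fbfa7:   f0 48 ff 05 29 77 29 00 lock incq 0x297729(%rip)        # 3ae43936d8 <__res_initstamp>
"""

LINE_RE = re.compile(
    r"^\s*(?P<addr>[0-9a-f]+):\s+"
    r"(?P<bytes>(?:[0-9a-f]{2}\s+)+)"   # opcode bytes as objdump prints them
    r"(?P<mnem>[a-z][a-z0-9]*)\s*"       # mnemonic; objdump prints 'lock' as the mnemonic
    r"(?P<ops>.*?)\s*$"
)


@dataclass
class Insn:
    addr: int
    raw: bytes
    mnem: str
    ops: str

    @property
    def end(self) -> int:
        """First address past this instruction."""
        return self.addr + len(self.raw)


@dataclass
class Finding:
    branch: int       # address of the branch instruction
    target: int       # where it jumps
    container: Insn   # listed instruction whose bytes contain the target
    kind: str         # "skips-lock-prefix" or "mid-instruction"


def parse_listing(text: str) -> List[Insn]:
    """Parse objdump -d (AT&T syntax) lines, sorted by address; other lines are skipped."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            raw = bytes.fromhex("".join(m["bytes"].split()))
            insns.append(Insn(int(m["addr"], 16), raw, m["mnem"], m["ops"]))
    return sorted(insns, key=lambda i: i.addr)


def branch_target(insn: Insn) -> Optional[int]:
    """Direct target of a jcc/jmp/call; None for non-branches and indirect branches."""
    if not (insn.mnem.startswith("j") or insn.mnem in ("call", "callq")):
        return None
    m = re.match(r"([0-9a-f]+)\b", insn.ops)
    return int(m.group(1), 16) if m else None


def containing(insns: List[Insn], addr: int) -> Optional[Insn]:
    """Instruction whose byte range strictly contains addr (insns must be sorted)."""
    k = bisect.bisect_right([i.addr for i in insns], addr) - 1
    if k >= 0 and insns[k].addr < addr < insns[k].end:
        return insns[k]
    return None


def find_mid_instruction_targets(insns: List[Insn]) -> List[Finding]:
    starts = {i.addr for i in insns}
    findings = []
    for insn in insns:
        t = branch_target(insn)
        if t is None or t in starts:
            continue                  # indirect, or lands on a listed boundary
        c = containing(insns, t)
        if c is None:
            continue                  # outside the listed region
        # glibc jumps over the 0xF0 LOCK prefix when the process is single-threaded,
        # so such a target is the same instruction minus the prefix, not an overlap.
        if c.raw[0] == 0xF0 and t == c.addr + 1:
            kind = "skips-lock-prefix"
        else:
            kind = "mid-instruction"
        findings.append(Finding(insn.addr, t, c, kind))
    return findings


def unprefixed(insn: Insn) -> Insn:
    """Instruction executed at a lock-prefix-skip target: the same bytes minus 0xF0."""
    assert insn.raw[0] == 0xF0 and insn.mnem == "lock"
    mnem, _, ops = insn.ops.partition(" ")
    return Insn(insn.addr + 1, insn.raw[1:], mnem, ops.strip())


if __name__ == "__main__":
    for f in find_mid_instruction_targets(parse_listing(SAMPLE_LISTING)):
        note = ""
        if f.kind == "skips-lock-prefix":
            u = unprefixed(f.container)
            note = f" -> executes {u.mnem} {u.ops} ({u.raw.hex()})"
        print(f"{f.branch:x}: target {f.target:x} is {f.kind} inside "
              f"{f.container.addr:x} {f.container.mnem} {f.container.ops}{note}")
```

Run against the sample, the three quoted je instructions are reported as lock-prefix skips whose real target is the unprefixed cmpxchg or incq, the invented jmp is reported as a mid-instruction target (the bytes at its target decode to a hidden retq), and the jne is not reported at all. Feeding the tool a full objdump -d of a libc lets you count how many of the mid-instruction targets are this one idiom before deciding how a disassembler should treat them; the byte-column regex assumes objdump's layout and would need adjusting for a mnemonic that looks like two hex digits followed by whitespace.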

pszostek commented 8 years ago

Example from the libc found in ./real_data:

  391cc35f79:   74 01                   je     391cc35f7c <__cxa_finalize+0x19c>
  391cc35f7b:   f0 4c 0f b1 2b          lock cmpxchg %r13,(%rbx)

pszostek commented 8 years ago

Disasm yields too-long instructions in the case of those single-byte prefixes:

  In [1]: import cp

  In [2]: e = cp.elf.ELFFile('./real_data/libc.so.6')

  In [3]: df = e.get_inst_lists([(0x35f7b, 0x35f7b)])

  In [4]: df
  Out[4]:
                                                            asm_line  inst_length
  symbol         bb_offset inst_offset
  __cxa_finalize 221051    0            lock add byte ptr [rax], al            3

pszostek commented 8 years ago

Too bad, xed doesn't recognize f0 as an independent instruction.

  ./xed -64 -d f04c0fb12b
  ICLASS: CMPXCHG_LOCK   CATEGORY: SEMAPHORE   EXTENSION: BASE  IFORM: CMPXCHG_LOCK_MEMv_GPRv   ISA_SET: I486REAL
  SHORT: lock cmpxchg qword ptr [rbx], r13

  ./xed -64 -d f0
  F0
  ERROR: BUFFER_TOO_SHORT Could not decode at offset: 0x0 PC: 0x0: [F00000000000000000000000000000]

xs-exp commented 8 years ago

Debugging with AY, DL, SE as of 5 Sep 2016; apparently gooda corrects for this.