Reputation:
8048563: e8 0d 00 00 00 call 8048575 <exit@plt+0x141>
I was trying to reverse engineer a binary for fun and I saw this call in the objdump output. Looking at this line, I thought the call would be to the exit function which was dynamically linked. However, 8048575 seems to be an address in the .text section of this program!
8048575: 83 ec 6c sub esp,0x6c
Upvotes: 0
Views: 778
Reputation: 46
That's not actually an IAT/PLT call, it's a call to another function in the same file. The file probably has had its internal symbols stripped, and objdump displays all addresses as the last defined symbol before the address + an offset. With no internal symbols, this will hit the last plt-linked function, since the plt section comes before text.
So, the displayed name is just bogus and can be ignored.
Upvotes: 3
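The nearest-preceding-symbol labelling described in the answer above can be reproduced in a few lines. This is an added example, not part of the original thread: it decodes the `e8 0d 00 00 00` call from the question and rebuilds the label. The `exit@plt` address is derived from the question's operand (0x8048575 - 0x141), the neighbouring `example@plt` symbol is constructed, and 16-byte i386 PLT stubs are an assumption.

```python
import bisect
import struct

PLT_ENTRY_SIZE = 16  # assumed size of one i386 PLT stub

# Symbols left in a stripped binary: only synthetic PLT names, sorted by address.
SYMBOLS = [
    (0x8048424, "example@plt"),  # constructed neighbour, not from the page
    (0x8048434, "exit@plt"),     # derived: 0x8048575 - 0x141
]

def call_target(addr, insn):
    """Decode an x86 near call (E8 rel32): target = next instruction + rel32."""
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("not an E8 rel32 call")
    (rel,) = struct.unpack("<i", insn[1:])
    return (addr + 5 + rel) & 0xFFFFFFFF

def label(symbols, target):
    """Return (name, offset) of the last symbol at or before target."""
    addrs = [a for a, _ in symbols]
    i = bisect.bisect_right(addrs, target) - 1
    if i < 0:
        return None, None
    base, name = symbols[i]
    return name, target - base

def classify(symbols, addr, insn):
    """Return (target, displayed label, whether the label can be trusted)."""
    target = call_target(addr, insn)
    name, off = label(symbols, target)
    if name is None:
        return target, f"{target:x}", False
    text = f"{target:x} <{name}+0x{off:x}>" if off else f"{target:x} <{name}>"
    # A PLT name is only meaningful if the target lies inside that stub.
    trusted = not name.endswith("@plt") or off < PLT_ENTRY_SIZE
    return target, text, trusted

if __name__ == "__main__":
    # The call from the question: 8048563: e8 0d 00 00 00
    print(classify(SYMBOLS, 0x8048563, bytes.fromhex("e80d000000")))
    # Constructed contrast: a call that lands exactly on the exit@plt stub.
    print(classify(SYMBOLS, 0x8048563, bytes.fromhex("e8ccfeffff")))
```

An offset larger than the stub size means the target lies past the named PLT entry, so the name is only the closest symbol objdump had available.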
Reputation: 26171
That's a call to the IAT (import address table) entry so that it can perform an intermodular call (really a jump) to a function called 'exit'; this allows the avoidance of far calls and makes dynamic linkage simpler. As for the prologue being 'missing', setting up a stack frame is not required at all; in fact it's totally unneeded for most functions, thus the stack allocation is the prologue. The only functions that really need stack frames are untrusted 'naked' assembly functions or those that make unpredictable changes to the stack.
Upvotes: 3
Reputation: 60843
When a program calls a function in a shared library it calls an address in the Procedure Linkage Table (PLT). Initially the PLT contains a call into the dynamic linker, which will look up the function address dynamically and then replace the address in the PLT with the address that it found.
Upvotes: 3
Reputation: 20726
Allocating stack space is the function prologue, no? How do you know that's not the beginning of the exit function? .text is totally fine since that is where code lives. (plt just refers to "program list table".)
Upvotes: 1