Edee

Reputation: 1816

Help to understand Linux _start

000003b0 <_start>:
 3b0:   31 ed                   xor    %ebp,%ebp
 3b2:   5e                      pop    %esi
 3b3:   89 e1                   mov    %esp,%ecx
 3b5:   83 e4 f0                and    $0xfffffff0,%esp
 3b8:   50                      push   %eax
 3b9:   54                      push   %esp
 3ba:   52                      push   %edx
 3bb:   e8 22 00 00 00          call   3e2 <_start+0x32>
 3c0:   81 c3 1c 1c 00 00       add    $0x1c1c,%ebx
 3c6:   8d 83 94 e5 ff ff       lea    -0x1a6c(%ebx),%eax
 3cc:   50                      push   %eax
 3cd:   8d 83 34 e5 ff ff       lea    -0x1acc(%ebx),%eax
 3d3:   50                      push   %eax
 3d4:   51                      push   %ecx
 3d5:   56                      push   %esi
 3d6:   ff b3 1c 00 00 00       pushl  0x1c(%ebx)
 3dc:   e8 af ff ff ff          call   390 <__libc_start_main@plt>
 3e1:   f4                      hlt    
 3e2:   8b 1c 24                mov    (%esp),%ebx
 3e5:   c3                      ret    
 3e6:   66 90                   xchg   %ax,%ax
 3e8:   66 90                   xchg   %ax,%ax
 3ea:   66 90                   xchg   %ax,%ax
 3ec:   66 90                   xchg   %ax,%ax
 3ee:   66 90                   xchg   %ax,%ax

Hey guys, please do me a favour and help me understand this code snippet after addr 3b8. I can guess what it is doing, but not really specifically.

BTW, if you guys have any clue how to teach me to figure out the implementation of the Linux calling system ON SPECIFIC CODE, please let me know. Thanks.

After checking the ABI doc, I still don't quite understand why it jumps to 3e2, because it seems that they did nothing but jump back.

Upvotes: 0

Views: 102

Answers (1)

Peter Cordes

Reputation: 363980

Have a look at the i386 System V ABI doc (https://github.com/hjl-tools/x86-psABI/wiki/X86-psABI). It also documents the function-calling convention in complete detail. (It gets intense; sometimes it's easier to just look at how GCC -O2 compiles arg-passing or return of a struct by value, e.g. on https://godbolt.org/.)

It specifies the user-space stack layout on entry to _start. e.g. ESP points at argc, and argv[] is above that (the array contents, not a pointer). envp[] above that. Also note that in a dynamically-linked executable, _start is jumped to from the dynamic linker's own startup code. That's where the atexit pointer comes from.

Also note that this is a PIE executable so it thunks the return address into EBX for PC-relative addressing with the call 3e2.

Upvotes: 2
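As an added illustration, not part of the question or of the answer above, here is a C model of what the instructions from 0x3b8 onward do. It walks the initial stack the way `pop %esi; mov %esp,%ecx` does (argc, then argv[], NULL, envp[], NULL, auxv), reproduces the PC-relative thunk arithmetic (return address 0x3c0 plus 0x1c1c gives the GOT at offset 0x1fdc, so the two lea instructions resolve to 0x570 and 0x510), and lays out the seven arguments that glibc's i386 _start pushes for __libc_start_main: main, argc, argv, init, fini, rtld_fini, stack_end (that signature is glibc's; the page does not spell it out). The sample stack, the rtld_fini value and the contents of the main GOT slot are constructed placeholders, and every address is a link-time offset to which the PIE load base is added at run time.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* i386 System V initial stack as the ABI doc lays it out at _start:
 *   [esp]    argc
 *   [esp+4]  argv[0] .. argv[argc-1], then NULL
 *            envp[0] .. then NULL
 *            auxv pairs, ending with AT_NULL (0)
 * "pop %esi; mov %esp,%ecx" pops argc into ESI and leaves ECX = &argv[0]. */
struct entry_info {
    uintptr_t argc;
    const uintptr_t *argv;
    const uintptr_t *envp;
    size_t envc;
};

struct entry_info parse_initial_stack(const uintptr_t *esp)
{
    struct entry_info info;
    info.argc = esp[0];                     /* pop %esi */
    info.argv = esp + 1;                    /* mov %esp,%ecx (ESP after the pop) */
    info.envp = info.argv + info.argc + 1;  /* skip argv[] and its NULL */
    info.envc = 0;
    while (info.envp[info.envc] != 0)
        info.envc++;
    return info;
}

/* PIE thunk: "call 3e2" pushes the return address 0x3c0; the callee
 * ("mov (%esp),%ebx; ret") copies it into EBX; "add $0x1c1c,%ebx" turns
 * that code offset into the offset of the GOT (0x1fdc). */
uintptr_t got_from_thunk(uintptr_t call_return_addr, uintptr_t add_disp)
{
    return call_return_addr + add_disp;
}

/* Resolve an EBX-relative operand such as "lea -0x1a6c(%ebx),%eax". */
uintptr_t ebx_relative(uintptr_t got, int32_t disp)
{
    return got + (uintptr_t)(intptr_t)disp;
}

/* glibc's __libc_start_main arguments, indexed in memory order after the
 * pushes: index 0 (main) was pushed last and sits at [esp+4] after the call. */
enum { ARG_MAIN, ARG_ARGC, ARG_ARGV, ARG_INIT, ARG_FINI,
       ARG_RTLD_FINI, ARG_STACK_END, ARG_COUNT };

/* Replay 0x3b8..0x3dc on a given initial stack. rtld_fini is whatever ld.so
 * left in EDX; main_slot stands in for the GOT entry at 0x1c(%ebx), whose
 * contents are not in the listing. */
void replay_start(const uintptr_t *esp, uintptr_t rtld_fini,
                  uintptr_t main_slot, uintptr_t frame[ARG_COUNT])
{
    struct entry_info e = parse_initial_stack(esp);
    /* and $0xfffffff0,%esp aligns ESP; push %eax pads by 4; push %esp then
     * pushes the resulting value, which is (aligned - 4). */
    uintptr_t aligned = (uintptr_t)(esp + 1) & ~(uintptr_t)0xf;
    uintptr_t got = got_from_thunk(0x3c0, 0x1c1c);
    frame[ARG_STACK_END] = aligned - 4;                  /* push %esp */
    frame[ARG_RTLD_FINI] = rtld_fini;                    /* push %edx */
    frame[ARG_FINI]      = ebx_relative(got, -0x1a6c);   /* 0x570 */
    frame[ARG_INIT]      = ebx_relative(got, -0x1acc);   /* 0x510 */
    frame[ARG_ARGV]      = (uintptr_t)e.argv;            /* push %ecx */
    frame[ARG_ARGC]      = e.argc;                       /* push %esi */
    frame[ARG_MAIN]      = main_slot;                    /* pushl 0x1c(%ebx) */
}

/* Constructed sample stack: "prog arg1", one env var, empty auxv. */
static const uintptr_t *build_sample_stack(void)
{
    static const char *const av[] = { "prog", "arg1" };
    static const char *const ev[] = { "HOME=/tmp" };
    static uintptr_t stack[8];
    size_t n = 0;
    stack[n++] = 2;
    stack[n++] = (uintptr_t)av[0];
    stack[n++] = (uintptr_t)av[1];
    stack[n++] = 0;                 /* argv terminator */
    stack[n++] = (uintptr_t)ev[0];
    stack[n++] = 0;                 /* envp terminator */
    stack[n++] = 0;                 /* AT_NULL */
    stack[n++] = 0;
    return stack;
}

/* One frame slot from replaying _start on the sample stack; 0xdead0000 and
 * 0x5a0 are placeholder values for EDX and the main GOT slot. */
uintptr_t sample_frame(int idx)
{
    uintptr_t frame[ARG_COUNT];
    replay_start(build_sample_stack(), 0xdead0000u, 0x5a0, frame);
    return frame[idx];
}

size_t sample_envc(void) { return parse_initial_stack(build_sample_stack()).envc; }

int main(void)
{
    static const char *const names[ARG_COUNT] =
        { "main", "argc", "argv", "init", "fini", "rtld_fini", "stack_end" };
    for (int i = 0; i < ARG_COUNT; i++)
        printf("[esp+%2d] %-9s = %#lx\n", 4 + 4 * i, names[i],
               (unsigned long)sample_frame(i));
    return 0;
}
```

Running it prints the argument frame as __libc_start_main sees it. Two details worth noticing: the stack_end value is always 12 mod 16, because the `and` aligns ESP to 16 and the padding `push %eax` precedes `push %esp`; and the padding push exists so that the three pushes before the thunk plus the five after it total 32 bytes, leaving ESP 16-byte aligned at the `call`, as the ABI requires.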
