Reputation:
Weird behavior when dereferencing pointer that points to the address of an instruction
I'm doing some reverse engineering on a ELF 32-Bit executable. Here is the code of the .text section :
08048080 <.text>:
8048080: b8 04 00 00 00 mov eax,0x4
8048085: bb 01 00 00 00 mov ebx,0x1
804808a: b9 a1 91 04 08 mov ecx,0x80491a1
804808f: ba 26 00 00 00 mov edx,0x26
8048094: cd 80 int 0x80
8048096: b8 03 00 00 00 mov eax,0x3
804809b: 31 db xor ebx,ebx
804809d: b9 88 91 04 08 mov ecx,0x8049188
80480a2: ba 33 00 00 00 mov edx,0x33
80480a7: cd 80 int 0x80
80480a9: 31 c9 xor ecx,ecx
80480ab: b8 80 80 04 08 mov eax,0x8048080
80480b0: bb 23 81 04 08 mov ebx,0x8048123
80480b5: e8 5b 00 00 00 call 0x8048115
80480ba: 89 ca mov edx,ecx
80480bc: b9 19 00 00 00 mov ecx,0x19
80480c1: b8 55 91 04 08 mov eax,0x8049155
80480c6: bb 88 91 04 08 mov ebx,0x8049188
80480cb: d1 ca ror edx,1
80480cd: 8a 44 08 ff mov al,BYTE PTR [eax+ecx*1-0x1]
80480d1: 8a 5c 0b ff mov bl,BYTE PTR [ebx+ecx*1-0x1]
80480d5: 30 d8 xor al,bl
80480d7: 30 d0 xor al,dl
80480d9: 75 1b jne 0x80480f6
80480db: 49 dec ecx
80480dc: 75 e3 jne 0x80480c1
80480de: b8 04 00 00 00 mov eax,0x4
80480e3: bb 01 00 00 00 mov ebx,0x1
80480e8: b9 24 91 04 08 mov ecx,0x8049124
80480ed: ba 26 00 00 00 mov edx,0x26
80480f2: cd 80 int 0x80
80480f4: eb 16 jmp 0x804810c
80480f6: b8 04 00 00 00 mov eax,0x4
80480fb: bb 01 00 00 00 mov ebx,0x1
8048100: b9 4a 91 04 08 mov ecx,0x804914a
8048105: ba 0b 00 00 00 mov edx,0xb
804810a: cd 80 int 0x80
804810c: b8 01 00 00 00 mov eax,0x1
8048111: 31 db xor ebx,ebx
8048113: cd 80 int 0x80
8048115: 29 c3 sub ebx,eax
8048117: 31 c9 xor ecx,ecx
8048119: 02 08 add cl,BYTE PTR [eax]
804811b: c1 c1 03 rol ecx,0x3
804811e: 40 inc eax
804811f: 4b dec ebx
8048120: 75 f7 jne 0x8048119
8048122: c3 ret
But i don't know what this line is supposed to do :
8048119: 02 08 add cl,BYTE PTR [eax]
I know that at this point, EAX gets the address of the <.text> section and ECX = 0 but i don't know where's the point to dereference the pointer that points to this adress : it gives me ECX = 0xcc
Could you explain to me why ? I really appreciate your help. I'm sorry for my bad english.
Upvotes: 0
Views: 106
Answers (1)
Reputation:
In the comments, Margaret Bloom said:
eaxdoesn't point to.text, just look at the instruction at0x80480ab. The function just loops fromeaxtoebxand computes = ROL(s + ptr[i], 3)withs=0initially. The compiler implemented the loop by first computing the difference between the start end (ebx) and the start one (eax) and then looping as many times as this difference value.
And Jester replied:
As for the
0xccI assume you used a debugger with a software breakpoint which works by inserting the instructionint3into the code. As you might have guessed,int3has opcode0xcc. If you want to avoid that, use a hardware breakpoint instead.
Upvotes: 1
Related Questions
- What happens if `objdump -d --start-address` starts printing from the middle of an x86 instruction?
- Why the differences in memory address or offset between xxd and objdump?
- Why does objdump show a null opcode for this assembly language instruction?
- Is this assembler bug? bound instruction
- How to recognize an assembly "call" instruction within memory?
- Why addresses of instructions from GDB and Objdump are the same?
- Strange behavior in AMD64 Instruction pointer
- masm x86 assembly does a dereference *only* return the value being stored at a given address
- IDA Pro Dereference Pointer from a Register and a Constant offset
- x86 asm, dereferenced pointer not getting updated