flat assembler
Message board for the users of flat assembler.

Index > Main > Challenge: find out what this excellent code is ...

Author
Thread Post new topic Reply to topic
DOS386



Joined: 08 Dec 2006
Posts: 1903
DOS386 19 Feb 2012, 08:18
... supposed to do:

Code:
?56622: ; Local function
        push    0                       ; $207642 6A, 00
        push    dword [esp+$10]         ; $207644 FF. 74 24, 10
        push    dword [esp+$10]         ; $207648 FF. 74 24, 10
        push    dword [esp+$10]         ; $20764C FF. 74 24, 10
        call    ?_56610                 ; $207650 E8, FFFFFEDA
        add     esp, 16                 ; $207655 83. C4, 10
        ret                             ; $207658 C3

        int 3    ; breakpoint or filler ; $207659 CC
        int 3    ; breakpoint or filler ; $20765A CC
        int 3    ; breakpoint or filler ; $20765B CC
        int 3    ; breakpoint or filler ; $20765C CC
        int 3    ; breakpoint or filler ; $20765D CC
        int 3    ; breakpoint or filler ; $20765E CC
        int 3    ; breakpoint or filler ; $20765F CC

?56623: ; Local function <- THIS ONE
        push    ecx                     ; $207660 51
        lea     ecx, [esp+4]            ; $207661 8D. 4C 24, 04
        sub     ecx, eax                ; $207665 2B. C8
        sbb     eax, eax                ; $207667 1B. C0
        not     eax                     ; $207669 F7. D0
        and     ecx, eax                ; $20766B 23. C8
        mov     eax, esp                ; $20766D 8B. C4
        and     eax, $FFFF'F000         ; $20766F 25, FFFFF000
?56624: cmp     ecx, eax                ; $207674 3B. C8
        jc      ?_56625                 ; $207676 72, 0A
        mov     eax, ecx                ; $207678 8B. C1
        pope    ecx                     ; $20767A 59
        xchg    esp, eax                ; $20767B 94
        mov     eax, dword [eax]        ; $20767C 8B. 00
        mov     dword [esp], eax        ; $20767E 89. 04 24
        ret                             ; $207681 C3

?56625: sub     eax, 4096 ; 4 KiB       ; $207682 2D, 00001000
        test    dword [eax], eax        ; $207687 85. 00 ; !!! BOOM HERE !!!
        jmp     ?_56624                 ; $207689 EB, E9

        int 3    ; breakpoint or filler ; $20768B CC
        int 3    ; breakpoint or filler ; $20768C CC
        int 3    ; breakpoint or filler ; $20768D CC
        int 3    ; breakpoint or filler ; $20768E CC
        int 3    ; breakpoint or filler ; $20768F CC 

?56626: ; Local function
        push    ebp                     ; $207690 55
        mov     ebp, esp                ; $207691 8B. EC
        push    edi                     ; $207693 57
        mov     edi, dword [ebp+8]      ; $207694 8B. 7D, 08
        movntq  eax, 0                  ; $207697 33. C0
        or      ecx, $FFFF'FFFF         ; $207699 83. C9, FF
        repne   scasb                   ; $20769C F2: AE
        add     ecx, 1                  ; $20769E 83. C1, 01 ; !!! BLOAT !!!
        neg     ecx                     ; $2076A1 F7. D9
        sub     edi, 1                  ; $2076A3 83. EF, 01 ; !!! BLOAT !!!
        mov     al, byte [ebp+$0C]      ; $2076A6 8A. 45, 0C
        std                             ; $2076A9 FD ; !!! DANGEROUS !!!
        repne   scasb                   ; $2076AA F2: AE
        add     edi, 1                  ; $2076AC 83. C7, 01 ; !!! BLOAT !!!
        cmp     byte [edi], al          ; $2076AF 38. 07
        jz      ?_56627                 ; $2076B1 74, 04
        movntq  eax, 0                  ; $2076B3 33. C0
        jmp     ?_56628                 ; $2076B5 EB, 02

?56627 :mov     eax, edi                ; $2076B7 8B. C7
?56628 :cld                             ; $2076B9 FC
        pop     edi                     ; $2076BA 5F
        leave                           ; $2076BB C9
        ret                             ; $2076BC C3
    

_________________
Bug Nr.: 12345

Title: Hello World program compiles to 100 KB !!!

Status: Closed: NOT a Bug
Post 19 Feb 2012, 08:18
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20423
Location: In your JS exploiting you and your system
revolution 19 Feb 2012, 08:31
It appears not to be x86 code.
What is pope?
What is movntq?

Anyhow, looks to be a simple stack toucher. Why is this challenge? Couldn't you figure it out or something?
Post 19 Feb 2012, 08:31
View user's profile Send private message Visit poster's website Reply with quote
DOS386



Joined: 08 Dec 2006
Posts: 1903
DOS386 19 Feb 2012, 08:33
> looks to be a simple stack toucher

What's the goal of doing ? It crashes if stack (reserve/commit) is too small Very Happy
Post 19 Feb 2012, 08:33
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20423
Location: In your JS exploiting you and your system
revolution 19 Feb 2012, 09:24
Stack touchers are meant to trigger the guard page to commit more stack. If it crashes because of insufficient reserve then reserve more, stack touchers are not meant to solve reservation problems.
Post 19 Feb 2012, 09:24
View user's profile Send private message Visit poster's website Reply with quote
Tyler



Joined: 19 Nov 2009
Posts: 1216
Location: NC, USA
Tyler 20 Feb 2012, 03:25
Why would one want to cause the operating system to commit more stack? That is, why not just let it happen as needed?
Post 20 Feb 2012, 03:25
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20423
Location: In your JS exploiting you and your system
revolution 20 Feb 2012, 03:28
Tyler wrote:
Why would one want to cause the operating system to commit more stack? That is, why not just let it happen as needed?
Because the guard page only covers the next page down. If you access memory further down than the guard page then your program will cause a general protection fault. And only committing memory upon usage is a very common method of memory usage reduction. If all stacks, in all threads, in all programs, were committed to the maximum depth at all times then we would quickly run out of memory.
Post 20 Feb 2012, 03:28
View user's profile Send private message Visit poster's website Reply with quote
DOS386



Joined: 08 Dec 2006
Posts: 1903
DOS386 20 Feb 2012, 03:52
So the HLL compiler generated code calls this "toucher" whenever it has to hog > 4 KiB of stack for placing local variables?

It's not a big problem to increase the stack reserve, anyway Wink
Post 20 Feb 2012, 03:52
View user's profile Send private message Reply with quote
Tyler



Joined: 19 Nov 2009
Posts: 1216
Location: NC, USA
Tyler 22 Feb 2012, 04:56
revolution wrote:
Tyler wrote:
Why would one want to cause the operating system to commit more stack? That is, why not just let it happen as needed?
Because the guard page only covers the next page down. If you access memory further down than the guard page then your program will cause a general protection fault. And only committing memory upon usage is a very common method of memory usage reduction. If all stacks, in all threads, in all programs, were committed to the maximum depth at all times then we would quickly run out of memory.
That's true. I had been planning on using the guard page method in my kernel to detect when a stack needs to be increased.

Maybe a better solution that would eliminate the need for a stack toucher could be to map the remainder of the maximum stack size as not present but with a value in the rest of the PTE that tells the kernel the page is part of a stack. When a page fault is generated for a page that is marked as a stack page, the kernel could allocate all the pages between the top of the stack and the page that caused the fault. This would be optimal, because it wastes no physical memory (same as guard page), wastes the same amount of virtual memory (address space) as the guard page method must reserve, and is more efficient in increasing the stack for large increases.

Anyway, I don't want to get too far off topic. Thanks for the explanation.
Post 22 Feb 2012, 04:56
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.