flat assembler
Message board for the users of flat assembler.
Endre
Yes, debugging assembly is a weakness of Linux. It's because there are just very few debuggers on Linux. Fasm doesn't generate debug info into the binary, which makes debugging with gdb a bit hard. That's why I don't use gdb for such a task. Once I found a hacked version of nasm which was able to generate quite correct debug info, but it was not the best either. Then I found ald (see: http://ald.sourceforge.net/) which has not too much comfort (no symbols, etc.), but it's really usable. When I work on my OS I use bochs' debugging facilities, which are similar to those of ald.
Objdump was/is/will be unable to interpret an ELF binary generated by fasm. I don't know why. For disassembling I either use ndisasm (nasm) or the disassembler features of the above mentioned tools. I acknowledge ollydbg is a great tool that we unfortunately have to miss under unices. Another opportunity is to use gas, which now also accepts Intel syntax and can generate perfect debug info (http://www.cs.pdx.edu/~bjorn/CS200/linux_tutorial/). P.S.: when debugging the code with ald you can also debug the signal handler.
nixnoob
Hi Endre,
Sorry to be pestish and noobish, but did you leave out the URL for an ald tutorial? Anyway, after struggling to compile it (can't find readline, and the rpms that I wgot into the shells were spitting more errors than I could handle) I somehow got another friend of mine to install it in his shell and tried it out; seems fine. I can't seem to find a way: I tried the idiotic way of setting a break on the handler, hoping it would break there when I hit s, but it doesn't seem to be the case.

Code:
ald> disassemble 0x80480ce -num 5
080480CE B804000000 mov eax, 0x4
080480D3 BB02000000 mov ebx, 0x2
080480D8 B9ED900408 mov ecx, 0x80490ed
080480DD BA1E000000 mov edx, 0x1e
080480E2 CD80 int 0x80
ald> examine 0x80490ed
Dumping 64 bytes of memory starting at 0x080490ED in hex
080490ED: 48 6D 6D 6D 2C 20 53 49 47 53 45 47 56 20 73 69 Hmmm, SIGSEGV si
080490FD: 67 6E 61 6C 20 72 65 63 65 69 76 65 64 0A 62 75 gnal received.bu
0804910D: 74 20 49 27 6D 20 73 74 69 6C 6C 20 61 6C 69 76 t I'm still aliv
0804911D: 65 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e...............
ald>

Code:
ald> break 080480CE
Invalid symbol: 080480CE
ald> break 0x80480CE
Breakpoint 1 set for 0x080480CE
ald> s
Program received signal SIGSEGV (Segmentation fault)
Location: 0x0804809D
eax = 0x00000000 ebx = 0x00000000 ecx = 0x08048074 edx = 0x00000000
esp = 0xBFFFFB80 ebp = 0x00000000 esi = 0x00000000 edi = 0x00000000
ds = 0x002B es = 0x002B fs = 0x0000 gs = 0x0000 ss = 0x002B cs = 0x0023
eip = 0x0804809D eflags = 0x00010346
Flags: PF ZF TF IF RF
0804809D FF3500000000 push dword []
ald> lbreak
Num Type       Enabled Address    IgnoreCount HitCount
1   Breakpoint y       0x080480CE none        0
ald> s
Hmmm, SIGSEGV signal received
eax = 0x00000004 ebx = 0x00000000 ecx = 0x08048074 edx = 0x00000000
esp = 0xBFFFFB80 ebp = 0x00000000 esi = 0x00000000 edi = 0x00000000
ds = 0x002B es = 0x002B fs = 0x0000 gs = 0x0000 ss = 0x002B cs = 0x0023
eip = 0x080480B4 eflags = 0x00000346
Flags: PF ZF TF IF
080480B4 BB02000000 mov ebx, 0x2
ald>

Could you post a little tutorial? Well, the main reason for me behind this course is to land on the handler, write a little trampoline inline into some blank space in the exe, jump there, try the pokeusr system call and jump back to the flow. Yeah, too hackish a way, I sense, but I want to do it that way. Thanks and regards
Endre
Here it works quite seamlessly. I had no problem when compiling ald. Without readline it's perhaps a pain to work with - I have never tried it yet. I guess libreadline should be a component of every distribution.

Code:
$ ldd /usr/local/bin/ald
linux-gate.so.1 => (0xffffe000)
libreadline.so.4 => /usr/lib/libreadline.so.4 (0xb7f92000)
libtermcap.so.2 => /lib/libtermcap.so.2 (0xb7f8e000)
libc.so.6 => /lib/libc.so.6 (0xb7e74000)
/lib/ld-linux.so.2 (0xb7fc8000)
$

Code:
ald> d
...
080480C3 CD80 int 0x80
080480C5 31DB xor ebx, ebx
080480C7 B801000000 mov eax, 0x1
080480CC CD80 int 0x80
080480CE B804000000 mov eax, 0x4         ; <--- here starts the signal handler
080480D3 BB02000000 mov ebx, 0x2
080480D8 B9ED900408 mov ecx, 0x80490ed
080480DD BA1E000000 mov edx, 0x1e
080480E2 CD80 int 0x80
Hit <return> to continue, or <q> to quit q
ald> b 0x080480CE
Breakpoint 1 set for 0x080480CE
ald> c
Program received signal SIGSEGV (Segmentation fault)
Location: 0x0804809D
eax = 0x00000000 ebx = 0x00000000 ecx = 0x08048074 edx = 0x00000000
esp = 0xBF8CEC80 ebp = 0x00000000 esi = 0x00000000 edi = 0x00000000
ds = 0x007B es = 0x007B fs = 0x0000 gs = 0x0000 ss = 0x007B cs = 0x0073
eip = 0x0804809D eflags = 0x00210246
Flags: PF ZF IF RF ID
0804809D FF3500000000 push dword []
ald> c                                    ; <--- debugger detected this error as well, so continue
Breakpoint 1 encountered at 0x080480CE
eax = 0x0000000B ebx = 0x00000000 ecx = 0xBF8CE990 edx = 0xBF8CE910
esp = 0xBF8CE900 ebp = 0x00000000 esi = 0x00000000 edi = 0x00000000
ds = 0x007B es = 0x007B fs = 0x0000 gs = 0x0000 ss = 0x007B cs = 0x0073
eip = 0x080480CE eflags = 0x00200246
Flags: PF ZF IF ID
080480CE B804000000 mov eax, 0x4
ald>
nixnoob
Hi Endre,
Thanks for replying. You use c while I used s, and if I use c it breaks on the handler.

Code:
0804809D FF3500000000 push dword []
ald> c
Breakpoint 1 encountered at 0x080480CE
eax = 0x00000000 ebx = 0x00000000 ecx = 0x08048074 edx = 0x00000000
esp = 0xBFFFF800 ebp = 0x00000000 esi = 0x00000000 edi = 0x00000000
ds = 0x002B es = 0x002B fs = 0x0000 gs = 0x0000 ss = 0x002B cs = 0x0023
eip = 0x080480CE eflags = 0x00000246
Flags: PF ZF IF
080480CE B804000000 mov eax, 0x4
ald>

So now one headache is over. I tried to find some space in the executable, but I see the executable is very compact, no padding zeroes etc. Where can I insert my trampoline code? Can I add a section to the end? You know Windows breaks the sections into .data .code .rsrc .reloc .whatever etc., so if you have a massive code addition to do via binary editing (not coding/compiling) you can add a section at the end and then divert the flow there. Likewise, now instead of mov eax,04 I want to put code like this:

jmp far somewhere        //<addr of trampoline
pushad                   //<save regs
pushfd                   //<save flags so hopefully we can trash anything from here onwards
mov eax,pokeusr addr or whatever it takes
...
...
...
int 0x80
parse the data code here; do whatever you fancy code here; cleanup the mess code here;
popfd
popad
execute the trashed instruction that accommodated the trampoline jmp;
jmp back to instruction next to trampoline   // continue as if nothing happened

Code:
xxd endre
0000000: 7f45 4c46 0101 0100 0000 0000 0000 0000  .ELF............
0000010: 0200 0300 0100 0000 8480 0408 3400 0000  ............4...
0000020: 0000 0000 0000 0000 3400 2000 0200 2800  ........4. ...(.
0000030: 0000 0000 0100 0000 7400 0000 7480 0408  ........t...t...
0000040: 7480 0408 7900 0000 7900 0000 0500 0000  t...y...y.......
0000050: 0010 0000 0100 0000 ed00 0000 ed90 0408  ................
0000060: ed90 0408 3200 0000 3200 0000 0600 0000  ....2...2.......
0000070: 0010 0000 ce80 0408 0000 0000 0400 0000  ................
0000080: 0000 0000 b843 0000 00bb 0b00 0000 b974  .....C.........t
0000090: 8004 0831 d2cd 8085 c089 c375 2aff 3500  ...1.......u*.5.
00000a0: 0000 00a3 0000 0000 64ff 3500 0000 00b8  ........d.5.....
00000b0: 0400 0000 bb02 0000 00b9 0b91 0408 ba14  ................
00000c0: 0000 00cd 8031 dbb8 0100 0000 cd80 b804  .....1..........
00000d0: 0000 00bb 0200 0000 b9ed 9004 08ba 1e00  ................
00000e0: 0000 cd80 8b44 240c 8340 4c12 c348 6d6d  .....D$..@L..Hmm
00000f0: 6d2c 2053 4947 5345 4756 2073 6967 6e61  m, SIGSEGV signa
0000100: 6c20 7265 6365 6976 6564 0a62 7574 2049  l received.but I
0000110: 276d 2073 7469 6c6c 2061 6c69 7665 0a    'm still alive.

So shall I just shift and insert some 0000 between 0xe0 and 0xf0? Will it be ok? (Oh yeah, I am going to do those shady things, but it would be good if I have some answers beforehand so that I don't have to reinvent the wheel.) Thank you. Best Regards
Endre
I don't know if I exactly understood what you want to do, but you can compile in an aptly sized area:

Code:
...
my_signal_handler:
        ; print exception message
        jmp     trampoline              ; jump into the nothing
        mov     eax, SYSCALL_WRITE
        mov     ebx, STDERR
        mov     ecx, signal_handler_msg
        mov     edx, signal_handler_msg_size
        int     0x80
        ; get parameter ucontext
        mov     eax, [esp+12]
        ; modify eip
        add     dword [eax+ucontext.uc_mcontext+sigcontext.eip], sizeof.do_dirty
        ret
        db      0xff, 0xff              ; arbitrary marker
trampoline:
        times 1024 db 0                 ; alloc 1024 bytes for the trampoline

; define section for data
section readable writeable

signal_handler_msg      db 'Hmmm, SIGSEGV signal received', 0xa
signal_handler_msg_size = $-signal_handler_msg
reborn_msg              db "but I'm still alive", 0xa
reborn_msg_size         = $-reborn_msg
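Endre's handler reads the ucontext pointer from the stack and bumps the saved eip past the faulting instruction (whose length it knows as `sizeof.do_dirty`), so execution resumes after the bad `push`. The following is an added example, not code from this thread or from ald, showing the same recover-from-SIGSEGV flow in C on Linux/glibc: it installs a SA_SIGINFO handler, provokes a fault by writing to a page mapped PROT_NONE, records the fault address the kernel reports in `si_addr` (the "Location:" value ald printed), and resumes with siglongjmp, because C code cannot know the faulting instruction's length the way the assembly version does. All function names below are my own.

```c
/* Added example (not from the thread): catch SIGSEGV, record where it
 * happened, and keep running. Linux/glibc assumed. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf recover_point;            /* where the handler jumps back to */
static volatile sig_atomic_t faults_seen;   /* number of SIGSEGVs handled */
static void *volatile last_fault_addr;      /* si_addr of the most recent fault */

static void segv_handler(int sig, siginfo_t *info, void *uctx)
{
    (void)sig;
    (void)uctx;   /* ucontext_t *: the structure whose eip the fasm handler patches */
    faults_seen++;
    last_fault_addr = info->si_addr;
    /* Returning here would re-execute the faulting store and fault again,
     * which is why the assembly version adjusts eip first. We instead unwind
     * to the sigsetjmp in probe_write; siglongjmp restores the signal mask. */
    siglongjmp(recover_point, 1);
}

/* Install the handler with SA_SIGINFO so si_addr is filled in. 0 on success. */
int install_segv_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* One page with all access revoked: any store to it must raise SIGSEGV. */
void *make_guard_page(void)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pagesz, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Try a one-byte store. Returns 1 if it faulted and we recovered, 0 if it went through. */
int probe_write(void *addr)
{
    if (sigsetjmp(recover_point, 1) != 0)
        return 1;   /* landed here via siglongjmp from segv_handler */
    *(volatile unsigned char *)addr = 0x41;
    return 0;
}

void *last_fault_address(void) { return last_fault_addr; }
int fault_count(void) { return (int)faults_seen; }

int main(void)
{
    unsigned char ok[1];
    void *guard = make_guard_page();
    if (install_segv_handler() != 0 || guard == NULL)
        return 1;
    printf("writable page: faulted=%d\n", probe_write(ok));
    printf("guard page:    faulted=%d at %p\n", probe_write(guard), last_fault_address());
    puts("Hmmm, SIGSEGV signal received, but I'm still alive");
    return 0;
}
```

Compile with `gcc -Wall example.c` and run it; the second probe faults, the handler records the guard page's address, and control comes back to `probe_write`, which reports 1. The detail worth keeping in mind from the thread: a handler that merely returns without changing the saved context gets the same fault again, so either the context is patched (the asm way) or the handler never returns normally (the siglongjmp way).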
nixnoob
OK, I'll compile that and do a file compare between the existing version and the new version. I think that would shed some light. JFYI, I just want to inline-assemble in place on the binary without compiling: assume I have this binary only and I don't have its source, and I still want to add some extra code inside that binary so that it works the way I want it to work (never heard of adding functionality? rock music).

OK, edit: I tried compiling that but it seems to spit a lot of errors. Here is a diff; I'll try it later, but if you find my mistake in between, post back. Thanks.

diff endre.asm endremod.asm 147a148,149 > db 0xff, 0xff ; arbitrary marker > trampoline: times 1024 db 0 ; alloc 1024 bytes for the trampoline
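Review bot: the two added lines are plain fasm data directives (`db 0xff, 0xff` and `times 1024 db 0`), so the assembly errors reported above are unlikely to originate in this hunk; the diff shows nothing else changed, which points at the toolchain or the rest of the file rather than these lines. One caveat on the `trampoline:` label introduced here: it is the target of the handler's `jmp trampoline`, and 1024 zero bytes decode as `add [eax], al` on x86, so until real code is written there the jump executes a run of those instructions rather than stopping at a marker.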
Endre
nixnoob wrote:
Sorry, I could have been a bit more verbose.
nixnoob
Hi Endre,
Well, that was compiling fine; sorry, but I was using a nasm assemble.bat earlier, stupid me. I think you misunderstood me when I said I wanted to add code: I am not going to ask the program to write it. I meant that when I have the program open in the debugger and it broke on the handler, I use the debugger's assemble capability to assemble code in place (something similar to set write on, set byte 0x80### == 0x90 (nopping code) in gdb). Well, ald doesn't have assemble capacity, so it's out of the question. By the way, does ald skip instructions? I can't see it stopping on your test eax,eax after setting the SEH handler; it directly passes to mov ebx,eax. Is that normal behaviour for that debugger, or is it a bug?

Quote:
Whatever, it's a nice debugger with a nice format and in Intel syntax; thanks for suggesting it. I think I am too confused. It seems I can generate any kind of useless errors even with gdb too. It seems gdb errs in many other ways, or I do not understand jack about Linux debuggers; I don't know what's the fact.

Code:
(gdb) break *0x8048089
Breakpoint 1 at 0x8048089
(gdb) set di i
(gdb) r
Starting program: /home/bluffer/myfirst/myfirstasm/endre
warning: shared library handler failed to enable breakpoint
Breakpoint 1, 0x08048089 in ?? ()
(gdb) x/6i $eip
0x8048089: mov ebx,0xb
0x804808e: mov ecx,0x8048074
0x8048093: xor edx,edx
0x8048095: int 0x80
0x8048097: test eax,eax
0x8048099: mov ebx,eax
(gdb) si
0x0804808e in ?? ()
(gdb) si
0x08048093 in ?? ()
(gdb)
0x08048095 in ?? ()       <---------------------- skips 0x8048097 test eax,eax
nixnoob
OK, it seems it is a feature that may or may not be fixed in the kernel:
http://www.ussg.iu.edu/hypermail/linux/kernel/0406.3/1126.html
There are arguments and counter-arguments saying it slows down etc. I am not a guru in these debates, but I know if I single-step and gdb breaks in the middle of an instruction, completely fucking up the disassembly and screwing up a seg fault, that is nasty behaviour. To force a break on 0x8048097 I set a breakpoint on 0x8048097, and the result is as follows:

Code:
Breakpoint 2, 0x08048089 in ?? ()
(gdb) si
0x0804808e in ?? ()
(gdb) si
0x08048093 in ?? ()
(gdb) si
0x08048095 in ?? ()
(gdb) si
0x08048098 in ?? ()
(gdb) x/i $eip
0x8048098: rorb $0x35,0xff2a75c3(%ecx)
(gdb) si
Program received signal SIGSEGV, Segmentation fault.
0x08048098 in ?? ()

Hope Linus Torvalds sees this thread and compiles the code and runs it in gdb. And I should thank Isomer at #wlug undernet for finding this post.
f0dder
So... signals are the way of exception handling on *u*x. What about thread safety?
vid
f0dder
Hm, seems sucky. There's no default, standardized, and solid per-thread exception routine? Christ. That's even worse than a single global 'errno'. Bad design.
vid
Yup - seems it was designed before exceptions were.
Most Linuxers are wondering what the reason is not to kill the "bad program" immediately, but at least you can request exception info (where, register values) as an extra bonus.
f0dder
Quote:
iiiiichhhnorantz! Linus should've had a clue and copied VMS instead of MINIX.
vid
http://www.linuxjournal.com/article/2121
Now someone just make an example of multithreaded Linux exception handling.
arafel
f0dder wrote:
That's even worse than a single global 'errno'. Bad design.
Leave this 'errno' to C coders. They made it, they shall suffer.
vid
I've heard "errno" is a macro emulating a global variable, after they realized the design wasn't very good for multithreading.
arafel
Yep, defined something like this, IIRC: #define errno (*__errno_location())
I think that this faulty design is not so much a result of multithreading, since it's global-per-thread in multithreaded environments anyway.
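To see arafel's point concretely: on glibc `errno` expands to `(*__errno_location())`, a call that returns the address of the calling thread's own copy, so a value stored in one thread never appears in another. The following is an added example (not from the thread) that sets errno in a worker thread and checks that the main thread's value and storage address are unaffected; `errno_is_per_thread` and `struct probe` are my names, and glibc/Linux with pthreads is assumed.

```c
/* Added example (not from the thread): errno is per-thread, not global. */
#include <errno.h>
#include <pthread.h>
#include <stdio.h>

struct probe {
    int  set_value;         /* errno value the worker thread assigns */
    int  seen_in_worker;    /* what the worker reads back from its errno */
    int *worker_errno_ptr;  /* &errno as seen by the worker thread */
};

static void *worker(void *arg)
{
    struct probe *p = arg;
    errno = p->set_value;               /* writes the worker's own copy */
    p->seen_in_worker = errno;
    p->worker_errno_ptr = &errno;       /* expands to __errno_location() */
    return NULL;
}

/* Returns 1 if errno is thread-local (main's value untouched and stored at a
 * different address), 0 if both threads share one errno, -1 on thread error. */
int errno_is_per_thread(void)
{
    struct probe p = { EACCES, 0, NULL };
    pthread_t tid;

    errno = ENOENT;                     /* main thread's own value */
    if (pthread_create(&tid, NULL, worker, &p) != 0)
        return -1;
    pthread_join(tid, NULL);
    if (p.seen_in_worker != EACCES)     /* the worker really wrote its copy */
        return -1;
    return (errno == ENOENT && p.worker_errno_ptr != &errno) ? 1 : 0;
}

int main(void)
{
    int r = errno_is_per_thread();
    printf("errno per thread: %s (main's errno still %d)\n",
           r == 1 ? "yes" : r == 0 ? "no" : "unknown", errno);
    return r == 1 ? 0 : 1;
}
```

Build with `gcc -Wall -pthread example.c`. The same mechanism is what makes signal-based error reporting awkward in threaded programs: errno is per-thread because the C library arranged it that way, whereas a signal handler installed with sigaction is process-wide and has to work out for itself which thread it is running on.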
vid
Someone should write a new thread with an article and example of how to do Linux exception handling, and then I will make it sticky in Linux and move the interesting links there. It would be nicer than having to read through 10 posts to find one that works, etc.
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.