Helloworld
File used -> 1-helloworld.c, 1-helloworld.exe
Last updated
File used -> 1-helloworld.c, 1-helloworld.exe
Last updated
Talking about coding some or the other how can we forget our Hello World program.
NOTE: Below mentioned code was compiled and executed in Linux using gcc. As a motive that when a code is compiled using different compiler they can produced different set of instructions.
On the left we have the disassembly and on the right we have the source code.
Before directly corelating the source code and disassembly, lets look a few things.
Here we see argc= dword ptr 8 ; argv= dword ptr 0Ch ; envp= dword ptr 10h
This is not a command or part of assembly language. These are markers used by IDA for ease in reading assembly instructions relating to the stack. Syntax is as following:
<arg/var name> = <size> ptr <offset from stack base>
They can used as offset value (to ebp) to access the value of argc, argv and envp. As these arguments are not referenced in the C code, no real assembler code was emitted that uses these constants.
Right after that, we see→ push ebp ; mov ebp, esp.
As we looked in previous part (Learning Assembly), we looked into Prologue/Epilogue. What we see here is the Prologue.
Then we see and esp, 0FFFFFFF0h ;
This is used to align the stack as needed by compiler .i.e, 16 byte alignment.
https://stackoverflow.com/questions/28472455/what-is-and-esp-0xfffffff0/28475252
https://stackoverflow.com/questions/24588858/and-esp-0xfffffff0
After that we have sub esp, 10h ; This is used to reserve space space on the stack which is used by local variables etc.
After all this the actual code is executed. Inshort, Between Prologue and Epilogue our actual code’s assembly exists.
And we can see, “Hello World!\n” being stored in stack which then is passed to call _printf as argument..
mov eax, 0 is the return value.
Lastly the execution ends with epilogue→ leave, retn
Using Developer Build Tools, cl.exe to compile our code and getting the compiled executable. Loading the executable in IDA-Freeware.
This file(1-helloworld.exe) is loaded in IDA Freeware and we land here.
We see a Functions Window, where we can see start and other functions named as sub_######.
Then we have the entry point i.e. start. This is the address where execution starts from.
Then we can see the disassembly of code.
We then have graph view of the whole disassembly. And we can see, for a small code like HelloWorld amount of disassembly produced is large. Although motive will be to look at main function and then proceed ahead. As we know, even the execution starts from start(entrypoint), user code will be executed from main function.
Here, first task is to locate the main function from this large number of blocks and disassembly.
For this, we will proceed to end by scrolling, and look for instructions, where a few push instructions are seen and just after that call to a function is taken. At the left bottom, position of graph can also be seen, to see where this is located. As shown in below image.
Here, we can see 3 push instructions and then call sub_401000. This relates to the passing of arguments and calling the function. And main takes 3 arguments generally, argc, **argv, **envp.
Lets look into this particular function (sub_401000).
We get to see the main function, now we can proceed ahead and follow along. We can see prologue to set up the stack frame, then “Hello World” strings is pushed onto the stack and passed as argument to next function ‘sub_401060’ , and since we know it is printing the strings, then this function can be printf function. Then it restores the stack by ‘add esp, 4’. We have then, ‘xor eax, eax’ and we know that xor can also be used to clear the register. Additionally eax contains return value. That means, here xor is setting eax to 0 which is our return value.
Actual Source Code →
Lets load the same file in IDA Pro, to see what difference it gives normally.
Here, Functions window have some meaningful function names and we can see main as well.
Secondly, we are directly taken into main function of code rather start.
Also, we can look in graph, and can see the user code is relatively small.
Also, we have a decompiler as well in this.
But we will continue with IDA Freeware.
