1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
|
```
(gdb) info address System_Console_ReadLine
Symbol "System_Console_ReadLine" is a function at address 0x7f9a3ce60f50.
```
ok, time to look for something close to `0x7f9a3ce60f50` on the stack as a return address.
<div class="codebox"><pre>
(gdb) x/300xg $rsp
0x7ffd84d06930: 0x0000000000000000 0x0000000000603f21
0x7ffd84d06940: 0x0000000002106908 0x32bfbbdd7b4d2300
0x7ffd84d06950: 0x0000000000000004 0x0000000000000000
0x7ffd84d06960: 0x00007f9a3ec0a150 0x0000000000000400
0x7ffd84d06970: 0x00007ffd84d06a80 0x00000000005d7c20
0x7ffd84d06980: 0x000000003cd61c3d 0x32bfbbdd7b4d2300
0x7ffd84d06990: 0x0000000000000000 0x00007ffd84d06a60
0x7ffd84d069a0: 0x00007f9a3ec0a150 0x0000000000000000
0x7ffd84d069b0: 0x0000000000000400 0x0000000041951b2a
0x7ffd84d069c0: 0x0000000000000000 0x00007f9a3ec09ff8
0x7ffd84d069d0: 0x00007f9a3ec0a150 0x0000000000000000
0x7ffd84d069e0: 0x0000000000000400 0x00000000020b49b0
0x7ffd84d069f0: 0x00007f9a3ec0a150 0x00007ffd84d06a60
0x7ffd84d06a00: 0x00007ffd84d069c0 0x00007f9a3cd61b91
0x7ffd84d06a10: 0x00007ffd84d06a80 0x0000000000000400
0x7ffd84d06a20: 0x0000000000000000 0x00007f9a3ec0a150
0x7ffd84d06a30: 0x00007f9a3ec0a068 0x00007f9a3ec0a118
0x7ffd84d06a40: 0x00007f9a3ec0a170 0x0000000000000007
0x7ffd84d06a50: 0x00007f9a3ec0a501 0x0000000000000400
0x7ffd84d06a60: 0x0000000000000400 0x00007f9a3cd60348
0x7ffd84d06a70: 0x0000000000000000 0x0000000000000400
0x7ffd84d06a80: 0x00007f9a00000000 0x00007f9a3ec09ff8
0x7ffd84d06a90: 0x00007f9a3ec0a068 0x00007f9a3ec0a150
0x7ffd84d06aa0: 0x0000000000000400 0x00007f9a3cd5e517
0x7ffd84d06ab0: 0x0000000000000400 0x00007ffd84d06d00
0x7ffd84d06ac0: 0x00007f9a3ec09ff8 0x00007f9a3ec0a150
0x7ffd84d06ad0: 0x0000000000000000 0x0000000000000400
0x7ffd84d06ae0: 0x0000000000000400 0x00007f9a3cd5e382
0x7ffd84d06af0: 0x00000000020f1e30 0x0000000000000000
0x7ffd84d06b00: 0x00007f9a3ec00628 0x00007ffd84d06c38
0x7ffd84d06b10: 0x00007f9a3ec0a0b0 0x0000000000000000
0x7ffd84d06b20: 0x00007f9a3ec00628 0x00007f9a3cbcddc5
0x7ffd84d06b30: 0x00000000020f1e30 0x00007ffd84d06d00
0x7ffd84d06b40: 0x0000000000000000 0x00007f9a3ec00628
0x7ffd84d06b50: 0x00007ffd84d06c38 0x00007f9a3ec0a0b0
0x7ffd84d06b60: 0x00000000020f1e30 0x00007f9a3cbccc44
0x7ffd84d06b70: 0x00000000020f1e30 0x0000000000000000
0x7ffd84d06b80: 0x00007f9a3ec00628 0x00007f9a3ec00628
0x7ffd84d06b90: 0x00007ffd84d06c38 0x00007f9a00000000
0x7ffd84d06ba0: 0x00007ffd84d06b60 0x00007f9a3ce78294
0x7ffd84d06bb0: 0x0000000000000000 0x0000000000000004
0x7ffd84d06bc0: 0x00007f9a3ec272f8 0x00007ffd84d06c28
0x7ffd84d06bd0: 0x00007f9a3ec08328 0x00007f9a3cc6f872
0x7ffd84d06be0: 0x00007f9a3ec272f8 0x00007f9a3ce78a12
0x7ffd84d06bf0: 0x00000000020f1e30 0x00007ffd84d06fe0
0x7ffd84d06c00: 0x0000000000000000 0x00007f9a3ec08328
0x7ffd84d06c10: 0x00007f9a3ec08328 0x0000000041952328
0x7ffd84d06c20: 0x0000000041952315 0x0000000000000000
0x7ffd84d06c30: 0x00007f9a00000000 0x00007f9a3ec07800
0x7ffd84d06c40: 0x00007f9a3ec272f8 0x00007f9a3ce628c4
<b>0x7ffd84d06c50: 0x00007f9a3ec08328 0x00007f9a3ce61027 <--- this is our winner</b>
0x7ffd84d06c60: 0x000000004194fe50 0x00007ffd84d06fe0
0x7ffd84d06c70: 0x0000000000000005 0x000000004194fdca
0x7ffd84d06c80: 0x000000004194fd50 0x000000004194fd50
0x7ffd84d06c90: 0x000000004194fd50 0x000000004194ff19
0x7ffd84d06ca0: 0x000000000000001f 0x0000000000000000
0x7ffd84d06cb0: 0x31c01d4184d06f90 0x0000000000000000
0x7ffd84d06cc0: 0x0000000000000000 0x32bfbbdd7b4d2300
0x7ffd84d06cd0: 0x00000000020908b0 0x00000000020f1e30
0x7ffd84d06ce0: 0x00007ffd84d06f90 0x000000004194fe50
0x7ffd84d06cf0: 0x0000000002091d30 0x0000000000000000
0x7ffd84d06d00: 0x00007ffd84d06f90 0x00000000004266b8
0x7ffd84d06d10: 0x00000000020ed240 0x000000000208df90
0x7ffd84d06d20: 0x0000000000000000 0x00000000020f9c00
0x7ffd84d06d30: 0x0000000000000025 0x0000000000000000
0x7ffd84d06d40: 0x0000000000000000 0x0000000000000000
0x7ffd84d06d50: 0x000000000209bfa8 0x00007f9a00000000
0x7ffd84d06d60: 0x0000000000000000 0x00007f9a3f733b20
0x7ffd84d06d70: 0x0000000000000026 0x0000000000000025
0x7ffd84d06d80: 0x00007ffd84d06df4 0x00007f9a3f749c89
0x7ffd84d06d90: 0x0000000000000000 0x00000000006366fe
0x7ffd84d06da0: 0x00007f9a401b4130 0x00000000020f1d80
0x7ffd84d06db0: 0x00007ffd84d071f0 0x00007f9a3f3f398c
0x7ffd84d06dc0: 0x00007ffd84d071f0 0x00007f9a3f3f35d4
0x7ffd84d06dd0: 0x00000000020af860 0x0000000000632060
0x7ffd84d06de0: 0x00000000020f1d80 0x0000000000000000
0x7ffd84d06df0: 0x0000000000000000 0x000000000208df90
0x7ffd84d06e00: 0x00000000020f1d80 0x00000000020f1d80
0x7ffd84d06e10: 0x00007f9a401b4130 0x00000000020f1d80
0x7ffd84d06e20: 0x00007ffd84d071f0 0x00007f9a3f3f398c
0x7ffd84d06e30: 0x0000000000000000 0x32bfbbdd7b4d2300
0x7ffd84d06e40: 0x00007ffd84d06eb0 0x000000000054537c
0x7ffd84d06e50: 0x00000000020f1d80 0x000000000208df90
0x7ffd84d06e60: 0x00000000020f1d80 0x00000000020f1d80
0x7ffd84d06e70: 0x00007f9a401b4130 0x32bfbbdd7b4d2300
0x7ffd84d06e80: 0x0000000000000000 0x0000000002091d30
0x7ffd84d06e90: 0x0000000002091d30 0x0000000000000000
0x7ffd84d06ea0: 0x00007f9a401b4130 0x00000000020f1d80
0x7ffd84d06eb0: 0x00007ffd84d071f0 0x00000000005452d9
0x7ffd84d06ec0: 0x0000000000000000 0x0000000002091d30
0x7ffd84d06ed0: 0x00000000020911c0 0x0000000002091350
0x7ffd84d06ee0: 0x0000000000000040 0x00000000020f1d80
0x7ffd84d06ef0: 0x00007ffd84d071f0 0x000000000055fec6
0x7ffd84d06f00: 0x0000000000000040 0x0000000002091350
0x7ffd84d06f10: 0x00007f9a3ec00388 0x32bfbbdd7b4d2300
0x7ffd84d06f20: 0x00007f9a401b4130 0x0000000002091d30
0x7ffd84d06f30: 0x00000000020911c0 0x0000000000000000
0x7ffd84d06f40: 0x00007f9a401b4130 0x00000000005b910a
0x7ffd84d06f50: 0x000000000208df90 0x32bfbbdd7b4d2300
0x7ffd84d06f60: 0x00007f9a401b4130 0x0000000002091d30
0x7ffd84d06f70: 0x00007ffd84d06fe0 0x0000000000000000
0x7ffd84d06f80: 0x00000000020f1d80 0x00007ffd84d071f0
0x7ffd84d06f90: 0x0000000000000000 0x00000000005ac68d
0x7ffd84d06fa0: 0x000000000208df90 0x0000000002091d30
0x7ffd84d06fb0: 0x0000000000000000 0x0000000000000000
0x7ffd84d06fc0: 0x00007f9a401b4130 0x00000000005ae9cc
0x7ffd84d06fd0: 0x000000000208df90 0x0000000000000000
0x7ffd84d06fe0: 0x00007f9a3ec00328 0x32bfbbdd7b4d2300
0x7ffd84d06ff0: 0x00007ffd84d07484 0x000000000208df90
0x7ffd84d07000: 0x0000000000000001 0x00000000020ed390
0x7ffd84d07010: 0x0000000000000000 0x0000000000476967
0x7ffd84d07020: 0x0000000000000000 0x00000000161169ff
0x7ffd84d07030: 0x0000000000000000 0x0000000000000000
0x7ffd84d07040: 0x0000000000000000 0x0000000000000000
0x7ffd84d07050: 0x0000000000000004 0x0000000000000000
0x7ffd84d07060: 0x0000000000000000 0x0000000000000000
0x7ffd84d07070: 0x0000000000000000 0x0000000000000000
0x7ffd84d07080: 0x0000000000000002 0x0000000100000001
0x7ffd84d07090: 0x0000000000639710 0x000000000208df90
0x7ffd84d070a0: 0x00007ffd84d071e0 0x0000000000000002
0x7ffd84d070b0: 0x0000000000000000 0x0000000000422c0e
0x7ffd84d070c0: 0x0000000000000001 0x32bfbbdd7b4d2300
0x7ffd84d070d0: 0x0000000000000000 0x0000000000000000
0x7ffd84d070e0: 0x0000000000639710 0x0000000000422e50
0x7ffd84d070f0: 0x00007ffd84d071e0 0x0000000000000000
0x7ffd84d07100: 0x0000000000000000 0x00007f9a3f390830
0x7ffd84d07110: 0x0000000000000000 0x00007ffd84d071e8
0x7ffd84d07120: 0x0000000240290ca0 0x0000000000422be0
0x7ffd84d07130: 0x0000000000000000 0x42f8e52f22cfd5b5
0x7ffd84d07140: 0x0000000000422e50 0x00007ffd84d071e0
0x7ffd84d07150: 0x0000000000000000 0x0000000000000000
0x7ffd84d07160: 0xbd03ec48eecfd5b5 0xbdcc9b9a033fd5b5
0x7ffd84d07170: 0x00007ffd00000000 0x0000000000000000
0x7ffd84d07180: 0x0000000000000000 0x0000000000639780
0x7ffd84d07190: 0x00007f9a4007b8e0 0x00007f9a4007b5fb
0x7ffd84d071a0: 0x0000000000000000 0x0000000000000000
0x7ffd84d071b0: 0x0000000000422e50 0x00007ffd84d071e0
0x7ffd84d071c0: 0x0000000000000000 0x0000000000422e79
0x7ffd84d071d0: 0x00007ffd84d071d8 0x000000000000001c
0x7ffd84d071e0: 0x0000000000000002 0x00007ffd84d0747f
0x7ffd84d071f0: 0x00007ffd84d07484 0x0000000000000000
0x7ffd84d07200: 0x00007ffd84d0748e 0x00007ffd84d07499
0x7ffd84d07210: 0x00007ffd84d074aa 0x00007ffd84d074bd
0x7ffd84d07220: 0x00007ffd84d074da 0x00007ffd84d074eb
0x7ffd84d07230: 0x00007ffd84d074fb 0x00007ffd84d07507
0x7ffd84d07240: 0x00007ffd84d07519 0x00007ffd84d07529
0x7ffd84d07250: 0x00007ffd84d07536 0x00007ffd84d07565
0x7ffd84d07260: 0x00007ffd84d07aed 0x00007ffd84d07b1c
0x7ffd84d07270: 0x00007ffd84d07b33 0x00007ffd84d07e50
0x7ffd84d07280: 0x00007ffd84d07e71 0x00007ffd84d07e81
</pre></div>
0x7ffd84d06c58: 0x00007f9a3ce61027 <-- this is a return address to the native code Console.ReadLine()
which means slightly further up the stack:
0x7ffd84d06c78: 0x000000004194fdca <-- this is a return address to the caller of Console.ReadLine() (this is main)
Main(), for comparison:
<div class="codebox">
```cs
#include main.cs
```
</div>
<div class="codebox"><pre>
(gdb) x/10i 0x000000004194fdca
0x4194fdca: nop
0x4194fdcb: callq 0x41953b10 <-- so this is the last statement in main - mangler()
0x4194fdd0: inc %r15d <-- this is i++ in the loop on line 4 of main
0x4194fdd3: cmp $0x3c,%r15d
0x4194fdd7: jl 0x4194fd78
0x4194fdd9: xchg %ax,%ax
0x4194fddb: callq 0x4194fe26
0x4194fde0: movabs $0x7f9a401a4158,%rdi
0x4194fdea: movabs $0x4194fe1c,%r11
0x4194fdf4: callq *%r11
</pre></div>
this makes sense as a return address because we see the first thing after ReadLine(), which is mangler()!
stepping back a little:
<div class="codebox"><pre>
(gdb) x/30i 0x000000004194fdb0
0x4194fdb0: movabs $0x7f9a3ce609d0,%r11 <- pointer to native code System_Console_ReadLine()
0x4194fdba: callq *%r11
0x4194fdbd: movabs $0x7f9a3ce60f50,%r11 <- pointer to native code System_Console_WriteLine()
0x4194fdc7: callq *%r11
0x4194fdca: nop
0x4194fdcb: callq 0x41953b10 <- mangler()
0x4194fdd0: inc %r15d
0x4194fdd3: cmp $0x3c,%r15d
0x4194fdd7: jl 0x4194fd78 <- loop end
0x4194fdd9: xchg %ax,%ax
0x4194fddb: callq 0x4194fe26 <- also mangler()??
0x4194fde0: movabs $0x7f9a401a4158,%rdi <- ???
0x4194fdea: movabs $0x4194fe1c,%r11 <- ???
0x4194fdf4: callq *%r11 <- ???
0x4194fdf7: callq 0x4194fe26
0x4194fdfc: movabs $0x7f9a401a4180,%rdi
0x4194fe06: movabs $0x4194fe1c,%r11
0x4194fe10: callq *%r11
0x4194fe13: mov (%rsp),%r15
0x4194fe17: add $0x18,%rsp
0x4194fe1b: retq <- main's end, whew
</pre></div>
looking at the weird mangler() call:
<div class="codebox"><pre>
(gdb) x/10i 0x4194fe26
0x4194fe26: callq 0x40ee3000
0x4194fe2b: add $0xf0,%al
0x4194fe2d: lahf
0x4194fe2e: lar %ax,%ebp
0x4194fe31: lret
0x4194fe32: xor %ebx,-0x1(%rcx)
0x4194fe35: add $0xf0,%al
0x4194fe37: cmp %cl,(%rdi)
0x4194fe39: add %al,%ch
0x4194fe3b: (bad)
</pre></div>
the only part of this that makes sense is the callq 0x40ee3000 - the rest is... nonsense-y. long return, really??? maybe at the call site we'll see something useful...
<div class="codebox"><pre>
(gdb) x/70i 0x40ee3000
0x40ee3000: mov %r11,-0xd0(%rsp)
0x40ee3008: pop %r11 <------------ WHAT
0x40ee300a: push %rbp
0x40ee300b: mov %rsp,%rbp
0x40ee300e: sub $0x160,%rsp
0x40ee3015: sub $0x5,%r11
0x40ee3019: mov %r11,-0x10(%rbp)
0x40ee301d: mov %rax,-0x128(%rbp)
0x40ee3024: mov %rcx,-0x120(%rbp)
0x40ee302b: mov %rdx,-0x118(%rbp)
0x40ee3032: mov %rbx,-0x110(%rbp)
0x40ee3039: mov %rsp,%r11
0x40ee303c: add $0x170,%r11
0x40ee3043: mov %r11,-0x108(%rbp)
0x40ee304a: mov 0x0(%rbp),%rax
0x40ee304e: mov %rax,-0x100(%rbp)
0x40ee3055: mov %rsi,-0xf8(%rbp)
0x40ee305c: mov %rdi,-0xf0(%rbp)
0x40ee3063: mov %r8,-0xe8(%rbp)
0x40ee306a: mov %r9,-0xe0(%rbp)
0x40ee3071: mov %r10,-0xd8(%rbp)
0x40ee3078: mov %r12,-0xc8(%rbp)
0x40ee307f: mov %r13,-0xc0(%rbp)
0x40ee3086: mov %r14,-0xb8(%rbp)
0x40ee308d: mov %r15,-0xb0(%rbp)
0x40ee3094: mov 0x8(%rbp),%r11
0x40ee3098: mov %r11,-0xa8(%rbp)
0x40ee309f: movsd %xmm0,-0xa0(%rbp)
</pre></div>
that pop pops the return address of this function, 0x4194fe2b, into r11, meaning we actually return to the *caller* of 0x4194fe26, back into main. so this method must use that pointer as information and probably is a 'patch-and-invoke' mechanism. the `sub $0x5, %r11` at 0x40ee3015 seals the deal, because that moves r11 back 5 bytes to point to the call here.
|