Assignment 8: Some Assembly Required

Due (Hardcopy) Thursday, March 20th

This is a written assignment, not a coding assignment!

The goals for this assignment are:

  • Understand basic x86_64 assembly instructions, especially memory addressing

  • Visualize the execution of x86_64 assembly instructions

1. Operand practice

Suppose memory has the following values:

Address

Value

0xf08

0x10

0xf0a

0x3c

0xf0c

0x14

0xf0e

0x04

0xf10

0x34

0xf12

0xe4

And suppose our registers have the following values:

Register

Value

%rax

0xf08

%rbx

0x44

%rsi

0x08

%r8

0x01

Fill in the following table with the corresponding form, translation, and value for each of the given operands.

Operand

Form

Translation

Value

%rax

 
 
 
 
 
 
 

0x4(%rax)

 
 
 
 
 
 
 

0x4(%rax, %r8, 4)

 
 
 
 
 
 
 

0xf00(,%rsi,2)

 
 
 
 
 
 
 

2. The answer is 42

Recall the following example from class and Dive into Systems. This mysterious program reliably produces the output 42. In this question, you will trace the assembly to understand why.

#include <stdio.h>

int assign(void) {
    int y = 40;
    return y;
}

int adder(void) {
    int a;
    return a + 2;
}

int main(void) {
    int x;
    assign();
    x = adder();
    printf("x is: %d\n", x);
    return 0;
}

Suppose that compiling the above program results in the following assembly instructions (x86_64)

0000000000001149 <assign>:
    114d: 55                    push   %rbp
    114e: 48 89 e5              mov    %rsp,%rbp
    1151: c7 45 fc 28 00 00 00  movl   $0x28,-0x4(%rbp)
    1158: 8b 45 fc              mov    -0x4(%rbp),%eax
    115b: 5d                    pop    %rbp
    115c: c3                    retq

000000000000115d <adder>:
    1161: 55                    push   %rbp
    1162: 48 89 e5              mov    %rsp,%rbp
    1165: 8b 45 fc              mov    -0x4(%rbp),%eax
    1168: 83 c0 02              add    $0x2,%eax
    116b: 5d                    pop    %rbp
    116c: c3                    retq

000000000000116d <main>:
    1171: 55                    push   %rbp
    1172: 48 89 e5              mov    %rsp,%rbp
    1175: 48 83 ec 10           sub    $0x10,%rsp
    1179: e8 cb ff ff ff        callq  1149 <assign>
    117e: e8 da ff ff ff        callq  115d <adder>
    1183: 89 45 fc              mov    %eax,-0x4(%rbp)
    1186: 8b 45 fc              mov    -0x4(%rbp),%eax
    1189: 89 c6                 mov    %eax,%esi
    118b: 48 8d 3d 72 0e 00 00  lea    0xe72(%rip),%rdi
    1192: b8 00 00 00 00        mov    $0x0,%eax
    1197: e8 b4 fe ff ff        callq  1050 <printf@plt>
    119c: b8 00 00 00 00        mov    $0x0,%eax
    11a1: c9                    leaveq
    11a2: c3                    retq
In The Hitchhiker’s Guide to the Galaxy by Douglas Adams, the "Answer to the Ultimate Question of Life, the Universe, and Everything," calculated by an enormous supercomputer named Deep Thought over a period of 7.5 million years.

1) Suppose this is the state of the stack immediately prior to executing main Please show the before and after state (cross out old values).

000000000000116d <main>:
--> 1171: 55                    push   %rbp
    1172: 48 89 e5              mov    %rsp,%rbp
    1175: 48 83 ec 10           sub    $0x10,%rsp
    1179: e8 cb ff ff ff        callq  1149 <assign>
    117e: e8 da ff ff ff        callq  115d <adder>
    1183: 89 45 fc              mov    %eax,-0x4(%rbp)
    1186: 8b 45 fc              mov    -0x4(%rbp),%eax
    1189: 89 c6                 mov    %eax,%esi

Register

Value

%eax

379

%edi

1

%rsp

0xe68

%rbp

0x1578

%rip

0x1171

"Stack top"

Address

Stack value

 

 

 

 

 

 

 

0xe68

2) What are the contents of registers and the stack after executing mov %rsp, %rbp? Please show the before and after state (cross out old values).

000000000000116d <main>:
    1171: 55                    push   %rbp
--> 1172: 48 89 e5              mov    %rsp,%rbp
    1175: 48 83 ec 10           sub    $0x10,%rsp
    1179: e8 cb ff ff ff        callq  1149 <assign>
    117e: e8 da ff ff ff        callq  115d <adder>
    1183: 89 45 fc              mov    %eax,-0x4(%rbp)
    1186: 8b 45 fc              mov    -0x4(%rbp),%eax
    1189: 89 c6                 mov    %eax,%esi

Register

Value

%eax

%edi

%rsp

%rbp

%rip

"Stack top"

Address

Stack value

 

 

 

 

 

 

 

0xe68

3) What is the state of registers and the stack after executing sub $0x10, %rsp? Please show the before and after state (cross out old values).

000000000000116d <main>:
    1171: 55                    push   %rbp
    1172: 48 89 e5              mov    %rsp,%rbp
--> 1175: 48 83 ec 10           sub    $0x10,%rsp
    1179: e8 cb ff ff ff        callq  1149 <assign>
    117e: e8 da ff ff ff        callq  115d <adder>
    1183: 89 45 fc              mov    %eax,-0x4(%rbp)
    1186: 8b 45 fc              mov    -0x4(%rbp),%eax
    1189: 89 c6                 mov    %eax,%esi

Register

Value

%eax

%edi

%rsp

%rbp

%rip

"Stack top"

Address

Stack value

 

 

 

 

 

 

 

0xe68

4) What is the state of registers and the stack after executing callq 0x1149 <assign>? Please show the before and after state (cross out old values).

000000000000116d <main>:
    1171: 55                    push   %rbp
    1172: 48 89 e5              mov    %rsp,%rbp
    1175: 48 83 ec 10           sub    $0x10,%rsp
--> 1179: e8 cb ff ff ff        callq  1149 <assign>
    117e: e8 da ff ff ff        callq  115d <adder>
    1183: 89 45 fc              mov    %eax,-0x4(%rbp)
    1186: 8b 45 fc              mov    -0x4(%rbp),%eax
    1189: 89 c6                 mov    %eax,%esi

Register

Value

%eax

%edi

%rsp

%rbp

%rip

"Stack top"

Address

Stack value

 

 

 

 

 

 

 

0xe68

5) Skipping ahead, what is the state of registers and the stack when the program executes pop %rbp? What two changes occur during pop? Please show the before and after state (cross out old values).

0000000000001149 <assign>:
    114d: 55                    push   %rbp
    114e: 48 89 e5              mov    %rsp,%rbp
    1151: c7 45 fc 28 00 00 00  movl   $0x28,-0x4(%rbp)
    1158: 8b 45 fc              mov    -0x4(%rbp),%eax
--> 115b: 5d                    pop    %rbp
    115c: c3                    retq

Register

Value

%eax

%edi

%rsp

%rbp

%rip

"Stack top"

Address

Stack value

 

 

 

 

 

 

 

0xe68

6) What is the state of registers and the stack after executing retq? Please show the before and after state (cross out old values).

0000000000001149 <assign>:
    114d: 55                    push   %rbp
    114e: 48 89 e5              mov    %rsp,%rbp
    1151: c7 45 fc 28 00 00 00  movl   $0x28,-0x4(%rbp)
    1158: 8b 45 fc              mov    -0x4(%rbp),%eax
    115b: 5d                    pop    %rbp
--> 115c: c3                    retq

Register

Value

%eax

%edi

%rsp

%rbp

%rip

"Stack top"

Address

Stack value

 

 

 

 

 

 

 

0xe68

7) Skipping ahead, what are the state of registers and the stack when executing retq in adder? Please show the before and after state (cross out old values).

000000000000115d <adder>:
    1161: 55                    push   %rbp
    1162: 48 89 e5              mov    %rsp,%rbp
    1165: 8b 45 fc              mov    -0x4(%rbp),%eax
    1168: 83 c0 02              add    $0x2,%eax
    116b: 5d                    pop    %rbp
--> 116c: c3                    retq

Register

Value

%eax

%edi

%rsp

%rbp

%rip

"Stack top"

Address

Stack value

 

 

 

 

 

 

 

0xe68

8) Consider the call the printf, callq 1050 <printf@plt>. The previous lines place the first argument to printf into %rdi. Assume this contains "x is %d\n". The second argument will be placed in %esi. What value will %esi containin?

000000000000116d <main>:
    1171: 55                    push   %rbp
    1172: 48 89 e5              mov    %rsp,%rbp
    1175: 48 83 ec 10           sub    $0x10,%rsp
    1179: e8 cb ff ff ff        callq  1149 <assign>
    117e: e8 da ff ff ff        callq  115d <adder>
    1183: 89 45 fc              mov    %eax,-0x4(%rbp)
    1186: 8b 45 fc              mov    -0x4(%rbp),%eax
    1189: 89 c6                 mov    %eax,%esi
    118b: 48 8d 3d 72 0e 00 00  lea    0xe72(%rip),%rdi
    1192: b8 00 00 00 00        mov    $0x0,%eax
    1197: e8 b4 fe ff ff        callq  1050 <printf@plt>
    119c: b8 00 00 00 00        mov    $0x0,%eax
    11a1: c9                    leaveq
    11a2: c3                    retq

3. Submit your work

This is a written assignment. Please submit a hard-copy in either Lecture or Lab, or submit to either Nina Fichera’s office (Park 348) or Aline Normoyle’s office (Park 200B).

4. Extra Credit (0.3): Hackers

In class, we looked at how we can cheat at a guessing game by overriding the return address of a function to jump to the endGame function. In this question, you can use the same techniques to

1) What is the secret number?  
 
 
 
 
 

2) What is the secret string?  
 
 
 
 
 

3) Give the buffer contents that can be used to overwrite the stack and jump to the funtion, endGame.