How to interpret disassembed C code

Question

Let's say I run objdump -d on an object file generated by a C compiler and I get this disassembly:

0000000000400b5e <main>:
 400b5e: 55 push %rbp
 400b5f: 48 89 e5 mov %rsp,%rbp
 400b62: bf 50 0a 49 00 mov $0x490a50,%edi
 400b67: e8 04 0b 00 00 callq 401670 <_IO_puts>
 400b6c: 5d pop %rbp
 400b6d: c3 retq 
 400b6e: 66 90 xchg %ax,%ax

I'm not sure how to interpret everything here. Take the line:

400b62: bf 50 0a 49 00 mov $0x490a50,%edi

I get what the mov statement is doing, but what does the 400b62 mean? What does the bf 50 0a 49 00 mean? I couldn't find anything on the Internet explaining how to read this stuff.

Answer 1

The 400b62 is the address of the instruction. The bf 50 0a 49 00 are the bytes that make up the instruction. In this case, the instruction at 400b62 it sets the register %edi to 0x490a50. Here bf means "set edi" and 50 0a 49 00 are the bytes for 0x490a50 in little endian order (as Intel processors do).

If you want to be able to read each of the instructions, it takes a bit of decoding but can be done. The best reference in my experience is the Intel® 64 and IA-32 Architectures Software Developer Manuals , but they are not for the faint of heart.

Answer 2

Start with an assembly language primer, such as https://speakerdeck.com/vsergeev/x86-assembly-primer-for-c-programmers which is good if you already know C.

In your code, what matters is

mov $0x490a50,%edi
callq 401670 <_IO_puts>

First 6 arguments on x86-64 are passed through registers rdi, rsi, rdx, rcx r8, r9 . ( edi is half of rdi ), so this passes one argument to a to-be called function and then calls the function.

The decoded name ( _IO_puts ) suggests you're dealing with an implementation of puts , which implies 0x490a50 is the hexadecimal representation of the memory address of a string that was passed to it.

The original main will likely be something like:

#include <stdio.h>
int main() { puts("hello world"); }