stackoom
  简体   繁体   中英

reverse engineering doubt

 原文  2011-04-23 18:02:19       c/ assembly/ x86/ reverse-engineering

Question

8048563:       e8 0d 00 00 00          call   8048575 <exit@plt+0x141>

I was trying to reverse engineer a binary for fun and I saw this call in the objdump output. Looking at this line, I thought the call would be to the exit function which was dynamically linked. However, 8048575 seems to be an address in the .text section of this program!

  1. Why does this wrong naming of function happen?
  2. The place where the call lands has the following line; why is the function prologue missing? 
8048575:       83 ec 6c                sub    esp,0x6c

4 answers

solution1
 3  2011-04-23 18:29:56

When a program calls a function in a shared library it calls an address in the Procedure Linkage Table (PLT). Initially the PLT contains a call into the dynamic linker, which will look up the function address dynamically and then replace the address in the PLT with the address that it found.

solution2
 3  2011-04-23 19:41:27

Thats a call to the IAT(import address table) entry so that it can perform an intermodular call(really a jump) to a function called 'exit`, this allow the avoidance of far calls and makes dynamic linkage simpler. As for the prologue being 'missing', setting up of a stack frame is not required at all, infact its totally unneeded for most functions, thus the stack allocation is the prologue, the only functions that really need stack frames are untrusted 'naked' assembly functions or those that do unpredictable changes to the stack.

solution3
 3 ACCPTED  2011-04-25 19:22:04

That's not actually a IAT/PLT call, it's a call to another function in the same file. The file probably has had its internal symbol stripped, and objdump displays all addresses as the last defined symbol before the address + an offset. With no internal symbols, this will hit the last plt-linked function, since the plt section comes before text.

So, the displayed name is just bogus and can be ignored.

solution4
 1  2011-04-23 18:16:23

Allocating stack space is the function prologue, no? How do you know that's not the beginning of the exit function? .text is totally fine since that is where code lives. (plt just refers to "program list table".)

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question reverse engineering c programs Reverse Engineering a recursive function Reverse engineering - compile with debug info Reverse engineering assembly code to C Protecting executable from reverse engineering? reverse engineering in C; bomb lab ARM reverse engineering ROM dump fgets exploit - reverse engineering with IDA Reverse engineering to get CRC16 Polynomial Reverse engineering from c code to sequence chart
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM