I would like to get the operand of an i386 instruction that is executed in my QEMU guest. for example ,I'd like to get the operand0x400400 of 40053a:e8 c1 fe ff ff callq 400400 <puts#plt> ,But it seems that I can not find the C function used to get the operand.
Related
I'm relying on broadcasting in the following element-by-element multiplication of a 2x2x2 matrix by a 1x2 matrix (broadcasting means the smaller matrix is repeated as many times as necessary to match the size of the larger one - see end for more explanation). One command gives a "nonconformant arguments" error when in a script run from the octave command line. But exactly the same command runs fine if typed at the octave command line.
Occasionally, the script doesn't give the error, but I haven't worked out exactly what arrangement the Universe has to be in to avoid the error (see later) -- whatever, running it within a script is as robust as a cheap garden strimmer.
I give a workround below, but I'd like to understand what's behind this error.
Here's my script file mwe_bcast.m:
# Minimum working example of broadcasting an element-by-element multiplication.
# The last line errors when run from octave as a script,
# but not when typed at the octave command line.
clear
test = [0,1;2,3];
test(:,:,2) = 3 - test;
test .*= 2;
factors = [1,2;3,4];
test .*= factors(1,:)
But here's the error when run as a script:
>> mwe_bcast
error: mwe_bcast: .*=: nonconformant arguments (op1 is 2x2x2, op2 is 1x2)
error: called from
mwe_bcast at line 9 column 6
Nonetheless, when I then type the last line at the command line there is no error, and the following output shows that the broadcasting has worked as expected:
>> test .*= factors(1,:)
test =
ans(:,:,1) =
0 4
4 12
ans(:,:,2) =
6 8
2 0
Even weirder: I checked whether this is repeatable after restarting octave. It is and it isn't! Sometimes, if I run the script any amount of times straight after starting octave (after just a cd to the appropriate directory), it runs without errors. But as soon as I edit the script in any way (just changing a comment, and sometimes even just opening it in the octave editor), then re-run the script, I get the error. But, other times, I get the error the first time I run the script after restarting octave.
Workround: I get no error from the script if I don't use the abbreviated assignment (.*=) for this broadcast element-by-element multiplication, i.e. replace the last line with:
test = test .* factors(1,:);
However, just as weirdly, note that the earlier use of .*= in the script to multiply the same matrix by a scalar always works without an error, even though it also relies on broadcasting.
Explanation of broadcasting: Essentially, the last line multiplies the matrix
test(:,:,1) = 0,1
2,3
test(:,:,2) = 3,2
1,0
element-by-element by [1,2] which broadcasts as if it were the matrix:
factors(:,:,1) = 1,2
1,2
factors(:,:,2) = 1,2
1,2
System:
GNU Octave, version 5.2.0
Ubuntu 20.04 LTE
Linux 5.15
I need to draw and label contours of data given on a Delaunay grid. The function tricontour, part of the apparently no longer supported plot pkg, cannot do this, because the function returns a single argument (h):
pkg load plot
nx=ny=11;
[x,y]=ndgrid(linspace(-1,1,nx),linspace(-1,1,ny));
xp=[x(:),y(:)];
tp=[1,2,nx+1;nx+2,nx+1,2];
tp=kron(tp,ones(ny-1,1))+kron(ones(size(tp)),(0:ny-2)'*nx);
tp=kron(tp,ones(nx-1,1))+kron(ones(size(tp)),(0:nx-2)');
G=xp(:,1)+xp(:,2);
h=tricontour(tp,xp(:,1),xp(:,2),G,[-1:.5:1],'b');
[h]=clabel(c,h,[-4:2:6])
This MWE fails with
error: 'c' undefined near line 10 column 12
error: called from
Testricontourlabel at line 10 column 4
The matlab version of this function returns both c and h, and so is compatible with the matlab version of clabel.
Any ideas for a work around?
I've got a binary that I've disassembled into viewable assembly in gdb. However, I'd like to see the actual binary of each instruction (i.e. the actual instruction in whatever instruction format it is actually issued to the CPU in). Is there a way to input the address of an instruction and see that instruction in binary?
I tried p /t 0x-------- for whatever address, but it decoded the address itself into binary.
I tried the same, but with $0x--------, this produced a "Value can't be converted to integer" error.
I'd just like to be able to see an instruction such as lwi or ori at a given address, such as 0x00000300, in binary as gdb is seeing it.
You are looking for disassemble/r 0x....
From the manual:
print the raw instructions in hex as well as in symbolic
form by specifying the /r modifier.
Update:
I can see, in layout asm, the assembly instructions obtained from my binary. But running the disassemble command on its own does not allow me to see anything, as it says "No function contains specified address."
So your binary is stripped (or at least GDB doesn't know where the nearest function is).
The solution is to disassemble just the instruction you are interested in. For example:
(gdb) disas 0x0000555555556d60
No function contains specified address.
(gdb) disas 0x0000555555556d60,+1
Dump of assembler code from 0x555555556d60 to 0x555555556d61:
0x0000555555556d60: mov %edi,%eax
End of assembler dump.
(gdb) disas/r 0x0000555555556d60,+1
Dump of assembler code from 0x555555556d60 to 0x555555556d61:
0x0000555555556d60: 89 f8 mov %edi,%eax
End of assembler dump.
I found the solution, it was to write the following command:
p /x *[hex address]
So for example:
p /x *0x00000300
For a simple test case for my compiler project, I'm trying to divide 88 by 11, but when I call idivq my program throws a Floating Point Exception. Here is the relevant section of generated code where the exception occurs:
# push 88
movq $88,%r10
# push 11
movq $11,%r13
# \
movq %r10,%rax
idivq %r13
I have looked up examples of how to use div, and I thought I was following the same format, so I don't understand why I am getting an exception.
idiv concatenates rdx and rax before performing the division (that is, it is actually 128-bit division). If you want to do single-word division, put a zero in rdx. What you're getting is not an FP exception, but an integer overflow exception: there's something left over in rdx which is making the quotient too big to fit in the destination register.
I'm currently analyzing a program I wrote in assembly and was thinking about moving some code around in the assembly. I have a procedure which takes one argument, but I'm not sure if it is passed on the stack or a register.
When I open my program in IDA Pro, the first line in the procedure is:
ThreadID= dword ptr -4
If I hover my cursor over the declaration, the following also appears:
ThreadID dd ?
r db 4 dup(?)
which I would assume would point to a stack variable?
When I open the same program in OllyDbg however, at this spot on the stack there is a large value, which would be inconsistent with any parameter that could have been passed, leading me to believe that it is passed in a register.
Can anyone point me in the right direction?
The way arguments are passed to a function depends on the function's calling convention. The default calling convention depends on the language, compiler and architecture.
I can't say anything for sure with the information you provided, however you shouldn't forget that assembly-level debuggers like OllyDbg and disassemblers like IDA often use heuristics to reverse-engineer the program. The best way to study the code generated by the compiler is to instruct it to write assembly listings. Most compilers have an option to do this.
It is a local variable for sure. To check out arguments look for [esp+XXX] values. IDA names those [esp+arg_XXX] automatically.
.text:0100346A sub_100346A proc near ; CODE XREF: sub_100347C+44p
.text:0100346A ; sub_100367A+C6p ...
.text:0100346A
.text:0100346A arg_0 = dword ptr 4
.text:0100346A
.text:0100346A mov eax, [esp+arg_0]
.text:0100346E add dword_1005194, eax
.text:01003474 call sub_1002801
.text:01003474
.text:01003479 retn 4
.text:01003479
.text:01003479 sub_100346A endp
And fastcall convention as was outlined in comment above uses registers to pass arguments. I'd bet on Microsoft or GCC compiler as they are more widely used. So check out ECX and EDX registers first.
Microsoft or GCC [2] __fastcall[3]
convention (aka __msfastcall) passes
the first two arguments (evaluated
left to right) that fit into ECX and
EDX. Remaining arguments are pushed
onto the stack from right to left.
http://en.wikipedia.org/wiki/X86_calling_conventions#fastcall