I have installed gdp-peda which will help to understand the disassembly better.
So first of all I set the disassembly to intel flavor using the following command:
$ set disassembly-flavor intel
After this I used the command disas main to disassemble the main function.
Now let’s set a breakpoint to the main function, this simply means that here we told the gdb to stop the execution whenever it hits the main function and after that we will analyze different registers. We have set the breakpoint, now let’s run the program.
As you can see in the above image there are so many registers and each register has its own purpose. Let’s understand them one by one.
We start with EBP i.e. Base pointer, EBP points to the higher memory address at the bottom of stack and as far as I have studied about this register, it generally stores the ESP, which means the top of the stack keeps changing (esp). So to perform some operations we can store esp in ebp using the mov instruction:
mov ebp, esp
This register points to the top of the stack and as the program adds data to the stack. It grows from higher memory address to lower memory address and as we know that different operations can be performed on the stack like push and pop, so accordingly the stack will grow and shrink.
This register points to the address of the next instruction to be executed. So in this particular example, EIP points to the address 0x565561b6 and what basically going to happen is when this instruction will be executed, the value 0x00 will be stored in the address [ebp-0xc], so let’s first analyze this memory address before execution of instruction.
gdb-peda$ print $ebp-0xc $1 = (void *) 0xffffd1bc gdb-peda$ x/b $1 0xffffd1bc: 0x0d
As you can see that currently this memory address is holding some random value. Now by using the command nexti, we are going to execute the instruction.
As you can see in the above image that the EIP is now pointing to the memory address 0x565561bd. Earlier we have examined the address [ebp -0xc] before the execution and now let’s examine it after the execution (It should contain the value 0x00 instead of 0x0d, please verify it by yourself.)
The next instruction to be executed looks something like:
0x000011bd <+36>: jmp 0x11d5 <main+60>
So now let us try to understand this instruction. Here we can see JMP is used, this means that now the program flow will be directed to the memory address 0x565561d5. Now by using the command nexti we can execute this instruction and now program flow will be directed to the specified address .
Okay, so That’s it for today, we will continue this program in the next article and will try to understand what this program is actually doing. I have shared the screenshot of the disassemble of main so you can also try yourself to understand this program.
I am a beginner in this field so if you find any mistakes or have any query, then please let me know, you can send an email to firstname.lastname@example.org.
NOTE: The awesome artwork used in this article was created by Sean Dockery.