C pointers, assembler and GDB

Idea here is to do some multitasking, find out how C pointer looks like in assembler and use Linux system calls, GCC and GDB. We start with Hello World:

int main() { char *c = "Hello World!\n"; write(1, c, 13); return 0; }

Execute man 2 write in terminal to find out more about write, 1 is standard output and 12 is number of bytes to be written. I saved it as hello.c and this is how it was compiled:

gcc -O0 -m64 -save-temps -o hlo hello.c

GCC will emit assembly code as temp, I like 64 bit version and no optimizations. Content of temp file is:

.file "hello.c" .section .rodata .LC0: .string "Hello World!\n" .text .globl main .type main, @function main: .LFB0: .cfi_startproc pushq %rbp .cfi_def_cfa_offset 16 .cfi_offset 6, -16 movq %rsp, %rbp .cfi_def_cfa_register 6 subq $16, %rsp movq $.LC0, -8(%rbp) movq -8(%rbp), %rax movl $13, %edx movq %rax, %rsi movl $1, %edi movl $0, %eax call write movl $0, %eax leave .cfi_def_cfa 7, 8 ret .cfi_endproc .LFE0: .size main, .-main .ident "GCC: (Debian 4.7.2-5) 4.7.2" .section .note.GNU-stack,"",@progbits

It pushes base pointer onto stack, there is q at the end of the push and bp is called rbp, so it must be 64 bit code. Loads string into memory, later into rax, prepares call to write and so on. Now we take that temp file and compile it with -g switch so that we can use GDB.

gcc -g -O0 -o hlo hello.s
gdb hlo

We type in start at prompt and here is the GDB session:

Temporary breakpoint 1, main () at hello.s:16 16 subq $16, %rsp (gdb) n 17 movq $.LC0, -8(%rbp) (gdb) i r rbp rbp 0x7fffffffe360 0x7fffffffe360 (gdb) x 0x7fffffffe358 0x7fffffffe358: 0x00000000 (gdb) n 18 movq -8(%rbp), %rax (gdb) x 0x7fffffffe358 0x7fffffffe358: 0x004005ec (gdb) x/13c 0x004005ec 0x4005ec: 72 'H' 101 'e' 108 'l' 108 'l' 111 'o' 32 ' ' 87 'W' 111 'o' 0x4005f4: 114 'r' 108 'l' 100 'd' 33 '!' 10 '\n'

Label .LCO is our string, -8(%rbp) is where pointer is. After info registers in short form, I also restricted info to rbp, I find out that rbp points to  0x7fffffffe360 and at  0x7fffffffe360 - 8 = 0x7fffffffe358 is our pointer. No, 0x60 - 8 is not 0x52. After we send next instruction and line 17 is executed we can see our string in memory, slash 13 c is we want 13 characters from that address.
Since write is Linux system call, we can use strace to see what is going on.

strace -tt ./hlo 08:13:04.407694 execve("./hlo", ["./hlo"], [/* 37 vars */]) = 0 ... 08:13:04.412892 write(1, "Hello World!\n", 13Hello World! ) = 13 08:13:04.413108 exit_group(0) = ?

After quite few lines were replaced with three consecutive dots we see that we managed to write all 13 characters to standard output.
Using system calls is so easy that one may even attempt writing to real file:

#include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> int main() { char *c = "Hello World!\n"; int fd; fd = open("deleteme.blog", O_WRONLY | O_CREAT | O_TRUNC | O_APPEND, S_IRUSR | S_IWUSR); if (fd == -1){ write(1, "Open failed!", 12); return 1; } if(write(fd, c, 13)!=13) write(1, "Write failed!", 13); if(close(fd)==-1){ write(1, "Close failed!", 13); return 1; } return 0; }

We added more system calls. We applied common flags and modes in open, checked for all possible errors, after writing string to file we have closed file. If we compile it using

gcc -O0 -m64 -save-temps -o hello2 hello.c

We have binary and also assembly code. With help of strace

strace -tt ./hello2 09:24:49.906151 execve("./hello2", ["./hello2"], [/* 37 vars */]) = 0 ... 09:24:49.911601 open("deleteme.blog", O_WRONLY|O_CREAT|O_TRUNC|O_APPEND, 0600) = 3 09:24:49.911842 write(3, "Hello World!\n", 13) = 13 09:24:49.912018 close(3) = 0 09:24:49.912386 exit_group(0) = ?

Executing cat deleteme.blog we see that write really worked and strace didn't cheat. Examining assembly code will be interesting to those who are curious how if works on low level. Finally every project manager will take a note that from 08:13:04.407694 to 09:24:49.906151 I have written only 21 line of code.