This is an example copypasted from wikibooks (AT&T syntax), it just prints 'hello' string in Linux x64:
.text movq $1, %rax # `write` [fast] syscall movq $1, %rdi # stdout leaq .LC0, %rsi # offset movq $6, %rdx # write n characters syscall movq $60, %rax # `_exit` [fast] syscall movq $0, %rdi # error code 0 syscall .LC0: .string "hello\n"
Compile and run in Ubuntu Linux x64:
as test.s -o test.o ld test.o -o test
So far so good. It's a good exercise -- devise such a code that will print 'hello' no matter, at what address the code was loaded into memory.
If you don't know the address of 'hello' string, how can you pass it? One idea is to pass the string via stack, byte-by-byte.
.text .globl main main: # % echo hello, world! | xxd -g 1 # 00000000: 68 65 6c 6c 6f 2c 20 77 6f 72 6c 64 21 0a hello, world!. movq $0x00000a21646c726f, %rax # second half of the string push %rax movq $0x77202c6f6c6c6568, %rax # first half of the string push %rax movq %rsp, %rsi # RSI now points to the string, placed in stack movq $1, %rax # `write` [fast] syscall movq $1, %rdi # stdout movq $15, %rdx # write 15 characters syscall # get stack pointer back # may be omitted, because we exit anyway # pop %rax # pop %rax movq $60, %rax # `_exit` [fast] syscall movq $0, %rdi # error code 0 syscall
This piece of code doesn't care at what address it is loaded, it will print the string.
This technique was quite common (or still is?) in shellcodes, when you just never know at which address your code will be located.
This is important thing to understand about stack. Printing function in userland or kernel or wherever it is, doesn't care, where your string is located, in code/text section, in data section, or in stack. As long as the string is readable, it will be printed.
Another popular method is a CALL/POP pair of instructions:
.text call next next: pop %rbp # RBP at this point contains address of the 'next' label or POP instruction # difference between 'next' label and the address of the string: movq $(.LC0 - next), %rsi # add difference to the address of the 'next' label: addq %rbp, %rsi # RSI now points to the string movq $1, %rax # `write` [fast] syscall movq $1, %rdi # stdout movq $7, %rdx # write 7 characters syscall movq $60, %rax # `_exit` [fast] syscall movq $0, %rdi # error code 0 syscall .LC0: .string "hello\n"
CALL uses relative address, so, no matter where it is loaded, it will always jump to the next instruction. The subsequent POP instruction does two things at once: writing its address to RBP register, but also cancels effect of CALL, returning stack pointer back, to the state it was before executing CALL.
Let's see compiled executable's contents using objdump:
% objdump -D file.o 0000000000000000
: 0: e8 00 00 00 00 callq 5 0000000000000005 : 5: 5d pop %rbp 6: 48 c7 c6 32 00 00 00 mov $0x32,%rsi d: 48 01 ee add %rbp,%rsi 10: 48 c7 c0 01 00 00 00 mov $0x1,%rax 17: 48 c7 c7 01 00 00 00 mov $0x1,%rdi 1e: 48 c7 c2 07 00 00 00 mov $0x7,%rdx 25: 0f 05 syscall 27: 48 c7 c0 3c 00 00 00 mov $0x3c,%rax 2e: 48 c7 c7 00 00 00 00 mov $0x0,%rdi 35: 0f 05 syscall 37: 68 65 6c 6c 6f pushq $0x6f6c6c65 # 'hello' string 3c: 0a 00 or (%rax),%al
You see the opcode of 'CALL next' instruction? It's E8 00 00 00 00, i.e., relative address is zero (CALL opcode is 0xE8). So zero is added to the address of the next instruction, and jump to that point is occurred, effectively, calling the 'function' at the next instruction.
0x32 is the difference between 'next' label and the 'hello' string, in bytes.
This is a real piece of code from 1990s. It is a copy-protection dongle (HASP) emulator. It was intended to be compiled as a flat binary (COM-file for MS-DOS) and embedded in place of the original HASP driver (by overwriting) inside of a random executable. You see, it has a memory map in it, and it uses such a technique to determine the table's address, as well as other variables:
.386c hasp_krn segment byte public use32 assume cs:hasp_krn ; HASP Kernel entry point hasp_entry: cmp bh,0 jne l001 jmp NoService l001: cmp bh,1 jne l002 jmp IsHASP l002: cmp bh,2 jne l003 jmp HASPCode l003: cmp bh,3 jne l004 jmp ReadMemo l004: cmp bh,4 jne l005 jmp WriteMemo l005: cmp bh,5 jne l006 jmp HASPStatus l006: cmp bh,6 jne NoService jmp HASPID NoService: mov cx,0FC19h ; Invalid Service ... retn HASPStatus: mov ax,112 ; Memory Size mov bx,1 ; MemoHASP R3 ? mov cx,1 ; LPT1 retn IsHASP: mov ax,1 ; It's a really HASP ! retn HASPCode: call @@SeedIP @@SeedIP: pop ebp Seed$Rel = offset @@SeedIP lea si, offset Register + [ebp] - Seed$Rel lea di, offset Base_Seq + [ebp] - Seed$Rel mov ch, 07 @@ByteLoop: mov cl, 07 mov [si], byte ptr 0 @@BitLoop: xor dx, dx mov bx, 1989h ; First mul bx add ax, 5 push ax shr ax, 9 and ax, 3Fh mov bx, ax shr bx, 3 mov dl, byte ptr [di+bx] mov bx, ax shr bx, 3 shl bx, 3 sub ax, bx xchg ax, cx shl dl, cl xchg ax, cx shr dl, 7 shl dl, cl mov al, [si] or al, dl mov [si], al pop ax dec cl jns @@BitLoop inc si dec ch jns @@ByteLoop mov dx, [si-2] mov cx, [si-4] mov bx, [si-6] mov ax, [si-8] retn ReadMemo: call @@MemoIP @@MemoIP: pop ebp Memo$Rel = offset @@MemoIP lea ebx, offset HASP_Memo + [ebp] - Memo$Rel shl edi, 1 movzx ebx, word ptr [ebx+edi] shr edi, 1 mov eax, edi xor ecx,ecx retn WriteMemo: call @@MemoIP1 @@MemoIP1: pop ebp Memo$Rel1 = offset @@MemoIP1 lea ebx, offset HASP_Memo + [ebp] - Memo$Rel1 shl edi, 1 mov word ptr [ebx+edi], si shr edi, 1 mov eax, edi xor ecx,ecx retn HASPID: call @@IDIP @@IDIP: pop ebp ID$Rel = offset @@IDIP lea di, offset HASP_ID + [ebp] - ID$Rel mov ax, [di] mov bx, [di+2] xor ecx,ecx retn Register: dw 4 dup (0) ; used while seedcodes calc ; Here is dump of HASP PSW1: dw 0FFFFh ; 1st Password PSW2: dw 0FFFFh ; 2nd Password Base_Seq: db 11000100b ; Seed codes ... :( db 11011011b db 11100100b db 11111011b db 10000100b db 10011011b db 10100100b db 10111011b HASP_ID: dw 00000h, 01234h ; S/n ; --- Real Hardware memory HASP_Chunk: db 12 dup (0FFh) ; Future use ? :) HASP_Memo: ; Logical memory dw 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh dw 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh dw 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh dw 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh dw 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh dw 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh dw 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh, 0FFFFh hasp_krn ends end HASP_Entry
See in my book: Ctrl-F: "Position-independent code".
List of my other blog posts. My company.
Yes, I know about these lousy Disqus ads. Please use adblocker. I would consider to subscribe to 'pro' version of Disqus if the signal/noise ratio in comments would be good enough.