I'm trying to understand a little code:
jg 0x00000047
dec esp
inc esi
add [ecx],eax
What is the value of eax? These are the first four sentences of the program and I don't know if there is a default value or if the previous sentences add something to eax.
My OS is Linux and the executable is compiled with gcc 4.3 from C source code (gcc file.c exec).
The “register” keyword is used to declare register variables. Scope: they are local to the function. Default value: the default initialized value is a garbage value.
The initial default value of the register local variables is 0. The register keyword is used for a variable that should be stored in a CPU register.
A register may hold an instruction, a storage address, or any kind of data (such as a bit sequence or individual characters).
Yes, it is quite common to pack multiple values into a single register. The mmx and xmm (incl. ymm and zmm) registers are specifically designed for this.
Depends on the platform, language, and/or calling convention. But yeah, the code before this normally should have set EAX to some value. EAX is one of those registers that's modified so often that it's not normally used for keeping stuff around in.
The instructions look kinda random. In particular, the "dec esp" is normally a huge no-no, as the stack should always be dword-aligned. Are you sure this is actual code? The instruction bytes translate to "\x7fELF" if I'm translating right, which suggests to me that this is just the header bytes of a Linux program, not actual code bytes.
I think what you are really asking about is calling convention, which describes how subroutines in a program pass information to one another, and how the operating system passes information to the program, and in general what the different registers are supposed to mean.
For example, the cdecl calling convention on the x86, which is used by most C compilers, says that when a function returns, the return value goes in the eax register. So if you have a function int foo(), you know that after foo executes its ret opcode, eax will contain the int that foo returned.
By contrast, the PowerPC processor (usually) has (at least) 32 registers, simply named r0, r1, ... r31. The AIX calling convention for this chip says that the stack pointer goes on r1, that function parameters get passed on r3 through r11, that return values come back on r3, and so on.
It is important to remember that a calling convention is sort of like an agreement between the functions in a program, or between libraries. It isn't part of the hardware, or a law, and there are usually many different calling conventions that may be used on a platform. This is why sometimes you will see code like
struct CFoo { void __stdcall method(); };
That is an instruction to MSVC, which usually likes to use the fastcall convention, telling it to use a different convention for that one function. This is important if, e.g., the function is defined in a library that was built by some other compiler which uses stdcall instead.
When we talk about how the operating system passes information to a program (or the hardware to the operating system), we usually call it an ABI instead of a calling convention, but it is the same idea. So in the case of your program, it was written assuming that the OS would pass it some particular piece of information on eax. That assumption would be particular to the operating system, the compiler, and possibly even the individual program.