Search⌘ K
Home
Courses
Debugging, Disassembly & Reversing in Linux for x64 Architecture

A Disassembly Project with Function and Stack

Explore how to disassemble C++ programs and analyze function parameters and stack usage using GDB. Learn to set breakpoints, examine register contents, and understand parameter-passing mechanisms in x64 Linux architecture for better debugging and memory analysis.

We'll cover the following...

Project disassembled code with comments

Here is the commented code disassembly of main with memory addresses removed for visual clarity.

Assembly (GAS x86)
push %rbp              # establishing stack frame
mov %rsp,%rbp
sub $0x20,%rsp         # creating stack frame for local variables
                       #    and function parameters
mov %edi,-0x14(%rbp)   # saving the first main parameter
mov %rsi,-0x20(%rbp)   # saving the second main parameter
mov $0x1,%esi          # setting the second parameter for
                       # arithmetic function
mov $0x1,%edi          # setting the first parameter for arithmetic
                       # function
callq 0x55555555514d <_Z10arithmeticii>
mov %eax,-0x4(%rbp)    # setting the result local variable
mov $0x0,%eax          # main should return 0
leaveq                 # restoring the previous stack pointer
                       # and stack frame, equivalent to
                       # mov %rbp, %rsp
                       # pop %rbp
retq                   # return from main

Below is the commented disassembly of the arithmetic function, with memory addresses removed for visual clarity.

Assembly (GAS x86)
push %rbp              # establishing stack frame
mov %rsp,%rbp
mov %edi,-0x4(%rbp)    # saving the first arithmetic parameter (a)
mov %esi,-0x8(%rbp)    # saving the second arithmetic parameter (b)
mov -0x4(%rbp),%eax    # (a) -> eax
add %eax,-0x8(%rbp)    # eax + (b) -> (b)
addl $0x1,-0x4(%rbp)   # 1 + (a) -> (a)
mov -0x8(%rbp),%eax    # (b) -> eax
imul -0x4(%rbp),%eax   # (a) * eax -> eax
mov %eax,-0x8(%rbp)    # eax -> (b)
mov -0x8(%rbp),%eax    # (b) -> eax
pop %rbp               # restoring the previous stack frame
                       # no need to restore stack pointer as
                       # it didn’t change
retq                   # result value is in eax

We can put a breakpoint on the first arithmetic calculation’s address and examine the raw stack data pointed to by the %RBP register:

gcc FunctionParameters.cpp Arithmetic.cpp -o FunctionParameters 
gdb ./FunctionParameters

After executing and loading the program, we get into the GDB container:

We create the breakpoint of the programs with the break main command:

break main

The breakpoint ...