Function calling
Lutz Boehne
lboehne at damogran.de
Tue Apr 4 10:14:35 UTC 2006
Hi,
> But when the program uses the libc I have more RETs than calls ...
> What's a good way to find function calls and returns?
I'm doing something similar at the moment, utilizing the Branch Single
Stepping feature available in most x86 CPUs, and came across that same problem.
While debugging the issue, I found out that the dynamic linker "calls"
requested functions by returning to them. I believe this is done because this
is a (the only) generic way to "call" a variable address without destroying
register contents. Any further info or a confirmation of that guess would be
much appreciated.
--- the code in /usr/src/libexec/rtld-elf/i386/rtld_start.S:
/*
 * Binder entry point. Control is transferred to here by code in the PLT.
 * On entry, there are two arguments on the stack. In ascending address
 * order, they are (1) "obj", a pointer to the calling object's Obj_Entry,
 * and (2) "reloff", the byte offset of the appropriate relocation entry
 * in the PLT relocation table.
 *
 * We are careful to preserve all registers, even the caller-save
 * registers. That is because this code may be invoked by low-level
 * assembly-language code that is not ABI-compliant.
 */
	.align	4
	.globl	_rtld_bind_start
	.type	_rtld_bind_start,@function
_rtld_bind_start:
	pushf				# Save eflags
	pushl	%eax			# Save %eax
	pushl	%edx			# Save %edx
	pushl	%ecx			# Save %ecx
	pushl	20(%esp)		# Copy reloff argument
	pushl	20(%esp)		# Copy obj argument
	call	_rtld_bind@PLT		# Transfer control to the binder
	/* Now %eax contains the entry point of the function being called. */
	addl	$8,%esp			# Discard binder arguments
	movl	%eax,20(%esp)		# Store target over obj argument
	popl	%ecx			# Restore %ecx
	popl	%edx			# Restore %edx
	popl	%eax			# Restore %eax
	popf				# Restore eflags
	leal	4(%esp),%esp		# Discard reloff, do not change eflags
	ret				# "Return" to target address
---
Lutz
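To make the observation above usable when post-processing a branch trace, here is an added example that is not part of the original mail or of FreeBSD's rtld. It pairs call and ret records against a shadow stack of expected return addresses and flags a ret whose target matches nothing that was pushed as "ret-as-call", which is exactly how the final `ret` of _rtld_bind_start shows up: the PLT call's return address stays pending on the shadow stack until the resolved function itself returns to it. The trace record format, the `fallthrough` field (the address after the call instruction, which a branch-step tracer has to compute from the instruction length) and every address below are constructed for the example.

```python
"""Pair call/ret records from a branch trace, flagging "calls" made via ret.

Added example, not code from the original mail or from FreeBSD's rtld.
The trace format and all addresses below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Branch:
    kind: str            # "call" or "ret"
    src: int             # address of the branch instruction
    dst: int             # address it transferred control to
    fallthrough: int = 0 # calls only: next instruction, i.e. the pushed return address


def classify(trace):
    """Walk the trace with a shadow stack of expected return addresses.

    Returns (events, leftover): events is a list of (kind, src, dst) with kind
      "call"         a call; its return address is pushed on the shadow stack
      "ret"          a ret whose target is the pending return address
      "ret-unwind"   a ret whose target is deeper on the shadow stack
      "ret-as-call"  a ret whose target matches nothing pushed: control was
                     transferred by returning, as _rtld_bind_start does
    leftover is whatever is still on the shadow stack when the trace ends.
    """
    shadow = []
    events = []
    for b in trace:
        if b.kind == "call":
            shadow.append(b.fallthrough)
            events.append(("call", b.src, b.dst))
        elif b.kind == "ret":
            if shadow and shadow[-1] == b.dst:
                shadow.pop()
                events.append(("ret", b.src, b.dst))
            elif b.dst in shadow:
                # frames above the matching return address were skipped
                while shadow.pop() != b.dst:
                    pass
                events.append(("ret-unwind", b.src, b.dst))
            else:
                events.append(("ret-as-call", b.src, b.dst))
        else:
            raise ValueError(f"unknown branch kind {b.kind!r}")
    return events, shadow


def summarize(events):
    """Tally event kinds; a naive call/ret count shows more rets than calls."""
    return Counter(kind for kind, _, _ in events)


# Constructed trace of one lazily bound call through the PLT (addresses invented):
# main calls the PLT slot; the PLT jmps (not call/ret, so not recorded) land in
# _rtld_bind_start, which calls _rtld_bind, then "returns" into the resolved
# function; that function finally returns to main.
MAIN_CALL, MAIN_AFTER = 0x08048410, 0x08048415
PLT_SLOT = 0x080482F0
BIND_START_CALL, BIND_START_AFTER = 0x28070314, 0x28070319
BIND_START_RET = 0x28070327
RTLD_BIND, RTLD_BIND_RET = 0x28072000, 0x280720A7
TARGET, TARGET_RET = 0x28110500, 0x2811053C

SAMPLE_TRACE = [
    Branch("call", MAIN_CALL, PLT_SLOT, MAIN_AFTER),
    Branch("call", BIND_START_CALL, RTLD_BIND, BIND_START_AFTER),
    Branch("ret", RTLD_BIND_RET, BIND_START_AFTER),
    Branch("ret", BIND_START_RET, TARGET),   # the "ret" that is really a call
    Branch("ret", TARGET_RET, MAIN_AFTER),
]

if __name__ == "__main__":
    evs, left = classify(SAMPLE_TRACE)
    for kind, src, dst in evs:
        print(f"{kind:12s} {src:#010x} -> {dst:#010x}")
    print(dict(summarize(evs)), "unmatched frames:", left)
```

Run stand-alone it prints two calls and three rets, one of them classified as ret-as-call; the shadow stack ends empty, which is the check that the pairing is consistent. Any ret that lands on neither the pending return address nor a deeper one is worth a second look in a real trace: besides lazy binding it is how a retsled or a ROP chain transfers control.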