Function calling

Nicolas Cormier n.cormier at gmail.com
Wed Apr 5 15:35:14 UTC 2006 

On 4/4/06, Lutz Boehne <lboehne at damogran.de> wrote:
> Hi,
>
> > But when the program uses the libc I have more RET than call ...
> > What's the good way to find function calls and return ?
>
> I'm doing something similar at the moment, utilizing the Branch Single
> Stepping feature available in most x86 CPUs and came across that same problem.
>
> While debugging the issue, I found out that the dynamic linker "calls"
> requested functions by returning to them. I believe this is done because this
> is a (the only) generic way to "call" a variable addresses without destroying
> register contents. Any further info or a confirmation of that guess would be
> much appreciated.
>
> --- the code in /usr/src/libexec/rtld-elf/i386/rtld_start.S:
> /*
>  * Binder entry point.  Control is transferred to here by code in the PLT.
>  * On entry, there are two arguments on the stack.  In ascending address
>  * order, they are (1) "obj", a pointer to the calling object's Obj_Entry,
>  * and (2) "reloff", the byte offset of the appropriate relocation entry
>  * in the PLT relocation table.
>  *
>  * We are careful to preserve all registers, even the the caller-save
>  * registers.  That is because this code may be invoked by low-level
>  * assembly-language code that is not ABI-compliant.
>  */
>         .align  4
>         .globl  _rtld_bind_start
>         .type   _rtld_bind_start, at function
> _rtld_bind_start:
>         pushf                           # Save eflags
>         pushl   %eax                    # Save %eax
>         pushl   %edx                    # Save %edx
>         pushl   %ecx                    # Save %ecx
>         pushl   20(%esp)                # Copy reloff argument
>         pushl   20(%esp)                # Copy obj argument
>
>         call    _rtld_bind at PLT          # Transfer control to the binder
>         /* Now %eax contains the entry point of the function being called. */
>
>         addl    $8,%esp                 # Discard binder arguments
>         movl    %eax,20(%esp)           # Store target over obj argument
>         popl    %ecx                    # Restore %ecx
>         popl    %edx                    # Restore %edx
>         popl    %eax                    # Restore %eax
>         popf                            # Restore eflags
>         leal    4(%esp),%esp            # Discard reloff, do not change eflags
>         ret                             # "Return" to target address
> ---
>
> Lutz
>
>
>

Thanks for your answer, it's more difficult than I thought :(

More information about the freebsd-hackers mailing list