How to analyze the indirect jump in assembly code












0















I am a beginner of C and assembly code who currently working on an assembly project. However, I meet some problem with the indirect jump instruction.



The jmp instruction line is:



4006a6: ff 24 c5 50 08 40 00    jmpq   *0x400850(,%rax,8)


When I go to 400850, the line is:



400850: ad                      lods   %ds:(%rsi),%eax
400851: 06 (bad)
400852: 40 00 00 add %al,(%rax)
400855: 00 00 add %al,(%rax)
400857: 00 b3 06 40 00 00 add %dh,0x4006(%rbx)
40085d: 00 00 add %al,(%rax)
40085f: 00 bc 06 40 00 00 00 add %bh,0x40(%rsi,%rax,1)


Based on what I've learned, I should look at the address that stored in 400850 + 8 * rax, and jumps to that address to see instruction and do the specific operation. For example, if rax = 1, I should look at the address stored in 400858, but I cannot find 400858, and I also don't know what are the value such as "ab" mean, is it an address?



By the way, I believe this indirect jump represents an switch condition in the C code.










share|improve this question




















  • 1





    Start with 400857 and skip the first byte: b3 06 40 00, i.e. 004006b3 as a 32-bit little-endian (least significant first) word. It's often easier to look at a hex dump than disassembly when looking at data not code.

    – Rup
    Nov 15 '18 at 19:49













  • @zx485: it's not code, it's data (pointers). You don't want to disassemble from 0x400858 either.

    – Peter Cordes
    Nov 15 '18 at 19:59











  • 0x400850 contains data, not code. Pointers to code, 8 bytes each. A switch/case statement is often compiled that way, each pointer in the table points to the case statement.

    – Hans Passant
    Nov 15 '18 at 20:00
















0















I am a beginner of C and assembly code who currently working on an assembly project. However, I meet some problem with the indirect jump instruction.



The jmp instruction line is:



4006a6: ff 24 c5 50 08 40 00    jmpq   *0x400850(,%rax,8)


When I go to 400850, the line is:



400850: ad                      lods   %ds:(%rsi),%eax
400851: 06 (bad)
400852: 40 00 00 add %al,(%rax)
400855: 00 00 add %al,(%rax)
400857: 00 b3 06 40 00 00 add %dh,0x4006(%rbx)
40085d: 00 00 add %al,(%rax)
40085f: 00 bc 06 40 00 00 00 add %bh,0x40(%rsi,%rax,1)


Based on what I've learned, I should look at the address that stored in 400850 + 8 * rax, and jumps to that address to see instruction and do the specific operation. For example, if rax = 1, I should look at the address stored in 400858, but I cannot find 400858, and I also don't know what are the value such as "ab" mean, is it an address?



By the way, I believe this indirect jump represents an switch condition in the C code.










share|improve this question




















  • 1





    Start with 400857 and skip the first byte: b3 06 40 00, i.e. 004006b3 as a 32-bit little-endian (least significant first) word. It's often easier to look at a hex dump than disassembly when looking at data not code.

    – Rup
    Nov 15 '18 at 19:49













  • @zx485: it's not code, it's data (pointers). You don't want to disassemble from 0x400858 either.

    – Peter Cordes
    Nov 15 '18 at 19:59











  • 0x400850 contains data, not code. Pointers to code, 8 bytes each. A switch/case statement is often compiled that way, each pointer in the table points to the case statement.

    – Hans Passant
    Nov 15 '18 at 20:00














0












0








0


1






I am a beginner of C and assembly code who currently working on an assembly project. However, I meet some problem with the indirect jump instruction.



The jmp instruction line is:



4006a6: ff 24 c5 50 08 40 00    jmpq   *0x400850(,%rax,8)


When I go to 400850, the line is:



400850: ad                      lods   %ds:(%rsi),%eax
400851: 06 (bad)
400852: 40 00 00 add %al,(%rax)
400855: 00 00 add %al,(%rax)
400857: 00 b3 06 40 00 00 add %dh,0x4006(%rbx)
40085d: 00 00 add %al,(%rax)
40085f: 00 bc 06 40 00 00 00 add %bh,0x40(%rsi,%rax,1)


Based on what I've learned, I should look at the address that stored in 400850 + 8 * rax, and jumps to that address to see instruction and do the specific operation. For example, if rax = 1, I should look at the address stored in 400858, but I cannot find 400858, and I also don't know what are the value such as "ab" mean, is it an address?



By the way, I believe this indirect jump represents an switch condition in the C code.










share|improve this question
















I am a beginner of C and assembly code who currently working on an assembly project. However, I meet some problem with the indirect jump instruction.



The jmp instruction line is:



4006a6: ff 24 c5 50 08 40 00    jmpq   *0x400850(,%rax,8)


When I go to 400850, the line is:



400850: ad                      lods   %ds:(%rsi),%eax
400851: 06 (bad)
400852: 40 00 00 add %al,(%rax)
400855: 00 00 add %al,(%rax)
400857: 00 b3 06 40 00 00 add %dh,0x4006(%rbx)
40085d: 00 00 add %al,(%rax)
40085f: 00 bc 06 40 00 00 00 add %bh,0x40(%rsi,%rax,1)


Based on what I've learned, I should look at the address that stored in 400850 + 8 * rax, and jumps to that address to see instruction and do the specific operation. For example, if rax = 1, I should look at the address stored in 400858, but I cannot find 400858, and I also don't know what are the value such as "ab" mean, is it an address?



By the way, I believe this indirect jump represents an switch condition in the C code.







assembly x86-64 reverse-engineering att objdump






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 15 '18 at 21:25









Peter Cordes

132k18201338




132k18201338










asked Nov 15 '18 at 19:46









AlotofSugarAlotofSugar

1




1








  • 1





    Start with 400857 and skip the first byte: b3 06 40 00, i.e. 004006b3 as a 32-bit little-endian (least significant first) word. It's often easier to look at a hex dump than disassembly when looking at data not code.

    – Rup
    Nov 15 '18 at 19:49













  • @zx485: it's not code, it's data (pointers). You don't want to disassemble from 0x400858 either.

    – Peter Cordes
    Nov 15 '18 at 19:59











  • 0x400850 contains data, not code. Pointers to code, 8 bytes each. A switch/case statement is often compiled that way, each pointer in the table points to the case statement.

    – Hans Passant
    Nov 15 '18 at 20:00














  • 1





    Start with 400857 and skip the first byte: b3 06 40 00, i.e. 004006b3 as a 32-bit little-endian (least significant first) word. It's often easier to look at a hex dump than disassembly when looking at data not code.

    – Rup
    Nov 15 '18 at 19:49













  • @zx485: it's not code, it's data (pointers). You don't want to disassemble from 0x400858 either.

    – Peter Cordes
    Nov 15 '18 at 19:59











  • 0x400850 contains data, not code. Pointers to code, 8 bytes each. A switch/case statement is often compiled that way, each pointer in the table points to the case statement.

    – Hans Passant
    Nov 15 '18 at 20:00








1




1





Start with 400857 and skip the first byte: b3 06 40 00, i.e. 004006b3 as a 32-bit little-endian (least significant first) word. It's often easier to look at a hex dump than disassembly when looking at data not code.

– Rup
Nov 15 '18 at 19:49







Start with 400857 and skip the first byte: b3 06 40 00, i.e. 004006b3 as a 32-bit little-endian (least significant first) word. It's often easier to look at a hex dump than disassembly when looking at data not code.

– Rup
Nov 15 '18 at 19:49















@zx485: it's not code, it's data (pointers). You don't want to disassemble from 0x400858 either.

– Peter Cordes
Nov 15 '18 at 19:59





@zx485: it's not code, it's data (pointers). You don't want to disassemble from 0x400858 either.

– Peter Cordes
Nov 15 '18 at 19:59













0x400850 contains data, not code. Pointers to code, 8 bytes each. A switch/case statement is often compiled that way, each pointer in the table points to the case statement.

– Hans Passant
Nov 15 '18 at 20:00





0x400850 contains data, not code. Pointers to code, 8 bytes each. A switch/case statement is often compiled that way, each pointer in the table points to the case statement.

– Hans Passant
Nov 15 '18 at 20:00












2 Answers
2






active

oldest

votes


















3














jmpq *0x400850(,%rax,8) is an indirect jmp indexing into a table of jump targets. Yes, it's probably compiler-generated from a switch statement.





You used objdump -D instead of objdump -s, so the output breaks the hexdump up into chunks according to nonsensical decoding as x86-64 instructions, not into qword addresses.



The format is



starting   machine code            disassembly
address hex byte(s) (AT&T syntax)

400850: ad lods %ds:(%rsi),%eax


The byte(s) on one line go with the instruction. lods is a single-byte instruction with opcode 0xad, so the low byte of the qword at 0x400850 is 0xad



The hexdump is all there, but not every 8-byte chunk has a numbered label. Every byte has its own address; you just need to count from a preceding marked address to find the start of a chunk of data you want.





Or use objdump -s as recommended in assembly jmp to a line that doesn't exist to get a simple hexdump of each ELF section, split into uniform size chunks.



Or from inside GDB, an x command.






share|improve this answer

































    0














    This address 0x400850 is a pointer table, so it's something like:
    400850: 00000000004006ad
    400858: 00000000004006b3
    400860: 00000000004006bc



    rax is and index to the pointer table. you need to know the index and find the jump address from the table.






    share|improve this answer























      Your Answer






      StackExchange.ifUsing("editor", function () {
      StackExchange.using("externalEditor", function () {
      StackExchange.using("snippets", function () {
      StackExchange.snippets.init();
      });
      });
      }, "code-snippets");

      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "1"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53326905%2fhow-to-analyze-the-indirect-jump-in-assembly-code%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      3














      jmpq *0x400850(,%rax,8) is an indirect jmp indexing into a table of jump targets. Yes, it's probably compiler-generated from a switch statement.





      You used objdump -D instead of objdump -s, so the output breaks the hexdump up into chunks according to nonsensical decoding as x86-64 instructions, not into qword addresses.



      The format is



      starting   machine code            disassembly
      address hex byte(s) (AT&T syntax)

      400850: ad lods %ds:(%rsi),%eax


      The byte(s) on one line go with the instruction. lods is a single-byte instruction with opcode 0xad, so the low byte of the qword at 0x400850 is 0xad



      The hexdump is all there, but not every 8-byte chunk has a numbered label. Every byte has its own address; you just need to count from a preceding marked address to find the start of a chunk of data you want.





      Or use objdump -s as recommended in assembly jmp to a line that doesn't exist to get a simple hexdump of each ELF section, split into uniform size chunks.



      Or from inside GDB, an x command.






      share|improve this answer






























        3














        jmpq *0x400850(,%rax,8) is an indirect jmp indexing into a table of jump targets. Yes, it's probably compiler-generated from a switch statement.





        You used objdump -D instead of objdump -s, so the output breaks the hexdump up into chunks according to nonsensical decoding as x86-64 instructions, not into qword addresses.



        The format is



        starting   machine code            disassembly
        address hex byte(s) (AT&T syntax)

        400850: ad lods %ds:(%rsi),%eax


        The byte(s) on one line go with the instruction. lods is a single-byte instruction with opcode 0xad, so the low byte of the qword at 0x400850 is 0xad



        The hexdump is all there, but not every 8-byte chunk has a numbered label. Every byte has its own address; you just need to count from a preceding marked address to find the start of a chunk of data you want.





        Or use objdump -s as recommended in assembly jmp to a line that doesn't exist to get a simple hexdump of each ELF section, split into uniform size chunks.



        Or from inside GDB, an x command.






        share|improve this answer




























          3












          3








          3







          jmpq *0x400850(,%rax,8) is an indirect jmp indexing into a table of jump targets. Yes, it's probably compiler-generated from a switch statement.





          You used objdump -D instead of objdump -s, so the output breaks the hexdump up into chunks according to nonsensical decoding as x86-64 instructions, not into qword addresses.



          The format is



          starting   machine code            disassembly
          address hex byte(s) (AT&T syntax)

          400850: ad lods %ds:(%rsi),%eax


          The byte(s) on one line go with the instruction. lods is a single-byte instruction with opcode 0xad, so the low byte of the qword at 0x400850 is 0xad



          The hexdump is all there, but not every 8-byte chunk has a numbered label. Every byte has its own address; you just need to count from a preceding marked address to find the start of a chunk of data you want.





          Or use objdump -s as recommended in assembly jmp to a line that doesn't exist to get a simple hexdump of each ELF section, split into uniform size chunks.



          Or from inside GDB, an x command.






          share|improve this answer















          jmpq *0x400850(,%rax,8) is an indirect jmp indexing into a table of jump targets. Yes, it's probably compiler-generated from a switch statement.





          You used objdump -D instead of objdump -s, so the output breaks the hexdump up into chunks according to nonsensical decoding as x86-64 instructions, not into qword addresses.



          The format is



          starting   machine code            disassembly
          address hex byte(s) (AT&T syntax)

          400850: ad lods %ds:(%rsi),%eax


          The byte(s) on one line go with the instruction. lods is a single-byte instruction with opcode 0xad, so the low byte of the qword at 0x400850 is 0xad



          The hexdump is all there, but not every 8-byte chunk has a numbered label. Every byte has its own address; you just need to count from a preceding marked address to find the start of a chunk of data you want.





          Or use objdump -s as recommended in assembly jmp to a line that doesn't exist to get a simple hexdump of each ELF section, split into uniform size chunks.



          Or from inside GDB, an x command.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 15 '18 at 20:35

























          answered Nov 15 '18 at 19:55









          Peter CordesPeter Cordes

          132k18201338




          132k18201338

























              0














              This address 0x400850 is a pointer table, so it's something like:
              400850: 00000000004006ad
              400858: 00000000004006b3
              400860: 00000000004006bc



              rax is and index to the pointer table. you need to know the index and find the jump address from the table.






              share|improve this answer




























                0














                This address 0x400850 is a pointer table, so it's something like:
                400850: 00000000004006ad
                400858: 00000000004006b3
                400860: 00000000004006bc



                rax is and index to the pointer table. you need to know the index and find the jump address from the table.






                share|improve this answer


























                  0












                  0








                  0







                  This address 0x400850 is a pointer table, so it's something like:
                  400850: 00000000004006ad
                  400858: 00000000004006b3
                  400860: 00000000004006bc



                  rax is and index to the pointer table. you need to know the index and find the jump address from the table.






                  share|improve this answer













                  This address 0x400850 is a pointer table, so it's something like:
                  400850: 00000000004006ad
                  400858: 00000000004006b3
                  400860: 00000000004006bc



                  rax is and index to the pointer table. you need to know the index and find the jump address from the table.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Nov 23 '18 at 13:07









                  unknown_reverserunknown_reverser

                  11




                  11






























                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Stack Overflow!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53326905%2fhow-to-analyze-the-indirect-jump-in-assembly-code%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      Florida Star v. B. J. F.

                      Danny Elfman

                      Lugert, Oklahoma