Solved

Accessing Stack to get Function Arguments

Posted on 2004-10-28
Last Modified: 2012-08-13
Hi

[Working on LINUX]

I have an a.out file (compiled without debugging info, i.e. gcc <filename>). Source is not available.
I want to find out the details of the user-defined function parameters (not system call parameters or library call parameters).
I know that with the help of EBP + offset, I can get the function parameters.
Right now I am using ptrace to trace my a.out object file, but I am not able to get the values properly. Can anyone direct me to a source of information on this aspect or suggest a tool? I have tried fenris, which gives only the first function parameter but not all. Even if the tool is a binary instrumentation tool, I don't mind using it.


Thanks
Sreeram
Question by:uday_bayan
14 Comments
 
LVL 45

Expert Comment

by:sunnycoder
ID: 12441414
Hi Sreeram,

Check these:

Tools: www.backerstreet.com/rec/rec.htm

Theory: http://www.acm.uiuc.edu/sigmil/RevEng/

There was one particular book I used some time ago .. can't find it now ... It had several references to some good tools (Yes, I used them too) ... will try to look for it in the meanwhile ....

For your purpose, rec should be of good help.

cheers
sunnycoder
 

Author Comment

by:uday_bayan
ID: 12441970
Hi Sunny,

Can I get the values of the function arguments using the above? What I need is the run time values of the user-defined function arguments.

#include <stdio.h>

/* assumed prototypes: the user-defined functions under trace, defined elsewhere in the program */
void foo(int i, int j);
void foobar(int j);

int main()
{
    int i = 100, j;
    scanf("%d", &j);
    if (j == 20)
        foo(i, j);
    else
        foobar(j);
    return 0;
}

What I need is something like this:

suppose i=20
main()
foo(100,20)


if i not equal to 20
main()
foobar(30) {some arbitrary value other than 20}


The main thing is the value of the function parameters. I was able to get the trace of the user defined functions using fenris, but not the values of the parameters.

Thanks,
Sreeram
 
LVL 45

Accepted Solution

by:sunnycoder
sunnycoder earned 272 total points
ID: 12442548
hi Sreeram,

>what i need is the run time values of the user defined function arguments.
No ... this will not work to get you the run time values .... For these values you have to turn to a good debugger like gdb ...

Set a breakpoint at the specific function and you can examine the values at that point of time .... however, if the executable is not a debug build and has symbol information stripped, then the task becomes a lot more difficult.
 
LVL 11

Assisted Solution

by:pratap_r
pratap_r earned 264 total points
ID: 12442677
hmm.. reminds me of a small trick.. I used in my college days to debug binaries

If you know the function address, probably you can put a breakpoint there and examine the stack once the breakpoint is hit.

Another cool method is to patch the function call with your own function call (in assembly of course) and examine the stack programmatically.. haven't come across any tools for this though..
 
LVL 3

Expert Comment

by:georg74
ID: 12448608
If you know the function signature, then it's easy.
Use the debugger, set a breakpoint on the function.
On hit, read the params from the stack.

if the function signature is not known, or the function accepts variable parameters
(like printf), then you have to analyse the way parameters are put on the stack
before the function is called.

once you do that and make your assumptions about the signature, you can
let the debugger write the actual arguments into a log file when the breakpoint is hit.
then let the program run and you will get a log file almost the way you want it,
something like:
b_foobar 30
b_foobar 45
b_foo 100, 20
...

HTH,
georg
 

Author Comment

by:uday_bayan
ID: 12454238
Hi Pratap & Georg


I have put a breakpoint at the function name. The format of the stack is also known. The first parameter of the function is located at location EBP+8.
I used the following to print the parameters:
print $EBP
The value of EBP is printed (some value in hexadecimal).
I added 8 to that value and printed again:
print $(added value)

But I was not able to see the value of the parameter; instead I saw assembly code of a mov instruction.

Any suggestions how to print it?


Thanks,
Sreeram.
 
LVL 11

Expert Comment

by:pratap_r
ID: 12455769
Oh, that could be a memory address; try dumping the memory at the address specified in EBP+8 and see if that's what you are expecting.

Pratap
 
LVL 45

Expert Comment

by:sunnycoder
ID: 12461607
>The first paramet er of the function  is located at location EBP+8.
Are you sure that your stack is growing down and not up? Check EBP-8. Also, could it be that the hex value at that address just happens to correspond to mov?
 
LVL 11

Expert Comment

by:pratap_r
ID: 12461719
you mean the opcodes for mov?? hopefully sreeram is looking at the disassembly rather than a hex dump!!!!!
 

Author Comment

by:uday_bayan
ID: 12489272
Hi SunnyCoder,

I tried using the REC tool but it doesn't seem to give me the function signature. Are you aware of any decompilation tools that give the function definition? I need to know
something like this:

foo(int,float, char *, double)

What type of parameters does a function have?

Thanks,
Sreeram
 
LVL 3

Assisted Solution

by:georg74
georg74 earned 264 total points
ID: 12491121
hi Sreeram,

Theoretically speaking, it is not possible to make a tool that could
decompile a binary and give you 100% correct function declarations.

You have to investigate a bit. Make a disassembly of the code and
find your function(s). Find all places where this function is called from
(a good disassembler will give you this information). Analyse how
the parameters are put onto the stack.

Analyse the target function and find out how the parameters are used.
Pointers will be loaded into a register, eventually an offset is added
and they will be dereferenced. Often there is a test for 0.
Doubles and floats get loaded into FPU registers.

Then return to debugging and inspect the actual parameters.
For a char pointer, you'll find the string at the address.
Usually, pointers don't contain small numbers, as ints do.
etc.

Code a few sample functions in C, compile them and
analyse the produced assembly.

After some practice in reading assembly code, you
will be able to translate it simultaneously into C :-)

gl,
georg
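The frame layout the thread describes (first argument at EBP+8 on 32-bit Linux, with the assumed signature deciding how many 4-byte slots each argument occupies) as an added C example that is not code from the thread or its participants: it decodes a constructed snapshot of the stack words a ptrace-based tracer would have read once the breakpoint on the function hit. The foo(100, 20) values are the ones from the question; bar(7, 2.5), the saved EBP and the return address are constructed.

```c
#include <stdint.h>
#include <string.h>

/* One decoded i386 cdecl argument: a 4-byte int or pointer, or an 8-byte double. */
enum arg_kind { ARG_INT, ARG_PTR, ARG_DOUBLE };
typedef struct { enum arg_kind kind; int32_t i; uint32_t p; double d; } arg_t;

static uint32_t rd32(const uint8_t *f, size_t off) {
    uint32_t w; memcpy(&w, f + off, 4); return w;   /* little-endian host assumed */
}

/* Decode the arguments of a frame snapshot that starts at EBP, as a ptrace tracer
 * would have peeked it word by word when the breakpoint on the function hit:
 *   [EBP+0] saved EBP   [EBP+4] return address   [EBP+8] first argument ...
 * sig: 'i' = int, 'p' = pointer, 'd' = double (occupies two 4-byte slots).
 * Returns the number of arguments decoded, -1 on a bad signature or short snapshot. */
int decode_args(const uint8_t *f, size_t len, const char *sig, arg_t *out, int max) {
    size_t off = 8; int n = 0;
    for (; *sig && n < max; sig++, n++) {
        size_t sz = (*sig == 'd') ? 8 : 4;
        if (off + sz > len) return -1;              /* snapshot shorter than the signature */
        if (*sig == 'i')      { out[n].kind = ARG_INT;    out[n].i = (int32_t)rd32(f, off); }
        else if (*sig == 'p') { out[n].kind = ARG_PTR;    out[n].p = rd32(f, off); }
        else if (*sig == 'd') { out[n].kind = ARG_DOUBLE; memcpy(&out[n].d, f + off, 8); }
        else return -1;
        off += sz;
    }
    return n;
}

/* Constructed snapshot of the thread's foo(100, 20) call. Saved EBP and return
 * address are made-up but plausible values; the two int arguments follow at EBP+8. */
int32_t demo_foo_arg(int idx) {
    uint32_t words[] = { 0xbffff4c8u, 0x080483f2u, 100u, 20u };
    arg_t a[2];
    if (idx < 0 || idx > 1) return -1;
    if (decode_args((const uint8_t *)words, sizeof words, "ii", a, 2) != 2) return -1;
    return a[idx].i;
}

/* Constructed snapshot for a hypothetical bar(7, 2.5): the double spans EBP+12..EBP+19,
 * so reading only one word per argument would misread it. */
double demo_double_arg(void) {
    uint8_t buf[20]; arg_t a[2]; double d = 2.5;
    uint32_t hdr[] = { 0xbffff4c8u, 0x080483f2u, 7u };
    memcpy(buf, hdr, sizeof hdr); memcpy(buf + sizeof hdr, &d, sizeof d);
    return decode_args(buf, sizeof buf, "id", a, 2) == 2 ? a[1].d : 0.0;
}
```

In gdb the equivalent dereference is `x/2wd $ebp+8`; `print $ebp+8` on its own shows the address, not the word stored there.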
