CHAPTER 3. HELLO, WORLD! CHAPTER 3. HELLO, WORLD!
#include <stdio.h>
const char $SG3830[]="hello, world\n";
int main()
{
printf($SG3830);
return 0;
}
Let’s go back to the assembly listing. As we can see, the string is terminated by a zero byte, which is standard for C/C++
strings.More about C strings: 25.1.1 on page 112.
In the code segment, _TEXT, there is only one function so far: main(). The function main() starts with prologue code
and ends with epilogue code (like almost any function)
1
.
After the function prologue we see the call to the printf() function : CALL _printf. Before the call the string address
(or a pointer to it) containing our greeting is placed on the stack with the help of the PUSH instruction.
When the printf() function returns the control to the main() function, the string address (or a pointer to it) is still on
the stack.Since we do not need it anymore, the stack pointer (the ESP register) needs to be corrected.
ADD ESP, 4 means add 4 to the ESP register value. Why 4? Since this is a 32-bit program, we need exactly 4 bytes for
address passing through the stack. If it was x64 code we would need 8 bytes. ADD ESP, 4 is effectively equivalent to
POP register but without using any register
2
.
For the same purpose, some compilers (like the Intel C++ Compiler) may emit POP ECX instead of ADD (e.g., such a pattern
can be observed in the Oracle RDBMS code as it is compiled with the Intel C++ compiler). This instruction has almost the
same effect but the ECX register contents will be overwritten. The Intel C++ compiler probably uses POP ECX since this
instruction’s opcode is shorter than ADD ESP, x (1 byte for POP against 3 for ADD).
Here is an example of using POP instead of ADD from Oracle RDBMS:
Listing 3.2: Oracle RDBMS 10.2 Linux (app.o file)
.text:0800029A push ebx
.text:0800029B call qksfroChild
.text:080002A0 pop ecx
After calling printf(), the original C/C++ code contains the statement return 0 —return 0 as the result of the main()
function. In the generated code this is implemented by the instruction XOR EAX, EAX. XOR is in fact just “eXclusive
OR”
3
but the compilers often use it instead of MOV EAX, 0— again because it is a slightly shorter opcode (2 bytes for XOR
against 5 for MOV).
Some compilers emit SUB EAX, EAX, which means SUBtract the value in the EAX from the value in EAX, which, in any case,
results in zero.
The last instruction RET returns the control to the caller. Usually, this is C/C++ CRT
4
code, which, in turn, returns control to
the OS.
3.2 x86-64
3.2.1 MSVC—x86-64
Let’s also try 64-bit MSVC:
Listing 3.3: MSVC 2012 x64
$SG2989 DB 'hello, world', 0AH, 00H
main PROC
sub rsp, 40
lea rcx, OFFSET FLAT:$SG2989
call printf
xor eax, eax
1
You can read more about it in the section about function prologues and epilogues ( 4 on page 8).
2
CPU flags, however, are modified
3
wikipedia
4
C runtime library
6
我的内容管理
展开
