I have a very simple C program:

int foobar(int a)
{
    int b = a;
    return b;   /* the function is declared int, so it has to return a value */
}

int main(int argc, char *argv[])
{
    foobar(0xDEAD);
    return 0;
}

Using objdump -d main.out I got the disassembled binary with a lot of assembler instructions:

  4004a3:   55                      push   %ebp
  4004a4:   48 89 e5                mov    %esp,%ebp
  4004a7:   48 83 ec 10             sub    $0x10,%esp

How can I find, for example, the address of every push instruction from another C program? Can it be done this way?

position = 0;
while (...)
{
   ...
   int act_value;
   read(binary_file, &act_value, 4);

   if (act_value == /*what value?*/)
   {
      printf("Instruction: push\n");
      printf("Address: %X\n", position * 4); /* is this correct?*/
   }
   position++;
   ...
}
  • You can't do it that way. x86 instructions are variable length (as you can observe in your disassembler output); not all bytes correspond to opcodes. Commented Mar 10, 2012 at 19:29
  • Oli Charlesworth is correct. You'll actually have to parse the executable to differentiate between an actual push and a coincidental sequence of bytes. Furthermore, executables can rewrite themselves at run time, so you won't necessarily get all the instructions this way. It may be easier to delegate the task of disassembly to an external program like objdump rather than reinventing the wheel.
    – Borealid
    Commented Mar 10, 2012 at 19:41
  • What is it exactly you're trying to do? Commented Mar 10, 2012 at 19:52
  • objdump -d binary|grep push Commented Mar 10, 2012 at 20:19
  • @drhirsch Was my answer too wordy? :) Commented Mar 10, 2012 at 20:23

1 Answer

As Oli Charlesworth already pointed out, instructions are of variable length on the x86 architecture. You can still write a program to do this for you, but you'll need to parse all the instructions to properly know how long they are and where the next one starts.

I don't understand why you want to write your own program to solve the problem, or is there something you're not telling us? Are you only looking for a way to find the addresses of the push instructions? If so, just do this:

objdump -d another_c_program | grep push

Of course, this will also find pushl and so on. I guess you want them too, otherwise the command can be modified.
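Added example (not code from the question or the answer): the approach the answer recommends, done from a program instead of a grep pipeline. It parses objdump -d text into instructions, which exposes the two things the question's fixed 4-byte read cannot see: each instruction's own byte length, and the rule that every instruction starts exactly where the previous one ends. SAMPLE is constructed; its first three instruction lines are the ones quoted in the question, the rest are hand-encoded here.

```python
import re
from dataclasses import dataclass

_ADDR = re.compile(r"\s*[0-9a-fA-F]+")  # text left of the first ':' on an instruction line
_BYTE = re.compile(r"[0-9a-fA-F]{2}")   # one entry of objdump's hex byte column

@dataclass
class Insn:
    addr: int       # address of the first byte
    raw: bytes      # encoding; len(raw) is how far a decoder must advance to the next one
    mnemonic: str
    operands: str

def parse_objdump(text):
    """Parse 'objdump -d' text into one Insn per instruction line."""
    insns = []
    for line in text.splitlines():
        head, sep, rest = line.partition(":")
        if not sep or not _ADDR.fullmatch(head):
            continue                  # section headers, blank lines, '<symbol>:' labels
        tokens, raw = rest.split(), bytearray()
        while tokens and _BYTE.fullmatch(tokens[0]):
            raw.append(int(tokens.pop(0), 16))
        if tokens:                    # byte-only wrap lines of very long instructions are skipped
            insns.append(Insn(int(head, 16), bytes(raw), tokens[0], " ".join(tokens[1:])))
    return insns

def is_contiguous(insns):
    # The decoder's invariant: every instruction starts exactly where the previous
    # one ends. A fixed 4-byte stride over the file cannot satisfy it.
    return all(a.addr + len(a.raw) == b.addr for a, b in zip(insns, insns[1:]))

def push_addresses(insns, exact=False):
    # By default any push* mnemonic counts (pushq, pushl, ...), as 'grep push' would;
    # exact=True keeps only the bare 'push' mnemonic.
    return [i.addr for i in insns
            if i.mnemonic == "push" or (not exact and i.mnemonic.startswith("push"))]

# Constructed sample: the first three instruction lines are quoted from the question;
# the remaining lines are hand-encoded here so the sample also contains a 5-byte push.
SAMPLE = """00000000004004a3 <foobar>:
  4004a3:\t55                   \tpush   %ebp
  4004a4:\t48 89 e5             \tmov    %esp,%ebp
  4004a7:\t48 83 ec 10          \tsub    $0x10,%esp
  4004ab:\t89 7d fc             \tmov    %edi,-0x4(%rbp)
  4004ae:\t68 ad de 00 00       \tpushq  $0xdead
  4004b3:\t5d                   \tpop    %rbp
  4004b4:\tc3                   \tret
"""
```

For a real binary, hand parse_objdump the output of `objdump -d binary` (captured with subprocess, for instance); is_contiguous only holds within one section, since the listing has gaps between sections.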
