Author Topic: What is this line of assembly doing (IDA disassembler) cs:stdin@@GLIBC_2_2_5  (Read 14510 times)

Offline turtle13

  • Jr. Member
  • *
  • Posts: 73
what is going on in this line of assembly code?


Offline Frank Kotler

  • NASM Developer
  • Hero Member
  • *****
  • Posts: 2667
  • Country: us
Hi Turtle13,
Good to see ya!

Appears to be setting the file for fgets (man 3 fgets) to read to stdin. Then calls fgets and goes elsewhere if nothing read.

Best,
Frank


Offline turtle13

  • Jr. Member
  • *
  • Posts: 73
Frank nice to hear from you,

thanks for giving some clarification. Specifically what is the cs:GLIBC_2_2_5 doing... cs is a segment register correct? and LibC is the "C library of functions" so I'm assuming that that points to some offset in the .bss or .data section that has the "fgets" function call? And loading that offset into rdx? For 64- bit the 3rd arg is put into rdx register, so in this case that would be the "FILE *stream" argument for fgets

Code: [Select]
char *fgets(char *s, int size, FILE *stream)
« Last Edit: December 21, 2018, 06:42:06 PM by turtle13 »

Offline Frank Kotler

  • NASM Developer
  • Hero Member
  • *****
  • Posts: 2667
  • Country: us
Ahhh, I've been thinking I should have tried to explain that better, although I do NOT claim to know C! The C Standard Library contains open(). read(), write(). etc.  - equivalent (?) to the system calls you're probably used to. It also includes fopen(), fread(), etc. If you learn C "from the book", it probably tells you to use fread(), etc. and may not even mention that the other versions exist. The difference is that the "f" versions are "buffered I/O".  These use a "different stdin" (etc.) than the small integer "STDIN" you'd use for system calls. This "stdin" (I think) is the address of a structure which knows where the actual buffer is and the current position in the buffer 0 as well as STDIN=0, I suppose. If you're not aware that you've asked for buffered I/O, the results may not be what you expect.
"cs" is a segment register, but in this case it's a segment override - the address of "stdin" is with respect to section .text rather than .data or .bss. "fgets" itself would be in .text, although the address of it might be found elsewhere(?). I think IDA is adding that (and the underscore on "fgets). I don't think you'd need them if you were writing the code yourself.

Best,
Frank


Offline turtle13

  • Jr. Member
  • *
  • Posts: 73
So by "segment override" that means that the cs register will have whatever was stored in it before replaced with the segment starting address for the "GLIBC_2_2_5" segment?

Offline dreamCoder

  • Full Member
  • **
  • Posts: 107
From the looks of it, I think you're referring to GOT/PLT stuff. Nothing serious about it. It's just how (or where) all your external dependencies (glibc in this case) are stored in memory. This should help explaining