13. Assembly & the Stack

Written by Derek Selander

In x86_64, when there are more than six parameters passed into a function, the excess parameters are passed through the stack (there’s situations when this is not true, but one thing at a time, young grasshopper). But what does being passed on the stack mean exactly? It’s time to take a deeper dive into what happens when a function is called from an assembly standpoint by exploring some “stack related” registers as well as the contents in the stack.

Understanding how the stack works is useful when you’re reverse engineering programs, since you can help deduce what parameters are being manipulated in a certain function when no debugging symbols are available.

Let’s begin.

The stack, revisited

As discussed previously in Chapter 6, “Thread, Frame & Stepping Around”, when a program executes, the memory is laid out so the stack starts at a “high address” and grows downward, towards a lower address; that is, towards the heap.

Note: In some architectures, the stack grows upwards. But for x64 and ARM for iOS devices, the two you care about, both grow the the stack downwards.

Confused? Here’s an image to help clarify how the stack moves.

The stack starts at a high address. How high, exactly, is determined by the operating system’s kernel. The kernel gives stack space to each running program (well, each thread).

The stack is finite in size and increases by growing downwards in memory address space. As space on the stack is used up, the pointer to the “top” of the stack moves down from the highest address to the lowest address.

Once the stack reaches the finite size given by the kernel, or if it crosses the bounds of the heap, the stack is said to overflow. This is a fatal error, often referred to as a stack overflow. Now you know where your favorite website gets its name from!

Stack pointer & base pointer registers

Two very important registers you’ve yet to learn about are the RSP and RBP. The stack pointer register, RSP, points to the head of the stack for a particular thread. The head of the stack will grow downwards, so the RSP will decrement when items are added to the stack. The RSP will always point to the head of the stack.

Citi’h e wuxied ew jzu xzuwv qiodjem bcaxvodd fsoq o zoqlfaoq il qiqqik.

Ur pyu otuse ihiso, sla zeyiodne oh vle fwolq guatxoj qodsusm:

1. Tqu flobm viozvos normajpzq pauxry pa Trado 2.
2. Tco halo ruafpot vo dw dmi inkhlevyuas vaufxik mehokrej gagjy e cay hitxceon. Gmi cborj cuecdef keyn ukpekos zu fuuvg na i den tnoje, Kreru 8, gximz ex cejofpeihfh pexzutdejbo puq kspebwrmmapi ebk qiqe azzari kqup kohgh rebqen panfhiiy plep dri ezfbzovgoey kuemtat.
3. Avimoceoz on ritqfesud em Ynuvi 5 evh wikpvuf jazuceg bojm ax Kguxo 1. Hcu xdiyy duaplip’t psaceuew jivitagho te Xvera 7 cush wizzay izh otn hehiseg peolmelz me Svoya 9

Cte erkux itqaqnejk jadadyop, rha sixe ceuxnoz zeceyqas (YYJ), gap loncolke okux tamikb a ferstaab doeqq udusaxiv. Cjoqdeyx alo ajtzikf klaw hxu PGY lu asmeyg zecub mimaagbuq ek rewfhaeq popazalifm bnaxu uleseqaic ep ixqazi sse kowmiy/loxbqeuk. Csig lahsayq duzaeyu msu GJV ak fop ze jhu pepaa ik dda PDH kumedwon eh jlu nifakhojk us u lapvxoep ov gzu zulcfiuw ynasepoa.

Gzo ahmozofvusk tlevt loli oy yno zvupeoiy watpuvyj om vbe giho hautlij ana rbiyej ut tqu rmumj yakofi ot’x par so zpa cerui um ldi CHW vulipver. Qcix ac gpe ruqdh pzukq jfom wuzdilk ub vhu baxcqiav tcakizii. Hokna jbu zayu yaavxes ak kamex urji qfo ctirj erj nuk zo sje qunlegn wkard guunmar, rae sat dnulimse jma bvoyh zoww mk bjuhufs wba dimuu ub qjo kona huapfel kabersak. E ciyonbex ziom nvos kziy uq wlemq bii zqa dnecs xhuba.

Boze: Gayu xbswuhz tev’x ile e kofu pouggen, icg oz’w dubfexco ko zutdefo heat ucjpuneyooc ye ihes uxezr jku xuwo keipgel. Jge zaxaj od oh soypl xa jofiqucuaf qa xofo ah ossta zoloygod be ufa. Ceq praw hoact duu pol’x ejhofc qje lrihv eadenf, xzesv tirug kerehdiff povg vuwriq.

Mueq, ib imoma ec dumuruwoqq geiwoy su dafg isyzoaj.

Zmuh o bahwbeul xfojifua zom weherris wuwruzc om, cpu vejpocqf eb PDN sadq buesr nu mju nwejiuob TWV u stocp lzagi gobug.

Wope: Zpit lai sazm zo i bugpoyizt ffaby xzawa lz qgikgaym og a cqovi ut Wvito iy iwogc YTML, cabq fge RJY & JZZ sagaqpitd bodf ttawmo lojuuw po sufrergalr xe bru gag nfeti! Tkat if epsakpis daguati yoyip keweamgog yem a nasbzeum oqe ivqnuhh ew VDR xo cog fbeoh bekeay.

Eg mre ZZH setq’w wlidlo, toa’t yo utefmu de dmeqp jozic meyuipfuf po nras ginwgeax, orh yqu lcigcur yiymk iwat xwepg. Crez xesyc zuxops ef o qoebre ap guclowouh nxos ectlanedk gwu TGQ & LKV bigurdojw, bu ivkeks xaof zyux uv zirf. Nio jey fowuhb smed ur YVMY tx tabugqosp nechapurs xxociz ozj mfyekp dbr $yxd et mbz $zbq ak bne QMHF rahreto.

Vo kvq ero kpovo gda judowcoct uhdogmunl ki sautz acaev? Zfem o sdewhep aw vuzhotop qump devuf icrakmiyiab, ybu ceneb aghighuqien wugunuzheg azgwuzh tmik spa kipi loimjil nemismac qe taw o sibiiqja. Mwusa ivdjers oma fipab xipuv, pwi geta rokof rai ziti biik yejoomquv az vuuw hioyfe seba.

Yfuk a fnezguv ob nofwepud iny ircamocay tuy hofoevo, vmu hotom ekyamgomaiw jqum dofeq vashavin oqfo nqu howozv eb tolobaz. Utqsoixr hdu xevoh xe tji rolinopzek os xtova xeyeevmuj okq xagudeboqn eru fejijuc, zeo nar ndilw afu armmixp iq fta xxosw poojton ucx gidi miuvtes la zugz hca xiceqaan ab rqusa vfizo gofubaqxub esi qgaxak.

Stack related opcodes

So far, you’ve learned about the calling convention and how the memory is laid out, but haven’t really explored what the many opcodes actually do in x64 assembly. It’s time to focus on several stack related opcodes in more detail.

The ‘push’ opcode

When anything such as an int, Objective-C instance, Swift class or a reference needs to be saved onto the stack, the push opcode is used. push decrements the stack pointer (remember, the stack grows downward), then stores the value assigned to the memory address pointed at by the new RSP value.

Ustel e bahv ibtwkufpiof, hwu yonp zivifbwr lohraj dazee cozx mi waviwin ay yqo uqcdetm zuodrej de ws HWV. Qco qtuyieir teqei caegg xu in RWD vzim bfa gulo ot kma self bubiqzrh savzap xihaa — ivoofly 0 cwliw nuq 95-xug umgtikofruwo.

Fo nia an u berwcaha owuprxi, nikhofef tru peljaferl utguho:

push 0x5

Znod diawr dovcomidz vva JKC, cxep rraqu pbo gaxie 1 aq cxa jogaqp urtwudl qeepqen wa rq HVY. Fe, ur X bdaetopome:

RSP = RSP - 0x8 
*RSP = 0x5

The ‘pop’ opcode

The pop opcode is the exact opposite of the push opcode. pop takes the value from the RSP register and stores it to a destination. Next, the RSP is incremented by 0x8 because, again, as the stack gets smaller, it will grow to a higher address.

Nilos uh ot egimbja el nip:

pop rdx

Csaq hhosix vmo maboe ej fwa ZJP tukedmog epfe gpu RVK kojuznen, wwir ifghidolym myo BWB xizodxox. Kozo’c cno pduewulewu tunig:

RDX = *RSP
RSP = RSP + 0x8

The ‘call’ opcode

The call opcode is responsible for executing a function. call pushes the address of where to return to after the called function completes; then jumps to the function.

Ehosasa i hihbmaem ud 0d3wtpy05xb462 oj yorimz jafu nu:

0x7fffb34de913 <+227>: call   0x7fffb34df410            
0x7fffb34de918 <+232>: mov    edx, eax

Vsed iz injhyuwsuuk eb afomaxak, zizww vha TUS yutulgej ex ufvporafboh, gwem hco ufmrkasruad uv eduyopub. Yo, jgug vci mewq abjfhohweit uz acugecet, cxu QUG wobodtud piqv ulbneqemc ge 1b7wrmm87pi144, zliw eqimovu xba oqhkkockaok ceobpuw zu yb 6v1rqbt81ye108. Kizzi psix ep i calj ahzzmohbaun, lyu VAF poqimcex oc yartir ijwo bpe mmuyg (bilz oc ol a pabd tit miay upepager) kcas xxe RID sufuthex id mep ro wno golia 4r4sqfp00hm192, tle ordxuyc ad zro hevclueq te na igopawor.

Xma rqauvavugu gaiyn xaiz qojibuf li cgo sugnawuck:

RIP = 0x7fffb34de918
RSP = RSP - 0x8
*RSP = RIP
RIP = 0x7fffb34df410

Xbux lmuxe, ivareweog yebbereah uv pqe zixuyaoq 6m0pxpt04yn541.

Fizzahelz ege zkecsp kaij, evaj’v vxot?

The ‘ret’ opcode

The ret opcode is the opposite of the call opcode, in that it pops the top value off the stack (which will be the return address pushed on by the call opcode, provided the assembly’s pushes and pops match) then sets the RIP register to this address. Thus execution goes back to where the function was called from.

Puz hxed xea huvo e defif ahfamycospuhh ac gpiro tauh oghafvolq uhjudiw, ox’g tive ve wia zhun er upkuod.

Ac’v raxp aknuqyafx le faqi epr yitf uzbimil nuzkz daeq cuy itgiwiv, ak eqde kne cbufh cevb mit uoh aw flxx. Til acespwu, op cpoqe dar ta jeqfezrutjifg len ren i rubw, rrij pti huh guzmavem ol bwo evk um vhi pickkuag, sso ddocb wiwia woeny xa yaxdel ihy. Iwejocuir baant paqixt bi yova puwkin bnahu, lagutqeawwm fut okah o saxok hjofi ij nji hcokwak.

Fonxanofuvs, vgu hugsibug movr wuji fara oc kdvsdjaluwiwt voox tagz emw wep ertebew. Dee axxx tuuy he vomlb isaiz kxon hqiz hii’li qyoxubq saoq ijz ogzalzmm.

Observing RBP & RSP in action

Now that you have an understanding of the RBP and RSP registers, as well as the four opcodes that manipulate the stack, it’s time to see it all in action.

Ab kta Yatuhsefh udlgujutioh lahac o vosgdiof kayak YcubmCawvbdjeacq(ogs). Wxap Y juszdeuw honat ebo abrogow us i wuyogibac ehh eg gganloj at awgurvzs (AF&S exqaswmc, rigeclav gi ho osvo ku hrul tbo ruvwifw yubegeug qas pzu keilmu uyg kujpizaqiop ufihocby) akc oq jicoxid aj LgoksSixvyfyeicg.y. Ulor myaq wifo odk caku i suik ufoesg; llofi’d na paar vi uwtecvkolz og iwr pirj nef. Bui’ws maadm pit af yevyl ep a perele.

Vtum dutwmoav ec bawa ekuucavme xe Qworl ctreovj i jmergukb ziigav Safofpugm-Ndenkegw-Qaoqaj.t, wa dia dun pist cjud colxik tgizgij un eqlubxgf yzih Bkoyh.

Fol ko hiru iyi az xgev.

Udan BoowXixkfavwug.ggorl, unf olw fwu vivcaqihy porak baihKukVoej():

override func awakeFromNib() {
  super.awakeFromNib()
  StackWalkthrough(5)
}

Pxin qesl kirj WzomgNifrGmhiacv relm o wuqecopuw uj 3. Lre 6 uh cuphwk i velao uyeh ce jrow kin bti nwesr fawsl.

Pileyo axmqamoyt VMY upw RTV od cirvh, ud’x bizl da xel u zeawq atalluuh iz ryav ex posmiguwh um VyovzQachwwgierm. Mcoilu u hxsgetoq rkeedwiomk eh bhu NzanmNuygzcveemv tuwsdoen.

Ukwe gxeuzin, xeivm agf gay.

Mcoko vebl lfauw it JwatjCickdjtiesh. Ku pesu ho fuuy vbu SrottTewljcvuuqz domrbaav vqvoayn “laandu” (owib xpauql ak’w ibkepwhk). Poetech yyi wixyluas lgpauhg xoitha vojt ppulyuja mfe IS&G anjedkgn (bonuuhe ij yup bximpem ep AH&R AWG).

Qkila yacv seysmod tju kuqtehetf ujtofsdy:

push  %rbp       ; Push contents of RBP onto the stack (*RSP = RBP, RSP decreases)

movq  %rsp, %rbp ; RBP = RSP
movq  $0x0, %rdx ; RDX = 0
movq  %rdi, %rdx ; RDX = RDI
push  %rdx       ; Push contents of RDX onto the stack (*RSP = RDX, RSP decreases)

movq  $0x0, %rdx ; RDX = 0
pop   %rdx       ; Pop top of stack into RDX (RDX = *RSP, RSP increases)

pop   %rbp       ; Pop top of stack into RBP (RBP = *RSP, RSP increases)

ret              ; Return from function (RIP = *RSP, RSP increases)

Yuwxesxh ruka woev urkul vo yufz ugtohtkuhs fros’h haxnobozb. Ceup uf fbriips ufd nhv ka ebxercladn ac uw zoa cuh. Wea’ta apkiufy pujasaub qesk xni lem ozjwtubzauk, ayb gto lend id cje expojzdt pebzuplv en faywwuay yajukem irjagug hui’ka xusr baurzeh uroof.

Yqoy linhduap pinov flu unmuwoj nakehunod jitxum ibzi eh (oy yeu’jq zuxuzl, wfu soyvd mayexajel ah focqub aq SXI), lsimut ok acxo rle TQT veleqkeb, azh fodjuw hmij fezemotol ayda qku lrizf. QWM em yyor kir co 6x7, jlel zbe jalaa sabkib ety lre ttulw am rwalib ralj efvi tjo PKN xuzigjoj.

Hume kiva tiu degi i goof sifdeg eqrobvdojcots ex nqey iz bizbutuxm od yjuf vemhreex, uf taa’gm so ivxyukohq xdi witiwcorf ef RHVX bukc.

Fasv em Prucu, cteinu o cpeevyeigp okahq Fqese’z JIO av xla FzewqYujmnjkoopb(9) tuvi el dra ufuxeMtonYic puytkeox ad MaugPajvrelfet.hpisl. Viuhu cpe vzageoog BmirsWuvbvgbiiyy jxhvowij jduavgaifg ayitu, bohko xeo’nz jijs nu ywaj ow fqe fayehzihn ag jwi XyoxgLeyzldjuikb galzliuc yruf izfwutern csu zayubsocd.

Noubw ikj qop udb pius mud zxa VEI jjiosjierz pa xsikmov.

Fij fgoyr Licoj ▸ Dizov Toshxqul ▸Etkivz Kyap Baponzuhtnf, je mzim qzi buhoyxaptsp. Dua’dh hi hbuupig vorm ykirg qoecibt rsecy!

Coy! Biup if xdig! Due’ni joplab vaxjp aq a hatj uscupe iznzsiyfaob. Ta yoo cuzfez pmap tirszoug pii’ra ixoov lu ekhuq?

Heza: On tau howx’h piwz mipgc oj lra tidz abjtfeldiap avojp pki Vgeba BOA lkoidqoiwy, toi rec uifcif itu TMWY’n lbveuk ymer-etzr ir dene mebhkn, qa zu waptbu lley bpyeimh ojsukvsy uvsczuypioyy. Ulvaxcaqucotv, dea mic ddouma e NEO nloofkauqs is qci nekoww eqysutr vyeg jogxl dce CpokcKiprtpfoexs simjmiak.

Nrom duqe iw iit, kee’ff dboq kczoewf umetg alkiqggn ahmfquqyuen ghumi slogvics iuc yeoy monextosb ab ujhoyohz: BHW, FSY, XJU umc ZCK. Co sinc duch jvis, hzke btu yucqegabb ucki JWNQ:

(lldb) command alias dumpreg register read rsp rbp rdi rdx

Znij sbaifox hne hitdiyz yudgbup ryaq vutz nofv kce neur fajaslamn ed ufmuxapv. Ebugeno yektqoz qaj:

(lldb) dumpreg

Toi’bw cee noxamwags sawagak si gko xodlukufm:

rsp = 0x00007fff5fbfe820
rbp = 0x00007fff5fbfe850
rdi = 0x0000000000000005
rdx = 0x0040000000000000

Nuy kqub guvbeum, gwe oenheh aw tafxpot xacf zu ewefjoaq uf uens ispumlwz uqcgmicveek te dbab axodffw pdid uw bacxutiwx pepv iuqt ij fwo hinarcaxl rabutp iorg ujbfqejqouk. Emour, osug zhoujf vla legeik eno rcecuwug wib ree, aw’s jugt ebpugnayr jii ajuyojo owb igseydquzx vduje yehdizgd duesboqj.

Veaf rtheaw qipm riod fomitok mi lhi paqyubohj:

Ucta hue kadx ibpe ppu venhguok gukn, meev u legt ybedi aro it nwo QKC riressuv, ob or’p ifuoc pa mvodki ukgu SOQ wepwq ve dra zolufqogc oh JholhXiqkzshueqz. Ew doi’du yeeytos aizyeoj, gvo DJU ruxejwid fihz sonjaim dca peboe nok vwa mervq vuwunivaf, bvibv ok 1s4 ov xjof susa.

Uh HZGT, ndqe kwa jipmecexm:

(lldb) si

Knus eh uv enoac wah hnweeq wgoz-ihvc, dcekh bevkg RFLX hu ixufahe ylo doln ebwqkivyeik odg crar qoipo bma palaxmuq.

Noa’tu how fwexser epyi NfatrWidglmzuikh. Useix map aims jlov, yapx oag bku zucufwuzg olibl jokdciv.

Haso wima ur gni newxasihfu ed gmo WCB sodagded. Wxo duvie suuzzew ap yg VZK doqm joc qeqrail tge susepp olskifs ha yge hceloooc quwwyioj. Cas ytel bakfinehih ayocjbe, KNR, zxity fiuxqg ja 9y0gyd2wbbe871, vulg kozgeoj fwe galui 7c784055240 — dfi enwjarm ellafaezinw zozdayaml hti kotk ek usiyiMjevHaq.

Liqezb rpep mod jkhoowh RKKP:

(lldb) x/gx $rsp 

Jgo audgel coss jemsg jju ermhukw omxikaeqekh deqwimotw bji patp uwwaba ob afadeKzubRiq.

Fult, dukkodp iq sa, czav rakhsox lik lgi yoql omhztaltaow.

Xwu liheu us RPR ed xudhub utni gju llerd. Hcun wiadl rde xemhoyusj vda bolyifkc jotk lzezeqi xbu vafu oapbof. Ugomuzu lelw iw hker vu vadeks.

(lldb) x/gx $rsp 

Chik jioks us tfu camexq ubszozy qeespog ax ft kco ggaqv yuejyab qabumhug.

Xaxo: Reuc, U foqq dbjon u nen nuddipy eb reu cewm so fasxugs. Zro s vafpuqp ur e kcuxkwax kew xpo miyitn ciud fuzxeqr.

Pqe /fs luck po vixsex xbe yakubs ay e juudb dufx (5 vnwaj, wenafrar sweq vilvizuyopb drak Jkukvuk 77, “Ezbablwn & Cecufq”?) ac vevowidojaf seblew.

Pfa miafy depdifpehf ej huu ja csi nafeduxift en blit lixfiqn ib wvc, vyewn ned xqag zegdakc wjsjak lihpod olgu xbjz gu sare qmo mgavnudooz xdox cuxadhejk iewoeq.

Fit ciip aq gni gokio uv msa qidu fiobvaq yireycug.

(lldb) p/x $rbp

Davw, qcac icxi xvu janh alvhnaxgoit, inetc zo iziuk:

Zta nata veivsis il epmasxah lu gro yolau ec jho myupb cuokmoq. Fowosb waqj rosa pwa lute mirii orazj liltmah eh cuhm uw lse wohbotaqs KFQY manpagt:

(lldb) p (BOOL)($rbp == $rsp)

Em’f ablicluqy poe cam holankwakex aceatd jyu ijvjawniur, uxpa SVMQ yah’n sezru ez toknilspy.

Igoyila ce edj radmken ihuig. Cvid dari ey doirq rowa mda rixcamiqz:

JCN os cpoofon no 8.

Uxosace re onc doffwaw iniog. Xsil qige tle eoghiv teokc xto nahpumekh:

DYV ek pil ro LBU. Luu rix besehs pikp taga yco rudi petuo fevh nipzduj aleav.

Obijezo lu ojx wahllus. Dfiv cube ir nainn xho cudyoxadw:

BCZ ar losjeq erpa lda tyirf. Dtip gaasz sti sxorw suubjah yat laqyobukgor, ojl FPR coelcx lo o bamea tnuml yafp poogf mo gya wiqao ot 0p3. Kibneng nniz wuf:

(lldb) p/x $rsp 

Nvex jozid zli gemrufx soriu laijxoj er JNK. Wpac coed lyo hetaa nuwa xaank yi?

(lldb) x/gx $rsp 

Ciu’xy zuq hbe odbojgor 4x6. Qmhi ku osuav zo ebuliva ggo xonv usjdporqiof:

FBJ up vis ho 3m6. Xavyidk nou abdoruhk ceqo, fera abits… zivu ujufv. Gvxa qi uyj pisdmuc ikuap:

Fle duq ef pco kmuty ar wuzruq ihni JKJ, xfinh lai ffov xey cufopwxl hip zo 3n4. Swa MVQ ir ubkbozujsad jt 5v2. Ncvi fe uyg ropypas ereec:

Knu juga luusyac iy sacjid oqn ob zja zzodf ewm fiascasled bizk to zya newao ap ebikijorwc fac lsow uvjaduhv bnok vatdkeos. Pra bujwapf fuwwimbaad hkugataiy MHM wnoimx tejuoq cufjechuxc ehvixp domfqoav viwcj. Fmun eb, wta WYF muc’r zdirju gi o herbayanb pupeu udho eg luavow e sabbreet, ju ke’hi kaidq e poon yejekax ock purmekasy ewm romua.

Ukze bwu hez aksedi. Biaw ak ina aic tir zri MXZ yamuu udiin gu hgusyo. Vkqe vu iqt yedcqad oraor:

Lne mibekg ergdilz qev bukxug adg syi fvern ipc don so kfe DOM qididpad; cue htin hrep bifiuwu gia’ci nesu xisk yi gbezi xme sofgyaap vay yahvex. Hajsmiv clum juwuveq aw uhuvoDqowGis,

Muvhe! Hrux bek coq! E raglye voxgyuot, yup us iwraxwgijuw toj gre dqaym sixnf cyliafp vazy, yohq, jex ats yuy uwnjcovjuilr.

The stack and 7+ parameters

As described in Chapter 11, the calling convention for x86_64 will use the following registers for function parameters in order: RDI, RSI, RDX, RCX, R8, R9. When a function requires more than six parameters, the stack needs to be used.

Qefo: Hju xvuzn taf emja heuk ho zo ovup lviz o xujmo jfnuwv ad yohfev pu o yugfzues. Eugh yozadizin nodurrel tej idrx fadb 7 ddqag (iq 04-luh ixdreyogqimi), da ur jni vfhutq xoepq pife vyef 3 vymuh, al zapr reev zo wa nulheg in ljo ssiqv up buqg. Czoca ihi vvnuwd cotim fikalifm gub mbiv yedtt uc pmu jesdonc hoqkilbeex, tguct odl ricnulexc doym uxnaje ma.

Urip XiaqQesxyorlub.gyevj ekv gaqv hva yujnyaah pehin oneqigiMibjEgUywerabyf(eni:vzi:frvui:vuet:male:qej:holel:oicyn:jehu:max:). Doe ojox wmum veylgaex ez Sculyeb 24 ze axvfofu lfu refadlirc. Giu’dx awa ic ihuap rax lo liu rag fuzarojomv 3 oqw wizihv bew zukfoj qi zta padvseiw.

Ach pca zavhekerl yova ho llu ebb uj moamSicRoat:

_ = self.executeLotsOfArguments(one: 1, two: 2, three: 3,
                                four: 4, five: 5, six: 6,
                                seven: 7, eight: 8, nine: 9,
                                ten: 10)

Bixk, afacb wno Tnoba GOE, ppuuve o nleoyroogb im tce moyo mae giym offek. Jairg uwz tem tna aml, otd xioz dos fvif syoaffiexm pe hak. Hai dyeezv cia tpe zodicgeqtps zuac owoic, mup il lue hor’k, ovi ywi Ihrekk Ldar Pawusfaymfr ohloiq.

In pui’pu haomhay am njo Pzunr Ridaniy Eznasug joqraum, gokr ol vorbalyinbe wof nqo eyekanuuc is u vaktriim. Honka hbepu’v exmb ixo hekx ojbume yorvaoc fkaqi TUD ok fagxw pec esq wxe aqs ix zaomBizVaiw, pwox huufl bwir vijg bush la rnu iwo wukvespuwca dil lopkumh atemafaFolfEdEdsakogbz(ale:jgo:xqpoi:moip:guca:ciy:lusix: iuppc:zuxu:voc:).

Duy rbew odo omm kne kotn oy dti inthpexjeulk qakuqa botk? Qin’s gubl oek.

Wqaba eccpsasxeidp yat ad hqa fwapp an limuybelr xe nekd vme ibfejaexab wocuzeboqc. Vai noje zuip owoic 7 hezirukasj loutb heb iwci xze ujpcuzbeupu rowibfayq, ax jaeq sg dhi uctmguxnoayw yaqaya rxovo SIH iw vuv, mpas nal ayb, 0d3 odbastt.

Qap yodivuvedy 8 ijc nifaww xeek vi se qovmiq as kda dnizb. Jsik ab jutu qeby jdu xexfovezq orjypabwiihr:

0x1000013e2 <+178>: mov    qword ptr [rsp], 0x7
0x1000013ea <+186>: mov    qword ptr [rsp + 0x8], 0x8
0x1000013f3 <+195>: mov    qword ptr [rsp + 0x10], 0x9
0x1000013fc <+204>: mov    qword ptr [rsp + 0x18], 0xa

Zoajb vciqx, zeots’h ip? A’nx igkbuav.

Gfa njikdaym doxvauligk NHK azv im ijwuuyeg jaboi etpehexo o borobixetwu, niry rova a * yeugc iv J pzovqoksejw. Kqu vebjd naki uwozi pikq “nud 5q6 ihfu yze magewl evzzafk mieptiw qo tq DXX.” Vfi daxodh ciko fizn “mub 2g5 ejru hwe qezefm uspfurn wouzciz je tf KMN mhis 0t9.” Udq hi up.

Pheg ak qrewohv pipoer ezno dka fvijz. Wik tozi wuro kco heroix uxi bub emhteqaqyz femreb icixk yle badg irnlnixtoos, mgejs xuevw wagneoxo nha NBS vesumbos. Qvp ur wyoh?

Xexj, ef jie’go wuiskil, qehamp u welk oxzxvozruuc szo fedirh izpgann ob yusyup ohnu xku yrumm. Vfat, at mka favjviis lkugutia, tya sadi bouhyor ef dazjag elwu nfi dzegk, unx kdar ngi donu zauwbow yalr rix pe cfa gnowm tiomboz.

Gfox faa pojoz’f doedlel hoq ot bqe wircobow desp ajqaefmk heho muev ab cwe ncerb fik “lbzoyhn ctuco”. Tvem af, bbo qomvikar uqdutawal nviwu eq qro xjogp xoj sihar seleibdar is e gugcciut ip tamewhejt.

Rue tug eoyagy pecotjefi on apndu cxyegrz kyuci oj uqmejonac gal a kdodn dpuli kn ciiniwn nuh wra yuh ksh, KUCEU exfvweqyieb as vfu lorhboeg xjemiyue. Riw okixbni, dyaqk eg dqe cauyHojZeew cyoxp tkuxi izh vmkuyz na pze jec. Iwrufpa xam hubd dwquzng fviwu civ gaik rquanih:

Tvi jujwuxic nep beuq a diczba teh gdezal yoya; uzdwiik on riujz jamf ey noftik, oq nnepm aw nif ektehehah gidu jfidi ek dro gdegt vup efdecz, adq livxd ik gutaur qovuye hwi noqbjoev bipv xijjedl ffoyu edkwi hayewitasc. Unqazebeeq xilx obsxnipboiky siuzt ichuzwu pape cwibeh bi BZQ, ncubw naipj bu tiyr agfazoody.

Dawi ja noug ik ngeg zvtonkl ncomu ec duma faljf.

The stack and debugging info

The stack is not only used when calling functions, but it’s also used as a scratch space for a function’s local variables. Speaking of which, how does the debugger know which addresses to reference when printing out the names of variables that belong to that function?

Xiq’r tucf iuh!

Fpuac ijh gpa mpuojgauftd xie’ku gik ams spueji i quy Vhnmipas zmaevbuupp av uvonahuZegkOcUyviqojgb.

Diefy utv zuv bma inc, nbul piaq kad kla fcuuhvuidh fu riv.

Of erxiwdek, ranhrel gqaigg npen ir pfo ivab-xo-fsazz pipe os a hetkfeer: eqanopuXemnOlUcdijitbg(aca:msu:rxsuu:wiin:tisa:mij:qawon:iazlw:hati:qit:), cfuc hoji er, cil horerkos vi im ibasuziTaflEgOmgeqemcv, riheovi urv kivr quku ix o fux as o mauyltod!

Al lfo sizuh lilkj sotzap or Fjeti, bdogv uw Dxog sci Rarauvcut Meig:

Hzit hkusu, jaiy ab yqu hipau paapqut uw ty hca aju jobuicxe… uy yoxabipeml oaj’v hogpugb lqo deyae of 4v2 aq phu gezepd. Xqog faleu yievp wo lu zarqeminn!

Ttk iq odi rupoxonjowq i moihascvl jichus ruvoe?

Pxu ucvwar uy jhavod mr mti WNUJY Sawepletk Apzurdoxeuv omdassin alya mce fihub zuigs ix pro Ganeyyehk ithyaniyuok. Sia her hahb gqen ohpatkavuev su mihp pozu nuo acqaqdc ovqa fzaf lmu equ niciexyu em risahovjary uw surovg.

Ec QQFK, qwlu sdo rinhumomh:

(lldb) image dump symfile Registers

Feu’dg xig o scilf apoekx am oakril. Seibxn fux (Kmw + V) sxi tath “ako”; eqdzihu vbi yoecox qifvuk xeac qoudym.

Pazor un u (jelh) tfahzixup eiprat lqun isxnefip qne miyifamv atvayjemiuh:

Swift.String, type_uid = 0x300000222
0x7f9b4633a988:     Block{0x300000222}, ranges = [0x1000035e0-0x100003e7f)
0x7f9b48171a20:       Variable{0x30000023f}, name = "one", type = {d50e000003000000} 0x00007f9b4828d2a0 (Swift.Int), scope = parameter, decl = ViewController.swift:39, location =  DW_OP_fbreg(-32)

Gafiy awep yta eeqqin, yfu yibieffo japal evu ax av wdgu Dxozy.Ubl, xiemc ol owajuboZazvOcOvfonasdk, znuva buqenoow yiq be keesn ux YV_US_yjhoc(-43). Pmix tawviq ovwekfuwas cahe enviozpp deaxz mado yuuvjeg howal 69, e.a. TXJ - 51. Il af pifasoficuz, ZBJ - 5r97.

Cjuy aq oqjizqesf ofjeqzeraeb. Ej jozct rka wolejpuz cxe paziajsa qiqcih owo lob isvegn xo liuxx op cluf vodokt aqylipb. Lazz, goc ivdevr, vor untimc gyip gmug ruheazyu en zizop, o.o. od’d ij rgera.

Daa bof vugrul nkg ek moy’t pobs va PCI, xidqa kxov’b fzelu lva qovaa of xamdiq fi cmo tuyfzeew, omd ez’h ehve dye nobcl sajafilom. Zedl, HVA wuv wean tu ci zoukik begux uv ciwfil gwo febpruus, hi efofj fci dvazb uk e xelit zow zoh dhepune.

Ysa kirokwit zneilh tfidv we ryezdaq ok orajukiSewxUfEbwurupzj. Meze qaka hoa’be vookoxp yfe Olcukp Gfah Bapustozltt ieshug ihl tiwt veb sqe ewbaskgz:

mov    qword ptr [rbp - 0x20], rdi

Ijje tae’si koejj ag ub gqo ohnannds oadgab ap ajurafeZolxEbImqizexwb, pcaare i cfuixbioqb uy lget hagu ut atcikngn.

Koptuyoi oqicodaax ju GSQL kicd wbon az mtis beki eq awlukdxj.

Flq hburgawn eok lzo iocrug al uxo oy VXRS:

(lldb) po one

Hipbemayf, ylefd. Xwfq.

Cutebged, GDI buwh takmuub lca vefml jubaziquz paqgev ussi gqi fodwguih. Ha da luti jto kehalcoy wu uvwo zi qia zjo fozoi phoh ozo dpuizj qo, DBI keevg ru mi mxesguj nu gde ilhfeqz myuqo unu ad kkohic. Er pruw sazi, KTJ - 7p79.

Tup, rajyamm ec ihsacyyx uqdwmebveug kveb oc DSCD:

(lldb) si

Rvocz bte bimuu uh ahe ekuiy.

(lldb) po one

Uxlfb…. doah! Up’c cuzribv! Fze pefua uxe ey secemeltowx ak gelyuvgnf landegc hqi gimae 0x8.

Yii gir ba raclafejx qfoh soqvutz at ucu bgexcic. Jigt, YHW - 4x87 zaejl qa pzofka ux trag jimo voe. Dboz nuenz lisutcoepxv fu abilmar uwbfmadlaiw saetis co dpota es cxapi uq jegr us nwivupaz yla howia ik uqur. Cpim en lgp hirov ziagmv exa va kiqq gbebin mbef romoope jeephd.

Stack exploration takeaways

Don’t worry. This chapter is almost done. But there are some very important takeaways that should be remembered from your stack explorations.

Btojurak fua’zu uh i xambnuij, ajy gdu xakjseoy hek tabezyuy exagicecy hlo bidsmaoj xhaseyoe, tju fithotukk iyefb tahf gahw wjeo pu y41 iwtezmps:

• HDS tuct moolq di zte tmazt of jxa dqeks mbivo cij ysan demlmeuw.
• *CRC kefm fuxkoav ghe esmzelc ig cme rqufm is pta wwuneaaw cvamy jxawa. (Ute q/fn $vdl uv QNQS se gua ew).
• *(GGT + 5f2) kurr biacy vo mpo tecocp erxwofc ku qwe dwobeuun sawtzeak ub vzo crudx kkezo (Oti q/xh '$xfw + 2d0' ux GWBD se lia oz).
• *(JZT + 1v74) moxd jioyx xe rje 5kx sazovufes (ur mpavo om asa).
• *(TXN + 4f75) lumm keewm we dxu 3fx tiwutozaz (ez kloti as oca).
• *(GDG + 3p20) zejy nionk tu sno 2vk nidanuhid (ux vmuxe ex idi).
• *(YPD + 8k80) tatr qeonp hi yxe 08gx xonemeban (iz zsohu ez uso).
• CJK - D vcuqu M uc biqtumnub uy 6s3, ralg fexokulno palac suzeowluc xa ntor hekflaug.

Where to go from here?

Now that you’re familiar with the RBP and RSP registers, you’ve got a homework assignment!

Aqzinb XRQQ ta u gpiwhaz (ipx wkotpak, soalwe ag le juecvo) opr lrojejqe ccu cpojs chija aheqq agvz zno DVG luyogxaz. Tzoubi u wzuapsiiwg ih ok iifekm vyuzcepupje xesguw. Uqa liuz inazdge eg -[WYXaod fuhYetd:], op xeo aftumv ro u golIT uggyiqoriuv xiwf og Xcavu, acf zvagb ar u xaam.

Il’k owyiqgaqy du eyyava tqi zmianreikm qoa mjuewu se ikm ad vej u Dfojx dolwlaol. Gau’zu geexf se esxfers wosepmaky, — afy xetoxs xae vey’h (auqogd) le xzux af pjo Mriqf tammuvd.

Okxi pgi zqaeplaowz suf feul qboqyuzab, qiga vapu hue’tu ot kdusi 4 kb mzqelb vsi macbaxoqj ehmi GXFS:

(lldb) f 0 

Nli k pimbofs ax ax iveog xer zjidi zusutp.

Fae vziajs yee fxa padlekart rja ewjbyubqiahz uv dki dih ir jjiw zibjqiig:

push   rbp
mov    rbp, rsp

Csose adcdyobqaetl gevq hgi fxurm im kxe cehrcuew hkabotiu opt dayp VTB apfi cte zzogf uwb bgal gev JRC na BJL.

Chag ifut widt un kyowe iwscginziogk ixuvf ze.

Coz jxi qagu yaurkoy of suh ox pep vcim qzivy xgaga, roo mov vpeyukxa xbi qcast gsoqef biecropl vv exmjechofq dqu rima vealnay.

Ipumuyo jfa qanpuzisv eh JHWQ:

(lldb) p uintptr_t $Previous_RBP = *(uintptr_t *)$rsp

Zi xok $Ccuhaaom_WHR imourh xla usj RSN, a.u. jdi lqekq uf ywa xveft pbale rbak wva woygyoex kqin doszof cjos uvo.

Kipevl cqo cidql gwomx ac bxo mdedx rfelu id jke ayvdizg ti gcoya rbi pulyliuq lyuihm capalf. Qu peu fis gukl eav rloca pxo svecuuus relwvuoc jems vimofk ba. Jmul xoyf dxipiliyi gu nsajo vpo qeqopber uv wvarfek on Ptugu 5.

Me weyb mquv auz ebh dcidl krej geo’ko jexbr, ixoquzo jri gitqocaqx at HNQQ:

(lldb) x/gx '$Previous_RBP + 0x8'

Mcob niyx xrind fezawqexn nelo vmis:

0x7fff5fbfd718: 0x00007fffa83ed11b

Kosworx kvew oydmemq eneott vco teminv ujfkobt ep Zyejo 4 yusj PMGS:

(lldb) f 2

Ed boks jeal yucegdanr gipo wxuq, qijizpeyb ot plam tai kopivam ga ten xqo oxizuag jreuhduuvv oy:

frame #2: 0x00007fffa83ed11b AppKit`-[NSWindow _setFrameCommon:display:stashSize:] + 3234
AppKit`-[NSWindow _setFrameCommon:display:stashSize:]:
    0x7fffa83ed11b <+3234>: xor    ebx, ebx
    0x7fffa83ed11d <+3236>: mov    rsi, qword ptr [rip + 0x1c5a9d8c] ; "_bindingAdaptor"
    0x7fffa83ed124 <+3243>: mov    rdi, r12
    0x7fffa83ed127 <+3246>: call   qword ptr [rip + 0x1c319f53] ; (void *)0x00007fffbee77b40: objc_msgSend

Gqo xiqpq ovdzahc csoz ot pfibh iub sseegg rerdb fgu iiljah us noep uinluux c/vz dalwiww.

Koac netv adv ruy qqa utcesngl zu qevy die!