首页
社区
课程
招聘
[翻译]ARM汇编简介(六)堆栈和函数
发表于: 2018-7-21 21:22 8490

[翻译]ARM汇编简介(六)堆栈和函数

2018-7-21 21:22
8490

1.Prologue  序言

2.Body 函数主体

3.Epilogue 尾声

So now we know, that:所以我们知道了:

Prologue sets up the environment for the function; 序言部分建立了函数的运行环境

Body implements the function’s logic and stores result to R0;函数体部分实现函数的逻辑并将返回值存储进R0

Epilogue restores the state so that the program can resume from where it left of before calling the function.尾声部分恢复了函数被调用之前的状态并继续运行。

The example above contains two functions: main, which is a non-leaf function, and max – a leaf function. As mentioned before, the non-leaf function calls/branches to another function, which is true in our case, because we branch to a function max from the function main. The function max in this case does not branch to another function within it’s body part, which makes it a leaf function.

上面的例子包含了两个函数,main函数是非叶函数而max是叶函数。正如之前所提到的,非叶函调用/分支到其他函数,本例就是这样的,因为我们从在main函数里分支到max函数了。但本例中的max函数并没有在他的函数内部分支到其他函数,这使他成为了叶函数


Another key difference is the way the prologues and epilogues are implemented. The following example shows a comparison of prologues of a non-leaf and leaf functions另一个很关键的差异是:序言和尾声的实现方式不同。下面的例子比较了叶函数和非叶函数的序言

The main difference here is that the entry of the prologue in the non-leaf function saves more register’s onto the stack. The reason behind this is that by the nature of the non-leaf function, the LR gets modified during the execution of such a function and therefore the value of this register needs to be preserved so that it can be restored later. Generally, the prologue could save even more registers if it’s necessary.

主要的不同在于,非叶函数的序言需要将更多的寄存器保存在堆栈里。背后的原因在于,由于非叶函数的天然属性,在执行这样的函数期间LR被修改了,因此需要保存该寄存器的值,以便以后能够恢复。一般来说,如果必要的话,序言可以保存更多的寄存器。


The comparison of the epilogues of the leaf and non-leaf functions, which we see below, shows us that the program’s flow is controlled in different ways: by branching to an address stored in the LR register in the leaf function’s case and by direct POP to PC register in the non-leaf function.

Finally, it is important to understand the use of BL and BX instructions here. In our example, we branched to a leaf function by using a BL instruction. We use the the label of a function as a parameter to initiate branching. During the compilation process, the label gets replaced with a memory address. Before jumping to that location, the address of the next instruction is saved (linked) to the LR register so that we can return back to where we left off when the function max is finished.

最后,重要的是理解BL和BX指令在这里的使用。在我们的例子中,我们使用BL指令分支到叶函数。我们使用函数的标签作为参数来启动分支。在编译过程中,标签被替换为内存地址。在跳转到该位置之前,下一条指令的地址被保存(链接)到LR寄存器,这样我们就可以返回到函数max结束时离开的位置。


The BX instruction, which is used to leave the leaf function, takes LR register as a parameter. As mentioned earlier, before jumping to function max the BL instruction saved the address of the next instruction of the function main into the LR register. Due to the fact that the leaf function is not supposed to change the value of the LR register during it’s execution, this register can be now used to return to the parent (main) function. As explained in the previous chapter, the BX instruction  can exchange between the ARM/Thumb modes during branching operation. In this case, it is done by inspecting the last bit of the LR register: if the bit is set to 1, the CPU will change (or keep) the mode to thumb, if it’s set to 0, the mode will be changed (or kept) to ARM. This is a nice design feature which allows to call functions from different modes.

用于离开叶函数的BX指令以LR寄存器作为参数。如前所述,在跳转到函数max之前,BL指令将函数main的下一个指令的地址保存到LR寄存器中。由于叶函数不在执行期间改变LR寄存器的值,所以该寄存器现在可以用于返回父(main)函数。如前一章所解释的,BX指令可以在分支操作期间在ARM/Thumb模式之间进行交换。在这种情况下,它是通过检查LR寄存器的最后一位来完成的:如果位被设置为1,CPU将模式切换(或保持)为Thumb,如果设置为0,则模式将被改变(或保持)为ARM模式。这是一个很好的设计特性,允许从不同模式来调用函数。


To take another perspective into functions and their internals we can examine the following animation which illustrates the inner workings of non-leaf and leaf functions.

为了从另一个角度观察函数及其内部结构,我们可以看看下面的动画,它说明了非叶和叶函数的内部工作状况。

In this part we will look into a special memory region of the process called the Stack. This chapter covers Stack’s purpose and operations related to it. Additionally, we will go through the implementation, types and differences of functions in ARM.
本节我们将关注一块叫栈的特殊的内存区域。本章介绍了堆栈的作用和与之相关的操作。此外,我们将介绍ARM函数如何实施,函数类型及其差异。

Generally speaking, the Stack is a memory region within the program/process. This part of the memory gets allocated when a process is created. We use Stack for storing temporary data such as local variables of some function, environment variables which helps us to transition between the functions, etc. We interact with the stack using PUSH and POP instructions. As explained in Part 4: Memory Instructions: Load And Store,PUSH and POP are aliases to some other memory related instructions rather than real instructions, but we use PUSH and POP for simplicity reasons.
一般来说,堆栈是程序/进程内的一块内存区域。创建进程后,会开辟出这样一块内存空间。我们使用堆栈来存储临时数据,例如一些函数的局部变量、环境变量,这些变量可以帮助我们在函数之间转换,等等。我们使用push,pop指令来和栈交互,正如第4部分《载入和存储》中所解释的:PUSH和POP是一系列其他的内存相关指令的总称的别名,而不是实际指令,但为了让事情变得简单,我们使用了PUSH和POP。 

Before we look into a practical example it is import for us to know that the Stack can be implemented in various ways. First, when we say that Stack grows, we mean that an item (32 bits of data) is put on to the Stack. The stack can grow UP(when the stack is implemented in a Descending fashion) or DOWN (when the stack is implemented in a Ascending fashion). The actual location where the next (32 bit) piece of information will be put is defined by the Stack Pointer, or to be precise, the memory address stored in the SP register. Here again, the address could be pointing to the current (last) item in the stack or the next available memory slot for the item. If the SP is currently pointing to the last item in the stack (Full stack implementation) the SP will be decreased (in case of Descending Stack) or increased (in case of Ascending Stack) and only then the item will placed in the Stack. If the SP is currently pointing to the next empty slot in the Stack, the data will be first placed and only then the SP will be decreased (Descending Stack) or increased (Ascending Stack).
在看一个实际的例子之前,我们应该知道,堆栈可以用不同的方式来实现。首先,当我们说堆栈生长了,意思是一个项目(32位长度的数据)被压入堆栈了。堆栈可以长大(以堆栈地址降低方式实现)或减小(以堆栈地址升高方式实现)。下个项目(32位)信息将被放置的实际地址由堆栈指针定义,或者确切地说,这个地址是被存储在SP寄存器中的。地址可能会指向堆栈中当前(最新)的项目,或指向当前项的下一项的可用的内存槽。如果SP当前指向堆栈中的最后一个项目(完整堆栈实现),SP将先减少(在堆栈降序排列的情况下)或增加(在栈升序排列的情况下),并且只有这么做后,项目才能被放置在堆栈中。如果SP当前指向栈中的下一个空白内存槽,则数据将首先被放置在这里,并且SP将被减少(降序堆栈)或增加(升序堆栈)。


As a summary of different Stack implementations we can use the following table which describes which Store Multiple/Load Multiple instructions are used in different cases.
以下总结了不同堆栈实现方式,我们可以使用下表来描述在不同情况下,存储多个指令和载入多个指令在不同情形下是如何使用的。


In our examples we will use the Full descending Stack. Let’s take a quick look into a simple exercise which deals with such a Stack and it’s Stack Pointer.
本例中我们使用全递减堆栈。让我们快速查看一个处理堆栈和堆栈指针的简单练习。
/* azeria@labs:~$ as stack.s -o stack.o && gcc stack.o -o stack && gdb stack */
.global main

main:
     mov   r0, #2  /* set up r0 设置R0的数值 */
     push  {r0}    /* save r0 onto the stack 将R0压入栈*/
     mov   r0, #3  /* overwrite r0 覆盖R0*/
     pop   {r0}    /* restore r0 to it's initial state 将R0恢复到初始状态*/
     bx    lr      /* finish the program 程序结束*/

At the beginning, the Stack Pointer points to address 0xbefff6f8 (could be different in your case), which represents the last item in the Stack. At this moment, we see that it stores some value (again, the value can be different in your case):

一开始堆栈指针指向地址0xBEFFF6F8(可能与您的地址不同),它表示堆栈中的最后一个项。此时,我们看到它存储了一些数值(同样,在您的情况下,值可以不同):
gef> x/1x $sp
0xbefff6f8: 0xb6fc7000

After executing the first (MOV) instruction, nothing changes in terms of the Stack. When we execute the PUSH instruction, the following happens: first, the value of SP is decreased by 4 (4 bytes = 32 bits). Then, the contents of R0 are stored to the new address specified by SP. When we now examine the updated memory location referenced by SP, we see that a 32 bit value of integer 2 is stored at that location:

在执行第一个指令 (MOV)之后,堆栈方面没有任何改变。当执行完PUSH指令时,发生以下情况:首先,SP的值减少了4(4字节=32位)。然后,R0的内容被存储到由SP指定的新地址中。当我们现在检查SP所引用的更新过的内存地址时,我们看到在该地址存储了32位的整数2:
gef> x/x $sp
0xbefff6f4: 0x00000002

The instruction (MOV r0, #3) in our example is used to simulate the corruption of the R0. We then use POP to restore a previously saved value of R0. So when the POP gets executed, the following happens: first, 32 bits of data are read from the memory location (0xbefff6f4) currently pointed by the address in SP. Then, the SP register’s value is increased by 4 (becomes 0xbefff6f8 again). The register R0 contains integer value 2 as a result.
我示例中的指令(MOV R0,#3)用于模拟R0被损坏了。然后,我们使用POP恢复先前保存的R0值。因此,当POP被执行时,发生以下情况:首先,从SP中当前地址指向的内存位置(0xBEFFF6F4)读取32位长度的数据。然后,SP寄存器的值增加4(再次成为0xBeffF6F8)。结果寄存器R0包含整数值2。
gef> info registers r0
r0       0x2          2

Please note that the following gif shows the stack having the lower addresses at the top and the higher addresses at the bottom, rather than the other way around like in the first illustration of different Stack variations. The reason for this is to make it look like the Stack view you see in GDB)
请注意,下面的GIF显示堆栈的顶部地址较低,底部的地址较高(译者注:之前是相反的)。此时堆栈变化了,已经不同于第一个图片里的那种形式。这样做的原因是使它看起来更像在GDB中看到的堆栈视图。


We will see that functions take advantage of Stack for saving local variables, preserving register state, etc. To keep everything organized, functions use Stack Frames, a localized memory portion within the stack which is dedicated for a specific function. A stack frame gets created in the prologue (more about this in the next section) of a function. The Frame Pointer (FP) is set to the bottom of the stack frame and then stack buffer for the Stack Frame is allocated. The stack frame (starting from it’s bottom) generally contains the return address (previous LR), previous Frame Pointer, any registers that need to be preserved, function parameters (in case the function accepts more than 4), local variables, etc. While the actual contents of the Stack Frame may vary, the ones outlined before are the most common. Finally, the Stack Frame gets destroyed during the epilogue of a function.

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

最后于 2018-7-22 09:56 被r0Cat编辑 ,原因:
收藏
免费 1
支持
分享
打赏 + 5.00雪花
打赏次数 1 雪花 + 5.00
 
赞赏  junkboy   +5.00 2018/07/21
最新回复 (3)
雪    币: 210
活跃值: (641)
能力值: ( LV2,RANK:15 )
在线值:
发帖
回帖
粉丝
2
感谢!
2018-8-15 11:46
0
雪    币: 1906
活跃值: (712)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
非常感谢,很有用,学习
2018-9-10 09:20
0
雪    币: 102
活跃值: (2050)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
4
mark
2018-9-10 20:59
0
游客
登录 | 注册 方可回帖
返回
//