Why am I getting an unexpected `0xcc` byte when lo

Published 2020-05-05 01:34

Question:

I got an inconsistent result from an instruction.
I don't know why this happens, so I suspect the %es register is doing something weird, but I'm not sure.

Look at the code snippet below.

08048400 <main>:
 8048400:   bf 10 84 04 08          mov    $HERE,%edi     
 8048405:   26 8b 07                mov    %es:(%edi),%eax  # <----- Result 1
 8048408:   bf 00 84 04 08          mov    $main,%edi
 804840d:   26 8b 07                mov    %es:(%edi),%eax  # <----- Result 2

08048410 <HERE>:
 8048410:   11 11                   adc    %edx,(%ecx)
 8048412:   11 11                   adc    %edx,(%ecx)


Result 1:

%eax : 0x11111111 

Seeing this result, I guessed that mov %es:(%edi),%eax is something like mov (%edi),%eax,
because 0x11111111 is stored at HERE.


Result 2:

%eax : 0x048410cc  

However, Result 2 was quite different.
I assumed %eax would be 0x048410bf, because this value is stored at main.
But the result was different, as you can see.


Question:
Why does this inconsistency in the result happen?
By the way, the value of %es was always 0x7b during execution of both instructions.

Answer 1:

es is a red herring. The difference you see is 1 byte at main, cc vs. bf. That is because you used a software breakpoint at main and your debugger inserted an int3 instruction, which has machine code cc, temporarily overwriting your actual code.

Do not set a breakpoint where you intend to read from, or use a hardware breakpoint instead which does not modify code.
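To make the answer concrete, here is an added C example (not from the question or the answer) that reproduces both readings on a constructed copy of the 20 code bytes listed in the question, with main at offset 0 and HERE at offset 16. It simulates what the debugger does for a software breakpoint (save one byte, write 0xcc) and includes an integrity check that compares live code bytes against the clean image, which is how a defender would tell a debugger-inserted int3 from a legitimate 0xcc byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INT3_OPCODE 0xCC /* one-byte int3: what a debugger writes for a software breakpoint */

/* Constructed sample: the 20 bytes from the question's listing (main at 0, HERE at 16). */
static const uint8_t IMAGE[20] = {
    0xbf, 0x10, 0x84, 0x04, 0x08, /* main:  mov $HERE,%edi       */
    0x26, 0x8b, 0x07,             /*        mov %es:(%edi),%eax  */
    0xbf, 0x00, 0x84, 0x04, 0x08, /*        mov $main,%edi       */
    0x26, 0x8b, 0x07,             /*        mov %es:(%edi),%eax  */
    0x11, 0x11, 0x11, 0x11        /* HERE:  the data 0x11111111  */
};
enum { OFF_MAIN = 0, OFF_HERE = 16 };

/* Little-endian dword load: what mov (%edi),%eax returns (an %es prefix with a flat,
   zero-based segment reads the same bytes, which is why es is a red herring). */
static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Software breakpoint: save the original byte and overwrite it with int3, exactly as a
   debugger does (it puts the byte back when the breakpoint is hit or removed). */
static uint8_t set_sw_breakpoint(uint8_t *code, size_t off) {
    uint8_t saved = code[off];
    code[off] = INT3_OPCODE;
    return saved;
}

/* The dword the program would read at read_off while a breakpoint is planted at bp_off. */
static uint32_t read_with_breakpoint(size_t read_off, size_t bp_off) {
    uint8_t live[sizeof IMAGE];
    memcpy(live, IMAGE, sizeof live);
    set_sw_breakpoint(live, bp_off);
    return load_le32(live + read_off);
}

/* Integrity check: bytes that are 0xcc in the live copy but not in the reference image.
   Comparing against a reference avoids flagging a genuine 0xcc (e.g. inside an immediate). */
static size_t count_int3_patches(const uint8_t *ref, const uint8_t *live, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (live[i] == INT3_OPCODE && ref[i] != INT3_OPCODE) n++;
    return n;
}

int main(void) {
    printf("Result 1 (read HERE, bp at main): 0x%08x\n", read_with_breakpoint(OFF_HERE, OFF_MAIN));
    printf("Result 2 (read main, bp at main): 0x%08x\n", read_with_breakpoint(OFF_MAIN, OFF_MAIN));
    printf("clean read of main:               0x%08x\n", load_le32(IMAGE + OFF_MAIN));
    return 0;
}
```

A hardware breakpoint (debug registers) leaves the bytes untouched, so the same check reports zero patches in that case.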