{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 Luminary・发光体 的问题《Parsing Call and Ret with ptrace.》','https://www.manongdao.com/q-1328308.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I try to parse all the Calls and Rets from an executable with ptrace. Conforming the the x64opcode, I found opcodes for Calls: 0xe8 and for Rets: 0xc3, 0xc2, 0xca, 0xcb.
Since I parsed them I found more Rets than Calls.
There is the program I trace:
void func()
{
write(1, "i", 1);
}
int main(int ac)
{
func();
return(0);
}
There is my tracer:
int tracer(t_info *info)
{
int status;
long ptr;
int ret = 0;
int call = 0;
waitpid(info->pid, &status, 0);
while (WIFSTOPPED(status))
{
ptrace(PTRACE_GETREGS, info->pid, NULL, info->regs);
ptr = ptrace(PTRACE_PEEKDATA, info->pid, info->regs->rip);
if (((ptr & 0x000000ff) == 0xe8)) // Opcode for call
{
call++;
}
else if (((ptr & 0x000000ff) == 0xc3) // Opcodes for rets
|| ((ptr & 0x000000ff) == 0xc2)
|| ((ptr & 0x000000ff) == 0xca)
|| ((ptr & 0x000000ff) == 0xcb))
{
ret++;
}
ptrace(PTRACE_SINGLESTEP, info->pid, 0, 0);
waitpid(info->pid, &status, 0);
}
printf("Calls: %i\nRets: %i\nDiff: %i\n", call, ret, call - ret);
return (0);
}
There is my output:
Calls: 656
Rets: 666
Diff: -10
Why is there not the same number of rets and calls ? Do I miss some opcodes ? Is there functions that not return?
You for example miss indirect calls like
which use other opcodes. Libc standard initialization routines make use of these. Depending on the expression several opcodes are possible, two examples:
It's probably not easy to get them all. Maybe it would be easier and cleaner to decode the instructions with a library like libbfd and libopcodes