How can I find the node6 - x86-64

I found that I needed to input 6 integers, and that the integers consist of 1 to 6.
And I found the node1 ~ node5. But, this phase needs 6 nodes.
So I looked for more, but instead of node 6, I found'host_table'.
(gdb) x/3x 0x555555559230
0x555555559230 <node1>: 0x00000303 0x00000001 0x55559240
(gdb) x/3x 0x555555559240
0x555555559240 <node2>: 0x000001dc 0x00000002 0x55559250
(gdb) x/3x 0x555555559250
0x555555559250 <node3>: 0x00000332 0x00000003 0x55559260
(gdb) x/3x 0x555555559260
0x555555559260 <node4>: 0x000003c6 0x00000004 0x55559270
(gdb) x/3x 0x555555559270
0x555555559270 <node5>: 0x000002d9 0x00000005 0x55559110
(gdb) x/3x 0x555555559280
0x555555559280 <host_table>: 0x5555745f 0x00005555 0x55557468
What is the 'host_table'? I thought 'host_table' was node6. But it wasn't.
This is the code of this phase.
0x00005555555558ab <+0>: endbr64
0x00005555555558af <+4>: push %r14
0x00005555555558b1 <+6>: push %r13
0x00005555555558b3 <+8>: push %r12
0x00005555555558b5 <+10>: push %rbp
0x00005555555558b6 <+11>: push %rbx
0x00005555555558b7 <+12>: sub $0x60,%rsp
0x00005555555558bb <+16>: mov %fs:0x28,%rax
0x00005555555558c4 <+25>: mov %rax,0x58(%rsp)
0x00005555555558c9 <+30>: xor %eax,%eax
0x00005555555558cb <+32>: mov %rsp,%r13
0x00005555555558ce <+35>: mov %r13,%rsi
0x00005555555558d1 <+38>: callq 0x555555555e53 <read_six_numbers>
0x00005555555558d6 <+43>: mov $0x1,%r14d
0x00005555555558dc <+49>: mov %rsp,%r12
0x00005555555558df <+52>: jmp 0x555555555909 <phase_6+94>
0x00005555555558e1 <+54>: callq 0x555555555e11 <explode_bomb>
0x00005555555558e6 <+59>: jmp 0x555555555918 <phase_6+109>
0x00005555555558e8 <+61>: add $0x1,%rbx
0x00005555555558ec <+65>: cmp $0x5,%ebx
0x00005555555558ef <+68>: jg 0x555555555901 <phase_6+86>
0x00005555555558f1 <+70>: mov (%r12,%rbx,4),%eax
0x00005555555558f5 <+74>: cmp %eax,0x0(%rbp)
0x00005555555558f8 <+77>: jne 0x5555555558e8 <phase_6+61>
0x00005555555558fa <+79>: callq 0x555555555e11 <explode_bomb>
0x00005555555558ff <+84>: jmp 0x5555555558e8 <phase_6+61>
0x0000555555555901 <+86>: add $0x1,%r14
0x0000555555555905 <+90>: add $0x4,%r13
0x0000555555555909 <+94>: mov %r13,%rbp
0x000055555555590c <+97>: mov 0x0(%r13),%eax
0x0000555555555910 <+101>: sub $0x1,%eax
0x0000555555555913 <+104>: cmp $0x5,%eax
0x0000555555555916 <+107>: ja 0x5555555558e1 <phase_6+54>
0x0000555555555918 <+109>: cmp $0x5,%r14d
0x000055555555591c <+113>: jg 0x555555555923 <phase_6+120>
0x000055555555591e <+115>: mov %r14,%rbx
0x0000555555555921 <+118>: jmp 0x5555555558f1 <phase_6+70>
0x0000555555555923 <+120>: mov $0x0,%esi
0x0000555555555928 <+125>: mov (%rsp,%rsi,4),%ecx
0x000055555555592b <+128>: mov $0x1,%eax
0x0000555555555930 <+133>: lea 0x38f9(%rip),%rdx # 0x555555559230 <node1>
0x0000555555555937 <+140>: cmp $0x1,%ecx
0x000055555555593a <+143>: jle 0x555555555947 <phase_6+156>
0x000055555555593c <+145>: mov 0x8(%rdx),%rdx
0x0000555555555940 <+149>: add $0x1,%eax
0x0000555555555943 <+152>: cmp %ecx,%eax
0x0000555555555945 <+154>: jne 0x55555555593c <phase_6+145>
0x0000555555555947 <+156>: mov %rdx,0x20(%rsp,%rsi,8)
0x000055555555594c <+161>: add $0x1,%rsi
0x0000555555555950 <+165>: cmp $0x6,%rsi
0x0000555555555954 <+169>: jne 0x555555555928 <phase_6+125>
0x0000555555555956 <+171>: mov 0x20(%rsp),%rbx
0x000055555555595b <+176>: mov 0x28(%rsp),%rax
0x0000555555555960 <+181>: mov %rax,0x8(%rbx)
0x0000555555555964 <+185>: mov 0x30(%rsp),%rdx
0x0000555555555969 <+190>: mov %rdx,0x8(%rax)
0x000055555555596d <+194>: mov 0x38(%rsp),%rax
0x0000555555555972 <+199>: mov %rax,0x8(%rdx)
0x0000555555555976 <+203>: mov 0x40(%rsp),%rdx
0x000055555555597b <+208>: mov %rdx,0x8(%rax)
0x000055555555597f <+212>: mov 0x48(%rsp),%rax
0x0000555555555984 <+217>: mov %rax,0x8(%rdx)
0x0000555555555988 <+221>: movq $0x0,0x8(%rax)
0x0000555555555990 <+229>: mov $0x5,%ebp
0x0000555555555995 <+234>: jmp 0x5555555559a0 <phase_6+245>
0x0000555555555997 <+236>: mov 0x8(%rbx),%rbx
0x000055555555599b <+240>: sub $0x1,%ebp
0x000055555555599e <+243>: je 0x5555555559b1 <phase_6+262>
0x00005555555559a0 <+245>: mov 0x8(%rbx),%rax
0x00005555555559a4 <+249>: mov (%rax),%eax
0x00005555555559a6 <+251>: cmp %eax,(%rbx)
0x00005555555559a8 <+253>: jle 0x555555555997 <phase_6+236>
0x00005555555559aa <+255>: callq 0x555555555e11 <explode_bomb>
0x00005555555559af <+260>: jmp 0x555555555997 <phase_6+236>
0x00005555555559b1 <+262>: mov 0x58(%rsp),%rax
0x00005555555559b6 <+267>: xor %fs:0x28,%rax
0x00005555555559bf <+276>: jne 0x5555555559ce <phase_6+291>
0x00005555555559c1 <+278>: add $0x60,%rsp
0x00005555555559c5 <+282>: pop %rbx
0x00005555555559c6 <+283>: pop %rbp
0x00005555555559c7 <+284>: pop %r12
0x00005555555559c9 <+286>: pop %r13
0x00005555555559cb <+288>: pop %r14
0x00005555555559cd <+290>: retq
0x00005555555559ce <+291>: callq 0x555555555250 <__stack_chk_fail#plt>
When I saw other people's solutions, They did x/3x $esi to find out the node1.
But, when I did it, I got an error.
what should I do?

Related

Is "step-out" / "step-over-instruction" broken in Simics 2021.24?

Step-out seems to be broken in Simics 2021.24. I did "enable-debugger" but it still doesn't work. Please see below:
simics>
[board.mb.cpu0.core[0][0]] cs:0x00000000def963ae p:0x0def963ae sbb rax,rax
sbb rax,rax
cs:0x00000000def963ae p:0x0def963ae sbb rax,rax
cs:0x00000000def963b1 p:0x0def963b1 and rax,rcx
cs:0x00000000def963b4 p:0x0def963b4 mov rdi,qword ptr [rsp+0x8]
cs:0x00000000def963b9 p:0x0def963b9 ret
cs:0x00000000def963ba p:0x0def963ba mov rcx,r11
cs:0x00000000def963bd p:0x0def963bd lea rax,[r9-0x1]
cs:0x00000000def963c1 p:0x0def963c1 shr rdx,cl
cs:0x00000000def963c4 p:0x0def963c4 cmp rdx,rax
cs:0x00000000def963c7 p:0x0def963c7 jb 0xdef96363
cs:0x00000000def963c9 p:0x0def963c9 sub rdx,r9
simics> step-out
simics> da %rip 10
cs:0x00000000def963ae p:0x0def963ae sbb rax,rax
cs:0x00000000def963b1 p:0x0def963b1 and rax,rcx
cs:0x00000000def963b4 p:0x0def963b4 mov rdi,qword ptr [rsp+0x8]
cs:0x00000000def963b9 p:0x0def963b9 ret
cs:0x00000000def963ba p:0x0def963ba mov rcx,r11
cs:0x00000000def963bd p:0x0def963bd lea rax,[r9-0x1]
cs:0x00000000def963c1 p:0x0def963c1 shr rdx,cl
cs:0x00000000def963c4 p:0x0def963c4 cmp rdx,rax
cs:0x00000000def963c7 p:0x0def963c7 jb 0xdef96363
cs:0x00000000def963c9 p:0x0def963c9 sub rdx,r9
Likewise "step-over-instruction" doesn't seem to step over calls, it steps into them...
simics> step-over-instruction
call rax
cs:0x00000000dee41d19 p:0x0dee41d19 call rax
cs:0x00000000dee41d1b p:0x0dee41d1b jmp 0xdee41d2d
cs:0x00000000dee41d1d p:0x0dee41d1d mov rax,qword ptr [rip+0x265bc]
cs:0x00000000dee41d24 p:0x0dee41d24 mov rcx,rbp
cs:0x00000000dee41d27 p:0x0dee41d27 call qword ptr [rax+0xf8]
cs:0x00000000dee41d2d p:0x0dee41d2d cmp si,r13w
cs:0x00000000dee41d31 p:0x0dee41d31 jb 0xdee41ced
cs:0x00000000dee41d33 p:0x0dee41d33 mov r13d,0x400
cs:0x00000000dee41d39 p:0x0dee41d39 mov eax,dword ptr [rbx+0x114]
cs:0x00000000dee41d3f p:0x0dee41d3f sub eax,0x10
simics> step-over-instruction
sub rsp,0x28
cs:0x00000000dee39160 p:0x0dee39160 sub rsp,0x28
cs:0x00000000dee39164 p:0x0dee39164 test rdx,rdx
cs:0x00000000dee39167 p:0x0dee39167 je 0xdee39179
cs:0x00000000dee39169 p:0x0dee39169 mov rax,qword ptr [rip+0x1b58]
cs:0x00000000dee39170 p:0x0dee39170 mov rcx,rdx
cs:0x00000000dee39173 p:0x0dee39173 call qword ptr [rax+0xf8]
cs:0x00000000dee39179 p:0x0dee39179 add rsp,0x28
cs:0x00000000dee3917d p:0x0dee3917d ret
cs:0x00000000dee3917e p:0x0dee3917e int3
cs:0x00000000dee3917f p:0x0dee3917f int3
simics> print -x %rax
0xdee39160
So you can see it called to where rax was set, instead of stepping over the call.

both the step-out and step-over-instruction requires debug information. You can add debug information with add-symbol-file.
If you don't have the debug information, you will have to set a breakpoint or run until the instruction after the call. In this case, that would be one of:
bp.memory.run-until -x address = p:0x0dee41d1b
or
bp.memory.break -x address = p:0x0dee41d1b
c
#IAmIntel

how can i print text in 16 bit real mode (graphical)?

i'm trying to write a boot sector that displays a small message on boot, but running the following on QEMU produces malformed text and any string with more than 5 characters doesn't show at all.
here's the code i assembled with NASM to a raw .bin file
[bits 16]
[org 0x7c00]
start:
xor ax,ax
mov ds,ax
mov es,ax
mov bx,0x8000
mov ax,0x13
int 0x10
mov ah,02
int 0x10
mov ah,0x02
mov bh,0x00
mov dh,0x12
mov dl,0x03
int 0x10
mov si , welcome
welcome db "hello",13,0
call RainbowPrint
RainbowPrint:
mov bl,1
mov ah, 0x0E
.repeat_next_char:
lodsb
cmp al, 0
je .done_print
add bl,6
int 0x10
jmp .repeat_next_char
.done_print:
ret
times (510 - ($ - $$)) db 0x00
dw 0xAA55
EDIT : here's an image showing the program running in qemu

You seem to overlapping your char_stream
welcome db "hello", 13, 0
I reviewed your code and came up with the following that has a clear display of your specific char_stream
[bits 16]
[org 0x7c00]
start:
xor ax,ax
mov ds,ax
mov es,ax
mov bx,0x8000
mov ax,0x13
int 0x10
mov ah,02
int 0x10
mov ah,0x02
mov bh,0x00
mov dh,0x12
mov dl,0x03
int 0x10
mov si , welcome
; Your [welcome] stream was here before...
call RainbowPrint
;***********
; Don't mind this area... just a simple key detection and reboot method...
xor ax, ax
int 0x16
xor ax, ax
int 0x19
;***********
; Move your stream away from operatable code areas:
welcome db "Hello, World!", 0x0D, 0x0A, 0x00
RainbowPrint:
mov bl,1
mov ah, 0x0E
.repeat_next_char:
lodsb
cmp al, 0
je .done_print
add bl,6
int 0x10
jmp .repeat_next_char
.done_print:
ret
times (510 - ($ - $$)) db 0x00
dw 0xAA55
The prefered text stream

Thread issues happened whenever I tried to touch specific functions on my phone

My app does not crash on iOS 8.
But after updating it to 10 version on my phone, my app crashes when I try to use specific functions in the app.
But on simulator, it works well.
Whenever I installed the app on my phone, Thread # issues happened. And the number on # part always changes like below and I don't know why.
libsystem_kernel.dylib`__abort_with_payload:
0x1c5eb440 <+0>: mov r12, sp
0x1c5eb444 <+4>: push {r4, r5, r6, r8}
0x1c5eb448 <+8>: ldm r12, {r4, r5, r6}
0x1c5eb44c <+12>: mov r12, #512
0x1c5eb450 <+16>: orr r12, r12, #9
0x1c5eb454 <+20>: svc #0x80
-> 0x1c5eb458 <+24>: pop {r4, r5, r6, r8}
0x1c5eb45c <+28>: blo 0x1c5eb474 ; <+52>
0x1c5eb460 <+32>: ldr r12, [pc, #0x4] ; <+44>
0x1c5eb464 <+36>: ldr r12, [pc, r12]
0x1c5eb468 <+40>: b 0x1c5eb470 ; <+48>
0x1c5eb46c <+44>: bne 0x1cea6364 ; CFStringROMTableHashData + 14212
0x1c5eb470 <+48>: bx r12
0x1c5eb474 <+52>: bx lr
what does the below error mean?
0x1c5eb458 <+24>: pop {r4, 45, r6, r8} = Thread #: signal SIGABRT
And some comments mentioned that I can solve this issues if I deleted "search path" on info.plist. So I tried to delete "Search Path" on info following them but it didn't work at all.

This issue is solved.
The reason is microphone provisioning on info.plist.
Therefore, I added "privacy-microphone" menu on it.
And it's solved.

Assembly printing system date

I have a problem with printing system date because of cx register size. How can it be solved without any big changes?
title casadatum
zas segment stack
db 256 dup(?)
zas ends
strsize EQU 64
dat segment
print db 'Current System Date is : $'
date db 'dd:mm:rrrr$'
nl db 10,13,'$'
dat ends
code segment
assume cs:code, ss:zas, ds:dat
get_date proc
mov ah,2ah
int 21h
mov al,dl
call convert
mov [bx],ax
mov al,dh
call convert
mov [bx+3],ax
mov al,cx
call convert
mov [bx+6],ax
ret
endp
convert proc
push dx
mov ah,0
mov dl,10
div dl
or ax, 3030h
pop dx
ret
endp
start:
mov ax, seg dat
mov ds,ax
LEA BX, date
CALL GET_date
lea dx,print
mov ah,09h
int 21h
lea dx,date
mov ah,09h
int 21h
koniec:
mov ah, 4ch
int 21h
code ends
end start

Replace this part of your code
mov al,cx
call convert
mov [bx+6],ax
with these instructions
mov al,100
xchg ax,cx
div cl
mov ch,ah
call convert
mov [bx+6],ax
mov al,ch
call convert
mov [bx+8],ax

Carry bit, GAS constraint

I am writing assembly long addition in GAS inline assembly,
template <std::size_t NumBits>
void inline KA_add(vli<NumBits> & x, vli<NumBits> const& y);
If I specialize I could do :
template <>
void inline KA_add<128>(vli<128> & x, vli<128> const& y){
asm("addq %2, %0; adcq %3, %1;" :"+r"(x[0]),"+r"(x[1]):"g"(y[0]),"g"(y[1]):"cc");
}
Nice it works, now if I try to generalize to allow the inline of template, and let work my compiler for any length ...
template <std::size_t NumBits>
void inline KA_add(vli<NumBits> & x, vli<NumBits> const& y){
asm("addq %1, %0;" :"+r"(x[0]):"g"(y[0]):"cc");
for(int i(1); i < vli<NumBits>::numwords;++i)
asm("adcq %1, %0;" :"+r"(x[i]):"g"(y[i]):"cc");
};
Well, it does not work I have no guarantee that the carry bit (CB) is propagated. It is not conserve between the first asm line and the second one. It may be logic because the loop increment i and so "delete" the CB I thing, it should exist a GAS constraint to conserve the CB over the two ASM call. Unfortunately I do not find such informations.
Any idea ?
Thank you, Merci !
PS I rewrite my function to remove the C++ ideology
template <std::size_t NumBits>
inline void KA_add_test(boost::uint64_t* x, boost::uint64_t const* y){
asm ("addq %1, %0;" :"+r"(x[0]):"g"(y[0]):"cc");
for(int i(1); i < vli<NumBits>::numwords;++i)
asm ("adcq %1, %0;" :"+r"(x[i]):"g"(y[i]):"cc");
};
The asm gives (GCC Debug mode),
APP
addq %rdx, %rax;
NO_APP
movq -24(%rbp), %rdx
movq %rax, (%rdx)
.LBB94:
.loc 9 55 0
movl $1, -4(%rbp)
jmp .L323
.L324:
.loc 9 56 0
movl -4(%rbp), %eax
cltq
salq $3, %rax
movq %rax, %rdx
addq -24(%rbp), %rdx <----------------- Break the carry bit
movl -4(%rbp), %eax
cltq
salq $3, %rax
addq -32(%rbp), %rax
movq (%rax), %rcx
movq (%rdx), %rax
APP
adcq %rcx, %rax;
NO_APP
As we can read there is additional addq, it destroys the propagation of the CB

I see no way to explicitly tell the compiler that the loop code must be created without instructions affecting the C flag.
It's surely possible to do so - use lea to count the array addresses upwards, dec to count the loop downwards and test Z for end condition. That way, nothing in the loop except the actual array sum changes the C flag.
You'd have to do a manual thing, like:
long long tmp; // hold a register
__asm__("0:
movq (%1), %0
lea 8(%1), %1
adcq %0, (%2)
lea 8(%2), %2
dec %3
jnz 0b"
: "=r"(tmp)
: "m"(&x[0]), "m"(&y[0]), "r"(vli<NumBits>::numwords)
: "cc", "memory");
For hot code, a tight loop isn't optimal though; for one, the instructions have dependencies, and there's significantly more instructions per iteration than inlined / unrolled adc sequences. A better sequence would be something like (%rbp resp. %rsi having the start addresses for the source and target arrays):
0:
lea 64(%rbp), %r13
lea 64(%rsi), %r14
movq (%rbp), %rax
movq 8(%rbp), %rdx
adcq (%rsi), %rax
movq 16(%rbp), %rcx
adcq 8(%rsi), %rdx
movq 24(%rbp), %r8
adcq 16(%rsi), %rcx
movq 32(%rbp), %r9
adcq 24(%rsi), %r8
movq 40(%rbp), %r10
adcq 32(%rsi), %r9
movq 48(%rbp), %r11
adcq 40(%rsi), %r10
movq 56(%rbp), %r12
adcq 48(%rsi), %r10
movq %rax, (%rsi)
adcq 56(%rsi), %r10
movq %rdx, 8(%rsi)
movq %rcx, 16(%rsi)
movq %r8, 24(%rsi)
movq %r13, %rbp // next src
movq %r9, 32(%rsi)
movq %r10, 40(%rsi)
movq %r11, 48(%rsi)
movq %r12, 56(%rsi)
movq %r14, %rsi // next tgt
dec %edi // use counter % 8 (doing 8 words / iteration)
jnz 0b // loop again if not yet zero
and looping only around such blocks. The advantage would be that the loads are blocked, and you'd deal with loop count / termination condition only once-per-that.
I would, quite honestly, try not to make the general bit width particularly "neat", but rather specialcase explicitly unrolled code for, say, bit widths of powers-of-two. Rather add a flag / constructor message to the non-optimized template instantiation telling the user "use a power of two" ?