Output of nocode Invalid C++ Code?
humanitiesclinic opened this issue · comments
I've asked this on Stack Overflow first:
https://stackoverflow.com/questions/55790719/what-are-the-ways-a-goto-statement-can-be-used-in-c-code
I thought I was missing something because my C++ isn't that good, but as can be seen in the comments in the above post, the code isn't valid C++.
eg:
int64_t _printf = 0x100000dfc;
void _printf(int32_t* rdi, int32_t* rsi, int64_t rdx, int32_t* rcx, int64_t r8, ...) {
goto _printf;
}
int64_t _fflush = 0x100000dde;
void _fflush(int64_t rdi, int32_t* rsi, int64_t rdx, int32_t* rcx, int64_t r8) {
goto _fflush;
}
From my understanding, goto is supposed to cause a jump to a segment of the code indicated by a label e.g.:
goto label;
label:
…
However, this doesn’t seem to be the case for the code I have. I do not see anything that starts with “label:” at all.
How then should I interpret the code?
the code isn't valid C++.
The code shows a couple of thunks. C++ does not have a 'jump to address' operator, so the decompiler goes with goto for that. (Actually, some compilers, e.g., GCC, support goto to an address, although maybe with a slightly different syntax.) I.e., the _printf() function immediately jumps to an address written in the 64-bit variable _printf. The latter is initialized with 0x100000dfc.
I see. But how do I know what code is located at the address specified? E.g. 0x100000dfc for _printf()?
You look at this address, either in the instructions viewer or in the reconstructed code viewer.
IIRC in the latter you can right-click on the address and select 'Jump to address' menu item.
Most likely, the address is a stub and will be actually filled in with the actual printf address by the dynamic linker. Snowman does not implement a dynamic linker, so, it shows the stub addresses the way they are in the input file.
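A constructed C model of what those thunks mean, added here and not part of the thread or of Snowman: the "variable" is a slot holding an address, the "function" is a stub that jumps through whatever the slot holds, and the dynamic linker fills the slot with the real target on first use (lazy binding). The names `puts_slot`, `real_puts` and `lazy_resolver` are assumptions, and `real_puts` returns a length instead of printing so the binding can be checked.

```c
#include <stddef.h>
#include <string.h>

/* Decompiler output:   int64_t _puts = 0x...;  void _puts(...) { goto _puts; }
 * Meaning in valid C:  a call through a function pointer that the loader patches. */
typedef int (*puts_fn)(const char *);

static int resolver_calls;                 /* how many times the lazy resolver ran */
static int lazy_resolver(const char *s);   /* forward declaration: initial slot content */

/* The slot (the "int64_t _puts" variable): before binding it points at the resolver stub. */
static puts_fn puts_slot = lazy_resolver;

/* Constructed stand-in for the library function the dynamic linker would bind. */
static int real_puts(const char *s) { return (int)strlen(s); }

/* First call goes here: patch the slot with the real address, then finish the call. */
static int lazy_resolver(const char *s) {
    resolver_calls++;
    puts_slot = real_puts;                 /* binding: slot now holds the real target */
    return real_puts(s);
}

/* The thunk itself: what the decompiler rendered as "goto _puts". */
int puts_thunk(const char *s) { return puts_slot(s); }

/* Helpers to inspect and reset the model state. */
int thunk_resolver_calls(void) { return resolver_calls; }
int thunk_slot_is_bound(void) { return puts_slot == real_puts; }
void thunk_reset(void) { puts_slot = lazy_resolver; resolver_calls = 0; }
```

Before the first call the slot still holds the resolver's address, which is why a decompiler that does not emulate the dynamic linker shows the stub address rather than printf itself.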
May I know where?
There was a bug: 0x hex integers were not supported. I will push a fix in a moment.
Also, does this mean I must use snowman instead of nocode (which does not have a GUI) for this?
Yes. Nocode is more like a tool for simple cases and tests. Real analysis should be done in a GUI.
Ok I have compiled and tried the latest version after the fix.
I managed to see the "Jump to address ... " option:
And when I clicked on it, I was brought to the relevant instruction on the assembly panel (as can be seen by the grey-highlighted line):
However, I can't tell which line in the C++ panel corresponds to this assembly instruction. (There's no corresponding grey-highlighted line in the C++ panel.) How does one do this?
You can try selecting a later instruction or a range of instructions starting with the instruction at the address.
Not all instructions show up in the high-level code: stack setup at the beginning of a function typically does not.
I see. I still have difficulty navigating and understanding the code. Is there a manual or something that can help one to understand it?
Also, I am not completely acquainted with assembly.
There is no manual.
Do you have any suggestions?
If you want to understand executable code, you have to learn assembler.
There is no way around it.