0

I have some assembly code below that I don't really understand. My thoughts are that it is meaningless. Unfortunately I can't provide any more instruction information. What would the output in C be?

```
0x1000: iretd
0x1001: cli
0x1002: in  eax, dx
0x1003: inc byte ptr [rdi]
0x1005: add byte ptr [rax], al
0x1007: add dword ptr [rbx], eax
0x1009: add byte ptr [rax], al
0x100b: add byte ptr [rdx], 0
0x100e: add byte ptr [rax], al
```

Thanks

Michael Petch

2 Answers

16

The first four bytes (if I did reconstruct them correctly) form the 32-bit value 0xFEEDFACF.

Putting that into Google led me to:

https://gist.github.com/softboysxp/1084476#file-gistfile1-asm-L15

```
%define MH_MAGIC_64                 0xfeedfacf
```

Aren't you accidentally disassembling a Mach-O x64 executable from Mac OS X as raw machine code, instead of reading the file's metadata correctly and disassembling only the code section?

P.S. In questions like this one, it is better to also include the source machine code data, so experienced people can check the disassembly by targeting a different platform, like 32b x86 or 16b real-mode code, or a completely different CPU, which may help in case you mistakenly disassembled the machine code for the wrong target platform. I had to first assemble your disassembly to see the raw bytes.

Ped7g
  • Funnily enough, that binary **MAY** be the product of pure C/C++ source (even a simple "hello world" example may be the source) after all... but the particular bytes you disassembled can't be created by a C language construct in the source (except by defining them as `const uint8_t* data { 0xCF, 0xFA, ...};`); these are fixed metadata defined by the target platform, linker, and executable binary specification, outside the scope of C language source. – Ped7g Nov 09 '17 at 14:38
  • 1
    This SO answer has more details on the magic header itself. https://stackoverflow.com/questions/27669766/how-to-read-mach-o-header-from-object-file – Michael Petch Nov 09 '17 at 15:04
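The header check suggested in the answer above, as an added example that is not part of the original answer or its comments: it decodes the first 16 bytes of the question's listing as a Mach-O header and also covers the 32-bit and byte-swapped magics. The constant names follow Apple's `<mach-o/loader.h>` and `<mach/machine.h>`; `parse_macho_header` and `LISTING_BYTES` are names assumed for this example, and the bytes were re-encoded by hand from the disassembly.

```python
import struct

# First 16 bytes of the question's listing, re-encoded by hand for this example:
# iretd=CF cli=FA in eax,dx=ED inc byte ptr [rdi]=FE 07 add byte ptr [rax],al=00 00 ...
LISTING_BYTES = bytes.fromhex("cffaedfe070000010300008002000000")

# Magic as read little-endian -> (word size, struct byte-order prefix for the rest).
MAGICS = {
    0xFEEDFACE: (32, "<"),  # MH_MAGIC
    0xCEFAEDFE: (32, ">"),  # MH_CIGAM (big-endian file)
    0xFEEDFACF: (64, "<"),  # MH_MAGIC_64
    0xCFFAEDFE: (64, ">"),  # MH_CIGAM_64 (big-endian file)
}
CPU_TYPES = {
    7: "X86", 0x01000007: "X86_64",          # 0x01000000 is CPU_ARCH_ABI64
    12: "ARM", 0x0100000C: "ARM64",
    18: "POWERPC", 0x01000012: "POWERPC64",
}
FILETYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}


def parse_macho_header(data):
    """Decode magic, cputype, cpusubtype and filetype; None if not thin Mach-O."""
    if len(data) < 16:
        return None
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic not in MAGICS:
        return None
    bits, order = MAGICS[magic]
    cputype, cpusubtype, filetype = struct.unpack_from(order + "III", data, 4)
    return {
        "bits": bits,
        "byte_order": "little" if order == "<" else "big",
        "cputype": CPU_TYPES.get(cputype, hex(cputype)),
        # The top byte holds capability flags such as CPU_SUBTYPE_LIB64 (0x80000000).
        "cpusubtype": cpusubtype & 0x00FFFFFF,
        "filetype": FILETYPES.get(filetype, hex(filetype)),
    }


if __name__ == "__main__":
    print(parse_macho_header(LISTING_BYTES))
```

Every "instruction" in the question's listing is consumed by these four header fields, so the listing is header data and the disassembler should be pointed at the code section instead.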
3

`iretd` is "return from interrupt", `cli` is "clear interrupt flag", which means disable all maskable interrupts. The C language does not understand the concept of an interrupt, so it is unlikely that this was compiled from C. In fact, this isn't a single complete fragment of code.

Also, `add byte ptr [rdx], 0` is adding 0 to a value, which doesn't make sense to me unless it is the result of an unoptimised compilation or the result of disassembling something that isn't code.

JeremyP