While reversing some x86 executables, I came across a pattern of addressing globals that I'm not familiar with, but it looks like IDA is, and I would like to know more about it.

```
.text:00002560                 public start
.text:00002560 start           proc near
.text:00002560                 mov     ebx, [esp+0]
.text:00002563                 ret

.text:0001D233                 push    ebx
.text:0001D234                 call    start           ; ebx is initialized here
.text:0001D239                 add     ebx, 1805Bh
.text:0001D25A                 lea     edi, (aLsi_0 - 35294h)[ebx] ; "lsi" <---- Ida recognizes here an access to global string.
```

I saw this pattern in many different binaries. Does anyone know what is the name of this kind of access and where can I read more about it?

  • I understand what happens, but I wonder what is the name of this kind of pattern. Commented May 28, 2020 at 10:17
  • It is a variant of position-independent code. A more common construction (and much harder to disassemble) is call _next; _next: pop ebx. Commented May 28, 2020 at 10:42

2 Answers

The function you (or IDA) labeled start is commonly called __x86.get_pc_thunk.bx and is used by GCC and other compilers to calculate the current execution address for position-independent code (PIC). Usually the add instruction after the call results in ebx getting the value of the GOT (Global Offset Table) so that external calls can be done without extra setup (the PLT stubs for external calls in PIC executables assume that ebx points to the GOT), but also global data can be addressed using a fixed offset relative to the GOT. This way the code can run regardless of the actual address at which it has been loaded by the OS (i.e. it is position independent).
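
The arithmetic described above, as an added example that is not part of the answer or the original post: a Python sketch that finds the `mov ebx,[esp]; ret` thunk in a byte image, pairs each call to it with the following `add ebx, imm32`, and resolves an ebx-relative `lea`. The image is constructed at the addresses from the question's listing; the function names and the `lea` displacement (-0x1234) are assumptions, since the listing does not show the string's address.

```python
import struct

THUNK_BX = bytes.fromhex("8b1c24c3")      # mov ebx,[esp] ; ret

def find_got_setups(image, base=0):
    """Map each 'call thunk' address to the ebx value after the following add."""
    thunks, pos = set(), image.find(THUNK_BX)
    while pos != -1:
        thunks.add(base + pos)
        pos = image.find(THUNK_BX, pos + 1)
    setups = {}
    for off in range(len(image) - 11):
        # E8 rel32 (call) immediately followed by 81 C3 imm32 (add ebx, imm32)
        if image[off] != 0xE8 or image[off + 5:off + 7] != b"\x81\xc3":
            continue
        rel, = struct.unpack_from("<i", image, off + 1)
        ret_addr = base + off + 5         # return address = what the thunk puts in ebx
        if (ret_addr + rel) & 0xFFFFFFFF in thunks:
            imm, = struct.unpack_from("<i", image, off + 7)
            setups[base + off] = (ret_addr + imm) & 0xFFFFFFFF
    return setups

def resolve_lea(image, addr, ebx, base=0):
    """Decode 'lea r32,[ebx+disp32]' at addr and return the absolute target."""
    off = addr - base
    # 8D /r with ModRM mod=10 (disp32) and rm=011 (ebx); reg field is the destination
    if image[off] != 0x8D or (image[off + 1] & 0xC7) != 0x83:
        raise ValueError("not lea r32,[ebx+disp32]")
    disp, = struct.unpack_from("<i", image, off + 2)
    return (ebx + disp) & 0xFFFFFFFF

def build_sample():
    """Constructed image laid out at the addresses shown in the question."""
    img = bytearray(0x1D260)
    img[0x2560:0x2564] = THUNK_BX
    img[0x1D233] = 0x53                                               # push ebx
    img[0x1D234:0x1D239] = b"\xe8" + struct.pack("<i", 0x2560 - 0x1D239)
    img[0x1D239:0x1D23F] = b"\x81\xc3" + struct.pack("<i", 0x1805B)
    img[0x1D25A:0x1D260] = b"\x8d\xbb" + struct.pack("<i", -0x1234)   # constructed disp
    return bytes(img)

if __name__ == "__main__":
    image = build_sample()
    for call, ebx in find_got_setups(image).items():
        print(f"call at {call:#x}: ebx = {ebx:#x}")
        print(f"lea at 0x1d25a -> {resolve_lea(image, 0x1D25A, ebx):#x}")
```

The computed ebx, 0x1D239 + 0x1805B = 0x35294, is the same constant IDA subtracts in `(aLsi_0 - 35294h)[ebx]`. The byte-pattern scan is a heuristic and only covers the ebx variant of the thunk.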

I have seen code like this, but it was quite a while ago! It only ever relates to the accessing of global variables: often called a Global Offset Table. More info here: https://stackoverflow.com/questions/55587313/why-use-the-global-offset-table-for-symbols-defined-in-the-shared-library-itself
