tags:

views:

361

answers:

2
Q: 

Trying to no-op an instruction

Is it possible using GNU tools (gcc, binutils, etc) to modify all occurrences of an assembly instruction into a no-op? Specifically, gcc with the -pg option generates the following assembly (ARM):

   0x0: e1a0c00d  mov ip, sp
   0x4: e92dd800  stmdb sp!, {fp, ip, lr, pc}
   0x8: e24cb004  sub fp, ip, #4 ; 0x4
   0xc: ebfffffe  bl 0 <mcount>

I want to record the address of this last instruction, and then change it to a nop like in the following code

   0x0: e1a0c00d  mov ip, sp
   0x4: e92dd800  stmdb sp!, {fp, ip, lr, pc}
   0x8: e24cb004  sub fp, ip, #4 ; 0x4
   0xc: e1a00000  nop   (mov r0,r0)

The Linux kernel can do something similar to this at run-time, but I'm looking for a build-time solution.

+3  A: 

This will certainly be easier with a RISC-ish fixed-length instruction format than for e.g. x86.

It should be relatively straightforward to use libelf (nice tutorial here: http://people.freebsd.org/~jkoshy/download/libelf/article.html) or libbfd (http://sourceware.org/binutils/docs-2.19/bfd/index.html) to open the object file, modify instructions within the .text section, and write it out again using provided APIs. Whether it's worth the effort or not will depend on non-technical considerations (I am a bit curious though...).

It's worth mentioning that there might be a few wrinkles with using libelf or libbfd if this needs to work in a cross-development environment.

Lance Richardson  2009-04-25 00:49:18
While your point is valid, 'nop' on x86 is a single byte instruction, so you can just write as many of them as you need over the variable-length instruction that you want to remove.
Roger Lipscombe  2009-06-01 17:47:01
The part that would become more problematic for the variable-length instruction case is searching for the instruction pattern to be turned into a no-op, since you can't tell whether a given byte offset is the beginning of an instruction without decoding the instructions before that offset. It's even worse if you consider the clever hand-coded assembler tricks like branching into the middle of an instruction that are sometimes used to defeat (or at least impede) reverse engineering of binaries.
Lance Richardson  2009-06-01 18:14:58
True; I wasn't thinking about it from that direction. Good point.
Roger Lipscombe  2009-06-02 04:55:33
+5  A: 

You can compile the code with gcc -S to output an assembler listing, instead of compiling fully into an object file or executable. Then, just replace the desired instructions with no-ops (e.g. using sed), and continue compilation from there.

If you also want to do this for object files or libraries that you don't have the original source code for, you'll instead have to use a tool such as objdump(1) to disassemble them and get the addresses of the instructions you wish to replace. Then, parse the object file headers to find the offsets within the file of those instructions, and then replace the machine instructions with no-ops directly in the object files. This is a little trickier, but doable.

Adam Rosenfield  2009-04-25 01:18:54
Just be sure you don't overwrite the data when replacing as well (e.g. binary data and strings in the source).
strager  2009-04-26 17:15:12
True, although 'gcc -S' won't produce assembly code for data (it will product data directives), and objdump is usually smart enough to only disassemble segments containing code, although both of these techniques are defeated by any sort of runtime code generation or self-modifying code. But that's just asking for trouble.
Adam Rosenfield  2009-04-27 14:41:19

related questions

Java Compiler Options to produce .exe files.
Which compiles to faster code: "n * 3" or "n+(n*2)"?
profile-guided optimization (C)
Tools for converting non-Java into Java source
What's safe for a C++ plug-in system?
C++ Compiler Error C2371 - Redefinition of WCHAR
function declaration isn't a prototype
Learning Resources on Parsers, Interpreters, and Compilers
Compiler Error C2143 when using a struct
Which 4.x version of gcc should one use?
How to remove debug statements from production code in Java
.NET Compiler -- DEBUG vs. RELEASE
C on Visual Studio
What's a 'null defined macro'?
Warning: Found conflicts between different versions of the same dependent assembly
Mixed C++/CLI TypeLoadException Internal limitation: too many fields.
Bootstrapping a language
Checking for string contents? string Length Vs Empty String
What are the best resources on designing a new language?
Code crash in MS Visual Studio 2005 in RELEASE configuration
Invalid Resource File
C# logic order and compiler behavior
CSharpCodeProvider Compilation Performance
Learning to write a compiler
Adding Scripting functionality to .NET applications