Why does my assembly program give segfault?

I have the following piece of code that I have to debug:

    global _start
_start:
pop esp
js 0x36
xor [eax+edi*2+0x43],ebx
xor [eax+edi*2+0x35],bl
xor [eax+edi*2+0x36],bl
cmp [eax+edi*2+0x37],bl
ss pop esp
js 0x49
aaa
pop esp
js 0x52
xor al,0x5c
js 0x56
xor al,0x5c
js 0x59
cmp [eax+edi*2+0x37],bl
xor ebx,[eax+edi*2+0x32]
xor al,0x5c
js 0x61
xor eax,0x3532785c
pop esp
js 0x6d
cmp [eax+edi*2+0x32],bl
xor [eax+edi*2+0x32],bl
xor ebx,[eax+edi*2+0x32]
xor eax,0x3332785c
pop esp
js 0x81
cmp [eax+edi*2+0x37],bl
cmp [eax+edi*2+0x32],bl
xor al,0x5c
js 0x8e
xor eax,0x3532785c
pop esp
js 0x95
cmp [eax+edi*2+0x37],bl
cmp [eax+edi*2+0x32],bl
xor [eax+edi*2+0x37],bl
xor bl,[eax+edi*2+0x32]
xor [eax+edi*2+0x36],bl
cmp [eax+edi*2+0x37],bl
xor [eax+edi*2+0x37],bl
xor [eax+edi*2+0x37],bl
xor eax,0x3637785c
pop esp
js 0xbd
cmp [eax+edi*2+0x32],bl
aaa
pop esp
js 0xc6
xor al,0x5c
js 0xca
cmp [eax+edi*2+0x32],bl
aaa
pop esp
js 0xd1
cmp [eax+edi*2+0x37],bl
cmp [eax+edi*2+0x32],ebx
aaa
pop esp
js 0xd9
xor al,0x5c
js 0xe2
xor bl,[eax+edi*2+0x36]
cmp [eax+edi*2+0x37],bl
xor bl,[eax+edi*2+0x37]
cmp [eax+edi*2+0x37],bl
cmp [eax+edi*2+0x37],ebx
cmp [eax+edi*2+0x36],bl
cmp [eax+edi*2+0x37],bl
ss pop esp
js 0xfd
aaa
pop esp
js 0x106
xor [eax+edi*2+0x32],bl
xor eax,0x3836785c
pop esp
js 0x112
cmp [eax+edi*2+0x37],bl
xor ebx,[eax+edi*2+0x32]
xor ebx,[eax+edi*2+0x32]
aaa
pop esp
js 0x121
cmp [eax+edi*2+0x32],bl
xor [eax+edi*2+0x37],bl
cmp [eax+edi*2+0x32],ebx
xor bl,[eax+edi*2+0x37]
xor eax,0x3836785c
pop esp
js 0x13a
xor [eax+edi*2+0x37],bl
xor [eax+edi*2+0x32],ebx
xor al,0x5c
js 0x141
xor ebx,[eax+edi*2+0x36]
cmp [eax+edi*2+0x37],bl
xor [eax+edi*2+0x37],ebx
xor ebx,[eax+edi*2+0x37]
cmp [eax+edi*2+0x37],ebx
xor [eax+edi*2+0x36],bl
cmp [eax+edi*2+0x32],bl
xor eax,0x3937785c
pop esp
js 0x16a
xor bl,[eax+edi*2+0x37]
xor bl,[eax+edi*2+0x36]
cmp [eax+edi*2+0x32],bl
aaa
pop esp
js 0x17a
cmp [eax+edi*2+0x32],bl
aaa
pop esp
js 0x182
xor eax,0x3836785c
pop esp
js 0x18a
cmp [eax+edi*2+0x37],bl
xor [eax+edi*2+0x37],bl
xor ebx,[eax+edi*2+0x37]
xor eax,0x3836785c
pop esp
js 0x19e
xor bl,[eax+edi*2+0x37]
cmp [eax+edi*2+0x32],bl
xor ebx,[eax+edi*2+0x37]
xor eax,0x3836785c
pop esp
js 0x1ad
xor eax,0x3032785c
pop esp
js 0x1ba
xor [eax+edi*2+0x32],bl
xor al,0x5c
js 0x1c1
cmp [eax+edi*2+0x37],bl
xor bl,[eax+edi*2+0x32]
xor eax,0x3637785c
pop esp
js 0x1d2
xor ebx,[eax+edi*2+0x36]
cmp [eax+edi*2+0x37],bl
xor bl,[eax+edi*2+0x32]
xor [eax+edi*2+0x37],bl
xor ebx,[eax+edi*2+0x37]
xor bl,[eax+edi*2+0x36]
cmp [eax+edi*2+0x37],bl
xor [eax+edi*2+0x32],ebx
xor [eax+edi*2+0x37],bl
xor [eax+edi*2+0x32],ebx
xor bl,[eax+edi*2+0x36]
cmp [eax+edi*2+0x32],bl
xor ebx,[eax+edi*2+0x37]
xor eax,0x3037785c
pop esp
js 0x20e
xor bl,[eax+edi*2+0x36]
cmp [eax+edi*2+0x32],bl
xor bl,[eax+edi*2+0x37]
xor al,0x5c
js 0x219
xor eax,0x3837785c
pop esp
js 0x225
cmp [eax+edi*2+0x37],bl
xor [eax+edi*2+0x37],ebx
aaa
pop esp
js 0x232
xor eax,0x3137785c
pop esp
js 0x239
cmp [eax+edi*2+0x32],bl
aaa
pop esp
js 0x242
xor bl,[eax+edi*2+0x37]
aaa
pop esp
js 0x245
xor bl,[eax+edi*2+0x36]
cmp [eax+edi*2+0x37],bl
xor [eax+edi*2+0x37],bl
xor [eax+edi*2+0x32],bl
aaa
pop esp
js 0x259
xor eax,0x3836785c
pop esp
js 0x266
aaa
pop esp
js 0x26a
xor ebx,[eax+edi*2+0x37]
cmp [eax+edi*2+0x32],bl
xor al,0x5c
js 0x275
cmp [eax+edi*2+0x37],bl
xor bl,[eax+edi*2+0x37]
cmp [eax+edi*2+0x37],bl
aaa
pop esp
js 0x286
xor al,0x5c
js 0x289
cmp [eax+edi*2+0x32],bl
aaa
pop esp
js 0x292
aaa
pop esp
js 0x291
aaa
pop esp
js 0x295
xor bl,[eax+edi*2+0x36]
cmp [eax+edi*2+0x32],bl
xor bl,[eax+edi*2+0x37]
xor al,0x5c
js 0x2a5
xor bl,[eax+edi*2+0x37]
xor eax,0x3836785c
pop esp
js 0x2b6
xor ebx,[eax+edi*2+0x37]
aaa
pop esp
js 0x2be
xor [eax+edi*2+0x37],bl
xor [eax+edi*2+0x35],bl
xor al,0x5c
js 0x2c8
inc ebp
pop esp
js 0x2cf
inc edx
pop esp
js 0x2e1
inc ebp
pop esp
js 0x2d7
inc edx
pop esp
js 0x2e7
aaa
pop esp
js 0x2ed
inc ebx
pop esp
js 0x2ed
cmp [eax+edi*2+0x38],ebx
xor [eax+edi*2+0x30],bl
xor [eax+edi*2+0x30],bl
xor [eax+edi*2+0x30],bl
xor [eax+edi*2+0x42],bl
inc edx
pop esp
js 0x2f7
xor [eax+edi*2+0x30],ebx
xor [eax+edi*2+0x30],bl
xor [eax+edi*2+0x30],bl
xor [eax+edi*2+0x33],bl
xor [eax+edi*2+0x43],ebx
xor [eax+edi*2+0x35],bl
xor [eax+edi*2+0x41],bl
inc ebx
pop esp
js 0x316
xor ebx,[eax+edi*2+0x43]
xor ebx,[eax+edi*2+0x41]
inc ecx
pop esp
js 0x334
xor bl,[eax+edi*2+0x46]
inc ecx
pop esp
js 0x32c
xor al,0x5c
js 0x330
inc ebp
pop esp
js 0x342
inc ebx
db 0x0a

JavaScript
​x
 
    global _start_start:pop espjs 0x36xor [eax+edi*2+0x43],ebxxor [eax+edi*2+0x35],blxor [eax+edi*2+0x36],blcmp [eax+edi*2+0x37],blss pop espjs 0x49aaapop espjs 0x52xor al,0x5cjs 0x56xor al,0x5cjs 0x59cmp [eax+edi*2+0x37],blxor ebx,[eax+edi*2+0x32]xor al,0x5cjs 0x61xor eax,0x3532785cpop espjs 0x6dcmp [eax+edi*2+0x32],blxor [eax+edi*2+0x32],blxor ebx,[eax+edi*2+0x32]xor eax,0x3332785cpop espjs 0x81cmp [eax+edi*2+0x37],blcmp [eax+edi*2+0x32],blxor al,0x5cjs 0x8exor eax,0x3532785cpop espjs 0x95cmp [eax+edi*2+0x37],blcmp [eax+edi*2+0x32],blxor [eax+edi*2+0x37],blxor bl,[eax+edi*2+0x32]xor [eax+edi*2+0x36],blcmp [eax+edi*2+0x37],blxor [eax+edi*2+0x37],blxor [eax+edi*2+0x37],blxor eax,0x3637785cpop espjs 0xbdcmp [eax+edi*2+0x32],blaaapop espjs 0xc6xor al,0x5cjs 0xcacmp [eax+edi*2+0x32],blaaapop espjs 0xd1cmp [eax+edi*2+0x37],blcmp [eax+edi*2+0x32],ebxaaapop espjs 0xd9xor al,0x5cjs 0xe2xor bl,[eax+edi*2+0x36]cmp [eax+edi*2+0x37],blxor bl,[eax+edi*2+0x37]cmp [eax+edi*2+0x37],blcmp [eax+edi*2+0x37],ebxcmp [eax+edi*2+0x36],blcmp [eax+edi*2+0x37],blss pop espjs 0xfdaaapop espjs 0x106xor [eax+edi*2+0x32],blxor eax,0x3836785cpop espjs 0x112cmp [eax+edi*2+0x37],blxor ebx,[eax+edi*2+0x32]xor ebx,[eax+edi*2+0x32]aaapop espjs 0x121cmp [eax+edi*2+0x32],blxor [eax+edi*2+0x37],blcmp [eax+edi*2+0x32],ebxxor bl,[eax+edi*2+0x37]xor eax,0x3836785cpop espjs 0x13axor [eax+edi*2+0x37],blxor [eax+edi*2+0x32],ebxxor al,0x5cjs 0x141xor ebx,[eax+edi*2+0x36]cmp [eax+edi*2+0x37],blxor [eax+edi*2+0x37],ebxxor ebx,[eax+edi*2+0x37]cmp [eax+edi*2+0x37],ebxxor [eax+edi*2+0x36],blcmp [eax+edi*2+0x32],blxor eax,0x3937785cpop espjs 0x16axor bl,[eax+edi*2+0x37]xor bl,[eax+edi*2+0x36]cmp [eax+edi*2+0x32],blaaapop espjs 0x17acmp [eax+edi*2+0x32],blaaapop espjs 0x182xor eax,0x3836785cpop espjs 0x18acmp [eax+edi*2+0x37],blxor [eax+edi*2+0x37],blxor ebx,[eax+edi*2+0x37]xor eax,0x3836785cpop espjs 0x19exor bl,[eax+edi*2+0x37]cmp [eax+edi*2+0x32],blxor ebx,[eax+edi*2+0x37]xor eax,0x3836785cpop espjs 0x1adxor eax,0x3032785cpop espjs 0x1baxor [eax+edi*2+0x32],blxor al,0x5cjs 0x1c1cmp [eax+edi*2+0x37],blxor bl,[eax+edi*2+0x32]xor eax,0x3637785cpop espjs 0x1d2xor ebx,[eax+edi*2+0x36]cmp [eax+edi*2+0x37],blxor bl,[eax+edi*2+0x32]xor [eax+edi*2+0x37],blxor ebx,[eax+edi*2+0x37]xor bl,[eax+edi*2+0x36]cmp [eax+edi*2+0x37],blxor [eax+edi*2+0x32],ebxxor [eax+edi*2+0x37],blxor [eax+edi*2+0x32],ebxxor bl,[eax+edi*2+0x36]cmp [eax+edi*2+0x32],blxor ebx,[eax+edi*2+0x37]xor eax,0x3037785cpop espjs 0x20exor bl,[eax+edi*2+0x36]cmp [eax+edi*2+0x32],blxor bl,[eax+edi*2+0x37]xor al,0x5cjs 0x219xor eax,0x3837785cpop espjs 0x225cmp [eax+edi*2+0x37],blxor [eax+edi*2+0x37],ebxaaapop espjs 0x232xor eax,0x3137785cpop espjs 0x239cmp [eax+edi*2+0x32],blaaapop espjs 0x242xor bl,[eax+edi*2+0x37]aaapop espjs 0x245xor bl,[eax+edi*2+0x36]cmp [eax+edi*2+0x37],blxor [eax+edi*2+0x37],blxor [eax+edi*2+0x32],blaaapop espjs 0x259xor eax,0x3836785cpop espjs 0x266aaapop espjs 0x26axor ebx,[eax+edi*2+0x37]cmp [eax+edi*2+0x32],blxor al,0x5cjs 0x275cmp [eax+edi*2+0x37],blxor bl,[eax+edi*2+0x37]cmp [eax+edi*2+0x37],blaaapop espjs 0x286xor al,0x5cjs 0x289cmp [eax+edi*2+0x32],blaaapop espjs 0x292aaapop espjs 0x291aaapop espjs 0x295xor bl,[eax+edi*2+0x36]cmp [eax+edi*2+0x32],blxor bl,[eax+edi*2+0x37]xor al,0x5cjs 0x2a5xor bl,[eax+edi*2+0x37]xor eax,0x3836785cpop espjs 0x2b6xor ebx,[eax+edi*2+0x37]aaapop espjs 0x2bexor [eax+edi*2+0x37],blxor [eax+edi*2+0x35],blxor al,0x5cjs 0x2c8inc ebppop espjs 0x2cfinc edxpop espjs 0x2e1inc ebppop espjs 0x2d7inc edxpop espjs 0x2e7aaapop espjs 0x2edinc ebxpop espjs 0x2edcmp [eax+edi*2+0x38],ebxxor [eax+edi*2+0x30],blxor [eax+edi*2+0x30],blxor [eax+edi*2+0x30],blxor [eax+edi*2+0x42],blinc edxpop espjs 0x2f7xor [eax+edi*2+0x30],ebxxor [eax+edi*2+0x30],blxor [eax+edi*2+0x30],blxor [eax+edi*2+0x33],blxor [eax+edi*2+0x43],ebxxor [eax+edi*2+0x35],blxor [eax+edi*2+0x41],blinc ebxpop espjs 0x316xor ebx,[eax+edi*2+0x43]xor ebx,[eax+edi*2+0x41]inc ecxpop espjs 0x334xor bl,[eax+edi*2+0x46]inc ecxpop espjs 0x32cxor al,0x5cjs 0x330inc ebppop espjs 0x342inc ebxdb 0x0a​

After compiling and running that code I obtain a segmentation fault error, it seems that something goes wrong after the 5th line. My linux asm knowledge is very basic, any hints or ideas about what is exactly going wrong and how to fix it?

This piece of code is a part of a debugging exercise, I’m doing that for auto-learning only, this is not a part of any homework or something.

Answer

I have compiled your example and then looked at it using hexdump:

(I had to add BITS 32 to it to compile in 32-bit mode, because I’m using Linux-64):

$ vi test.asm
$ nasm test.asm
$ hexdump -C test

00000000  5c 0f 88 2f 00 00 00 31  5c 78 43 30 5c 78 35 30  |../...1xC0x50|
00000010  5c 78 36 38 5c 78 37 36  5c 0f 88 2a 00 00 00 37  |x68x76..*...7|
00000020  5c 0f 88 2b 00 00 00 34  5c 0f 88 27 00 00 00 34  |..+...4..'...4|
00000030  5c 0f 88 22 00 00 00 38  5c 78 37 33 5c 78 32 34  |.."...8x73x24|
00000040  5c 0f 88 1a 00 00 00 35  5c 78 32 35 5c 0f 88 1a  |......5x25...|
00000050  00 00 00 38 5c 78 32 30  5c 78 32 33 5c 78 32 35  |...8x20x23x25|
00000060  5c 78 32 33 5c 0f 88 16  00 00 00 38 5c 78 37 38  |x23......8x78|
00000070  5c 78 32 34 5c 0f 88 13  00 00 00 35 5c 78 32 35  |x24......5x25|
00000080  5c 0f 88 0e 00 00 00 38  5c 78 37 38 5c 78 32 30  |......8x78x20|
........

JavaScript
 
$ vi test.asm$ nasm test.asm$ hexdump -C test​00000000  5c 0f 88 2f 00 00 00 31  5c 78 43 30 5c 78 35 30  |../...1xC0x50|00000010  5c 78 36 38 5c 78 37 36  5c 0f 88 2a 00 00 00 37  |x68x76..*...7|00000020  5c 0f 88 2b 00 00 00 34  5c 0f 88 27 00 00 00 34  |..+...4..'...4|00000030  5c 0f 88 22 00 00 00 38  5c 78 37 33 5c 78 32 34  |.."...8x73x24|00000040  5c 0f 88 1a 00 00 00 35  5c 78 32 35 5c 0f 88 1a  |......5x25...|00000050  00 00 00 38 5c 78 32 30  5c 78 32 33 5c 78 32 35  |...8x20x23x25|00000060  5c 78 32 33 5c 0f 88 16  00 00 00 38 5c 78 37 38  |x23......8x78|00000070  5c 78 32 34 5c 0f 88 13  00 00 00 35 5c 78 32 35  |x24......5x25|00000080  5c 0f 88 0e 00 00 00 38  5c 78 37 38 5c 78 32 30  |......8x78x20|........​

Do you see the pattern? At the right column (ASCII mode) you can see a lot of literal xNN, that is not the byte NN but the characters '' 'x' and two numbers!

My guess is that you are debugging a dump of some binary code, but that code has not been properly dumped. Thus the assembly you are looking at is nonsense.

Advertisement

Answer