I have the following piece of code that I have to debug:
global _start
_start:
    pop esp
    js 0x36
    xor [eax+edi*2+0x43],ebx
    xor [eax+edi*2+0x35],bl
    xor [eax+edi*2+0x36],bl
    cmp [eax+edi*2+0x37],bl
    ss pop esp
    js 0x49
    aaa
    pop esp
    js 0x52
    xor al,0x5c
    js 0x56
    xor al,0x5c
    js 0x59
    cmp [eax+edi*2+0x37],bl
    xor ebx,[eax+edi*2+0x32]
    xor al,0x5c
    js 0x61
    xor eax,0x3532785c
    pop esp
    js 0x6d
    cmp [eax+edi*2+0x32],bl
    xor [eax+edi*2+0x32],bl
    xor ebx,[eax+edi*2+0x32]
    xor eax,0x3332785c
    pop esp
    js 0x81
    cmp [eax+edi*2+0x37],bl
    cmp [eax+edi*2+0x32],bl
    xor al,0x5c
    js 0x8e
    xor eax,0x3532785c
    pop esp
    js 0x95
    cmp [eax+edi*2+0x37],bl
    cmp [eax+edi*2+0x32],bl
    xor [eax+edi*2+0x37],bl
    xor bl,[eax+edi*2+0x32]
    xor [eax+edi*2+0x36],bl
    cmp [eax+edi*2+0x37],bl
    xor [eax+edi*2+0x37],bl
    xor [eax+edi*2+0x37],bl
    xor eax,0x3637785c
    pop esp
    js 0xbd
    cmp [eax+edi*2+0x32],bl
    aaa
    pop esp
    js 0xc6
    xor al,0x5c
    js 0xca
    cmp [eax+edi*2+0x32],bl
    aaa
    pop esp
    js 0xd1
    cmp [eax+edi*2+0x37],bl
    cmp [eax+edi*2+0x32],ebx
    aaa
    pop esp
    js 0xd9
    xor al,0x5c
    js 0xe2
    xor bl,[eax+edi*2+0x36]
    cmp [eax+edi*2+0x37],bl
    xor bl,[eax+edi*2+0x37]
    cmp [eax+edi*2+0x37],bl
    cmp [eax+edi*2+0x37],ebx
    cmp [eax+edi*2+0x36],bl
    cmp [eax+edi*2+0x37],bl
    ss pop esp
    js 0xfd
    aaa
    pop esp
    js 0x106
    xor [eax+edi*2+0x32],bl
    xor eax,0x3836785c
    pop esp
    js 0x112
    cmp [eax+edi*2+0x37],bl
    xor ebx,[eax+edi*2+0x32]
    xor ebx,[eax+edi*2+0x32]
    aaa
    pop esp
    js 0x121
    cmp [eax+edi*2+0x32],bl
    xor [eax+edi*2+0x37],bl
    cmp [eax+edi*2+0x32],ebx
    xor bl,[eax+edi*2+0x37]
    xor eax,0x3836785c
    pop esp
    js 0x13a
    xor [eax+edi*2+0x37],bl
    xor [eax+edi*2+0x32],ebx
    xor al,0x5c
    js 0x141
    xor ebx,[eax+edi*2+0x36]
    cmp [eax+edi*2+0x37],bl
    xor [eax+edi*2+0x37],ebx
    xor ebx,[eax+edi*2+0x37]
    cmp [eax+edi*2+0x37],ebx
    xor [eax+edi*2+0x36],bl
    cmp [eax+edi*2+0x32],bl
    xor eax,0x3937785c
    pop esp
    js 0x16a
    xor bl,[eax+edi*2+0x37]
    xor bl,[eax+edi*2+0x36]
    cmp [eax+edi*2+0x32],bl
    aaa
    pop esp
    js 0x17a
    cmp [eax+edi*2+0x32],bl
    aaa
    pop esp
    js 0x182
    xor eax,0x3836785c
    pop esp
    js 0x18a
    cmp [eax+edi*2+0x37],bl
    xor [eax+edi*2+0x37],bl
    xor ebx,[eax+edi*2+0x37]
    xor eax,0x3836785c
    pop esp
    js 0x19e
    xor bl,[eax+edi*2+0x37]
    cmp [eax+edi*2+0x32],bl
    xor ebx,[eax+edi*2+0x37]
    xor eax,0x3836785c
    pop esp
    js 0x1ad
    xor eax,0x3032785c
    pop esp
    js 0x1ba
    xor [eax+edi*2+0x32],bl
    xor al,0x5c
    js 0x1c1
    cmp [eax+edi*2+0x37],bl
    xor bl,[eax+edi*2+0x32]
    xor eax,0x3637785c
    pop esp
    js 0x1d2
    xor ebx,[eax+edi*2+0x36]
    cmp [eax+edi*2+0x37],bl
    xor bl,[eax+edi*2+0x32]
    xor [eax+edi*2+0x37],bl
    xor ebx,[eax+edi*2+0x37]
    xor bl,[eax+edi*2+0x36]
    cmp [eax+edi*2+0x37],bl
    xor [eax+edi*2+0x32],ebx
    xor [eax+edi*2+0x37],bl
    xor [eax+edi*2+0x32],ebx
    xor bl,[eax+edi*2+0x36]
    cmp [eax+edi*2+0x32],bl
    xor ebx,[eax+edi*2+0x37]
    xor eax,0x3037785c
    pop esp
    js 0x20e
    xor bl,[eax+edi*2+0x36]
    cmp [eax+edi*2+0x32],bl
    xor bl,[eax+edi*2+0x37]
    xor al,0x5c
    js 0x219
    xor eax,0x3837785c
    pop esp
    js 0x225
    cmp [eax+edi*2+0x37],bl
    xor [eax+edi*2+0x37],ebx
    aaa
    pop esp
    js 0x232
    xor eax,0x3137785c
    pop esp
    js 0x239
    cmp [eax+edi*2+0x32],bl
    aaa
    pop esp
    js 0x242
    xor bl,[eax+edi*2+0x37]
    aaa
    pop esp
    js 0x245
    xor bl,[eax+edi*2+0x36]
    cmp [eax+edi*2+0x37],bl
    xor [eax+edi*2+0x37],bl
    xor [eax+edi*2+0x32],bl
    aaa
    pop esp
    js 0x259
    xor eax,0x3836785c
    pop esp
    js 0x266
    aaa
    pop esp
    js 0x26a
    xor ebx,[eax+edi*2+0x37]
    cmp [eax+edi*2+0x32],bl
    xor al,0x5c
    js 0x275
    cmp [eax+edi*2+0x37],bl
    xor bl,[eax+edi*2+0x37]
    cmp [eax+edi*2+0x37],bl
    aaa
    pop esp
    js 0x286
    xor al,0x5c
    js 0x289
    cmp [eax+edi*2+0x32],bl
    aaa
    pop esp
    js 0x292
    aaa
    pop esp
    js 0x291
    aaa
    pop esp
    js 0x295
    xor bl,[eax+edi*2+0x36]
    cmp [eax+edi*2+0x32],bl
    xor bl,[eax+edi*2+0x37]
    xor al,0x5c
    js 0x2a5
    xor bl,[eax+edi*2+0x37]
    xor eax,0x3836785c
    pop esp
    js 0x2b6
    xor ebx,[eax+edi*2+0x37]
    aaa
    pop esp
    js 0x2be
    xor [eax+edi*2+0x37],bl
    xor [eax+edi*2+0x35],bl
    xor al,0x5c
    js 0x2c8
    inc ebp
    pop esp
    js 0x2cf
    inc edx
    pop esp
    js 0x2e1
    inc ebp
    pop esp
    js 0x2d7
    inc edx
    pop esp
    js 0x2e7
    aaa
    pop esp
    js 0x2ed
    inc ebx
    pop esp
    js 0x2ed
    cmp [eax+edi*2+0x38],ebx
    xor [eax+edi*2+0x30],bl
    xor [eax+edi*2+0x30],bl
    xor [eax+edi*2+0x30],bl
    xor [eax+edi*2+0x42],bl
    inc edx
    pop esp
    js 0x2f7
    xor [eax+edi*2+0x30],ebx
    xor [eax+edi*2+0x30],bl
    xor [eax+edi*2+0x30],bl
    xor [eax+edi*2+0x33],bl
    xor [eax+edi*2+0x43],ebx
    xor [eax+edi*2+0x35],bl
    xor [eax+edi*2+0x41],bl
    inc ebx
    pop esp
    js 0x316
    xor ebx,[eax+edi*2+0x43]
    xor ebx,[eax+edi*2+0x41]
    inc ecx
    pop esp
    js 0x334
    xor bl,[eax+edi*2+0x46]
    inc ecx
    pop esp
    js 0x32c
    xor al,0x5c
    js 0x330
    inc ebp
    pop esp
    js 0x342
    inc ebx
    db 0x0a
After compiling and running that code I obtain a segmentation fault error; it seems that something goes wrong after the 5th line. My Linux asm knowledge is very basic; any hints or ideas about what exactly is going wrong and how to fix it?
This piece of code is part of a debugging exercise; I'm doing this for self-learning only, this is not part of any homework or anything.
Answer
I have compiled your example and then looked at it using hexdump (I had to add BITS 32 to it to compile in 32-bit mode, because I'm using Linux-64):
$ vi test.asm
$ nasm test.asm
$ hexdump -C test
00000000  5c 0f 88 2f 00 00 00 31  5c 78 43 30 5c 78 35 30  |\../...1\xC0\x50|
00000010  5c 78 36 38 5c 78 37 36  5c 0f 88 2a 00 00 00 37  |\x68\x76\..*...7|
00000020  5c 0f 88 2b 00 00 00 34  5c 0f 88 27 00 00 00 34  |\..+...4\..'...4|
00000030  5c 0f 88 22 00 00 00 38  5c 78 37 33 5c 78 32 34  |\.."...8\x73\x24|
00000040  5c 0f 88 1a 00 00 00 35  5c 78 32 35 5c 0f 88 1a  |\......5\x25\...|
00000050  00 00 00 38 5c 78 32 30  5c 78 32 33 5c 78 32 35  |...8\x20\x23\x25|
00000060  5c 78 32 33 5c 0f 88 16  00 00 00 38 5c 78 37 38  |\x23\......8\x78|
00000070  5c 78 32 34 5c 0f 88 13  00 00 00 35 5c 78 32 35  |\x24\......5\x25|
00000080  5c 0f 88 0e 00 00 00 38  5c 78 37 38 5c 78 32 30  |\......8\x78\x20|
........
Do you see the pattern? In the right column (ASCII mode) you can see a lot of literal \xNN; that is not the byte NN but the characters '\' 'x' and two numbers!
My guess is that you are debugging a dump of some binary code, but that code has not been properly dumped. Thus the assembly you are looking at is nonsense.
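As an added example, not part of the original answer, here is a small Python check for exactly this kind of mis-dump: it measures how much of a file is literal \xNN text, which genuine machine code almost never contains, and undoes the escaping so the intended bytes can be disassembled. The sample bytes are the first two lines of the hexdump above; the function names and the 25% threshold are my own choices.

```python
import re

# Constructed sample: the first 32 bytes shown by the hexdump in the answer.
# Note the mix of raw bytes (0f 88 2f 00 00 00) and literal "\xNN" text,
# e.g. 5c 78 43 30 is the four characters '\', 'x', 'C', '0', not byte 0xC0.
MISDUMPED = bytes.fromhex(
    "5c0f882f000000315c7843305c783530"
    "5c7836385c7837365c0f882a00000037"
)

# A backslash, an 'x', and two hex digits: the textual form of one byte.
ESCAPE = re.compile(rb"\\x([0-9A-Fa-f]{2})")


def escape_ratio(data: bytes) -> float:
    # Fraction of the input covered by literal "\xNN" text. Real machine
    # code scores near 0; a dump saved as escaped text scores high.
    if not data:
        return 0.0
    covered = sum(len(m.group(0)) for m in ESCAPE.finditer(data))
    return covered / len(data)


def looks_misdumped(data: bytes, threshold: float = 0.25) -> bool:
    # Heuristic: flag the file if a quarter or more of it is escape text.
    return escape_ratio(data) >= threshold


def unescape(data: bytes) -> bytes:
    # Turn every literal "\xNN" back into the single byte NN, leaving
    # bytes that are already raw (such as 5c 0f 88 2f) untouched.
    return ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


if __name__ == "__main__":
    print(f"escape ratio: {escape_ratio(MISDUMPED):.2f}")
    print(f"mis-dumped?   {looks_misdumped(MISDUMPED)}")
    print(f"recovered:    {unescape(MISDUMPED).hex(' ')}")
```

On the sample, half of the bytes are escape text, and after unescaping the 32 input bytes collapse to 20, with c0 50 68 76 appearing where the dump had "\xC0\x50\x68\x76".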