
I have some closed-source library. I need to create a hook (LD_PRELOAD) around a function draw_something that is defined and called inside this library. I want to disable it (make it do nothing instead of what it currently does). objdump nicely disassembled the function for me, but I'm a total noob in asm. The library is built for the MIPS architecture.

I have no clue how to extract a C function prototype from the assembly. Is it possible? Can you tell how many parameters a function takes and what it returns? Please give me links to some docs/blogs on this theme if you have any.

UPD: compiler is mips-linux-gnu-gcc (Sourcery G++ Lite 4.3-51) 4.3.2

Disassembled function:

# Annotated objdump of draw_something (MIPS o32, PIC code; compiler per the question: gcc 4.3.2).
# What the listing itself establishes about the prototype:
#   - a0 is dereferenced (+28, +12, and large offsets via s3), so arg 1 is a pointer to a struct/object;
#   - the incoming a1 is only ever read through `andi a1,a1,0xff`, so arg 2 is a byte-sized value (char/bool/uint8);
#   - a2 and a3 are written before any read, so nothing here shows a 3rd or 4th argument being used;
#   - every exit loads v0 from 56(sp) (9, or whatever the first indirect call returned), so it returns a word (int-sized).
#   So at least `int draw_something(struct ? *obj, unsigned char x)`; extra unused parameters cannot be ruled out from asm.
# Stack frame (112 bytes): 0..15 o32 outgoing-arg home area, 16..31 outgoing stack args 5..8, 32 saved gp,
#   40..41 one-character scratch string, 44.. small text buffer, 56 saved return value, 60/64 saved pointers, 72..108 saved s0-s8/ra.
# The gp-from-t9 prologue shows this is a separately emitted PIC function (it is not inlined here); whether an LD_PRELOAD
#   interposer is ever reached depends on how the caller binds the symbol, which this listing does not show.
00004fe0 <draw_something>:
    4fe0:   3c1c0002    lui gp,0x2                      # PIC prologue: gp = _gp_disp + t9 (caller must have set t9 = this function's address)
    4fe4:   279c9cc0    addiu   gp,gp,-25408
    4fe8:   0399e021    addu    gp,gp,t9
    4fec:   27bdff90    addiu   sp,sp,-112              # allocate the 112-byte frame (non-leaf: ra and s0-s8 are saved below)
    4ff0:   afbf006c    sw  ra,108(sp)
    4ff4:   afbe0068    sw  s8,104(sp)
    4ff8:   afb70064    sw  s7,100(sp)
    4ffc:   afb60060    sw  s6,96(sp)
    5000:   afb5005c    sw  s5,92(sp)
    5004:   afb40058    sw  s4,88(sp)
    5008:   afb30054    sw  s3,84(sp)
    500c:   afb20050    sw  s2,80(sp)
    5010:   afb1004c    sw  s1,76(sp)
    5014:   afb00048    sw  s0,72(sp)
    5018:   afbc0020    sw  gp,32(sp)                   # gp is re-loaded from 32(sp) after every jalr (callee may clobber it)
    501c:   8c99001c    lw  t9,28(a0)                   # t9 = obj->fn@+28 (arg 1 is a pointer; function pointer at offset 28)
    5020:   00809821    move    s3,a0                   # s3 = obj, kept across calls (callee-saved register)
    5024:   8c84000c    lw  a0,12(a0)                   # callee arg 1 = obj->field@+12
    5028:   30a500ff    andi    a1,a1,0xff              # callee arg 2 = (u8)arg2 -- the only use of the incoming a1
    502c:   0320f809    jalr    t9                      # r = obj->fn28(obj->field12, (u8)arg2, 0)
    5030:   00003021    move    a2,zero                 #   delay slot: callee arg 3 = 0
    5034:   afa20038    sw  v0,56(sp)                   # 56(sp) = r; this slot is the function's return value on every exit
    5038:   8fa30038    lw  v1,56(sp)
    503c:   24020006    li  v0,6
    5040:   10620010    beq v1,v0,5084 <draw_something+0xa4>   # if (r == 6) continue at 5084
    5044:   8fbc0020    lw  gp,32(sp)                   #   delay slot: restore gp after the call
    5048:   24020009    li  v0,9
    504c:   afa20038    sw  v0,56(sp)                   # r != 6: return value = 9
    5050:   8fbf006c    lw  ra,108(sp)                  # ---- epilogue A (also entered at 5054 from the bne at 50a4) ----
    5054:   8fa20038    lw  v0,56(sp)                   # v0 = return value
    5058:   8fbe0068    lw  s8,104(sp)
    505c:   8fb70064    lw  s7,100(sp)
    5060:   8fb60060    lw  s6,96(sp)
    5064:   8fb5005c    lw  s5,92(sp)
    5068:   8fb40058    lw  s4,88(sp)
    506c:   8fb30054    lw  s3,84(sp)
    5070:   8fb20050    lw  s2,80(sp)
    5074:   8fb1004c    lw  s1,76(sp)
    5078:   8fb00048    lw  s0,72(sp)
    507c:   03e00008    jr  ra
    5080:   27bd0070    addiu   sp,sp,112               #   delay slot: release the frame
    5084:   3c0200da    lui v0,0xda                     # r == 6 path
    5088:   02622021    addu    a0,s3,v0                # a0 = obj + 0xda0000 (base for the two state fields used below)
    508c:   2405000b    li  a1,11
    5090:   8c8377a0    lw  v1,30624(a0)                # v1 = state1 = obj->@(0xda0000+30624)
    5094:   10650006    beq v1,a1,50b0 <draw_something+0xd0>   # state1 == 11 -> 50b0
    5098:   2402000d    li  v0,13
    509c:   10620075    beq v1,v0,5274 <draw_something+0x294>  # state1 == 13 -> 5274 (only the obj->fn32 call, then return r)
    50a0:   2402000a    li  v0,10
    50a4:   1462ffeb    bne v1,v0,5054 <draw_something+0x74>   # state1 not in {10,11,13} -> return r (== 6) via epilogue A
    50a8:   8fbf006c    lw  ra,108(sp)                  #   delay slot: ra restored here because the branch skips 5050
    50ac:   ac8577a0    sw  a1,30624(a0)                # state1 == 10: state1 = 11, then fall through
    50b0:   8f858024    lw  a1,-32732(gp)               # a1 = GOT entry (base of some static data)
    50b4:   27a3002c    addiu   v1,sp,44                # v1 = &buf (stack text buffer at sp+44)
    50b8:   8f998040    lw  t9,-32704(gp)               # t9 = GOT function F (its identity is not visible in this listing)
    50bc:   afa30040    sw  v1,64(sp)                   # 64(sp) = &buf, reused by the later calls
    50c0:   00602021    move    a0,v1
    50c4:   0320f809    jalr    t9                      # F(&buf, static+27392)
    50c8:   24a56b00    addiu   a1,a1,27392             #   delay slot: a1 = address of a static object (string/format? not visible here)
    50cc:   3c020013    lui v0,0x13
    50d0:   02621021    addu    v0,s3,v0                # v0 = obj + 0x130000
    50d4:   24030008    li  v1,8
    50d8:   8c5785f4    lw  s7,-31244(v0)               # s7 = N = obj->@(0x130000-31244)
    50dc:   8c5585f8    lw  s5,-31240(v0)               # s5 = M = obj->@(0x130000-31240)
    50e0:   3c02cccc    lui v0,0xcccc
    50e4:   3442cccd    ori v0,v0,0xcccd                # v0 = 0xcccccccd: reciprocal constant for unsigned /10
    50e8:   02e20019    multu   s7,v0
    50ec:   00001010    mfhi    v0                      # v0 = hi(N * 0xcccccccd)
    50f0:   0075a80a    movz    s5,v1,s5                # if (M == 0) M = 8
    50f4:   8fb20040    lw  s2,64(sp)                   # s2 = &buf
    50f8:   241100c8    li  s1,200                      # s1 = 200 (stepped by 40 per character in loop 1)
    50fc:   02408021    move    s0,s2                   # s0 = cursor into buf
    5100:   0002a0c2    srl s4,v0,0x3                   # s4 = N / 10
    5104:   001418c0    sll v1,s4,0x3
    5108:   00141040    sll v0,s4,0x1
    510c:   00431021    addu    v0,v0,v1                # v0 = (N / 10) * 10
    5110:   02e2a023    subu    s4,s7,v0                # s4 = N % 10
    5114:   27a20028    addiu   v0,sp,40
    5118:   afa2003c    sw  v0,60(sp)                   # 60(sp) = &onechar (2-byte scratch string at sp+40)
    511c:   27be0033    addiu   s8,sp,51                # s8 = &buf[7]: loop-1 end (7 characters)
    5120:   24160028    li  s6,40
    5124:   92020000    lbu v0,0(s0)                    # ---- loop 1: for each byte of buf[0..7) ----
    5128:   3c03c000    lui v1,0xc000
    512c:   8e64000c    lw  a0,12(s3)                   # arg1 = obj->field12
    5130:   8e790014    lw  t9,20(s3)                   # t9 = obj->fn@+20 (per-character call)
    5134:   346340c0    ori v1,v1,0x40c0                # v1 = 0xc00040c0 (meaning not visible here)
    5138:   8fa7003c    lw  a3,60(sp)                   # arg4 = &onechar
    513c:   02202821    move    a1,s1                   # arg2 = s1 (200, 240, 280, ...)
    5140:   a3a20028    sb  v0,40(sp)                   # onechar[0] = *s0
    5144:   a3a00029    sb  zero,41(sp)                 # onechar[1] = '\0'
    5148:   afa30010    sw  v1,16(sp)                   # stack args 5..8 (o32: from 16(sp) on): 0xc00040c0, 40, 0, 0
    514c:   afb60014    sw  s6,20(sp)
    5150:   afa00018    sw  zero,24(sp)
    5154:   afa0001c    sw  zero,28(sp)
    5158:   240600c8    li  a2,200                      # arg3 = 200
    515c:   0320f809    jalr    t9                      # obj->fn20(obj->field12, s1, 200, &onechar, 0xc00040c0, 40, 0, 0)
    5160:   26100001    addiu   s0,s0,1                 #   delay slot: s0++
    5164:   8fbc0020    lw  gp,32(sp)                   # restore gp
    5168:   17d0ffee    bne s8,s0,5124 <draw_something+0x144>  # loop while s0 != &buf[7]
    516c:   26310028    addiu   s1,s1,40                #   delay slot: s1 += 40
    5170:   3c02cccc    lui v0,0xcccc
    5174:   02f43823    subu    a3,s7,s4                # a3 = N - N % 10
    5178:   3442cccd    ori v0,v0,0xcccd
    517c:   00e20019    multu   a3,v0
    5180:   00003810    mfhi    a3
    5184:   8f858024    lw  a1,-32732(gp)
    5188:   8f998040    lw  t9,-32704(gp)               # t9 = F again
    518c:   02a03021    move    a2,s5                   # arg3 = M (or 8)
    5190:   8fa40040    lw  a0,64(sp)                   # arg1 = &buf
    5194:   3c15c000    lui s5,0xc000
    5198:   afb40010    sw  s4,16(sp)                   # stack arg 5 = N % 10
    519c:   24a56b08    addiu   a1,a1,27400             # arg2 = static+27400
    51a0:   000738c2    srl a3,a3,0x3                   # arg4 = (N - N % 10) / 10, i.e. N / 10
    51a4:   36b540c0    ori s5,s5,0x40c0                # s5 = 0xc00040c0 (kept for loop 2)
    51a8:   241000c8    li  s0,200
    51ac:   27b40034    addiu   s4,sp,52                # s4 = &buf[8]: loop-2 end (8 characters)
    51b0:   0320f809    jalr    t9                      # F(&buf, static+27400, M, N/10, N%10) -- presumably fills buf (its bytes are read right after); what bounds that write is not visible here
    51b4:   24110028    li  s1,40                       #   delay slot
    51b8:   92420000    lbu v0,0(s2)                    # ---- loop 2: for each byte of buf[0..8) ----
    51bc:   8e64000c    lw  a0,12(s3)
    51c0:   8e790014    lw  t9,20(s3)
    51c4:   8fa7003c    lw  a3,60(sp)                   # arg4 = &onechar
    51c8:   02002821    move    a1,s0                   # arg2 = s0 (200, 240, ...)
    51cc:   a3a20028    sb  v0,40(sp)
    51d0:   a3a00029    sb  zero,41(sp)
    51d4:   afb50010    sw  s5,16(sp)                   # stack args 5..8: 0xc00040c0, 40, 0, 0
    51d8:   afb10014    sw  s1,20(sp)
    51dc:   afa00018    sw  zero,24(sp)
    51e0:   afa0001c    sw  zero,28(sp)
    51e4:   240600fa    li  a2,250                      # arg3 = 250 (differs from loop 1's 200)
    51e8:   0320f809    jalr    t9                      # obj->fn20(obj->field12, s0, 250, &onechar, 0xc00040c0, 40, 0, 0)
    51ec:   26520001    addiu   s2,s2,1                 #   delay slot: s2++
    51f0:   8fbc0020    lw  gp,32(sp)
    51f4:   1692fff0    bne s4,s2,51b8 <draw_something+0x1d8>  # loop while s2 != &buf[8]
    51f8:   26100028    addiu   s0,s0,40                #   delay slot: s0 += 40
    51fc:   3c0200da    lui v0,0xda
    5200:   02628021    addu    s0,s3,v0                # s0 = obj + 0xda0000
    5204:   2411000b    li  s1,11
    5208:   8e0377a4    lw  v1,30628(s0)                # v1 = state2 = obj->@(0xda0000+30628); cycled 10->11->12->13->10 below
    520c:   10710037    beq v1,s1,52ec <draw_something+0x30c>  # state2 == 11 -> 52ec
    5210:   2c62000c    sltiu   v0,v1,12
    5214:   10400029    beqz    v0,52bc <draw_something+0x2dc>  # state2 >= 12 -> 52bc
    5218:   2402000c    li  v0,12                       #   delay slot
    521c:   2402000a    li  v0,10
    5220:   14620008    bne v1,v0,5244 <draw_something+0x264>  # state2 < 12 and != 10 -> straight to the call at 5244, state unchanged
    5224:   3c02c000    lui v0,0xc000                   #   delay slot
    5228:   8f858024    lw  a1,-32732(gp)               # state2 == 10:
    522c:   8f998040    lw  t9,-32704(gp)
    5230:   8fa40040    lw  a0,64(sp)
    5234:   0320f809    jalr    t9                      # F(&buf, static+27412)
    5238:   24a56b14    addiu   a1,a1,27412
    523c:   ae1177a4    sw  s1,30628(s0)                # state2 = 11
    5240:   3c02c000    lui v0,0xc000                   # 5240: join point for the other state branches
    5244:   8e64000c    lw  a0,12(s3)
    5248:   8e790014    lw  t9,20(s3)
    524c:   344240c0    ori v0,v0,0x40c0
    5250:   24030028    li  v1,40
    5254:   8fa70040    lw  a3,64(sp)                   # arg4 = &buf (the whole string this time)
    5258:   afa20010    sw  v0,16(sp)                   # stack args 5..8: 0xc00040c0, 40, 0, 0
    525c:   afa30014    sw  v1,20(sp)
    5260:   afa00018    sw  zero,24(sp)
    5264:   afa0001c    sw  zero,28(sp)
    5268:   240501e0    li  a1,480
    526c:   0320f809    jalr    t9                      # obj->fn20(obj->field12, 480, 200, &buf, 0xc00040c0, 40, 0, 0)
    5270:   240600c8    li  a2,200                      #   delay slot
    5274:   8e64000c    lw  a0,12(s3)                   # 5274: also the direct target for state1 == 13
    5278:   8e790020    lw  t9,32(s3)                   # t9 = obj->fn@+32
    527c:   0320f809    jalr    t9                      # obj->fn32(obj->field12, 0)
    5280:   00002821    move    a1,zero                 #   delay slot
    5284:   8fbf006c    lw  ra,108(sp)                  # ---- epilogue B ----
    5288:   8fa20038    lw  v0,56(sp)                   # v0 = r (value returned by obj->fn28 at the top)
    528c:   8fbc0020    lw  gp,32(sp)
    5290:   8fbe0068    lw  s8,104(sp)
    5294:   8fb70064    lw  s7,100(sp)
    5298:   8fb60060    lw  s6,96(sp)
    529c:   8fb5005c    lw  s5,92(sp)
    52a0:   8fb40058    lw  s4,88(sp)
    52a4:   8fb30054    lw  s3,84(sp)
    52a8:   8fb20050    lw  s2,80(sp)
    52ac:   8fb1004c    lw  s1,76(sp)
    52b0:   8fb00048    lw  s0,72(sp)
    52b4:   03e00008    jr  ra
    52b8:   27bd0070    addiu   sp,sp,112
    52bc:   10620013    beq v1,v0,530c <draw_something+0x32c>  # state2 == 12 -> 530c
    52c0:   2402000d    li  v0,13
    52c4:   1462ffdf    bne v1,v0,5244 <draw_something+0x264>  # state2 > 13 -> call at 5244, state unchanged
    52c8:   3c02c000    lui v0,0xc000                   #   delay slot
    52cc:   8f858024    lw  a1,-32732(gp)               # state2 == 13:
    52d0:   8f998040    lw  t9,-32704(gp)
    52d4:   8fa40040    lw  a0,64(sp)
    52d8:   0320f809    jalr    t9                      # F(&buf, static+27424)
    52dc:   24a56b20    addiu   a1,a1,27424
    52e0:   2402000a    li  v0,10
    52e4:   1000ffd6    b   5240 <draw_something+0x260>
    52e8:   ae0277a4    sw  v0,30628(s0)                #   delay slot: state2 = 10
    52ec:   8f858024    lw  a1,-32732(gp)               # state2 == 11:
    52f0:   8f998040    lw  t9,-32704(gp)
    52f4:   8fa40040    lw  a0,64(sp)
    52f8:   0320f809    jalr    t9                      # F(&buf, static+27416)
    52fc:   24a56b18    addiu   a1,a1,27416
    5300:   2402000c    li  v0,12
    5304:   1000ffce    b   5240 <draw_something+0x260>
    5308:   ae0277a4    sw  v0,30628(s0)                #   delay slot: state2 = 12
    530c:   8f858024    lw  a1,-32732(gp)               # state2 == 12:
    5310:   8f998040    lw  t9,-32704(gp)
    5314:   8fa40040    lw  a0,64(sp)
    5318:   0320f809    jalr    t9                      # F(&buf, static+27420)
    531c:   24a56b1c    addiu   a1,a1,27420
    5320:   2402000d    li  v0,13
    5324:   1000ffc6    b   5240 <draw_something+0x260>
    5328:   ae0277a4    sw  v0,30628(s0)                #   delay slot: state2 = 13
JIghtuse
    You can't extract an exact function prototype from assembler code. It might be possible to *guess* how it will look, but your best bet is to see if the library has a publicly available header file and take the prototype from there. – Some programmer dude Aug 07 '14 at 07:52
  • @JoachimPileborg, I see. The library has a header file, but this function is not listed in it; it sits entirely in some closed-source file. – JIghtuse Aug 07 '14 at 07:54
    Then have you considered that you're not actually supposed to call, use or wrap this function? It might not even exist in the next version of the library. – Some programmer dude Aug 07 '14 at 07:55
  • This function is called from another one, which does some useful actions. The function I want to hook, on the other hand, does nothing particularly useful and I want to disable it. – JIghtuse Aug 07 '14 at 08:01
  • @JoachimPileborg I think there is nothing to say more here. Can you make your comment an answer to accept? – JIghtuse Aug 07 '14 at 08:03
  • If you just want to _disable_ it as you say ... then `LD_PRELOAD`'ing a function `void draw_something(...) {}` would do that. Can you extend your description, please ? – FrankH. Aug 07 '14 at 20:28
  • @FrankH. , done, thanks. – JIghtuse Aug 08 '14 at 02:00

1 Answer


You don't need the prototype, you just need to know:

  • how to adjust the stack pointer
  • Which registers to save/restore.

In the case of Linux/MIPS, as far as I can tell, the answers are the classical C ones:

  • Caller restores stack used for parameters
  • Caller saves registers used for parameters
  • Called function saves and restores other registers it uses.

See here for details: http://math-atlas.sourceforge.net/devel/assembly/mipsabi32.pdf

This means it doesn't matter how you prototype the function, since it is the caller's responsibility to restore the stack and argument registers, and the compiler will automatically emit code to save/restore registers it uses. So you can just make it void draw_something(){}.

Alternatively, the caller may rely on a specific return value, in which case int draw_something(){return 0;} will probably do the trick.

This will not work if the function causes side-effects which are later relied upon (such as updating a cursor position for example) because of course you won't be producing code to do that.

Ben
  • Oh, such a prototype really works for my hello-world example with LD_PRELOAD (I just discovered it today). Thanks! It doesn't work with my function though. Probably it is inlined or something. Anyway, good answer! – JIghtuse Aug 07 '14 at 10:21