[openssl.org #2775]

Mike Russo via RT Fri, 30 Mar 2012 14:07:59 -0700

Well I executed this right after the 'where' from last time (still had it up in 
a window though the connection has long since timed out):


(gdb) info reg
eax            0x0      0
ecx            0xb7e35f90   -1209835632
edx            0x80084ae8  -2146940184
ebx            0x3018         12312
esp            0xbfffb070    0xbfffb070
ebp            0xb7e35e70  0xb7e35e70
esi            0x80081bb8   -2146952264
edi            0xffffebb0      -5200
eip            0xb7e369fd    0xb7e369fd <vpaes_cbc_encrypt+189>
eflags         0x246 [ PF ZF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0       0
gs             0x33     51
(gdb) disassemble
Dump of assembler code for function vpaes_cbc_encrypt:
   0xb7e36940 <+0>:     push   %ebp
   0xb7e36941 <+1>:     push   %ebx
   0xb7e36942 <+2>:     push   %esi
   0xb7e36943 <+3>:     push   %edi
   0xb7e36944 <+4>:     mov    0x14(%esp),%esi
   0xb7e36948 <+8>:     mov    0x18(%esp),%edi
   0xb7e3694c <+12>:   mov    0x1c(%esp),%eax
   0xb7e36950 <+16>:   mov    0x20(%esp),%edx
   0xb7e36954 <+20>:   lea    -0x38(%esp),%ebx
   0xb7e36958 <+24>:   mov    0x24(%esp),%ebp
   0xb7e3695c <+28>:   and    $0xfffffff0,%ebx
   0xb7e3695f <+31>:    mov    0x28(%esp),%ecx
   0xb7e36963 <+35>:   xchg   %esp,%ebx
   0xb7e36965 <+37>:   movdqu 0x0(%ebp),%xmm1
   0xb7e3696a <+42>:   sub    %esi,%edi
   0xb7e3696c <+44>:   mov    %ebx,0x30(%esp)
   0xb7e36970 <+48>:   mov    %edi,(%esp)
   0xb7e36973 <+51>:   sub    $0x10,%eax
   0xb7e36976 <+54>:   mov    %edx,0x4(%esp)
   0xb7e3697a <+58>:   mov    %ebp,0x8(%esp)
   0xb7e3697e <+62>:   mov    %eax,%edi
   0xb7e36980 <+64>:   lea    0xfffff4e5,%ebp
   0xb7e36986 <+70>:   call   0xb7e361c0 <_vpaes_preheat>
---Type <return> to continue, or q <return> to quit---
   0xb7e3698b <+75>:   cmp    $0x0,%ecx
   0xb7e3698e <+78>:   je     0xb7e369d0 <vpaes_cbc_encrypt+144>
   0xb7e36990 <+80>:   jmp    0xb7e369a0 <vpaes_cbc_encrypt+96>
   0xb7e36992 <+82>:   lea    0x0(%esi,%eiz,1),%esi
   0xb7e36999 <+89>:   lea    0x0(%edi,%eiz,1),%edi
   0xb7e369a0 <+96>:   movdqu (%esi),%xmm0
   0xb7e369a4 <+100>: pxor   %xmm1,%xmm0
   0xb7e369a8 <+104>: call   0xb7e361d0 <_vpaes_encrypt_core>
   0xb7e369ad <+109>:  mov    (%esp),%ebx
   0xb7e369b0 <+112>: mov    0x4(%esp),%edx
   0xb7e369b4 <+116>: movdqa %xmm0,%xmm1
   0xb7e369b8 <+120>: movdqu %xmm0,(%ebx,%esi,1)
   0xb7e369bd <+125>: lea    0x10(%esi),%esi
   0xb7e369c0 <+128>: sub    $0x10,%edi
   0xb7e369c3 <+131>: jae    0xb7e369a0 <vpaes_cbc_encrypt+96>
   0xb7e369c5 <+133>: jmp    0xb7e36a05 <vpaes_cbc_encrypt+197>
   0xb7e369c7 <+135>: mov    %esi,%esi
   0xb7e369c9 <+137>: lea    0x0(%edi,%eiz,1),%edi
   0xb7e369d0 <+144>: movdqu (%esi),%xmm0
   0xb7e369d4 <+148>: movdqa %xmm1,0x10(%esp)
   0xb7e369da <+154>:  movdqa %xmm0,0x20(%esp)
   0xb7e369e0 <+160>: call   0xb7e36310 <_vpaes_decrypt_core>
   0xb7e369e5 <+165>: mov    (%esp),%ebx
   0xb7e369e8 <+168>: mov    0x4(%esp),%edx
---Type <return> to continue, or q <return> to quit---
   0xb7e369ec <+172>:  pxor   0x10(%esp),%xmm0
   0xb7e369f2 <+178>:  movdqa 0x20(%esp),%xmm1
   0xb7e369f8 <+184>:  movdqu %xmm0,(%ebx,%esi,1)
=> 0xb7e369fd <+189>:         lea    0x10(%esi),%esi
   0xb7e36a00 <+192>: sub    $0x10,%edi
   0xb7e36a03 <+195>: jae    0xb7e369d0 <vpaes_cbc_encrypt+144>
   0xb7e36a05 <+197>: mov    0x8(%esp),%ebx
   0xb7e36a09 <+201>: mov    0x30(%esp),%esp
   0xb7e36a0d <+205>:  movdqu %xmm1,(%ebx)
   0xb7e36a11 <+209>: pop    %edi
   0xb7e36a12 <+210>: pop    %esi
   0xb7e36a13 <+211>: pop    %ebx
   0xb7e36a14 <+212>: pop    %ebp
   0xb7e36a15 <+213>: ret
End of assembler dump.
(gdb) info reg
eax            0x0      0
ecx            0xb7e35f90   -1209835632
edx            0x80084ae8  -2146940184
ebx            0x3018         12312
esp            0xbfffb070    0xbfffb070
ebp            0xb7e35e70  0xb7e35e70
esi            0x80081bb8   -2146952264
edi            0xffffebb0      -5200
eip            0xb7e369fd    0xb7e369fd <vpaes_cbc_encrypt+189>
eflags         0x246 [ PF ZF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0       0
gs             0x33     51




Sincerely,

Michael Russo, Systems Engineer
PaperSolve, Inc.
268 Watchogue Road
Staten Island, NY 10314

Well I executed this right after the ‘where’ from last time (still had it up in a window though the connection has long since timed out):

(gdb) info reg

eax 0x0 0

ecx 0xb7e35f90 -1209835632

edx 0x80084ae8 -2146940184

ebx 0x3018 12312

esp 0xbfffb070 0xbfffb070

ebp 0xb7e35e70 0xb7e35e70

esi 0x80081bb8 -2146952264

edi 0xffffebb0 -5200

eip 0xb7e369fd 0xb7e369fd <vpaes_cbc_encrypt+189>

eflags 0x246 [ PF ZF IF ]

cs 0x73 115

ss 0x7b 123

ds 0x7b 123

es 0x7b 123

fs 0x0 0

gs 0x33 51

(gdb) disassemble

Dump of assembler code for function vpaes_cbc_encrypt:

0xb7e36940 <+0>: push %ebp

0xb7e36941 <+1>: push %ebx

0xb7e36942 <+2>: push %esi

0xb7e36943 <+3>: push %edi

0xb7e36944 <+4>: mov 0x14(%esp),%esi

0xb7e36948 <+8>: mov 0x18(%esp),%edi

0xb7e3694c <+12>: mov 0x1c(%esp),%eax

0xb7e36950 <+16>: mov 0x20(%esp),%edx

0xb7e36954 <+20>: lea -0x38(%esp),%ebx

0xb7e36958 <+24>: mov 0x24(%esp),%ebp

0xb7e3695c <+28>: and $0xfffffff0,%ebx

0xb7e3695f <+31>: mov 0x28(%esp),%ecx

0xb7e36963 <+35>: xchg %esp,%ebx

0xb7e36965 <+37>: movdqu 0x0(%ebp),%xmm1

0xb7e3696a <+42>: sub %esi,%edi

0xb7e3696c <+44>: mov %ebx,0x30(%esp)

0xb7e36970 <+48>: mov %edi,(%esp)

0xb7e36973 <+51>: sub $0x10,%eax

0xb7e36976 <+54>: mov %edx,0x4(%esp)

0xb7e3697a <+58>: mov %ebp,0x8(%esp)

0xb7e3697e <+62>: mov %eax,%edi

0xb7e36980 <+64>: lea 0xfffff4e5,%ebp

0xb7e36986 <+70>: call 0xb7e361c0 <_vpaes_preheat>

---Type <return> to continue, or q <return> to quit---

0xb7e3698b <+75>: cmp $0x0,%ecx

0xb7e3698e <+78>: je 0xb7e369d0 <vpaes_cbc_encrypt+144>

0xb7e36990 <+80>: jmp 0xb7e369a0 <vpaes_cbc_encrypt+96>

0xb7e36992 <+82>: lea 0x0(%esi,%eiz,1),%esi

0xb7e36999 <+89>: lea 0x0(%edi,%eiz,1),%edi

0xb7e369a0 <+96>: movdqu (%esi),%xmm0

0xb7e369a4 <+100>: pxor %xmm1,%xmm0

0xb7e369a8 <+104>: call 0xb7e361d0 <_vpaes_encrypt_core>

0xb7e369ad <+109>: mov (%esp),%ebx

0xb7e369b0 <+112>: mov 0x4(%esp),%edx

0xb7e369b4 <+116>: movdqa %xmm0,%xmm1

0xb7e369b8 <+120>: movdqu %xmm0,(%ebx,%esi,1)

0xb7e369bd <+125>: lea 0x10(%esi),%esi

0xb7e369c0 <+128>: sub $0x10,%edi

0xb7e369c3 <+131>: jae 0xb7e369a0 <vpaes_cbc_encrypt+96>

0xb7e369c5 <+133>: jmp 0xb7e36a05 <vpaes_cbc_encrypt+197>

0xb7e369c7 <+135>: mov %esi,%esi

0xb7e369c9 <+137>: lea 0x0(%edi,%eiz,1),%edi

0xb7e369d0 <+144>: movdqu (%esi),%xmm0

0xb7e369d4 <+148>: movdqa %xmm1,0x10(%esp)

0xb7e369da <+154>: movdqa %xmm0,0x20(%esp)

0xb7e369e0 <+160>: call 0xb7e36310 <_vpaes_decrypt_core>

0xb7e369e5 <+165>: mov (%esp),%ebx

0xb7e369e8 <+168>: mov 0x4(%esp),%edx

---Type <return> to continue, or q <return> to quit---

0xb7e369ec <+172>: pxor 0x10(%esp),%xmm0

0xb7e369f2 <+178>: movdqa 0x20(%esp),%xmm1

0xb7e369f8 <+184>: movdqu %xmm0,(%ebx,%esi,1)

=> 0xb7e369fd <+189>: lea 0x10(%esi),%esi

0xb7e36a00 <+192>: sub $0x10,%edi

0xb7e36a03 <+195>: jae 0xb7e369d0 <vpaes_cbc_encrypt+144>

0xb7e36a05 <+197>: mov 0x8(%esp),%ebx

0xb7e36a09 <+201>: mov 0x30(%esp),%esp

0xb7e36a0d <+205>: movdqu %xmm1,(%ebx)

0xb7e36a11 <+209>: pop %edi

0xb7e36a12 <+210>: pop %esi

0xb7e36a13 <+211>: pop %ebx

0xb7e36a14 <+212>: pop %ebp

0xb7e36a15 <+213>: ret

End of assembler dump.