Foundations of Linux Debugging, Disassembling,

and Reversing: Analyze Binary Code, Understand

Stack Memory Usage, and Reconstruct C/C++ Code
with Intel x64 1st Edition Dmitry Vostokov
install download
https://ebookmeta.com/product/foundations-of-linux-debugging-
disassembling-and-reversing-analyze-binary-code-understand-stack-
memory-usage-and-reconstruct-c-c-code-with-intel-x64-1st-edition-
dmitry-vostokov/

Download more ebook from https://ebookmeta.com

We believe these products will be a great fit for you. Click
the link to download now, or visit ebookmeta.com
to discover even more!

Foundations of ARM64 Linux Debugging, Disassembling,

and Reversing: Analyze Code, Understand Stack Memory
Usage, and Reconstruct Original C/C++ Code with ARM64
1st Edition Dmitry Vostokov
https://ebookmeta.com/product/foundations-of-arm64-linux-
debugging-disassembling-and-reversing-analyze-code-understand-
stack-memory-usage-and-reconstruct-original-c-c-code-with-
arm64-1st-edition-dmitry-vostokov/

Cambridge IGCSE and O Level History Workbook 2C - Depth

Study: the United States, 1919-41 2nd Edition Benjamin
Harrison

https://ebookmeta.com/product/cambridge-igcse-and-o-level-
history-workbook-2c-depth-study-the-united-states-1919-41-2nd-
edition-benjamin-harrison/

Accelerated Linux Core Dump Analysis Third Edition

Dmitry Vostokov

https://ebookmeta.com/product/accelerated-linux-core-dump-
analysis-third-edition-dmitry-vostokov/

The Archive Project Archival Research in the Social

Sciences 1st Edition Niamh Moore

https://ebookmeta.com/product/the-archive-project-archival-
research-in-the-social-sciences-1st-edition-niamh-moore/
The Silver Crown: An Alien Sci-Fi Harem Adventure (The
Makalang Book 8) 1st Edition Michael Dalton

https://ebookmeta.com/product/the-silver-crown-an-alien-sci-fi-
harem-adventure-the-makalang-book-8-1st-edition-michael-dalton-2/

Love Unfu*ked 1st Edition Gary John Bishop

https://ebookmeta.com/product/love-unfuked-1st-edition-gary-john-
bishop/

The Tundzha Regional Archaeology Project Surface Survey

Palaeoecology and Associated Studies in Central and
Southeast Bulgaria 2009 2015 Final Report Shawn A Ross
Editor Adela Sobotkova Editor Julia Tzvetkova Editor
Georgi Nekhrizov Editor Simon Connor Editor
https://ebookmeta.com/product/the-tundzha-regional-archaeology-
project-surface-survey-palaeoecology-and-associated-studies-in-
central-and-southeast-bulgaria-2009-2015-final-report-shawn-a-
ross-editor-adela-sobotkova-editor-julia-t/

DEVELOPING HOSPITALITY PROPERTIES AND FACILITIES 3rd

Edition Developing Hospitality Properties And
Facilities

https://ebookmeta.com/product/developing-hospitality-properties-
and-facilities-3rd-edition-developing-hospitality-properties-and-
facilities/

Managerial Economics 12th Edition Christopher Thomas

https://ebookmeta.com/product/managerial-economics-12th-edition-
christopher-thomas/
Special Delivery Friends to Lovers Love After Romance
Divorce Romance Forever Stamps Book 3 1st Edition
Piper Cook

https://ebookmeta.com/product/special-delivery-friends-to-lovers-
love-after-romance-divorce-romance-forever-stamps-book-3-1st-
edition-piper-cook/
Foundations of Linux
Debugging, Disassembling,
and Reversing
Analyze Binary Code, Understand
Stack Memory Usage, and Reconstruct
C/C++ Code with Intel x64
—
Dmitry Vostokov
Foundations of Linux
Debugging,
Disassembling, and
Reversing
Analyze Binary Code,
Understand Stack Memory
Usage, and Reconstruct C/C++
Code with Intel x64

Dmitry Vostokov
Foundations of Linux Debugging, Disassembling, and Reversing: Analyze
Binary Code, Understand Stack Memory Usage, and Reconstruct C/C++
Code with Intel x64
Dmitry Vostokov
Dublin, Ireland

ISBN-13 (pbk): 978-1-4842-9152-8 ISBN-13 (electronic): 978-1-4842-9153-5

https://doi.org/10.1007/978-1-4842-9153-5

Copyright © 2023 by Dmitry Vostokov

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or
part of the material is concerned, specifically the rights of translation, reprinting, reuse of
illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way,
and transmission or information storage and retrieval, electronic adaptation, computer software,
or by similar or dissimilar methodology now known or hereafter developed.
Trademarked names, logos, and images may appear in this book. Rather than use a trademark
symbol with every occurrence of a trademarked name, logo, or image we use the names, logos,
and images only in an editorial fashion and to the benefit of the trademark owner, with no
intention of infringement of the trademark.
The use in this publication of trade names, trademarks, service marks, and similar terms, even if
they are not identified as such, is not to be taken as an expression of opinion as to whether or not
they are subject to proprietary rights.
While the advice and information in this book are believed to be true and accurate at the date of
publication, neither the authors nor the editors nor the publisher can accept any legal
responsibility for any errors or omissions that may be made. The publisher makes no warranty,
express or implied, with respect to the material contained herein.
Managing Director, Apress Media LLC: Welmoed Spahr
Acquisitions Editor: Celestin Suresh John
Development Editor: James Markham
Coordinating Editor: Mark Powers
Cover designed by eStudioCalamar
Cover image by Eugene Golovesov on Unsplash (www.unsplash.com)
Distributed to the book trade worldwide by Apress Media, LLC, 1 New York Plaza, New York, NY
10004, U.S.A. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail [email protected],
or visit www.springeronline.com. Apress Media, LLC is a California LLC and the sole member
(owner) is Springer Science + Business Media Finance Inc (SSBM Finance Inc). SSBM Finance
Inc is a Delaware corporation.
For information on translations, please e-mail [email protected]; for
reprint, paperback, or audio rights, please e-mail [email protected].
Apress titles may be purchased in bulk for academic, corporate, or promotional use. eBook
versions and licenses are also available for most titles. For more information, reference our Print
and eBook Bulk Sales web page at http://www.apress.com/bulk-sales.
Any source code or other supplementary material referenced by the author in this book is
available to readers on GitHub (https://github.com/Apress). For more detailed information,
please visit http://www.apress.com/source-code.
Printed on acid-free paper
Table of Contents
About the Author���������������������������������������������������������������������������������ix

About the Technical Reviewer�������������������������������������������������������������xi

Preface����������������������������������������������������������������������������������������������xiii

Chapter 1: Memory, Registers, and Simple Arithmetic�������������������������1

Memory and Registers Inside an Idealized Computer������������������������������������������1
Memory and Registers Inside Intel 64-Bit PC�������������������������������������������������������2
“Arithmetic” Project: Memory Layout and Registers��������������������������������������������3
“Arithmetic” Project: A Computer Program�����������������������������������������������������������5
“Arithmetic” Project: Assigning Numbers to Memory Locations���������������������������5
Assigning Numbers to Registers���������������������������������������������������������������������������8
“Arithmetic” Project: Adding Numbers to Memory Cells���������������������������������������8
Incrementing/Decrementing Numbers in Memory and Registers�����������������������11
Multiplying Numbers�������������������������������������������������������������������������������������������14
Summary������������������������������������������������������������������������������������������������������������17

Chapter 2: Code Optimization�������������������������������������������������������������19

“Arithmetic” Project: C/C++ Program�����������������������������������������������������������������19
Downloading GDB�����������������������������������������������������������������������������������������������20
GDB Disassembly Output – No Optimization�������������������������������������������������������20
GDB Disassembly Output – Optimization������������������������������������������������������������25
Summary������������������������������������������������������������������������������������������������������������26

iii
Table of Contents

Chapter 3: Number Representations��������������������������������������������������27

Numbers and Their Representations�������������������������������������������������������������������27
Decimal Representation (Base Ten)��������������������������������������������������������������������28
Ternary Representation (Base Three)������������������������������������������������������������������29
Binary Representation (Base Two)����������������������������������������������������������������������29
Hexadecimal Representation (Base Sixteen)������������������������������������������������������30
Why Are Hexadecimals Used?�����������������������������������������������������������������������������30
Summary������������������������������������������������������������������������������������������������������������32

Chapter 4: Pointers�����������������������������������������������������������������������������33
A Definition���������������������������������������������������������������������������������������������������������33
“Pointers” Project: Memory Layout and Registers����������������������������������������������34
“Pointers” Project: Calculations��������������������������������������������������������������������������36
Using Pointers to Assign Numbers to Memory Cells�������������������������������������������36
Adding Numbers Using Pointers�������������������������������������������������������������������������42
Incrementing Numbers Using Pointers���������������������������������������������������������������45
Multiplying Numbers Using Pointers�������������������������������������������������������������������48
Summary������������������������������������������������������������������������������������������������������������51

Chapter 5: Bytes, Words, Double, and Quad Words�����������������������������53

Using Hexadecimal Numbers������������������������������������������������������������������������������53
Byte Granularity��������������������������������������������������������������������������������������������������53
Bit Granularity�����������������������������������������������������������������������������������������������������54
Memory Layout���������������������������������������������������������������������������������������������������55
Summary������������������������������������������������������������������������������������������������������������58

Chapter 6: Pointers to Memory�����������������������������������������������������������59

Pointers Revisited�����������������������������������������������������������������������������������������������59
Addressing Types������������������������������������������������������������������������������������������������59

iv
 Table of Contents

Registers Revisited���������������������������������������������������������������������������������������������65
NULL Pointers�����������������������������������������������������������������������������������������������������65
Invalid Pointers���������������������������������������������������������������������������������������������������65
Variables As Pointers������������������������������������������������������������������������������������������66
Pointer Initialization��������������������������������������������������������������������������������������������67
Initialized and Uninitialized Data�������������������������������������������������������������������������67
More Pseudo Notation�����������������������������������������������������������������������������������������68
“MemoryPointers” Project: Memory Layout�������������������������������������������������������68
Summary������������������������������������������������������������������������������������������������������������79

Chapter 7: Logical Instructions and RIP���������������������������������������������81

Instruction Format����������������������������������������������������������������������������������������������81
Logical Shift Instructions������������������������������������������������������������������������������������82
Logical Operations����������������������������������������������������������������������������������������������82
Zeroing Memory or Registers�����������������������������������������������������������������������������83
Instruction Pointer�����������������������������������������������������������������������������������������������84
Code Section�������������������������������������������������������������������������������������������������������85
Summary������������������������������������������������������������������������������������������������������������86

Chapter 8: Reconstructing a Program with Pointers��������������������������87

Example of Disassembly Output: No Optimization����������������������������������������������87
Reconstructing C/C++ Code: Part 1��������������������������������������������������������������������90
Reconstructing C/C++ Code: Part 2��������������������������������������������������������������������92
Reconstructing C/C++ Code: Part 3��������������������������������������������������������������������93
Reconstructing C/C++ Code: C/C++ Program����������������������������������������������������94
Example of Disassembly Output: Optimized Program�����������������������������������������95
Summary������������������������������������������������������������������������������������������������������������96

v
Table of Contents

Chapter 9: Memory and Stacks����������������������������������������������������������97

Stack: A Definition�����������������������������������������������������������������������������������������������97
Stack Implementation in Memory�����������������������������������������������������������������������98
Things to Remember�����������������������������������������������������������������������������������������100
PUSH Instruction�����������������������������������������������������������������������������������������������101
POP Instruction�������������������������������������������������������������������������������������������������101
Register Review������������������������������������������������������������������������������������������������102
Application Memory Simplified�������������������������������������������������������������������������105
Stack Overflow��������������������������������������������������������������������������������������������������105
Jumps���������������������������������������������������������������������������������������������������������������106
Calls������������������������������������������������������������������������������������������������������������������108
Call Stack����������������������������������������������������������������������������������������������������������110
Exploring Stack in GDB�������������������������������������������������������������������������������������112
Summary����������������������������������������������������������������������������������������������������������115

Chapter 10: Frame Pointer and Local Variables�������������������������������117

Stack Usage������������������������������������������������������������������������������������������������������117
Register Review������������������������������������������������������������������������������������������������118
Addressing Array Elements�������������������������������������������������������������������������������118
Stack Structure (No Function Parameters)�������������������������������������������������������119
Function Prolog�������������������������������������������������������������������������������������������������121
Raw Stack (No Local Variables and Function Parameters)�������������������������������121
Function Epilog�������������������������������������������������������������������������������������������������123
“Local Variables” Project����������������������������������������������������������������������������������124
Disassembly of Optimized Executable��������������������������������������������������������������127
Summary����������������������������������������������������������������������������������������������������������128

vi
 Table of Contents

Chapter 11: Function Parameters�����������������������������������������������������129

“FunctionParameters” Project��������������������������������������������������������������������������129
Stack Structure�������������������������������������������������������������������������������������������������130
Function Prolog and Epilog�������������������������������������������������������������������������������132
Project Disassembled Code with Comments����������������������������������������������������133
Parameter Mismatch Problem��������������������������������������������������������������������������137
Summary����������������������������������������������������������������������������������������������������������138

Chapter 12: More Instructions����������������������������������������������������������139

CPU Flags Register��������������������������������������������������������������������������������������������139
The Fast Way to Fill Memory�����������������������������������������������������������������������������140
Testing for 0������������������������������������������������������������������������������������������������������141
TEST – Logical Compare�����������������������������������������������������������������������������������142
CMP – Compare Two Operands�������������������������������������������������������������������������143
TEST or CMP?���������������������������������������������������������������������������������������������������144
Conditional Jumps��������������������������������������������������������������������������������������������144
The Structure of Registers��������������������������������������������������������������������������������145
Function Return Value���������������������������������������������������������������������������������������146
Using Byte Registers�����������������������������������������������������������������������������������������146
Summary����������������������������������������������������������������������������������������������������������147

Chapter 13: Function Pointer Parameters����������������������������������������149

“FunctionPointerParameters” Project���������������������������������������������������������������149
Commented Disassembly���������������������������������������������������������������������������������150
Summary����������������������������������������������������������������������������������������������������������159

vii
Table of Contents

Chapter 14: Summary of Code Disassembly Patterns����������������������161

Function Prolog/Epilog��������������������������������������������������������������������������������������161
LEA (Load Effective Address)����������������������������������������������������������������������������164
Passing Parameters������������������������������������������������������������������������������������������164
Accessing Parameters and Local Variables������������������������������������������������������165
Summary����������������������������������������������������������������������������������������������������������166

Index�������������������������������������������������������������������������������������������������167

viii
About the Author
Dmitry Vostokov is an internationally
recognized expert, speaker, educator, scientist,
and author. He is the founder of the pattern-
oriented software diagnostics, forensics,
and prognostics discipline and Software
Diagnostics Institute (DA+TA: DumpAnalysis.
org + TraceAnalysis.org). Vostokov has also
authored more than 50 books on software
diagnostics, anomaly detection and analysis,
software and memory forensics, root cause analysis and problem solving,
memory dump analysis, debugging, software trace and log analysis,
reverse engineering, and malware analysis. He has more than 25 years
of experience in software architecture, design, development, and
maintenance in various industries, including leadership, technical, and
people management roles. Dmitry also founded Syndromatix, Anolog.
io, BriteTrace, DiaThings, Logtellect, OpenTask Iterative and Incremental
Publishing (OpenTask.com), Software Diagnostics Technology and
Services (former Memory Dump Analysis Services; PatternDiagnostics.
com), and Software Prognostics. In his spare time, he presents various
topics on Debugging TV and explores Software Narratology, its further
development as Narratology of Things and Diagnostics of Things (DoT),
and Software Pathology. His current areas of interest are theoretical
software diagnostics and its mathematical and computer science
foundations, application of artificial intelligence, machine learning and

ix
About the Author

data mining to diagnostics and anomaly detection, software diagnostics

engineering and diagnostics-driven development, and diagnostics
workflow and interaction. Recent areas of interest also include cloud
native computing, security, automation, functional programming, and
applications of category theory to software development and big data.

x
About the Technical Reviewer
Vikas Talan is a senior engineer at Qualcomm
(an American multinational corporation). He is
the founder of S.M.A.R.T Solutions, a technical
company. He also worked at MediaTek and
Cadence in core technical domains. He has
in-depth experience in Linux kernel
programming, Linux device drivers, ARM 64,
ARM, and porting of Android OS and Linux
drivers on chipsets. He hails from Delhi
NCR, India.

xi
Preface
The book covers topics ranging from Intel x64 assembly language
instructions and writing programs in assembly language to pointers, live
debugging, and static binary analysis of compiled C and C++ code.
Diagnostics of core memory dumps, live and postmortem debugging
of Linux applications, services, and systems, memory forensics, malware,
and vulnerability analysis require an understanding of x64 Intel assembly
language and how C and C++ compilers generate code, including
memory layout and pointers. This book is about background knowledge
and practical foundations that are needed to understand internal Linux
program structure and behavior, start working with the GDB debugger, and
use it for disassembly and reversing. It consists of practical step-by-step
exercises of increasing complexity with explanations and many diagrams,
including some necessary background topics.
By the end of the book, you will have a solid understanding of how
Linux C and C++ compilers generate binary code. In addition, you will be
able to analyze such code confidently, understand stack memory usage,
and reconstruct original C/C++ code.
The book will be useful for

• Software technical support and escalation engineers

• Software engineers coming from JVM background

• Software testers

• Engineers coming from non-Linux environments, for

example, Windows or Mac OS X

xiii
Preface

• Linux C/C++ software engineers without assembly

language background

• Security researchers without assembly language

background

• Beginners learning Linux software reverse engineering

techniques

This book can also be used as an x64 assembly language and Linux
debugging supplement for relevant undergraduate-level courses.

Source Code
All source code used in this book can be downloaded from github.com/
apress/linux-debugging-disassembling-reversing.

xiv
CHAPTER 1

Memory, Registers,
and Simple Arithmetic
 emory and Registers Inside
M
an Idealized Computer
Computer memory consists of a sequence of memory cells, and each cell
has a unique address (location). Every cell contains a “number.” We refer
to these “numbers” as contents at addresses (locations). Because memory
access is slower than arithmetic instructions, there are so-called registers
to speed up complex operations that require memory to store temporary
results. We can also think about them as stand-alone memory cells. The
name of a register is its address. Figure 1-1 illustrates this concept.

© Dmitry Vostokov 2023 1

D. Vostokov, Foundations of Linux Debugging, Disassembling, and Reversing,
https://doi.org/10.1007/978-1-4842-9153-5_1
Chapter 1 Memory, Registers, and Simple Arithmetic

Figure 1-1. Computer memory represented as a sequence of memory

cells and locations

 emory and Registers Inside Intel

M
64-Bit PC
Figure 1-2 shows addresses for memory locations containing integer
values usually differ by four or eight, and we also show two registers called
%RAX and %RDX. The first halves of them are called %EAX and %EDX.

2
 Chapter 1 Memory, Registers, and Simple Arithmetic

Figure 1-2. Typical Intel x64 memory and register layout

Because memory cells contain “numbers,” we start with simple

arithmetic and ask a PC to compute the sum of two numbers to see how
memory and registers change their values.

“ Arithmetic” Project: Memory Layout

and Registers
For our project, we have two memory addresses (locations) that we call
“a” and “b.” We can think about “a” and “b” as names of their respective
addresses (locations). Now we introduce a special notation where (a) means

3
Chapter 1 Memory, Registers, and Simple Arithmetic

contents at the memory address (location) “a.” If we use the C or C++

language to write our project, we declare and define memory locations “a”
and “b” as

static int a, b;

By default, when we load a program, static memory locations are filled

with zeroes, and we can depict our initial memory layout after loading the
program, as shown in Figure 1-3.

Figure 1-3. Initial memory layout after loading the program

4
 Chapter 1 Memory, Registers, and Simple Arithmetic

“Arithmetic” Project: A Computer Program

We can think of a computer program as a sequence of instructions for
the manipulation of contents of memory cells and registers. For example,
addition operation: add the contents of memory cell №12 to the contents
of memory cell №14. In our pseudo-code, we can write

(14) + (12) -> (14)

Our first program in pseudo-code is shown on the left of the table:

1 -> (a) Here, we put assembly instructions corresponding

1 -> (b) to pseudo-code.
(b) + (a) -> (b)
(a) + 1 -> (a)
(b) * (a) -> (b)

“->” means moving (assigning) the new value to the contents of a

memory location (address). “;” is a comment sign, and the rest of the line is
a comment. “=” shows the current value at a memory location (address).
To remind, a code written in a high-level programming language is
translated to a machine language by a compiler. However, the machine
language can be readable if its digital codes are represented in some
mnemonic system called assembly language. For example, INC a is
increment by one of what is stored at a memory location “a.”

“ Arithmetic” Project: Assigning Numbers

to Memory Locations
We remind that “a” means location (address) of the memory cell, and it is
also the name of the location (address) 000055555555802c (see Figure 1-3).
(a) means the contents (number) stored at the address “a.”

5
Chapter 1 Memory, Registers, and Simple Arithmetic

If we use the C or C++ language, “a” is called “the variable a,” and we
write the assignment as

a = 1;

In the Intel assembly language, we write

mov $1, a

In the GDB disassembly output, we see the following code where the
variable “a” and address are shown in comments:

movl   $0x1,0x2ef2(%rip)        # 0x55555555802c <a>

We show the translation of our pseudo-code into assembly language in

the right column:

1 -> (a)          ; (a) = 1 movl $1, a

1 -> (b)          ; (b) = 1 movl $1, b
(b) + (a) -> (b)
(a) + 1 -> (a)
(b) * (a) -> (b)

Notice movl instructions instead of mov. This is because “a” and “b”
can point to both 32-bit (like %EAX or %EDX registers) and 64-bit memory
cells (like %RAX and %RDX registers). In the registers’ case, it is clear from
their names whether we use 64-bit %RAX or 32-bit %EAX. But in the case
of memory addresses “a” and “b,” it is not clear whether they refer to 64-bit
or 32-bit cells. We use movl to disambiguate and show that we use 32-bit
memory cells that are enough to hold integers from 0 to 4294967295.
0x2ef2(%rip) is how the compiler generates code to calculate the
address “a” instead of specifying it directly. Such code requires less
memory space. We explain this in later chapters.

6
 Chapter 1 Memory, Registers, and Simple Arithmetic

Literal constants have the $ prefix, for example, $0x1. The 0x prefix
means the following number is hexadecimal. The leading four zeroes of
the address are also omitted in the comment. We explain such numbers in
Chapter 3. Please also notice that the movement direction is the same in
both the disassembly output and the pseudo-code: from left to right.
After executing the first two assembly language instructions, we have
the memory layout shown in Figure 1-4.

Figure 1-4. Memory layout after executing the first two assembly
language instructions

7
Chapter 1 Memory, Registers, and Simple Arithmetic

Assigning Numbers to Registers

This is similar to memory assignments. We can write in pseudo-code:

1 -> register
(a) -> register

Note that we do not use brackets when we refer to register contents.

The latter instruction means assigning (copying) the number at the
location (address) “a” to a register.
In assembly language, we write

mov  $1, %eax   # 1 is copied to the first half of %RAX

register
mov  $1, %rax   # full contents of %RAX register are
replaced with 1
mov  a, %eax
mov  a, %rax

In the GDB disassembly output, we may see the following code:

mov    $0x0,%eax

“ Arithmetic” Project: Adding Numbers

to Memory Cells
Now let’s look at the following pseudo-code statement in more detail:

(b) + (a) -> (b)

To recall, “a” and “b” mean the names of locations (addresses)

000055555555802c and 0000555555558030, respectively (see Figure 1-4).
(a) and (b) mean contents at addresses “a” and “b,” respectively, simply
some numbers stored there.

8
 Chapter 1 Memory, Registers, and Simple Arithmetic

In the C or C++ language, we write the following statement:

b = b + a;
b += a;

In assembly language, we use the instruction ADD. Because of AMD64

and Intel EM64T architecture’s limitations, we cannot use both memory
addresses in one step (instruction), for example, add a, b. We can only use
the add register, b instruction to add the value stored in the register to
the contents of the memory cell b. Recall that a register is like a temporary
memory cell itself here:

(a) -> register

(b) + register -> (b)

Alternatively, we can use two registers:

(a) -> register1

(b) -> register2
register2 + register1 -> register2
register2 -> (b)

In assembly language, we write

mov a, %eax
add %eax, b

or we can add two registers and move the result to the memory cell b:

mov b, %edx
mov a, %eax
add %edx, %eax
mov %eax, b

9
Chapter 1 Memory, Registers, and Simple Arithmetic

In the GDB disassembly output, we may see the following code:

mov    0x2ee6(%rip),%edx        # 0x555555558030 <b>

mov    0x2edc(%rip),%eax        # 0x55555555802c <a>
add    %edx,%eax
mov    %eax,0x2ed8(%rip)        # 0x555555558030 <b>

Now we can translate our pseudo-code into assembly language:

1 -> (a)          ; (a) = 1 movl $1, a

1 -> (b)          ; (b) = 1 movl $1, b
(b) + (a) -> (b)  ; %eax = 1 mov a, %eax
; %edx = 1     mov  b, %edx
; %eax = 2
   add  %edx, %eax
; (b) = 2
   mov %eax, b
(a) + 1 -> (a)
(b) * (a) -> (b)

After the execution of ADD and MOV instructions, we have the

memory layout illustrated in Figure 1-5.

10
 Chapter 1 Memory, Registers, and Simple Arithmetic

Figure 1-5. Memory layout after executing ADD and MOV

instructions

Incrementing/Decrementing Numbers
in Memory and Registers
In pseudo-code, it looks simple and means increment (decrement) a
number stored at the location (address) “a”:

(a) + 1 -> (a)

(a) – 1 -> (a)

11
Chapter 1 Memory, Registers, and Simple Arithmetic

In the C or C++ language, we can write this using three possible ways:

a = a + 1;
++a;
a++;
b = b – 1;
--b;
b--;

In assembly language, we use instructions INC and DEC and write

incl    a
inc     %eax
decl    a
dec     %eax

We use incl when we need to specify the 32-bit memory cell. It is

ambiguous when we use “a.” However, using %eax implies using 32-bit
values, so inc is unambiguous.
In the GDB disassembly output, we may see the same instruction:

inc    %eax

or

add    $0x1,%eax   # a compiler may decide to use ADD

instead of INC

12
 Chapter 1 Memory, Registers, and Simple Arithmetic

Now we add the assembly language translation of increment:

1 -> (a)          ; (a) = 1 movl $1, a

1 -> (b)          ; (b) = 1 movl $1, b
(b) + (a) -> (b)  ; %eax = 1 mov a, %eax
; %edx = 1 mov  b, %edx
; %eax = 2 add  %edx, %eax
; (b) = 2 mov %eax, b
(a) + 1 -> (a)    ; %eax = 1 mov  a, %eax
; %eax = 2 add  $1, %eax
; (a) = 2 mov  %eax, a
(b) * (a) -> (b)

After the execution of INC or ADD instruction, we have the memory

layout illustrated in Figure 1-6.

13
Chapter 1 Memory, Registers, and Simple Arithmetic

Figure 1-6. Memory layout after the execution of INC or ADD

instruction

Multiplying Numbers
In pseudo-code, we write

(b) * (a) -> (b)

It means that we multiply the number at the location (address) “b” by

the number at the location (address) “a.”
In the C or C++ language, we can write that using two ways:

b =  b * a;
b *= a;

14
 Chapter 1 Memory, Registers, and Simple Arithmetic

In assembly language, we use instruction IMUL (Integer MULtiply)

and write

mov  a, %eax
imul b, %eax
mov  %eax, b

The multiplication instruction means (b) * %eax -> %eax, and we

must put the contents of “a” into %EAX. The multiplication result is put
into the register %EAX, and its contents are saved at the location (address)
“b.” Alternatively, we may put all multiplication operands into registers:

mov  a, %eax
mov  b, %edx
imul %edx, %eax
mov  %eax, b

In the GDB disassembly output, we may see the following code:

mov    0x2ec3(%rip),%edx        # 0x555555558030 <b>

mov    0x2eb9(%rip),%eax        # 0x55555555802c <a>
imul   %edx,%eax
mov    %eax,0x2eb4(%rip)        # 0x555555558030 <b>

15
Chapter 1 Memory, Registers, and Simple Arithmetic

Now we add two additional assembly instructions to our pseudo-code

assembly language translation:

1 -> (a)          ; (a) = 1 movl $1, a

1 -> (b)          ; (b) = 1 movl $1, b
(b) + (a) -> (b)  ; %eax = 1 mov a, %eax
; %edx = 1 mov  b, %edx
; %eax = 2 add  %edx, %eax
; (b) = 2 mov %eax, b
(a) + 1 -> (a)    ; %eax = 1 mov  a, %eax
; %eax = 2 add  $1, %eax
; (a) = 2 mov  %eax, a
(b) * (a) -> (b)  ; %edx = 2 mov  b, %edx
; %eax = 2 mov  a, %eax
; %eax = 4 imul %edx, %eax
; (b) = 4 mov  %eax, b

After the execution of IMUL and MOV instructions, we have the

memory layout illustrated in Figure 1-7.

16
 Chapter 1 Memory, Registers, and Simple Arithmetic

Figure 1-7. Memory layout after the execution of IMUL and MOV
instructions

Summary
This chapter introduced CPU registers and explained the memory layout
of a simple arithmetic program. We learned basic x64 instructions and
manually translated simple C and C++ code to assembly language.
The next chapter looks at assembly language code produced by a
debugger via disassembling binary code. Then, we reverse it to C and C++
code. We also compare the disassembly output of nonoptimized code to
optimized code.

17
CHAPTER 2

Code Optimization
“Arithmetic” Project: C/C++ Program
Let’s rewrite our “Arithmetic” program in C/C++. Corresponding assembly
language instructions are put in comments:

int a, b;

int main(int argc, char* argv[])

{
      a = 1;               // movl $1, a

      b = 1;               // movl $1, b

      b = b + a;           // mov  a, %eax

                           // mov  b, %edx
                           // add  %edx, %eax
                           // mov  %eax, b

      ++a;                 // mov  a, %eax

                           // add  $1, %eax
                           // mov  %eax, a

© Dmitry Vostokov 2023 19

D. Vostokov, Foundations of Linux Debugging, Disassembling, and Reversing,
https://doi.org/10.1007/978-1-4842-9153-5_2
Chapter 2 Code Optimization

      b = b * a;           // mov  b, %edx

                           // mov  a, %eax
                           // imul %edx, %eax
                           // mov  %eax, b

                           // results: (a) = 2 and (b) = 4

      return 0;
}

Downloading GDB
We used WSL2 and "Debian GNU/Linux 10 (buster)" as a working
environment. We chose Debian because we used it for the “Accelerated
Linux Core Dump Analysis” training course.1 After installing Debian, we
need to install essential build tools and GDB:

sudo apt install build-essential

sudo apt install gdb

You may also need to download git to clone source code:

sudo apt install git

cd ~
git clone github.com/apress/linux-debugging-disassembling-­
reversing .

GDB Disassembly Output – No Optimization

The source code can be downloaded from the following location:
github.com/apress/linux-debugging-disassembling-reversing/
Chapter2/

1
www.dumpanalysis.org/accelerated-linux-core-dump-analysis-book

20
 Chapter 2 Code Optimization

If we compile and link the program in no optimization mode (default):

coredump@DESKTOP-IS6V2L0:~/pflddr/x64/Chapter2$ gcc
ArithmeticProjectC.cpp -o ArithmeticProjectC

we get the binary executable module we can load in GDB and inspect
assembly code.
First, we run GDB with the program as a parameter:

coredump@DESKTOP-IS6V2L0:~/pflddr/x64/Chapter2$ gdb ./
ArithmeticProjectC
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/
licenses/gpl.html>
This is free software: you are free to change and
redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources
online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".

Type "apropos word" to search for commands related to "word"...
Reading symbols from ./ArithmeticProjectC...(no debugging
symbols found)...done.
(gdb)

21
Chapter 2 Code Optimization

Next, we put a breakpoint at our main C/C++ function to allow the

program execution to stop at that point and give us a chance to inspect
memory and registers. Symbolic names/function names like "main" can be
used instead of code memory locations:

(gdb) break main

Breakpoint 1 at 0x1129

Then we start execution of the program (let it run). The program then
stops at the previously set breakpoint:

(gdb) run
Starting program: /home/coredump/pflddr/x64/Chapter2/
ArithmeticProjectC

Breakpoint 1, 0x0000555555555129 in main ()

Now we disassemble the main function:

(gdb) disass main

Dump of assembler code for function main:
   0x0000555555555125 <+0>:     push   %rbp
   0x0000555555555126 <+1>:     mov    %rsp,%rbp
=> 0x0000555555555129 <+4>:     mov    %edi,-0x4(%rbp)
   0x000055555555512c <+7>:     mov    %rsi,-0x10(%rbp)
   0x0000555555555130 <+11>:    movl   $0x1,0x2ef2(%rip)        
# 0x55555555802c <a>
   0x000055555555513a <+21>:    movl   $0x1,0x2eec(%rip)        
# 0x555555558030 <b>
   0x0000555555555144 <+31>:    mov    0x2ee6(%rip),%edx        
# 0x555555558030 <b>
   0x000055555555514a <+37>:    mov    0x2edc(%rip),%eax        
# 0x55555555802c <a>
   0x0000555555555150 <+43>:    add    %edx,%eax

22
 Chapter 2 Code Optimization

   0x0000555555555152 <+45>:    mov    %eax,0x2ed8(%rip)        
# 0x555555558030 <b>
   0x0000555555555158 <+51>:    mov    0x2ece(%rip),%eax        
# 0x55555555802c <a>
   0x000055555555515e <+57>:    add    $0x1,%eax
   0x0000555555555161 <+60>:    mov    %eax,0x2ec5(%rip)        
# 0x55555555802c <a>
   0x0000555555555167 <+66>:    mov    0x2ec3(%rip),%edx        
# 0x555555558030 <b>
   0x000055555555516d <+72>:    mov    0x2eb9(%rip),%eax        
# 0x55555555802c <a>
   0x0000555555555173 <+78>:    imul   %edx,%eax
   0x0000555555555176 <+81>:    mov    %eax,0x2eb4(%rip)        
# 0x555555558030 <b>
   0x000055555555517c <+87>:    mov    $0x0,%eax
   0x0000555555555181 <+92>:    pop    %rbp
   0x0000555555555182 <+93>:    retq
End of assembler dump.

We repeat the part of the formatted disassembly output here that

corresponds to our C/C++ code:

   0x0000555555555130 <+11>:    movl   $0x1,0x2ef2(%rip)        
# 0x55555555802c <a>
   0x000055555555513a <+21>:    movl   $0x1,0x2eec(%rip)        
# 0x555555558030 <b>
   0x0000555555555144 <+31>:    mov    0x2ee6(%rip),%edx        
# 0x555555558030 <b>
   0x000055555555514a <+37>:    mov    0x2edc(%rip),%eax        
# 0x55555555802c <a>
   0x0000555555555150 <+43>:    add    %edx,%eax

23
Chapter 2 Code Optimization

   0x0000555555555152 <+45>:    mov    %eax,0x2ed8(%rip)        
# 0x555555558030 <b>
   0x0000555555555158 <+51>:    mov    0x2ece(%rip),%eax        
# 0x55555555802c <a>
   0x000055555555515e <+57>:    add    $0x1,%eax
   0x0000555555555161 <+60>:    mov    %eax,0x2ec5(%rip)        
# 0x55555555802c <a>
   0x0000555555555167 <+66>:    mov    0x2ec3(%rip),%edx        
# 0x555555558030 <b>
   0x000055555555516d <+72>:    mov    0x2eb9(%rip),%eax        
# 0x55555555802c <a>
   0x0000555555555173 <+78>:    imul   %edx,%eax
   0x0000555555555176 <+81>:    mov    %eax,0x2eb4(%rip)        
# 0x555555558030 <b>

We can directly translate it to bare assembly code we used in the

previous chapter and put corresponding pseudo-code in comments:

movl   $1, a              # 1 -> (a)

movl   $1, b              # 1 -> (b)
mov    b, %edx            # (b) + (a) -> (b)
mov    a, %eax
add    %edx, %eax
mov    %eax, b
mov    a, %eax            # (a) + 1 -> (a)
add    $1, %eax
mov    %eax, a
mov    b, %edx            # (b) * (a) -> (b)
mov    a, %eax
imul   %edx, %eax
mov    %eax, b

24
 Chapter 2 Code Optimization

Now we can exit GDB:

(gdb) q
A debugging session is active.

        Inferior 1 [process 2249] will be killed.

Quit anyway? (y or n) y
coredump@DESKTOP-IS6V2L0:~/pflddr/x64/Chapter2$

GDB Disassembly Output – Optimization

If we compile and link the program in optimization mode:

coredump@DESKTOP-IS6V2L0:~/pflddr/x64/Chapter2$ gcc
ArithmeticProjectC.cpp -O1 -o ArithmeticProjectC

and after repeating the same steps in GDB, we get the following output:

(gdb) disass main

Dump of assembler code for function main:
=> 0x0000555555555125 <+0>:     movl   $0x2,0x2f01(%rip)        
# 0x555555558030 <a>
   0x000055555555512f <+10>:    movl   $0x4,0x2ef3(%rip)        
# 0x55555555802c <b>
   0x0000555555555139 <+20>:    mov    $0x0,%eax
   0x000055555555513e <+25>:    retq
End of assembler dump.

This corresponds to the following pseudo-code:

mov $2, a   # 2 -> (a)

mov $4, b   # 4 -> (b)

Please note that the compiler also chose to put memory cell “b” first
(000055555555802c) and then memory cell “a” (0000555555558030).

25
Chapter 2 Code Optimization

What happened to all our assembly code in this executable? This code
seems to be directly placing the end result into the “b” memory cell if we
observe. Why is this happening? The answer lies in compiler optimization.
When the code is compiled in optimization mode, the compiler can
calculate the final result from the simple C/C++ source code itself and
generate only the necessary code to update corresponding memory
locations.

Summary
In this chapter, we looked at assembly language code produced by a
debugger via disassembling binary code. Then, we reversed it to C and C++
code. We also compared the disassembly output of nonoptimized code to
optimized code and understood why.
The next chapter refreshes number representations, especially the
hexadecimal one.

26
CHAPTER 3

Number
Representations
Numbers and Their Representations
Imagine a herder in ancient times trying to count his sheep. He has a
certain number of stones (twelve):

However, he can only count up to three and arranges the total into
groups of three:

© Dmitry Vostokov 2023 27

D. Vostokov, Foundations of Linux Debugging, Disassembling, and Reversing,
https://doi.org/10.1007/978-1-4842-9153-5_3
Chapter 3 Number Representations

The last picture is a representation (a kind of notation) of the number

of stones. We have one group of three groups of three stones plus a
separate group of three stones. If he could count up to ten, we would see a
different representation of the same number of stones. We would have one
group of ten stones and another group of two stones.

Decimal Representation (Base Ten)

Let’s now see how twelve stones are represented in arithmetic notation if
we can count up to ten. We have one group of ten numbers plus two:

12dec = 1 * 10 + 2 or 1 * 101 + 2 * 100

Here is another exercise with 123 stones. We have 1 group of ten by

ten stones, another group of 2 groups of ten stones, and the last group
of 3 stones:

123dec = 1 * 10*10 + 2 * 10 + 3 or 1 * 102 + 2 * 101 + 3 * 100

We can formalize it in the following summation notation:

Ndec = an*10n + an-1*10n-1 + … + a2*102 + a1*101 + a0*100

0 <= ai <= 9
Using the summation symbol, we have this formula:

n
Ndec = ∑ ai*10i
i=0

28
 Chapter 3 Number Representations

Ternary Representation (Base Three)

Now we come back to our herder’s example of twelve stones. We have 1
group of three by three stones, 1 group of three stones, and an empty (0)
group (which is not empty if we have one stone only or have thirteen
stones instead of twelve). We can write down the number of groups
sequentially: 110. Therefore, 110 is a ternary representation (notation) of
twelve stones, and it is equivalent to 12 written in decimal notation:

12dec = 1*32 + 1*31 + 0*30

Ndec = an*3n + an-1*3n-1 + … + a2*32 + a1*31 + a0*30

ai = 0 or 1 or 2

n
Ndec = ∑ ai*3i
i=0

Binary Representation (Base Two)

In the case of counting up to two, we have more groups for twelve stones:
1100. Therefore, 1100 is a binary representation (notation) for 12 in
decimal notation:

12dec = 1*23 + 1*22 + 0*21 + 0*20

123dec = 1*26 + 1*25 + 1*24 + 1*23 + 0*22 + 1*21 + 1*20 or

11110112

Ndec = an*2n + an-1*2n-1 + … + a2*22 + a1*21 + a0*20

ai = 0 or 1

n
Ndec = ∑ ai*2i
i=0

29
Chapter 3 Number Representations

Hexadecimal Representation (Base Sixteen)

If we can count up to sixteen, twelve stones fit in one group, but we
need more symbols: A, B, C, D, E, and F for ten, eleven, twelve, thirteen,
fourteen, and fifteen, respectively:
12dec = C in hexadecimal representation (notation)

123dec = 7Bhex

123dec = 7*161 + 11*160

n
Ndec = ∑ ai*16i
i=0

Why Are Hexadecimals Used?

Consider this number written in binary notation: 1100010100112. Its
equivalent in decimal notation is 3155:

3155dec = 1*211 + 1*210 + 0*29 + 0*28 + 0*27 + 1*26 + 0*25

+ 1*24 + 0*23 + 0*22 + 1*21 + 1*20

Now we divide the binary number digits into groups of four and write
them down in decimal and hexadecimal notation:

110001010011

12dec 5dec 3dec

Chex 5hex 3hex

We see that hexadecimal notation is more compact because every

four binary digit group number corresponds to one hexadecimal number.
Table 3-1 lists hexadecimal equivalents for every four binary digit
combination.

30
 Chapter 3 Number Representations

Table 3-1. Hexadecimal Equivalents for Every Four

Binary Digit Combination
Binary Decimal Hexadecimal

0000 0 0
0001 1 1
0010 2 2
0011 3 3
0100 4 4
0101 5 5
0110 6 6
0111 7 7
1000 8 8
1001 9 9
1010 10 A
1011 11 B
1100 12 C
1101 13 D
1110 14 E
1111 15 F

In GDB and other debuggers, memory addresses are displayed in

hexadecimal notation.

31
Chapter 3 Number Representations

Summary
This chapter refreshed different representations of a number, including
hexadecimal notation.
The next chapter introduces pointers. We rewrite our arithmetic
program from Chapter 1 using pointers to memory and use the GDB
debugger to execute instructions one by one and watch changes
to memory.

32
Discovering Diverse Content Through
Random Scribd Documents
The Project Gutenberg eBook of 'Possum
 This ebook is for the use of anyone anywhere in the United
States and most other parts of the world at no cost and with
almost no restrictions whatsoever. You may copy it, give it away
or re-use it under the terms of the Project Gutenberg License
included with this ebook or online at www.gutenberg.org. If you
are not located in the United States, you will have to check the
laws of the country where you are located before using this
eBook.

Title: 'Possum

Creator: Mary Grant Bruce

Release date: January 8, 2016 [eBook #50881]

Language: English

Credits: Produced by Al Haines

*** START OF THE PROJECT GUTENBERG EBOOK 'POSSUM ***

Cover art
"Then he shot down, head foremost, and again
found himself in the grass." (Page 96.)
 'POSSUM

BY
MARY GRANT BRUCE
Author of "Glen Eyre," "Mates at Billabong,"
"Norah of Billabong," "Jim and Wally,"
etc., etc.

WARD, LOCK & CO., LIMITED

LONDON, MELBOURNE AND TORONTO

To
My Mother

CONTENTS

I The "House Beautiful"

II Breaking Bad News
III Gordon's Farm
IV Into the Unknown
V The Home-Coming
VI A Day in the Country
VII The Riding of Jane
VIII Rain—And a Friend
IX "Maggie or Something"
X 'Possum Takes Hold
XI Farmers in Earnest
XII Sailing
XIII Amateur Surgery
XIV A Boating Holiday
XV Santa Claus and Clothes
XVI A Little Boy
XVII 'Possum Becomes a Pupil
XVIII The Regatta
XIX The Order of Release

'POSSUM

CHAPTER I
THE "HOUSE BEAUTIFUL"

The trim suburban garden blazed with flowers. Over the porch at the
gate mandevillea hung in a curtain of fragrant white, and an
archway over the path that wound through the close-shaven lawn
was a miracle of Fortune's yellow roses—gold and rose and copper
blended gloriously. There were beds aflame with "bonfire" salvia,
and others gay with many-hued annuals. Gaudy tulips reared
splendid heads near a great clump of arum lilies that fringed a tiny
pool where little Garth Macleod's solitary goldfish swam in lonely
state. Everywhere there were roses; in standards in the smooth,
well-kept beds, or trained along the wide verandas, forming a screen
of exquisite blossom. Their sweetness lay like a charm over the
garden.
It was a hot spring afternoon. Tom Macleod, digging busily in a
corner, pushed his Panama back from his flushed face, and stood
erect for a moment to ease his aching back. As he did so a motor
whirred to the gate, stopped, and a stout little man hurried up the
path, waving a capable hand towards the shirt-sleeved worker
across the lawn.
"Hullo, Doctor!" Macleod called.
"See you presently, Tom," was all the doctor vouchsafed him.
He disappeared behind the roses on the veranda, and Macleod
returned to his work with a furrow between his eyes that had not
been there before. From time to time he cast half-impatient glances
towards the house, whence no sound issued. Finally, with a hasty
movement, he plunged his spade into the soil, and went with long
strides across the grass—meeting, at the step, the doctor, who
plunged out of the house like a plump Jack-in-the-box.
"Oh!" said Macleod vaguely. "How's the kid?"
"The kid? why, going on first-rate," said the doctor, laughing.
"Can't a man stay five minutes talking to his patient's mother
without your making up your mind that the kid must be dying?"
Tom Macleod grinned a little shamefacedly.
 "The last three weeks have rather unsettled my nervous system,
I believe," he said. "I didn't know I had one until Garth took to
trying to die. You needn't be so superior, old man. I believe the little
beggar shook up yours, too!"
"Well—it hasn't been too jolly a time," admitted the doctor. "One
doesn't like to see a nice kid suffering: and Garth and I are old
chums. Anyhow, he's better. Come and sit down; it's an
extraordinary thing, but I have time for a cigarette."
He went with quick, short steps towards a bench under a
drooping pepper tree, Macleod following with his long, easy stride.
No two men could have been a greater contrast: the short, plump
doctor, with his humorous, ugly face, which every child loved at the
first glance, and the tall, lean Australian, clean-limbed and
handsome—almost boyish, but for a certain worn expression, and for
the lines of anxiety which his boy's illness had graven round his eyes
and mouth. They lit their cigarettes and stared at each other.
"On the rare occasions when you announce that you've time to
smoke, I have noticed that you generally have something to
communicate—probably unpleasant," said Macleod. "What is it, old
man?"
"I wish you weren't so observant," said the doctor; "it's
disconcerting. Well, I have something. It isn't exactly new: I hinted
at it to you six months ago. Now I've got to speak plainly."
"You mean——?"
"I mean that if I had a boy like Garth I wouldn't run the risk of
trying to bring him up in a city," the doctor answered. "I haven't
been satisfied with the little chap for a long time. His constitution's
all right—there's nothing radically the matter. But he doesn't thrive.
You've seen that for yourself, Tom."
"Yes—I've seen it," said the father heavily. "Of course, we've
kept hoping he would grow stronger. As you say, there seemed
nothing really wrong, and he's pretty wiry——"
"If he hadn't been wiry I could not have pulled him through the
last three weeks," Dr. Metcalf said. "You may thank your stars he's
wiry."
"If he hadn't picked up this unlucky illness——"
"Well—I don't know," said the doctor. "I'm inclined to think you
may yet consider it a blessing in disguise. You might have gone on
pouring tonics and patent messes into him, and hoping he'd
improve. You can't do it now. It's up to you and Aileen to give him
every chance, if you want a strong son instead of a weakling."
"That's final?" Macleod asked.
"That's my considered opinion. I know your difficulties, old man.
But I know you don't value anything in the world beyond Garth. Take
him to the country; let him live out of doors, and run as wild as a
rabbit; give him unlimited fresh milk—not the stuff you buy out of a
can—country food, and pure air: let him wear old clothes all the time
and sleep out of doors—and in a year I'd stake my professional
reputation you won't know him. Keep him in a Melbourne suburb,
and I won't be answerable for the consequences."
"That's pretty straight, anyhow," said Macleod.
"I mean it to be straight. I haven't known you since you were at
school to mince matters with you now. And I'm fond of the kid: I
want to see him grow into a decent man, with all the best that is in
him given a fair chance."
 "We've tried to do that," Macleod said. He looked round the
glowing garden. "It's such a jolly home, and he does love it."
"It's one of the jolliest little homes I've ever seen, and it's going
to hurt both of you badly to leave it," the doctor rejoined. "The
trouble is, it is too jolly. You have made yourself a little Paradise
inside the tallest paling fence you could build, and you've shut out all
that lies outside that fence—miles on miles of teeming streets,
packed and jammed with people. You're in the midst of grass and
roses and things, with a sprinkler going on your tulips, or whatever
those rainbow affairs are—and you don't think about the street
outside, dry and baking, with a hot wind swirling the germ-laden
dust about—blowing it probably upon the meat and fruit and milk
you'll buy to-morrow. The air comes to you over thousands of
houses, clean and dirty, and thousands of people breathe it. You've
got to get where there's no second-hand air."
"Great Scott!" ejaculated Macleod. "Will you tell me how any
children manage to live at all?"
"It's a special dispensation of Providence that most youngsters
don't die from germs," said the doctor, laughing. "I'm aware that the
infantile population of Melbourne is pretty healthy, but it's always a
mystery to me how children in any big city survive their
surroundings. After all, Melbourne's cleaner than most places.
However, there is only one among its hordes of kids that is
interesting you and me at the moment, and that's Garth. You've got
to get him out of it, Tom."
"When?"
"As soon as you can make your arrangements. I know you can't
do that in a moment, but, of course, he could not be moved just yet.
When he is strong enough Aileen could take him somewhere until
you were ready. But get him to the country. His poor little head is full
of stories and make-believes: let him forget what a book looks like,
and introduce him to a pony. By the way, it's going to be enormously
good for you and Aileen, too."
"Is it?" Macleod asked, smiling grimly. "I'll worry along
somehow, though I know mighty little of anything outside a city. But
it's rough on her, poor girl. She just loathes the country—hasn't any
use for scrub and bad roads, and discomfort generally. I'll never be
able to get her a servant—there aren't any, I believe, once you get
more than a mile from a picture theatre. And she has never had to
work."
"Don't you worry your head about Aileen," said the little doctor,
rising. "She has her head screwed on the right way—and women
have a way of doing what they've got to do. She can imagine herself
her own grandmother, fresh out from England, and tackling the Bush
as all our plucky little grandmothers did. Pity there are not more like
them now: we live too softly nowadays, and our backbones don't
stiffen. But you'll find Aileen will come out all right. In a year you'll
all be blessing me. When you come to think of it, I'm the only one to
be pitied. I'm going to miss you badly." There was a twisted smile on
his lips as he wrung his friend's hand. "Good-bye: my patients will be
calling down maledictions on my head if I don't hurry."
Macleod saw him into his dusty motor and watched it glide
down the hot street. Then he turned and went back through the
scent of the garden, instinctively making his footsteps noiseless as
he crossed the veranda and entered the house.
 It was a trim house of one story, with a square hall where tall
palms gave an effect of green coolness. An embroidered curtain
screened a turn into a passage where, through an open door, could
be heard the sound of a low voice reading. A childish call cut across
the soft tones.
"Is that you, Daddy?"
"That's me," said Macleod cheerfully, if ungrammatically. "Are
you sure you ought not to be asleep?" He entered the room and
smiled down at his little son.
"A fellow can't sleep all day," Garth said. "'Sides, I needn't sleep
so much now. Doctor says I'm nearly well, Daddy."
"That's good news," said his father heartily. "We'll have you out
in the garden soon, and getting fat. The tulips are blossoming,
Garth, and your poor old goldfish is awfully lonesome. He says even
Bran doesn't go near him now."
"Bran is too busy nursing his master," said Garth's mother,
looking at the rough head of the Irish terrier curled up on a chair
beside the boy's bed. "We'll all get out together in a few days, and
find out all the beautiful things that have happened in the garden
since we were there. Won't it be lovely, Tom?"
She leaned back until her head touched her husband—a tall,
pale girl, with lovely features and a mass of fair hair that glinted like
Garth's when the sunlight fell on it, and eyes as blue as violets. Her
long hands, blue-veined and delicate, lay idly in her lap, one finger
keeping open the book from which she had been reading. She was
like an exquisite piece of china—fragile, to all outward appearance,
and dainty; graceful in every line. Tom Macleod looking down at her,
felt as he had felt ten year' ago, before they married, that he must
let no wind blow upon her roughly.
Now he had to tell her that they must go away, away from the
ordered comfort of city life, which was all that she had ever known,
to whatever the country had in store for them. Even for himself,
always a townsman, the prospect carried something of dread, as do
all unfamiliar prospects. But he knew that, whatever hardships the
Bush holds for a man, it is hardest on a woman.
Garth was chattering away, oblivious of his father's grave face.
"Doctor says I can talk as much as I like," he proclaimed
happily. "And he says I'll be perflickly well in a little bit, and then
Mother can take me down to the sea. And she says she will, didn't
you, Mother? And then you can come down for week-ends, Daddy.
Or do you think the Office would give you a holiday, like it did the
time we went to Black Rock?"
"It might," said his father.
"Do make it," Garth begged. "It would be so lovely, Daddy—and
you could teach me to swim." His little thin face, for which the
brown eyes were so much too large, was alight with eagerness.
"Bran'll come too—he loves going away, doesn't he? D'you know,
Daddy, I think Bran was just cut out for a country dog! He's so awful
interested when he gets away from the streets."
"I'm not sure that that's not very good taste on Bran's part,"
said Macleod: and at something in his tone his wife looked up
sharply. "What do you think about it yourself, Garth?"
"Oh, I just love the country," Garth answered. "You get so tired
with streets—they all look alike, nothing but motors and dust. The
Gardens are jolly, of course, and so's Fawkner Park; but they're not
the same as the real country. D'you remember the time we went to
Gippsland for the holidays? Wasn't it lovely? I always felt when we
went out walking that we might meet anything whatever—fairies, or
Bunyips, or—or all sorts of things!"
"But you never did, I suppose?"
"N-no," Garth admitted. "But I used to pretend I did, and that
was fun. And I truly did see some rabbits and a wallaby, only the
people at the farm weren't a bit pleased when I told them about the
rabbits. Mr. Brown said he'd rather see a gorilla on any of his land.
Isn't it a pity rabbits are such damageous things, Daddy? Anyhow, I
used to pretend that all the really bad fairies had got locked up
inside rabbits, to do as much mischief as ever they could, until they
got good again. But Mr. Brown said that if ever he heard of a rabbit
getting good he'd eat his hat."
"Seeing that Brown told me he'd just spent two hundred pounds
netting his land against rabbits, you couldn't expect him to love
them," Macleod said.
"Two hundred pounds is an awful lot of money, isn't it?" Garth
asked innocently. "But you've got heaps more than that, haven't you,
Daddy?"
"Not as big a heap as I would like," his father answered. He
walked across the room and stood looking out of the window, his
eye wandering over the well-kept garden. A lucky legacy had
enabled him to buy his home just before his marriage: now he
wished with all his heart that he had not spent so much, in the years
that followed, in making it nearer and nearer to their hearts' desire.
They had built a room here, a veranda there: had installed electric
light and cooking power, electric fans and electric irons—had filled
the house with every modern device for ease and comfort. His salary
was good: there was no need for economy. He had lavished it on the
garden they loved, until its high walls enclosed, in truth, a little
paradise. Their personal tastes had been expensive: stalls at the
theatres, little dinners at the Savoy, races, dances, bridge parties,
had all been commonplaces in their happy, careless life. Best of all
had he loved to dress Aileen beautifully. "When a fellow has the
loveliest wife in Australia, it's up to him to see that she's decently
rigged out," he would say, bringing home a fur coat, a costly
sunshade, a piece of exquisite lace. He hardly knew how much his
own clothes, quietly good, had cost him: Garth had been the best
turned out boy in the neighbourhood. Their servants, well-paid and
lightly-worked, had kept the household machinery moving silently on
oiled wheels. There had seemed not one crumpled petal in the rose-
leaves that strewed their path.
The trained nurse entered softly, bearing on a little brass tray
Garth's tea-service—dainty china, painted with queer, long-necked
cats.
"This is the first day I've felt really int'rested in tea," Garth
proclaimed cheerfully, wriggling up on his pillows. His mother moved
quickly to help him, slipping a wrap round the thin little shoulders.
Then a gong chimed softly from the hall, and she turned to her
husband. Her fingers lay on his shoulder for a moment.
"Tea, Tom."
"Oh, all right," he said, and turned from the window. "So long,
old son—eat a big tea."
"I'll eat a 'normous one, if Nurse will only give it to me," Garth
said, eyeing his tray hungrily. "Mind you do, too, Daddy. And come
back soon."
"I will," Macleod said. He smiled at the eager face as he
followed his wife from the room.

CHAPTER II
BREAKING BAD NEWS

It was one of Aileen Macleod's whims that she liked to brew her own
tea. A copper kettle bubbled busily over a spirit lamp on the tray as
they entered the drawing-room, and her husband flung himself into
an arm-chair and watched the slim, beautiful hands busy with the
silver tea-caddy and the quaint, squat teapot. Neither spoke until
she came to his side with his cup.
"I beg your pardon, dear," he said, trying to rise. She kept him
back, a hand on his shoulder.
"You've been working: why shouldn't I bring you your tea?" she
said, smiling at him.
"Because I ought to be looking after you," he rejoined. He was
on his feet with a quick movement, took her by the shoulders
laughingly, and put her into a big chair, bringing tea and hot cakes to
a tiny table beside her.
"There!" he said. "No: you want another cushion. Now lie back,
sweetheart, and rest; you're ever so much more tired than you'll
admit, even to yourself."
"Being tired doesn't matter, now," she said. "Nothing matters,
now that Garth is safe. But it's nice to be bullied." She smiled at him,
with a little restful movement, then took up her cup. Over it she
looked at him questioningly.
"Dr. Metcalfe is quite satisfied, Tom? What were you and he
talking about for so long?"
"Oh, he's quite satisfied with the boy's progress," Macleod
answered. "He says you and he can go away quite soon. We—we
were just yarning." Something tied his tongue; she looked so tired,
and yet so peaceful. He would not tell her just yet.
Aileen opened her lips to speak and then closed them again.
They talked idly of the garden, the tulips that were just blossoming,
and the new roses, until tea was over and a silent-footed maid had
removed the tray. Macleod lit a cigarette, and lay back in his chair.
"Tell me, Tom," she said quietly. "I know there is something
more."
He was silent for a moment, looking at her. She was very pale,
her breath coming quickly.
"Don't bother about anything now," he said. "We've got the little
chap back; and you're dog-tired. You mustn't worry about anything."
"Don't you see—when I don't know, I think it's Garth!" Her voice
broke, almost in a cry. "Tell me—quick!"
He was on his knees beside her in a flash.
"What a fool I am!—it's all right, my girl. Garth's quite safe.
Only we've got to go away—to leave all this and take him to the
Bush. He'll grow strong if we do. But I didn't know how to tell you."
His wife gave a long sigh, and put her face down on his
shoulder.
"Oh-h!" she said. "I thought it was something that really
mattered!"
 "My girl!" said Macleod huskily. For a while they did not move.
Then she put him away from her gently, and looked at him with
steady eyes.
"I suppose I shall wake up some morning—perhaps to-morrow
morning—to realize that it's quite large and important," she said.
"But at present it seems the smallest thing, because all that really
counts is that Garth is safe. Tell me all about it, Tom."
"Metcalfe won't answer for him if we keep him in town," he
said. "If we take him right into the country for a few years he will
grow into a strong boy. Therefore, as the Americans say, it's country
for ours."
"Of course. What will happen?"
"We'll sell or let this place," he said, watching her face keenly
for some sign that the blow was telling. But there was no change in
its eager interest, and he went on.
"I must send in my resignation at the office. They'll be nice
about it, of course: probably they'd always try to find a berth for me,
though it would not be as good as this one. That will leave us with
the little bit of private income we have and whatever we get out of
the house. We might live on that, after a fashion. But if we've got to
go into the country, I'd rather see if we can't make something out of
the land."
"But we don't know anything about it."
"Not a thing," Macleod agreed. "But I don't believe it's so
awfully complicated: surely a man of reasonable common sense can
learn. And look at the alternative—living in some beastly cottage in a
township, with not a thing to do. I don't think I could stand it."
 "I'm sure I couldn't," said his wife. "Of course you'll learn—look
at all the stupid people who do well out of land. Quite stupid people:
and your worst enemy can't say you haven't got brains, Tom!"
"I make you my best bow," said her husband solemnly. "You're
very encouraging, ma'am! I'll try to live up to your high estimate of
me. But what seems to matter more is that I think I've got enough
muscle."
For the first time a shadow of doubt came into her eyes.
"I don't want you to be worked to death," she said. "Will it be
very hard for you, Tom?"
He broke into a short laugh.
"Hard for me! Do you think it matters the least little bit about
me? But it maddens me to think what it's going to mean for you. Do
you realize that it means no more fun, as we've always counted fun?
no more outings or gaiety, no pretty clothes? any sort of a home,
and mighty little comfort? We—we won't have much money, Aileen."
"We'll have enough to—to live, won't we?" she asked. "To buy
food, I mean?"
"Oh, there'll be enough for that. But we'll have to scrimp in a
hundred ways. I don't know that we can even keep a servant for
you, though I don't suppose, for that matter, that there are any to
be had in the Bush. I wouldn't mind that so much if I could help
you: but I'll have my own work outside, and it will keep me going.
I've never let you work, Aileen," he ended wistfully.
"No, you haven't," she said; looking at him gently. "If ever a
woman was thoroughly spoilt it's your wife!"
"I couldn't have had the face to marry you, if it had meant that
you would have to work," he answered. "How could I, when you'd
never done any work in your life?"
"I don't know that that is a very creditable record for a woman,"
she said reflectively. "I've often thought my life was too soft a one;
only you have made it so easy to be lazy, Tom."
"You're not lazy," he defended her hotly. "Look at all you have
on hand—your music, the garden, the home—do you think it's only
servants that have made us our 'House Beautiful?' You've charities,
and Women's Leagues—and Garth. It seems to me you're always
busy."
"They're all very pretty things to play at," she said, laughing.
"All except Garth: he is a solid reality. Now I'm going to discover
ever so many other realities. Don't worry about me, Tom, dear. It's
going to be an Awfully Big Adventure, but we'll get through
somehow."
She smiled up at him. Something like a great weight lifted from
Macleod's heart.
"You aren't afraid?" he asked.
Her face grew grave, and for a moment she did not answer.
"I never knew what fear really meant until Garth was ill," she
said, at length. "One says one is afraid of lots of things; but you get
right to the terrible depths of fear when you think your child is
dying. And it teaches you that nothing else matters. Now that Garth
has come back, and I can hold him again, nothing else even seems
serious. I suppose a month ago I might have felt scared at the idea
of cooking and scrubbing, but now I feel as if I could do it, and sing.
You understand, don't you?"
"Yes, I understand," he answered. "It's hard to imagine
anything else troubling us, if the kid's safe. But will we feel like that