100% found this document useful (6 votes)

24 views

Full Download Foundations of ARM64 Linux Debugging, Disassembling, and Reversing: Analyze Code, Understand Stack Memory Usage, and Reconstruct Original C/C++ Code with ARM64 1st Edition Dmitry Vostokov PDF DOCX

Vostokov

Uploaded by

ussieldeiicy

Available Formats

Download as PDF, TXT or read online on Scribd

100% found this document useful (6 votes)

24 views

Full Download Foundations of ARM64 Linux Debugging, Disassembling, and Reversing: Analyze Code, Understand Stack Memory Usage, and Reconstruct Original C/C++ Code with ARM64 1st Edition Dmitry Vostokov PDF DOCX

Vostokov

Uploaded by

ussieldeiicy

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 66

Download Full Version ebookmass - Visit ebookmass.

com

Foundations of ARM64 Linux Debugging,

Disassembling, and Reversing: Analyze Code,
Understand Stack Memory Usage, and Reconstruct
Original C/C++ Code with ARM64 1st Edition Dmitry
Vostokov
https://ebookmass.com/product/foundations-of-arm64-linux-
debugging-disassembling-and-reversing-analyze-code-
understand-stack-memory-usage-and-reconstruct-original-c-c-
code-with-arm64-1st-edition-dmitry-vostokov/

OR CLICK HERE

DOWLOAD NOW

Discover More Ebook - Explore Now at ebookmass.com

Instant digital products (PDF, ePub, MOBI) ready for you
Download now and discover formats that fit your needs...

Foundations of Linux Debugging, Disassembling, and

Reversing: Analyze Binary Code, Understand Stack Memory
Usage, and Reconstruct C/C++ Code with Intel x64 1st
Edition Dmitry Vostokov
https://ebookmass.com/product/foundations-of-linux-debugging-
disassembling-and-reversing-analyze-binary-code-understand-stack-
memory-usage-and-reconstruct-c-c-code-with-intel-x64-1st-edition-
dmitry-vostokov/
ebookmass.com

Foundations of ARM64 Linux Debugging, Disassembling, and

Reversing Dmitry Vostokov

https://ebookmass.com/product/foundations-of-arm64-linux-debugging-
disassembling-and-reversing-dmitry-vostokov/

ebookmass.com

Fundamentals of Trace and Log Analysis: A Pattern-Oriented

Approach to Monitoring, Diagnostics, and Debugging 1st
Edition Dmitry Vostokov
https://ebookmass.com/product/fundamentals-of-trace-and-log-analysis-
a-pattern-oriented-approach-to-monitoring-diagnostics-and-
debugging-1st-edition-dmitry-vostokov-2/
ebookmass.com

Physiology Sixth Edition Costanzo

https://ebookmass.com/product/physiology-sixth-edition-costanzo/

ebookmass.com
Business Communication: A Problem Solving Approach 1st
Edition, (Ebook PDF)

https://ebookmass.com/product/business-communication-a-problem-
solving-approach-1st-edition-ebook-pdf/

ebookmass.com

What If You & Me Roni Loren

https://ebookmass.com/product/what-if-you-me-roni-loren/

ebookmass.com

Interplanetary Liberty: Building Free Societies in the

Cosmos Charles S. Cockell

https://ebookmass.com/product/interplanetary-liberty-building-free-
societies-in-the-cosmos-charles-s-cockell/

ebookmass.com

Why Privacy Matters Neil Richards

https://ebookmass.com/product/why-privacy-matters-neil-richards/

ebookmass.com

Historical Culture in Iron Age Italy: Archaeology,

History, and the Use of the Past, 900-300 BCE 1st Edition
Seth Bernard
https://ebookmass.com/product/historical-culture-in-iron-age-italy-
archaeology-history-and-the-use-of-the-past-900-300-bce-1st-edition-
seth-bernard/
ebookmass.com
U is for Uncrossing: The A, B, C's of Witchery (Moonbeam
Chronicles Book 21) Carolina Mac

https://ebookmass.com/product/u-is-for-uncrossing-the-a-b-cs-of-
witchery-moonbeam-chronicles-book-21-carolina-mac/

ebookmass.com
Foundations of ARM64
Linux Debugging,
Disassembling, and
Reversing
Analyze Code, Understand Stack
Memory Usage, and Reconstruct
Original C/C++ Code with ARM64
—
Dmitry Vostokov
Foundations of
ARM64 Linux
Debugging,
Disassembling, and
Reversing
Analyze Code, Understand
Stack Memory Usage,
and Reconstruct Original C/C++
Code with ARM64

Dmitry Vostokov
Foundations of ARM64 Linux Debugging, Disassembling, and Reversing:
Analyze Code, Understand Stack Memory Usage, and Reconstruct Original
C/C++ Code with ARM64

Dmitry Vostokov
Dublin, Ireland

ISBN-13 (pbk): 978-1-4842-9081-1 ISBN-13 (electronic): 978-1-4842-9082-8

https://doi.org/10.1007/978-1-4842-9082-8
Copyright © 2023 by Dmitry Vostokov
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or
part of the material is concerned, specifically the rights of translation, reprinting, reuse of
illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way,
and transmission or information storage and retrieval, electronic adaptation, computer software,
or by similar or dissimilar methodology now known or hereafter developed.
Trademarked names, logos, and images may appear in this book. Rather than use a trademark
symbol with every occurrence of a trademarked name, logo, or image we use the names, logos,
and images only in an editorial fashion and to the benefit of the trademark owner, with no
intention of infringement of the trademark.
The use in this publication of trade names, trademarks, service marks, and similar terms, even if
they are not identified as such, is not to be taken as an expression of opinion as to whether or not
they are subject to proprietary rights.
While the advice and information in this book are believed to be true and accurate at the date of
publication, neither the authors nor the editors nor the publisher can accept any legal
responsibility for any errors or omissions that may be made. The publisher makes no warranty,
express or implied, with respect to the material contained herein.
Managing Director, Apress Media LLC: Welmoed Spahr
Acquisitions Editor: Celestin Suresh John
Development Editor: James Markham
Coordinating Editor: Mark Powers
Cover designed by eStudioCalamar
Cover image by Susan Wilkinson on Unsplash (www.unsplash.com)
Distributed to the book trade worldwide by Apress Media, LLC, 1 New York Plaza, New York, NY
10004, U.S.A. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail [email protected],
or visit www.springeronline.com. Apress Media, LLC is a California LLC and the sole member
(owner) is Springer Science + Business Media Finance Inc (SSBM Finance Inc). SSBM Finance
Inc is a Delaware corporation.
For information on translations, please e-mail [email protected]; for
reprint, paperback, or audio rights, please e-mail [email protected].
Apress titles may be purchased in bulk for academic, corporate, or promotional use. eBook
versions and licenses are also available for most titles. For more information, reference our Print
and eBook Bulk Sales web page at http://www.apress.com/bulk-sales.
Any source code or other supplementary material referenced by the author in this book is
available to readers on GitHub (https://github.com/Apress). For more detailed information,
please visit http://www.apress.com/source-code.
Printed on acid-free paper
Table of Contents
About the Author��ix

About the Technical Reviewer��xi

Preface��xiii

Chapter 1: Memory, Registers, and Simple Arithmetic��1

Memory and Registers Inside an Idealized Computer��1
Memory and Registers Inside ARM 64-Bit Computer��2
“Arithmetic” Project: Memory Layout and Registers��3
“Arithmetic” Project: A Computer Program��5
“Arithmetic” Project: Assigning Numbers to Memory Locations��5
Assigning Numbers to Registers��8
“Arithmetic” Project: Adding Numbers to Memory Cells��9
Incrementing/Decrementing Numbers in Memory and Registers��12
Multiplying Numbers��15
Summary��18

Chapter 2: Code Optimization��19

“Arithmetic” Project: C/C++ Program��19
Downloading GDB��20
GDB Disassembly Output – No Optimization��21
GDB Disassembly Output – Optimization��27
Summary��28

iii
Table of Contents

Chapter 3: Number Representations��29

Numbers and Their Representations��29
Decimal Representation (Base Ten)��30
Ternary Representation (Base Three)��30
Binary Representation (Base Two)��31
Hexadecimal Representation (Base Sixteen)��32
Why Are Hexadecimals Used?��32
Summary��34

Chapter 4: Pointers��35
A Definition��35
“Pointers” Project: Memory Layout and Registers��36
“Pointers” Project: Calculations��38
Using Pointers to Assign Numbers to Memory Cells��39
Adding Numbers Using Pointers��46
Incrementing Numbers Using Pointers��51
Multiplying Numbers Using Pointers��54
Summary��58

Chapter 5: Bytes, Halfwords, Words, and Doublewords��59

Using Hexadecimal Numbers��59
Byte Granularity��60
Bit Granularity��60
Memory Layout��61
Summary��64

iv
Table of Contents

Chapter 6: Pointers to Memory��65

Pointers Revisited��65
Addressing Types��65
Registers Revisited��70
NULL Pointers��70
Invalid Pointers��70
Variables As Pointers��71
Pointer Initialization��71
Initialized and Uninitialized Data��72
More Pseudo Notation��72
“MemoryPointers” Project: Memory Layout��73
Summary��87

Chapter 7: Logical Instructions and PC��89

Instruction Format��89
Logical Shift Instructions��90
Logical Operations��90
Zeroing Memory or Registers��91
Program Counter��92
Code Section��93
Summary��94

Chapter 8: Reconstructing a Program with Pointers��95

Example of Disassembly Output: No Optimization��95
Reconstructing C/C++ Code: Part 1��98
Reconstructing C/C++ Code: Part 2��100
Reconstructing C/C++ Code: Part 3��102

v
Table of Contents

Reconstructing C/C++ Code: C/C++ Program��103

Example of Disassembly Output: Optimized Program��104
Summary��106

Chapter 9: Memory and Stacks��107

Stack: A Definition��107
Stack Implementation in Memory��108
Things to Remember��110
Stack Push Implementation��111
Stack Pop Implementation��111
Register Review��111
Application Memory Simplified��112
Stack Overflow��113
Jumps��114
Calls��115
Call Stack��116
Exploring Stack in GDB��118
Summary��121

Chapter 10: Frame Pointer and Local Variables��123

Stack Usage��123
Register Review��124
Addressing Array Elements��124
Stack Structure (No Function Parameters)��126
Function Prolog��127
Raw Stack (No Local Variables and Function Parameters)��127
Function Epilog��129

vi
Table of Contents

“Local Variables” Project��130

Disassembly of Optimized Executable��133
Summary��134

Chapter 11: Function Parameters��135

“FunctionParameters” Project��135
Stack Structure��136
Function Prolog and Epilog��138
Project Disassembled Code with Comments��139
Parameter Mismatch Problem��144
Summary��145

Chapter 12: More Instructions��147

PSTATE Flags��147
Testing for 0��147
TST – Logical Compare��148
CMP – Compare Two Operands��149
TST or CMP?��150
Conditional Jumps��150
Function Return Value��151
Summary��152

Chapter 13: Function Pointer Parameters��153

“FunctionPointerParameters” Project��153
Commented Disassembly��154
Summary��161

vii
Table of Contents

Chapter 14: Summary of Code Disassembly Patterns��163

Function Prolog/Epilog��163
ADR (Address)��164
Passing Parameters��164
Accessing Saved Parameters and Local Variables��165
Summary��166

Index��167

viii
About the Author
Dmitry Vostokov is an internationally
recognized expert, speaker, educator, scientist,
and author. He is the founder of the pattern-
oriented software diagnostics, forensics,
and prognostics discipline and Software
Diagnostics Institute (DA+TA: DumpAnalysis.
org + TraceAnalysis.org). Vostokov has also
authored more than 50 books on software
diagnostics, anomaly detection and analysis,
software and memory forensics, root cause analysis and problem solving,
memory dump analysis, debugging, software trace and log analysis,
reverse engineering, and malware analysis. He has more than 25 years
of experience in software architecture, design, development, and
maintenance in various industries, including leadership, technical, and
people management roles. Dmitry also founded Syndromatix, Anolog.
io, BriteTrace, DiaThings, Logtellect, OpenTask Iterative and Incremental
Publishing (OpenTask.com), Software Diagnostics Technology and
Services (former Memory Dump Analysis Services; PatternDiagnostics.
com), and Software Prognostics. In his spare time, he presents various
topics on Debugging TV and explores Software Narratology, its further
development as Narratology of Things and Diagnostics of Things (DoT),
Software Pathology, and Quantum Software Diagnostics. His current
areas of interest are theoretical software diagnostics and its mathematical
and computer science foundations, application of formal logic, artificial
intelligence, machine learning and data mining to diagnostics and anomaly
detection, software diagnostics engineering and diagnostics-driven

ix
About the Author

development, and diagnostics workflow and interaction. Recent areas

of interest also include cloud native computing, security, automation,
functional programming, and applications of category theory to software
development and big data.

x
About the Technical Reviewer
Sundar Pandian has more than three
years of experience in embedded software
development, including development of device
drivers, middleware software, and application
services for the infotainment system on the
Android platform. He’s also developed CAN
protocol drivers for the automotive braking
system on the Autosar platform.
He’s developed software with C, C++,
and Java and worked in the automotive,
semiconductor, and telecom industries. He has
a bachelor’s in electronics and communication engineering. Currently, he
serves as a firmware/middleware engineer for audio DSPs.

xi
Preface
The book covers topics ranging from ARM64 assembly language
instructions and writing programs in assembly language to pointers, live
debugging, and static binary analysis of compiled C and C++ code.
Diagnostics of core memory dumps, live and postmortem debugging
of Linux applications, services, and systems, memory forensics, malware,
and vulnerability analysis require an understanding of ARM64 assembly
language and how C and C++ compilers generate code, including
memory layout and pointers. This book is about background knowledge
and practical foundations that are needed to understand internal Linux
program structure and behavior, start working with the GDB debugger, and
use it for disassembly and reversing. It consists of practical step-by-step
exercises of increasing complexity with explanations and many diagrams,
including some necessary background topics.
By the end of the book, you will have a solid understanding of how
Linux C and C++ compilers generate binary code. In addition, you will be
able to analyze such code confidently, understand stack memory usage,
and reconstruct original C/C++ code.
The book will be useful for

• Software support and escalation engineers, cloud

security engineers, SRE, and DevSecOps

• Software engineers coming from JVM background

• Software testers

• Engineers coming from non-Linux environments, for

example, Windows or Mac OS X

xiii
Preface

• Engineers coming from non-ARM environments, for

example, x86/x64

• Linux C/C++ software engineers without assembly

language background

• Security researchers without assembly language

background

• Beginners learning Linux software reverse engineering

techniques

This book can also be used as an ARM64 assembly language and Linux
debugging supplement for relevant undergraduate-level courses.

Source Code
All source code used in this book can be downloaded from github.com/
apress/arm64-linux-debugging-disassembling-reversing.

xiv
CHAPTER 1

Memory, Registers,
and Simple Arithmetic
emory and Registers Inside an
M
Idealized Computer
Computer memory consists of a sequence of memory cells, and each cell
has a unique address (location). Every cell contains a “number.” We refer
to these “numbers” as contents at addresses (locations). Because memory
access is slower than arithmetic instructions, there are so-called registers
to speed up complex operations that require memory to store temporary
results. We can also think about them as stand-alone memory cells. The
name of a register is its address. Figure 1-1 illustrates this.

© Dmitry Vostokov 2023 1

D. Vostokov, Foundations of ARM64 Linux Debugging, Disassembling, and Reversing,
https://doi.org/10.1007/978-1-4842-9082-8_1
Chapter 1 Memory, Registers, and Simple Arithmetic

Figure 1-1. Computer memory represented as a sequence of memory

cells and locations

emory and Registers Inside ARM

M
64-Bit Computer
Here, addresses for memory locations containing integer values usually
differ by four or eight, and we also show two registers called X0 and X1.
The first halves of them are called W0 and W1 as shown in Figure 1-2.

2
Chapter 1 Memory, Registers, and Simple Arithmetic

Figure 1-2. Typical ARM 64-bit memory and register layout

Because memory cells contain “numbers,” we start with simple

arithmetic and ask a processor to compute the sum of two numbers to see
how memory and registers change their values.

“ Arithmetic” Project: Memory Layout

and Registers
For our project, we have two memory addresses (locations) that we call
“a” and “b.” We can think about “a” and “b” as names of their respective
addresses (locations). Now we introduce a special notation where (a)

3
Chapter 1 Memory, Registers, and Simple Arithmetic

means contents at the memory address (location) “a.” If we use the C

or C++ language to write our project, we declare and define memory
locations “a” and “b” as

static int a, b;

By default, when we load a program, static memory locations are filled

with zeroes, and we can depict our initial memory layout after loading the
program, as shown in Figure 1-3.

Figure 1-3. Initial memory layout after loading the program

4
Chapter 1 Memory, Registers, and Simple Arithmetic

“Arithmetic” Project: A Computer Program

We can think of a computer program as a sequence of instructions for
the manipulation of contents of memory cells and registers. For example,
addition operation: add the contents of memory cell №12 to the contents
of memory cell №14. In our pseudo-code, we can write

[14] <- [14] + [12]

Our first program in pseudo-code is shown on the left of the table:

[a] <- 1 Here, we put assembly instructions corresponding to

[b] <- 1 pseudo-code.
[b] <- [b] + [a]
[a] <- [a] + 1
[b] <- [b] * [a]

“<-” means moving (assigning) the new value to the contents of a

memory location (address). “//” is a comment sign, and the rest of the line
is a comment. “=” shows the current value at a memory location (address).
To remind, a code written in a high-level programming language is
translated to a machine language by a compiler. However, the machine
language can be readable if its digital codes are represented in some
mnemonic system called assembly language. For example, ADD X1, X1, #1
is increment by one of what is stored in the register memory cell X1.

“ Arithmetic” Project: Assigning Numbers

to Memory Locations
We remind that “a” means the location (address) of the memory cell,
and it is also the name of the location (address) 00000000004b2b00 (see
Figure 1-3). [a] means the contents (number) stored at the address “a.”

5
Chapter 1 Memory, Registers, and Simple Arithmetic

If we use the C or C++ language, “a” is called “the variable a,” and we
write the assignment as

a = 1;

In ARM64 assembly language, we write several instructions for that:

adr x0, a
mov w1, #1
str w1, [x0]

In the GDB disassembly output, we may see the following code:

adrp    x0, 0x4b2000
add     x0, x0, #0xb00
mov     w1, #0x1
str     w1, [x0]

We show the translation of our pseudo-code into assembly language in

the right column:

[a] <- 1 // x0 = a adr x0, a

// w1 = 1 mov  w1, #1
// [a] = 1 str  w1, [x0]
[b] <- 1          // x0 = b adr  x0, b
// w1 = 1 mov  w1, #1
// [b] = 1 str  w1, [x0]
[b] <- [b] + [a]
[a] <- [a] + 1
[b] <- [b] * [a]

adrp x0, 0x4b2000, and subsequent add x0, x0, #0xb00 is how the
compiler generates code to calculate the address “a” instead of specifying it
directly. Such code is required for addressing large regions of memory, and

6
Chapter 1 Memory, Registers, and Simple Arithmetic

the compiler uses it even for smaller regions where just one adr instruction
is sufficient.
Literal constants have the # prefix, for example, #0x1. The 0x prefix
means the following number is hexadecimal. We explain such numbers
in Chapter 3. Please also notice that the movement direction is the same
in both the disassembly output and the pseudo-code: from right to left
(except for the str instruction).
After executing the first three assembly language instructions, we have
the memory layout shown in Figure 1-4A.

Figure 1-4A. Memory layout after executing the first three assembly
language instructions

7
Chapter 1 Memory, Registers, and Simple Arithmetic

After executing the next three assembly language instructions, we have

the memory layout shown in Figure 1-4B.

Figure 1-4B. Memory layout after executing the next three assembly
language instructions

Assigning Numbers to Registers

In the previous section, we saw that assigning numbers was a part of
memory assignments. We can write in pseudo-code:

8
Chapter 1 Memory, Registers, and Simple Arithmetic

Note that we do not use brackets when we refer to register contents.

The latter instruction means assigning (copying) the number at the
location (address) “a” to a register.
In assembly language, we write

mov w1, #1 // 1 is copied to the first half of X1

register
mov  x1, #1              // full contents of X1 register are
replaced with 1
adr  x0, a               // copy the location (address) "a" to
X0 register
ldr  w1, [x0]            // copy the number at the location
stored in X0 to
                         // the first half of X1 register
Ldr  x1, [x0]            // copy the number at the location
stored in X0 to X1

In the GDB disassembly output, we may see the output where one
adr instruction is replaced by adrp/add instructions with parts of the
address value:

adrp x0, 0x4b2000 // 0x4b2000 + 0xb00 = 0x4b2b00

("a" address)
add x0, x0, #0xb00
ldr w1, [x0]

“ Arithmetic” Project: Adding Numbers

to Memory Cells
Now let's look at the following pseudo-code statement in more detail:

[b] <- [b] + [a]

9
Chapter 1 Memory, Registers, and Simple Arithmetic

To recall, “a” and “b” mean the names of locations (addresses)

00000000004b2b00 and 00000000004b2b04, respectively (see Figures 1-4A
and 1-4B). [a] and [b] mean contents at addresses “a” and “b,” respectively,
simply some numbers stored there.
In the C or C++ language, we write the following statement:

b = b + a;
b += a;

In assembly language, we use the instruction ADD. Because of ARM

architecture limitations, we cannot use memory addresses in one step
(instruction), for example, add b, b, a. We can only use the add register1,
register1, register0 instruction to add the value stored in the register0 to
the value stored in the register1 and move the result to the register1. So,
first, we need to load (ldr) contents at addresses “a” and “b” to registers
and store (str) the result back to the memory location “b” after addition.
Recall that a register is like a temporary memory cell itself here:

Register2 <- [b]

Register1 <- [a]
Register2 <- register2 + register1
[b] <- register2

In assembly language, we write

adr  x0, b
ldr  w1, [x0]
adr  x0, a
ldr  w0, [x0]
add  w1, w1, w0
adr  x0, b
str  w1, [x0]

In the GDB disassembly output, we may see the following code:

10
Chapter 1 Memory, Registers, and Simple Arithmetic

adrp x0, 0x4b2000

add  x0, x0, #0xb00
ldr  w1, [x0]
adrp x0, 0x4b2000
add  x0, x0, #0xb04
ldr  w0, [x0]
add  w1, w1, w0
adrp x0, 0x4b2000
add  x0, x0, #0xb04
str  w1, [x0]

Now we can translate our pseudo-code into assembly language:

[a] <- 1 // x0 = a adr x0, a

After executing ADR, LDR, ADD, and STR instructions, we have the
memory layout illustrated in Figure 1-5.

11
Chapter 1 Memory, Registers, and Simple Arithmetic

Figure 1-5. Memory layout after executing ADR, LDR, ADD, and STR
instructions

Incrementing/Decrementing Numbers
in Memory and Registers
In pseudo-code, it looks simple and means increment (decrement) a
number stored at the location (address) “a”:

[a] <- [a] + 1

[a] <- [a] – 1

In the C or C++ language, we can write this using three possible ways:

12
Chapter 1 Memory, Registers, and Simple Arithmetic

a = a + 1;
++a;
a++;
b = b – 1;
--b;
b--;

In assembly language, we use instructions ADD and SUB and write

add x0, x0, #1
sub x0, x0, #1

adr  x0, a
ldr  w1, [x0]
add  w1, w1, #1
str  w1, [x0]

adr  x0, b
ldr  w1, [x0]
sub  w1, w1, #1
str  w1, [x0]

In the GDB disassembly output, we may see the similar instructions:

adrp x0, 0x4b2000

add  x0, x0, #0xb00
ldr  w0, [x0]
add  w1, w0, #0x1
adrp x0, 0x4b2000
add  x0, x0, #0xb00
str  w1, [x0]

13
Chapter 1 Memory, Registers, and Simple Arithmetic

Now we add the assembly language translation of increment:

[a] <- 1 // x0 = a adr x0, a

                  // w1 = 1 mov  w1, #1
                  // [a] = 1 str  w1, [x0]
[b] <- 1          // x0 = b adr  x0, b
                  // w1 = 1 mov  w1, #1
                  // [b] = 1 str  w1, [x0]
[b] <- [b] + [a]  // x0 = b adr  x0, b
                  // w1 = 1 ldr  w1, [x0]
                  // x0 = a adr  x0, a
                  // w0 = 1 ldr  w0, [x0]
                  // w1 = 2 add  w1, w1, w0
                  // x0 = b adr  x0, b
                  // [b] = 2 str  w1, [x0]
[a] <- [a] + 1    // x0 = a adr  x0, a
                  // w1 = 1 ldr  w1, [x0]
                  // w1 = 2 add  w1, w1, #1
                  // [a] = 2 str  w1, [x0]
[b] <- [b] * [a]

After the execution of the ADD instruction, we have the memory layout
illustrated in Figure 1-6.

14
Chapter 1 Memory, Registers, and Simple Arithmetic

Figure 1-6. Memory layout after the execution of the ADD instruction

Multiplying Numbers
In pseudo-code, we write

[b] <- [b] * [a]

It means that we multiply the number at the location (address) “b” by

the number at the location (address) “a.”
In the C or C++ language, we can write that using two ways:

b = b * a;
b *= a;

15
Chapter 1 Memory, Registers, and Simple Arithmetic

In assembly language, we use instruction MUL and write

adr  x0, b
ldr  w1, [x0]
adr  x0, a
ldr  w0, [x0]
mul  w1, w1, w0
adr  x0, b
str  w1, [x0]

In the GDB disassembly output, we may see the following code:

adrp x0, 0x4b2000

add  x0, x0, #0xb04
ldr  w1, [x0]
adrp x0, 0x4b2000
add  x0, x0, #0xb00
ldr  w0, [x0]
mul  w1, w1, w0
adrp x0, 0x4b2000
add  x0, x0, #0xb04
str  w1, [x0]

Now we add additional assembly instructions to our pseudo-code

assembly language translation:

16
Chapter 1 Memory, Registers, and Simple Arithmetic

[a] <- 1 // x0 = a adr x0, a

After the execution of the STR instruction, we have the memory layout
illustrated in Figure 1-7.

17
Chapter 1 Memory, Registers, and Simple Arithmetic

Figure 1-7. Memory layout after the execution of the STR instruction

Summary
This chapter introduced CPU registers and explained the memory layout
of a simple arithmetic program. We learned basic ARM64 commands,
including loading values from and storing values in memory. We also
manually translated C and C++ code to assembly language.
The next chapter looks at assembly language code produced by a
debugger via disassembling binary code. Then, we reverse it to C and C++
code. We also compare the disassembly output of nonoptimized code to
optimized code.

18
CHAPTER 2

Code Optimization
“Arithmetic” Project: C/C++ Program
Let's rewrite our “Arithmetic” program in C/C++. Corresponding assembly
language instructions are put in comments:

int a, b;

int main(int argc, char* argv[])

{
      a = 1;              // adr  x0, a
                          // mov  w1, #1
                          // str  w1, [x0]

b = 1; // adr x0, b

// mov w1, #1
// str w1, [x0]

b = b + a; // adr x0, b

                          // ldr  w1, [x0]
                          // adr  x0, a
                          // ldr  w0, [x0]
                          // add  w1, w1, w0
                          // adr  x0, b
                          // str  w1, [x0]

D. Vostokov, Foundations of ARM64 Linux Debugging, Disassembling, and Reversing,
https://doi.org/10.1007/978-1-4842-9082-8_2
Chapter 2 Code Optimization

      ++a;                // adr  x0, a
                          // ldr  w1, [x0]
                          // add  w1, w1, #1
                          // str  w1, [x0]

b = b * a; // adr x0, b

                          // ldr  w1, [x0]
                          // adr  x0, a
                          // ldr  w0, [x0]
                          // mul  w1, w1, w0
                          // adr  x0, b
                          // str  w1, [x0]

// results: [a] = 2 and [b] = 4

return 0;
}

Downloading GDB
We used one of the free ARM64 Linux compute instances available from
cloud providers. In our case, GDB was already available after provisioning.
If, in your case, GDB is not available, you need to install it together with
basic build tools. For example, in Debian:

$ sudo apt install build-essential

$ sudo apt install gdb

You may also need to download git to clone source code:

$ sudo apt install git

$ cd ~
$ git clone github.com/apress/arm64-linux-debugging-
disassembling-reversing .

20
Chapter 2 Code Optimization

On our RHEL-type system, we updated the tools (git included)

and GDB via

$ sudo yum group install "Development Tools"

$ sudo yum install gdb

GDB Disassembly Output – No Optimization

The source code can be downloaded from the following location:

github.com/apress/arm64-linux-debugging-disassembling-
reversing/Chapter2/

If we compile and link the program in no optimization mode (default):

$ gcc ArithmeticProjectC.cpp -o ArithmeticProjectC

we get the binary executable module we can load in GDB and inspect
assembly code.
First, we run GDB with the program as a parameter:

$ gdb ./ArithmeticProjectC
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-120.0.2.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/
licenses/gpl.html>
This is free software: you are free to change and
redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type
"show copying"
and "show warranty" for details.
This GDB was configured as "aarch64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...

21
Chapter 2 Code Optimization

Reading symbols from /home/coredump/pflddr/A64/Chapter2/

ArithmeticProjectC...(no debugging symbols found)...done.
(gdb)

Next, we put a breakpoint at our main C/C++ function to allow the

program execution to stop at that point and give us a chance to inspect
memory and registers. Symbolic names/function names like "main" can be
used instead of code memory locations:

(gdb) break main

Breakpoint 1 at 0x4005bc

Then we start the execution of the program (let it run). The program
then stops at the previously set breakpoint:

Starting program: /home/coredump/pflddr/A64/Chapter2/./

ArithmeticProjectC

Breakpoint 1, 0x00000000004005bc in main ()

Missing separate debuginfos, use: debuginfo-install
glibc-2.17-325.0.2.el7_9.aarch64

Now we disassemble the main function:

(gdb) disass main

Dump of assembler code for function main:
   0x00000000004005b8 <+0>:     sub     sp, sp, #0x10
=> 0x00000000004005bc <+4>:     str     w0, [sp,#12]
   0x00000000004005c0 <+8>:     str     x1, [sp]
   0x00000000004005c4 <+12>:    adrp    x0, 0x420000
   0x00000000004005c8 <+16>:    add     x0, x0, #0x20
   0x00000000004005cc <+20>:    mov     w1, #0x1          // #1
   0x00000000004005d0 <+24>:    str     w1, [x0]
   0x00000000004005d4 <+28>:    adrp    x0, 0x420000
   0x00000000004005d8 <+32>:    add     x0, x0, #0x24

22
Chapter 2 Code Optimization

0x00000000004005dc <+36>: mov w1, #0x1 // #1

   0x00000000004005e0 <+40>:    str     w1, [x0]
   0x00000000004005e4 <+44>:    adrp    x0, 0x420000
   0x00000000004005e8 <+48>:    add     x0, x0, #0x24
   0x00000000004005ec <+52>:    ldr     w1, [x0]
   0x00000000004005f0 <+56>:    adrp    x0, 0x420000
   0x00000000004005f4 <+60>:    add     x0, x0, #0x20
   0x00000000004005f8 <+64>:    ldr     w0, [x0]
   0x00000000004005fc <+68>:    add     w1, w1, w0
   0x0000000000400600 <+72>:    adrp    x0, 0x420000
   0x0000000000400604 <+76>:    add     x0, x0, #0x24
   0x0000000000400608 <+80>:    str     w1, [x0]
   0x000000000040060c <+84>:    adrp    x0, 0x420000
   0x0000000000400610 <+88>:    add     x0, x0, #0x20
   0x0000000000400614 <+92>:    ldr     w0, [x0]
   0x0000000000400618 <+96>:    add     w1, w0, #0x1
   0x000000000040061c <+100>:   adrp    x0, 0x420000
   0x0000000000400620 <+104>:   add     x0, x0, #0x20
   0x0000000000400624 <+108>:   str     w1, [x0]
---Type <return> to continue, or q <return> to quit---
   0x0000000000400628 <+112>:   adrp    x0, 0x420000
   0x000000000040062c <+116>:   add     x0, x0, #0x24
   0x0000000000400630 <+120>:   ldr     w1, [x0]
   0x0000000000400634 <+124>:   adrp    x0, 0x420000
   0x0000000000400638 <+128>:   add     x0, x0, #0x20
   0x000000000040063c <+132>:   ldr     w0, [x0]
   0x0000000000400640 <+136>:   mul     w1, w1, w0
   0x0000000000400644 <+140>:   adrp    x0, 0x420000
   0x0000000000400648 <+144>:   add     x0, x0, #0x24
   0x000000000040064c <+148>:   str     w1, [x0]

23
Chapter 2 Code Optimization

0x0000000000400650 <+152>: mov w0, #0x0 // #0

0x0000000000400654 <+156>: add sp, sp, #0x10
0x0000000000400658 <+160>: ret
End of assembler dump.

We repeat the part of the formatted disassembly output here that

corresponds to our C/C++ code:

0x00000000004005c4 <+12>: adrp x0, 0x420000

   0x00000000004005c8 <+16>:    add     x0, x0, #0x20
   0x00000000004005cc <+20>:    mov     w1, #0x1
   0x00000000004005d0 <+24>:    str     w1, [x0]
   0x00000000004005d4 <+28>:    adrp    x0, 0x420000
   0x00000000004005d8 <+32>:    add     x0, x0, #0x24
   0x00000000004005dc <+36>:    mov     w1, #0x1
   0x00000000004005e0 <+40>:    str     w1, [x0]
   0x00000000004005e4 <+44>:    adrp    x0, 0x420000
   0x00000000004005e8 <+48>:    add     x0, x0, #0x24
   0x00000000004005ec <+52>:    ldr     w1, [x0]
   0x00000000004005f0 <+56>:    adrp    x0, 0x420000
   0x00000000004005f4 <+60>:    add     x0, x0, #0x20
   0x00000000004005f8 <+64>:    ldr     w0, [x0]
   0x00000000004005fc <+68>:    add     w1, w1, w0
   0x0000000000400600 <+72>:    adrp    x0, 0x420000
   0x0000000000400604 <+76>:    add     x0, x0, #0x24
   0x0000000000400608 <+80>:    str     w1, [x0]
   0x000000000040060c <+84>:    adrp    x0, 0x420000
   0x0000000000400610 <+88>:    add     x0, x0, #0x20
   0x0000000000400614 <+92>:    ldr     w0, [x0]
   0x0000000000400618 <+96>:    add     w1, w0, #0x1
   0x000000000040061c <+100>:   adrp    x0, 0x420000
   0x0000000000400620 <+104>:   add     x0, x0, #0x20

24
Chapter 2 Code Optimization

0x0000000000400624 <+108>: str w1, [x0]

   0x0000000000400628 <+112>:   adrp    x0, 0x420000
   0x000000000040062c <+116>:   add     x0, x0, #0x24
   0x0000000000400630 <+120>:   ldr     w1, [x0]
   0x0000000000400634 <+124>:   adrp    x0, 0x420000
   0x0000000000400638 <+128>:   add     x0, x0, #0x20
   0x000000000040063c <+132>:   ldr     w0, [x0]
   0x0000000000400640 <+136>:   mul     w1, w1, w0
   0x0000000000400644 <+140>:   adrp    x0, 0x420000
   0x0000000000400648 <+144>:   add     x0, x0, #0x24
   0x000000000040064c <+148>:   str     w1, [x0]

We can directly translate it to bare assembly code we used in the

previous chapter and put corresponding pseudo-code in comments
(memory addresses may be different on your system):

0x00000000004005c4 <+12>: adrp x0, 0x420000

// [a] <- 1
   0x00000000004005c8 <+16>:    add     x0, x0, #0x20
   0x00000000004005cc <+20>:    mov     w1, #0x1
   0x00000000004005d0 <+24>:    str     w1, [x0]
   0x00000000004005d4 <+28>:    adrp    x0, 0x420000
// [b] <- 1
   0x00000000004005d8 <+32>:    add     x0, x0, #0x24
   0x00000000004005dc <+36>:    mov     w1, #0x1
   0x00000000004005e0 <+40>:    str     w1, [x0]
   0x00000000004005e4 <+44>:    adrp    x0, 0x420000
// [b] <- [b] + [a]
   0x00000000004005e8 <+48>:    add     x0, x0, #0x24
   0x00000000004005ec <+52>:    ldr     w1, [x0]
   0x00000000004005f0 <+56>:    adrp    x0, 0x420000
   0x00000000004005f4 <+60>:    add     x0, x0, #0x20

25
Chapter 2 Code Optimization

0x00000000004005f8 <+64>: ldr w0, [x0]

   0x00000000004005fc <+68>:    add     w1, w1, w0
   0x0000000000400600 <+72>:    adrp    x0, 0x420000
   0x0000000000400604 <+76>:    add     x0, x0, #0x24
   0x0000000000400608 <+80>:    str     w1, [x0]
   0x000000000040060c <+84>:    adrp    x0, 0x420000
// [a] <- [a] + 1
   0x0000000000400610 <+88>:    add     x0, x0, #0x20
   0x0000000000400614 <+92>:    ldr     w0, [x0]
   0x0000000000400618 <+96>:    add     w1, w0, #0x1
   0x000000000040061c <+100>:   adrp    x0, 0x420000
   0x0000000000400620 <+104>:   add     x0, x0, #0x20
   0x0000000000400624 <+108>:   str     w1, [x0]
   0x0000000000400628 <+112>:   adrp    x0, 0x420000
// [b] <- [b] * [a]
   0x000000000040062c <+116>:   add     x0, x0, #0x24
   0x0000000000400630 <+120>:   ldr     w1, [x0]
   0x0000000000400634 <+124>:   adrp    x0, 0x420000
   0x0000000000400638 <+128>:   add     x0, x0, #0x20
   0x000000000040063c <+132>:   ldr     w0, [x0]
   0x0000000000400640 <+136>:   mul     w1, w1, w0
   0x0000000000400644 <+140>:   adrp    x0, 0x420000
   0x0000000000400648 <+144>:   add     x0, x0, #0x24
   0x000000000040064c <+148>:   str     w1, [x0]

Now we can exit GDB:

(gdb) q
A debugging session is active.

Inferior 1 [process 11103] will be killed.

Quit anyway? (y or n) y
$

26
Random documents with unrelated
content Scribd suggests to you:
The Project Gutenberg eBook of Second census
This ebook is for the use of anyone anywhere in the United States
and most other parts of the world at no cost and with almost no
restrictions whatsoever. You may copy it, give it away or re-use it
under the terms of the Project Gutenberg License included with this
ebook or online at www.gutenberg.org. If you are not located in the
United States, you will have to check the laws of the country where
you are located before using this eBook.

Title: Second census

Author: John Victor Peterson

Illustrator: John Schoenherr

Release date: September 14, 2023 [eBook #71645]

Language: English

Original publication: New York, NY: Royal Publications, Inc, 1957

Credits: Greg Weeks, Mary Meehan and the Online Distributed

Proofreading Team at http://www.pgdp.net

*** START OF THE PROJECT GUTENBERG EBOOK SECOND

CENSUS ***
Second Census

By JOHN VICTOR PETERSON

Illustrated by SCHOENHERR

Quintuplets alone would be bad enough, without

a census taker who could count them in advance!

[Transcriber's Note: This etext was produced from

Infinity October 1957.
Extensive research did not uncover any evidence that
the U.S. copyright on this publication was renewed.]
In addition to being a genius in applied atomics, Maitland Browne's a
speedster, a practical joker, and a spare-time dabbler in electronics.
As far as speed's concerned, I had a very special reason for wanting
to get home early tonight, and swift straight flight would have been
perfectly okay with me. The trouble was that Browne decided that this
was his night to work on Fitzgerald.
Browne lifted the three passenger jetcopter—his contribution to our
commuterpool—from the flight stage at Brookhaven National
Laboratories in a strictly prosaic manner. Then the flight-fiend in him
came out with a vengeance. Suddenly and simultaneously he set the
turbo-jets to full thrust and dived to treetop level; then he started
hedgehopping toward Long Island Sound. His heavy dark features
were sardonic in the rear-view mirror; his narrowed, speculative eyes
flicked to it intermittently to scan Ed Fitzgerald beside me.
Browne's action didn't surprise, startle, or even frighten me at first. I'd
seen the mildly irritated look in his eyes when Fitzgerald had come
meandering up—late as usual!—to the ship back on the stage. I had
rather expected some startling development; provoking Ed Fitzgerald
to a measurable nervous reaction was one of Browne's burning
ambitions. I also had a certain positive hunch that Fitzgerald's
tardiness was deliberate.
In any event my mind was ninety per cent elsewhere. Tessie—my
wife—had visifoned me from Doc Gardiner's office in New Canaan
just before I'd left my office at the Labs and had told me with high
elation that we were destined to become the proud parents of
quintuplets! I was, therefore, now going back bewilderedly over our
respective family trees, seeking a precedent in the genes.
I was shocked out of my genealogical pursuits when Browne
skimmed between the tall stereo towers near Middle Island. I
prayerfully looked at Fitzgerald for assistance in persuading Browne
to cease and desist, but Fitzgerald was staring as imperturbably as
ever at Browne's broad back, a faintly derisive smile on his face.
I should have expected that. Even a major cataclysm couldn't budge
Fitzgerald. I've seen him damp an atomic pile only milliseconds from
critical mass without batting an eye before, during or after.
I tried to console myself. But while I knew Browne's reaction time was
uncommonly fast and his years of 'copter flight singularly accident-
free, I still could not relax. Not tonight, with the knowledge that I was
a prospective father of not just the first but the first five. I wanted to
get home to Tessie in a hurry, certainly, but I wanted to get there all in
one proud piece.
Browne went from bad to worse and began kissing the 'copter's belly
on the waves in Long Island Sound. The skipping stone effect was
demoralizing. Then, trying to top that, he hedgehopped so low on the
mainland that the jets blew the last stubbornly clinging leaves from
every oak tree we near-missed crossing Connecticut to our
destination on the Massachusetts border.
Fitzgerald was the only one who talked on the way. Browne was too
intent on his alleged driving. I was, frankly, too scared for intelligible
conversation. It wasn't until later, in fact, that I realized that Ed
Fitzgerald's monologue had clearly solved a problem we were having
on adjusting the new cosmotron at the Labs.
"We made good time tonight," Browne said, finally easing up as we
neared home.
Fitzgerald grinned.
I found my voice after a moment and said, "It's a good thing radar
doesn't pick up objects that low or C.A.A. would be breathing down
your fat neck! As it is, I think the cops at Litchfield have probably 'cast
a summons to your p. o. tray by now. That was the mayor's 'copter
you almost clipped."
Browne shrugged as if he'd worry about it—maybe!—if it happened.
He's top physicist at the Labs. In addition to his abilities, that means
he has connections.
We dropped imperturbable Fitzgerald on his roofstage at the lower
end of Nutmeg Street; then Browne dropped a relieved me two blocks
up and proceeded the five blocks to his enormous solar house at the
hill's summit.
I energized the passenger shaft, buttoned it to optimum descent and
dropped to first. There was a note from Tessie saying she'd gone
shopping with Fitzgerald's wife, Miriam. So I'd start celebrating alone!
I punched the servomech for Scotch-on-the-rocks. As I sat sipping it I
kept thinking about Maitland Browne. It wasn't just the recollection of
the ride from Brookhaven. It was also the Scotch. Association.
I thought back to the night Tessie and I had gone up to Browne's to
spend the evening, and Browne invited me to sit in a new plush chair.
I sat all right, but promptly found that I was completely unable to rise
despite the fact that I was in full possession of my faculties. He'd then
taken our respective wives for a midnight 'copter ride, leaving me to
escape the chair's invisible embrace if I could. I couldn't.
Luckily he'd forgotten that his liquor cabinet was within arm's reach of
the chair; I'd made devastating inroads on a pinch bottle by the time
they'd returned. He switched off his psionic machine but fast then,
and didn't ever try to trap me in it again!
The visifone buzzed and I leaped to it, thinking of Tessie out shopping
in her delicate condition—
I felt momentary relief, then startlement.
It was Fitzgerald—Fitzgerald with fair features flushed, Fitzgerald the
imperturbable one stammering with excitement!
"Now, wait a second!" I said in amazement. "Calm down, for Heaven's
sake! What's this about a census?"
"Well, are they taking one now?"
"By 'they' I presume you mean the Bureau of the Census of the U. S.
Department of Commerce," I said, trying to slow him down, while
wondering what in the name of a reversed cyclotron could have jarred
him so.
He spluttered. "Who else? Well, are they?"
"Not to my knowledge. They took it only last year. Won't do it again
until 1970. Why?"
"As I was trying to tell you, a fellow who said he was a census taker
was just here and damn it, Jim, he wanted to know my considered
ideas of natural resources, birth control, immigration, racial
discrimination, UFO's and half a dozen other things. He threw the
questions at me so fast I became thoroughly confused. What with me
still thinking about the cosmotron, wondering if Brownie will stop
riding me before I do break down, and wondering where Miriam is, I
just had to slow him down so that I could piece together the answers.
"Just about then he staggered as if a fifth of hundred-proof bourbon
had caught up with him and reeled out without a fare-thee-well. I
didn't see which way he went because Jim Moran—he's the new
fellow in the house just down the hill—Jim called to see if the fellow
had been here yet and what I thought of him. If he hit Jim's before
me, that means he should be getting to you within the next half-hour
or so."
My front door chimed.
"Sorry, Fitz," I said. "This must be Tessie. She was coming home on
the surface bus. Miriam's with her, so that's one worry off your mind.
Take it easy. I'll call you back."

But it wasn't Tessie. It was a man, dressed in a dark brown business

suit that was tight on his big frame. His face was a disturbing one,
eyes set so wide apart you had trouble meeting them up close and
felt embarrassed shifting your gaze from one to the other.
"Mr. James Rainford?" he asked rhetorically.
"Yes?"
"I'm from the Bureau of the Census," he said calmly.
This couldn't be the same fellow Fitzgerald had encountered. There
must be a group of them covering the neighborhood. In any event,
this man was cold sober. Further, the fastest Olympic runner couldn't
have made the two long blocks from Fitzgerald's house in the time
that had elapsed and this fellow wasn't even breathing hard.
"Let's see your credentials," I said.
I wasn't sure whether he hesitated because he couldn't remember
which pocket they were in or for some other reason; anyway, he did
produce credentials and they were headed U. S. Department of
Commerce, Bureau of the Census, and looked very proper indeed.
But I still couldn't quite believe it. "But the census was taken last
year," I said.
"We have to recheck this area," he said smoothly. "We have reason
to believe that the records are inaccurate."
His eyes were harder to meet than ever.
"Excuse me," I said and stepped out on the stoop, looking down the
hill toward Fitzgerald's house.
Not only was Fitzgerald standing on his tropic forelawn, but so were
the dozen household heads in between, each and every one of them
staring fixedly at the pair of us on my stoop.
"Come in," I said perplexedly and led the way.
When I turned to face him I found that he'd swung a square black box
which resembled a miniature cathode ray oscilloscope from behind
his back and was busily engaged in punching multi-colored buttons
tinging the dim raster. I'm a gadget man—cybernetics is my forte—but
I'm afraid I stared. The most curious wave-forms I have ever seen
were purple-snaking across the 'scope.
"It's a combination memory storage bank and recorder," he explained.
"Electronic shorthand. I'm reading the data which your wife gave to us
and which I'll ask you to verify."
The gadget was a new one to me. I made a mental note to renew my
subscription to Scientific American.
"Married," he said. "Ah, yes, expecting!"
"Now will you stop right there!" I cried. "That couldn't be on your
records! A year ago we certainly weren't expecting! Now, look—"
But he kept on with most peculiar enthusiasm. "Quintuplets! Sure!
Three boys and two girls! My congratulations, Mr. Rainford. Thank
you for your time!"
I stood there dazed. Nobody but Doctor Gardiner, Tessie and myself
—well, maybe Miriam Fitzgerald by this time—knew we were
expecting. Even Gardiner couldn't know the division of sexes among
the foetal group at this early stage of development!
I had to find a way to delay this strange man.
"Let's see your credentials again," I demanded as my mind raced:
Oh, where's Tessie? What was it Fitz had said? Brownie, maybe
Brownie, can explain—
The census taker pulled papers from his pocket, then reeled as
though drunk. He staggered backward against and out of the door,
the autoclose slamming it behind him.
I jerked open the door and jumped out on the stoop.
In those few seconds the man had vanished—
No! There he was fifty feet away ringing Mike Kozulak's bell. And he
was erect, completely steady!
But nobody could move that fast!

I turned back and picked up the papers he'd dropped. There was a
little sheaf of them, printed on incredibly thin paper. The printing
resembled the wave-forms I had seen upon the 'scope. It was like
some twisted Arabic script. And this strange script was overprinted on
a star-chart which I thought I recognized.
I plumbed my mind, I had it! In a star identification course at M. I. T.
they had given us star-charts showing us the galaxy as seen from
another star which we were asked to identify. One of those charts at
M. I. T. had been almost exactly the same as this: the galaxy as
viewed from Alpha Centauri!
I was stunned. I staggered a bit as I went back out on the stoop and
looked down the street. I welcomed the sight of Ed Fitzgerald
hurrying up across the neighbors' forelawns, uprooting some of the
burbanked tropical plants en route.
By the time Fitzgerald reached me, the census taker had come out of
Mike Kozulak's like a fission-freed neutron, staggered a few times in
an orbit around one of Mike's greenhouse-shelled shrubs, and
actually streaked across the two vacant lots between Mike's and
Manny Cohen's.
"He's not human," I said to Ed. "Not Earth-human. I'll swear he's from
Alpha Centauri; look at these papers! What he's after Heaven knows,
but maybe we can find out. It's a cinch he'll eventually reach Maitland
Browne's. Let's get there fast; maybe we'll be able to trap him!"
I dragged Fitzgerald inside and we went up the passenger shaft
under optimum ascent.
My little Ponticopter's jets seared the roof garden as I blasted forward
before the vanes had lifted us clear of the stage. I think I out-Browned
Browne in going those five blocks and I know I laid the foundation for
a Mrs. Browne vs. Mr. Rainford feud as I dropped my 'copter with
dismaying results into the roof garden which was her idea of Eden. I
had to, though; Brownie's is a one-copter stage and his ship was on
it.
We beat the alien. We looked back down the hill before we entered
Brownie's passenger shaft. The fellow was just staggering out of Jack
Wohl's rancher at the lower end of this last block.
We found Browne working on a stripped-down stereo chassis which
had been carelessly laid without protective padding in the middle of
the highly polished dining table. I knew then that his wife couldn't
possibly be home.
Browne looked up as if he were accustomed to unannounced people
dropping into his reception chute.
"To what do I owe the honor of—" he started. Fitzgerald interrupted
him with a stammered burst that brought a pleased grin to his broad
features.
"Well, Fitz," Browne said. "Where's the old control?"
Fitzgerald fumed. I took over and explained swiftly.
"Well, this is a problem," Browne said thoughtfully. "Now why in the
world—"
His front door chimed and became one-way transparent. We saw the
alien standing on the stoop, erect and calm.
"Now what will—" Fitzgerald started. "We thought maybe—the chair,
Brownie!"
Browne grinned and pressed a button on the table console. He has
them in every room—to control at his whim any of the dozens of
electronic and mechanical equipments located throughout his
enormous house.
The front door opened and the alien entered as Browne cried "Come
in!"
Browne flicked over a switch marked Lock 1st Fl as he rose and went
into the living room. We followed him warily.

The alien glanced back at the closed door with a trace of annoyance
on his broad features; then regarded us imperturbably as we
advanced.
"Mr. Fitzgerald and Mr. Rainford," he said flatly. "Well, this is a
surprise!"
He didn't sound sincere.
"Have a seat," Browne said, waving a big hand toward the chair.
The alien shook his head negatively.
Browne gave Fitzgerald and me a quick glance, inclining his head
forward. We promptly accelerated our advance.
"Look," Browne said, his dark face intense, "we know you're not what
you pretend to be. We know you're not of our country, not of our
world, not even of our solar system. Sit down in that chair!"
He lunged forward, grasping with his big hands, as we leaped at the
alien from either flank.
The alien didn't just move—he streaked, shooting between Browne
and Fitzgerald, heading unerringly toward the open passenger shaft
—into it!
Browne leaped to a console and punched the roof-lock button. A split
second later we heard a riveting machine burst of what was obviously
Centaurian profanity coming down the shaft as the alien found the
exit closed. Browne's fingers darted on the console, locking all the
upstairs windows.
"Browne," I said, "what good will that do? If we do manage to corner
him, just how long do you think we can stand up against him? With
his speed he could evade us until doomsday, to say nothing about
beating our brains out while we tried to land one, solid punch!"
Fitzgerald said, "If we can keep him on the run, maybe he'll get tired."
"Yeah, maybe," I said. "What if that's his normal speed? And who's
likely to get tired first? I'm dragging as of now."
"Well," Fitzgerald said, "we could get more people in and go at him in
shifts—or, well, what about tear gas or an anesthetic gas or—"
"Now, wait!" Browne snapped, unquestionably seizing command. "I'll
admit I started him on the run just now. Perhaps it was the wrong
approach. After all, he's done nothing wrong as far as we know. I—I
guess all of us—leaped to the illogical conclusion that he's out for no
good just because he's an alien. Sure, he's after something or he
wouldn't be going from door to door posing as a census taker. The
way you talk, Jim, would seem to indicate you're not curious. Well, I
am, and I'm going to do everything in my power to find out what he's
after.
"We've got to make him tell us. We can't deduce anything from the
data we have now. Sure, we know he has what you, Jim, say look like
bona fide credentials from the Census Bureau, but we also have right
here I. D. papers or something which show he's apparently from
Alpha Centauri. We know he speaks our language perfectly; ergo he
either learned it here first-hand or acquired it from someone else who
had learned it here.
"Whatever he's after, his approach certainly varies. He asked you a
lot of questions, Fitz, but, Jim, practically all he did in your house was
tell you your wife was pregnant with quintuplets. And whatever his
approach has been, he never seems to finish whatever he comes to
do. Something about you two—and from what you two have said,
Kozulak and Wohl—seems to have a most peculiar effect on him; you
say he's staggered out of every house he's entered only to recover
again in a matter of seconds.
"Just try to equate that!"
He stopped, pondering, and we didn't interrupt.
"Look," he said, "you two go upstairs. Take opposite sides of the
house and find him. Go slowly so that he won't be alarmed. Try to talk
with him, to persuade him we mean him no harm. If you find you can't
persuade him to come willingly, try to work him back to the passenger
shaft. I'll watch through the console—I've kinescopes in every room—
and I'll lock off one room at a time so that he can't reverse himself. I
won't activate the kinescopes until you're upstairs; he might
deactivate them if he weren't kept busy. Get him back to the
passenger shaft and I'll take over from there."
"But what—" Fitzgerald started.
Browne scowled and we went. Fitzgerald should have known better;
there are no buts when Browne gives orders.

We reached the second floor, floated off the up column into the foyer,
and separated.
Browne's first floor rooms are spacious, but most of those on the
second floor are not. I'd never been on the second floor before; I
found it a honeycomb of interconnected rooms of varying sizes and
shapes. I was apparently in Mrs. Browne's quarters; there were half a
dozen hobby rooms alone: a sewing room, a painting room, a
sculpture room, a writing room, others—And here was her spacious
bedroom and on its far side the alien was vainly trying to force one of
its windows.
He turned as I entered, his curious eyes darting around for an avenue
of escape.
"Now, wait," I said as soothingly as I could. "We don't mean any
harm. I think we're justified in being curious as to why you're here.
Who are you anyway? What are you looking for and why?"
He shook his head as if bewildered and seemed suddenly to become
unsteady.
"One question at a time, please," he said, temporizingly. "Your school
system isn't exacting enough; you all think of too many things at
once. It shocks a mind trained to single subject concentration,
especially when one has been educated in telepathic reception."
He grinned at me as I mentally recalled his staggering moments of
seeming drunkenness.
One question at a time, he'd said. Well, I'd ask him the one that was
burning at the threshold of my mind. I said quickly:
"I realize that you probably read in my mind that my wife and I are
expecting quintuplets, but how did you know the rest—about the
division of sexes—or did you guess?"
"I'll have to explain," he said; then hesitated, seeming to debate
mentally with himself as to whether he should go on. Suddenly he
started to talk so fast that the words nearly blurred into
unrecognizability, like a 45 rpm record at 78.
"I am Hirm Sulay of Alpha Centauri Five," he burst. "My people have
warred with the race of Beta Centauri Three for fifty of your years. We
secretly bring our children here to protect them from sporadic
bombing, insuring their upbringing through placing them in
orphanages or directly into homes."
A horrible suspicion flamed in my mind. I'd tried vainly to account for
the multiple birth we were expecting. I cried at him: "Then my wife—"
and he said,
"She will have twin girls, Doc Gardiner tells me. We had planned to
have three newborn boys ready in the delivery room."
"Then Doc Gardiner—"
"He and his staff are all of my race," Hirm Sulay said. "I see how your
mind leaped when I said 'newborn boys.' Your UFO sightings
frequently describe a 'mother' ship. Considering the gravid women
aboard I'd say the description is quite apt."

For some reason anger flared in me, and I rushed at him. He blurred
and went around me and out the way I'd come. I raced after him and
heard Fitzgerald cry, "Oh, no you don't!" and machine-gun footfalls
were doubling back toward me.
I hurried on and he flashed at and by me, then turned back as he
came to a door Browne had remotely locked. Back at and past me
again. I gave chase.
Fitzgerald yelled, "He's slowing down, Jim. He's tiring!"
And the doors kept closing under Browne's nimble fingering at the
console down below. Suddenly the area was cut down to the
passenger shaft foyer, and the three of us were weaving about, like
two tackles after the fastest fullback of all time. I leaped forward and
actually laid a hand on the alien for a split second, just enough to
topple him off balance so that Fitzgerald, charging in, managed to
bump him successfully into the shaft. A surprised cry came ringing
back up the shaft; Browne had obviously cut the lift's power supply
completely.
Browne's voice came ringing up: "Come on down, fellows; I've got
him!"
The shaft guard light flicked to green. Fitzgerald and I dropped down
to first.
Browne had apparently had his chair directly under the shaft; it was
back from the touchdown pad now and Hirm Sulay was in it, vainly
wriggling, shame-faced.
"Now maybe we'll find out a thing or two—" Browne said
meaningfully, bending toward the alien.
"Wait a minute," I cut in and related what Hirm Sulay had told me
upstairs.
"Is it true?" Browne demanded.
Hirm Sulay nodded.
"But why are you going from door to door? Surely you know where
those children are!"
"Sorry," Hirm Sulay said, "we don't. Some of the older and more
important records were lost. I say more important because the
missing ones I seek are grown. We're fighting a war, as I told you,
Jim. You can't keep fighting a war without young recruits!"
Browne's nearly fantastic dexterity came to my mind then. It
apparently came to his simultaneously; he asked abruptly,
"Could I be one of you?"
"What do you think?" Hirm Sulay countered, his face enigmatic.
"Well, I certainly can't move as fast as you!"
"Have you ever tried? Have you ever gone in for athletics? I'd say no.
Most scientists are essentially inactive—physically, that is."
"Are you saying 'yes'?" Browne cried.
Hirm Sulay looked us over, one by one. "Each of you is of our blood,"
he said. "I knew Jim and Fitz were when Fitz said I was slowing down
upstairs. I wasn't; they were speeding up to normalcy for the first
time."
I was stunned for a moment, only dimly aware that he went on to say,
"Now please turn off this blasted chair and tell me how it works. The
principle applied as a tractor beam could win our war!"
"I haven't the vaguest idea," Browne said. "But I bet you can figure it
out!"
Browne went to the servomech for drinks. He was gone for precisely
three seconds. Of those the servomech took two. Slow machine.
I don't know what to tell Tessie. Maybe she'd feel strange with the
boys if she knew. I'll certainly have to tell her part of the truth, though,
because I just can't let Browne and Fitzgerald go to help win our war
without me.
*** END OF THE PROJECT GUTENBERG EBOOK SECOND
CENSUS ***

Updated editions will replace the previous one—the old editions will
be renamed.

Creating the works from print editions not protected by U.S.

copyright law means that no one owns a United States copyright in
these works, so the Foundation (and you!) can copy and distribute it
in the United States without permission and without paying copyright
royalties. Special rules, set forth in the General Terms of Use part of
this license, apply to copying and distributing Project Gutenberg™
electronic works to protect the PROJECT GUTENBERG™ concept
and trademark. Project Gutenberg is a registered trademark, and
may not be used if you charge for an eBook, except by following the
terms of the trademark license, including paying royalties for use of
the Project Gutenberg trademark. If you do not charge anything for
copies of this eBook, complying with the trademark license is very
easy. You may use this eBook for nearly any purpose such as
creation of derivative works, reports, performances and research.
Project Gutenberg eBooks may be modified and printed and given
away—you may do practically ANYTHING in the United States with
eBooks not protected by U.S. copyright law. Redistribution is subject
to the trademark license, especially commercial redistribution.

START: FULL LICENSE

Welcome to our website – the ideal destination for book lovers and
knowledge seekers. With a mission to inspire endlessly, we offer a
vast collection of books, ranging from classic literary works to
specialized publications, self-development books, and children's
literature. Each book is a new journey of discovery, expanding
knowledge and enriching the soul of the reade

Our website is not just a platform for buying books, but a bridge
connecting readers to the timeless values of culture and wisdom. With
an elegant, user-friendly interface and an intelligent search system,
we are committed to providing a quick and convenient shopping
experience. Additionally, our special promotions and home delivery
services ensure that you save time and fully enjoy the joy of reading.