Hmmm.... 0010:0010e07d seems to be the call that starts the sys_execve function itself at Supervisor level. So 0010:001230c8 is the execve() function prologue being executed.
Edit: So 0010:0012443c is the start of the getname() function.
Edit: 0010:001230dc is the return from the getname() function. It returns 0 (according to EAX). So the function was a success.
Edit: Then, 0010:001230f5 is the call to do_execve().
Edit: Then, within do_execve(), there's at 0010:00122af6 (fs/exec.c:553) the call to open_namei(filename,0,0,&bprm.inode,NULL). It's CALLed at 0010:00122b05.
Looking at the result value at 0010:00122b0a, EAX contains -2? So the open_namei call returns -2, so there's something wrong there?
Edit: Looking at include/linux/errno.h, it returns -2, so -ENOENT? So it cannot find the /bin directory or the /bin/sh file correctly? Hmmm...
So, the open_namei call starts at 0010:00124a2c...
Edit: So, 0010:00124a76 E8 F1 FC FF FF calld 0012476c is the call to dir_namei(pathname,&namelen,&basename,base,&dir).
Edit: Looking at the result at 0010:00124a7b, it returns -2 (so -ENOENT) as well? So dir_namei is failing somehow?
Edit: 0010:0012477f is *res_inode = NULL;
Edit: Base is NULL at 0010:00124785, so !base must be followed, the inner part of the IF being at 0010:0012478c.
Edit: It loads current into EAX, then EAX+3D0 into EAX, effectively loading current->pwd into EAX. Then EAX into ESP+28 (which is the base parameter).
Edit: Then, it increases i_count using a basic INC instruction.
Edit: It sees the root start (/), at which point it calls iput(base) at 0010:001247a9.
Edit: It returns at 0010:001247ae.
Edit: It loads current->root into base and increases pathname by 1 at 0010:001247bd.
Edit: It increases base->i_count at 0010:001247be.
Edit: The infinite loop is entered. Pathname (ESI) is loaded into thisname (EBX).
Edit: It initializes len to 0 (0010:001247ca) at [esp+10], for the pathname length check for the current directory (bin) to process.
Edit: I see it reading 'b', copying it to the c variable, increasing and checking for NULL-termination, then for '/' (2Fh). It then increases len to 1.
Edit: Then the next one, reading 'i', increasing and checking for NULL-termination, then for '/' (2Fh). It then increases len to 2.
Edit: Then the final path one, reading 'n', increasing and checking for NULL-termination, then for '/' (2Fh).
Edit: Then the path termination, reading '/', increasing and checking for NULL-termination, then for '/' (2Fh), which is found. It thus proceeds to 0010:001247eb.
Edit: It then checks for the NULL-terminator at 0010:001247eb to terminate the main loop.
Edit: It then stores EDX with the 'base' parameter's address at 0010:001247ef. It then increases base->i_count at 0010:001247f3 (fs/namei.c:181).
Edit: It then pushes the parameters on the stack (len verified as being 3, correctly, the length of "bin") and calls the lookup() function at 0010:00124803.
Edit: It returns -2. Looking at the source code for the lookup function, I see that value being returned right at the start of the function? Hmmm....
Edit: I see the lookup function starting at 0010:001245dc.
Edit: It sets the result to NULL at 0010:001245ef.
Edit: It validates dir to be valid.
Edit: It calls permission(dir,MAY_EXEC(=1)) at 0010:0012460f. It returns 1 at 0010:00124614 and stores it at ESP+18 (the perm variable).
Edit: It checks the length for 2 (it's 3 in length) at 0010:0012461b, which mismatches, jumping to 0010:0012466c.
Edit: It checks dir->i_op and dir->i_op for zero, finds them non-zero and jumps to 0010:0012469c.
Edit: The perm check succeeds, proceeding to 0010:001246bc for the length check.
Edit: It then calls dir->i_op->lookup(dir,name,len,result) at 0010:001246c0.
Edit: The Minix filesystem lookup(minix_lookup) function is then called at 0010:001246cb, the function existing at 0010:00131868. Said function returns -2 as well, so it's the cause.
Edit: Minix_lookup clears the result at 0010:00131876.
Edit: It proceeds to check for the directory attribute on 0010:00131898 for the root directory.
Edit: Said attribute is 0x41ed.
Edit: It's a directory(0x4000 set), thus proceeds to 0010:001318c8.
Edit: It calls minix_find_entry(dir,name,len,&de) at 0010:001318d8. Said function returns 0, thus giving the -2 result which fails all.
Edit: It initializes res_dir to 0 at 0010:00131767.
Edit: Dir and dir->i_sb are deemed valid, thus continuing to 0010:00131788.
Edit: It loads namelen into EDX at 0010:0013178e.
Edit: It compares it to 14 (0xE), being s->namelen.
Edit: It initializes for the main entry loop at 0010:0013179e.
Edit: The main entry loop then starts at 0010:001317aa.
Edit: It checks EBX(bh) for being 0. It finds it being NULL, thus proceeding to 0010:001317b4.
Edit: It then reads the filesystem using minix_bread(dir(00bf7ee0),block(0),0) at 0010:001317b8. The function exists at 0010:00133874.
Edit: It returns a valid value, thus finding something 😁 The bh pointer now will contain 0xbfed20 at 0010:001317bd.
Edit: It finds the result non-zero, thus continuing on.
Edit: *res_dir is updated with the first entry it found at 0010:001317e2.
Edit: It calls the name compare(minix_match(namelen,name,bh,&offset,info)) function at 0010:001317f5.
OK, at this point, it gets interesting! This function starts to compare the found directory entries to the entry we're searching for(which must be failing)...
Said function starts running at 0010:001316c8.
It loads len into ebx, then bh into edx, the offset pointer into eax, and info into ebp.
Edit: Then, it loads bh->b_data into edx at 0010:001316dc.
It then adds the dereferenced offset pointer to that edx, thus getting the sum for the de variable.
It then loads info->dirsize (offset 5C), which matches minix_fs_sb.h, into esi at 0010:001316e0. That's 0x10 (16).
It then adds the dirsize variable to the dereferenced offset pointer.
It then finds the inode being zeroed at 0010:001316e5 and returns.
It then compares offset to bh->b_size (0x400). Thus CMP b_size(0x400),EAX(10h) at 0010:00131805.
It then compares 0x60 with EAX (0x10) at 0010:00131827.
It notices EAX is below 0x60, thus jumping back to 0010:001317b0.
It restarts the loop, processing the next entry.
It's finding another zeroed inode, thus aborting.
That seems to continue. It only seems to find zeroed inodes?
Edit: The root directory has 6 entries, each being 0x10 bytes long. Looking at the disk image, the bin directory should have 2 in its inode. But the memory-resident version has 0 as its value, thus invalid?
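To make the scan described above (minix_find_entry stepping through 0x10-byte entries and minix_match bailing out on a zeroed inode) easy to reproduce without a kernel and a debugger, here is an added user-space model of the same loop. It is not the kernel's code and not code from this thread; it uses the constants seen in the trace (dirsize 0x10, namelen 0xE, block size 0x400, six root entries for an i_size of 0x60), while every entry name other than "bin", every inode number other than bin's on-disk value of 2, and the parameter that zeroes bin's inode in the in-memory copy are constructed for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants as they appear in the trace above. */
#define MINIX_DIRSIZE    16    /* info->dirsize: 0x10 bytes per entry */
#define MINIX_NAMELEN    14    /* s->namelen: 0xE name bytes per entry */
#define MINIX_BLOCK_SIZE 1024  /* bh->b_size: 0x400 */
#define ROOT_ENTRIES     6     /* root directory entries: i_size = 0x60 */

/* Minix v1 on-disk directory entry: 2-byte inode number, 14-byte name,
 * NUL-padded when shorter than 14. No padding, so sizeof is 16. */
struct minix_dir_entry {
    uint16_t inode;
    char name[MINIX_NAMELEN];
};

/* Model of minix_match(): copy the entry at *offset, advance *offset by
 * dirsize unconditionally (the kernel does this before looking at the
 * entry), then reject unused slots (inode == 0) and name mismatches. */
static int minix_match_demo(size_t len, const char *name,
                            const unsigned char *block, size_t *offset)
{
    struct minix_dir_entry de;

    memcpy(&de, block + *offset, sizeof de);
    *offset += MINIX_DIRSIZE;
    if (de.inode == 0 || len > MINIX_NAMELEN)   /* zeroed inode: give up on this slot */
        return 0;
    if (len == 0)                               /* "" means "." */
        return de.name[0] == '.' && de.name[1] == '\0';
    if (len < MINIX_NAMELEN && de.name[len] != '\0')
        return 0;
    return memcmp(de.name, name, len) == 0;
}

/* Model of the minix_find_entry() loop over one directory block: step
 * through the entries until offset reaches the directory's i_size (0x60
 * for the six-entry root above) and return the matched entry's inode,
 * or 0 if no live entry matched. */
static uint16_t minix_find_entry_demo(const unsigned char *block, size_t i_size,
                                      const char *name, size_t len)
{
    size_t offset = 0;

    if (i_size > MINIX_BLOCK_SIZE)
        i_size = MINIX_BLOCK_SIZE;
    while (offset + MINIX_DIRSIZE <= i_size) {
        size_t entry_at = offset;
        if (minix_match_demo(len, name, block, &offset)) {
            uint16_t ino;
            memcpy(&ino, block + entry_at, sizeof ino);
            return ino;
        }
    }
    return 0;
}

/* Constructed sample root directory: names other than "bin" and inode
 * numbers other than bin's on-disk value of 2 are made up for the demo.
 * bin's inode is a parameter so the situation seen in the trace (the
 * in-memory inode field reading 0) can be reproduced. */
static void build_sample_root(unsigned char *block, uint16_t bin_inode)
{
    static const struct { uint16_t inode; const char *name; } sample[ROOT_ENTRIES] = {
        { 1, "." }, { 1, ".." }, { 2, "bin" },
        { 3, "dev" }, { 4, "etc" }, { 5, "usr" },
    };
    memset(block, 0, MINIX_BLOCK_SIZE);
    for (size_t i = 0; i < ROOT_ENTRIES; i++) {
        struct minix_dir_entry de = { 0 };
        de.inode = strcmp(sample[i].name, "bin") == 0 ? bin_inode : sample[i].inode;
        memcpy(de.name, sample[i].name, strlen(sample[i].name));
        memcpy(block + i * MINIX_DIRSIZE, &de, sizeof de);
    }
}

/* Look a name up in the sample root; returns the inode number, or -ENOENT
 * (-2), the value the trace shows minix_lookup() handing back. */
int lookup_in_sample_root(const char *name, uint16_t bin_inode)
{
    unsigned char block[MINIX_BLOCK_SIZE];
    uint16_t ino;

    build_sample_root(block, bin_inode);
    ino = minix_find_entry_demo(block, ROOT_ENTRIES * MINIX_DIRSIZE, name, strlen(name));
    return ino ? (int)ino : -ENOENT;
}

int main(void)
{
    printf("bin, on-disk inode 2      -> %d\n", lookup_in_sample_root("bin", 2));
    printf("bin, inode zeroed in RAM  -> %d\n", lookup_in_sample_root("bin", 0));
    printf("name not in directory     -> %d\n", lookup_in_sample_root("sh", 2));
    return 0;
}
```

The second call is the case from the trace: the "bin" slot is present and its name bytes are intact, but because the scan tests the inode field before the name, a zeroed inode makes the entry invisible and the lookup falls through to -ENOENT just like a genuinely missing name. A quick check when debugging this sort of failure is to compare the raw 16-byte entry in the buffer cache (bh->b_data at the offset the loop reached) with the same bytes read straight from the disk image; if they differ only in the first two bytes, the problem is in the path from disk to buffer, not in the lookup logic.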