Akhil Mahendra

assembly

Data Types

Char -> Byte

Short -> Word

int/long -> DoubleWord

double/long long -> Quad Word

Long Double -> Double Quad Word

Negative numbers

1’s complement - flip bits 0->1 , 1->0

2’s complement - 1’s complement + 1

Positive Number is between 0x01 - 0x7F

Negative Number is between 0x80 - 0xFF

Architecture CISC and RISC

CISC:-

Eg; Intel

RISC:

More registers , less and fixed instructions

Eg: ARM, PowerPC

Little Endian -> 0x12345678 -> 78,56,34,12 -> Ram , Eg:Intel

Big Endian -> 0x12345678 -> 12,34,56,78 -> Registers

Registers

Register Conventions -1

Register Conventions -2

Register Conventions -3

EFlags

Instructions

  1. NOP
    1. No operation . Just to pad/align byte or to delay time. Used in buffer overflow exploit. ( intel’s example 16 byte )
  2. PUSH
    1. Can be a numeric constant. For instance, push 4 will push 00000004 to the stack.
    2. Can be the value in a register. Eg: push eax; will push the value inside eax
    3. Push instruction automatically decrements the ESP by 4 bytes
  3. POP
    1. Take Dword off the stack
    2. Put in a register
    3. Increment by 4 bytes
  4. CALL
    1. Implicitly modifying EIP
    2. Transfer control to a different function, in a way that it can be resumed where it left off
    3. What’s happening behind when CALL instruction is done
      1. Push the address of the next instruction onto the stack
      2. Then it changes EIP to the address given in the instruction
    4. Destination address can be specified in multiple ways
      1. Absolute address eg : go to 0x00239082
      2. Relative address eg: go to hex 50 bytes passed to the end of the next instruction
  5. RET
    1. Two types
      1. CDECL - POP the top of the stack into EIP
      2. STDL - POP the top of the stack into EIP and add a constant number of bytes to esp. Eg ret 0x20
  6. **MOV **
    1. Can move
      1. Register to register
      2. Memory to register and vice versa
      3. Immediate(constants hard coded to the instruction stream ) to register and vice versa
    2. Never memory to memory
  7. LEA
    1. Load Effective Address
    2. Calculates whatever address inside the ‘[ ]’ and store it back into EAX
  8. ADD
    1. ADD ESP, 8 -> ESP = ESP + 8
  9. SUB
    1. SUB eax, [ebx*2] = takes the value inside ebx, mul 2, treat it as address then eax - the memory content and store it into eax
  10. JMP
    1. Changes the eip to the given address
    2. Main forms of address
      1. Short relative - 1 byte from end of the instruction eg jmp 0x0E forward
      2. Near relative - 4 bytes displacement from the current EIP
      3. Absolute - hardcoded address in the instruction
      4. Absolute indirect - address calculated with r/m32
  11. JCC 21. Jump if condition is met 22. JNE = JNZ because both instructions check for zero flag 23. JZ/JE -> if true go to jmp . If false, falls into the next instruction 24. JLE 25. JGE
  12. CMP
    1. Is performed by subtracting the second operand from the first operand and then setting the status flags
    2. Would not store after subtracting
  13. TEST
    1. Does logical and on operators
    2. Does not store the result
    3. Set the flag
  14. **AND ** 31. Does and operations 32. Eg: And al,bl 33. Destination can r/m32 and source can be r/m32 or register or immidiate 34. Sets flag in the background(all logical operators)
  15. OR
    1. Does or operation
  16. XOR
    1. Does XOR operation
  17. NOT
    1. Does NOT operation
  18. SHL
    1. Shift logical left <<
    2. Can be used to multiply( power of 2)
  19. SHR
    1. Shift logical right »
    2. Can be used to divide number(power of 2)
  20. IMUL
    1. 3 forms
      1. IMUL r/m32 -> edx:eax=eax*r/m32
      2. IMUL reg, r/m32 -> reg = reg*r/m32
      3. IMUL reg. r/m32, immediate -> reg=r/m32 * immediate
  21. DIV
    1. Two forms:
      1. Unsigned divide ax by r/m8,al=quotient, ah =remainder
      2. Unsigned divide EDX:EAX by r/m8 ,eax= quotient ,edx =remainder
  22. REP STOS
    1. Repeat a single instruction multiple times
    2. Specifies the number of time (loop) in ECX
    3. Size should be specified
    4. Then data keeps on writing into eax

Stack

Calling Conventions

General stack frame operation

When a program is executed, first main() reserves space on the stack for it’s local variable. This is done by subtracting ESP in order to make space for local variables. If main() wants to call a subroutine(), main() becomes “the caller”. And performs caller-save register to store those registers if its present. In the next step the parameters are pushed into the stack. Ie: arguments are passed to the callee. When we actually execute the CALL instruction(subroutine()), the saved return address of the next instruction after the CALL instruction will be pushed onto the stack. So that when Callee is done executing the instructions, it can look up the this value and know where to go back.The entire main() stack frame is till this step. EBP always points to the start of the stack frame.

Now the first thing the subroutine() going to do is that it takes the EBP, the pointer which points to the top of the local variables and save it under the stack. So when it’s done and ready to destroy its own stack frame, it takes the stack pointer and put backs to EBP so that it again points to mains frame instead of its own. Then the subroutine() takes any callee-save registers, it will go ahead and save them.Stack frames are a linked list

If subroutine() wants subroutine2(), subroutine has to go through the same steps.

After subroutine() is done, it will clean all parameter, caller-save register, local variables,callee-save registers in sequential order and it takes the saved frame pointer and replace EBP with this value. So that it will point to main() frame. Then all the parameters and local variables in main() will get cleaned.

CPUID

48. CPU feature identification
49. Tells what features your pc currently supports eg: virtualization
50. Doesn’t have operands
51. Before issue cpuid eax should be set
52. After issuing cpuid eax,ebx,ecx,edx are going to be overridden

PUSHFD

53. Push EFlags onto the stack

POPFD

54. POP stack into EFlags

Control Flow

Inline Assembly

Syntax intel

__asm{

Mov eax, [esp + 0x4]

}

Syntax AT&T

asm(“push EBP \n”

“Mov ESP , EBP\n”

);

Compliling

Gcc -o <output> <input>

Gcc -o file file.c

-ggdb ->to add debug symbols

Buffer Overflow