Systems Design & Programming Data Movement Instructions. Intel Assembly



Similar documents
Computer Organization and Assembly Language

The 80x86 Instruction Set

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 20: Stack Frames 7 March 08

Complete 8086 instruction set

64-Bit NASM Notes. Invoking 64-Bit NASM

Buffer Overflows. Security 2011

Intel 8086 architecture

CHAPTER 6 TASK MANAGEMENT

Lecture 7: Machine-Level Programming I: Basics Mohamed Zahran (aka Z)

CS 16: Assembly Language Programming for the IBM PC and Compatibles

Computer Organization and Architecture

Software Fingerprinting for Automated Malicious Code Analysis

IA-32 Intel Architecture Software Developer s Manual

Analysis of Win32.Scream

Phoenix Technologies Ltd.

CS61: Systems Programing and Machine Organization

Off-by-One exploitation tutorial

Assembly Language: Function Calls" Jennifer Rexford!

Abysssec Research. 1) Advisory information. 2) Vulnerable version

Return-oriented programming without returns

Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail

Instruction Set Architecture

Unpacked BCD Arithmetic. BCD (ASCII) Arithmetic. Where and Why is BCD used? From the SQL Server Manual. Packed BCD, ASCII, Unpacked BCD

x64 Cheat Sheet Fall 2015

Chapter 1. Bootstrap. Hardware

Hacking the Preboot execution Environment

Stack Overflows. Mitchell Adair

Faculty of Engineering Student Number:

The IA-32 processor architecture

5. Calling conventions for different C++ compilers and operating systems

A Tiny Guide to Programming in 32-bit x86 Assembly Language

Using the RDTSC Instruction for Performance Monitoring

1. General function and functionality of the malware

About the Tutorial. Audience. Prerequisites. Copyright & Disclaimer

PC Assembly Language. Paul A. Carter

PCI-SIG ENGINEERING CHANGE REQUEST

The x86 PC: Assembly Language, Design, and Interfacing 5 th Edition

CS:APP Chapter 4 Computer Architecture Instruction Set Architecture. CS:APP2e

Overview. CISC Developments. RISC Designs. CISC Designs. VAX: Addressing Modes. Digital VAX

Understanding a Simple Operating System

Writing an 8086 emulator in Python

Assembly Language Tutorial

ASSEMBLY PROGRAMMING ON A VIRTUAL COMPUTER

X86-64 Architecture Guide

Windows XP SP3 Registry Handling Buffer Overflow

8. MACROS, Modules, and Mouse

High-speed image processing algorithms using MMX hardware

Machine Programming II: Instruc8ons

Embedded x86 Programming: Protected Mode

Fighting malware on your own

PCI BIOS SPECIFICATION. Revision 2.1

Intel Vanderpool Technology for IA-32 Processors (VT-x) Preliminary Specification

TitanMist: Your First Step to Reversing Nirvana TitanMist. mist.reversinglabs.com

Computer Architectures

INTRODUCTION TO MALWARE & MALWARE ANALYSIS

Administration. Instruction scheduling. Modern processors. Examples. Simplified architecture model. CS 412 Introduction to Compilers

How To Use A Computer With A Screen On It (For A Powerbook)

Machine-Level Programming II: Arithmetic & Control

Overview of IA-32 assembly programming. Lars Ailo Bongo University of Tromsø

Attacks on Virtual Machine Emulators

WLSI Windows Local Shellcode Injection. Cesar Cerrudo Argeniss (

CPU performance monitoring using the Time-Stamp Counter register

REpsych. : psycholigical warfare in reverse engineering. def con 2015 // domas

TECHNICAL BULLETIN [ 1 / 5 ]

Attacking x86 Windows Binaries by Jump Oriented Programming

Lecture 27 C and Assembly

BCD (ASCII) Arithmetic. Where and Why is BCD used? Packed BCD, ASCII, Unpacked BCD. BCD Adjustment Instructions AAA. Example

Computer Organization and Components

Introduction. Figure 1 Schema of DarunGrim2

Using Debug 1 INTRODUCING DEBUG

Instruction Set Architecture (ISA)

How To Hack The Steam Voip On Pc Orchesterian Moonstone 2.5 (Windows) On Pc/Robert Kruber (Windows 2) On Linux (Windows 3.5) On A Pc

W4118 Operating Systems. Junfeng Yang

Under The Hood: The System Call

TODAY, FEW PROGRAMMERS USE ASSEMBLY LANGUAGE. Higher-level languages such

Windows Assembly Programming Tutorial

esrever gnireenigne tfosorcim seiranib

Heap-based Buffer Overflow Vulnerability in Adobe Flash Player

For a 64-bit system. I - Presentation Of The Shellcode

Storage Classes CS 110B - Rule Storage Classes Page 18-1 \handouts\storclas

MICROPROCESSOR. Exclusive for IACE Students iacehyd.blogspot.in Ph: /422 Page 1

l C-Programming l A real computer language l Data Representation l Everything goes down to bits and bytes l Machine representation Language

Compiler Construction

Outline. Lecture 3. Basics. Logical vs. physical memory physical memory. x86 byte ordering

Using MMX Instructions to Convert RGB To YUV Color Conversion

Test Driven Development in Assembler a little story about growing software from nothing

Advanced Computer Architecture-CS501. Computer Systems Design and Architecture 2.1, 2.2, 3.2

612 CHAPTER 11 PROCESSOR FAMILIES (Corrisponde al cap Famiglie di processori) PROBLEMS

W4118 Operating Systems. Instructor: Junfeng Yang

Bypassing Windows Hardware-enforced Data Execution Prevention

MICROPROCESSOR BCA IV Sem MULTIPLE CHOICE QUESTIONS

Removing Sentinel SuperPro dongle from Applications and details on dongle way of cracking Shub-Nigurrath of ARTeam Version 1.

TIn 1: Lecture 3: Lernziele. Lecture 3 The Belly of the Architect. Basic internal components of the Pointers and data storage in memory

Performance monitoring with Intel Architecture

5.14. EXCEPTION AND INTERRUPT REFERENCE

Introduction to Reverse Engineering

The Beast is Resting in Your Memory On Return-Oriented Programming Attacks and Mitigation Techniques To appear at USENIX Security & BlackHat USA, 2014

Packers Models. simple. malware. advanced. allocation. decryption. decompression. engine loading. integrity check. DRM Management

Transcription:

Intel Assembly Data Movement Instruction: mov (covered already) push, pop lea (mov and offset) lds, les, lfs, lgs, lss movs, lods, stos ins, outs xchg, xlat lahf, sahf (not covered) in, out movsx, movzx bswap cmov 1

Stack Instructions There are six forms of the push and pop instructions. Register, memory (memory-to-memory copy), immediate, segment register, flags, and all registers push: The source of the data may be: Any 16- or 32-bit register, immediate data, any segment register, any word or doubleword of memory data pop: pushad pushes eax, ecx, edx, ebx, esp, ebp, edi and esi where the value of esp saved on the stack is its value before the pushad. The source of the data may be: Any 16- or 32-bit register, any segment register (except for cs), any word or doubleword of memory data. 2

Stack Instructions push: eax ebx ecx edx F F F F 6 A B 3 push eax Stack Seg esp ebp 0 0 0 0 0 7 F E FFFF6AB3 edi esi cs ds es ss 0 0 1 0 Seg Base Trans. + Paging AH AL esp = esp-4 is performed before the PUSH 000007FA is the new value 3

Address Loading Instructions Load-Effective Address. lea: Loads any 32-bit register with the address of the data, as determined by the instruction addressing mode. lds and les: Load a 32-bit offset address and then ds or es from a 48-bit memory location. lfs, lgs and lss (80386 and up): Load any 32-bit offset address and then fs, gs or ss from a 48-bit memory location. lea eax,[ebx+ecx*4+100] lds edi, LIST lfs esi, DATA1 ;Loads eax with computed address. ;Loads edi and ds. ;Loads esi and fs. NOTE: lea calculates the ADDRESS given by the right arg and stores it in the left arg! 4

Address Loading Instructions Load-Effective Address. lea versus mov: lea ebx, [edi] mov ebx, [edi] mov ebx, edi ;Load the contents of edi into ebx. ;Load the value at edi into ebx. ;Move the contents of edi into ebx. (1) (2) (3) 1 and 3 are equivalent. So what are the differences? 3 is faster than 1 and is preferred. However, mov only works with single args and cannot be used with LIST[edi]. lea can take any address, e.g., lea esi, [ebx + edi]. 5

String Operations movs, lods, stos, ins, outs Allow data transfers of a byte, a word or a double word, or if repeated, a block of each of these. The D flag-bit (direction), esi and edi are implicitly used. D = 0: Auto increment edi and esi. Use cld instruction to clear this flag. D = 1: Auto decrement edi and esi. Use std instruction to set it. edi: Accesses data in the extra segment. Can NOT override. esi: Accesses data in the data segment. Can be overridden with segment override prefix. 6

String Operations lods: Loads al, ax or eax with data stored at the data segment (or extra segment) + offset given by esi. esi is incremented or decremented afterwards: lodsb lodsd es lodsb DATA1 ;al=ds:[esi]; esi=esi+/-1 ;eax=ds:[esi]; esi=esi+/-4 ;Override ds. stosb: Stores al, ax or eax to the extra segment (es) + offset given by edi. es cannot be overridden. edi is incremented or decremented afterwards: stosb stosd ;es:[edi]=al; edi=edi+/-1 ;es:[edi]=eax; edi=edi+/-4 7

String Operations rep prefix: Executes the instruction ecx times. mov edi, 0 ;Offset 0. mov ecx, 25*80 ;Load count. mov eax, 0720H ;Load value to write. rep stosw NOTE: rep does not make sense with the lodsb instruction. movs: Moves a byte, word or doubleword from data segment and offset esi to extra segment and offset edi. Increments/decrements both edi and esi: movsb movsd ;es:[edi]=ds:[esi]; edi+/-=1; esi+/-=1 ;es:[edi]=ds:[esi]; edi+/-=4; esi+/-=4 8

String Operations and Exchange ins/outs: Transfers a byte, word or doubleword of data from/to an I/O device into/out of the extra/data segment + offset edi/esi, respectively. The I/O address is stored in the edx register. insb insd insw outsb ;es:[edi]=[edx]; edi+/-=1 ;es:[edi]=[edx]; edi+/-=4 ;es:[edi]=[edx]; edi+/-=2; esi+/-=2 ;[edx]=ds:[esi]; esi=esi+/-1 xchg: Exchanges the contents of a register with the contents of any other register or memory location. It can NOT exchange segment registers or memory-to-memory data. Byte, word and doublewords can be exchanged using any addressing mode (except immediate, of course). xchg edx, esi ;Exchange edx and esi 9

Miscellaneous Data Transfer Operations movsx and movzx (80386 and up only): Move-and-sign-extend and Move-and-zero-extend: movsx cx, bl movzx eax, DATA2 ;Sign-extends bl into cx ;Zero extends word at DATA2 in eax. bswap (80486 and up only): Swaps the first byte with the forth, and the second byte with the third. Used to convert between little endian and big endian: eax bswap eax 0 0 1 1 2 2 3 3 3 3 2 2 1 1 0 0 cmov (Pentium and up only): These instructions move data only if a condition is true. Conditions are set by a previous instruction and include Carry, Zero, Sign, Overflow and Parity: cmovz eax, ebx ;Move if Zero flag is set else do nothing. There are many variations of this instruction (see intel instructions doc or text). 10

Assembler Directives Segment Override Prefix: Allows the programmer to override the default segment. es outsb es cmpsb Procedure Calls push args... call procedure_name add esp, # ;Push the arguments on stack. ;Call the procedure ;Restore the stack pointer. 11