Assembly Module 2.5: Continuing the Fun

Introduction:

In this module we are continuing with the binary from last module.  As a reminder here is the assembly from that module:

   0x080483db:	push   ebp
   0x080483dc:	mov    ebp,esp
   0x080483de:	mov    eax,0x0
   0x080483e3:	pop    ebp
   0x080483e4:	ret

If you did your homework you are familiar with each of the instructions we see above.  Lets put the pieces together and figure out what this program is doing.

Functionality:

Lets go through the instructions line by line:

  • push ebp – Stores the memory address in ebp on the stack.  This is memory address is the base of the calling functions stack frame.
  • mov ebp, esp – Moves the value in esp to ebp.  This is moving the base of the new stack frame to the top of the stack.
  • mov eax, 0x0 – Move the value 0x0 into the eax register.  It turns out that in a simple x86 program we return values in the eax register.  This function is returning 0.
  • pop ebp – Retrieve the value we originally placed on the stack.
  • ret – Return to the calling function.

In this program we set up a new stack frame, but that stack frame is empty because nothing gets placed in it.  We then set the return value to 0 and return to the calling function.  A pretty simple program.  The original source code of this binary is the following C code:

int main(void) {
    return 0;
    }

Looking At Differences:

The binary we end up looking at is heavily dependent on what architecture and language we are using.  To illustrate just how dependent what we see is I’m going to go through some different variation of the binary we used for this module.

64-bit x86 gcc compilation:

   push   rbp
   mov    rbp,rsp
   mov    eax,0x0
   pop    rbp
   ret 

The differences in this simple of a binary are minimal, but you can see that all but one fo the registers are renamed to the 64-bit versions, denoted by the r instead of e first letter.  The addresses are also twice as wide.

32-bit msvc compilation

	push	ebp
	mov	ebp, esp
	xor	eax, eax
	pop	ebp
	ret	0

Here we see that the mov eax, 0x0 has been replaced with xor eax, eax.  These instructions have the same effect on the eax register, which is setting the contained value to zero.  The difference is in how it’s done.  The xor operation is more efficient than using the mov instruction.

32-bit msvc compilation with full optimization

 	xor	eax, eax
	ret	0

When we use full optimization the compiler doesn’t even bother to set the stack up, it just sets the return register to zero and returns to the caller.

ARMv7

       str        fp, [sp, var_4]
       add        fp, sp, #0x0
       mov        r3, #0x0
       mov        r0, r3
       add        sp, fp, #0x0
       pop        fp
       bx         lr

Which is significantly different than using x86 architecture.  As an exercise get the instruction set reference for ARMv7 and learn what each line of the assembly snippet above is doing.

Conclusion:

Now we see the basic construction of a stack frame and a return value in C.  From here we will start building programs with different functionality.  As a review of C we will move through the C programming language and view the programs in assembly.  Becoming familiar with the first chapter of Reverse Engineering for Beginners will aid in recognizing standard constructions by themselves.

Next time we are going to go over some basic math that we are going to need to continue with assembly.  We will cover the binary, octal, and hexadecimal numbering system.  We will also cover bitwise logical operations like xor, and, and or.

 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s