Assembly

Assembly is currently in-progress. You are viewing an entry that is unfinished.

This article needs immediate attention, and is in desperate need of more content and some content removal (E.g. programming for call and ret - hatter will do this if someone thinks an entire program is needed and cannot figure out any other way to explain it). There should be zero full assembly programs on this page.

Introduction

• Assembler

An assembler is a program that compiles relatively human-readable operations into instructions that can be directly interpreted by the processor. Assembly Language can be seen as a "mnemonic" for machine instructions - it consists of words that are easier for humans to remember than machine language instructions - for example, "int" for the interrupt operation rather than "0xcd". The assembler produces compiled "objects", translating these mnemonics into machine code - also known as opcodes or as "binary code" in popular culture. By convention, many assembly programmers use the .s extension for assembly code and the .o extension for compiled objects.

On Linux platforms, 'as' is the standard assembler.

• Linker

A linker is a program that combines the compiled assembly objects into a binary. 'ld' is the standard linker on Linux platforms.

The way in which assembly code is assembled and linked is similar to the way in which higher-level compilers operate. Compilers such as GCC are often simply wrappers for an assembler and a linker that perform both functions dynamically. GCC assembles code into a number of object files based on the rules of the C programming language, then links them into a flat binary of the opcode sequences created at the assembly stage - this flat binary is encoded according to the executable format of the Operating System, which is why the same code will need to be recompiled for different operating systems in order for it to run cross-platform. At runtime, this binary interacts with ram and hardware gates on the CPU according to the rules that the Operating System and CPU architecture follow, performing the desired function of the program.

Binary

Main article: Bitwise Math

• counting
• endianness
• nybble - An uncommon unit of memory equivalent to 4 bits.
• byte - A byte is a unit of memory equivalent to 8 bits.
• word - 2 bytes
• dword - 4 bytes, also called a long
• qword - 8 bytes

make a note of the other naming convention, which is:

byte
hword = 2 bytes
word = 4 bytes
dword = 8 bytes

Number handling

Main article: Bitwise Math#Two's Complement

Two's complement is the mathematics principle behind the computer's ability to track positive and negative numbers.

• signed - Signed values are required to represent negative numbers. Most languages by default assume values are signed. The range of numbers it can assign extends from -1 downwards, depending on the data type. The method by which signed values are handled is known as two's complement. For a value signed with two's complement, the maximum number of possible permutations of the space allocated for the value are divided in two, and the higher value half is used to represent negative numbers. For example, with a signed byte, 00000000 is equal to 0, 00000001 is equal to 1 as would be expected. However, in addition 1111111 is equal to -1, 11111110 is equal to -2, and so on until it reaches the halfway point, which is the highest positive value.

• unsigned - Despite not being able to assign negative numbers, unsigned values are particularly advantageous for positive ranges. The memory that would have been assigned to the negative range is instead added to the positive range (twice as many positive numbers). Unsigned numbers work exactly as would be expected when counting - 0001 is one, 0010 is 2, 0011 is 3 and so on until the all the bits are filled, which is the maximum number that can be represented with that many bits. For example, since a 2 bits have 4 possible permutations - 00, 01, 10 and 11 - it would be possible to count from 0 to 3 with 2 bits. The key feature is that they can only represent 0 and positive numbers.

For example: the C datatype short int denotes an integer stored in 2 bytes The unsigned short int is able to represent numbers between 0 and 65,535. The signed short int, on the other hand, is able to represent numbers between -32,768 and 32,767.

Data storage

Register

A location where memory can be stored temporarily. A register has the bit-width of a cpu's bit description. So for 32 bit systems, a register is 32 bits (4 bytes or a doubleword, also called long) whereas on a 64 bit system a register is 64 bits in length (8 bytes or a qword).

A register is a location where memory can be stored temporarily. It can be considered to be a sort of basic variable, which can hold any value that the processor stores in it. The difference between registers and the variables of higher-level programming languages is twofold: firstly, registers are limited in size. The reigsters of a processer will have the bit width of the cpu's bit description - 32-bit processors have 32-bit (4-byte) registers, whereas 64-bit systems have a 64-bit (8 byte) register.

The other difference is that registers have both a limited number and in many cases a specific purpose. Registers cannot be defined at the whim of the programmer because unlike variables, a register is not simply a region of allocated memory. They occupy physical space and have a limited number. Some registers are open to use by programs and are "general purpose registers" - they can be loaded with any information and are often used by the operating system to hold arguments to function calls. Other registers such as the instruction pointer, which holds the address of the next instruction that is being executed, are reserved for cpu function.

Pointer

A pointer is simply a hexadecimal four-byte address that points to another location in memory. Pointers have many uses within programming, namely that it is easier to work with a 4-byte pointer to some data than to have to copy and recopy the data each time it is referenced. One area in which pointers are used is the instruction pointer register, which contains a pointer to the next instruction to be executed.

Sub-Register

A subregister is a portion of a register that is always divisible by a whole byte in size. They are often used where an entire 4 bytes (or 8 bytes) is not necessary to complete an operation. One area in which sub-registers are used is in writing Shellcode which is intended to be injected into a string - subregisters are used to avoid the inclusion of null-bytes, which are interpreted by most systems as the string terminator.

CPU Flag Registers

A flag register is a collection of bits used by a processor to indicate various on-off states of different conditions. Each bit corresponds to its own flag, which can be set to etiher on or off by instructions, and can be referenced by a program (or manually set/unset by a program) in order to make decisions based on the result of an operation.

For example:

• PF - the parity flag.

This indicates whether the number of bits of the previous result is even or odd.

• ZF - the zero flag.

This indicates, when set, that the result of the previous operation was zero.

• CF - the carry flag.

This indicates, when set, that bit rotation across datasets larger than the cpu register's bit-width will be successful. Without this, data will be rotated in increments of the bit-width of a register for the cpu of the given architecture.

Architecture-specific Registers and Sub-Registers

x86

32 bit general purpose registers

• eax

eax is part of a family of several general purpose registers. The other members of this family are ebx, ecx and edx. The general purpose registers are used for general operations, serving as temporary storage for data used by the program. Many functions also use the general purpose registers to hold arguments - for example, on Linux, the kernel interrupt stores the interrupt code in eax, and any additional arguments in ebx, ecx and so on.

As can be seen from the diagram above, eax is split into several sub-registers. The least significant 2 bytes of eax forms another subregister called ax. This in turn, is split into 2 one-byte sub-registers. The most significant byte of ax is ah, while the least significant byte is al.

• ebx

• ecx

• edx

• esx

• esi

• edi

• eip

• esp

• ebp

64 bit general purpose

• rax

rax is the 64-bit equivalent of eax. Being a 64-bit register, it is 8 bytes rather than 4 but apart from this it can be treated as a normal register. The relationships that apply to eax still apply to rax - there are other 64-bit registers in the form of rbx, rcx and rdx. Keep in mind that in ATT syntax, q is the operation suffix for working with 64-bit operands.

• rbx
• rcx
• rdx
• rsi
• rdi
• rbp
• rsp
• rip

•  %r8
•  %r9
•  %r10
•  %r11
•  %r12
•  %r13
•  %r14
•  %r15

mmx

sse

Memory Addressing

Stack Pointer

Commonly known as the ESP register in x86 Assembly, the stack pointer is a register that contains the location of the top of the stack. Every time a push instruction is used to add data to the top of the stack, the number of bytes added is subtracted from esp (remember, the stack grows downards) so that it points to the new top of the stack. Likewise, esp is added to when data is popped from the stack.

Instruction Pointer

Commonly known as the EIP register in x86 Assembly, the instruction pointer is a register that holds the address to the next instuction. When a return instruction is executed, the instruction pointer derives its address from the return address, which exists on the stack. Likewise, when the call instruction is used to transfer execution to a function, the current value of eip (which holds the address of the instruction after the call function) is pushed to the stack so that there is a return address to pop when the return instruction executes and execution resumes from the main thread.

The instruction pointer is very useful in executing Shellcode within overflows - if eip is hijacked, the execution of the program can be arbitrarily controlled.

Base Pointer

Commonly known as the EBP register in 32 bit x86 Assembly, the base pointer is generally used to find local variables and parameters on the stack. It is often used during function calls to "save" the position that esp pointed to when the function was called, so that additional space can be used on the stack without losing it's place.

Addressing Modes

When writing assembly code there are different ways of referencing the value being worked with. These are referred to as addressing modes.

• Direct Addressing

Direct addressing references the memory address of a given location. An example of this would be referring to data stored in a variable.

• Immediate Addressing

Immediate addressing references an actual numerical value, be it "1", "2", or "0x80".

• Indirect Addressing

References the value that a memory address points to. For example, in order to read the return address from the top of the stack:

As discussed below, indirect addressing can be offset using scalar multipliers.

• Indexed Addressing

Uses an index to reference data according to a specific rule. In its most complex form, it can be used to reference the nth n-bute segment of n.

For example:

This references the 4th segment of string_1, where 1 segment is 2 bytes long.

Scalar Multipliers

A scalar multiplier is used to reference memory based on an offset to a pointer. For example, using indexed addressing, the instruction that eip points to with can be referenced(%eip). However, to reference the data stored 4 bytes after eip, 4(%eip) would be used. Likewise, data could be referenced 4 bytes before the instruction that eip point to with -4(%eip).

Instructions

Syntaxes

Primarily two syntaxes of assembly have been the most prominent to date. Intel assembly syntax is traditionally used for Microsoft Windows environments, whereas AT&T System V syntax is generally used on Linux and Unix machines.

Intel Syntax (dest, src)

Generally, in intel syntax, all instructions are applied to destination, source operands. For example, to move 8 into the eax register:

mov eax, 8h

ATT Syntax (src, dest)

Generally, in ATR syntax, all instructions are applied to source, destination operands. For example, to move 8 into the eax register:

movl $8, %eax

Within ATT syntax, many operations can be appended with a single letter to indicate what kind of data the operation is being performed upon. For example:

• movq operates on 8 byte qwords
• movl operates on 4 byte dwords
• movw operates on 2 byte words
• movb operates on single bytes

As a result of this, movl is usually used for 32-bit registers, whereas movq is usually used for 64-bit registers.

Data manipulation basic primitives

mov

The mov instruction, which is a mnemonic for "move", copies some data from one location in memory to another. For example, to put the value 8 into the eax register in ATT syntax:

movl $8, %eax

Or, using smaller increments:

movw $0x1212, %ax

movb $0x1, %al

And with a larger increment:

movq $0xx1212121212121212, %rax

Note that we are using the movl variant of the mov instruction because we are working with a 4-byte register.

push

The push instruction takes a single operand and pushes some data onto the top of the stack. It creates as much room as the data will take up at the top of the stack, copies the data into the newly created space, and adjust the esp register to point to the new top of the stack.

An example of the use of the push instruction:

pushw %dx

pop

The pop instruction takes a single operand and performs the reverse of the push - it takes data from the top of the stack and 'pops' it into the register provided, while adjusting %esp so that it points to a lower point in the stack, effectively erasing the data from the top.

An example of the use of the pop instruction:

pushq %rax

pushl %eax

Basic arithmetic

add

The add operation adds two values together, depositing the result in a register (which is one of the operands). Which register the result is deposited in depends on the assembly syntax being used.

For example, ATT syntax uses the (src, dest) format. As such, take the following code:

addq %rax, %rbx

addl %eax, %ebx

addw %ax, %bx

addb %al, %bl

This code would add eax and ebx together and store the result in ebx.

sub

Following the same rules that the add operation does, when the sub operation is called the source operand is subtracted from the destination operand, the result being stored in the destination operand.

As such:

subq %rax, %rbx

subl %eax, %ebx

subw %ax, %bx

subb %al, %bl

As this is in ATT syntax, %eax is the source operand and %ebx is the destination operand. So %eax is subtracted from %ebx and the result is stored in %ebx.

div

The div operation divides the source by the destination and stores the result in the destination.

divq %rax, %rbx

divl %eax, %ebx

divw %ax, %bx

divb %al, %bl

The preceding code would divide eax by ebx and store the result in ebx.

• mul

The mul operation multiples the source and destination, storing the product in the destination.

mulq %rax, %rbx

mull %eax, %ebx

mulw %ax, %bx

mulb %al, %bl

The preceding code would multiply eax and ebx and store the result in ebx.

Bitwise mathematics operators

Main article: Bitwise Math

These instructions perform bitwise operations on the data they are given on a bit-by-bit basis.

and

This instruction performs the AND bitwise operation on two operands, returning a set bit for each instances where the source and destination are either both set or both unset, and an unset bit otherwise.

not

This instruction performs the NOT bitwise operation on a single operand, inverting each bit - each unset bit becomes a set bit, and each set bit becomes an unset bit.

or

This instruction performs the OR bitwise operation on two operands - it returns a set bit in each instance in which either one or the other or both bits at a given position are set.

xor

This instruction performs the XOR bitwise operation on two operands - it returns a set bit if the compared bits are different, and an unset bit if the compared bits are the same.

Because anything xor'd with itself is 0, the xor instruction is used in Shellcode to zero out a register without introducing any null bytes to the code:

xorl %eax, %eax

Shifts and rotations

Shifts

In a shift, the bits of some data are literally shifted either towards the left or the right. To use the example of a string in C:

"string"

shifted to the left becomes:

"tring\0"

For the binary string:

"1010110"

A right shift will produce the following result:

"101011"

Note that the least significant (rightmost) bit has been "shifted out" of the binary string.

shl

Takes two operands and shifts each bit to the left by the number of bits specified.

For example, if eax contains a pointer to the string "things\0",

shl $0x8, (%eax)

This would shift the string 8 bits - 1 byte - to the left. Because 1 character is equal to 1 byte, this shift would mean that eax now points to "hings\0".

shr

Takes two operands and shifts each bit to the right by the number of bits specified..

Binary is a base-2 system. Because of this, a left shift has the effect of multiplying a binary value by 2, while a right shift has the effect of dividing a binary value by 2.

If eax contains a pointer to the string "things\0",

shr $0x8, (%eax)

This time, the operation would shift the string 8 bits - 1 byte - to the right. This shift would mean that eax now points to "things" with no null byte.

Rotates

A rotate is similar to a shift, the difference being that instead of the shifted digit "disappearing", the bit shifted out is replaced on the other end.

For example:

"1010110"

If we apply a left rotate:

"0101101"

Note that the 1 that was previously the most significant (leftmost) bit has been shifted out and is now the least significant (rightmost) bit.

rol

Takes two operands and performs a left rotate upon it by the number of bits specified.

If eax contains a pointer to the string "things\0",

rol $0x8, (%eax)

This would perform a rotate by 8 bits on the string to the left, meaning that eax would now point to "hings\0t" - the first character (which occupies 8 bits) has been rotated to the end of the string.

ror

Takes two operands and performs a right rotate upon it by the number of bits specified.

If eax contains a pointer to the string "things\0",

ror $0x8, (%eax)

This would perform a rotate by 8 bits on the string, meaning that eax would now point to "\0things".

Control flow operators

cmp

A vital instruction for decision-making, the cmp instruction simply compares two operands that are passed to it and stores the result in the eflags register. After this, a jmp instruction can be used to move execution to various parts of the program depending on the result of this comparison.

jmp

The jmp instruction is tied closely to the cmp instruction. It has several incarnations - jmp, je, jne, jg and jl. In each case, the jump instruction accepts a single operand - the symbol or memory address to be jumped to. If jmp is used, it will jump to this symbol regardless of the result of the comparison stored in eflags. If je is used, it will jump to the symbol provided only if the two values compared were equal. Inversely, jne will only jump if the two operands were inequal. The jg instruction jumps only if the destination operand was greater than the source operand (in ATT syntax, this means that the second operand was greater than the first), while the jl instruction jumps only if the destination operand was less than the source operand.

An example of using cmp and jmp in ATT syntax:

 
cmpl $5, %ebx
jne _start
 

Another example, determining whether two subregisters are equal and executing some code if they are:

 
cmpb %al, %bl
je if_equal
 

call

As discussed previously, the call instruction transfers execution to a symbol that has been defined as a function. In order to do this, it pushes the current value of eip - which is a pointer to the instruction after the function call - onto the stack, "saving" the return address. It then alters the value of eip so that it points to the first instruction of the function being called. From that point, it is the function's responsibility to ensure that it transfers execution back to the return address once the function has completed.

ret

The counterpart to call, the ret instruction is used at the end of a function to return to the main program. Before ret can be called, it is important that the return address - which should have been pushed onto the stack by call - is at the top of the stack. If this is the case, then ret simply pops the return address back into eip so that the program can continue on its way after the function has completed execution.

Taking it further

• kernel interrupt
• architecture - i386, i686, x86_64
• operating system