cs basics 5) programming in assembly language - · pdf filecs basics 5) programming in...

CS Basics5) Programming inAssembly Language

Emmanuel BenoistFall Term 2016-17

Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 1

Programming in Assembly Language� Minimal Program

� Move

� FlagsIncrement and decrementConditional jumps

� Signed Values

� Structure of a program

� The Stack

� InterruptsSoftware InterruptsHardware Interrupt

� System call 64-bit

� Conclusion


Minimal Program


Minimal Program

For studying functionalities we need a “sandbox”To play withThat do not do anything importantThat we can totaly destruct and rebuild

SolutionA program with no instruction, where we will try new featuresOnly one thing is obligatory: a start point


Assembly Language Sandbox

sandbox.asm

section .data

section .text

global _start

_start:

nop ; Put your experiments between the two ↘

→nops...


→nops...

Attention:This program does not terminate properly, it is just for testingpurpose inside a debugger,Terminate the program manualy otherwise it will generate acore dump


Move


The MOV instruction

Moves data from one location to anotherSyntaxmov destination, source

Is the most used commandMove information from register to memoryfrom memory to registerfrom register to registerBut NOT form memory to memory

Examples

mov RAX, 42


Immediate Data

Immediate addressingThe data is built right into the machin instruction itselfIt is neither in a register, nor in a data itemIntruction is in the instruction

mov RAX, 42

mov RBX, ’Hello’

mov RCX, 0ABCDh

Hello is stored in reverse orderBecause of “little endian”

Size must be compatiblecl is a 8-bit register 067EFh is 16 bits

mov cl, 067EFh ; Instruction is not accepted by↘

→ NASM


Move Register Data

Register AddressingName the register to work with

mov EBP, ESI ; 32-bit

mov BL, CH ; 8-bit

add DX, AX ; 16-bit

add ECX, EDX ; 32-bit

add RAX, RBX ; 64-bit

ADD instructionAdds the source and the destinationThe sum replaces whatever is in the destination


Example

Test the following in a debugger

mov ax,067FEh

mov bx, ax

mov cl,bh

mov ch,bl

Set the breakpoint on the first instructionSingle-step through the instructionswatch carefullyHalve registers (8-bit) are used for accessing RCX


Memory Data

Is stored in the memory “owned” by the programCan be access using general purpose registers

;; Move to and from memory

mov rbx, Snippet ;the address of the string ↘

→in memory

mov rcx, 3 ; the offset in the string

mov ax, [rbx] ; Move 16 bits

mov rax, [rbx+3] ; Move 64 bits

mov eax, [rbx+rcx] ; Move 32 bits

The [] operatorAccesses the memory at the address inside the brackets[ebx] referes to memory whose address is stored in ebx

[ebx+3] the memory whose address is the value of ebx plus 3[ebx+ecx] the memory whose address is the sum of thevalues of ebx and ecx


Memory Data (Cont.)

Size copiedThe size of data copied from the memory depends on the sizeof the registerax is 16-biteax is 32-bitrax is 64-bit


Confusing Data and its AddressLabel are addresses

EatMsg is the address of the string[EatMsg] is the content of the addressFor a 32-bit register, we transfer 4 bytesFor a 64-bit register, we transfer 8 bytes

section .data

EatMsg db "Eat at Joe’s"

section .text

global _start

_start:


→nops

mov rcx, EatMsg ; copy the address

mov rdx, [EatMsg] ; Copy 64 first bits of the↘

→ message


→nops


Flags


Flags

The EFLAG register contains 32 bits:each one could be a flagContains 18 FlagsWe present the most usefull onesMost of the flags represent a “result” of some kind

OF: Overflow FlagWhen an arithmetic operation on a signed integer quantitybecomes too largeIs generally used as a “carry” flag in signed arithmetic

DF: Direction FlagIt tells the CPU something you wantTells the direction you want for string instructionIf DF = 1 string instructions proceed from high memorytoward low memoryif DF=0 string instructions proceed from low memory towardhigh memory.


Flags (Cont.)

IF: Interrupt enable flagThe CPU can set itYou can set it using STI (set IF) and CLI (clear IF)When IF is set, interrupts are enabled and may occur whenrequestedWhen IF is cleared interrupts are ignored

TF: Trap Flagallows debuggers to manage single-steppingit forces the CPU to execute only a single instruction

SF: Sign Flagbecomes set, when the result of an operation forces theoperand to become negativemeans: the first bit becomes 1 during the operation


Flags (Cont.)

ZF: Zero Flagis set when the result of an operation becomes zero.

PF: Parity FlagFamiliar with serial data communicationIndicates if the number of ones in the low-order byte is even orodd

CF: Carry Flagis used in unsigned arithmetic operationsif the result “carries out” a bit from the operand


Increment and decrement


Increment and decrementINC: Increment

Adds one to its operand

DEC: decrementSubstract one from its operand

Example

mov eax, 0FFFFFFFFh

mov ebx, 02Dh

dec ebx

inc eax

ebx becomes 2Cheax becomes 0Carry Flag is not affected by INC

The last instruction changes FlagsPF (parity), AF (Auxillary), ZF (zero), IF (interrupt) are set


Conditional jumps


Conditional jumps

Most of the flags have a conditional jumpJNZ : Jump if not zeroIf ZF is clear, nothing is doneIf ZF is set, execution travels to a new destination

Example: First loop

;; A first loop

mov eax, 5

DoMore: dec eax

jnz DoMore

As long as eax is not zero, loops to DoMore


Kangaroo

Kangaroo.asm

section .data

Snippet db "KANGAROO"

section .text

global _start

_start:

nop

; Put your experiments between the two nops...

mov ebx,Snippet

mov eax,8

DoMore: add byte [ebx],32

inc ebx

dec eax

jnz DoMore

; Put your experiments between the two nops...

nop


Kangaroo (Cont.)

The string “KANGAROO” is stored in memoryIt receives a label Snippet

eax is a counter that is decrementedebx is incremented from the Snippet label, to the end of thestring

Letters are changed to lowercaseOne substracts 32 to all the lettersWe can check in the memory


Signed Values


Signed Valuesx86 architecture uses two’s complement for signedvalues

-42 is denoted in a 8 bit register 256-42on a 32-bit registers 100000000H-42on a 64-bit register 10000000000000000H -42

Let us try the following code

mov eax, 5

DoMore: dec eax

jmp DoMore

Jump is inconditional (it is always done)

Eax becomes

0FFFFFFFFh (-1)

0FFFFFFFEh (-2)

0FFFFFFFDh (-3)

0FFFFFFFCh (-3)


NEG instruction

NEG generates a negative numberTransforms a positive number into a negative one.

Example

;; We generate a negative number

mov eax, 42

neg eax

add eax, 42

We increment the last positive number and get anegative one

;; we increment the last positive number

;; changes SF (sign flag)

mov ebx, 07FFFFFFFh

inc ebx ; sets the CF PF AF SF OF


Move signed numbers

Moving signed numbersMOV does not work if the size changesThe number is copied as a numberThe new number is not a valid negative number

Solution: MOVSX Move with Sign eXtension

mov ax, -42

mov ebx, eax ; value is not -42

mov ax, -42

movsx ebx, ax ; value remains -42


Multiplication

MUL and DIV handle unsigned calculationMUL multiplies two operandsBut the result is larger than the operandif operands are 64-bit, result can be 128-bitneed two registers for the result

IMUL and IDIV handle signed calculationPretty much the same functionality with signed numbers


MUL implicit operands

Explicit operandOne factor

Implicit operandOne factor (AL, AX, EAX, RAX depending on the size of theexplicit operand)Product (AX, DX and AX, EDX (high order bytes) and EAX(low order bytes), RDX and RAX respectively)

Example

mov eax, 447

mov ebx, 1739

mul ebx ;values in eax and edx are set

mov eax, 56

mov ebx, 67

neg ebx

imul ebx


Structure of a program


Structure

Initial comment blockAuthor, date, version, description

Data sectionContains all initialized dataData must have a valueSimilar to constants

BSS sectionContains unitialized dataJust placeholdersPlace will be reserved in the memory

Text sessionContains the codeneed a global label start to be executed


Example; Executable name : EATSYSCALL; Version : 1.0; Created date : 1/7/2009; Last update : 2/18/2009; Author : Jeff Duntemann; Description : A simple program in assembly for Linux, using NASM 2.05,; demonstrating the use of Linux INT 80H syscalls to display text.;; Build using these commands:; nasm −f elf −g −F stabs eatsyscall.asm; ld −o eatsyscall eatsyscall.o;SECTION .data ; Section containing initialised data

EatMsg: db ”Eat at Joe’s!”,10EatLen: equ $−EatMsg

SECTION .bss ; Section containing uninitialized data

SECTION .text ; Section containing codeglobal start ; Linker needs this to find the entry point!start:

nop ; This no−op keeps gdb happy...mov eax,4 ; Specify sys write callmov ebx,1 ; Specify File Descriptor 1: Standard Outputmov ecx,EatMsg ; Pass offset of the messagemov edx,EatLen ; Pass the length of the messageint 80H ; Make kernel callMOV eax,1 ; Code for Exit Syscallmov ebx,0 ; Return a code of zeroint 80H ; Make kernel call


The .text Section

Labelsmust begin with a letter or an underscoremust be followed by a semicolon when they are definedare case sensitiveAre used as targets for jumpslabel start must be present and declared global in anyLinux program


Variables

For initialized DataIn the Data sectiondata definition directive

Example

MyByte db 07h ; 8 bits in size

MyWord dw 0FFFFh : 16 bits in size

MyDouble dd 0B8000000h ; 32 bits in size

MyQuad dq 0B800000011000000h ; 64 bits


String Variables

Example

eatMsg: db "Eat at Joes’s!",10

Is a label (address) of information in memoryContains bytes (db)

Strings can be concatenated”Eat at Joes’s!”,10End of Line, EOL (0Ah / 10), is added at the end of the string

TwoLineMsg: db "Eat at Joe’s ...",10,"... Ten ↘

→million flies can’t ALL be wrong!",10

When displayed, produces two lines

Eat at Joe’s ...

... Ten million flies can’t ALL be wrong!


Derive String Length

Interesting:

EatLen: equ $-EatMsg

EQU stands for equateAssociate a value with a labelLike a named constant

FieldWidth equ 10

The following two lines are equal

mov eax,10

mov eax, FieldWidth


Derive String length (Cont.)

We need length of the stringWe could hard code it

EatMsg db "Eat at Joe’s!",10

EatLen equ 14

But what appens if we change the stringWe have to change the length : VERY error prone

Use the ”here” token: the $ signmarks the spot where NASM is in the intermediate file$ and EatMsg are both ”locations” (addresses in memory)One can compute the difference: where do the string start andfinishes

EatMsg: db "Eat at Joe’s!",10

EatLen: equ $-EatMsg


The Stack


The Stack

Is used to store information temporarlyStore the status of a program while doing something else

LIFOLast In - First Out

Push : add on top of the stack

Pop: remove from the top of the stack

Pez DispenserThe new candy are eaten firstThe old candies remain at the bottom


The Stack

248 Chapter 8 ■ Our Object All Sublime

Top of theStack

Top of theStack

Push four items onto the stack:

Top of theStack

Pop two items off the stack:

Push three items onto the stack:

Top of theStack

Figure 8-1: The stack

Stacking Things Upside DownMaking things a little trickier to visualize is the fact that the x86 stack isbasically upside-down. If you picture a region of memory with the lowestaddress at the bottom and the highest address at the top, the stack begins up atthe ceiling, and as items are pushed onto the stack, the stack grows downward,toward low memory.

Figure 8-2 shows in broad terms how Linux organizes the memory thatit gives to your program when it runs. At the bottom of memory are thethree sections that you define in your program: .text at the lowest addresses,followed by .data, followed by .bss. The stack is located all the way at theopposite end of your program’s memory block. In between the end of the .bsssection and the top of the stack is basically empty memory.

C programs routinely use this free memory space to allocate variables ‘‘on thefly’’ in a region called the heap. Assembly programs can do that as well, thoughit’s not as easy as it sounds and I can’t cover it in this book. The importantthing to remember is that the stack and your program proper (code andnamed data) play in opposite corners of the sandbox. The stack grows towardthe rest of your program, but unless you’re doing really extraordinary—orstupid—things, there’s little or no chance that the stack will grow so large asto collide with your program’s named data items or machine instructions. Ifthat happens, Linux will calmly issue a segmentation fault and your programwill terminate.

The only caution I should offer regarding Figure 8-2 is that the relative sizesof the program sections versus the stack shouldn’t be seen as literal. You mayhave thousands of bytes of program code and tens of thousands of bytes ofdata in a middling assembly program, but for that the stack is still quite small:a few hundred bytes at most, and generally less than that.

Note that when your program begins running, the stack is not completelyempty. Some useful things are there waiting for you, as I’ll explain a little later.


Stack in Memory

Stack starts at the top of memoryStart at the higher memoryGo down in the free memory

Opposite to the resttext sectiondata sectionbss sectionare stored at the bottom of the memory

C program allocate dynamically the free memoryOn the fly while it worksInside the heap


The Stack in Memory Chapter 8 ■ Our Object All Sublime 249

.text section(Program code)

.data section(Initialized data items)

.bss section(Uninitialized data items)

TheStack

FreeMemory

ESP moves upand down asitems are pushedonto or poppedfrom the stack

ESP alwayspoints to the lastitem pushedonto the stack

Highestmemoryaddresses

Lowestmemoryaddresses

Figure 8-2: The stack in program memory

Push-y Instructions

You can place data onto the stack in several ways, but the most straightforwardway involves a group of five related machine instructions: PUSH, PUSHF, PUSHFD,PUSHA, and PUSHAD. All work similarly, and differ mostly in what they pushonto the stack:

PUSH pushes a 16-bit or 32-bit register or memory value that is specifiedby you in your source code.PUSHF pushes the 16-bit Flags register onto the stack.PUSHFD pushes the full 32-bit EFlags register onto the stack.PUSHA pushes all eight of the 16-bit general-purpose registers onto thestack.


Push instructions

Add information on top of the stackPUSH a register or memory valuePUSHF push the Flags register

examples

push ax ; Push the AX register

; push ebx ; push the EAX register not supported in ↘

→64-bit mode

push rax ; Push the RAX register

push word[rbx] ; Push the word stored at bx

push qword[rdx] ; Push the double word stored↘

→ at edx

push rdi ; Push the RDI register

pushf ; Push the flags on the stack


Pop instructions

Retrieve information out of the stackRemoves the information from the stack and transfers itIt is up to you to know what information is stored on the stack

InstructionsPOP, POPF (for flags)

Examples

popf ;Pop the flags out of the stack

pop CX ; Pop the top 2 bytes from the stack ↘

→into CX

pop RSI ; Pop the top 16 bytes from the stack↘

→ into RSI

pop qword[rbx] ; Pop the top 8 bytes from the↘

→ stack into the memory at EBX

pop qword[vars1] ; Pop the top 8 bytes from ↘

→the stack into the memory at var1


How the stack works

Chapter 8 ■ Our Object All Sublime 253

PUSHF ; Push the Flags register onto the stack..POP BX ; ..and pop it immediately into BX

Not all bits of EFlags may be changed with POPFD. Bits VM and RF are notaffected by popping a value off the stack into EFlags.

34

12

A7

4B

34

12

17

FF

A7

4B

34

12

A7

4B

34

12Hi

gh M

emor

yLo

w M

emor

y

SP

SP

SP

SP

PUSH AX PUSH BX PUSH CX POP DX

DX nowcontains0FF17h

AX = 01234hBX = 04BA7h

CX = 0FF17hDX = 0000

Figure 8-3: How the stack works

Storage for the Short TermThe stack should be considered a place to stash things for the short term. Itemsstored on the stack have no names, and in general must be taken off the stack inthe reverse order in which they were put on. Last in, first out, remember. LIFO!

One excellent use of the stack allows the all-too-few registers to do multipleduty. If you need a register to temporarily hold some value to be operated onby the CPU and all the registers are in use, push one of the busy registers onto


Interrupts


Software Interrupts


Interrupts

Used to communicate with the Linux KernelNot authorized to access memory where Kernel instructions areProtected modeNeed a way to execute kernel instructions

InterruptsInterrupt vector tablePlaced at the first 1024 bytes of memory of any x86 computerEach vector has a number from 0 to 255Each vector contains the address (including offset andsegment) of kernel functionsAddresses can be dynamically allocated (regarding where thekernel is executed)


The interrupt vector table

256 Chapter 8 ■ Our Object All Sublime

parts, and when you upgrade to a new version of Linux, that new versionwill fill the appropriate slots in the interrupt vector table with upgraded andaccurate addresses.

Vector 0

Vector 2

Vector 1

Vector 3

The lowest location inx86 memory

00000000h

00000008h

00000004h

0000000Ch

00000010h

Figure 8-4: The interrupt vector table

What doesn’t change from Linux version to Linux version is the number of theinterrupt that holds a particular address. In other words, since the very firstLinux release, interrupt number 80h has pointed the way into darkest Linux tothe services dispatcher, a sort of multiple-railway switch with spurs heading outto the many (almost 200) individual Linux kernel service routines. The addressof the dispatcher is different with most Linux distributions and versions, butregardless of which Linux distro or which version of a distro that you have, pro-grams can access the dispatcher by way of slot 80h in the interrupt vector table.

Furthermore, programs don’t have to go snooping the table for the addressthemselves. In fact, that’s forbidden under the restrictions of protected mode.The table belongs to the operating system, and you can’t even go down thereand look at it. However, you don’t have to access addresses in the table


Interrupt 80h = the dispatcher

An interrupt number correspond to one functionIt remains the same, always80h corresponds to the dispatcher

The INT instructionIs used in the programCPU goes to the interrupt vector tableFetches the address from slot 80hJumps execution to that addressThe dispacher picks up the execution and performs the service


Riding an interrupt vector into Linux258 Chapter 8 ■ Our Object All Sublime

the dispatcher which service you need, which you do by placing the service’snumber in register EAX. The dispatcher may require other information as well,and will expect you to provide that information in the correct place—almostalways in various registers—before it begins its job.

Dispatcher

Vector Table

Vector 80h

INT 80h

Linux

Return Address

Your Code

The Stack

User Space

Kernel Space

The INT80h instruction first pushesthe address of the instruction after it onto the stack...

...and then jumps towhatever address is stored in vector 80h.

The address at vector80h takes execution into the Linux system call dispatcher

(Next Instruction)

Figure 8-5: Riding an interrupt vector into Linux

Look at the following lines of code from eatsyscall.asm:

mov eax,4 ; Specify sys_write syscallmov ebx,1 ; Specify File Descriptor 1: Standard Output


The dispatcher

Controles access to 200 individual routinesTell the dispacher which service you needPlace service number in register RAXThe dispatcher may require other information as wellMost allways in various registers

Example

mov eax,4 ; Specify sys_write call

mov ebx,1 ; Specify File Descriptor 1: ↘

→Standard Output

mov ecx,EatMsg ; Pass offset of the message

mov edx,EatLen ; Pass the length of the ↘

→message

int 80H ; Make kernel call


File descriptors

Standard Inputstdin

File descriptor 0

Standard Outputstdout

FIle descriptor 1

Standard Errorstderr

File descriptor 2

Other filesGenerate a new file descriptor


Return to your program

When the routine is finishedLinux goes back to your programHas to know where to go back

StackThe instruction number is stored on the stack when theinterrupt is calledWhen it is finished: the address is poped from the stackAnd inserted back in the instruction pointer (RIP)It is the address of the next instruction to be executed.


Returning home from an interruptChapter 8 ■ Our Object All Sublime 261

Dispatcher

Vector Table

Vector 80h

INT 80h

Linux

Return Address

Your Code

The Stack

The IRET instructionpops the returnaddress off the stack...

...and then jumps tothe instruction at thataddress, which is theone immediately afterthe INT 80h.IRET

(Next Instruction)

Figure 8-6: Returning home from an interrupt

Exiting this way is not just a nicety. Every program you write must exitby making a call to sys_exit through the kernel services dispatcher. If aprogram just ‘‘runs off the edge’’ it will in fact end, but Linux will hand up asegmentation fault and you’ll be none the wiser as to what happened.

Software Interrupts versus Hardware InterruptsYou’re probably still wondering why a mechanism like this is called an ‘‘inter-rupt,’’ and it’s a reasonable question with historical roots. Software interrupts


Exiting the program

Call the dispatcherINT 80 instruction

ParametersRoutine is number 1 in RAX

Value 0 is stored in RBX (everything went well)Or something else

Example

MOV eax,1 ; Code for Exit Syscall

mov ebx,0 ; Return a code of zero

int 80H ; Make kernel call


Hardware Interrupt


Hardware Interrupt

CPU mechanism to pay attention to the worldPC circuits can send signals to the CPUKeyboard, network, disk, USB, ...CPU can interrupt its work to treat the message

Harware interrupts are also addressesEach interrupt has a numberThe table links together number and address of the instructionsCalled: ISR Interrupt Service Routine

Difference hardware vs software interruptHarware interrupt is trigered by something outside your codeSoftware interrupt is trigered by something inside your code


System call 64-bit


System CallSystem Call replace software interrupt

Call to system functions can be done using interrupt 80hThey can also be done using “syscall”

Call functions reserved to the systemExit the programPrint something on the standard output (or error output)Print something in a fileManipulate filesRead chars from the standard input. . .

ParametersRAX : the function number

I 0 : sys read (read input or file)I 1 : sys wirte (write ouput or file)I 2 : sys open (for a file)I 3 : sys close (idem)I . . .I 60 : sys exit

Other parameters:I RDI, RSI, RDX, R10, R8, R9I Some function need more parameters than other


System Call: ExamplesDisplaying a string

RAX : 1 = sys writeRDI : 1 = Standard outputRSI : address of the string to be writtenRDX : length of the string (number of bytes)

mov rax,1 ; Code for Sys_write call

mov rdi, 1 ; Specify File Descriptor 1: Standard ↘

→Output

mov rsi, EatMsg ; Pass offset of the message

mov rdx, EatLen ; Pass the length of the message

syscall ; Make kernel call

Exit programRAX : 60 = sys exit

RDI : 0 = returned value (0 means OK)

mov rax, 60 ; Code for exit

mov rdi, 0 ; Return a code of zero

syscall ; Make kernel call


Eat Message using 64-bit syscalls

SECTION .data ; Section containing initialised dataEatMsg: db ”Eat at Joe’s!”,10EatLen: equ $−EatMsg

SECTION .bss ; Section containing uninitialized data

SECTION .text ; Section containing code

global start ; Linker needs this to find the entry point!

start:nop ; This no−op keeps gdb happy...mov rax,1 ; Code for Sys write callmov rdi, 1 ; Specify File Descriptor 1: Standard Outputmov rsi, EatMsg ; Pass offset of the messagemov rdx, EatLen ; Pass the length of the messagesyscall ; Make kernel call

mov rax, 60 ; Code for exitmov rdi, 0 ; Return a code of zerosyscall ; Make kernel call


Conclusion


Conclusion

Structure of a programInitialisation of the data in memoryPlaceholders to reserve place in memoryProgramm

StackUsed to store temporary informationUseful for calling an interrupt, to restore the environmentWill be used to call functions in our code

InterruptPossibility to access Kernel routinesUsed also to react to external stimuliMainly based on a vector containing the addresses of defaultfunctions.


Bibliography

This course corresponds to the chapters 7 and 8 of the coursebook:Assembly Language Step by Step (3rd Edition)


cs basics 5) programming in assembly language - · pdf filecs basics 5) programming in...

Documents