The IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta
|
|
- Buck Kennedy
- 6 years ago
- Views:
Transcription
1 1 The IA-32 Stack and Function Calls CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta
2 2 Important Registers used with the Stack EIP: ESP: EBP:
3 3 Important Registers used with the Stack EIP: Contains the address of the next instruction that will be executed ESP: EBP:
4 4 Important Registers used with the Stack EIP: Contains the address of the next instruction that will be executed ESP: Contains the address of the top element in the stack EBP:
5 5 Important Registers used with the Stack EIP: Contains the address of the next instruction that will be executed ESP: Contains the address of the top element in the stack EBP: Contains the address of the base of the current stack frame
6 6 EIP 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx 0x0000 A00C push esi 0x0000 A010 call 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax 0x0000 B014 retn Lower Memory Higher Memory Main Memory Text Data Heap Stack
7 7 EIP Which part of memory are we looking at when we see instructions? 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx 0x0000 A00C push esi 0x0000 A010 call 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax 0x0000 B014 retn Lower Memory Higher Memory Main Memory Text Data Heap Stack
8 8 EIP Which part of memory are we looking at when we see instructions? 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx 0x0000 A00C push esi 0x0000 A010 call 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax 0x0000 B014 retn Lower Memory Higher Memory Main Memory Text Data Heap Stack
9 9 EIP Which part of memory are we looking at when we see instructions? 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx 0x0000 A00C push esi 0x0000 A010 call 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax 0x0000 B014 retn Lower Memory Higher Memory Main Memory Text Data Heap Stack **This ordering is not strict** Stack always grows towards lower memory
10 10 EIP 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx 0x0000 A00C push esi 0x0000 A010 call 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax 0x0000 B014 retn EIP 0x0000 A004
11 11 EIP 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx not yet executed 0x0000 A00C push esi 0x0000 A010 call 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax 0x0000 B014 retn already executed EIP 0x0000 A004
12 12 EIP preparing for and calling a function 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx not yet executed 0x0000 A00C push esi 0x0000 A010 call 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax 0x0000 B014 retn already executed function code EIP 0x0000 A004
13 13 EIP What happens after we execute this? 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx 0x0000 A00C push esi 0x0000 A010 JMP 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax EIP 0x0000 A010
14 14 EIP We just jump and keep executing. No caller. No return. 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx 0x0000 A00C push esi 0x0000 A010 JMP 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax EIP 0x0000 A010
15 15 EIP 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx 0x0000 A00C push esi 0x0000 A010 CALL 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax 0x0000 B014 retn EIP 0x0000 A010 int main() { foo(a,b,c,d); int b = a; } int foo(a,b,c,d) { int e = 0; //lost when return return 0; }
16 16 EIP How to know where to return? 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx 0x0000 A00C push esi 0x0000 A010 CALL 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax 0x0000 B014 retn EIP 0x0000 A010 int main() { foo(a,b,c,d); int b = a; } int foo(a,b,c,d) { int e = 0; //lost when return return 0; }
17 17 EIP Save return address! (0x0000 A014) but where? 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx 0x0000 A00C push esi 0x0000 A010 CALL 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax 0x0000 B014 retn EIP 0x0000 A010 int main() { foo(a,b,c,d); int b = a; } int foo(a,b,c,d) { int e = 0; //lost when return return 0; }
18 18 EIP The stack! 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx 0x0000 A00C push esi 0x0000 A010 CALL 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax 0x0000 B014 retn EIP 0x0000 A bits (DWORD) ** return address ** Value in esi Value in ebx Value in edi Value in eax Previously Stored Data
19 19 Recall Stack Non-register memory Short-term secondary storage LIFO Uses of the stack Local Variables Function parameters Return addresses
20 20 Recall Stack ESP holds the address of the top 32-bits (DWORD) ESP EBP Unknown Data (unused) Unknown Data (unused) Unknown Data (unused) Unknown Data (unused) Unknown Data (unused) Previously Stored Data Lower Memory Address Higher Memory Address
21 21 What is the EBP for??? Stack ESP EBP Local Variable Local Variable??? Return Address Parameter Parameter Lower Memory Address Higher Memory Address
22 22 Recall Stack ESP EBP points to the base of the current stack frame Local Variable Local Variable Saved EBP Return Address Parameter Parameter Lower Memory Address Higher Memory Address
23 23 What is the EBP for??? ESP EBP 0x0018 FD44 0x0018 FD44 unused Local Variable 2 Local Variable 1??? Return Address Parameter 1 Parameter 2 Lower Memory Address Higher Memory Address
24 24 What is the EBP for??? ESP 0x0018 FD3C 0x0018 FD44 EBP 0x0018 FD44 0x0018 FD40 unused Local Variable 2 Local Variable 1??? Return Address Parameter 1 Parameter 2 access the value of local variable 1 with [esp+4] or Lower Memory Address Higher Memory Address
25 25 What is the EBP for??? ESP 0x0018 FD3C 0x0018 FD44 EBP 0x0018 FD44 0x0018 FD40 unused Local Variable 2 Local Variable 1??? Return Address Parameter 1 Parameter 2 access the value of local variable 1 with [esp+4] or Lower Memory Address Higher Memory Address [ebp 4] (stack pointer may change, but not the base pointer at least not within the current stack frame)
26 26 What is the EBP for??? It holds the address of (points to) the base of the current stack frame
27 27 What is inside the Address EBP points to??? ESP 0x0018 FD3C EBP 0x0018 FD44 ebp-8 ebp-4 0x0018 FD44 ebp+4 ebp+8 ebp+0c Local Variable 2 Local Variable 1??????? Return Address Parameter 1 Parameter 2 Lower Memory Address Higher Memory Address
28 28 Nested Function Calls e.g., int main() { foo(); } void foo() { } EBP 0x0018 FD44 Main() Stack Frame ebp-8 ebp-4 0x0018 FD44 ebp+4 ebp+8 Local Variable Local Variable????? Return Address
29 29 Nested Function Calls e.g., int main() { foo(); } void foo() { } called from elsewhere (OS loader) EBP 0x0018 FD44 Main() Stack Frame ebp-8 ebp-4 0x0018 FD44 ebp+4 ebp+8 Local Variable Local Variable????? Return Address
30 30 Nested Function Calls e.g., int main() { foo(); } void foo() { } EBP 0x0018 FD44 Main() Stack Frame ebp-8 ebp-4 0x0018 FD44 ebp+4 ebp+8 Local Variable Local Variable????? Return Address no parameters
31 31 Nested Function Calls e.g., int main() { foo(); } void foo() { } EBP 0x0028 FD44 foo() Stack Frame Main() Stack Frame ebp-8 ebp-4 0x0018 FD44 ebp+4 ebp+8 ebp-8 ebp-4 0x0028 FD44 ebp+4 ebp+8 Local Variable Local Variable Saved EBP Return Address Local Variable Local Variable????? Return Address
32 32 Nested Function Calls 0x0000 A010 CALL 0x0000 B000 0x0000 A014. 0x0000 B000 push eax 0x0000 B014 retn EBP 0x0028 FD44 foo() Stack Frame Main() Stack Frame ebp-8 ebp-4 0x0018 FD44 ebp+4 ebp+8 when the function returns we can restore the old EBP ebp-8 ebp-4 0x0028 FD44 ebp+4 ebp+8 Local Variable Local Variable????? Local Variable Local Variable Saved EBP (0x0018 FD44) Return Address Return Address
33 33 Nested Function Calls 0x0000 A010 CALL 0x0000 B000 0x0000 A014. 0x0000 B000 push eax 0x0000 B014 retn EBP 0x0028 FD44 foo() Stack Frame Main() Stack Frame ebp-8 ebp-4 0x0018 FD44 ebp+4 ebp+8 ebp-8 ebp-4 0x0028 FD44 ebp+4 ebp+8 Local Variable Local Variable Saved EBP (0x0018 FD44) 0x0000 A014 Local Variable Local Variable????? Return Address
34 34 What is inside the Address EBP points to??? The address of the previous base pointer, i.e., the base pointer of the caller function.
35 A Function Call Walkthrough 35
36 36 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 Next instruction to execute is in red Heap Segment test Stack Segment EIP 0x00D4 10AE EDX ESP 0x001E FC98 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FCE0 0x00D4 1BA9 0x x
37 37 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 Next instruction to execute is in red Heap Segment test Stack Segment EIP 0x00D4 10AE EDX ESP 0x001E FC98 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FCE0 0x00D4 1BA9 0x x
38 38 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 Next instruction to execute is in red Heap Segment test Stack Segment EIP 0x00D4 10AE EDX ESP 0x001E FC98 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FCE0 0x00D4 1BA9 0x x local var
39 39 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 Next instruction to execute is in red Heap Segment test Stack Segment EIP 0x00D4 10AE EDX ESP 0x001E FC98 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FCE0 0x00D4 1BA9 0x x local var saved ebp
40 40 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 Next instruction to execute is in red Heap Segment test Stack Segment EIP 0x00D4 10AE EDX ESP 0x001E FC98 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FCE0 0x00D4 1BA9 0x x local var saved ebp return address
41 State after executing 0x00D4 10AE 41 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 Heap Segment test Stack Segment EIP 0x00D4 10B1 EDX ESP 0x001E FC98 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FCE0 0x00D4 1BA9 0x x
42 State after executing 0x00D4 10AE 42 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 Heap Segment test Stack Segment EIP 0x00D4 10B1 EDX ESP 0x001E FC98 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FCE0 0x00D4 1BA9 0x x
43 State after executing 0x00D4 10B1 43 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 Heap Segment test Stack Segment EIP 0x00D4 10B2 EDX ESP 0x001E FC94 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FCE0 0x00D4 1BA9 0x x using a local variable as a parameter
44 44 Recall Instruction 1. Call ADDR 1. Push address of instruction after call onto stack i. Adjust stack pointer (ESP) 2. Place ADDR into EIP
45 State after executing 0x00D4 10B1 45 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 Heap Segment test Stack Segment EIP 0x00D4 10B2 EDX ESP EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FCE0 0x00D4 1BA9 0x x
46 State after executing 0x00D4 10B2 46 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 Heap Segment test Stack Segment EIP 0X00D EDX ESP 0X001E FC90 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0X00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x
47 State after executing 0x00D4 10B2 47 Text Segment... 0x00D push ebp 0x00D mov ebp, esp 0x00D Heap Segment test Stack Segment EIP 0x00D EDX ESP 0x001EFC90 EBP 0x001EFC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x
48 State after executing 0x00D Text Segment... 0x00D push ebp 0x00D mov ebp, esp 0x00D Heap Segment test Stack Segment EIP 0x001EFC84 0x001EFC88 EDX ESP EBP 0x001EFC9C 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x
49 State after executing 0x00D Text Segment... 0x00D push ebp 0x00D mov ebp, esp 0x00D Heap Segment test Stack Segment EIP 0x00D EDX ESP 0x001E FC8C EBP 0x001EFC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x
50 State after executing 0x00D Text Segment... 0x00D push ebp 0x00D mov ebp, esp 0x00D What is the current stack frame? Stack Segment Heap Segment test EIP 0x00D EDX ESP 0x001E FC8C EBP 0x001E FC8C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x
51 State after executing 0x00D Text Segment... 0x00D push ebp 0x00D mov ebp, esp 0x00D Current stack frame Heap Segment test Stack Segment EIP 0x00D EDX ESP 0x001E FC8C EBP 0x001E FC8C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x
52 State after executing 0x00D Text Segment... 0x00D push ebp 0x00D mov ebp, esp 0x00D Heap Segment test Stack Segment EIP 0x00D EDX ESP 0x001E FC8C EBP 0x001E FC8C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x saved ebp return address parameter
53 Moving ahead 53
54 State after executing 54 Text Segment... 0x00D4 11A0 pop ebp 0x00D4 11A1 retn 0x00D4 11A3... preparing to return Heap Segment test Stack Segment EIP 0x00D4 11A0 EDX ESP 0x001EFC8C EBP 0x001EFC8C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x
55 State after executing 0x00D4 11A0 55 Text Segment... 0x00D4 11A0 pop ebp 0x00D4 11A1 retn 0x00D4 11A3... Heap Segment test Stack Segment EIP 0x00D4 11A1 EDX ESP EBP 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x
56 State after executing 0x00D4 11A0 56 Text Segment... 0x00D4 11A0 pop ebp 0x00D4 11A1 retn 0x00D4 11A3... Heap Segment test Stack Segment EIP 0x00D4 11A1 EDX ESP 0x00EF FC90 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x
57 57 Recall Instruction RET/RETN 1. Pop return address from stack and place into EIP i. Adjust ESP
58 State after executing 0x00D4 11A1 58 Text Segment... 0x00D4 11A0 pop ebp 0x00D4 11A1 retn 0x00D4 11A3... Heap Segment test Stack Segment EIP 0x001EFC84 0x001EFC88 EDX ESP EBP 0x001E FC9C 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x
59 State after executing 0x00D4 11A1 59 Text Segment... 0x00D4 11A0 pop ebp 0x00D4 11A1 retn 0x00D4 11A3... Heap Segment test Stack Segment EIP 0x00D4 10B7 EDX ESP 0x001E FC94 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x
60 State after executing 0x00D4 11A1 60 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 0x00D4 10BA... Stack Segment Heap Segment test EIP 0x00D4 10B7 EDX ESP 0x001E FC94 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x
61 State after executing 0x00D4 10B7 61 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 0x00D4 10BA... Stack Segment Heap Segment test EIP 0x00D4 10BA EDX ESP EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x
62 State after executing 0x00D4 10B7 62 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 0x00D4 10BA... Stack Segment Heap Segment test EIP 0x00D4 10BA EDX ESP 0x001E FC98 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x
63 Break 63
64 Tracing Function Calls with IDA 64
65 Function Calls in IDA 65 Var_4 = -4 EBP 0x0018 FD44 0x0018 FD44 Local Variable????? Return Address
66 Function Calls in IDA 66 Var_4 = -4 EBP 0x0018 FD44 ebp+ var_4 0x0018 FD44 ebp+4 ebp+8 Local Variable????? Return Address
67 67 IDA Pro Debugging Mode One of the nicest features of IDA Pro is that it allows you to debug programs. The usual process it to find a place of interest and set a breakpoint (press F2)
68 68 IDA Pro Debugging Mode Once you do this the line turns red.
69 Breakpoints 69 This will show all breakpoints
70 70 IDA Pro Debugging Mode If you re running suspected malware, make sure it is in an isolated environment.
71 71 The program executes in debug mode. Notice the Window layout changes
72 72 Modules See the event log in the Modules window
73 73 EIP and ESP Windows Registers are pointing to these locations
74 74 General Registers follow address commonly used flags
75 Debugger Views in IDA 75 next instruction to execute
76 Debugger Views in IDA 76 blue: recently modified next instruction to execute hover to display contents at address (here we have a string)
77 77 Debugging (ESP Window) Stack local variable saved ebp return address parameters
78 78 Data Definition Directives Keyword Size in Bytes DB (Define byte) 1 DW (Define word) 2 DD (Define double-word) 4 DQ (Define quad-word) 8 IDA tries to infer the size of data elements.
79 79 0x0102 4F80 ESP EBP Var_4 Saved EBP Return Address Parameter Parameter Lower Memory Address Higher Memory Address
80 80 0x0102 4F80 test Lower Memory Address ESP EBP Var_4 0x0102 4F80 Saved EBP Return Address Parameter Parameter Higher Memory Address
81 A Full Walkthrough in IDA 81
82 Function Calls 82 EDX now contains memory address to string press F7 (step into)
83 Function Calls 83 EIP updated and EDX has been pushed onto stack
84 84 Back to Function Calls Instruction 1. Call ADDR 1. Push the address of the instruction after CALL onto stack i. Adjust stack pointer (ESP) 2. Place ADDR into EIP
85 85 Function Calls EIP updated ESP updated return address is now on the stack
86 86 Function Calls IDA named this
87 87 Function Calls EIP updated EBP pushed onto stack (points to old ebp)
88 88 Function Calls EIP updated EBP now points to current top of the stack
89 89 Function Calls Parameter passing order depends on the calling convention specified by the compiler. ESP Unknown Data (unused) Unknown Data (unused) Saved EBP Return Address EBP Parameters
90 90 Function Calls... moving ahead
91 Function Calls 91 getting ready to return to the caller
92 Function Calls 92 the EBP is now in the previous stack frame
93 93 Function Calls Instruction RET/RETN 1. Pop return address from stack and place into EIP i. Adjust ESP
94 Function Calls 94 Return address popped and put into EIP ESP now pointing to old parameter to function (remember arg_0) Why is the next instruction adding to ESP?
95 Function Calls 95 the parameter is no longer in the stack
96 96 What about Local Variables IDA improves readability by creating labels for local variables and parameters. ESP ebp + var_20 ebp + var_1c Local variables ebp + var_4 0x001E FC9C Saved EBP name size position relative to the base EBP 0x001E FC9C ebp + arg_0 Return Address Parameter
97 97 What about Local Variables Double-click on a variable label (e.g., var_20) to open the stack frame view.
98 98 What about Local Variables var_20 = 4 bytes
99 99 What about Local Variables var_20 = 4 bytes var_1c = (0x1C 0x04) = 24 bytes
100 100 What about Local Variables var_20 = 4 bytes var_1c = (0x1C 0x04) = 24 bytes var_4 = 4 bytes
101 101 What about Local Variables var_20 = 4 bytes var_1c = (0x1C 0x04) = 24 bytes var_4 = 4 bytes arg_0 = 4 bytes
102 Exercise 102
Assembly Language: Function Calls
Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems: Calling and returning Passing parameters Storing local variables Handling registers without interference
More informationAssembly Language: Function Calls" Goals of this Lecture"
Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and returning" Passing parameters" Storing local variables" Handling registers without interference"
More informationAssembly Language: Function Calls" Goals of this Lecture"
Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and urning" Passing parameters" Storing local variables" Handling registers without interference"
More informationAssembly Language: Function Calls. Goals of this Lecture. Function Call Problems
Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems: Calling and urning Passing parameters Storing local variables Handling registers without interference Returning
More informationx86 assembly CS449 Fall 2017
x86 assembly CS449 Fall 2017 x86 is a CISC CISC (Complex Instruction Set Computer) e.g. x86 Hundreds of (complex) instructions Only a handful of registers RISC (Reduced Instruction Set Computer) e.g. MIPS
More informationCSC 2400: Computer Systems. Using the Stack for Function Calls
CSC 24: Computer Systems Using the Stack for Function Calls Lecture Goals Challenges of supporting functions! Providing information for the called function Function arguments and local variables! Allowing
More informationCSC 8400: Computer Systems. Using the Stack for Function Calls
CSC 84: Computer Systems Using the Stack for Function Calls Lecture Goals Challenges of supporting functions! Providing information for the called function Function arguments and local variables! Allowing
More informationFunction Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)
Function Calls COS 217 Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site) 1 Goals of Today s Lecture Finishing introduction to assembly language o EFLAGS register
More informationProgram Exploitation Intro
Program Exploitation Intro x86 Assembly 04//2018 Security 1 Univeristà Ca Foscari, Venezia What is Program Exploitation "Making a program do something unexpected and not planned" The right bugs can be
More informationReverse Engineering Low Level Software. CS5375 Software Reverse Engineering Dr. Jaime C. Acosta
1 Reverse Engineering Low Level Software CS5375 Software Reverse Engineering Dr. Jaime C. Acosta Machine code 2 3 Machine code Assembly compile Machine Code disassemble 4 Machine code Assembly compile
More informationCSC 2400: Computing Systems. X86 Assembly: Function Calls"
CSC 24: Computing Systems X86 Assembly: Function Calls" 1 Lecture Goals! Challenges of supporting functions" Providing information for the called function" Function arguments and local variables" Allowing
More informationCSC 2400: Computer Systems. Using the Stack for Function Calls
CSC 24: Computer Systems Using the Stack for Function Calls Lecture Goals Challenges of supporting functions! Providing information for the called function Function arguments and local variables! Allowing
More informationStack -- Memory which holds register contents. Will keep the EIP of the next address after the call
Call without Parameter Value Transfer What are involved? ESP Stack Pointer Register Grows by 4 for EIP (return address) storage Stack -- Memory which holds register contents Will keep the EIP of the next
More informationX86 Stack Calling Function POV
X86 Stack Calling Function POV Computer Systems Section 3.7 Stack Frame Reg Value ebp xffff FFF0 esp xffff FFE0 eax x0000 000E Memory Address Value xffff FFF8 xffff FFF4 x0000 0004 xffff FFF4 x0000 0003
More informationx86 assembly CS449 Spring 2016
x86 assembly CS449 Spring 2016 CISC vs. RISC CISC [Complex instruction set Computing] - larger, more feature-rich instruction set (more operations, addressing modes, etc.). slower clock speeds. fewer general
More informationCSC 2400: Computing Systems. X86 Assembly: Function Calls
CSC 24: Computing Systems X86 Assembly: Function Calls 1 Lecture Goals Challenges of supporting functions Providing information for the called function Function arguments and local variables Allowing the
More informationFunction Call Convention
Function Call Convention Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Content Intel Architecture Memory Layout
More informationSystems I. Machine-Level Programming V: Procedures
Systems I Machine-Level Programming V: Procedures Topics abstraction and implementation IA32 stack discipline Procedural Memory Usage void swap(int *xp, int *yp) int t0 = *xp; int t1 = *yp; *xp = t1; *yp
More informationPractical Malware Analysis
Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the
More informationMachine Programming 3: Procedures
Machine Programming 3: Procedures CS61, Lecture 5 Prof. Stephen Chong September 15, 2011 Announcements Assignment 2 (Binary bomb) due next week If you haven t yet please create a VM to make sure the infrastructure
More informationProcedure Calls. Young W. Lim Sat. Young W. Lim Procedure Calls Sat 1 / 27
Procedure Calls Young W. Lim 2016-11-05 Sat Young W. Lim Procedure Calls 2016-11-05 Sat 1 / 27 Outline 1 Introduction References Stack Background Transferring Control Register Usage Conventions Procedure
More informationCS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly
Raluca Popa Spring 2018 CS 161 Computer Security Discussion 1 Week of January 22, 2018: GDB and x86 assembly Objective: Studying memory vulnerabilities requires being able to read assembly and step through
More informationLecture 4 CIS 341: COMPILERS
Lecture 4 CIS 341: COMPILERS CIS 341 Announcements HW2: X86lite Available on the course web pages. Due: Weds. Feb. 7 th at midnight Pair-programming project Zdancewic CIS 341: Compilers 2 X86 Schematic
More informationCS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016
CS 31: Intro to Systems Functions and the Stack Martin Gagne Swarthmore College February 23, 2016 Reminders Late policy: you do not have to send me an email to inform me of a late submission before the
More informationSYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14
SYSTEM CALL IMPLEMENTATION CS124 Operating Systems Fall 2017-2018, Lecture 14 2 User Processes and System Calls Previously stated that user applications interact with the kernel via system calls Typically
More informationCMSC 313 Lecture 12. Project 3 Questions. How C functions pass parameters. UMBC, CMSC313, Richard Chang
Project 3 Questions CMSC 313 Lecture 12 How C functions pass parameters UMBC, CMSC313, Richard Chang Last Time Stack Instructions: PUSH, POP PUSH adds an item to the top of the stack POP
More informationIslamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB. Lab # 7. Procedures and the Stack
Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB Lab # 7 Procedures and the Stack April, 2014 1 Assembly Language LAB Runtime Stack and Stack
More informationx86 Assembly Tutorial COS 318: Fall 2017
x86 Assembly Tutorial COS 318: Fall 2017 Project 1 Schedule Design Review: Monday 9/25 Sign up for 10-min slot from 3:00pm to 7:00pm Complete set up and answer posted questions (Official) Precept: Monday
More informationReverse Engineering II: The Basics
Reverse Engineering II: The Basics Gergely Erdélyi Senior Manager, Anti-malware Research Protecting the irreplaceable f-secure.com Binary Numbers 1 0 1 1 - Nibble B 1 0 1 1 1 1 0 1 - Byte B D 1 0 1 1 1
More informationReverse Engineering II: Basics. Gergely Erdélyi Senior Antivirus Researcher
Reverse Engineering II: Basics Gergely Erdélyi Senior Antivirus Researcher Agenda Very basics Intel x86 crash course Basics of C Binary Numbers Binary Numbers 1 Binary Numbers 1 0 1 1 Binary Numbers 1
More informationCPS104 Recitation: Assembly Programming
CPS104 Recitation: Assembly Programming Alexandru Duțu 1 Facts OS kernel and embedded software engineers use assembly for some parts of their code some OSes had their entire GUIs written in assembly in
More informationCNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux
CNIT 127: Exploit Development Ch 2: Stack Overflows in Linux Stack-based Buffer Overflows Most popular and best understood exploitation method Aleph One's "Smashing the Stack for Fun and Profit" (1996)
More informationIA-32 Architecture. CS 4440/7440 Malware Analysis and Defense
IA-32 Architecture CS 4440/7440 Malware Analysis and Defense Intel x86 Architecture } Security professionals constantly analyze assembly language code } Many exploits are written in assembly } Source code
More information238P: Operating Systems. Lecture 3: Calling conventions. Anton Burtsev October, 2018
238P: Operating Systems Lecture 3: Calling conventions Anton Burtsev October, 2018 What does CPU do internally? (Remember Lecture 01 - Introduction?) CPU execution loop CPU repeatedly reads instructions
More informationMachine-level Programming (3)
Machine-level Programming (3) Procedures A: call A call A return Two issues How to return to the correct position? How to pass arguments and return values between callee to caller? 2 Procedure Control
More informationX86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson
X86 Review Process Layout, ISA, etc. CS642: Computer Security Drew Davidson davidson@cs.wisc.edu From Last Time ACL-based permissions (UNIX style) Read, Write, execute can be restricted on users and groups
More informationW4118: PC Hardware and x86. Junfeng Yang
W4118: PC Hardware and x86 Junfeng Yang A PC How to make it do something useful? 2 Outline PC organization x86 instruction set gcc calling conventions PC emulation 3 PC board 4 PC organization One or more
More informationLecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86
Lecture 15 Intel Manual, Vol. 1, Chapter 3 Hampden-Sydney College Fri, Mar 6, 2009 Outline 1 2 Overview See the reference IA-32 Intel Software Developer s Manual Volume 1: Basic, Chapter 3. Instructions
More informationSubprograms: Local Variables
Subprograms: Local Variables ICS312 Machine-Level and Systems Programming Henri Casanova (henric@hawaii.edu) Local Variables in Subprograms In all the examples we have seen so far, the subprograms were
More informationDr. Ramesh K. Karne Department of Computer and Information Sciences, Towson University, Towson, MD /12/2014 Slide 1
Dr. Ramesh K. Karne Department of Computer and Information Sciences, Towson University, Towson, MD 21252 rkarne@towson.edu 11/12/2014 Slide 1 Intel x86 Aseembly Language Assembly Language Assembly Language
More informationEECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution
1. (40 points) Write the following subroutine in x86 assembly: Recall that: int f(int v1, int v2, int v3) { int x = v1 + v2; urn (x + v3) * (x v3); Subroutine arguments are passed on the stack, and can
More informationReverse Engineering II: The Basics
Reverse Engineering II: The Basics This document is only to be distributed to teachers and students of the Malware Analysis and Antivirus Technologies course and should only be used in accordance with
More informationASSEMBLY III: PROCEDURES. Jo, Heeseung
ASSEMBLY III: PROCEDURES Jo, Heeseung IA-32 STACK (1) Characteristics Region of memory managed with stack discipline Grows toward lower addresses Register indicates lowest stack address - address of top
More informationThe x86 Architecture
The x86 Architecture Lecture 24 Intel Manual, Vol. 1, Chapter 3 Robb T. Koether Hampden-Sydney College Fri, Mar 20, 2015 Robb T. Koether (Hampden-Sydney College) The x86 Architecture Fri, Mar 20, 2015
More informationAssembly III: Procedures. Jo, Heeseung
Assembly III: Procedures Jo, Heeseung IA-32 Stack (1) Characteristics Region of memory managed with stack discipline Grows toward lower addresses Register indicates lowest stack address - address of top
More informationCS 33: Week 3 Discussion. x86 Assembly (v1.0) Section 1G
CS 33: Week 3 Discussion x86 Assembly (v1.0) Section 1G Announcements - HW2 due Sunday - MT1 this Thursday! - Lab2 out Info Name: Eric Kim (Section 1G, 2-4 PM, BH 5419) Office Hours (Boelter 2432) - Wed
More informationCNIT 127: Exploit Development. Ch 1: Before you begin. Updated
CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial
More informationStack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta
1 Stack Vulnerabilities CS4379/5375 System Security Assurance Dr. Jaime C. Acosta Part 1 2 3 An Old, yet Still Valid Vulnerability Buffer/Stack Overflow ESP Unknown Data (unused) Unknown Data (unused)
More informationCPEG421/621 Tutorial
CPEG421/621 Tutorial Compiler data representation system call interface calling convention Assembler object file format object code model Linker program initialization exception handling relocation model
More informationAssembly III: Procedures. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Assembly III: Procedures Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu IA-32 (1) Characteristics Region of memory managed with stack discipline
More informationU23 - Binary Exploitation
U23 - Binary Exploitation Stratum Auhuur robbje@aachen.ccc.de November 21, 2016 Context OS: Linux Context OS: Linux CPU: x86 (32 bit) Context OS: Linux CPU: x86 (32 bit) Address Space Layout Randomization:
More informationCS213. Machine-Level Programming III: Procedures
CS213 Machine-Level Programming III: Procedures Topics IA32 stack discipline Register saving conventions Creating pointers to local variables IA32 Region of memory managed with stack discipline Grows toward
More informationStack Discipline Jan. 19, 2018
15-410 An Experience Like No Other Discipline Jan. 19, 2018 Dave Eckhardt Brian Railing Slides originally stolen from 15-213 1 15-410, S 18 Synchronization Registration The wait list will probably be done
More informationProcess Layout and Function Calls
Process Layout and Function Calls CS 6 Spring 07 / 8 Process Layout in Memory Stack grows towards decreasing addresses. is initialized at run-time. Heap grow towards increasing addresses. is initialized
More informationCMSC 313 Lecture 12 [draft] How C functions pass parameters
CMSC 313 Lecture 12 [draft] How C functions pass parameters UMBC, CMSC313, Richard Chang Last Time Stack Instructions: PUSH, POP PUSH adds an item to the top of the stack POP removes an
More informationUMBC. contain new IP while 4th and 5th bytes contain CS. CALL BX and CALL [BX] versions also exist. contain displacement added to IP.
Procedures: CALL: Pushes the address of the instruction following the CALL instruction onto the stack. RET: Pops the address. SUM PROC NEAR USES BX CX DX ADD AX, BX ADD AX, CX MOV AX, DX RET SUM ENDP NEAR
More informationProcesses (Intro) Yannis Smaragdakis, U. Athens
Processes (Intro) Yannis Smaragdakis, U. Athens Process: CPU Virtualization Process = Program, instantiated has memory, code, current state What kind of memory do we have? registers + address space Let's
More information143A: Principles of Operating Systems. Lecture 4: Calling conventions. Anton Burtsev October, 2017
143A: Principles of Operating Systems Lecture 4: Calling conventions Anton Burtsev October, 2017 Recap from last time Stack and procedure calls What is stack? Stack It's just a region of memory Pointed
More informationLab 10: Introduction to x86 Assembly
CS342 Computer Security Handout # 8 Prof. Lyn Turbak Wednesday, Nov. 07, 2012 Wellesley College Revised Nov. 09, 2012 Lab 10: Introduction to x86 Assembly Revisions: Nov. 9 The sos O3.s file on p. 10 was
More informationProcedure Calls. Young W. Lim Mon. Young W. Lim Procedure Calls Mon 1 / 29
Procedure Calls Young W. Lim 2017-08-21 Mon Young W. Lim Procedure Calls 2017-08-21 Mon 1 / 29 Outline 1 Introduction Based on Stack Background Transferring Control Register Usage Conventions Procedure
More informationLab 3. The Art of Assembly Language (II)
Lab. The Art of Assembly Language (II) Dan Bruce, David Clark and Héctor D. Menéndez Department of Computer Science University College London October 2, 2017 License Creative Commons Share Alike Modified
More information16.317: Microprocessor Systems Design I Fall 2014
16.317: Microprocessor Systems Design I Fall 2014 Exam 2 Solution 1. (16 points, 4 points per part) Multiple choice For each of the multiple choice questions below, clearly indicate your response by circling
More informationAn Experience Like No Other. Stack Discipline Aug. 30, 2006
15-410 An Experience Like No Other Discipline Aug. 30, 2006 Bruce Maggs Dave Eckhardt Slides originally stolen from 15-213 15-410, F 06 Synchronization Registration If you're here but not registered, please
More informationmith College Computer Science CSC231 Assembly Week #11 Fall 2017 Dominique Thiébaut
mith College Computer Science CSC231 Assembly Week #11 Fall 2017 Dominique Thiébaut dthiebaut@smith.edu Back to Conditional Jumps Review sub eax, 10 jz there xxx xxx there:yyy yyy Review cmp eax, 10 jz
More informationIntroduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins
Introduction to Reverse Engineering Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins Reverse Engineering (of Software) What is it? What is it for? Binary exploitation (the cool
More informationCMSC 313 Lecture 08 Project 2 Questions Recap Indexed Addressing Examples Some i386 string instructions A Bigger Example: Escape Sequence Project
CMSC 313 Lecture 08 Project 2 Questions Recap Indexed Addressing Examples Some i386 string instructions A Bigger Example: Escape Sequence Project UMBC, CMSC313, Richard Chang CMSC 313,
More informationDigital Forensics Lecture 3 - Reverse Engineering
Digital Forensics Lecture 3 - Reverse Engineering Low-Level Software Akbar S. Namin Texas Tech University Spring 2017 Reverse Engineering High-Level Software Low-level aspects of software are often the
More informationUniversity of Washington
Roadmap C: car *c = malloc(sizeof(car)); c->miles = 100; c->gals = 17; float mpg = get_mpg(c); free(c); Assembly language: Machine code: Computer system: get_mpg: pushq %rbp movq %rsp, %rbp... popq %rbp
More informationCS61 Section Solutions 3
CS61 Section Solutions 3 (Week of 10/1-10/5) 1. Assembly Operand Specifiers 2. Condition Codes 3. Jumps 4. Control Flow Loops 5. Procedure Calls 1. Assembly Operand Specifiers Q1 Operand Value %eax 0x104
More informationLow-Level Essentials for Understanding Security Problems Aurélien Francillon
Low-Level Essentials for Understanding Security Problems Aurélien Francillon francill@eurecom.fr Computer Architecture The modern computer architecture is based on Von Neumann Two main parts: CPU (Central
More informationCMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING
CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING LECTURE 16, SPRING 2013 TOPICS TODAY Project 6 Perils & Pitfalls of Memory Allocation C Function Call Conventions in Assembly Language PERILS
More informationMachine-Level Programming III: Procedures
Machine-Level Programming III: Procedures IA32 Region of memory managed with stack discipline Grows toward lower addresses Register indicates lowest stack address address of top element Bottom Increasing
More informationWinter Compiler Construction T11 Activation records + Introduction to x86 assembly. Today. Tips for PA4. Today:
Winter 2006-2007 Compiler Construction T11 Activation records + Introduction to x86 assembly Mooly Sagiv and Roman Manevich School of Computer Science Tel-Aviv University Today ic IC Language Lexical Analysis
More informationIslamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB. Lab # 10. Advanced Procedures
Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB Lab # 10 Advanced Procedures May, 2014 1 Assembly Language LAB Stack Parameters There are
More information143A: Principles of Operating Systems. Lecture 5: Calling conventions. Anton Burtsev January, 2017
143A: Principles of Operating Systems Lecture 5: Calling conventions Anton Burtsev January, 2017 Stack and procedure calls Stack Main purpose: Store the return address for the current procedure Caller
More informationBuffer Overflow Attack
Buffer Overflow Attack What every applicant for the hacker should know about the foundation of buffer overflow attacks By (Dalgona@wowhacker.org) Email: zinwon@gmail.com 2005 9 5 Abstract Buffer overflow.
More informationRegion of memory managed with stack discipline Grows toward lower addresses. Register %esp contains lowest stack address = address of top element
Machine Representa/on of Programs: Procedures Instructors: Sanjeev Se(a 1 IA32 Stack Region of memory managed with stack discipline Grows toward lower addresses Stack BoGom Increasing Addresses Register
More informationQuestion 4.2 2: (Solution, p 5) Suppose that the HYMN CPU begins with the following in memory. addr data (translation) LOAD 11110
Questions 1 Question 4.1 1: (Solution, p 5) Define the fetch-execute cycle as it relates to a computer processing a program. Your definition should describe the primary purpose of each phase. Question
More informationScott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998
Scott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998 Assembler Syntax Everything looks like this: label: instruction dest,src instruction label Comments: comment $ This is a comment
More informationBinghamton University. CS-220 Spring X86 Debug. Computer Systems Section 3.11
X86 Debug Computer Systems Section 3.11 GDB is a Source Level debugger We have learned how to debug at the C level Now, C has been translated to X86 assembler! How does GDB play the shell game? Makes it
More informationThe course that gives CMU its Zip! Machine-Level Programming III: Procedures Sept. 17, 2002
15-213 The course that gives CMU its Zip! Machine-Level Programming III: Procedures Sept. 17, 2002 Topics IA32 stack discipline Register saving conventions Creating pointers to local variables class07.ppt
More informationMicroprocessors ( ) Fall 2010/2011 Lecture Notes # 15. Stack Operations. 10 top
Microprocessors (0630371) Fall 2010/2011 Lecture Notes # 15 Stack Operations Objectives of the Lecture Runtime Stack PUSH Operation POP Operation Initializing the Stack PUSH and POP Instructions Stack
More informationadministrivia today start assembly probably won t finish all these slides Assignment 4 due tomorrow any questions?
administrivia today start assembly probably won t finish all these slides Assignment 4 due tomorrow any questions? exam on Wednesday today s material not on the exam 1 Assembly Assembly is programming
More informationSecond Part of the Course
CSC 2400: Computer Systems Towards the Hardware 1 Second Part of the Course Toward the hardware High-level language (C) assembly language machine language (IA-32) 2 High-Level Language g Make programming
More informationLow Level Programming Lecture 2. International Faculty of Engineerig, Technical University of Łódź
Low Level Programming Lecture 2 Intel processors' architecture reminder Fig. 1. IA32 Registers IA general purpose registers EAX- accumulator, usually used to store results of integer arithmetical or binary
More information16.317: Microprocessor Systems Design I Fall 2015
16.317: Microprocessor Systems Design I Fall 2015 Exam 2 Solution 1. (16 points, 4 points per part) Multiple choice For each of the multiple choice questions below, clearly indicate your response by circling
More informationCS642: Computer Security
X86 Review Process Layout, ISA, etc. CS642: Computer Security Drew Davidson davidson@cs.wisc.edu From Last Week ACL- based permissions (UNIX style) Read, Write, execute can be restricted on users and groups
More informationUMBC. 1 (Feb. 9, 2002) seg_base + base + index. Systems Design & Programming 80x86 Assembly II CMPE 310. Base-Plus-Index addressing:
Data Addressing Modes Base-Plus-Index addressing: Effective address computed as: seg_base base index. Base registers: Holds starting location of an array. ebp (stack) ebx (data) Any 32-bit register except
More informationCS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08
CS412/CS413 Introduction to Compilers Tim Teitelbaum Lecture 21: Generating Pentium Code 10 March 08 CS 412/413 Spring 2008 Introduction to Compilers 1 Simple Code Generation Three-address code makes it
More informationOverview REWARDS TIE HOWARD Summary CS 6V Data Structure Reverse Engineering. Zhiqiang Lin
CS 6V81-05 Data Structure Reverse Engineering Zhiqiang Lin Department of Computer Science The University of Texas at Dallas September 2 nd, 2011 Outline 1 Overview 2 REWARDS 3 TIE 4 HOWARD 5 Summary Outline
More informationTutorial 10 Protection Cont.
Tutorial 0 Protection Cont. 2 Privilege Levels Lower number => higher privilege Code can access data of equal/lower privilege levels only Code can call more privileged data via call gates Each level has
More informationAS08-C++ and Assembly Calling and Returning. CS220 Logic Design AS08-C++ and Assembly. AS08-C++ and Assembly Calling Conventions
CS220 Logic Design Outline Calling Conventions Multi-module Programs 1 Calling and Returning We have already seen how the call instruction is used to execute a subprogram. call pushes the address of the
More informationMemory Models. Registers
Memory Models Most machines have a single linear address space at the ISA level, extending from address 0 up to some maximum, often 2 32 1 bytes or 2 64 1 bytes. Some machines have separate address spaces
More informationMachine-level Representation of Programs. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Machine-level Representation of Programs Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Program? 짬뽕라면 준비시간 :10 분, 조리시간 :10 분 재료라면 1개, 스프 1봉지, 오징어
More information3. Process Management in xv6
Lecture Notes for CS347: Operating Systems Mythili Vutukuru, Department of Computer Science and Engineering, IIT Bombay 3. Process Management in xv6 We begin understanding xv6 process management by looking
More informationCSCI 334: Principles of Programming Languages. Computer Architecture (a really really fast introduction) Lecture 11: Control Structures II
1 byte{ 1 byte{ CSCI 334: Principles of Programming Languages Lecture 11: Control Structures II Computer Architecture (a really really fast introduction) Instructor: Dan Barowy Memory Instructions main
More informationSubprograms: Arguments
Subprograms: Arguments ICS312 Machine-Level and Systems Programming Henri Casanova (henric@hawaii.edu) Activation Records The stack is useful to store and rieve urn addresses, transparently managed via
More informationCSE351 Autumn 2012 Midterm Exam (5 Nov 2012)
CSE351 Autumn 2012 Midterm Exam (5 Nov 2012) Please read through the entire examination first! We designed this exam so that it can be completed in 50 minutes and, hopefully, this estimate will prove to
More informationSungkyunkwan University
Switch statements IA 32 Procedures Stack Structure Calling Conventions Illustrations of Recursion & Pointers long switch_eg (long x, long y, long z) { long w = 1; switch(x) { case 1: w = y*z; break; case
More informationCS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2018 Lecture 4
CS24: INTRODUCTION TO COMPUTING SYSTEMS Spring 2018 Lecture 4 LAST TIME Enhanced our processor design in several ways Added branching support Allows programs where work is proportional to the input values
More information