The IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta
Size: px
Start display at page:

Download "The IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta"

Transcription

1 1 The IA-32 Stack and Function Calls CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta

2 2 Important Registers used with the Stack EIP: ESP: EBP:

3 3 Important Registers used with the Stack EIP: Contains the address of the next instruction that will be executed ESP: EBP:

4 4 Important Registers used with the Stack EIP: Contains the address of the next instruction that will be executed ESP: Contains the address of the top element in the stack EBP:

5 5 Important Registers used with the Stack EIP: Contains the address of the next instruction that will be executed ESP: Contains the address of the top element in the stack EBP: Contains the address of the base of the current stack frame

6 6 EIP 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx 0x0000 A00C push esi 0x0000 A010 call 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax 0x0000 B014 retn Lower Memory Higher Memory Main Memory Text Data Heap Stack

7 7 EIP Which part of memory are we looking at when we see instructions? 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx 0x0000 A00C push esi 0x0000 A010 call 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax 0x0000 B014 retn Lower Memory Higher Memory Main Memory Text Data Heap Stack

8 8 EIP Which part of memory are we looking at when we see instructions? 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx 0x0000 A00C push esi 0x0000 A010 call 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax 0x0000 B014 retn Lower Memory Higher Memory Main Memory Text Data Heap Stack

9 9 EIP Which part of memory are we looking at when we see instructions? 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx 0x0000 A00C push esi 0x0000 A010 call 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax 0x0000 B014 retn Lower Memory Higher Memory Main Memory Text Data Heap Stack **This ordering is not strict** Stack always grows towards lower memory

10 10 EIP 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx 0x0000 A00C push esi 0x0000 A010 call 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax 0x0000 B014 retn EIP 0x0000 A004

11 11 EIP 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx not yet executed 0x0000 A00C push esi 0x0000 A010 call 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax 0x0000 B014 retn already executed EIP 0x0000 A004

12 12 EIP preparing for and calling a function 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx not yet executed 0x0000 A00C push esi 0x0000 A010 call 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax 0x0000 B014 retn already executed function code EIP 0x0000 A004

13 13 EIP What happens after we execute this? 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx 0x0000 A00C push esi 0x0000 A010 JMP 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax EIP 0x0000 A010

14 14 EIP We just jump and keep executing. No caller. No return. 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx 0x0000 A00C push esi 0x0000 A010 JMP 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax EIP 0x0000 A010

15 15 EIP 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx 0x0000 A00C push esi 0x0000 A010 CALL 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax 0x0000 B014 retn EIP 0x0000 A010 int main() { foo(a,b,c,d); int b = a; } int foo(a,b,c,d) { int e = 0; //lost when return return 0; }

16 16 EIP How to know where to return? 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx 0x0000 A00C push esi 0x0000 A010 CALL 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax 0x0000 B014 retn EIP 0x0000 A010 int main() { foo(a,b,c,d); int b = a; } int foo(a,b,c,d) { int e = 0; //lost when return return 0; }

17 17 EIP Save return address! (0x0000 A014) but where? 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx 0x0000 A00C push esi 0x0000 A010 CALL 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax 0x0000 B014 retn EIP 0x0000 A010 int main() { foo(a,b,c,d); int b = a; } int foo(a,b,c,d) { int e = 0; //lost when return return 0; }

18 18 EIP The stack! 0x0000 A000 push eax 0x0000 A004 push edi 0x0000 A008 push ebx 0x0000 A00C push esi 0x0000 A010 CALL 0x0000 B000 0x0000 A014 add ESP, 0x10. 0x0000 B000 push eax 0x0000 B014 retn EIP 0x0000 A bits (DWORD) ** return address ** Value in esi Value in ebx Value in edi Value in eax Previously Stored Data

19 19 Recall Stack Non-register memory Short-term secondary storage LIFO Uses of the stack Local Variables Function parameters Return addresses

20 20 Recall Stack ESP holds the address of the top 32-bits (DWORD) ESP EBP Unknown Data (unused) Unknown Data (unused) Unknown Data (unused) Unknown Data (unused) Unknown Data (unused) Previously Stored Data Lower Memory Address Higher Memory Address

21 21 What is the EBP for??? Stack ESP EBP Local Variable Local Variable??? Return Address Parameter Parameter Lower Memory Address Higher Memory Address

22 22 Recall Stack ESP EBP points to the base of the current stack frame Local Variable Local Variable Saved EBP Return Address Parameter Parameter Lower Memory Address Higher Memory Address

23 23 What is the EBP for??? ESP EBP 0x0018 FD44 0x0018 FD44 unused Local Variable 2 Local Variable 1??? Return Address Parameter 1 Parameter 2 Lower Memory Address Higher Memory Address

24 24 What is the EBP for??? ESP 0x0018 FD3C 0x0018 FD44 EBP 0x0018 FD44 0x0018 FD40 unused Local Variable 2 Local Variable 1??? Return Address Parameter 1 Parameter 2 access the value of local variable 1 with [esp+4] or Lower Memory Address Higher Memory Address

25 25 What is the EBP for??? ESP 0x0018 FD3C 0x0018 FD44 EBP 0x0018 FD44 0x0018 FD40 unused Local Variable 2 Local Variable 1??? Return Address Parameter 1 Parameter 2 access the value of local variable 1 with [esp+4] or Lower Memory Address Higher Memory Address [ebp 4] (stack pointer may change, but not the base pointer at least not within the current stack frame)

26 26 What is the EBP for??? It holds the address of (points to) the base of the current stack frame

27 27 What is inside the Address EBP points to??? ESP 0x0018 FD3C EBP 0x0018 FD44 ebp-8 ebp-4 0x0018 FD44 ebp+4 ebp+8 ebp+0c Local Variable 2 Local Variable 1??????? Return Address Parameter 1 Parameter 2 Lower Memory Address Higher Memory Address

28 28 Nested Function Calls e.g., int main() { foo(); } void foo() { } EBP 0x0018 FD44 Main() Stack Frame ebp-8 ebp-4 0x0018 FD44 ebp+4 ebp+8 Local Variable Local Variable????? Return Address

29 29 Nested Function Calls e.g., int main() { foo(); } void foo() { } called from elsewhere (OS loader) EBP 0x0018 FD44 Main() Stack Frame ebp-8 ebp-4 0x0018 FD44 ebp+4 ebp+8 Local Variable Local Variable????? Return Address

30 30 Nested Function Calls e.g., int main() { foo(); } void foo() { } EBP 0x0018 FD44 Main() Stack Frame ebp-8 ebp-4 0x0018 FD44 ebp+4 ebp+8 Local Variable Local Variable????? Return Address no parameters

31 31 Nested Function Calls e.g., int main() { foo(); } void foo() { } EBP 0x0028 FD44 foo() Stack Frame Main() Stack Frame ebp-8 ebp-4 0x0018 FD44 ebp+4 ebp+8 ebp-8 ebp-4 0x0028 FD44 ebp+4 ebp+8 Local Variable Local Variable Saved EBP Return Address Local Variable Local Variable????? Return Address

32 32 Nested Function Calls 0x0000 A010 CALL 0x0000 B000 0x0000 A014. 0x0000 B000 push eax 0x0000 B014 retn EBP 0x0028 FD44 foo() Stack Frame Main() Stack Frame ebp-8 ebp-4 0x0018 FD44 ebp+4 ebp+8 when the function returns we can restore the old EBP ebp-8 ebp-4 0x0028 FD44 ebp+4 ebp+8 Local Variable Local Variable????? Local Variable Local Variable Saved EBP (0x0018 FD44) Return Address Return Address

33 33 Nested Function Calls 0x0000 A010 CALL 0x0000 B000 0x0000 A014. 0x0000 B000 push eax 0x0000 B014 retn EBP 0x0028 FD44 foo() Stack Frame Main() Stack Frame ebp-8 ebp-4 0x0018 FD44 ebp+4 ebp+8 ebp-8 ebp-4 0x0028 FD44 ebp+4 ebp+8 Local Variable Local Variable Saved EBP (0x0018 FD44) 0x0000 A014 Local Variable Local Variable????? Return Address

34 34 What is inside the Address EBP points to??? The address of the previous base pointer, i.e., the base pointer of the caller function.

35 A Function Call Walkthrough 35

36 36 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 Next instruction to execute is in red Heap Segment test Stack Segment EIP 0x00D4 10AE EDX ESP 0x001E FC98 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FCE0 0x00D4 1BA9 0x x

37 37 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 Next instruction to execute is in red Heap Segment test Stack Segment EIP 0x00D4 10AE EDX ESP 0x001E FC98 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FCE0 0x00D4 1BA9 0x x

38 38 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 Next instruction to execute is in red Heap Segment test Stack Segment EIP 0x00D4 10AE EDX ESP 0x001E FC98 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FCE0 0x00D4 1BA9 0x x local var

39 39 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 Next instruction to execute is in red Heap Segment test Stack Segment EIP 0x00D4 10AE EDX ESP 0x001E FC98 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FCE0 0x00D4 1BA9 0x x local var saved ebp

40 40 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 Next instruction to execute is in red Heap Segment test Stack Segment EIP 0x00D4 10AE EDX ESP 0x001E FC98 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FCE0 0x00D4 1BA9 0x x local var saved ebp return address

41 State after executing 0x00D4 10AE 41 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 Heap Segment test Stack Segment EIP 0x00D4 10B1 EDX ESP 0x001E FC98 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FCE0 0x00D4 1BA9 0x x

42 State after executing 0x00D4 10AE 42 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 Heap Segment test Stack Segment EIP 0x00D4 10B1 EDX ESP 0x001E FC98 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FCE0 0x00D4 1BA9 0x x

43 State after executing 0x00D4 10B1 43 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 Heap Segment test Stack Segment EIP 0x00D4 10B2 EDX ESP 0x001E FC94 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FCE0 0x00D4 1BA9 0x x using a local variable as a parameter

44 44 Recall Instruction 1. Call ADDR 1. Push address of instruction after call onto stack i. Adjust stack pointer (ESP) 2. Place ADDR into EIP

45 State after executing 0x00D4 10B1 45 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 Heap Segment test Stack Segment EIP 0x00D4 10B2 EDX ESP EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FCE0 0x00D4 1BA9 0x x

46 State after executing 0x00D4 10B2 46 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 Heap Segment test Stack Segment EIP 0X00D EDX ESP 0X001E FC90 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0X00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x

47 State after executing 0x00D4 10B2 47 Text Segment... 0x00D push ebp 0x00D mov ebp, esp 0x00D Heap Segment test Stack Segment EIP 0x00D EDX ESP 0x001EFC90 EBP 0x001EFC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x

48 State after executing 0x00D Text Segment... 0x00D push ebp 0x00D mov ebp, esp 0x00D Heap Segment test Stack Segment EIP 0x001EFC84 0x001EFC88 EDX ESP EBP 0x001EFC9C 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x

49 State after executing 0x00D Text Segment... 0x00D push ebp 0x00D mov ebp, esp 0x00D Heap Segment test Stack Segment EIP 0x00D EDX ESP 0x001E FC8C EBP 0x001EFC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x

50 State after executing 0x00D Text Segment... 0x00D push ebp 0x00D mov ebp, esp 0x00D What is the current stack frame? Stack Segment Heap Segment test EIP 0x00D EDX ESP 0x001E FC8C EBP 0x001E FC8C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x

51 State after executing 0x00D Text Segment... 0x00D push ebp 0x00D mov ebp, esp 0x00D Current stack frame Heap Segment test Stack Segment EIP 0x00D EDX ESP 0x001E FC8C EBP 0x001E FC8C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x

52 State after executing 0x00D Text Segment... 0x00D push ebp 0x00D mov ebp, esp 0x00D Heap Segment test Stack Segment EIP 0x00D EDX ESP 0x001E FC8C EBP 0x001E FC8C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x saved ebp return address parameter

53 Moving ahead 53

54 State after executing 54 Text Segment... 0x00D4 11A0 pop ebp 0x00D4 11A1 retn 0x00D4 11A3... preparing to return Heap Segment test Stack Segment EIP 0x00D4 11A0 EDX ESP 0x001EFC8C EBP 0x001EFC8C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x

55 State after executing 0x00D4 11A0 55 Text Segment... 0x00D4 11A0 pop ebp 0x00D4 11A1 retn 0x00D4 11A3... Heap Segment test Stack Segment EIP 0x00D4 11A1 EDX ESP EBP 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x

56 State after executing 0x00D4 11A0 56 Text Segment... 0x00D4 11A0 pop ebp 0x00D4 11A1 retn 0x00D4 11A3... Heap Segment test Stack Segment EIP 0x00D4 11A1 EDX ESP 0x00EF FC90 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x

57 57 Recall Instruction RET/RETN 1. Pop return address from stack and place into EIP i. Adjust ESP

58 State after executing 0x00D4 11A1 58 Text Segment... 0x00D4 11A0 pop ebp 0x00D4 11A1 retn 0x00D4 11A3... Heap Segment test Stack Segment EIP 0x001EFC84 0x001EFC88 EDX ESP EBP 0x001E FC9C 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x

59 State after executing 0x00D4 11A1 59 Text Segment... 0x00D4 11A0 pop ebp 0x00D4 11A1 retn 0x00D4 11A3... Heap Segment test Stack Segment EIP 0x00D4 10B7 EDX ESP 0x001E FC94 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x

60 State after executing 0x00D4 11A1 60 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 0x00D4 10BA... Stack Segment Heap Segment test EIP 0x00D4 10B7 EDX ESP 0x001E FC94 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x

61 State after executing 0x00D4 10B7 61 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 0x00D4 10BA... Stack Segment Heap Segment test EIP 0x00D4 10BA EDX ESP EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x

62 State after executing 0x00D4 10B7 62 Text Segment 0x00D4 10AE mov edx, [ebp-4] 0x00D4 10B1 push edx 0x00D4 10B2 call 0x00D x00D4 10B7 add esp, 4 0x00D4 10BA... Stack Segment Heap Segment test EIP 0x00D4 10BA EDX ESP 0x001E FC98 EBP 0x001E FC9C 0x001EFC84 0x001EFC88 0x001EFC8C 0x001EFC90 0x001EFC94 0x001EFC98 0x001EFC9C 0x001EFCA0 0x001EFCA4 0x001EFCA8 0x001E FC9C 0x00D4 10B7 0x001E FCE0 0x00D4 1BA9 0x x

63 Break 63

64 Tracing Function Calls with IDA 64

65 Function Calls in IDA 65 Var_4 = -4 EBP 0x0018 FD44 0x0018 FD44 Local Variable????? Return Address

66 Function Calls in IDA 66 Var_4 = -4 EBP 0x0018 FD44 ebp+ var_4 0x0018 FD44 ebp+4 ebp+8 Local Variable????? Return Address

67 67 IDA Pro Debugging Mode One of the nicest features of IDA Pro is that it allows you to debug programs. The usual process it to find a place of interest and set a breakpoint (press F2)

68 68 IDA Pro Debugging Mode Once you do this the line turns red.

69 Breakpoints 69 This will show all breakpoints

70 70 IDA Pro Debugging Mode If you re running suspected malware, make sure it is in an isolated environment.

71 71 The program executes in debug mode. Notice the Window layout changes

72 72 Modules See the event log in the Modules window

73 73 EIP and ESP Windows Registers are pointing to these locations

74 74 General Registers follow address commonly used flags

75 Debugger Views in IDA 75 next instruction to execute

76 Debugger Views in IDA 76 blue: recently modified next instruction to execute hover to display contents at address (here we have a string)

77 77 Debugging (ESP Window) Stack local variable saved ebp return address parameters

78 78 Data Definition Directives Keyword Size in Bytes DB (Define byte) 1 DW (Define word) 2 DD (Define double-word) 4 DQ (Define quad-word) 8 IDA tries to infer the size of data elements.

79 79 0x0102 4F80 ESP EBP Var_4 Saved EBP Return Address Parameter Parameter Lower Memory Address Higher Memory Address

80 80 0x0102 4F80 test Lower Memory Address ESP EBP Var_4 0x0102 4F80 Saved EBP Return Address Parameter Parameter Higher Memory Address

81 A Full Walkthrough in IDA 81

82 Function Calls 82 EDX now contains memory address to string press F7 (step into)

83 Function Calls 83 EIP updated and EDX has been pushed onto stack

84 84 Back to Function Calls Instruction 1. Call ADDR 1. Push the address of the instruction after CALL onto stack i. Adjust stack pointer (ESP) 2. Place ADDR into EIP

85 85 Function Calls EIP updated ESP updated return address is now on the stack

86 86 Function Calls IDA named this

87 87 Function Calls EIP updated EBP pushed onto stack (points to old ebp)

88 88 Function Calls EIP updated EBP now points to current top of the stack

89 89 Function Calls Parameter passing order depends on the calling convention specified by the compiler. ESP Unknown Data (unused) Unknown Data (unused) Saved EBP Return Address EBP Parameters

90 90 Function Calls... moving ahead

91 Function Calls 91 getting ready to return to the caller

92 Function Calls 92 the EBP is now in the previous stack frame

93 93 Function Calls Instruction RET/RETN 1. Pop return address from stack and place into EIP i. Adjust ESP

94 Function Calls 94 Return address popped and put into EIP ESP now pointing to old parameter to function (remember arg_0) Why is the next instruction adding to ESP?

95 Function Calls 95 the parameter is no longer in the stack

96 96 What about Local Variables IDA improves readability by creating labels for local variables and parameters. ESP ebp + var_20 ebp + var_1c Local variables ebp + var_4 0x001E FC9C Saved EBP name size position relative to the base EBP 0x001E FC9C ebp + arg_0 Return Address Parameter

97 97 What about Local Variables Double-click on a variable label (e.g., var_20) to open the stack frame view.

98 98 What about Local Variables var_20 = 4 bytes

99 99 What about Local Variables var_20 = 4 bytes var_1c = (0x1C 0x04) = 24 bytes

100 100 What about Local Variables var_20 = 4 bytes var_1c = (0x1C 0x04) = 24 bytes var_4 = 4 bytes

101 101 What about Local Variables var_20 = 4 bytes var_1c = (0x1C 0x04) = 24 bytes var_4 = 4 bytes arg_0 = 4 bytes

102 Exercise 102

Similar documents

Assembly Language: Function Calls

Assembly Language: Function Calls Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems: Calling and returning Passing parameters Storing local variables Handling registers without interference

More information

Assembly Language: Function Calls" Goals of this Lecture"

Assembly Language: Function Calls Goals of this Lecture Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and returning" Passing parameters" Storing local variables" Handling registers without interference"

More information

Assembly Language: Function Calls" Goals of this Lecture"

Assembly Language: Function Calls Goals of this Lecture Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and urning" Passing parameters" Storing local variables" Handling registers without interference"

More information

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems: Calling and urning Passing parameters Storing local variables Handling registers without interference Returning

More information

x86 assembly CS449 Fall 2017

x86 assembly CS449 Fall 2017 x86 assembly CS449 Fall 2017 x86 is a CISC CISC (Complex Instruction Set Computer) e.g. x86 Hundreds of (complex) instructions Only a handful of registers RISC (Reduced Instruction Set Computer) e.g. MIPS

More information

CSC 2400: Computer Systems. Using the Stack for Function Calls

CSC 2400: Computer Systems. Using the Stack for Function Calls CSC 24: Computer Systems Using the Stack for Function Calls Lecture Goals Challenges of supporting functions! Providing information for the called function Function arguments and local variables! Allowing

More information

CSC 8400: Computer Systems. Using the Stack for Function Calls

CSC 8400: Computer Systems. Using the Stack for Function Calls CSC 84: Computer Systems Using the Stack for Function Calls Lecture Goals Challenges of supporting functions! Providing information for the called function Function arguments and local variables! Allowing

More information

Function Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)

Function Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site) Function Calls COS 217 Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site) 1 Goals of Today s Lecture Finishing introduction to assembly language o EFLAGS register

More information

Program Exploitation Intro

Program Exploitation Intro Program Exploitation Intro x86 Assembly 04//2018 Security 1 Univeristà Ca Foscari, Venezia What is Program Exploitation "Making a program do something unexpected and not planned" The right bugs can be

More information

Reverse Engineering Low Level Software. CS5375 Software Reverse Engineering Dr. Jaime C. Acosta

Reverse Engineering Low Level Software. CS5375 Software Reverse Engineering Dr. Jaime C. Acosta 1 Reverse Engineering Low Level Software CS5375 Software Reverse Engineering Dr. Jaime C. Acosta Machine code 2 3 Machine code Assembly compile Machine Code disassemble 4 Machine code Assembly compile

More information

CSC 2400: Computing Systems. X86 Assembly: Function Calls"

CSC 2400: Computing Systems. X86 Assembly: Function Calls CSC 24: Computing Systems X86 Assembly: Function Calls" 1 Lecture Goals! Challenges of supporting functions" Providing information for the called function" Function arguments and local variables" Allowing

More information

CSC 2400: Computer Systems. Using the Stack for Function Calls

CSC 2400: Computer Systems. Using the Stack for Function Calls CSC 24: Computer Systems Using the Stack for Function Calls Lecture Goals Challenges of supporting functions! Providing information for the called function Function arguments and local variables! Allowing

More information

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call Call without Parameter Value Transfer What are involved? ESP Stack Pointer Register Grows by 4 for EIP (return address) storage Stack -- Memory which holds register contents Will keep the EIP of the next

More information

X86 Stack Calling Function POV

X86 Stack Calling Function POV X86 Stack Calling Function POV Computer Systems Section 3.7 Stack Frame Reg Value ebp xffff FFF0 esp xffff FFE0 eax x0000 000E Memory Address Value xffff FFF8 xffff FFF4 x0000 0004 xffff FFF4 x0000 0003

More information

x86 assembly CS449 Spring 2016

x86 assembly CS449 Spring 2016 x86 assembly CS449 Spring 2016 CISC vs. RISC CISC [Complex instruction set Computing] - larger, more feature-rich instruction set (more operations, addressing modes, etc.). slower clock speeds. fewer general

More information

CSC 2400: Computing Systems. X86 Assembly: Function Calls

CSC 2400: Computing Systems. X86 Assembly: Function Calls CSC 24: Computing Systems X86 Assembly: Function Calls 1 Lecture Goals Challenges of supporting functions Providing information for the called function Function arguments and local variables Allowing the

More information

Function Call Convention

Function Call Convention Function Call Convention Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Content Intel Architecture Memory Layout

More information

Systems I. Machine-Level Programming V: Procedures

Systems I. Machine-Level Programming V: Procedures Systems I Machine-Level Programming V: Procedures Topics abstraction and implementation IA32 stack discipline Procedural Memory Usage void swap(int *xp, int *yp) int t0 = *xp; int t1 = *yp; *xp = t1; *yp

More information

Practical Malware Analysis

Practical Malware Analysis Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the

More information

Machine Programming 3: Procedures

Machine Programming 3: Procedures Machine Programming 3: Procedures CS61, Lecture 5 Prof. Stephen Chong September 15, 2011 Announcements Assignment 2 (Binary bomb) due next week If you haven t yet please create a VM to make sure the infrastructure

More information

Procedure Calls. Young W. Lim Sat. Young W. Lim Procedure Calls Sat 1 / 27

Procedure Calls. Young W. Lim Sat. Young W. Lim Procedure Calls Sat 1 / 27 Procedure Calls Young W. Lim 2016-11-05 Sat Young W. Lim Procedure Calls 2016-11-05 Sat 1 / 27 Outline 1 Introduction References Stack Background Transferring Control Register Usage Conventions Procedure

More information

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly Raluca Popa Spring 2018 CS 161 Computer Security Discussion 1 Week of January 22, 2018: GDB and x86 assembly Objective: Studying memory vulnerabilities requires being able to read assembly and step through

More information

Lecture 4 CIS 341: COMPILERS

Lecture 4 CIS 341: COMPILERS Lecture 4 CIS 341: COMPILERS CIS 341 Announcements HW2: X86lite Available on the course web pages. Due: Weds. Feb. 7 th at midnight Pair-programming project Zdancewic CIS 341: Compilers 2 X86 Schematic

More information

CS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016

CS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016 CS 31: Intro to Systems Functions and the Stack Martin Gagne Swarthmore College February 23, 2016 Reminders Late policy: you do not have to send me an email to inform me of a late submission before the

More information

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14 SYSTEM CALL IMPLEMENTATION CS124 Operating Systems Fall 2017-2018, Lecture 14 2 User Processes and System Calls Previously stated that user applications interact with the kernel via system calls Typically

More information

CMSC 313 Lecture 12. Project 3 Questions. How C functions pass parameters. UMBC, CMSC313, Richard Chang

CMSC 313 Lecture 12. Project 3 Questions. How C functions pass parameters. UMBC, CMSC313, Richard Chang Project 3 Questions CMSC 313 Lecture 12 How C functions pass parameters UMBC, CMSC313, Richard Chang Last Time Stack Instructions: PUSH, POP PUSH adds an item to the top of the stack POP

More information

Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB. Lab # 7. Procedures and the Stack

Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB. Lab # 7. Procedures and the Stack Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB Lab # 7 Procedures and the Stack April, 2014 1 Assembly Language LAB Runtime Stack and Stack

More information

x86 Assembly Tutorial COS 318: Fall 2017

x86 Assembly Tutorial COS 318: Fall 2017 x86 Assembly Tutorial COS 318: Fall 2017 Project 1 Schedule Design Review: Monday 9/25 Sign up for 10-min slot from 3:00pm to 7:00pm Complete set up and answer posted questions (Official) Precept: Monday

More information

Reverse Engineering II: The Basics

Reverse Engineering II: The Basics Reverse Engineering II: The Basics Gergely Erdélyi Senior Manager, Anti-malware Research Protecting the irreplaceable f-secure.com Binary Numbers 1 0 1 1 - Nibble B 1 0 1 1 1 1 0 1 - Byte B D 1 0 1 1 1

More information

Reverse Engineering II: Basics. Gergely Erdélyi Senior Antivirus Researcher

Reverse Engineering II: Basics. Gergely Erdélyi Senior Antivirus Researcher Reverse Engineering II: Basics Gergely Erdélyi Senior Antivirus Researcher Agenda Very basics Intel x86 crash course Basics of C Binary Numbers Binary Numbers 1 Binary Numbers 1 0 1 1 Binary Numbers 1

More information

CPS104 Recitation: Assembly Programming

CPS104 Recitation: Assembly Programming CPS104 Recitation: Assembly Programming Alexandru Duțu 1 Facts OS kernel and embedded software engineers use assembly for some parts of their code some OSes had their entire GUIs written in assembly in

More information

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux CNIT 127: Exploit Development Ch 2: Stack Overflows in Linux Stack-based Buffer Overflows Most popular and best understood exploitation method Aleph One's "Smashing the Stack for Fun and Profit" (1996)

More information

IA-32 Architecture. CS 4440/7440 Malware Analysis and Defense

IA-32 Architecture. CS 4440/7440 Malware Analysis and Defense IA-32 Architecture CS 4440/7440 Malware Analysis and Defense Intel x86 Architecture } Security professionals constantly analyze assembly language code } Many exploits are written in assembly } Source code

More information

238P: Operating Systems. Lecture 3: Calling conventions. Anton Burtsev October, 2018

238P: Operating Systems. Lecture 3: Calling conventions. Anton Burtsev October, 2018 238P: Operating Systems Lecture 3: Calling conventions Anton Burtsev October, 2018 What does CPU do internally? (Remember Lecture 01 - Introduction?) CPU execution loop CPU repeatedly reads instructions

More information

Machine-level Programming (3)

Machine-level Programming (3) Machine-level Programming (3) Procedures A: call A call A return Two issues How to return to the correct position? How to pass arguments and return values between callee to caller? 2 Procedure Control

More information

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson X86 Review Process Layout, ISA, etc. CS642: Computer Security Drew Davidson davidson@cs.wisc.edu From Last Time ACL-based permissions (UNIX style) Read, Write, execute can be restricted on users and groups

More information

W4118: PC Hardware and x86. Junfeng Yang

W4118: PC Hardware and x86. Junfeng Yang W4118: PC Hardware and x86 Junfeng Yang A PC How to make it do something useful? 2 Outline PC organization x86 instruction set gcc calling conventions PC emulation 3 PC board 4 PC organization One or more

More information

Lecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86

Lecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86 Lecture 15 Intel Manual, Vol. 1, Chapter 3 Hampden-Sydney College Fri, Mar 6, 2009 Outline 1 2 Overview See the reference IA-32 Intel Software Developer s Manual Volume 1: Basic, Chapter 3. Instructions

More information

Subprograms: Local Variables

Subprograms: Local Variables Subprograms: Local Variables ICS312 Machine-Level and Systems Programming Henri Casanova (henric@hawaii.edu) Local Variables in Subprograms In all the examples we have seen so far, the subprograms were

More information

Dr. Ramesh K. Karne Department of Computer and Information Sciences, Towson University, Towson, MD /12/2014 Slide 1

Dr. Ramesh K. Karne Department of Computer and Information Sciences, Towson University, Towson, MD /12/2014 Slide 1 Dr. Ramesh K. Karne Department of Computer and Information Sciences, Towson University, Towson, MD 21252 rkarne@towson.edu 11/12/2014 Slide 1 Intel x86 Aseembly Language Assembly Language Assembly Language

More information

EECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution

EECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution 1. (40 points) Write the following subroutine in x86 assembly: Recall that: int f(int v1, int v2, int v3) { int x = v1 + v2; urn (x + v3) * (x v3); Subroutine arguments are passed on the stack, and can

More information

Reverse Engineering II: The Basics

Reverse Engineering II: The Basics Reverse Engineering II: The Basics This document is only to be distributed to teachers and students of the Malware Analysis and Antivirus Technologies course and should only be used in accordance with

More information

ASSEMBLY III: PROCEDURES. Jo, Heeseung

ASSEMBLY III: PROCEDURES. Jo, Heeseung ASSEMBLY III: PROCEDURES Jo, Heeseung IA-32 STACK (1) Characteristics Region of memory managed with stack discipline Grows toward lower addresses Register indicates lowest stack address - address of top

More information

The x86 Architecture

The x86 Architecture The x86 Architecture Lecture 24 Intel Manual, Vol. 1, Chapter 3 Robb T. Koether Hampden-Sydney College Fri, Mar 20, 2015 Robb T. Koether (Hampden-Sydney College) The x86 Architecture Fri, Mar 20, 2015

More information

Assembly III: Procedures. Jo, Heeseung

Assembly III: Procedures. Jo, Heeseung Assembly III: Procedures Jo, Heeseung IA-32 Stack (1) Characteristics Region of memory managed with stack discipline Grows toward lower addresses Register indicates lowest stack address - address of top

More information

CS 33: Week 3 Discussion. x86 Assembly (v1.0) Section 1G

CS 33: Week 3 Discussion. x86 Assembly (v1.0) Section 1G CS 33: Week 3 Discussion x86 Assembly (v1.0) Section 1G Announcements - HW2 due Sunday - MT1 this Thursday! - Lab2 out Info Name: Eric Kim (Section 1G, 2-4 PM, BH 5419) Office Hours (Boelter 2432) - Wed

More information

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial

More information

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta 1 Stack Vulnerabilities CS4379/5375 System Security Assurance Dr. Jaime C. Acosta Part 1 2 3 An Old, yet Still Valid Vulnerability Buffer/Stack Overflow ESP Unknown Data (unused) Unknown Data (unused)

More information

CPEG421/621 Tutorial

CPEG421/621 Tutorial CPEG421/621 Tutorial Compiler data representation system call interface calling convention Assembler object file format object code model Linker program initialization exception handling relocation model

More information

Assembly III: Procedures. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Assembly III: Procedures. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University Assembly III: Procedures Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu IA-32 (1) Characteristics Region of memory managed with stack discipline

More information

U23 - Binary Exploitation

U23 - Binary Exploitation U23 - Binary Exploitation Stratum Auhuur robbje@aachen.ccc.de November 21, 2016 Context OS: Linux Context OS: Linux CPU: x86 (32 bit) Context OS: Linux CPU: x86 (32 bit) Address Space Layout Randomization:

More information

CS213. Machine-Level Programming III: Procedures

CS213. Machine-Level Programming III: Procedures CS213 Machine-Level Programming III: Procedures Topics IA32 stack discipline Register saving conventions Creating pointers to local variables IA32 Region of memory managed with stack discipline Grows toward

More information

Stack Discipline Jan. 19, 2018

Stack Discipline Jan. 19, 2018 15-410 An Experience Like No Other Discipline Jan. 19, 2018 Dave Eckhardt Brian Railing Slides originally stolen from 15-213 1 15-410, S 18 Synchronization Registration The wait list will probably be done

More information

Process Layout and Function Calls

Process Layout and Function Calls Process Layout and Function Calls CS 6 Spring 07 / 8 Process Layout in Memory Stack grows towards decreasing addresses. is initialized at run-time. Heap grow towards increasing addresses. is initialized

More information

CMSC 313 Lecture 12 [draft] How C functions pass parameters

CMSC 313 Lecture 12 [draft] How C functions pass parameters CMSC 313 Lecture 12 [draft] How C functions pass parameters UMBC, CMSC313, Richard Chang Last Time Stack Instructions: PUSH, POP PUSH adds an item to the top of the stack POP removes an

More information

UMBC. contain new IP while 4th and 5th bytes contain CS. CALL BX and CALL [BX] versions also exist. contain displacement added to IP.

UMBC. contain new IP while 4th and 5th bytes contain CS. CALL BX and CALL [BX] versions also exist. contain displacement added to IP. Procedures: CALL: Pushes the address of the instruction following the CALL instruction onto the stack. RET: Pops the address. SUM PROC NEAR USES BX CX DX ADD AX, BX ADD AX, CX MOV AX, DX RET SUM ENDP NEAR

More information

Processes (Intro) Yannis Smaragdakis, U. Athens

Processes (Intro) Yannis Smaragdakis, U. Athens Processes (Intro) Yannis Smaragdakis, U. Athens Process: CPU Virtualization Process = Program, instantiated has memory, code, current state What kind of memory do we have? registers + address space Let's

More information

143A: Principles of Operating Systems. Lecture 4: Calling conventions. Anton Burtsev October, 2017

143A: Principles of Operating Systems. Lecture 4: Calling conventions. Anton Burtsev October, 2017 143A: Principles of Operating Systems Lecture 4: Calling conventions Anton Burtsev October, 2017 Recap from last time Stack and procedure calls What is stack? Stack It's just a region of memory Pointed

More information

Lab 10: Introduction to x86 Assembly

Lab 10: Introduction to x86 Assembly CS342 Computer Security Handout # 8 Prof. Lyn Turbak Wednesday, Nov. 07, 2012 Wellesley College Revised Nov. 09, 2012 Lab 10: Introduction to x86 Assembly Revisions: Nov. 9 The sos O3.s file on p. 10 was

More information

Procedure Calls. Young W. Lim Mon. Young W. Lim Procedure Calls Mon 1 / 29

Procedure Calls. Young W. Lim Mon. Young W. Lim Procedure Calls Mon 1 / 29 Procedure Calls Young W. Lim 2017-08-21 Mon Young W. Lim Procedure Calls 2017-08-21 Mon 1 / 29 Outline 1 Introduction Based on Stack Background Transferring Control Register Usage Conventions Procedure

More information

Lab 3. The Art of Assembly Language (II)

Lab 3. The Art of Assembly Language (II) Lab. The Art of Assembly Language (II) Dan Bruce, David Clark and Héctor D. Menéndez Department of Computer Science University College London October 2, 2017 License Creative Commons Share Alike Modified

More information

16.317: Microprocessor Systems Design I Fall 2014

16.317: Microprocessor Systems Design I Fall 2014 16.317: Microprocessor Systems Design I Fall 2014 Exam 2 Solution 1. (16 points, 4 points per part) Multiple choice For each of the multiple choice questions below, clearly indicate your response by circling

More information

An Experience Like No Other. Stack Discipline Aug. 30, 2006

An Experience Like No Other. Stack Discipline Aug. 30, 2006 15-410 An Experience Like No Other Discipline Aug. 30, 2006 Bruce Maggs Dave Eckhardt Slides originally stolen from 15-213 15-410, F 06 Synchronization Registration If you're here but not registered, please

More information

mith College Computer Science CSC231 Assembly Week #11 Fall 2017 Dominique Thiébaut

mith College Computer Science CSC231 Assembly Week #11 Fall 2017 Dominique Thiébaut mith College Computer Science CSC231 Assembly Week #11 Fall 2017 Dominique Thiébaut dthiebaut@smith.edu Back to Conditional Jumps Review sub eax, 10 jz there xxx xxx there:yyy yyy Review cmp eax, 10 jz

More information

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins Introduction to Reverse Engineering Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins Reverse Engineering (of Software) What is it? What is it for? Binary exploitation (the cool

More information

CMSC 313 Lecture 08 Project 2 Questions Recap Indexed Addressing Examples Some i386 string instructions A Bigger Example: Escape Sequence Project

CMSC 313 Lecture 08 Project 2 Questions Recap Indexed Addressing Examples Some i386 string instructions A Bigger Example: Escape Sequence Project CMSC 313 Lecture 08 Project 2 Questions Recap Indexed Addressing Examples Some i386 string instructions A Bigger Example: Escape Sequence Project UMBC, CMSC313, Richard Chang CMSC 313,

More information

Digital Forensics Lecture 3 - Reverse Engineering

Digital Forensics Lecture 3 - Reverse Engineering Digital Forensics Lecture 3 - Reverse Engineering Low-Level Software Akbar S. Namin Texas Tech University Spring 2017 Reverse Engineering High-Level Software Low-level aspects of software are often the

More information

University of Washington

University of Washington Roadmap C: car *c = malloc(sizeof(car)); c->miles = 100; c->gals = 17; float mpg = get_mpg(c); free(c); Assembly language: Machine code: Computer system: get_mpg: pushq %rbp movq %rsp, %rbp... popq %rbp

More information

CS61 Section Solutions 3

CS61 Section Solutions 3 CS61 Section Solutions 3 (Week of 10/1-10/5) 1. Assembly Operand Specifiers 2. Condition Codes 3. Jumps 4. Control Flow Loops 5. Procedure Calls 1. Assembly Operand Specifiers Q1 Operand Value %eax 0x104

More information

Low-Level Essentials for Understanding Security Problems Aurélien Francillon

Low-Level Essentials for Understanding Security Problems Aurélien Francillon Low-Level Essentials for Understanding Security Problems Aurélien Francillon francill@eurecom.fr Computer Architecture The modern computer architecture is based on Von Neumann Two main parts: CPU (Central

More information

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING LECTURE 16, SPRING 2013 TOPICS TODAY Project 6 Perils & Pitfalls of Memory Allocation C Function Call Conventions in Assembly Language PERILS

More information

Machine-Level Programming III: Procedures

Machine-Level Programming III: Procedures Machine-Level Programming III: Procedures IA32 Region of memory managed with stack discipline Grows toward lower addresses Register indicates lowest stack address address of top element Bottom Increasing

More information

Winter Compiler Construction T11 Activation records + Introduction to x86 assembly. Today. Tips for PA4. Today:

Winter Compiler Construction T11 Activation records + Introduction to x86 assembly. Today. Tips for PA4. Today: Winter 2006-2007 Compiler Construction T11 Activation records + Introduction to x86 assembly Mooly Sagiv and Roman Manevich School of Computer Science Tel-Aviv University Today ic IC Language Lexical Analysis

More information

Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB. Lab # 10. Advanced Procedures

Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB. Lab # 10. Advanced Procedures Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB Lab # 10 Advanced Procedures May, 2014 1 Assembly Language LAB Stack Parameters There are

More information

143A: Principles of Operating Systems. Lecture 5: Calling conventions. Anton Burtsev January, 2017

143A: Principles of Operating Systems. Lecture 5: Calling conventions. Anton Burtsev January, 2017 143A: Principles of Operating Systems Lecture 5: Calling conventions Anton Burtsev January, 2017 Stack and procedure calls Stack Main purpose: Store the return address for the current procedure Caller

More information

Buffer Overflow Attack

Buffer Overflow Attack Buffer Overflow Attack What every applicant for the hacker should know about the foundation of buffer overflow attacks By (Dalgona@wowhacker.org) Email: zinwon@gmail.com 2005 9 5 Abstract Buffer overflow.

More information

Region of memory managed with stack discipline Grows toward lower addresses. Register %esp contains lowest stack address = address of top element

Region of memory managed with stack discipline Grows toward lower addresses. Register %esp contains lowest stack address = address of top element Machine Representa/on of Programs: Procedures Instructors: Sanjeev Se(a 1 IA32 Stack Region of memory managed with stack discipline Grows toward lower addresses Stack BoGom Increasing Addresses Register

More information

Question 4.2 2: (Solution, p 5) Suppose that the HYMN CPU begins with the following in memory. addr data (translation) LOAD 11110

Question 4.2 2: (Solution, p 5) Suppose that the HYMN CPU begins with the following in memory. addr data (translation) LOAD 11110 Questions 1 Question 4.1 1: (Solution, p 5) Define the fetch-execute cycle as it relates to a computer processing a program. Your definition should describe the primary purpose of each phase. Question

More information

Scott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998

Scott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998 Scott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998 Assembler Syntax Everything looks like this: label: instruction dest,src instruction label Comments: comment $ This is a comment

More information

Binghamton University. CS-220 Spring X86 Debug. Computer Systems Section 3.11

Binghamton University. CS-220 Spring X86 Debug. Computer Systems Section 3.11 X86 Debug Computer Systems Section 3.11 GDB is a Source Level debugger We have learned how to debug at the C level Now, C has been translated to X86 assembler! How does GDB play the shell game? Makes it

More information

The course that gives CMU its Zip! Machine-Level Programming III: Procedures Sept. 17, 2002

The course that gives CMU its Zip! Machine-Level Programming III: Procedures Sept. 17, 2002 15-213 The course that gives CMU its Zip! Machine-Level Programming III: Procedures Sept. 17, 2002 Topics IA32 stack discipline Register saving conventions Creating pointers to local variables class07.ppt

More information

Microprocessors ( ) Fall 2010/2011 Lecture Notes # 15. Stack Operations. 10 top

Microprocessors ( ) Fall 2010/2011 Lecture Notes # 15. Stack Operations. 10 top Microprocessors (0630371) Fall 2010/2011 Lecture Notes # 15 Stack Operations Objectives of the Lecture Runtime Stack PUSH Operation POP Operation Initializing the Stack PUSH and POP Instructions Stack

More information

administrivia today start assembly probably won t finish all these slides Assignment 4 due tomorrow any questions?

administrivia today start assembly probably won t finish all these slides Assignment 4 due tomorrow any questions? administrivia today start assembly probably won t finish all these slides Assignment 4 due tomorrow any questions? exam on Wednesday today s material not on the exam 1 Assembly Assembly is programming

More information

Second Part of the Course

Second Part of the Course CSC 2400: Computer Systems Towards the Hardware 1 Second Part of the Course Toward the hardware High-level language (C) assembly language machine language (IA-32) 2 High-Level Language g Make programming

More information

Low Level Programming Lecture 2. International Faculty of Engineerig, Technical University of Łódź

Low Level Programming Lecture 2. International Faculty of Engineerig, Technical University of Łódź Low Level Programming Lecture 2 Intel processors' architecture reminder Fig. 1. IA32 Registers IA general purpose registers EAX- accumulator, usually used to store results of integer arithmetical or binary

More information

16.317: Microprocessor Systems Design I Fall 2015

16.317: Microprocessor Systems Design I Fall 2015 16.317: Microprocessor Systems Design I Fall 2015 Exam 2 Solution 1. (16 points, 4 points per part) Multiple choice For each of the multiple choice questions below, clearly indicate your response by circling

More information

CS642: Computer Security

CS642: Computer Security X86 Review Process Layout, ISA, etc. CS642: Computer Security Drew Davidson davidson@cs.wisc.edu From Last Week ACL- based permissions (UNIX style) Read, Write, execute can be restricted on users and groups

More information

UMBC. 1 (Feb. 9, 2002) seg_base + base + index. Systems Design & Programming 80x86 Assembly II CMPE 310. Base-Plus-Index addressing:

UMBC. 1 (Feb. 9, 2002) seg_base + base + index. Systems Design & Programming 80x86 Assembly II CMPE 310. Base-Plus-Index addressing: Data Addressing Modes Base-Plus-Index addressing: Effective address computed as: seg_base base index. Base registers: Holds starting location of an array. ebp (stack) ebx (data) Any 32-bit register except

More information

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08 CS412/CS413 Introduction to Compilers Tim Teitelbaum Lecture 21: Generating Pentium Code 10 March 08 CS 412/413 Spring 2008 Introduction to Compilers 1 Simple Code Generation Three-address code makes it

More information

Overview REWARDS TIE HOWARD Summary CS 6V Data Structure Reverse Engineering. Zhiqiang Lin

Overview REWARDS TIE HOWARD Summary CS 6V Data Structure Reverse Engineering. Zhiqiang Lin CS 6V81-05 Data Structure Reverse Engineering Zhiqiang Lin Department of Computer Science The University of Texas at Dallas September 2 nd, 2011 Outline 1 Overview 2 REWARDS 3 TIE 4 HOWARD 5 Summary Outline

More information

Tutorial 10 Protection Cont.

Tutorial 10 Protection Cont. Tutorial 0 Protection Cont. 2 Privilege Levels Lower number => higher privilege Code can access data of equal/lower privilege levels only Code can call more privileged data via call gates Each level has

More information

AS08-C++ and Assembly Calling and Returning. CS220 Logic Design AS08-C++ and Assembly. AS08-C++ and Assembly Calling Conventions

AS08-C++ and Assembly Calling and Returning. CS220 Logic Design AS08-C++ and Assembly. AS08-C++ and Assembly Calling Conventions CS220 Logic Design Outline Calling Conventions Multi-module Programs 1 Calling and Returning We have already seen how the call instruction is used to execute a subprogram. call pushes the address of the

More information

Memory Models. Registers

Memory Models. Registers Memory Models Most machines have a single linear address space at the ISA level, extending from address 0 up to some maximum, often 2 32 1 bytes or 2 64 1 bytes. Some machines have separate address spaces

More information

Machine-level Representation of Programs. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Machine-level Representation of Programs. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University Machine-level Representation of Programs Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Program? 짬뽕라면 준비시간 :10 분, 조리시간 :10 분 재료라면 1개, 스프 1봉지, 오징어

More information

3. Process Management in xv6

3. Process Management in xv6 Lecture Notes for CS347: Operating Systems Mythili Vutukuru, Department of Computer Science and Engineering, IIT Bombay 3. Process Management in xv6 We begin understanding xv6 process management by looking

More information

CSCI 334: Principles of Programming Languages. Computer Architecture (a really really fast introduction) Lecture 11: Control Structures II

CSCI 334: Principles of Programming Languages. Computer Architecture (a really really fast introduction) Lecture 11: Control Structures II 1 byte{ 1 byte{ CSCI 334: Principles of Programming Languages Lecture 11: Control Structures II Computer Architecture (a really really fast introduction) Instructor: Dan Barowy Memory Instructions main

More information

Subprograms: Arguments

Subprograms: Arguments Subprograms: Arguments ICS312 Machine-Level and Systems Programming Henri Casanova (henric@hawaii.edu) Activation Records The stack is useful to store and rieve urn addresses, transparently managed via

More information

CSE351 Autumn 2012 Midterm Exam (5 Nov 2012)

CSE351 Autumn 2012 Midterm Exam (5 Nov 2012) CSE351 Autumn 2012 Midterm Exam (5 Nov 2012) Please read through the entire examination first! We designed this exam so that it can be completed in 50 minutes and, hopefully, this estimate will prove to

More information

Sungkyunkwan University

Sungkyunkwan University Switch statements IA 32 Procedures Stack Structure Calling Conventions Illustrations of Recursion & Pointers long switch_eg (long x, long y, long z) { long w = 1; switch(x) { case 1: w = y*z; break; case

More information

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2018 Lecture 4

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2018 Lecture 4 CS24: INTRODUCTION TO COMPUTING SYSTEMS Spring 2018 Lecture 4 LAST TIME Enhanced our processor design in several ways Added branching support Allows programs where work is proportional to the input values

More information
2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback