Page 1: AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi Progetto Sicurezza di rete Assembler IA-32 (parte I) Lez. 2.

Network Security Project

IA-32 Assembler (part I)

Lecture 2

Page 2:

Assembly Language

• Low-level language, generally a symbolic version of machine language

• Strictly dependent on the processor

• Translated into machine language by an assembler

• We will study the assembly language of the Intel processor family

Page 3:

The 80x86 processors

• 8088, 8086: 16-bit processors, real mode

• 80286: 16-bit with protected mode

• 80386: 32-bit registers, 32-bit protected mode

• 80486/Pentium/Pentium Pro: adds a few features, speed-up

• Pentium MMX: introduces the multimedia extensions (MMX)

• Pentium II: Pentium Pro with MMX instructions

• Pentium III: speed-up, introduces the Streaming SIMD Extensions (SSE)

• Pentium 4: introduces the NetBurst architecture

• Xeon: introduces Hyper-Threading

Page 4:

Basic Execution environment

Page 5:

Memory

• The memory that the processor addresses on its bus is called physical memory.

• Physical memory is organized as a sequence of 8-bit bytes. Each byte is assigned a unique address, called a physical address.

• The physical address space ranges from zero to a maximum of 2^36 – 1

• Virtually any operating system or executive designed to work with an IA-32 processor will use the processor’s memory management facilities to access memory

• These facilities provide features such as segmentation and paging, which allow memory to be managed efficiently and reliably

Page 6:

Memory

• Flat memory model: memory appears to a program as a single, continuous address space. This space is called a linear address space. Code, data, and stacks are all contained in this address space. The linear address space is byte addressable

• Segmented memory model: Memory appears to a program as a group of independent address spaces called segments. Code, data, and stacks are typically contained in separate segments. To address a byte in a segment, a program issues a logical address

Page 7:

Memory Management

Page 8:

CPU Modes

• The IA-32 architecture supports three basic operating modes: protected mode, real-address mode, and system management mode. The operating mode determines which instructions and architectural features are accessible:

• Protected mode: This mode is the native state of the processor. Among the capabilities of protected mode is the ability to directly execute “real-address mode” 8086 software in a protected, multi-tasking environment.

• Real-address mode: this mode implements the programming environment of the Intel 8086 processor with extensions

• System management mode (SMM) — This mode provides an operating system or executive with a transparent mechanism for implementing platform-specific functions such as power management and system security. The processor enters SMM when the external SMM interrupt pin (SMI#) is activated

Page 9:

Basic Program Execution Registers

• The processor provides 16 basic program execution registers for use in general system and application programming. These registers can be grouped as follows:

• General-purpose registers: These eight registers are available for storing operands and pointers

• Segment registers: These registers hold up to six segment selectors.

• EFLAGS (program status and control) register. The EFLAGS register reports on the status of the program being executed and allows limited (application-program level) control of the processor.

• EIP (instruction pointer) register. The EIP register contains a 32-bit pointer to the next instruction to be executed.

Page 10:

IA-32 Registers

• EAX: Accumulator for operands and results data

• EBX: Pointer to data in the DS segment

• ECX: Counter for string and loop operations

• EDX: I/O pointer

• ESI: Pointer to data in the segment pointed to by the DS register; source pointer for string operations

• EDI: Pointer to data (or destination) in the segment pointed to by the ES register; destination pointer for string operations

• ESP: Stack pointer (in the SS segment)

• EBP: Pointer to data on the stack (in the SS segment)

Page 11:

Segment Register

Page 12:

Segment Register

• Each of the segment registers is associated with one of three types of storage: code, data, or stack

• CS register: contains the segment selector for the code segment, where the instructions being executed are stored

• The processor fetches instructions from the code segment, using a logical address that consists of the segment selector in the CS register and the contents of the EIP register. The EIP register contains the offset within the code segment of the next instruction to be executed

• The SS register contains the segment selector for the stack segment, where the procedure stack is stored for the program, task, or handler currently being executed. All stack operations use the SS register to find the stack segment

Page 13:

EIP

• The instruction pointer (EIP):

  • cannot be accessed directly by software

  • is advanced from one instruction boundary to the next in straight-line code, or is moved ahead or backwards by a number of instructions when executing JMP, Jcc, CALL, RET, and IRET instructions, interrupts, and exceptions.

• The only way to read the EIP register is to execute a CALL instruction and then read the value of the return instruction pointer from the procedure stack.

• The EIP register can be loaded indirectly by modifying the value of a return instruction pointer on the procedure stack and executing a return instruction (RET or IRET).

Page 14:

CS

• The CS register cannot be loaded explicitly by an application program. It is loaded implicitly by instructions or internal processor operations that change program control (such as procedure calls, interrupt handling, or task switching)

Page 15:

EFLAGS Register

Page 16:

x86 Assembly Language

• (Slightly) higher-level language than machine language

• Program is made of:

  • directives: commands for the assembler, e.g. .data identifies a section with variables

  • instructions: actual operations, e.g. jmp 8048f3f

• Two possible syntaxes, with different ordering of the operands!

  • AT&T syntax (objdump, GNU Assembler)

  • DOS/Intel syntax (Microsoft Assembler, NASM)

Page 17:

Instruction syntax (AT&T)

• label: mnemonic source(s), destination # comment

• Numerical constants are prefixed with a $

• Hexadecimal numbers start with 0x

• Binary numbers start with 0b

• Registers are denoted by %

• Instructions can be modified using suffixes: b for byte, w for word (16 bits), l for long (32 bits)

• movl %ecx,%eax #moves ecx into eax

Page 18:

NASM Instructions

• Syntax: label: mnemonic destination, source ; comment

• Operands can be:

  • registers

  • memory locations

  • immediate values

  • implicit

• The two operands of an instruction cannot both be memory locations

• Operands must have the same size

  • mov [a], ax

  • add bx, 4

  • inc ecx

Page 19:

Directives

• A db 190

• B dw 134fh

• C db 101001b

• Array times 10 dw 0

• Array2 resw 20

• The different locations are stored consecutively in memory, in declaration order

• %include to include a file, e.g. %include "asm_io.inc"

Page 20:

Instruction Types

• Data transfer: mov, xchg, push, pop

• Arithmetic: add, sub, mul, div, inc, dec

• Logical: and, or, xor, not

• Control transfer: jmp, jne, call, ret, int, iret

Page 21:

Stack Instructions

• The stack usually grows towards lower memory addresses

• This is the way the stack grows on many architectures, including the Intel, Motorola, SPARC, and MIPS processors

• The stack pointer (ESP) points to the top of the stack (the last valid address)

• A push operation first decrements the stack pointer and then stores the value in the address contained in the register

Page 22:

mul

• mul source

• The source is either a register or a memory reference. It cannot be an immediate value.

• Exactly what multiplication is performed depends on the size of the source operand:

• If the operand is byte sized, it is multiplied by the byte in the AL register and the result is stored in the 16 bits of AX.

• If the source is 16-bit, it is multiplied by the word in AX and the 32-bit result is stored in DX:AX.

• If the source is 32-bit, it is multiplied by EAX and the 64-bit result is stored into EDX:EAX.

Page 23:

div

• div source

• If the source is 8-bit, then AX is divided by the operand. The quotient is stored in AL and the remainder in AH.

• If the source is 16-bit, then DX:AX is divided by the operand. The quotient is stored into AX and remainder into DX

• If the source is 32-bit, then EDX:EAX is divided by the operand and the quotient is stored into EAX and the remainder into EDX

Page 24:

I/O

• print_int: prints to the screen the value of the integer stored in EAX

• print_char: prints to the screen the character whose ASCII value is stored in AL

• print_string: prints to the screen the contents of the string at the address stored in EAX. The string must be a C-type string (i.e. null terminated).

• print_nl: prints a new line character to the screen.

• read_int: reads an integer from the keyboard and stores it into the EAX register.

• read_char: reads a single character from the keyboard and stores its ASCII code into the EAX register.

Page 25:

Debugging

• dump_regs: prints the values of the computer's registers (in hexadecimal) to stdout (i.e. the screen)

• dump_mem: prints the values of a region of memory (in hexadecimal). It takes three comma-delimited arguments. The first is an integer used to label the output, the second is the address to display (this can be a label). The last argument is the number of 16-byte paragraphs to display after the address

• dump_stack: prints the values on the CPU stack.

Page 26:

Program skeleton

Page 27:

Addressing

• Remember that labels can be used to refer to data in code. There are two ways that a label can be used. If a plain label is used, it is interpreted as the address (or offset) of the data. If the label is placed inside square brackets ([ ]), it is interpreted as the data at the address

Page 28:

Page 29:

Exercise

• Write an assembly program that reads two integers as input and prints their sum, difference, product, quotient and remainder

• Arrange the program so that, during its execution, it prints the contents of the memory locations holding the input data

• Assemble it, also generating the corresponding listing of the assembled code

Page 30:

Two's complement numbers

• One of the great advantages of 2’s complement is that the rules for addition and subtraction are exactly the same as for unsigned integers

• There are two different multiply and divide instructions. To multiply, use either the MUL or IMUL instruction. MUL is used to multiply unsigned numbers and IMUL is used to multiply signed integers

  • imul dest, source1

  • imul dest, source1, source2

• The two division operators are DIV and IDIV. They perform unsigned and signed integer division respectively

• A very common error is to forget to initialize DX or EDX before division.
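The 32-bit forms of MUL, DIV and IDIV from pages 22, 23 and 30 can be modelled in C; the following is an added example (not part of the lecture slides) showing the EDX:EAX conventions and what the "uninitialised EDX" error looks like: a DIV with a stale EDX raises a divide error (#DE), while an IDIV whose EDX was not sign-extended with CDQ silently returns a wrong quotient. The function names (mul_r32, div_r32, idiv_r32, cdq) and the register values used are this example's own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Register state after a modelled instruction; de = CPU would raise #DE. */
typedef struct { uint32_t edx, eax; bool de; } regs;

/* MUL r/m32: EDX:EAX = EAX * src (unsigned 64-bit product). */
static regs mul_r32(uint32_t eax, uint32_t src)
{
    uint64_t p = (uint64_t)eax * src;
    return (regs){ (uint32_t)(p >> 32), (uint32_t)p, false };
}

/* DIV r/m32: EDX:EAX / src, quotient -> EAX, remainder -> EDX.  #DE (and
 * registers left unchanged) if src == 0 or the quotient exceeds 32 bits. */
static regs div_r32(uint32_t edx, uint32_t eax, uint32_t src)
{
    uint64_t dividend = ((uint64_t)edx << 32) | eax;
    if (src == 0 || dividend / src > UINT32_MAX)
        return (regs){ edx, eax, true };
    return (regs){ (uint32_t)(dividend % src), (uint32_t)(dividend / src), false };
}

/* CDQ: sign-extend EAX into EDX, the correct way to set EDX before IDIV. */
static uint32_t cdq(uint32_t eax) { return (int32_t)eax < 0 ? 0xFFFFFFFFu : 0u; }

/* IDIV r/m32: signed EDX:EAX / src, quotient truncated toward zero and
 * remainder with the sign of the dividend (the same rule C uses). */
static regs idiv_r32(uint32_t edx, uint32_t eax, int32_t src)
{
    int64_t dividend = (int64_t)(((uint64_t)edx << 32) | eax);
    if (src == 0 || (dividend == INT64_MIN && src == -1))
        return (regs){ edx, eax, true };
    int64_t q = dividend / src;
    if (q > INT32_MAX || q < INT32_MIN)             /* quotient overflow */
        return (regs){ edx, eax, true };
    return (regs){ (uint32_t)(int32_t)(dividend % src), (uint32_t)(int32_t)q, false };
}

int main(void)
{
    regs m = mul_r32(0x80000000u, 4);               /* EDX:EAX = 2:0 */
    regs ok = div_r32(0, 100, 7), bad = div_r32(0xDEADBEEFu, 100, 7); /* stale EDX */
    uint32_t a = (uint32_t)-100;                    /* -100 in two's complement */
    regs s = idiv_r32(cdq(a), a, 7), stale = idiv_r32(0, a, 7);
    printf("mul: edx=%u eax=%u\n", m.edx, m.eax);
    printf("div edx=0: %u r %u; div stale edx: #DE=%d\n", ok.eax, ok.edx, bad.de);
    printf("idiv after cdq: %d r %d; idiv edx=0: %d\n",
           (int32_t)s.eax, (int32_t)s.edx, (int32_t)stale.eax);
    return 0;
}
```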

Page 31:

imul

Page 32:

idiv

Page 33:

Control instructions

• cmp vleft, vright

• For unsigned integers, the difference vleft - vright is computed and the zero (ZF) and carry (CF) flags are set accordingly

• If vleft = vright, then ZF is set (i.e. 1) and CF is unset (i.e. 0)

• If vleft > vright, then ZF is unset and CF is unset (no borrow)

• If vleft < vright, then ZF is unset and CF is set (borrow)

Page 34:

Control instructions

• For signed integers, there are three flags that are important: the zero (ZF) flag, the overflow (OF) flag and the sign (SF) flag

• If vleft = vright, the ZF is set (just as for unsigned integers).

• If vleft > vright, ZF is unset and SF = OF

• If vleft < vright, ZF is unset and SF <> OF

• Do not forget that other instructions can also change the FLAGS register, not just CMP
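As an added example (not from the slides), the following C code models the flags CMP leaves after vleft - vright on 32-bit operands and applies the unsigned rules of page 33 and the signed rules of page 34; the same operand pair orders differently under the two rules, which is the mismatch behind signed/unsigned comparison mistakes in bounds checks. The function names (cmp32, above, below, greater, less) are this example's own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct { bool zf, cf, sf, of; } flags;

/* CMP vleft, vright: compute vleft - vright, discard the result, set flags. */
static flags cmp32(uint32_t vleft, uint32_t vright)
{
    uint32_t res = vleft - vright;          /* wraps modulo 2^32 */
    flags f;
    f.zf = (res == 0);
    f.cf = (vleft < vright);                /* borrow out of bit 31 */
    f.sf = (res >> 31) & 1;                 /* sign bit of the result */
    /* OF: operands had different signs and the result's sign differs
     * from vleft's sign, i.e. the signed subtraction overflowed. */
    f.of = (((vleft ^ vright) & (vleft ^ res)) >> 31) & 1;
    return f;
}

/* Unsigned conditions (page 33): what JA / JB test. */
static bool above(flags f) { return !f.zf && !f.cf; }   /* vleft > vright */
static bool below(flags f) { return f.cf; }             /* vleft < vright */

/* Signed conditions (page 34): what JG / JL test. */
static bool greater(flags f) { return !f.zf && f.sf == f.of; }
static bool less(flags f)    { return f.sf != f.of; }

int main(void)
{
    uint32_t a = 0x80000000u, b = 1;        /* 2^31 unsigned, INT_MIN signed */
    flags f = cmp32(a, b);
    printf("ZF=%d CF=%d SF=%d OF=%d\n", f.zf, f.cf, f.sf, f.of);
    printf("unsigned a>b: %d   signed a<b: %d\n", above(f), less(f));
    return 0;
}
```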

Page 35:

Jumps

• Branch instructions transfer execution to arbitrary points of a program

• There are two types of branches: unconditional and conditional

• A conditional branch may or may not make the branch depending on the flags in the FLAGS register. If a conditional branch does not make the branch, control passes to the next instruction

• The JMP (short for jump) instruction makes unconditional branches. Its single argument is usually a code label to the instruction to branch to

Page 36:

Conditional jumps

Page 37:

Example

Page 38:

Other jumps

Page 39:

Example

Page 40:

Loops

• LOOP: decrements ECX; if ECX <> 0, branches to the label

• LOOPE, LOOPZ: decrements ECX (FLAGS register is not modified); if ECX <> 0 and ZF = 1, branches

• LOOPNE, LOOPNZ: decrements ECX (FLAGS unchanged); if ECX <> 0 and ZF = 0, branches

Page 41:

Example

Page 42:

If …then … else

Page 43:

While

Page 44:

Repeat …until

Page 45:

HMW #2

• Write an assembly program that loads an array of 10 signed integers and computes: the sum and the product of the elements at even positions, the difference of those at odd positions, and the quotient and remainder of the product of the even-position elements divided by that of the odd-position ones

• Write an assembly program that loads an array of 100 unsigned integers with random numbers, sorts them, and prints both the unsorted and the sorted array

• Due: 15/10/2007 at 24.00