Architecture 1001: x86-64 Assembly

Posted by sec875 on 2024-10-08

Reference on how to approach learning programming languages: http://www.yinwang.org/blog-cn/2017/07/06/master-pl
Crash course in reading English: http://www.yinwang.org/blog-cn/2018/11/23/grammar

Prerequisites

You must be familiar with C programming.
https://www.learn-c.org/
https://www.edx.org/certificates/professional-certificate/dartmouth-imtx-c-programming-with-linux

This class is the foundational course for exploitation, reverse engineering, malware analysis and system security.

You Must Complete This Before You Start This Class...

Before You Start This Class... (1 Question)

You need to build a Windows VM to do the exercises in: Windows 10 Pro
https://apps.p.ost2.fyi/learning/course/course-v1:OpenSecurityTraining2+Lab_Setup_x86-64_Windows+2021_v1/home
https://www.youtube.com/watch?v=zgPMGFT-rsc
ISO: https://msdn.itellyou.cn/
The Consumer Editions ISO includes Professional (Pro).
VMware Workstation Pro is now free for personal use:
https://support.broadcom.com/group/ecx/productdownloads?subfamily=VMware+Workstation+Pro

You need to install Visual Studio inside the Windows VM.
https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+Dbg1001_VS_IDE+2021_v1/about

Then download the source code from:
https://gitlab.com/opensecuritytraining/arch1001_x86-64_asm_code_for_class

Unzip it, move it to your Desktop, and open the Visual Studio solution file (Arch1001_x86-64_asm.sln).

You should see a security warning like the one below, because the solution was downloaded from the internet. Uncheck the "Ask me for every project" box and click OK.

Optional: download the course slides
https://gitlab.com/opensecuritytraining/arch1001_x86-64_asm_slides_and_subtitles

FAQ: How can I submit corrections to video subtitles?

Introduction

Why learn assembly at all? (1 Question)

About this class (1 Question)

x86 began as a 16-bit architecture and was later extended to 32 and then 64 bits while keeping backward compatibility. The hardware still starts up in 16-bit real mode; software then switches it into 32-bit protected mode or 64-bit long mode.

When moving to 64 bits, Intel originally wanted to shed the baggage of x86. That was IA-64 (Intel Architecture 64-bit), a.k.a. Itanium. AMD, however, decided to extend x86 to 64 bits itself, producing the AMD64 architecture. When Itanium adoption turned out to be very slow, Intel bit the bullet and licensed the 64-bit extensions from AMD.
In Intel's manuals you will see the 64-bit extension called IA-32e, EM64T or Intel 64 (but never IA-64; again, that is Itanium, a completely different architecture that was eventually discontinued).

Elsewhere you may see it called amd64 or x64; here it is called x86-64.

By the end of this class you should...
Know the x86-64 general-purpose registers and their 32-bit and 16-bit sub-register names
Understand how data such as local variables and return addresses is stored on the stack
Understand function calling conventions
Be comfortable writing C code in an IDE such as Visual Studio and reading and stepping through its disassembly (so that you can look up new instructions on your own)
Be able to read assembly well enough to work out the inputs an opaque binary's control flow expects (the infamous "binary bomb lab")

You don't need to learn hundreds of instructions; instead, focus on the twenty or so that occur most often.
Bilar's "Statistical Structures: Fingerprinting Malware for Classification and Analysis" found that just 14 assembly instructions account for 90% of the code:
http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Bilar.pdf

Optional Refresher: binary to hex to decimal

Just use a calculator.

Optional Refresher: two's complement negative numbers

A negative value is represented as the two's complement of its positive counterpart, computed by flipping every bit and then adding 1. The result depends on the width you are working at: -1 is 0xFF as a byte, 0xFFFF as a word and 0xFFFFFFFF as a dword. Applying the same operation a second time gives the original value back.

Optional Refresher: C data type sizes

char: 8 bits; short: 16; int and long: 32; double and long long: 64. These are the Windows/MSVC x64 sizes used in this class; on Linux or macOS x86-64, long is 64 bits. Pointers are 64 bits on all of them.
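As an added example (not from the course or this page), here is the two's complement recipe above carried out at each of the C widths just listed, together with the sign-extending and zero-extending reads (what movsx and movzx do, introduced later in the outline) and the signed-versus-unsigned length check that matters when reading bounds checks in disassembly. The sample values and the BUF_SIZE constant are assumptions chosen for illustration; only the C standard library is used.

```c
#include <stdint.h>
#include <stdio.h>

/* The widths the page lists hold on both Windows x64 (LLP64) and Linux
 * x86-64 (LP64) except for `long`: 32 bits on Windows, 64 on Linux.
 * The fixed-width <stdint.h> types sidestep that ambiguity. */
_Static_assert(sizeof(char) == 1, "char is 8 bits");
_Static_assert(sizeof(short) == 2, "short is 16 bits");
_Static_assert(sizeof(int) == 4, "int is 32 bits");
_Static_assert(sizeof(long long) == 8, "long long is 64 bits");
_Static_assert(sizeof(double) == 8, "double is 64 bits");
_Static_assert(sizeof(void *) == 8, "pointers are 64 bits on x86-64");

/* Mask selecting the low `bits` bits (bits in 1..64). */
static uint64_t width_mask(unsigned bits) {
    return bits >= 64 ? UINT64_MAX : ((1ULL << bits) - 1);
}

/* The page's recipe at a fixed width: flip every bit, add 1, keep `bits` bits.
 * Doing it twice returns the original value. */
static uint64_t twos_complement(uint64_t x, unsigned bits) {
    return (~x + 1) & width_mask(bits);
}

/* Read a `bits`-wide pattern as a signed number by copying its top bit into
 * all the upper bits. This is what movsx does when loading a byte or word
 * into a wider register. */
static int64_t sign_extend(uint64_t pattern, unsigned bits) {
    uint64_t mask = width_mask(bits);
    pattern &= mask;
    if (bits < 64 && (pattern & (1ULL << (bits - 1))))
        pattern |= ~mask;               /* fill the upper bits with ones */
    return (int64_t)pattern;
}

/* Read the same pattern as unsigned: the upper bits become zero, like movzx. */
static uint64_t zero_extend(uint64_t pattern, unsigned bits) {
    return pattern & width_mask(bits);
}

/* Why it matters: a length check compiled as a signed compare (jle) accepts a
 * negative length, while the same check on an unsigned value (jbe) rejects
 * it, because 0xFFFFFFFF is -1 when signed but 4294967295 when unsigned.
 * BUF_SIZE is an assumed buffer size for the illustration. */
#define BUF_SIZE 16
static int fits_signed(int32_t len)    { return len <= BUF_SIZE; }
static int fits_unsigned(uint32_t len) { return len <= BUF_SIZE; }

int main(void) {
    printf("-1 as 8 bits:  0x%02llx\n", (unsigned long long)twos_complement(1, 8));
    printf("-1 as 32 bits: 0x%08llx\n", (unsigned long long)twos_complement(1, 32));
    printf("byte 0x80: movsx -> %lld, movzx -> %llu\n",
           (long long)sign_extend(0x80, 8), (unsigned long long)zero_extend(0x80, 8));
    printf("len = -1: signed check %s, unsigned check %s\n",
           fits_signed(-1) ? "passes" : "fails",
           fits_unsigned((uint32_t)-1) ? "passes" : "fails");
    printf("sizeof(long) on this platform: %zu bytes\n", sizeof(long));
    return 0;
}
```

The sizeof(long) line is the one whose output differs between the Windows VM used in the class and a Linux host; everything else prints the same on both.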

Background: Endianness (1 Question)

x86-64 memory is little-endian: the least significant byte of a multi-byte value sits at the lowest address. Network byte order is big-endian. Endianness is a property of addressed memory, so it does not apply to registers; a debugger prints a register with its most significant byte on the left, which looks "big-endian" when placed next to a byte-by-byte memory dump.
Byte order applies to bytes only, never to the bits within a byte.
(image)

Viewing the same memory as one 8-byte quantity (for example dq in WinDbg or x/gx in GDB) shows it most-significant byte first, so the "8-byte view" looks "big-endian" and agrees with the register view.
(image)

Manual: https://ost2images.s3.amazonaws.com/PDFs/325462-sdm-vol-1-2abcd-3abcd.pdf
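Added example, not part of the original page: the little-endian layout described above, shown from the three views the text mentions (register, byte-by-byte memory dump, 8-byte view) plus network byte order. SAMPLE_QWORD and the two byte arrays are constructed test data; read_le64, read_be64 and bswap64 are helper names chosen here, not library functions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample value: every byte is distinct, so the order is visible. */
#define SAMPLE_QWORD 0x0102030405060708ULL

/* The same value as an x86-64 CPU lays it out in memory (constructed bytes,
 * lowest address first) and as it travels on the wire in network order. */
static const uint8_t LE_SAMPLE[8] = {0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01};
static const uint8_t BE_SAMPLE[8] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};

/* 1 if this host stores the least significant byte at the lowest address
 * (true on every x86-64 machine). */
static int host_is_little_endian(void) {
    uint16_t probe = 0x0001;
    uint8_t low;
    memcpy(&low, &probe, 1);
    return low == 0x01;
}

/* The byte a byte-by-byte dump (db) shows first: the one at the lowest address. */
static uint8_t first_byte_in_memory(uint64_t v) {
    uint8_t bytes[8];
    memcpy(bytes, &v, sizeof bytes);
    return bytes[0];
}

/* Decode little-endian bytes into a value without depending on the host's
 * own byte order: byte i supplies bits 8*i..8*i+7. This is the 8-byte view. */
static uint64_t read_le64(const uint8_t p[8]) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Decode big-endian (network order) bytes: the first byte is most significant. */
static uint64_t read_be64(const uint8_t p[8]) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Reverse the byte order: what the bswap instruction does, and what a
 * host-to-network conversion costs on a little-endian CPU. */
static uint64_t bswap64(uint64_t v) {
    uint64_t r = 0;
    for (int i = 0; i < 8; i++) {
        r = (r << 8) | (v & 0xFF);
        v >>= 8;
    }
    return r;
}

int main(void) {
    uint64_t v = SAMPLE_QWORD;
    uint8_t bytes[8];
    memcpy(bytes, &v, sizeof bytes);        /* the value as it sits in memory */
    printf("register view      : 0x%016llx\n", (unsigned long long)v);
    printf("memory, byte dump  :");
    for (int i = 0; i < 8; i++)
        printf(" %02x", bytes[i]);
    printf("\nmemory, 8-byte view: 0x%016llx\n", (unsigned long long)read_le64(bytes));
    printf("network order      : 0x%016llx\n", (unsigned long long)bswap64(v));
    return 0;
}
```

On x86-64 the byte dump prints 08 07 06 05 04 03 02 01 while the register and 8-byte views both print 0x0102030405060708, which is the apparent contradiction the text explains: the debugger reassembles the 8 bytes into one number before printing it.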

Computer Registers

Memory hierarchy (1 Question)

x86-64 general purpose registers

There are 16 general-purpose registers.
(image)

The evolution from 8 to 64 bits also introduced a numbered naming scheme, R0-R15, in which RAX is R0. The numbering follows the instruction encoding, not the alphabet: RAX, RCX, RDX, RBX, RSP, RBP, RSI and RDI are R0-R7, and the eight registers added by AMD64, R8-R15, only have numeric names.
(image)

https://ost2images.s3.amazonaws.com/Arch101_x86-64_Asm/CheatSheet_x86-64_Registers.pdf

https://learn.microsoft.com/en-us/cpp/build/x64-software-conventions?view=msvc-160

These are Intel's recommendations to compiler writers (and to people writing assembly by hand). Registers don't have to be used this way, but when you see them used this way you will know why.

Manual, section 3.4.1 General-Purpose Registers:
RAX: accumulator; holds a function's return value
RBX: pointer to data in the DS segment (the data section)
RCX: counter for string and loop operations
RDX: I/O pointer
RSI: source index pointer for string operations
RDI: destination index pointer for string operations
RSP: stack (top) pointer
RBP: stack frame base pointer
RIP (not a general-purpose register, listed separately in the manual): points to the next instruction to execute (the "instruction pointer")
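Added example (not the course's own code) tying together two points from this section: the sub-register names from the cheat sheet, and the string-operation roles of RSI, RDI and RCX. It uses GCC/Clang inline assembly in AT&T syntax, as in the GCC inline assembly lesson later in the outline; MSVC does not accept inline assembly when targeting x64, so on other compilers or architectures each function falls back to the documented x86-64 result in plain C. Function names and the sample string are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
#define HAVE_X86_64_INLINE_ASM 1
#else
#define HAVE_X86_64_INLINE_ASM 0
#endif

/* Writing a 32-bit sub-register (eax) zero-extends into the whole 64-bit
 * register, so the -1 previously held in rax is wiped: rax ends up as 1.
 * This is why compilers emit "mov eax, eax" or "xor eax, eax" for 64-bit work. */
static uint64_t write_eax_after_rax_minus_one(void) {
#if HAVE_X86_64_INLINE_ASM
    uint64_t out;
    __asm__ volatile (
        "movq $-1, %0\n\t"      /* rax = 0xFFFFFFFFFFFFFFFF */
        "movl $1, %k0\n\t"      /* eax = 1; bits 63:32 of rax are cleared */
        : "=a"(out));
    return out;
#else
    return 1;                   /* documented x86-64 result, for other hosts */
#endif
}

/* Writing a 16-bit or 8-bit sub-register (ax, al, ah) leaves the upper bits
 * untouched, so rax keeps its old high bytes: 0xFFFFFFFFFFFF0001. */
static uint64_t write_ax_after_rax_minus_one(void) {
#if HAVE_X86_64_INLINE_ASM
    uint64_t out;
    __asm__ volatile (
        "movq $-1, %0\n\t"      /* rax = 0xFFFFFFFFFFFFFFFF */
        "movw $1, %w0\n\t"      /* ax = 1; bits 63:16 stay as they were */
        : "=a"(out));
    return out;
#else
    return 0xFFFFFFFFFFFF0001ULL;
#endif
}

/* The manual's RSI/RDI/RCX roles made concrete: rep movsb copies rcx bytes
 * from [rsi] to [rdi], advancing both pointers (DF is clear under the ABI).
 * The "+D", "+S" and "+c" constraints pin the operands to rdi, rsi and rcx,
 * which is exactly how an inlined memcpy appears in disassembly. */
static void *copy_rep_movsb(void *dst, const void *src, size_t n) {
#if HAVE_X86_64_INLINE_ASM
    void *d = dst;
    const void *s = src;
    size_t count = n;
    __asm__ volatile ("rep movsb"
                      : "+D"(d), "+S"(s), "+c"(count)
                      :
                      : "memory");
#else
    memmove(dst, src, n);
#endif
    return dst;
}

/* Constructed input for the copy. */
static const char SAMPLE_SRC[] = "x86-64 string ops";

/* Copy the sample with rep movsb and report whether every byte arrived. */
static int copy_roundtrip_ok(void) {
    char dst[sizeof SAMPLE_SRC];
    memset(dst, 0, sizeof dst);
    copy_rep_movsb(dst, SAMPLE_SRC, sizeof SAMPLE_SRC);
    return memcmp(dst, SAMPLE_SRC, sizeof SAMPLE_SRC) == 0;
}

int main(void) {
    printf("mov eax,1 after rax=-1 -> rax = 0x%016llx\n",
           (unsigned long long)write_eax_after_rax_minus_one());
    printf("mov ax,1  after rax=-1 -> rax = 0x%016llx\n",
           (unsigned long long)write_ax_after_rax_minus_one());
    printf("rep movsb copy %s\n", copy_roundtrip_ok() ? "matches" : "differs");
    return 0;
}
```

The first two functions are the check to run whenever a listing mixes register widths: a 32-bit write clears the upper half, a 16- or 8-bit write does not, so "mov ax, 1" after a 64-bit value leaves stale high bytes behind.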

Your First Instruction: No-Operation (nop)

Overview (1 Question)
New Instructions: push & pop (1 Question)
RoX0r Arcade: The RSP Game (4 Questions)
Calling Functions
CallASubroutine1.c: New Instructions: CALL, RET, MOV, ADD, SUB (3 Questions)
RoX0r Arcade: DarkMathemagic: MOV, ADD, SUB (2 Questions)
Local Variables
SingleLocalVariable.c (2 Questions)
Mystery Listery 3 Solved! (4 Questions)
ArrayLocalVariable.c, New Instructions: imul, movsx, movzx (2 Questions)
StructLocalVariable.c (3 Questions)
RoX0r Arcade: DarkMathemagic: MOVZX, MOVSX (2 Questions)
Function Parameter Passing
Pass1Parameter.c (2 Questions)
TooManyParameters.c (2 Questions)
Mystery Listery 2 Solved! (1 Question)
64-bit Calling Conventions (1 Question)
32-bit Calling Conventions (2 Questions)
Mystery Listery 1 Solved! (1 Question)
SpecialMaths.c, New instructions: lea (2 Questions)
RoX0r Arcade: DarkMathemagic: LEA (1 Question)
Control Flow
GotoExample.c, New instructions: jmp (2 Questions)
IfExample.c, New instructions, "jcc", cmp (2 Questions)
IfExample2.c (1 Question)
SwitchExample.c (1 Question)
RoX0r Arcade: 1 step forward, 3 steps back: Jumps! (3 Questions)
Boolean Logic
Refresher: Boolean logic
BooleanBecause.c, New instructions: and, or, not, xor (2 Questions)
ForLoopNoRet.c, New instructions: inc, dec (2 Questions)
BitmaskExample.c, New instructions: test (2 Questions)
RoX0r Arcade: DarkMathemagic: AND, OR, XOR, NOT, INC, DEC (2 Questions)
RoX0r Arcade: 1 step forward, 3 steps back: Jumps w/ TEST (1 Question)
Bit Shifting
ShiftExample1.c, New instructions: shl, shr (2 Questions)
ShiftExample2Unsigned.c (1 Question)
ShiftExample3Signed.c, New instructions: cdq, sar (2 Questions)
RoX0r Arcade: DarkMathemagic: Shifty Time Today! (1 Question)
Multiply and Divide
MulDivExample.c, New instructions: div, idiv (2 Questions)
RoX0r Arcade: DarkMathemagic: Multiply and Divide (3 Questions)
CISC Delight: REPeatable Instructions
ArrayLocalVariable2.c, New instructions: rep stos (2 Questions)
ThereWillBe0xb100d.c (3 Questions)
JourneyToTheCenterOfMemcpy.c: New instructions: rep movs (3 Questions)
RoX0r Arcade: DarkMathemagic: BOSS LEVEL!!! (1 Question)
Choose Your Own Adventure!
Pick A Path... (1 Question)
Windows Binary Debugging, Incomplete section
Windbg tutorial
Looking at all those examples on Linux!
Before you begin...
Intel vs. AT&T assembly syntax
CallAFunction1.c
SingleLocalVariable.c
ArrayLocalVariable.c
StructLocalVariable.c
Pass1Parameter.c
TooManyParameters.c
SpecialMaths.c
GotoExample.c
IfExample.c
IfExample2.c
SwitchExample.c
BooleanBecause.c
ForLoopNoRet.c
BitmaskExample.c
ShiftExample1.c
ShiftExample2Unsigned.c
ShiftExample3Signed.c
MulDivExample.c
ArrayLocalVariable2.c
ThereWillBe0xb100d.c
JourneyToTheCenterOfMemcpy.c
RoX0r Arcade: DarkMathemagic: BOSS LEVEL!!!

Learning to Fish: Read The F*n Intel Manual!

Instructions (2 Questions)
Learning to Fish: Writing Inline Assembly
Visual Studio Inline Assembly
GCC Inline Assembly
The Most Important Assembly Exercise You'll Ever Do: Binary Bomb Lab
Bomb Lab Intro (1 Question)
Option 1: Do the Bomb Lab in GDB
Option 2: Do the Bomb Lab in WinDbg
Option 3: Do the Bomb Lab in Ghidra (with WinDbg or GDB)
Bomb Lab Recommendations (1 Question)
(Optional) Basic Buffer Overflow Lab
Conclusion
Conclusion (1 Question)
End of Class Survey (Please Fill This Out!)
Special Thanks Section!
