x86 Disassembly

x86 Disassembly
Exploring the relationship between C, x86 Assembly, and Machine

Code
Contents
0.1
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
0.1.1
What is Wikibooks? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
0.1.2
What is this book? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
0.1.3
Who are the authors?
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
0.1.4
Wikibooks in Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
0.1.5
Happy Reading!
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
0.2
Cover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
0.3
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
0.3.1
What Is This Book About? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
0.3.2
What Will This Book Cover?
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
0.3.3
Who Is This Book For?
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
0.3.4
What Are The Prerequisites? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
0.3.5
What is Disassembly?
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Tools
1.1
1.2
1.3
4
Assemblers and Compilers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.1.1
Assemblers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.1.2
Assembler Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.1.3
Intel Syntax Assemblers
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.1.4
(x86) AT&T Syntax Assemblers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.1.5
Other Assemblers
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.1.6
Compilers
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.1.7
Common C/C++ Compilers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Disassemblers and Decompilers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.1
What is a Disassembler? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.2
x86 Disassemblers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.3
Disassembler Issues
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
10
1.2.4
Decompilers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
11
1.2.5
A General view of Disassembling
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
12
1.2.6
Further reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
13
Disassembly Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
13
1.3.1
Example: Hello World Listing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
13
1.3.2
Example: Basic Disassembly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
13
ii
CONTENTS
1.4
Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
13
1.4.1
Debuggers
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
13
1.4.2
Hex Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
15
1.4.3
Other Tools for Windows
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
17
1.4.4
GNU Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
17
1.4.5
Other Tools for Linux
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
18
1.4.6
XCode Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
18
Platforms
19
2.1
Microsoft Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
19
2.1.1
Microsoft Windows
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
19
2.1.2
Windows Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
19
2.1.3
Virtual Memory
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
19
2.1.4
System Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
19
2.1.5
System calls and interrupts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
20
2.1.6
Win32 API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
20
2.1.7
Native API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
20
2.1.8
ntoskrnl.exe
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
21
2.1.9
Win32K.sys
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
21
2.1.10 Win64 API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
21
2.1.11 Windows Vista . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
21
2.1.12 Windows CE/Mobile, and other versions . . . . . . . . . . . . . . . . . . . . . . . . . . .
21
2.1.13 Non-Executable Memory
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
21
2.1.14 COM and Related Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
21
2.1.15 Remote Procedure Calls (RPC)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
22
Windows Executable Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
22
2.2.1
MS-DOS COM Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
22
2.2.2
MS-DOS EXE Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
22
2.2.3
PE Files
23
2.2.4
Relative Virtual Addressing (RVA)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
23
2.2.5
File Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
23
2.2.6
Code Sections
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
26
2.2.7
Imports and Exports - Linking to other modules . . . . . . . . . . . . . . . . . . . . . . .
27
2.2.8
Exports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
27
2.2.9
Imports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
28
2.2
2.2.10 Resources
2.3
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
29
2.2.11 Relocations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
30
2.2.12 Alternate Bound Import Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
30
2.2.13 Windows DLL Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
30
Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
31
2.3.1
Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
31
2.3.2
System Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
31
CONTENTS
2.4
iii
2.3.3
Conguration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
31
2.3.4
Shells . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
31
2.3.5
GUIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
31
2.3.6
Debuggers
31
2.3.7
File Analyzers
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
31
Linux Executable Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
32
2.4.1
ELF Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
32
2.4.2
Relocatable ELF Files
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
32
2.4.3
a.out Files
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
32
Code Patterns
33
3.1
The Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
33
3.1.1
The Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
33
3.1.2
Push and Pop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
33
3.1.3
ESP In Action
33
3.1.4
Reading Without Popping
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
34
3.1.5
Data Allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
34
Functions and Stack Frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
34
3.2.1
Functions and Stack Frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
34
3.2.2
Standard Entry Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
34
3.2.3
Standard Exit Sequence
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
35
3.2.4
Non-Standard Stack Frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
35
3.2.5
Local Static Variables
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
36
Functions and Stack Frame Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
36
3.3.1
Example: Number of Parameters
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
36
3.3.2
Example: Standard Entry Sequences . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
36
Calling Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
37
3.4.1
Calling Conventions
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
37
3.4.2
Notes on Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
37
3.4.3
Standard C Calling Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
38
3.4.4
C++ Calling Convention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
39
3.4.5
Note on Name Decorations
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
39
3.4.6
Further reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
40
Calling Convention Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
40
3.5.1
Microsoft C Compiler
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
40
3.5.2
GNU C Compiler
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
41
3.5.3
Example: C Calling Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
43
3.5.4
Example: Named Assembly Function
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
43
3.5.5
Example: Unnamed Assembly Function . . . . . . . . . . . . . . . . . . . . . . . . . . .
43
3.5.6
Example: Another Unnamed Assembly Function
. . . . . . . . . . . . . . . . . . . . . .
43
3.5.7
Example: Name Mangling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
43
Branches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
43
3.2
3.3
3.4
3.5
3.6
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
iv
CONTENTS
3.7
3.8
3.9
3.6.1
Branching
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
43
3.6.2
If-Then . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
43
3.6.3
If-Then-Else . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
44
3.6.4
Switch-Case
44
3.6.5
Ternary Operator ?:
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
46
Branch Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
46
3.7.1
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
46
3.7.2
Example: Identify Branch Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
47
3.7.3
Example: Convert To C
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
47
Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
47
3.8.1
Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
47
3.8.2
Do-While Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
47
3.8.3
While Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
48
3.8.4
For Loops
48
3.8.5
Other Loop Types
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
48
Loop Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
49
3.9.1
Example: Identify Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
49
3.9.2
Example: Complete C Prototype . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
49
3.9.3
Example: Decompile To C Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
49
Data Patterns
51
4.1
Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
51
4.1.1
Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
51
4.1.2
How to Spot a Variable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
51
4.1.3
.BSS and .DATA sections
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
51
4.1.4
Static Local Variables
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
51
4.1.5
Signed and Unsigned Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
52
4.1.6
Floating-Point Values
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
52
4.1.7
Global Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
52
4.1.8
Constants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
53
4.1.9
Volatile memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
53
4.1.10 Simple Accessor Methods
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.1.11 Simple Setter (Manipulator) Methods

4.2
4.3
53
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
54
Variable Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
54
4.2.1
Example: Identify C++ Code
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
54
4.2.2
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
54
Data Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
55
4.3.1
Data Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
55
4.3.2
Arrays
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
55
4.3.3
Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
56
4.3.4
Advanced Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
56
4.3.5
Identifying Structs and Arrays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
56
CONTENTS
4.3.6
4.4
4.5
4.6
v
Linked Lists and Binary Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
57
Objects and Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
57
4.4.1
Object-Oriented Programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
57
4.4.2
Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
57
4.4.3
Classes Vs. Structs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
58
Floating Point Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
58
4.5.1
Floating Point Numbers
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
58
4.5.2
Calling Conventions
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
59
4.5.3
Float to Int Conversions
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
61
4.5.4
FPU Compares and Jumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
61
Floating Point Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
61
4.6.1
61
Example: Floating Point Arithmetic . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Diculties
62
5.1
Code Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
62
5.1.1
Code Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
62
5.1.2
Stages of Optimizations
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
62
5.1.3
Loop Unwinding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
63
5.1.4
Inline Functions
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
63
Optimization Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
63
5.2.1
Example: Optimized vs Non-Optimized Code . . . . . . . . . . . . . . . . . . . . . . . .
63
5.2.2
Example: Manual Optimization
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
64
5.2.3
Example: Trace Variables
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
64
5.2.4
Example: Decompile Optimized Code . . . . . . . . . . . . . . . . . . . . . . . . . . . .
65
5.2.5
Example: Instruction Pairings
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
65
5.2.6
Example: Avoiding Branches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
65
5.2.7
Example: Dus Device
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
65
Code Obfuscation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
65
5.3.1
Code Obfuscation
65
5.3.2
What is Code Obfuscation?
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
66
5.3.3
Interleaving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
66
5.3.4
Non-Intuitive Instructions
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
66
5.3.5
Obfuscators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
67
5.3.6
Code Transformations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
68
5.3.7
Opaque Predicates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
68
5.3.8
Code Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
68
Debugger Detectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
68
5.4.1
Detecting Debuggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
68
5.4.2
IsDebuggerPresent API
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
68
5.4.3
PEB Debugger Check
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
69
5.4.4
Kernel Mode Debugger Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
69
5.4.5
Timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
69
5.2
5.3
5.4
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vi
CONTENTS
Detecting SoftICE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
69
5.4.7
Detecting OllyDbg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
69
Resources and Licensing
70
6.1
Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
70
6.1.1
Wikimedia Resources
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
70
6.1.2
External Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
70
Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
71
6.2.1
Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
71
Manual of Style . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
71
6.3.1
71
6.2
6.3
5.4.6
Global Stylesheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Text and image sources, contributors, and licenses
72
7.1
Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
72
7.2
Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
73
7.3
Content license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
74
0.1. PREFACE
0.1 Preface
0.1.2 What is this book?
This book was created by volunteers at Wikibooks (http:

//en.wikibooks.org).
This book was generated by the volunteers at Wikibooks,

a team of people from around the world with varying
backgrounds. The people who wrote this book may not
be experts in the eld. Some may not even have a passing
familiarity with it. The result of this is that some information in this book may be incorrect, out of place, or
misleading. For this reason, you should never rely on a
community-edited Wikibook when dealing in matters of
medical, legal, nancial, or other importance. Please see
our disclaimer for more details on this.
0.1.1
What is Wikibooks?
Despite the warning of the last paragraph, however, books

at Wikibooks are continuously edited and improved. If
errors are found they can be corrected immediately. If
you nd a problem in one of our books, we ask that you
be bold in xing it. You don't need anybodys permission
to help or to make our books better.
Wikibooks runs o the assumption that many eyes can
nd many errors, and many able hands can x them. Over
time, with enough community involvement, the books at
Wikibooks will become very high-quality indeed. You
are invited to participate at Wikibooks to help make
our books better. As you nd problems in your book
don't just complain about them: Log on and x them!
This is a kind of proactive and interactive reading experience that you probably aren't familiar with yet, so log
Started in 2003 as an oshoot of the popular Wikipedia on to http://en.wikibooks.org and take a look around at
project, Wikibooks is a free, collaborative wiki website all the possibilities. We promise that we won't bite!
dedicated to creating high-quality textbooks and other educational books for students around the world. In addition to English, Wikibooks is available in over 130 lan- 0.1.3 Who are the authors?
guages, a complete listing of which can be found at http:
//www.wikibooks.org. Wikibooks is a wiki, which The volunteers at Wikibooks come from around the
means anybody can edit the content there at any time. world and have a wide range of educational and profesIf you nd an error or omission in this book, you can sional backgrounds. They come to Wikibooks for diflog on to Wikibooks to make corrections and additions ferent reasons, and perform dierent tasks. Some Wikas necessary. All of your changes go live on the website ibookians are prolic authors, some are perceptive ediimmediately, so your eort can be enjoyed and utilized tors, some fancy illustrators, others diligent organizers.
by other readers and editors without delay.
Some Wikibookians nd and remove spam, vandalism,
Books at Wikibooks are written by volunteers, and can
be accessed and printed for free from the website. Wikibooks is operated entirely by donations, and a certain portion of proceeds from sales is returned to the Wikimedia
Foundation to help keep Wikibooks running smoothly.
Because of the low overhead, we are able to produce and
sell books for much cheaper then proprietary textbook
publishers can. This book can be edited by anybody at
any time, including you. We don't make you wait two
years to get a new edition, and we don't stop selling old
versions when a new one comes out.
Note that Wikibooks is not a publisher of books, and
is not responsible for the contributions of its volunteer
editors. PediaPress.com is a print-on-demand publisher
that is also not responsible for the content that it prints.
Please see our disclaimer for more information: http://
en.wikibooks.org/wiki/Wikibooks:General_disclaimer .
and other nonsense as it appears. Most Wikibookians

perform a combination of these jobs.
Its dicult to say who are the authors for any particular book, because so many hands have touched it and so
many changes have been made over time. Its not unheard
of for a book to have been edited thousands of times by
hundreds of authors and editors. You could be one of them
too, if you're interested in helping out.
0.1.4 Wikibooks in Class

Books at Wikibooks are free, and with the proper editing and preparation they can be used as cost-eective
textbooks in the classroom or for independent learners.
In addition to using a Wikibook as a traditional readonly learning aide, it can also become an interactive class
CONTENTS
project. Several classes have come to Wikibooks to write

new books and improve old books as part of their normal course work. In some cases, the books written by
students one year are used to teach students in the same
class next year. Books written can also be used in classes
around the world by students who might not be able to
aord traditional textbooks.
0.1.5
Happy Reading!
We at Wikibooks have put a lot of eort into these books,

and we hope that you enjoy reading and learning from
them. We want you to keep in mind that what you are
holding is not a nished product but instead a work in
progress. These books are never nished in the traditional sense, but they are ever-changing and evolving to
meet the needs of readers and learners everywhere. Despite this constant change, we feel our books can be reliable and high-quality learning tools at a great price, and
we hope you agree. Never hesitate to stop in at Wikibooks and make some edits of your own. We hope to see
you there one day. Happy reading!
x86 assembly code into human-readable C or C++ source

code. Some topics covered will be common to all computer architectures, not just x86-compatible machines.
0.3.2 What Will This Book Cover?

This book is going to look in-depth at the disassembly and
decompilation of x86 machine code and assembly code.
We are going to look at the way programs are made using assemblers and compilers, and examine the way that
assembly code is made from C or C++ source code. Using this knowledge, we will try to reverse the process. By
examining common structures, such as data and control
structures, we can nd patterns that enable us to disassemble and decompile programs quickly.
0.3.3 Who Is This Book For?

This book is for readers at the undergraduate level with
experience programming in x86 Assembly and C or
C++. This book is not designed to teach assembly language programming, C or C++ programming, or compiler/assembler theory.
0.2 Cover
0.3.4 What Are The Prerequisites?
The Wikibook of
x86 Disassembly
Using C and Assembly Language
Kernel
Library
Library
The reader should have a thorough understanding of x86

Assembly, C Programming, and possibly C++ Programming. This book is intended to increase the readers
understanding of the relationship between x86 machine
code, x86 Assembly Language, and the C Programming
Language. If you are not too familar with these topics,
you may want to reread some of the above-mentioned
books before continuing.
Library
0.3.5 What is Disassembly?

Software
From Wikibooks: The Free Library
0.3 Introduction
Computer programs are written originally in a human

readable code form, such as assembly language or a highlevel language. These programs are then compiled into
a binary format called machine code. This binary format is not directly readable or understandable by humans.
Many programs -- such as malware, proprietary commercial programs, or very old legacy programs -- may not
have the source code available to you.
Programs frequently perform tasks that need to be duplicated, or need to be made to interact with other programs. Without the source code and without adequate
documentation, these tasks can be dicult to accomplish.
This book outlines tools and techniques for attempting to
convert the raw machine code of an executable le into
0.3.1 What Is This Book About?
equivalent code in assembly language and the high-level
This book is about the disassembly of x86 machine code languages C and C++. With the high-level code to perinto human-readable assembly, and the decompilation of form a particular task, several things become possible:
0.3. INTRODUCTION
1. Programs can be ported to new computer platforms,
by compiling the source code in a dierent environment.
2. The algorithm used by a program can be determined. This allows other programs to make use of
the same algorithm, or for updated versions of a program to be rewritten without needing to track down
old copies of the source code.
3. Security holes and vulnerabilities can be identied
and patched by users without needing access to the
original source code.
4. New interfaces can be implemented for old programs. New components can be built on top of old
components to speed development time and reduce
the need to rewrite large volumes of code.
5. We can gure out what a piece of malware does. We
hope this leads us to guring out how to block its
harmful eects. Unfortunately, some malware writers use self-modifying code techniques (polymorphic camouage, XOR encryption, scrambling)[1] ,
apparently to make it dicult to even detect that
malware, much less disassemble it.
Disassembling code has a large number of practical uses.
One of the positive side eects of it is that the reader will
gain a better understanding of the relation between machine code, assembly language, and high-level languages.
Having a good knowledge of these topics will help programmers to produce code that is more ecient and more
secure.
[1] How does a crypter for bypass antivirus detection work?"
Chapter 1
Tools
1.1 Assemblers and Compilers
1.1.1
code, the instructions will be the same, but all the other
helpful information will be lost. The code will be accurate, but more dicult to read.
Compilers, as we will see later, cause even more information to be lost, and decompiling is often so dicult and
convoluted as to become nearly impossible to do accurately.
Assemblers
Assemblers are signicantly simpler than compilers, and

are often implemented to simply translate the assembly
code to binary machine code via one-to-one correspon- 1.1.3 Intel Syntax Assemblers
dence. Assemblers rarely optimize beyond choosing the
Because of the pervasiveness of Intel-based IA-32 mishortest form of an instruction or lling delay slots.
croprocessors in the home PC market, the majority of
Because assembly is such a simple process, disassemassembly work done (and the majority of assembly work
bly can often be just as simple. Assembly instructions
considered in this wikibook) is x86-based. Many of
and machine code words have a one-to-one corresponthese assemblers (or new versions of them) can handle
dence, so each machine code word will exactly map to one
amd64/x86_64/EMT64 code as well, although this wikiassembly instruction. However, disassembly has some
book will focus primarily on 32 bit (x86/IA-32) code exother diculties which cannot be accounted for using
amples.
simple code-word lookups. We will introduce assemblers
here, and talk about disassembly later.
MASM
1.1.2
Assembler Concepts
MASM is Microsofts assembler, an abbreviation for

Macro Assembler. However, many people use it as an
acronym for Microsoft Assembler, and the dierence
isn't a problem at all. MASM has a powerful macro feature, and is capable of writing very low-level syntax, and
pseudo-high-level code with its macro feature. MASM
6.15 is currently available as a free-download from Microsoft, and MASM 7.xx is currently available as part of
the Microsoft platform DDK.
Assemblers, on a most basic level, translate assembly instructions into machine code with a one to one correspondence. They can also translate named variables into
hard-coded memory addresses and labels into their relative code addresses.
Assemblers, in general, do not perform code optimization. The machine code that comes out of an assembler
is equivalent to the assembly instructions that go into the
assembler. Some assemblers have high-level capabilities
in the form of Macros.
MASM uses Intel Syntax.

MASM is used by Microsoft to implement some
low-level portions of its Windows Operating systems.
Some information about the program is lost during the

assembly process. First and foremost, program data is
stored in the same raw binary format as the machine code
instructions. This means that it can be dicult to determine which parts of the program are actually instructions.
Notice that you can disassemble raw data, but the resultant assembly code will be nonsensical. Second, textual
information from the assembly source code le, such as
variable names, label names, and code comments are all
destroyed during assembly. When you disassemble the
MASM, contrary to popular belief, has been in constant development since 1980, and is upgraded on a
needs-basis.
MASM has always been made compatible by Microsoft to the current platform, and executable le
types.
4
1.1. ASSEMBLERS AND COMPILERS
MASM currently supports all Intel instruction sets, GAS is developed specically to be used as the GCC
including SSE2.
backend. Because GCC always feeds it syntactically correct code, GAS often has minimal error checking.
Many users love MASM, but many more still dislike the GAS is available as a part of either the GCC package or
fact that it isn't portable to other systems.
the GNU binutils package.
TASM
1.1.5 Other Assemblers
TASM, Borlands Turbo Assembler, is a functional

assembler from Borland that integrates seamlessly with
Borlands other software development tools. Current release version is version 5.0. TASM syntax is very similar
to MASM, although it has an IDEAL mode that many
users prefer. TASM is not free.
HLA
HLA, short for High Level Assembler is a project

spearheaded by Randall Hyde to create an assembler
with high-level syntax. HLA works as a front-end to
other assemblers such as FASM (the default), MASM,
NASM, and GAS. HLA supports common assembly
NASM
language instructions, but also implements a series of
higher-level constructs such as loops, if-then-else branchNASM, the Netwide Assembler, is a free, portable, ing, and functions. HLA comes complete with a compreand retargetable assembler that works on both Windows hensive standard library.
and Linux. It supports a variety of Windows and Linux
executable le formats, and even outputs pure binary. Since HLA works as a front-end to another assembler,
NASM is not as mature as either MASM or TASM, the programmer must have another assembler installed to
assemble programs with HLA. HLA code output therebut is:
fore, is as good as the underlying assembler, but the code
is much easier to write for the developer. The high-level
more portable than MASM
components of HLA may make programs less ecient,
but that cost is often far outweighed by the ease of writ cheaper than TASM
ing the code. HLA high-level syntax is very similar in
strives to be very user-friendly
many respects to Pascal, which in turn is itself similar in
many respects to C, so many high-level programmers will
NASM comes with its own disassembler ndisasm, and immediately pick up many of the aspects of HLA.
supports 64-bit (x86-64/x64/AMD64/Intel 64) CPUs.
Here is an example of some HLA code:
NASM is released under the LGPL.
FASM
mov(src, dest); // C++ style comments pop(eax);

push(ebp); for(mov(0, ecx); ecx < 10; inc(ecx)) do
mul(ecx); endfor;
FASM, the Flat Assembler is an open source assembler Some disassemblers and debuggers can disassemble bithat supports x86, and IA-64 Intel architectures.
nary code into HLA-format, although none can faithfully
recreate the HLA macros.
1.1.4
(x86) AT&T Syntax Assemblers

1.1.6 Compilers
AT&T syntax for x86 microprocessor assembly code is

not as common as Intel-syntax, but the GNU Assembler
(GAS) uses it, and it is the de facto assembly standard on A compiler is a program that converts instructions from
one language into equivalent instructions in another lanUnix and Unix-like operating systems.
guage. There is a common misconception that a compiler always directly converts a high level language into
machine language, but this isn't always the case. Many
GAS
compilers convert code into assembly language, and a
The GNU Assembler (GAS) is the default back-end to few even convert code from one high level language into
the GNU Compiler Collection (GCC) suite. As such, another. Common examples of compiled languages are:
GAS is as portable and retargetable as GCC is. However, C/C++, Fortran, Ada, and Visual Basic. The gure below
GAS uses the AT&T syntax for its instructions as default, shows the common compile-time steps to building a prowhich some users nd to be less readable than Intel syn- gram using the C programming language. The compiler
tax. Newer versions of gas can be switched to Intel syntax produces object les which are linked to form the nal
with the directive ".intel_syntax noprex.
executable:
CHAPTER 1. TOOLS
C++, and has the option to compile C++ code into MSIL
(the .NET bytecode).
Microsofts compiler only supports Windows systems,
and Intel-compatible 16/32/64 bit architectures.
The Microsoft C compiler is cl.exe and the linker is
link.exe
Listing Files In this wikibook, cl.exe is frequently

For the purposes of this book, we will only be consider- used to produce assembly listing les of C source code.
ing the case of a compiler that converts C or C++ into To produce an assembly listing le yourself, use the synassembly code or machine language. Some compilers, tax:
such as the Microsoft C compiler, compile C and C++ cl.exe /Fa<assembly le name> <C source le>
source code directly into machine code. GCC on the
The "/Fa switch is the command-line option that tells the
other hand compiles C and C++ into assembly language,
compiler to produce an assembly listing le.
and an assembler is used to convert that into the appropriate machine code. From the standpoint of a disassem- For example, the following command line:
bler, it does not matter exactly how the original program cl.exe /FaTest.asm Test.c
was created. Notice also that it is not possible to exactly
reproduce the C or C++ code used originally to create would produce an assembly listing le named Test.asm
an executable. It is, however, possible to create code that from the C source le Test.c. Notice that there is no
compiles identically, or code that performs the same task. space between the /Fa switch and the name of the output
le.
C language statements do not share a one to one relationship with assembly language. Consider that the following
C statements will typically all compile into the same as- GNU C Compiler
sembly language code:
*arrayA = arrayB[x++]; *arrayA = arrayB[x]; x++; The GNU C compiler is part of the GNU Compiler Collection (GCC) suite. This compiler is available for most
arrayA[0] = arrayB[x++]; arrayA[0] = arrayB[x]; x++;
systems and it is free software. Many people use it exclusively so that they can support many platforms with
Also, consider how the following loop constructs perform just one compiler to deal with. The GNU GCC Comidentical tasks, and are likely to produce similar or even piler is the de facto standard compiler for Linux and Unix
identical assembly language code:
systems. It is retargetable, allowing for many input languages (C, C++, Obj-C, Ada, Fortran, etc...), and supfor(;;) { ... } while(1) { ... } do { ... } while(1)
porting multiple target OSes and architectures. It optimizes well, but has a non-aggressive IA-32 code generation engine.
1.1.7
Common C/C++ Compilers
The GCC frontend program is gcc (gcc.exe on Windows) and the associated linker is ld (ld.exe on WinThe purpose of this section is to list some of the most dows). Windows cmd searches for the programs with
common C and C++ compilers in use for developing .exe extensions automatically, so you don't need to type
production-level software. There are many many C com- the lename extension.
pilers in the world, but the reverser doesn't need to consider all cases, especially when looking at professional
software. This page will discuss each compilers strengths Listing Files To produce an assembly listing le in
and weaknesses, its availability (download sites or cost GCC, use the following command line syntax:
information), and it will also discuss how to generate an gcc -S /path/to/sourcele.c
assembly listing le from each compiler.
For example, the following commandline:
gcc -S test.c
will produce an assembly listing le named test.s. Assembly listing les generated by GCC will be in GAS format. On x86 you can select the syntax with -masm=intel
or -masm=att. GCC listing les are frequently not as well
commented and laid-out as are the listing les for cl.exe.
The Microsoft C compiler is available from Microsoft for

free as part of the Windows Server 2003 SDK. It is the
same compiler and library as is used in MS Visual Studio,
but doesn't come with the fancy IDE. The MS C Compiler
has a very good optimizing engine. It compiles C and You may add `-g3` ags to enable source-code-level de-
1.2. DISASSEMBLERS AND DECOMPILERS
bugging symbols so you can see the line numbers in the HLA syntax for code examples, but that may change in
listing. The -fno-asynchronous-unwind-tables ag can the future.
help eliminate some macros in the listing.
Intel C Compiler
This compiler is used only for x86, x86-64, and IA-64
code. It is available for both Windows and Linux. The
Intel C compiler was written by the people who invented
the original x86 architecture: Intel. Intels development
tools generate code that is tuned to run on Intel microprocessors, and is intended to squeeze every last ounce of
speed from an application. AMD IA-32 compatible processors are not guaranteed to get the same speed boosts
because they have dierent internal architectures.
1.2.2 x86 Disassemblers

Here we are going to list some commonly available disassembler tools. Notice that there are professional disassemblers (which cost money for a license) and there
are freeware/shareware disassemblers. Each disassembler will have dierent features, so it is up to you as the
reader to determine which tools you prefer to use.
Online Disassemblers
ODA is a free, web-based disassembler for a wide variety of architectures. You can use Live View to see
Metrowerks CodeWarrior
how code is disassembled in real time, one byte at
a time, or upload a le. The site is currently in beta
This compiler is commonly used for classic MacOS and
release but will hopefully only get better with time.
for embedded systems. If you try to reverse-engineer a
piece of consumer electronics, you may encounter code
http://www.onlinedisassembler.com
generated by Metrowerks CodeWarrior.
Green Hills Software Compiler
Commercial Windows Disassemblers
This compiler is commonly used for embedded systems. IDA Pro is a professional disassembler that is expensive,
extremely powerful, and has a whole slew of feaIf you try to reverse-engineer a piece of consumer electures. The downside to IDA Pro is that it costs $515
tronics, you may encounter code generated by Green Hills
US for the standard single-user edition. As such this
C/C++.
wikibook will not consider IDA Pro specically because the price tag is exclusionary. Freeware versions do exist; see below.
1.2 Disassemblers and Decompilers
1.2.1
What is a Disassembler?
In essence, a disassembler is the exact opposite of an

assembler. Where an assembler converts code written in
an assembly language into binary machine code, a disassembler reverses the process and attempts to recreate the
assembly code from the binary machine code.
Since most assembly languages have a one-to-one correspondence with underlying machine instructions, the
process of disassembly is relatively straight-forward, and
a basic disassembler can often be implemented simply
by reading in bytes, and performing a table lookup. Of
course, disassembly has its own problems and pitfalls, and
they are covered later in this chapter.
Many disassemblers have the option to output assembly
language instructions in Intel, AT&T, or (occasionally)
HLA syntax. Examples in this book will use Intel and
AT&T syntax interchangeably. We will typically not use
(version 6.x) http://www.hex-rays.com/idapro/

Relyze is a software analysis tool that lets you analyse
and understand native x86 and x64 Windows software. It provides interactive code and structure
views as well as interactive binary ding. Plugin
support is oered through an embedded Ruby plugin framework.
https://www.relyze.com
Hopper Disassembler is a reverse engineering tool for
the Mac, that lets you disassemble, decompile and
debug 32/64bits Intel Mac executables. It can also
disassemble and decompile Windows executables.
http://www.hopperapp.com
OBJ2ASM is an object le disassembler for 16 and 32
bit x86 object les in Intel OMF, Microsoft COFF
format, Linux ELF or Mac OS X Mach-O format.
http://www.digitalmars.com/ctg/obj2asm.html
CHAPTER 1. TOOLS
PE Explorer is a disassembler that focuses on ease of

http://www.agner.org/optimize/#objconv
use, clarity and navigation. It isn't as feature-lled
as IDA Pro and carries a smaller price tag to oset IDA 3.7 A DOS GUI tool that behaves very much like
the missing functionality: $130
IDA Pro, but is considerably more limited. It can
disassemble code for the Z80, 6502, Intel 8051, Inhttp://www.heaventools.com/PE_Explorer_
tel i860, and PDP-11 processors, as well as x86 indisassembler.htm
structions up to the 486.
W32DASM W32DASM was an excellent 16/32 bit disassembler for Windows, it seems it is no longer developed. the latest version available is from 2003.
the website went down and no replacement went up.
http://www.softpedia.com/get/Programming/
Debuggers-Decompilers-Dissasemblers/WDASM.
shtml
http://www.simtel.net/product.php
ida37fw)
(search
for
IDA Pro Freeware Behaves almost exactly like IDA

Pro, but disassembles only Intel x86 opcodes and is
Windows-only. It can disassemble instructions for
those processors available as of 2003. Free for noncommercial use.
Binary Ninja Binary Ninja is a commercial, crossplatform (Linux, OS X, Windows) reverse engineer (version 4.1) http://www.themel.com/idafree.zip
ing platform with aims to oer a similar feature set
to IDA ad a much cheaper price point. It is cur (version
4.3)
http://www.datarescue.be/
rently in a semi-private beta (anyone requesting acidafreeware/freeida43.exe
cess is allowed on the beta) and a precursor written in python is open source (https://github.com/
(version 5.0) http://www.hex-rays.com/idapro/
Vector35/deprecated-binaryninja-python). Curidadownfreeware.htm
rently advertised pricing is $99 for student/noncommercial use, and $399 for commercial use.
BORG Disassembler BORG is an excellent Win32
Disassembler with GUI.
https://binary.ninja/
http://www.caesum.com/
Commercial Freeware/Shareware Windows Disassemblers
HT Editor An analyzing disassembler for Intel x86 instructions. The latest version runs as a console GUI
OllyDbg OllyDbg is one of the most popular disassemprogram on Windows, but there are versions comblers recently. It has a large community and a wide
piled for Linux as well.
variety of plugins available. It emphasizes binary
code analysis. Supports x86 instructions only (no http://hte.sourceforge.net/
x86_64 support for now, although it is on the way).
diStorm64 diStorm is an open source highly optimized
http://www.ollydbg.de/ (ocial website)
stream disassembler library for 80x86 and AMD64.
http://www.openrce.org/downloads/browse/OllyDbg_
http://ragestorm.net/distorm/
Plugins (plugins)
http://www.ollydbg.de/odbg64.html (64 bit version)
Free Windows Disassemblers
crudasm crudasm is an open source disassembler with

a variety of options. It is a work in progress and is
bundled with a partial decompiler.
http://sourceforge.net/projects/crudasm9/
Capstone Capstone is an open source disassembly
framework for multi-arch (including support for
x86, x86_64) & multi-platform with advanced fea- BeaEngine BeaEngine is a complete disassembler library for IA-32 and intel64 architectures (coded
tures.
in C and usable in various languages : C, Python,
http://www.capstone-engine.org/
Delphi, PureBasic, WinDev, masm, fasm, nasm,
GoAsm).
Objconv A command line disassembler supporting 16,
32, and 64 bit x86 code. Latest instruction set http://www.beaengine.org
(SSE4, AVX, XOP, FMA, etc.), several object le
formats, several assembly syntax dialects. Win- Visual DuxDebugger is a 64-bit debugger disassembler
for Windows.
dows, Linux, BSD, Mac. Intelligent analysis.

http://www.duxcore.com/products.html
9
Objconv See above.
BugDbg is a 64-bit user-land debugger designed to de- ciasdis The ocial name of ciasdis is computer_intelligence_assembler_disassembler.
This
bug native 64-bit applications on Windows.
Forth-based tool allows to incrementally and
http://www.pespin.com/
interactively build knowledge about a code body.
It is unique that all disassembled code can be
re-assembled to the exact same code. Processors
DSMHELP Disassemble Help Library is a disasare 8080, 6809, 8086, 80386, Pentium I en DEC
sembler library with single line Epimorphic
Alpha. A scripting facility aids in analyzing Elf and
assembler.
Supported instruction sets - BaMSDOS headers and makes this tool extendable.
sic,System,SSE,SSE2,SSE3,SSSE3,SSE4,SSE4A,MMX,FPU,3DNOW,VMX,SVM,AVX,AVX2,BMI1,BMI2,F16C,FMA3,FMA
The Pentium I ciasdis is available as a binary image,
http://dsmhelp.narod.ru/ (in Russian)
others are in source form, loadable onto lina Forth,
available from the same site.
ArkDasm is a 64-bit interactive disassembler and dehttp://home.hccnet.nl/a.w.m.van.der.horst/ciasdis.html
bugger for Windows. Supported processor: x64 architecture (Intel x64 and AMD64)
objdump comes standard, and is typically used for general inspection of binaries. Pay attention to the relohttp://www.arkdasm.com/
cation option and the dynamic symbol table option.
SharpDisam is a C# port of the udis86 x86 / x86-64
disassembler
http://sharpdisasm.codeplex.com/
Unix Disassemblers
gdb comes standard, as a debugger, but is very often

used for disassembly. If you have loose hex dump
data that you wish to disassemble, simply enter it
(interactively) over top of something else or compile it into a program as a string like so: char foo[]
= {0x90, 0xcd, 0x80, 0x90, 0xcc, 0xf1, 0x90};
Many of the Unix disassemblers, especially the open lida linux interactive disassembler an interactive dissource ones, have been ported to other platforms, like
assembler with some special functions like a crypto
Windows (mostly using MinGW or Cygwin). Some Disanalyzer. Displays string data references, does code
assemblers like otool (OS X) are distro-specic.
ow analysis, and does not rely on objdump. Utilizes the Bastard disassembly library for decoding
single opcodes. The project was started in 2004 and
Capstone Capstone is an open source disassembly
remains dormant to this day.
framework for multi-arch (including support for
x86, x86_64) & multi-platform (including Mac
http://lida.sourceforge.net
OSX, Linux, *BSD, Android, iOS, Solaris) with advanced features.
dissy This program is a interactive disassembler that
uses objdump.
http://www.capstone-engine.org/
http://code.google.com/p/dissy/
Bastard Disassembler The Bastard disassembler is a
powerful, scriptable disassembler for Linux and EmilPRO replacement for the deprecated dissy disasFreeBSD.
sembler.
http://bastard.sourceforge.net/
http://github.com/SimonKagstrom/emilpro
ndisasm NASMs disassembler for x86 and x86-64. x86dis This program can be used to display binary
streams such as the boot sector or other unstructured
Works on DOS, Windows, Linux, Mac OS X and
binary les.
various other systems.
ldasm LDasm (Linux Disassembler) is a Perl/Tk-based
GUI for objdump/binutils that tries to imitate the
'look and feel' of W32Dasm. It searches for crosshttp://udis86.sourceforge.net/
references (e.g. strings), converts the code from
GAS to a MASM-like style, traces programs and
ZyanDisassembler Engine (Zydis) Fast
and
much more. Comes along with PTrace, a processlightweight x86/x86-64 disassembler library.
ow-logger. Last updated in 2002, available from
https://github.com/zyantific/zyan-disassembler-engine
Tucows.
udis86 Disassembler Library for x86 and x86-64
10
CHAPTER 1. TOOLS
http://www.tucows.com/preview/59983/LDasm
llvm LLVM has two interfaces to its disassembler:
that is often used is to identify the entry point of an executable, and nd all code reachable from there, recursively. This is known as code crawling.
Many interactive disassemblers will give the user the option to render segments of code as either code or data,
llvm-mc See the LLVM blog. Example usage:
but non-interactive disassemblers will make the separa$ echo '1 2' | llvm-mc -disassemble - tion automatically. Disassemblers often will provide the
triple=x86_64-apple-darwin9
instruction AND the corresponding hex data on the same
addl %eax, (%rdx)
line, shifting the burden for decisions about the nature of
$ echo '0x0f 0x1 0x9' | llvm-mc -disassemble the code to the user. Some disassemblers (e.g. ciasdis)
-triple=x86_64-apple-darwin9
will allow you to specify rules about whether to disassemsidt (%rcx)
ble as data or code and invent label names, based on the
$ echo '0x0f 0xa2' | llvm-mc -disassemble content of the object under scrutiny. Scripting your own
-triple=x86_64-apple-darwin9
crawler in this way is more ecient; for large programs
cpuid
interactive disassembling may be impractical to the point
$ echo '0xd9 0x' | llvm-mc -disassemble of being unfeasible.
-triple=i386-apple-darwin9
The general problem of separating code from data in arfcos
bitrary executable programs is equivalent to the halting
problem. As a consequence, it is not possible to write
a disassembler that will correctly separate code and data
otool OS Xs object le displaying tool.
for all possible input programs. Reverse engineering is
full of such theoretical limitations, although by Rices theorem all interesting questions about program properties
edb A cross platform x86/x86-64 debugger.
are undecidable (so compilers and many other tools that
https://github.com/eteran/edb-debugger
deal with programs in any form run into such limits as
well). In practice a combination of interactive and autox64dbg An open-source x64/x32 debugger for windows. matic analysis and perseverance can handle all but programs specically designed to thwart reverse engineerhttp://x64dbg.com
ing, like using encryption and decrypting code just prior
to use, and moving code around in memory.
llvm-objdump Mimics GNU objdump.
1.2.3
Disassembler Issues
Lost Information
As we have alluded to before, there are a number of issues
and diculties associated with the disassembly process. User dened textual identiers, such as variable names,
The two most important diculties are the division be- label names, and macros are removed by the assembly
tween code and data, and the loss of text information.
process. They may still be present in generated object
les, for use by tools like debuggers and relocating linkers, but the direct connection is lost and re-establishing
Separating Code from Data
that connection requires more than a mere disassembler.
Especially small constants may have more than one posSince data and instructions are all stored in an executable sible name. Operating system calls (like DLLs in MSas binary data, the obvious question arises: how can a dis- Windows, or syscalls in Unices) may be reconstructed, as
assembler tell code from data? Is any given byte a vari- their names appear in a separate segment or are known
able, or part of an instruction?
beforehand. Many disassemblers allow the user to attach
The problem wouldn't be as dicult if data were limited a name to a label or constant based on his understanding
to the .data section (segment) of an executable (explained of the code. These identiers, in addition to comments
in a later chapter) and if executable code were limited to in the source le, help to make the code more readable
the .code section of an executable, but this is often not to a human, and can also shed some clues on the purthe case. Data may be inserted directly into the code sec- pose of the code. Without these comments and identition (e.g. jump address tables, constant strings), and exe- ers, it is harder to understand the purpose of the source
cutable code may be stored in the data section (although code, and it can be dicult to determine the algorithm
new systems are working to prevent this for security rea- being used by that code. When you combine this problem
sons). AI programs, LISP or Forth compilers may not with the possibility that the code you are trying to read
contain .text and .data sections to help decide, and have may, in reality, be data (as outlined above), then it can
code and data interspersed in a single section that is read- be even harder to determine what is going on. Another
able, writable and executable, Boot code may even re- challenge is posed by modern optimising compilers; they
quire substantial eort to identify sections. A technique inline small subroutines, then combine instructions over

call and return boundaries. This loses valuable information about the way the program is structured.
1.2.4
Decompilers
11
Intel x86, ARM, MIPS, PIC32, and PowerPC architectures and outputs C or Python-like code, plus
ow charts and control ow graphs. It puts a running
time limit on each decompilation. It produces nice
results in most cases.
Akin to Disassembly, Decompilers take the process a https://retdec.com/

step further and actually try to reproduce the code in a
high level language. Frequently, this high level language Reko a modular open-source decompiler supporting
both an interactive GUI and a command-line interis C, because C is simple and primitive enough to faciliface. Its pluggable design supports decompilation of
tate the decompilation process. Decompilation does have
a variety of executable formats and processor archiits drawbacks, because lots of data and readability contectures (8- , 16- , 32- and 64-bit architectures as
structs are lost during the original compilation process,
of 2015). It also supports running unpacking scripts
and they cannot be reproduced. Since the science of debefore actual decompilation. It performs global data
compilation is still young, and results are good but not
and type analyses of the binary and yields its results
great, this page will limit itself to a listing of decompilin a subset of C++.
ers, and a general (but brief) discussion of the possibilities
of decompilation.
http://sourceforge.net/projects/decompiler
Decompilation: Is It Possible?
https://github.com/uxmal/reko
In the face of optimizing compilers, it is not uncommon C4Decompiler C4Decompiler is an interactive, static
decompiler under development (Alpha in 2013). It
to be asked Is decompilation even possible?" To some
performs global analysis of the binary and presents
degree, it usually is. Make no mistake, however: an opthe resulting C source in a Windows GUI. Context
timizing compiler results in the irretrievable loss of inmenus support navigation, properties, cross referformation. An example is in-lining, as explained above,
ences, C/Asm mixed view and manipulation of the
where code called is combined with its surroundings, such
decompile context (function ABI).
that the places where the original subroutine is called cannot even be identied. An optimizer that reverses that http://www.c4decompiler.com
process is comparable to an articial intelligence program
that recreates a poem in a dierent language. So perfectly
Boomerang Decompiler Project Boomerang Decomoperational decompilers are a long way o. At most, curpiler is an attempt to make a powerful, retargetable
rent Decompilers can be used as simply an aid for the
decompiler. So far, it only decompiles into C with
reverse engineering process leaving lots of arduous work.
moderate success.
Common Decompilers
http://boomerang.sourceforge.net/
Hex-Rays Decompiler Hex-Rays is a commercial de- Reverse Engineering Compiler (REC) REC is a powerful decompiler that decompiles native assembly
compiler. It is made as an extension to popular
code into a C-like code representation. The code is
IDA-Pro disassembler. It is currently the only vihalf-way between assembly and C, but it is much
able commercially available decompiler which promore readable than the pure assembly is. Unfortuduces usable results. It supports both x86 and ARM
nately the program appears to be rather unstable.
architecture.
http://www.hex-rays.com/products/decompiler/index.
shtml
http://www.backerstreet.com/rec/rec.htm
ExeToC ExeToC decompiler is an interactive decompiler that boasted pretty good results in the past.
DCC DCC is likely one of the oldest decompilers in existence, dating back over 20 years. It serves as a
http://sourceforge.net/projects/exetoc
good historical and theoretical frame of reference
for the decompilation process in general (Mirrors: ). snowman Snowman is an open source native code to
As of 2015, DCC is an active project. Some of the
C/C++ decompiler. Supports ARM, x86, and x86latest changes include xes for longstanding mem64 architectures. Reads ELF, Mach-O, and PE le
ory leaks and a more modern Qt5-based front-end.
formats. Reconstructs functions, their names and
arguments, local and global variables, expressions,
RetDec The Retargetable Decompiler is a freeware web
integer, pointer and structural types, all types of
decompiler that takes in ELF/PE/COFF binaries in
control-ow structures, including switch. Has a nice
12
CHAPTER 1. TOOLS
graphical user interface with one-click navigation
between the assembler code and the reconstructed
program. Has a command-line interface for batch
processing.
A macro-assembler like TASM will then use a macro like

this one:
_write macro message call write db message db 0 _write
endm
https://derevenets.com
From a human disassemblers point of view, this is a
nightmare, although this is straightforward to read in the
1.2.5 A General view of Disassembling
original Assembly source code, as there is no way to decide if the db should be interpreted or not from the binary
8 bit CPU code
form, and this may contain various jumps to real executable code area, triggering analysis of code that should
Most CPUs are 8-bit CPUs.[1]
never be analysed, and interfering with the analysis of the
Normally when a subroutine is nished, it returns to ex- real code (e.g. disassembling the above code from 0000h
ecuting the next address immediately following the call or 0001h won't give the same results at all).
instruction.
However a half-decent tool with possibilities to speciy
However, assembly-language programmers occasionally rules, and heuristic means to identify texts will have little
use several dierent techniques that adjust the return ad- trouble.
dress, making disassembly more dicult:
32 bit CPU code
jump tables,
calculated jumps, and
a parameter after the call instruction.
Most 32-bit CPUs use the ARM instruction set.[1][2][3]

Typical ARM assembly code is a series of subroutines,
with literal constants scattered between subroutines. The
standard prolog and epilog for subroutines is pretty easy
to recognize.
jump tables and other calculated jumps On 8-bit

CPUs, calculated jumps are often implemented by pushing a calculated return address to the stack, then jump- A brief list of disassemblers
ing to that address using the return instruction. For ex ciasdis an assembler where the elements opcode,
ample, the RTS Trick uses this technique to implement
operands and modiers are all objects, that are
jump tables (w:branch table).
reusable for disassembly. For 8080 8086 80386 Alpha 6809 and should be usable for Pentium 68000
6502 8051.
parameters after the call instruction
Instead of
picking up their parameters o the stack or out of some
radare, the reverse engineering framework includes
xed global address, some subroutines provide parameopen-source tools to disassemble code for many
ters in the addresses of memory that follow the instrucprocessors including x86, ARM, PowerPC, m68k,
tion that called that subroutine. Subroutines that use this
etc. several virtual machines including java, msil,
technique adjust the return address to skip over all the
etc., and for many platforms including Linux, BSD,
constant parameter data, then return to an address many
OSX, Windows, iPhoneOS, etc.
bytes after the call instruction. One of the more famous
programs that used this technique is the Sweet 16 vir IDA, the Interactive Disassembler ( IDA Pro ) can
tual machine.
disassemble code for a huge number of processors,
The technique may make disassembly more dicult.
including ARM Architecture (including Thumb
and Thumb-2), ATMEL AVR, INTEL 8051, INA simple example of this is the write() procedure impleTEL 80x86, MOS Technologies 6502, MC6809,
mented as follows:
MC6811, M68H12C, MSP430, PIC 12XX, PIC
; assume ds = cs, e.g like in boot sector code start: call
14XX, PIC 18XX, PIC 16XXX, Zilog Z80, etc.
write ; push messages address on top of stack db Hello,
Wikipedia: objdump, part of the GNU binutils, can
world,0dh,0ah,00h ; return point ret ; back to DOS
disassemble code for several processors and platwrite proc near pop si ; get string address mov ah,0eh ;
forms. binutils is an important part of the toolchain
BIOS: write teletype w_loop: lodsb ; read char at [ds:si]
as it provides the linker, assembler and other utilties
and increment si or al,al ; is it 00h? jz short w_exit int
(like objdump) to manipulate executables on the tar10h ; write the character jmp w_loop ; continue writing
get platform, and is available for most popular platw_exit: jmp si write endp end start
forms.
1.4. ANALYSIS TOOLS
13
For OS X/BSD systems, there is a rough equiv- Here are examples of C and C++ Hello World!" proalent called otool in the XCode kit.
grams.
Disassemblers at DMOZ lists a huge number of dis- #include <stdio.h> int main() { printf(Hello World!\n);
return 0; }
assemblers
#include <iostream> int main() { std::cout << Hello
Program transformation wiki: disassembly lists World!\n"; return 0; }
many highly recommended disassemblers
search for disassemble at SourceForge shows
many disassemblers for a variety of CPUs.
1.3.2
Example: Basic Disassembly
Hopper is a disassembler that runs on OS-X and disWrite a basic Hello World!" program (see the example
assembles 32/64-bit OS-X and windows binaries.
above). Compile the program into an executable with
The University of Queensland Binary Translator your favorite compiler, then disassemble it. How big is
(UQBT) is a reusable, component-based binary- the disassembled code le? How does it compare to the
translation framework that supports CISC, RISC, code from the listing le you generated? Can you explain
why the le is this size?
and stack-based processors.
1.2.6
Further reading
1.4 Analysis Tools
[1] Jim Turley. The Two Percent Solution. 2002.

[2] Mark Hachman. ARM Cores Climb Into 3G Territory.
2002. Although Intel and AMD receive the bulk of attention in the computing world, ARMs embedded 32-bit
architecture, ... has outsold all others.
1.4.1 Debuggers
Debuggers are programs that allow the user to execute a

compiled program one step at a time. You can see what
instructions are executed in which order, and which sec http://www.crackmes.de/ : reverse engineering tions of the program are treated as code and which are
treated as data. Debuggers allow you to analyze the prochallenges
gram while it is running, to help you get a better picture
A Challengers Handbook by Caesum has some of what it is doing.
tips on reverse engineering programs in JavaScript, Advanced debuggers often contain at least a rudimentary
Flash Actionscript (SWF), Java, etc.
disassembler, often times hex editing and reassembly fea-
[3] Tom Krazit. ARMed for the living room. ARM licensed 1.6 billion cores [in 2005]". 2006.
the Open Source Institute occasionally has reverse tures. Debuggers often allow the user to set breakpoints
engineering challenges among its other brainteasers. on instructions, function calls, and even memory locations.
The Program Transformation wiki has a Reverse enA breakpoint is an instruction to the debugger that allows
gineering and Re-engineering Roadmap, and disprogram execution to be halted when a certain condition
cusses disassemblers, decompilers, and tools for
is met. For instance, when a program accesses a certain
translating programs from one high-level language
variable, or calls a certain API function, the debugger can
to another high-level language.
pause program execution.
Other disassemblers with multi-platform support
Windows Debuggers
1.3 Disassembly Examples
1.3.1
Example: Hello World Listing
SoftICE A de facto standard for Windows debugging.

SoftICE can be used for local kernel debugging,
which is a feature that is very rare, and very valuable.
SoftICE was taken o the market in April 2006.
WinDbg WinDbg is a free piece of software from Microsoft that can be used for local user-mode deWrite a simple Hello World program using C or C++
bugging, or even remote kernel-mode debugging.
and your favorite compiler. Generate a listing le from
WinDbg is not the same as the better-known Vithe compiler. Does the code look the way you expect it
sual Studio Debugger, but comes with a nifty GUI
to? Do you understand what the assembly code means?
nonetheless. Available in 32 and 64-bit versions.
14
http://www.microsoft.com/whdc/devtools/debugging/
installx86.mspx
CHAPTER 1. TOOLS
NLKD A kernel debugger.
http://forge.novell.com/modules/xfmod/project/?nlkd
IDA Pro The multi-processor, multi-OS, interactive

edb A fully featured plugin-based debugger inspired by
disassembler by DataRescue.
the famous OllyDbg. Project page
http://www.hex-rays.com/idapro/
KDbg A gdb front-end for KDE. http://kdbg.org
OllyDbg OllyDbg is a free and powerful Windows debugger with a built-in disassembly and assembly engine. Very useful for patching, disassembling, and RR0D A Ring-0 Debugger for Linux. RR0D Project
Page
debugging.
http://www.ollydbg.de/
Winedbg Wine's debugger. Debugs Windows executables using wine.
Immunity Debugger Immunity Debugger is a branch

of OllyDbg v1.10, with built-in support for Python
Debuggers for Other Systems
scripting and much more.
http://immunityinc.com/products/debugger/index.
html
Linux Debuggers
dbx The standard Unix debugger on systems derived

from AT&T Unix. It is often part of an optional development toolkit package which comes at an extra
price. It uses an interactive command line interface.
Many of the open source debuggers on Linux, again, are ladebug An enhanced debugger on Tru64 Unix systems from HP (originally Digital Equipment Corcross-platform. They may be available on some other
poration) that handles advanced functionality like
Unix(-like) systems, or even Windows. Some of the dethreads better than dbx.
buggers may give you better experience than the old and
native ones on your system.
DTrace An advanced tool on Solaris that provides funcgdb The GNU debugger, comes with any normal Linux
tions like proling and many others on the entire sysinstall. It is quite powerful and even somewhat protem, including the kernel.
grammable, though the raw user interface is harsh.
lldb LLVMs debugger.
emacs The GNU editor, can be used as a front-end to
gdb. This provides a powerful hex editor and allows
full scripting in a LISP-like language.
ddd The Data Display Debugger. Its another front-end
to gdb. This provides graphical representations of
data structures. For example, a linked list will look
just like a textbook illustration.
strace, ltrace, and xtrace Lets you run a program
while watching the actions it performs. With strace,
you get a log of all the system calls being made.
With ltrace, you get a log of all the library calls being made. With xtrace, you get a log of some of the
funtion calls being made.
valgrind Executes a program under emulation, performing analysis according to one of the many plugin modules as desired. You can write your own plugin module as desired. Newer versions of valgrind
also support OS X.
mdb The Modular Debugger (MDB) is a new general

purpose debugging tool for the Solaris Operating
Environment. Its primary feature is its extensibility.
The Solaris Modular Debugger Guide describes how
to use MDB to debug complex software systems,
with a particular emphasis on the facilities available
for debugging the Solaris kernel and associated device drivers and modules. It also includes a complete
reference for and discussion of the MDB language
syntax, debugger features, and MDB Module Programming API.
Debugger Techniques
Setting Breakpoints As previously mentioned in the
section on disassemblers, a 6-line C program doing something as simple as outputting Hello, World!" turns into
massive amounts of assembly code. Most people don't
want to sift through the entire mess to nd out the information they want. It can be time consuming just to
nd the information one desires by just looking through
the code. As an alternative, one can choose to set breakpoints to halt the program once it has reached a given
point within the programs code.
1.4. ANALYSIS TOOLS
15
For instance, lets say that in your program you consis- http://www.bpsoft.com/
tantly experience crashes after one particular event: immediately after closing a message box. You set break- Tiny Hexer Free and does statistics. For Windows.
points on all calls to MessageBoxA. You run your program with the breakpoints set, and it stops, ready to call http://www.mirkes.de/files/
MessageBoxA. Executing each line one-by-one thereafter
(referred to as stepping) through the code, and watching frhed - free hex editor For Windows. Free and openthe program stack, you see that a buer overow occurs
source.
soon after the call.
http://www.kibria.de/frhed.html
1.4.2
Hex Editors
Cygnus Hex Editor For Windows. A very fast and

easy-to-use hex editor, available in a 'Free Edition'.
Hex editors are able to directly view and edit the binary
of a source le, and are very useful for investigating the http://www.softcircuits.com/cygnus/fe/
structure of proprietary closed-format data les. There
are many hex editors in existence. This section will at- Hexprobe Hex Editor For Windows. A professional
hex editor designed to include all the power to deal
tempt to list some of the best, some of the most popular,
with hex data, particularly helpful in the areas of
or some of the most powerful.
hex-byte editing and byte-pattern analysis.
HxD (Freeware) For Windows. A fast and powerful
free hex, disk and RAM editor
http://mh-nexus.de/hxd/
Freeware Hex Editor XVI32 For Windows. A freeware hex editor.
http://www.hexprobe.com/hexprobe/index.htm
UltraEdit32 For Windows. A hex editor/text editor,
won Application of the Year at 2005 Shareware
Industry Awards Conference.
http://www.ultraedit.com/
http://www.chmaas.handshake.de/delphi/freeware/
xvi32/xvi32.htm
Hexinator (For Windows and Linux) lets you edit

les of unlimited size (overwrite, insert, delete),
displays text with dozens of text encodings, shows
wxHexEditor (Beta, For Windows and Linux, Free &
variables in little and big endian byte order.
Open Source)
A fast hex editor specially for HUGE les and disk
https://hexinator.com
devices, allows up to hexabyte, allow size changes
(inject and deletes) without creating temp le, could
view les with multiple panes, has built-in disas- ICY Hexplorer For Windows. A lightweight free and
open source hex le editor with some nifty features,
sembler, supports tags for (reverse) engineering big
such as pixel view, structures, and disassembling.
binaries or le systems, could view les thrug XOR
encryption.
http://hexplorer.sourceforge.net/
http://wxhexeditor.sourceforge.net/
WinHex For Windows. A powerful hex le and disk

editor with advanced abilities for computer forensics
HHD Software Hex Editor Neo For Windows. A fast
and data recovery (used by governments and milile, disk, and memory editor with built-in disassemtary).
bler and le structure viewer.
http://www.x-ways.net/index-m.html
http://www.hhdsoftware.com/Family/hex-editor.html
Catch22 HexEdit For Windows. his is a powerful hex
editor with a slew of features. Has an excellent data
structure viewer.
http://www.catch22.net/software/hexedit.asp
010 Editor For Windows. A very powerful and fast hex

editor with extensive support for data structures and
scripting. Can be used to edit drives and processes.
http://www.sweetscape.com/010editor/
BreakPoint Hex Workshop For Windows. An excel- 1Fh For Windows. A free binary/hex editor which is
lent and powerful hex-editor, its usefulness is revery fast, even while working with large les. Its
stricted by the fact that it is not free like some of
the only Windows hex editor that allows you to view
the other options.
les in byte code (all 256-characters).
16
CHAPTER 1. TOOLS
Linux Hex Editors only
bvi A typical three-pane hex editor, with a vi-like interface.
emacs Along with everything else, emacs also includes
a hex editor.
joe Joes own editor now also supports hex editing.
bless A very capable gtk based hex editor.
A view of a small binary le in a 1Fh hex editor.
http://www.4neurons.com/1Fh/
xxd and any text editor Produce a hex dump with xxd,
freely edit it in your favorite text editor, and then
convert it back to a binary le with your changes
included.
HexEdit For Windows (Open source) and shareware GHex Hex editor for GNOME.
versions. Powerful and easy to use binary le and
http://directory.fsf.org/All_Packages_in_Directory/
disk editor.
ghex.html
http://www.hexedit.com/
HexToolkit For Windows. A free hex viewer specically designed for reverse engineering le formats.
Allows data to be viewed in various formats and includes an expression evaluator as well as a binary le
comparison tool.
http://www.binaryearth.net/HexToolkit
Okteta The well-integrated hexeditor from KDE since

4.1. Oers the traditional two-columns layout,
one with numeric values (binary, octal, decicmal, hexdecimal) and one with characters (lots of
charsets supported). Editing can be done in both
columns, with unlimited undo/redo. Small set of
tools (searching/replacing, strings, binary lter, and
more).
FlexHex For Windows. It Provides full support for http://utils.kde.org/projects/okteta

NTFS les which are based on a more complex
model than FAT32 les. Specically, FlexHex sup- BEYE A viewer of binary les with built-in editor in
ports Sparse les and Alternate data streams of les
binary, hexadecimal and disassembler modes. It
on any NTFS volume. Can be used to edit OLE
uses native Intel syntax for disassembly. Highlight
compound les, ash cards, and other types of physAVR/Java/Athlon64/Pentium 4/K7-Athlon disasical drives.
sembler, Russian codepages converter, full preview
of formats - MZ, NE, PE, NLM, co32, elf partial
http://www.heaventools.com/flexhex-hex-editor.htm
- a.out, LE, LX, PharLap; code navigator and more
over. (
HT Editor For Windows. A le editor/viewer/analyzer
for executables. Its goal is to combine the low- http://beye.sourceforge.net/en/beye.html
level functionality of a debugger and the usability
of IDEs.
BIEW A viewer of binary les with built-in editor in
http://hte.sourceforge.net/
HexEdit For MacOS. A simple but reliable hex editor
wher you to change highlight colours. There is also
a port for Apple Classic users.
http://hexedit.sourceforge.net/
binary, hexadecimal and disassembler modes. It

uses native Intel syntax for disassembly. Highlight
AVR/Java/Athlon64/Pentium 4/K7-Athlon disassembler, Russian codepages converter, full preview
of formats - MZ, NE, PE, NLM, co32, elf partial
- a.out, LE, LX, PharLap; code navigator and more
over. (PROJECT RENAMED, see BEYE)
http://biew.sourceforge.net/en/biew.html
Hex Fiend For MacOS. A very simple hex editor, but
incredibly powerful nonetheless. Its only 346 KB to
hview A curses based hex editor designed to work with
download and takes les as big as 116 GB.
large (600+MB) les with as quickly, and with little
http://ridiculousfish.com/hexfiend/
overhead, as possible.
1.4. ANALYSIS TOOLS
17
http://web.archive.org/web/20010306001713/http:
//tdistortion.esmartdesign.com/Zips/hview.tgz
rohitab.com API Monitor API Monitor is a free software that lets you monitor and control API calls
made by applications and services. Features include
detailed parameter information, structures, unions,
HexCurse An ncurses-based hex editor written in C
enumerated/ag data types, call stack, call tree,
that currently supports hex and decimal address outbreakpoints, custom DLLs, memory editor, call lput, jumping to specied le locations, searching,
tering, COM monitoring, 64-bit. Includes deniASCII and EBCDIC output, bolded modications,
tions for over 13,000 APIs and 1,300+ COM interan undo command, quick keyboard shortcuts, etc.
faces.
http://www.jewfish.net/description.php?title=
http://www.rohitab.com/apimonitor
HexCurse
hexedit View and edit les in hexadecimal or in ASCII. PE File Header dumpers
http://rigaux.org/hexedit.html
Dumpbin Dumpbin is a program that previously used

to be shipped with MS Visual Studio, but recently
Data Workshop An editor to view and modify binary
the functionality of Dumpbin has been incorporated
data; provides dierent views which can be used to
into the Microsoft Linker, link.exe. to access dumpedit, analyze and export the binary data.
bin, pass /dump as the rst parameter to link.exe:
http://www.dataworkshop.de/
link.exe /dump [options]
VCHE A hex editor which lets you see all 256 characters
It is frequently useful to simply create a batch
as found in video ROM, even control and extended
le that handles this conversion:
ASCII, it uses the /dev/vcsa* devices to do it. It also
could edit non-regular les, like hard disks, oppies, ::dumpbin.bat link.exe /dump %*
CDROMs, ZIPs, RAM, and almost any device. It
All examples in this wikibook that use dumpbin will
comes with a ncurses and a raw version for people
call it in this manner.
who work under X or remotely.
http://www.grigna.com/diego/linux/vche/
Here is a list of useful features of dumpbin :
dumpbin /EXPORTS displays a list of functions exDHEX DHEX is just another Hexeditor with a Diported from a library dumpbin /IMPORTS displays a
mode for ncurses. It makes heavy use of colors and
list of functions imported from other libraries dumpbin
is themeable.
/HEADERS displays PE header information for the executable
http://www.dettus.net/dhex/
1.4.3
Other Tools for Windows
http://msdn.microsoft.com/library/default.
asp?url=/library/en-us/vccore/html/_core_
dumpbin_reference.asp
Resource Monitors
Depends Dependency Walker is a GUI tool which will
SysInternals Freeware This page has a large number
allow you to see exports and imports of binaries. It
of excellent utilities, many of which are very useships with many Microsoft tools including MS Viful to security experts, network administrators, and
sual Studio.
(most importantly to us) reversers. Specically,
check out Process Monitor, FileMon, RegMon,
1.4.4 GNU Tools
TCPView, and Process Explorer.
http://technet.microsoft.com/sysinternals/default.aspx
API Monitors
The GNU packages have been ported to many platforms

including Windows.
GNU BinUtils The GNU BinUtils package contains

several small utilities that are very useful in dealSpyStudio Freeware The Spy Studio software is a tool
ing with binary les. The most important programs
to hook into windows processes, log windows API
in the list are the GNU objdump, readelf, GAS ascall to DLLs, insert breakpoints and change paramsembler, and the GNU linker, although the reverser
eters.
might nd more use in addr2line, c++lt, nm, and
http://www.nektra.com/products/spystudio/
readelf.
18
CHAPTER 1. TOOLS
http://www.gnu.org/software/binutils/
1.4.6 XCode Tools
objdump Dumps out information about an executable XCode contains some extra tools to be used unincluding symbols and assembly. It comes standard. der OS X with the Mach-O format. You can see
It can be made to support non-native binary formats. more of them under /Applications/Xcode.app/Contents/
Developer/usr/bin/.
objdump -p displays a list of functions imported from
other libraries, exported to and miscellaneous le header lipo Manages fat binaries with multiple architectures.
information
Its useful to check dll dependencies from command line
otool Object le displaying tool, works somehow like objdump and readelf.
readelf Like objdump but more specialized for ELF executables.

XCode also packs a lot of Unix tools, with many of them
sharing the names (and functions) of the GNU tools.
size Lists the sizes of the segments.
Other tools like nasm/ndisasm, lldb and GNU as can also
be found.
nm Lists the symbols in an ELF le.
strings Prints the strings from a le.
le Tells you what type of le it is.
fold Folds the results of strings into something pageable.
kill Can be used to halt a program with the sig_stop signal.
strace Trace system calls and signals.
1.4.5
Other Tools for Linux
oprole Can be used the nd out what functions and

data segments are used
subterfugue A tool for playing odd tricks on an executable as it runs. The tool is scriptable in python.
The user can write scripts to take action on events
that occur, such as changing the arguments to system calls.
http://subterfugue.org/
lizard Lets you run a program backwards.
http://lizard.sourceforge.net/
dprobes Lets you work with both kernel and user code.
biew Both a hex editor and a disassembler.
ltrace Displays runtime library call information for dynamically linked executables.
asmDIFF Searches for functions, instructions and
memory pointers in dierent versions of same binary by using code metrics. Supports x86, x86_64
code in PE and ELF les.
http://duschkumpane.org/index.php/asmdiff
Chapter 2
Platforms
2.1 Microsoft Windows
was good enough). It also handles all string operations

internally in Unicode, giving more exibility when using dierent languages. Operating Systems based on the
WinNT kernel are: Windows NT (versions 3.1, 3.5, 3.51
and 4.0), Windows 2000 (NT 5.0), Windows XP (NT
5.1), Windows Server 2003 (NT 5.2), Windows Vista
2.1.1 Microsoft Windows
(NT 6.0), Windows 7 (NT 6.1), Windows 8 (NT 6.2),
The Windows operating system is a popular reverse en- Windows 8.1 (NT 6.3), and Windows 10 (NT 10.0).
gineering target for one simple reason: the OS itself (mar- The Microsoft XBOX and and XBOX 360 also run a
ket share, known weaknesses), and most applications for variant of NT, forked from Windows 2000. Most future
it, are not Open Source or free. Most software on a Win- Microsoft operating system products are based on NT in
dows machine doesn't come bundled with its source code, some shape or form.
and most pieces have inadequate, or non-existent documentation. Occasionally, the only way to know precisely
what a piece of software does (or for that matter, to de- 2.1.3 Virtual Memory
termine whether a given piece of software is malicious or
legitimate) is to reverse it, and examine the results.
32 bit WinNT allows for a maximum of 4Gb of virtual
memory space, divided into pages that are 4096 bytes
by default. Pages not in current use by the system or any
2.1.2 Windows Versions
of the applications may be written to a special section on
the harddisk known as the paging le. Use of the paging
Windows operating systems can be easily divided into 2 le may increase performance on some systems, although
categories: Win9x, and WinNT.
high latency for I/O to the HDD can actually reduce performance in some instances.
Windows 9x
The Win9x kernel was originally written to span the 16bit
- 32bit divide. Operating Systems based on the 9x kernel are: Windows 95, Windows 98, and Windows ME.
Win9x Series operating systems are known to be prone
to bugs and system instability. The actual OS itself was
a 32 bit extension of MS-DOS, its predecessor. An important issue with the 9x line is that they were all based
around using the ASCII format for storing strings, rather
than Unicode.
2.1.4 System Architecture
The Windows architecture is heavily layered. Function

calls that a programmer makes may be redirected 3 times
or more before any action is actually performed. There is
an unignorable penalty for calling Win32 functions from
a user-mode application. However, the upside is equally
unignorable: code written in higher levels of the windows
system is much easier to write. Complex operations that
involve initializing multiple data structures and calling
Development on the Win9x kernel ended with the release multiple sub-functions can be performed by calling only
of Windows ME.
a single higher-level function.
Windows NT
The WinNT kernel series was originally written as
enterprise-level server and network software. WinNT
stresses stability and security far more than Win9x kernels did (although it can be debated whether that stress
The Win32 API comprises 3 modules: KERNEL32,

USER32, and GDI32. KERNEL32 is layered on top
of NTDLL, and most calls to KERNEL32 functions are
simply redirected into NTDLL function calls. USER32
and GDI32 are both based on WIN32K (a kernelmode module, responsible for the Windows look and
feel), although USER32 also makes many calls to the
19
20
CHAPTER 2. PLATFORMS
more-primitive functions in GDI32. This and NTDLL GDI diverts most of its calls into WIN32K, but it does
both provide an interface to the Windows NT kernel, contain a manager for GDI objects, such as pens, brushes
NTOSKRNL (see further below).
and device contexts. The GDI object manager and the
NTOSKRNL is also partially layered on HAL (Hardware KERNEL object manager are completely separate.
Abstraction Layer), but this interaction will not be considered much in this book. The purpose of this layering is to allow processor variant issues (such as location
of resources) to be made separate from the actual kernel itself. A slightly dierent system conguration thus
requires just a dierent HAL module, rather than a completely dierent kernel module.
2.1.5
System calls and interrupts
After ltering through dierent layers of subroutines,

most API calls require interaction with part of the operating system. Services are provided via 'software interrupts, traditionally through the int 0x2e instruction.
This switches control of execution to the NT executive /
kernel, where the request is handled. It should be pointed
out here that the stack used in kernel mode is dierent
from the user mode stack. This provides an added layer
of protection between kernel and user. Once the function
completes, control is returned back to the user application.
user32.dll
The USER subsystem is located in the user32.dll library
le. This subsystem controls the creation and manipulation of USER objects, which are common screen items
such as windows, menus, cursors, etc... USER will set
up the objects to be drawn, but will perform the actual
drawing by calling on GDI (which in turn will make many
calls to WIN32K) or sometimes even calling WIN32K
directly. USER utilizes the GDI Object Manager.
2.1.7 Native API
The native API, hereby referred to as the NTDLL subsystem, is a series of undocumented API function calls
that handle most of the work performed by KERNEL32.
Microsoft also does not guarantee that the native API will
remain the same between dierent versions, as Windows
developers modify the software. This gives the risk of native API calls being removed or changed without warning,
Both Intel and AMD provide an extra set of instructions breaking software that utilizes it.
to allow faster system calls, the SYSENTER instruction
from Intel and the SYSCALL instruction from AMD.
ntdll.dll
The NTDLL subsystem is located in ntdll.dll. This library contains many API function calls, that all follow a
particular naming scheme. Each function has a prex:
Both WinNT and Win9x systems utilize the Win32 API.
Ldr, Nt, Zw, Csr, Dbg, etc... and all the functions that
However, the WinNT version of the API has more funchave a particular prex all follow particular rules.
tionality and security constructs, as well as Unicode support. Most of the Win32 API can be broken down into 3 The ocial native API is usually limited only to functions whose prex is Nt or Zw. These calls are in fact the
separate components, each performing a separate task.
same in user-mode: the relevant Export entries map to
the same address in memory. However, in kernel-mode,
kernel32.dll
the Zw* system call stubs set the previous mode to kernelmode, ensuring that certain parameter validation routines
Kernel32.dll, home of the KERNEL subsystem, is where are not performed. The origin of the prex Zw is unnon-graphical functions are implemented. Some of the known; this prex was chosen due to its having no signifAPIs located in KERNEL are: The Heap API, the Vir- icance at all[1] .
tual Memory API, File I/O API, the Thread API, the System Object Manager, and other similar system services. In actual implementation, the system call stubs merely
Most of the functionality of kernel32.dll is implemented load two registers with values required to describe a nain ntdll.dll, but in undocumented functions. Microsoft tive API call, and then execute a software interrupt (or
prefers to publish documentation for kernel32 and guar- the sysenter instruction).
antee that these APIs will remain unchanged, and then Most of the other prexes are obscure, but the known
put most of the work in other libraries, which are then ones are:
not documented.
Rtl stands for Run Time Library, calls which help
functionality at runtime (such as RtlAllocateHeap)
gdi32.dll
Csr is for Client Server Runtime, which repregdi32.dll is the library that implements the GDI subsyssents the interface to the win32 subsystem located
tem, where primitive graphical operations are performed.
in csrss.exe
2.1.6
Win32 API
2.1. MICROSOFT WINDOWS
21
Dbg functions are present to enable debugging rou- Vista may be better known by its development code-name
tines and operations
Longhorn. Microsoft claims that Vista has been written largely from the ground up, and therefore it can be
Ldr provides the ability to load, manipulate and re- assumed that there are fundamental dierences between
trieve data from DLLs and other module resources the Vista API and system architecture, and the APIs and
architectures of previous Windows versions. Windows
Vista was released January 30th, 2007.
User Mode Versus Kernel Mode
Many functions, especially Run-time Library routines,
are shared between ntdll.dll and ntoskrnl.exe. Most Native API functions, as well as other kernel-mode only
functions exported from the kernel are useful for driver
writers. As such, Microsoft provides documentation on
many of the native API functions with the Microsoft
Server 2003 Platform DDK. The DDK (Driver Development Kit) is available as a free download.
2.1.12 Windows CE/Mobile, and other

versions
2.1.8
2.1.13 Non-Executable Memory
ntoskrnl.exe
This module is the Windows NT "'Executive'", providing

all the functionality required by the native API, as well
as the kernel itself, which is responsible for maintaining
the machine state. By default, all interrupts and kernel
calls are channeled through ntoskrnl in some way, making it the single most important program in Windows itself. Many of its functions are exported (all of which with
various prexes, a la NTDLL) for use by device drivers.
2.1.9
Recent windows service packs have attempted to implement a system known as Non-executable memory
where certain pages can be marked as being nonexecutable. The purpose of this system is to prevent
some of the most common security holes by not allowing control to pass to code inserted into a memory buer
by an attacker. For instance, a shellcode loaded into an
overowed text buer cannot be executed, stopping the
attack in its tracks. The eectiveness of this mechanism
is yet to be seen, however.
Win32K.sys
This module is the Win32 Kernel that sits on top of the

lower-level, more primitive NTOSKRNL. WIN32K is responsible for the look and feel of windows, and many
portions of this code have remained largely unchanged
since the Win9x versions. This module provides many of
the specic instructions that cause USER and GDI to act
the way they do. Its responsible for translating the API
calls from the USER and GDI libraries into the pictures
you see on the monitor.
2.1.10
Windows CE is the Microsoft oering on small devices.

It largely uses the same Win32 API as the desktop systems, although it has a slightly dierent architecture.
Some examples in this book may consider WinCE.
Win64 API
With the advent of 64-bit processors, 64-bit software is a

necessity. As a result, the Win64 API was created to utilize the new hardware. It is important to note that the format of many of the function calls are identical in Win32
and Win64, except for the size of pointers, and other data
types that are specic to 64-bit address space.
2.1.14 COM and Related Technologies

COM, and a whole slew of technologies that are either related to COM or are actually COM with a fancy name, is
another factor to consider when reversing Windows binaries. COM, DCOM, COM+, ActiveX, OLE, MTS, and
Windows DNA are all names for the same subject, or
subjects, so similar that they may all be considered under
the same heading. In short, COM is a method to export
Object-Oriented Classes in a uniform, cross-platform and
cross-language manner. In essence, COM is .NET, version 0 beta. Using COM, components written in many
languages can export, import, instantiate, modify, and destroy objects dened in another le, most often a DLL.
Although COM provides cross-platform (to some extent)
and cross-language facilities, each COM object is compiled to a native binary, rather than an intermediate format such as Java or .NET. As a result, COM does not
require a virtual machine to execute such objects.
This book will attempt to show some examples of COM

les, and the reversing challenges associated with them,
Dierences
although the subject is very broad, and may elude the
scope of this book (or at least the early sections of it). The
2.1.11 Windows Vista
discussion may be part of an Advanced Topic found in
Microsoft has released a new version of its Windows the later sections of this book.
operation system, named Windows Vista. Windows Due to the way that COM works, a lot of the methods and
22
data structures exported by a COM component are dicult to perceive by simply inspecting the executable le.
Matters are made worse if the creating programmer has
used a library such as ATL to simplify their programming
experience. Unfortunately for a reverse engineer, this reduces the contents of an executable into a Sea of bits,
with pointers and data structures everywhere.
oset specifying an oset into that window. The segment register would be set by DOS and the COM le
would be expected to respect this setting and not ever
change the segment registers. The oset registers, however, were fair game and served (for COM les) the same
purpose as a modern 32-bit register. The downside was
that the oset registers were only 16-bit and, therefore,
since COM les could not change the segment registers,
COM les were limited to using 64K of RAM. The good
thing about this approach, however, was that no extra
2.1.15 Remote Procedure Calls (RPC)
work was needed by DOS to load and run a COM le:
RPC is a generic term referring to techniques that allow a just load the le, set the segment register, and jump to it.
program running on one machine to make calls that actu- (The programs could perform 'near' jumps by just giving
ally execute on another machine. Typically, this is done an oset to jump to.)
by marshalling all of the data needed for the procedure in- COM les are loaded into RAM at oset $100. The
cluding any state information stored on the rst machine, space before that would be used for passing data to and
and building it into a single data structure, which is then from DOS (for example, the contents of the command
transmitted over some communications method to a sec- line used to invoke the program).
ond machine. This second machine then performs the requested action, and returns a data packet containing any Note that COM les, by denition, cannot be 32-bit.
results and potentially changed state information to the Windows provides support for COM les via a special
CPU mode.
originating machine.
In Windows NT, RPC is typically handled by having two
libraries that are similarly named, one which generates
RPC requests and accepts RPC returns, as requested by
a user-mode program, and one which responds to RPC
requests and returns results via RPC. A classic example
is the print spooler, which consists of two pieces: the
RPC stub spoolss.dll, and the spooler proper and RPC
service provider, spoolsv.exe. In most machines, which
are stand-alone, it would seem that the use of two modules communicating by means of RPC is overkill; why
not simply roll them into a single routine? In networked
printing, though, this makes sense, as the RPC service
provider can be resident physically on a distant machine,
with the remote printer, and the local machine can control the printer on the remote machine in exactly the same
way that it controls printers on the local machine.
[1] https://msdn.microsoft.com/en-us/library/windows/
hardware/ff565646(v=vs.85).aspx
2.2 Windows Executable Files
2.2.1
MS-DOS COM Files
2.2.2 MS-DOS EXE Files

One way MS-DOS compilers got around the 64K memory limitation was with the introduction of memory
models. The basic concept is to cleverly set dierent segment registers in the x86 CPU (CS, DS, ES, SS) to point
to the same or dierent segments, thus allowing varying
degrees of access to memory. Typical memory models
were:
tiny All memory accesses are 16-bit (segment registers
unchanged). Produces a .COM le instead of an
.EXE le.
small All memory accesses are 16-bit (segment registers
unchanged).
compact Data addresses include both segment and oset, reloading the DS or ES registers on access and
allowing up to 1M of data. Code accesses don't
change the CS register, allowing 64K of code.
medium Code addresses include the segment address,
reloading CS on access and allowing up to 1M of
code. Data accesses don't change the DS and ES
registers, allowing 64K of data.
large Both code and data addresses are (segment, oset)

COM les are loaded into RAM exactly as they appear;
pairs, always reloading the segment addresses. The
no change is made at all from the harddisk image to
whole 1M byte memory space is available for both
RAM. This is possible due to the segmented memory
code and data.
model of the early x86 line. Two 16-bit registers determine the actual address used for a memory access, a huge Same as the large model, with additional arithmetic
being generated by the compiler to allow access to
segment register specifying a 64K byte window into
arrays larger than 64K.
the 1M+64K byte space (in 16-byte increments) and an
2.2. WINDOWS EXECUTABLE FILES
23
When looking at an EXE le, one has to decide which

memory model was used to build that le.
2.2.3
PE Files
A Portable Executable (PE) le is the standard binary

le format for an Executable or DLL under Windows NT,
Windows 95, and Win32. The Win32 SDK contains a
le, winnt.h, which declares various structs and variables
used in the PE les. Some functions for manipulating PE
les are also included in imagehlp.dll. PE les are broken
down into various sections which can be examined.
2.2.4
Relative Virtual Addressing (RVA)
In a Windows environment, executable modules can be

loaded at any point in memory, and are expected to
run without problem. To allow multiple programs to be
The basic format of a Microsoft PE le
loaded at seemingly random locations in memory, PE les
have adopted a tool called RVA: Relative Virtual Addresses. RVAs assume that the base address of where
a module is loaded into memory is not known at compile
time. So, PE les describe the location of data in memory as an oset from the base address, wherever that may MS-DOS header
be in memory.
Some processor instructions require the code itself to directly identify where in memory some data is. This is not
possible when the location of the module in memory is
not known at compile time. The solution to this problem
is described in the section on Relocations.
Open any Win32 binary executable in a hex editor, and

note what you see: The rst 2 letters are always the letters MZ, the initials of Mark Zbikowski, who created
the rst linker for DOS. To some people, the rst few
bytes in a le that determine the type of le are called
It is important to remember that the addresses obtained the magic number, although this book will not use that
from a disassembly of a module will not always match term, because there is no rule that states that the magic
up to the addresses seen in a debugger as the program is number needs to be a single number. Instead, we will
running.
use the term File ID Tag, or simply, File ID. Sometimes this is also known as File Signature.
After the File ID, the hex editor will show several bytes
of either random-looking symbols, or whitespace, before
the human-readable string This program cannot be run
in DOS mode.
2.2.5
File Format
The PE portable executable le format includes a number

of informational headers, and is arranged in the following
format:
What is this?
24
Hex Listing of an MS-DOS le header
What you are looking at is the MS-DOS header of the

Win32 PE le. To ensure either a) backwards compatibility, or b) graceful decline of new le types, Microsoft
has written a series of machine instructions(an example
program is listed below the DOS header structure) into
the head of each PE le. When a 32-bit Windows le is
run in a 16-bit DOS environment, the program will display the error message: This program cannot be run in
DOS mode., then terminate.
Hex Listing of a PE signature, and the pointer to it

The PE header consists only of a File ID signature, with
the value PE\0\0 where each '\0' character is an ASCII
NUL character. This signature shows that a) this le is a
legitimate PE le, and b) the byte order of the le. Byte
order will not be considered in this chapter, and all PE
les are assumed to be in little endian format.
The DOS header is also known by some as the EXE The rst big chunk of information lies in the COFF
header. Here is the DOS header presented as a C data header, directly after the PE signature.
structure:
struct DOS_Header { // short is 2 bytes, long is 4 bytes
char signature[2] = MZ"; short lastsize; short nblocks;
short nreloc; short hdrsize; short minalloc; short maxalloc; void *ss; void *sp; short checksum; void *ip; void
*cs; short relocpos; short noverlay; short reserved1[4];
short oem_id; short oem_info; short reserved2[10]; long
e_lfanew; }
COFF Header
The COFF header is present in both COFF object les
(before they are linked) and in PE les where it is known
as the File header. The COFF header has some information that is useful to an executable, and some information that is more useful to an object le.
Here is the COFF header, presented as a C data structure:
After the DOS header there is a stub program mentioned

in the paragraph above the DOS header structure. Listed
below is a commented example of that program, it was
taken from a program compiled with GCC.
struct COFFHeader { short Machine; short NumberOfSections; long TimeDateStamp; long PointerToSymbolTable; long NumberOfSymbols; short
SizeOfOptionalHeader; short Characteristics; }
;# Using NASM with Intel syntax push cs ;# Push CS

onto the stack pop ds ;# Set DS to CS mov dx,message
; point to our message This program cannot be run Machine This eld determines what machine the le
in DOS mode., 0x0d, 0x0d, 0x0a, '$' mov ah, 09 int
was compiled for. A hex value of 0x14C (332 in
0x21 ;# when AH = 9, DOS interrupt to write a string ;#
decimal) is the code for an Intel 80386.
terminate the program mov ax,0x4c01 int 0x21 message
db This program cannot be run in DOS mode., 0x0d, Heres a list of possible values it can have.
0x0d, 0x0a, '$'
NumberOfSections The number of sections that are
described at the end of the PE headers.
PE Header
TimeDateStamp 32 bit time at which this header was

generated: is used in the process of Binding, see
below.
SizeOfOptionalHeader this eld shows how long the

At oset 60 (0x3C) from the beginning of the DOS
PE Optional Header is that follows the COFF
header is a pointer to the Portable Executable (PE) File
header.
header (e_lfanew in MZ structure). DOS will print the error message and terminate, but Windows will follow this Characteristics This is a eld of bit ags, that show
some characteristics of the le.
pointer to the next batch of information.

PE Optional Header
The PE Optional Header is not optional per se, because it is required in Executable les, but not in COFF
object les. The Optional header includes lots and lots of
information that can be used to pick apart the le structure, and obtain some useful information about it.
25
AddressOfEntryPoint A pointer to the entry point
function, relative to the image base address. For executable les, this is the starting address. For device
drivers, this is the address of the initialization function. The entry point function is optional for DLLs.
When no entry point is present, this member is zero.
BaseOfCode A pointer to the beginning of the code

The PE Optional Header occurs directly after the COFF
section, relative to the image base.
header, and some sources even show the two headers as
being part of the same structure. This wikibook separates BaseOfData A pointer to the beginning of the data section, relative to the image base.
them out for convenience.
Here is the PE Optional Header presented as a C data ImageBase The preferred address of the rst byte of the
structure:
image when it is loaded in memory. This value is a
multiple of 64K bytes. The default value for DLLs
struct PEOptHeader { /* char is 1 byte short is 2 bytes
is 0x10000000. The default value for applications
long is 4 bytes */ short signature; //decimal number 267
is 0x00400000, except on Windows CE where it is
for 32 bit, 523 for 64 bit, and 263 for a ROM image.
0x00010000.
char MajorLinkerVersion; char MinorLinkerVersion;
long SizeOfCode; long SizeOfInitializedData; long
SizeOfUninitializedData; long AddressOfEntryPoint;
//The RVA of the code entry point long BaseOfCode;
long BaseOfData; /*The next 21 elds are an extension
to the COFF optional header format*/ long ImageBase; long SectionAlignment; long FileAlignment;
short MajorOSVersion; short MinorOSVersion; short
MajorImageVersion; short MinorImageVersion; short
MajorSubsystemVersion; short MinorSubsystemVersion; long Win32VersionValue; long SizeOfImage;
long SizeOfHeaders; long Checksum; short Subsystem;
short DLLCharacteristics; long SizeOfStackReserve;
long SizeOfStackCommit; long SizeOfHeapReserve;
long SizeOfHeapCommit; long LoaderFlags; long
NumberOfRvaAndSizes; data_directory DataDirectory[NumberOfRvaAndSizes]; //Can have any number
of elements, matching the number in NumberOfRvaAndSizes. } //However, it is always 16 in PE les.
/* long is 4 bytes */ struct data_directory { long VirtualAddress; long Size; }
SectionAlignment The alignment of sections loaded in

memory, in bytes. This value must be greater than
or equal to the FileAlignment member. The default
value is the page size for the system.
FileAlignment The alignment of the raw data of sections in the image le, in bytes. The value should be
a power of 2 between 512 and 64K (inclusive). The
default is 512. If the SectionAlignment member is
less than the system page size, this member must be
the same as SectionAlignment.
MajorOSVersion The major version number of the required operating system.
MinorOSVersion The minor version number of the required operating system.
MajorImageVersion The major version number of the
image.
MinorImageVersion The minor version number of the
image.
Signature Contains a signature that identies the im- MajorSubsystemVersion The major version number
age.
of the subsystem.
MajorLinkerVersion The major version number of the MinorSubsystemVersion The minor version number
of the subsystem.
linker.
MinorLinkerVersion The minor version number of Win32VersionValue This member is reserved and
must be 0.
the linker.
SizeOfCode The size of the code section, in bytes, or SizeOfImage The size of the image, in bytes, including all headers. Must be a multiple of SectionAlignthe sum of all such sections if there are multiple code
ment.
sections.
SizeOfInitializedData The size of the initialized data SizeOfHeaders The combined size of the following
items, rounded to a multiple of the value specied
section, in bytes, or the sum of all such sections if
in the FileAlignment member.
there are multiple initialized data sections.
SizeOfUninitializedData The size of the uninitialized
data section, in bytes, or the sum of all such sections
if there are multiple uninitialized data sections.
e_lfanew member of DOS_Header

4 byte signature
26
size of COFFHeader
size of optional header
.data 000A0000_00000000_00000000_00000000_40000000
2E627373_00000000_00200000_00300000_00000000
.bss 00000000_00000000_00000000_00000000_80000000
size of all section headers
The structure of the section descriptor is as follows:
Oset Length Purpose ------ ------- ----------------------------------------------------------------- 0x00 8 bytes Section

Name - in the above example the names are .text .data
.bss 0x08 4 bytes Size of the section once it is loaded to
memory 0x0C 4 bytes RVA (location) of section once it
Subsystem The Subsystem that will be invoked to run is loaded to memory 0x10 4 bytes Physical size of section
on disk 0x14 4 bytes Physical location of section on disk
the executable
(from start of disk image) 0x18 12 bytes Reserved (usually zero) (used in object formats) 0x24 4 bytes Section
DLLCharacteristics The DLL characteristics of the
ags
image
A PE loader will place the sections of the executable imSizeOfStackReserve The number of bytes to reserve age at the locations specied by these section descriptors
for the stack. Only the memory specied by the (relative to the base address) and usually the alignment is
SizeOfStackCommit member is committed at load 0x1000, which matches the size of pages on the x86.
time; the rest is made available one page at a time Common sections are:
until this reserve size is reached.
1. .text/.code/CODE/TEXT - Contains executable
SizeOfStackCommit The number of bytes to commit
code (machine instructions)
for the stack.
CheckSum The image le checksum. The following
les are validated at load time: all drivers, any DLL
loaded at boot time, and any DLL loaded into a critical system process.
SizeOfHeapReserve The number of bytes to reserve

for the local heap. Only the memory specied by the
SizeOfHeapCommit member is committed at load
time; the rest is made available one page at a time
until this reserve size is reached.
SizeOfHeapCommit The number of bytes to commit
for the local heap.
2. .testbss/TEXTBSS - Present if Incremental Linking

is enabled
3. .data/.idata/DATA/IDATA - Contains initialised
data
4. .bss/BSS - Contains uninitialised data
Section Flags
LoaderFlags This member is obsolete.

The section ags is a 32-bit bit eld (each bit in the value
NumberOfRvaAndSizes The number of directory en- represents a certain thing). Here are the constants dened
tries in the remainder of the optional header. Each in the WINNT.H le for the meaning of the ags:
entry describes a location and size.
#dene IMAGE_SCN_TYPE_NO_PAD 0x00000008
DataDirectory Possibly the most interesting member // Reserved.
#dene IMAGE_SCN_CNT_CODE
of this structure. Provides RVAs and sizes which 0x00000020 // Section contains code.
#delocate various data structures, which are used for ne
IMAGE_SCN_CNT_INITIALIZED_DATA
setting up the execution environment of a module. 0x00000040 // Section contains initialized data. #deThe details of what these structures do exist in other ne IMAGE_SCN_CNT_UNINITIALIZED_DATA
sections of this page. The most interesting entries in 0x00000080 // Section contains uninitialized data.
DataDirectory are as follows, Export Directory, Im- #dene IMAGE_SCN_LNK_OTHER 0x00000100
port Directory, Resource Directory, and the Bound // Reserved.
#dene IMAGE_SCN_LNK_INFO
Import directory. Note that the osets in bytes are 0x00000200 // Section contains comments or
relative to the beginning of the optional header.
some other type of information.
#dene IMAGE_SCN_LNK_REMOVE
0x00000800
//
Section contents will not become part of im2.2.6 Code Sections
age.
#dene IMAGE_SCN_LNK_COMDAT
0x00001000 // Section contents comdat.
#deThe PE Header denes the number of sections in the exe- ne
IMAGE_SCN_NO_DEFER_SPEC_EXC
cutable le. Each section denition is 40 bytes in length. 0x00004000 // Reset speculative exceptions hanBelow is an example hex from a program I am writing:
dling bits in the TLB entries for this section. #de2E746578_74000000_00100000_00100000_A8050000 ne IMAGE_SCN_GPREL 0x00008000 // Section
.text 00040000_00000000_00000000_00000000_20000000
content can be accessed relative to GP #dene IM2E646174_61000000_00100000_00200000_86050000 AGE_SCN_MEM_FARDATA 0x00008000 #dene

IMAGE_SCN_MEM_PURGEABLE 0x00020000 #dene IMAGE_SCN_MEM_16BIT 0x00020000 #dene
IMAGE_SCN_MEM_LOCKED 0x00040000 #dene
IMAGE_SCN_MEM_PRELOAD 0x00080000 #dene
IMAGE_SCN_ALIGN_1BYTES 0x00100000 // #dene IMAGE_SCN_ALIGN_2BYTES 0x00200000
//
#dene
IMAGE_SCN_ALIGN_4BYTES
0x00300000
//
#dene
IMAGE_SCN_ALIGN_8BYTES 0x00400000 // #dene
IMAGE_SCN_ALIGN_16BYTES 0x00500000 //
Default alignment if no others are specied. #dene IMAGE_SCN_ALIGN_32BYTES 0x00600000 // #dene
IMAGE_SCN_ALIGN_64BYTES 0x00700000 // #dene IMAGE_SCN_ALIGN_128BYTES 0x00800000
//
#dene
0x00900000
//
#dene
IMAGE_SCN_ALIGN_512BYTES 0x00A00000 // #dene IMAGE_SCN_ALIGN_1024BYTES 0x00B00000
//
#dene
0x00C00000
//
#dene
IMAGE_SCN_ALIGN_4096BYTES 0x00D00000 // #dene IMAGE_SCN_ALIGN_8192BYTES 0x00E00000
// #dene IMAGE_SCN_ALIGN_MASK 0x00F00000
#dene
IMAGE_SCN_LNK_NRELOC_OVFL
0x01000000 // Section contains extended relocations. #dene IMAGE_SCN_MEM_DISCARDABLE
0x02000000 // Section can be discarded.
#dene
IMAGE_SCN_MEM_NOT_CACHED
0x04000000 // Section is not cachable.
#dene
IMAGE_SCN_MEM_NOT_PAGED
0x08000000
// Section is not pageable.
#dene IMAGE_SCN_MEM_SHARED 0x10000000 // Section
is shareable. #dene IMAGE_SCN_MEM_EXECUTE
0x20000000 // Section is executable. #dene IMAGE_SCN_MEM_READ 0x40000000 // Section
is readable.
#dene IMAGE_SCN_MEM_WRITE
0x80000000 // Section is writeable.
2.2.7
Imports and Exports - Linking to

other modules
What is linking?
Whenever a developer writes a program, there are a number of subroutines and functions which are expected to be
implemented already, saving the writer the hassle of having to write out more code or work with complex data
structures. Instead, the coder need only declare one call
to the subroutine, and the linker will decide what happens
next.
There are two types of linking that can be used: static and
dynamic. Static uses a library of precompiled functions.
This precompiled code can be inserted into the nal executable to implement a function, saving the programmer
a lot of time. In contrast, dynamic linking allows subroutine code to reside in a dierent le (or module), which
27
is loaded at runtime by the operating system. This is also
known as a Dynamically linked library, or DLL. A library is a module containing a series of functions or values that can be exported. This is dierent from the term
executable, which imports things from libraries to do what
it wants. From here on, module means any le of PE
format, and a Library is any module which exports and
imports functions and values.
Dynamically linking has the following benets:
It saves disk space, if more than one executable links
to the library module
Allows instant updating of routines, without providing new executables for all applications
Can save space in memory by mapping the code of
a library into more than one process
Increases abstraction of implementation.
The
method by which an action is achieved can be modied without the need for reprogramming of applications. This is extremely useful for backward compatibility with operating systems.
This section discusses how this is achieved using the PE
le format. An important point to note at this point is that
anything can be imported or exported between modules,
including variables as well as subroutines.
Loading
The downside of dynamically linking modules together is
that, at runtime, the software which is initialising an executable must link these modules together. For various
reasons, you cannot declare that The function in this dynamic library will always exist in memory here". If that
memory address is unavailable or the library is updated,
the function will no longer exist there, and the application
trying to use it will break. Instead, each module (library
or executable) must declare what functions or values it exports to other modules, and also what it wishes to import
from other modules.
As said above, a module cannot declare where in memory
it expects a function or value to be. Instead, it declares
where in its own memory it expects to nd a pointer to
the value it wishes to import. This permits the module
to address any imported value, wherever it turns up in
memory.
2.2.8 Exports
Exports are functions and values in one module that
have been declared to be shared with other modules.
This is done through the use of the Export Directory, which is used to translate between the name of
an export (or Ordinal, see below), and a location in
28
memory where the code or data can be found. The
start of the export directory is identied by the IMAGE_DIRECTORY_ENTRY_EXPORT entry of the
resource directory. All export data must exist in the same
section. The directory is headed by the following structure:
struct IMAGE_EXPORT_DIRECTORY { long Characteristics; long TimeDateStamp; short MajorVersion;
short MinorVersion; long Name; long Base; long
NumberOfFunctions; long NumberOfNames; long
*AddressOfFunctions; long *AddressOfNames; long
*AddressOfNameOrdinals; }
The Characteristics value is generally unused, TimeDateStamp describes the time the export directory was
generated, MajorVersion and MinorVersion should describe the version details of the directory, but their nature is undened. These values have little or no impact
on the actual exports themselves. The Name value is
an RVA to a zero terminated ASCII string, the name of
this library name, or module.
dressOfFunctions array point into the section which contains the export directory, something that normal exports should not do. At that location, there should
be a zero terminated ASCII string of format LibraryName.ExportName for the appropriate place to forward
this export to.
2.2.9 Imports
The other half of dynamic linking is importing functions
and values into an executable or other module. Before
runtime, compilers and linkers do not know where in
memory a value that needs to be imported could exist.
The import table solves this by creating an array of pointers at runtime, each one pointing to the memory location
of an imported value. This array of pointers exists inside
of the module at a dened RVA location. In this way, the
linker can use addresses inside of the module to access
values outside of it.
The Import directory
Names and Ordinals Each exported value has both a

name and an ordinal (a kind of index). The actual exports themselves are described through AddressOfFunctions, which is an RVA to an array of RVAs, each pointing
to a dierent function or value to be exported. The size
of this array is in the value NumberOfFunctions. Each of
these functions has an ordinal. The Base value is used
as the ordinal of the rst export, and the next RVA in the
array is Base+1, and so forth.
The start of the import directory is pointed to by

both the IMAGE_DIRECTORY_ENTRY_IAT and IMAGE_DIRECTORY_ENTRY_IMPORT entries of the
resource directory (the reason for this is uncertain). At that location, there is an array of IMAGE_IMPORT_DESCRIPTOR structures. Each of
these identify a library or module that has a value we need
to import. The array continues until an entry where all the
values are zero. The structure is as follows:
Each entry in the AddressOfFunctions array is identied

by a name, found through the RVA AddressOfNames.
The data where AddressOfNames points to is an array of
RVAs, of the size NumberOfNames. Each RVA points
to a zero terminated ASCII string, each being the name
of an export. There is also a second array, pointed to
by the RVA in AddressOfNameOrdinals. This is also of
size NumberOfNames, but each value is a 16 bit word,
each value being an ordinal. These two arrays are parallel and are used to get an export value from AddressOfFunctions. To nd an export by name, search the AddressOfNames array for the correct string and then take
the corresponding ordinal from the AddressOfNameOrdinals array. This ordinal is then used to get an index to
a value in AddressOfFunctions.
struct IMAGE_IMPORT_DESCRIPTOR { long

*OriginalFirstThunk; long TimeDateStamp; long ForwarderChain; long Name; long *FirstThunk; }
The TimeDateStamp is relevant to the act of Binding,
see below. The Name value is an RVA to an ASCII string,
naming the library to import. ForwarderChain will be
explained later. The only thing of interest at this point,
are the RVAs OriginalFirstThunk and FirstThunk. Both
these values point to arrays of RVAs, each of which point
to a IMAGE_IMPORT_BY_NAMES struct. The arrays
are terminated with an entry that is equal to zero. These
two arrays are parallel and point to the same structure, in
the same order. The reason for this will become apparent
shortly.
Each of these IMAGE_IMPORT_BY_NAMES structs

Forwarding As well as being able to export functions has the following form:
and values in a module, the export directory can forward struct IMAGE_IMPORT_BY_NAME { short Hint;
an export to another library. This allows more exibility char Name[1]; }
when re-organising libraries: perhaps some functionality
has branched into another module. If so, an export can be Name is an ASCII string of any size that names the
forwarded to that library, instead of messy reorganising value to be imported. This is used when looking up a
inside the original module.
value in the export directory (see above) through the AdForwarding is achieved by making an RVA in the Ad- dressOfNames array. The Hint value is an index into
29
the AddressOfNames array; to save searching for a string, The OriginalFirstThunk for that index identies the IMthe loader rst checks the AddressOfNames entry corre- AGE_IMPORT_BY_NAME structure for a import that
sponding to Hint.
needs to be resolved, and the FirstThunk for that index is
To summarise: The import table consists of a large ar- the index of another entry that needs to be resolved. This
ray of IMAGE_IMPORT_DESCRIPTORs, terminated continues until the FirstThunk value is 1, indicating no
by an all-zero entry. These descriptors identify a library more forwarded values to import.
to import things from. There are then two parallel RVA
arrays, each pointing at IMAGE_IMPORT_BY_NAME
2.2.10
structures, which identify a specic value to be imported.
Resources
Resource structures
Imports at runtime
Using the above import directory at runtime, the loader
nds the appropriate modules, loads them into memory, and seeks the correct export. However, to be able
to use the export, a pointer to it must be stored somewhere in the importing modules memory. This is why
there are two parallel arrays, OriginalFirstThunk and
FirstThunk, identifying IMAGE_IMPORT_BY_NAME
structures. Once an imported value has been resolved,
the pointer to it is stored in the FirstThunk array. It can
then be used at runtime to address imported values.
Bound imports
The PE le format also supports a peculiar feature known
as binding. The process of loading and resolving import
addresses can be time consuming, and in some situations
this is to be avoided. If a developer is fairly certain that
a library is not going to be updated or changed, then the
addresses in memory of imported values will not change
each time the application is loaded. So, the import address can be precomputed and stored in the FirstThunk
array before runtime, allowing the loader to skip resolving the imports - the imports are bound to a particular memory location. However, if the versions numbers
between modules do not match, or the imported library
needs to be relocated, the loader will assume the bound
addresses are invalid, and resolve the imports anyway.
The TimeDateStamp member of the import directory
entry for a module controls binding; if it is set to zero,
then the import directory is not bound. If it is non-zero,
then it is bound to another module. However, the TimeDateStamp in the import table must match the TimeDateStamp in the bound modules FileHeader, otherwise the
bound values will be discarded by the loader.
Forwarding and binding Binding can of course be a
problem if the bound library / module forwards its exports
to another module. In these cases, the non-forwarded imports can be bound, but the values which get forwarded
must be identied so the loader can resolve them. This
is done through the ForwarderChain member of the import descriptor. The value of ForwarderChain is an index into the FirstThunk and OriginalFirstThunk arrays.
Resources are data items in modules which are dicult to be stored or described using the chosen programming language. This requires a separate compiler or resource builder, allowing insertion of dialog
boxes, icons, menus, images, and other types of resources, including arbitrary binary data. A number of
API calls can then be used to retrieve resources from
the module. The base of resource data is pointed to by
the IMAGE_DIRECTORY_ENTRY_RESOURCE entry of the data directory, and at that location there is an
IMAGE_RESOURCE_DIRECTORY structure:
struct IMAGE_RESOURCE_DIRECTORY { long
Characteristics; long TimeDateStamp; short MajorVersion; short MinorVersion; short NumberOfNamedEntries; short NumberOfIdEntries; }
Characteristics is unused, and TimeDateStamp is normally the time of creation, although it doesn't matter
if its set or not. MajorVersion and MinorVersion relate to the versioning info of the resources: the elds
have no dened values. Immediately following the IMAGE_RESOURCE_DIRECTORY structure is a series
of IMAGE_RESOURCE_DIRECTORY_ENTRYs, the
number of which are dened by the total of NumberOfNamedEntries and NumberOfIdEntries. The rst portion of these entries are for named resources, the latter
for ID resources, depending on the values in the IMAGE_RESOURCE_DIRECTORY struct. The actual
shape of the resource entry structure is as follows:
struct IMAGE_RESOURCE_DIRECTORY_ENTRY {
long NameId; long *Data; }
The NameId value has dual purpose: if the most significant bit (or sign bit) is clear, then the lower 16 bits are
an ID number of the resource. Alternatly, if the top bit
is set, then the lower 31 bits make up an oset from the
start of the resource data to the name string of this particular resource. The Data value also has a dual purpose: if
the most signicant bit is set, the remaining 31 bits form
an oset from the start of the resource data to another
IMAGE_RESOURCE_DIRECTORY (i.e. this entry is
an interior node of the resource tree). Otherwise, this is
a leaf node, and Data contains the oset from the start
of the resource data to a structure which describes the
specics of the resource data itself (which can be consid-
30
ered to be an ordered stream of bytes):
Function Exports
struct IMAGE_RESOURCE_DATA_ENTRY { long

Functions are exported from a DLL le by using the fol*Data; long Size; long CodePage; long Reserved; }
lowing syntax:
The Data value contains an RVA to the actual resource
data, Size is self-explanatory, and CodePage contains
the Unicode codepage to be used for decoding Unicodeencoded strings in the resource (if any). Reserved should
be set to 0.
Layout
The above system of resource directory and entries allows simple storage of resources, by name or ID number. However, this can get very complicated very quickly.
Dierent types of resources, the resources themselves,
and instances of resources in other languages can become
muddled in just one directory of resources. For this reason, the resource directory has been given a structure to
work by, allowing separation of the dierent resources.
For this purpose, the Data value of resource entries
points at another IMAGE_RESOURCE_DIRECTORY
structure, forming a tree-diagram like organisation of resources. The rst level of resource entries identies the
type of the resource: cursors, bitmaps, icons and similar. They use the ID method of identifying the resource
entries, of which there are twelve dened values in total.
More user dened resource types can be added. Each of
these resource entries points at a resource directory, naming the actual resources themselves. These can be of any
name or value. These point at yet another resource directory, which uses ID numbers to distinguish languages,
allowing dierent specic resources for systems using a
dierent language. Finally, the entries in the language
directory actually provide the oset to the resource data
itself, the format of which is not dened by the PE specication and can be treated as an arbitrary stream of bytes.
2.2.11
Relocations
2.2.12
Alternate Bound Import Structure
2.2.13
Windows DLL Files
__declspec(dllexport) void MyFunction() ...

The "__declspec keyword here is not a C language
standard, but is implemented by many compilers to set
extendable, compiler-specic options for functions and
variables. Microsoft C Compiler and GCC versions that
run on windows allow for the __declspec keyword, and
the dllexport property.
Functions may also be exported from regular .exe les,
and .exe les with exported functions may be called dynamically in a similar manner to .dll les. This is a rare
occurrence, however.
Identifying DLL Exports

There are several ways to determine which functions are
exported by a DLL. The method that this book will use
(often implicitly) is to use dumpbin in the following
manner:
dumpbin /EXPORTS <dll le>
This will post a list of the function exports, along with
their ordinal and RVA to the console.
Function Imports
In a similar manner to function exports, a program may
import a function from an external DLL le. The dll le
will load into the process memory when the program is
started, and the function will be used like a local function. DLL imports need to be prototyped in the following
manner, for the compiler and linker to recognize that the
function is coming from an external library:
__declspec(dllimport) void MyFunction();
Windows DLL les are a brand of PE le with a few key

Identifying DLL Imports
dierences:
If is often useful to determine which functions are imported from external libraries when examining a pro A DllMain() entry point, instead of a WinMain() or gram. To list import les to the console, use dumpbin
in the following manner:
main().
A .DLL le extension
The DLL ag set in the PE header.
dumpbin /IMPORTS <dll le>
You can also use depends.exe to list imported and exDLLs may be loaded in one of two ways, a) at load-time, ported functions. Depends is a a GUI tool and comes
or b) by calling the LoadModule() Win32 API function. with Microsoft Platform SDK.
2.3. LINUX
2.3 Linux
31
Bash An acronym for Bourne Again SHell.
Bourne A precursor to Bash.
The Linux page of the X86 Disassembly Wikibook is a

stub. You can help by expanding this section.
Csh C Shell
Ksh Korn Shell
2.3.1
Linux
TCsh A Terminal oriented Csh.
The GNU/Linux operating system is open source, Zsh Z Shell

but at the same time there is so much that constitutes
GNU/Linux that it can be dicult to stay on top of all
aspects of the system. Here we will attempt to boil down 2.3.5 GUIs
some of the most important concepts of the GNU/Linux
Operating System, especially from a reversers standpoint Some of the more-popular GUIs:
2.3.2
System Architecture
The concept of GNU/Linux is mostly a collection of

a large number of software components that are based
o the GNU tools and the Linux kernel. GNU/Linux is
itself broken into a number of variants called distros
which share some similarities, but may also have distinct
peculiarities. In a general sense, all GNU/Linux distros
are based on a variant of the Linux kernel. However,
since each user may edit and recompile their own kernel at will, and since some distros may make certain edits
to their kernels, it is hard to proclaim any one version of
any one kernel as the standard. Linux kernels are generally based o the philosophy that system conguration
details should be stored in aptly-named, human-readable
(and therefore human-editable) conguration les.
KDE K Desktop Environment

GNOME GNU Network Object Modeling Environment
2.3.6 Debuggers
gdb The GNU Debugger. It comes pre-installed on
most Linux distributions and is primarily used to debug ELF executables. manpage
winedbg A debugger for Wine, used to debug Win32
executables under Linux. manpage
edb A fully featured plugin-based debugger inspired by
the famous OllyDbg. Project page
The Linux kernel implements much of the core API, but

certainly not all of it. Much API code is stored in external
modules (although users have the option of compiling all 2.3.7 File Analyzers
these modules together into a Monolithic Kernel).
strings Finds printable strings in a le. When, for exOn top of the kernel generally runs one or more shells.
ample, a password is stored in the binary itself (deBash is one of the more popular shells, but many users
ned statically in the source), the string can then be
prefer other shells, especially for dierent tasks.
extracted from the binary without ever needing to
execute it. manpage
Beyond the shell, Linux distros frequently oer a GUI
(although many distros do not have a GUI at all, usually
for performance reasons).
le Determines a le type, useful for determining
whether an executable has been stripped and
Since each GUI often supplies its own underlying framewhether its been dynamically (or statically) linked.
work and API, certain graphical applications may run on
manpage
only one GUI. Some applications may need to be recompiled (and a few completely rewritten) to run on another
objdump Disassembles object les, executables and liGUI.
braries. Can list internal le structure and disassemble specic sections. Supports both Intel and AT&T
syntax
2.3.3 Conguration Files
2.3.4
Shells
Here are some popular shells:
nm Lists symbols from executable les. Doesn't work

on stripped binaries. Used mostly on debugging version of executables.
32
2.4 Linux Executable Files

ELF header
The Linux Executable Files page of the X86 Disassembly

Wikibook is a stub. You can help by expanding this section.
2.4.1
ELF Files
Program header table
.text
.rodata
The ELF le format (short for Executable and Linking Format) was developed by Unix System Laboratories to be a successor to previous le formats such as
COFF and a.out. In many respects, the ELF format is
more powerful and versatile than previous formats, and
has widely become the standard on Linux, Solaris, IRIX,
and FreeBSD (although the FreeBSD-derived Mac OS
X uses the Mach-O format instead). ELF has also been
adopted by OpenVMS for Itanium and BeOS for x86.
...
.data
Section header table
Historically, Linux has not always used ELF; Red Hat An ELF le has two views: the program header shows the segLinux 4 was the rst time that distribution used ELF; pre- ments used at run-time, while the section header lists the set of
sections of the binary.
vious versions had used the a.out format.
ELF Objects are broken down into dierent segments
and/or sections. These can be located by using the ELF
header found at the rst byte of the object. The ELF
header provides the location for both the program header
and the section header. Using these data structures the
rest of the ELF objects contents can be found, this includes .text and .data segments which contain code and
data respectively.
2.4.2 Relocatable ELF Files

Relocatable ELF les are created by compilers. They
need to be linked before running.
Those les are often found in .a archives, with a .o extension.
The GNU readelf utility, from the binutils package, is a

2.4.3
common tool for parsing ELF objects.
a.out Files
a.out is a very simple format consisting of a header (at

oset 0) which contains the size of 3 executable sections
File Format
(code, data, bss), plus pointers to additional information
such as relocations (for .o les), symbols and symbols
Each ELF le is made up of one ELF header, followed
strings. The actual sections contents follows the header.
by le data. The le data can include:
Osets of dierent sections are computed from the size
of the previous section.
Program header table, describing zero or more segThe a.out format is now rarely used.
ments
Section header table, describing zero or more sections
Data referred to by entries in the program or section
header table
The segments contain information that is necessary for
runtime execution of the le, while sections contain important data for linking and relocation. Each byte in the
entire le is taken by no more than one section at a time,
but there can be orphan bytes, which are not covered by
a section. In the normal case of a Unix executable one or
more sections are enclosed in one segment.
File Format
Chapter 3
Code Patterns
3.1 The Stack
3.1.1
because other functions may overwrite these values without your knowledge.
The Stack
Push
Pop
Users of Windows ME, 98, 95, 3.1 (and earlier) may

fondly remember the infamous Blue Screen of Death
-- that was sometimes caused by a stack overow exception. This occurs when too much data is written to the
stack, and the stack grows beyond its limits. Modern
operating systems use better bounds-checking and error
recovery to reduce the occurrence of stack overows, and
to maintain system stability after one has occurred.
3.1.2 Push and Pop

The following lines of ASM code are basically equivalent:
but the single command actually performs much faster

than the alternative. It can be visualized that the stack
grows from right to left, and esp decreases as the stack
Generally speaking, a stack is a data structure that stores grows in size.
data values contiguously in memory. Unlike an array,
however, you access (read or write) data only at the top
of the stack. To read from the stack is said "to pop" and
to write to the stack is said "to push". A stack is also
known as a LIFO queue (Last In First Out) since values 3.1.3 ESP In Action
are popped from the stack in the reverse order that they
are pushed onto it (think of how you pile up plates on a Lets say we want to quickly discard 3 items we pushed
table). Popped data disappears from the stack.
earlier onto the stack, without saving the values (in other
All x86 architectures use a stack as a temporary storage words clean the stack). The following works:
area in RAM that allows the processor to quickly store
and retrieve data in memory. The current top of the stack pop eax pop eax pop eax
is pointed to by the esp register. The stack grows downward, from high to low memory addresses, so values recently pushed onto the stack are located in memory ad- However there is a faster method. We can simply perdresses above the esp pointer. No register specically form some basic arithmetic on esp to make the pointer go
points to the bottom of the stack, although most operating above the data items, so they cannot be read anymore,
systems monitor the stack bounds to detect both under- and can be overwritten with the next round of push comow (popping an empty stack) and overow (pushing mands.
too much information on the stack) conditions.
add esp, 12 ; 12 is 3 DWORDs (4 bytes * 3)
When a value is popped o the stack, the value remains
sitting in memory until overwritten. However, you should Likewise, if we want to reserve room on the stack for an
never rely on the content of memory addresses below esp, item bigger than a DWORD, we can use a subtraction
33
34
CHAPTER 3. CODE PATTERNS
to articially move esp forward. We can then access our

reserved memory directly as a memory pointer, or we can
access it indirectly as an oset value from esp itself.
3.2 Functions and Stack Frames
Say we wanted to create an array of byte values on the

stack, 100 items long. We want to store the pointer to the
base of this array in edi. How do we do it? Here is an 3.2.1 Functions and Stack Frames
example:
sub esp, 100 ; num of bytes in our array mov edi, esp ; To allow for many unknowns in the execution environment, functions are frequently set up with a "stack
copy address of 100 bytes area to edi
frame" to allow access to both function parameters, and
automatic function variables. The idea behind a stack
To destroy that array, we simply write the instruction
frame is that each subroutine can act independently of its
location on the stack, and each subroutine can act as if it
add esp, 100
is the top of the stack.
3.1.4
Reading Without Popping
To read values on the stack without popping them o the

stack, esp can be used with an oset. For instance, to
read the 3 DWORD values from the top of the stack into
eax (but without using a pop instruction), we would use
the instructions:
When a function is called, a new stack frame is created at

the current esp location. A stack frame acts like a partition on the stack. All items from previous functions
are higher up on the stack, and should not be modied.
Each current function has access to the remainder of the
stack, from the stack frame until the end of the stack page.
The current function always has access to the top of the
stack, and so functions do not need to take account of the
memory usage of other functions or programs.
mov eax, DWORD PTR SS:[esp] mov eax, DWORD

PTR SS:[esp + 4] mov eax, DWORD PTR SS:[esp + 8] 3.2.2
Remember, since esp moves downward as the stack
grows, data on the stack can be accessed with a positive oset. A negative oset should never be used because data above the stack cannot be counted on to stay
the way you left it. The operation of reading from the
stack without popping is often referred to as peeking,
but since this isn't the ocial term for it this wikibook
won't use it.
3.1.5
Data Allocation
There are two areas in the computer memory where a

program can store data. The rst, the one that we have
been talking about, is the stack. It is a linear LIFO buer
that allows fast allocations and deallocations, but has a
limited size. The heap is typically a non-linear data storage area, typically implemented using linked lists, binary
trees, or other more exotic methods. Heaps are slightly
more dicult to interface with and to maintain than a
stack, and allocations/deallocations are performed more
slowly. However, heaps can grow as the data grows, and
new heaps can be allocated when data quantities become
too large.
Standard Entry Sequence
For many compilers, the standard function entry sequence

is the following piece of code (X is the total size, in bytes,
of all automatic variables used in the function):
push ebp mov ebp, esp sub esp, X
For example, here is a C function code fragment and the
resulting assembly instructions:
void MyFunction() { int a, b, c; ...
_MyFunction: push ebp ; save the value of ebp mov ebp,
esp ; ebp now points to the top of the stack sub esp, 12 ;
space allocated on the stack for the local variables
This means local variables can be accessed by referencing
ebp. Consider the following C code fragment and corresponding assembly code:
a = 10; b = 5; c = 2;
mov [ebp - 4], 10 ; location of variable a mov [ebp - 8],
5 ; location of b mov [ebp - 12], 2 ; location of c
This all seems well and good, but what is the purpose of
ebp in this setup? Why save the old value of ebp and then
point ebp to the top of the stack, only to change the value
of esp with the next instruction? The answer is function
As we shall see, explicitly declared variables are allocated parameters.
on the stack. Stack variables are nite in number, and
have a denite size. Heap variables can be variable in Consider the following C function declaration:
number and in size. We will discuss these topics in more void MyFunction2(int x, int y, int z) { ... }
detail later.
3.2. FUNCTIONS AND STACK FRAMES
35
It produces the following assembly code:
2007/03/12/fpo.aspx)] This means that the value of esp

_MyFunction2: push ebp mov ebp, esp sub esp, 0 ; no cannot be reliably used to determine (using the appropriate oset) the memory location of a specic local varilocal variables, most compilers will omit this line
able. To solve this problem, many compilers access local
variables using negative osets from the ebp registers.
Which is exactly as one would expect. So, what ex- This allows us to assume that the same oset is always
actly does ebp do, and where are the function parameters used to access the same variable (or parameter). For this
stored? The answer is found when we call the function.
reason, the ebp register is called the frame pointer, or
FP.
Consider the following C function call:
MyFunction2(10, 5, 2);
3.2.3 Standard Exit Sequence
This will create the following assembly code (using

a Right-to-Left calling convention called CDECL, ex- The Standard Exit Sequence must undo the things that the
plained later):
Standard Entry Sequence does. To this eect, the Standard Exit Sequence must perform the following tasks, in
push 2 push 5 push 10 call _MyFunction2
the following order:
Note: Remember that the call x86 instruction is basically
equivalent to
push eip + 2 ; return address is current address + size of
two instructions jmp _MyFunction2
1. Remove space for local variables, by reverting esp

to its old value.
2. Restore the old value of ebp to its old value, which
is on top of the stack.
It turns out that the function arguments are all passed on

the stack! Therefore, when we move the current value
3. Return to the calling function with a ret command.
of the stack pointer (esp) into ebp, we are pointing ebp
directly at the function arguments. As the function code
pushes and pops values, ebp is not aected by esp. Re- As an example, the following C code:
member that pushing basically does this:
void MyFunction3(int x, int y, int z) { int a, int b, int c;
sub esp, 4 ; allocate space for the new stack item mov ... return; }
[esp], X ; put new stack item value X in
Will create the following assembly code:
This means that rst the return address and then the old
value of ebp are put on the stack. Therefore [ebp] points
to the location of the old value of ebp, [ebp + 4] points to
the return address, and [ebp + 8] points to the rst function argument. Here is a (crude) representation of the
stack at this point:
_MyFunction3: push ebp mov ebp, esp sub esp, 12 ;

sizeof(a) + sizeof(b) + sizeof(c) ;x = [ebp + 8], y = [ebp
+ 12], z = [ebp + 16] ;a = [ebp - 4] = [esp + 8], b = [ebp
- 8] = [esp + 4], c = [ebp - 12] = [esp] mov esp, ebp pop
ebp ret 12 ; sizeof(x) + sizeof(y) + sizeof(z)
: : | 2 | [ebp + 16] (3rd function argument) | 5 | [ebp + 12]

(2nd argument) | 10 | [ebp + 8] (1st argument) | RA | [ebp
+ 4] (return address) | FP | [ebp] (old ebp value) | | [ebp - 3.2.4 Non-Standard Stack Frames
4] (1st local variable) : : : : | | [ebp - X] (esp - the current
stack pointer. The use of push / pop is valid now)
Frequently, reversers will come across a subroutine that
The stack pointer value may change during the execution doesn't set up a standard stack frame. Here are some
of the current function. In particular this happens when: things to consider when looking at a subroutine that does
not start with a standard sequence:
parameters are passed to another function;
the pseudo-function alloca()" is used.
[FIXME: When parameters are passed into another function the esp changing is not an issue. When that function returns the esp will be back to its old value. So
why does ebp help there. This needs better explanation. (The real explanation is here, ESP is not really
needed: http://blogs.msdn.com/larryosterman/archive/
Using Uninitialized Registers

When a subroutine starts using data in an uninitialized
register, that means that the subroutine expects external
functions to put data into that register before it gets called.
Some calling conventions pass arguments in registers, but
sometimes a compiler will not use a standard calling convention.
36
static Functions
struction pointer is currently pointing at any one of them.

Using a single mov instruction as placeholder on the other
In C, functions may optionally be declared with the static hand guarantees that the patching can be completed as an
atomic transaction.
keyword, as such:
static void MyFunction4();
The static keyword causes a function to have only local scope, meaning it may not be accessed by any external functions (it is strictly internal to the given code le).
When an optimizing compiler sees a static function that is
only referenced by calls (no references through function
pointers), it knows that external functions cannot possibly interface with the static function (the compiler controls all access to the function), so the compiler doesn't
bother making it standard.
3.2.5 Local Static Variables

Local static variables cannot be created on the stack, since
the value of the variable is preserved across function calls.
We'll discuss local static variables and other types of variables in a later chapter.
3.3 Functions and Stack Frame

Examples
Hot Patch Prologue

Some Windows functions set up a regular stack frame as
explained above, but start out with the apparently non3.3.1
sensical line
mov edi, edi;
Given the following disassembled function (in MASM

syntax), how many 4-byte parameters does this function
This instruction is assembled into 2 bytes which serve as a receive? How many variables are created on the stack?
placeholder for future function patches. Taken as a whole What does this function do?
such a function might look like this:
nop ; each nop is 1 byte long nop nop nop nop FUNCTION: ; <-- This is the function entry point as used by
call instructions mov edi, edi ; mov edi,edi is 2 bytes
long push ebp ; regular stack frame setup mov ebp, esp
_Question1: push ebp mov ebp, esp sub esp, 4 mov eax,
[ebp + 8] mov ecx, 2 mul ecx mov [esp + 0], eax mov
eax, [ebp + 12] mov edx, [esp + 0] add eax, edx mov
esp, ebp pop ebp ret
If such a function needs to be replaced without reloading

the application (or restarting the machine in case of kernel patches) it can be achieved by inserting a jump to the
replacement function. A short jump instruction (which
can jump +/- 127 bytes) requires 2 bytes of storage space
- just the amount that the mov edi,edi placeholder provides. A jump to any memory location, in this case to
our replacement function, requires 5 bytes. These are
provided by the 5 no-operation bytes just preceding the
function. If a function thus patched gets called it will rst
jump back by 5 bytes and then do a long jump to the replacement function. After the patch the memory might
look like this
The function above takes 2 4-byte parameters, accessed

by osets +8 and +12 from ebp. The function also has 1
variable created on the stack, accessed by oset +0 from
esp. The function is nearly identical to this C code:
int Question1(int x, int y) { int z; z = x * 2; return y + z;
}
3.3.2 Example: Standard Entry Sequences

Does the following function follow the Standard Entry
and Exit Sequences? if not, where does it dier?
LABEL: jmp REPLACEMENT_FUNCTION ; <-- 5

NOPs replaced by jmp FUNCTION: jmp short LABEL
; <-- mov edi has been replaced by short jump backwards _Question2: call _SubQuestion2 mov ecx, 2 mul ecx ret
push ebp mov ebp, esp ; <-- regular stack frame setup as
The function does not follow the standard entry sequence,
before
because it doesn't set up a proper stack frame with ebp
The reason for using a 2-byte mov instruction at the be- and esp. The function basically performs the following C
ginning instead of putting 5 nops there directly, is to pre- instructions:
vent corruption during the patching process. There would int Question2() { return SubQuestion2() * 2; }
be a risk with replacing 5 individual instructions if the in-
3.4. CALLING CONVENTIONS
37
Although an optimizing compiler has chosen to take a few will generate the following code if passed Left-to-Right:
shortcuts.
push a push b call _MyFunction
3.4 Calling Conventions
and will generate the following code if passed Right-toLeft:

push b push a call _MyFunction
3.4.1
Calling Conventions
Return value Some functions return a value, and that

value must be received reliably by the functions
caller. The called function places its return value
in a place where the calling function can get it when
execution returns. The called function stores the return value before executing the ret instruction.
Calling conventions are a standardized method for functions to be implemented and called by the machine. A
calling convention species the method that a compiler
sets up to access a subroutine. In theory, code from any
compiler can be interfaced together, so long as the functions all have the same calling conventions. In practice Cleaning the stack When arguments are pushed onto
however, this is not always the case.
the stack, eventually they must be popped back o
again. Whichever function, the caller or the callee,
Calling conventions specify how arguments are passed to
is responsible for cleaning the stack must reset the
a function, how return values are passed back out of a
stack pointer to eliminate the passed arguments.
function, how the function is called, and how the function
manages the stack and its stack frame. In short, the calling convention species how a function call in C or C++ Calling function (the caller) The parent function
is converted into assembly language. Needless to say,
that calls the subroutine. Execution resumes in the
there are many ways for this translation to occur, which
calling function directly after the subroutine call,
is why its so important to specify certain standard methunless the program terminates inside the subroutine.
ods. If these standard conventions did not exist, it would
be nearly impossible for programs created using dierent
compilers to communicate and interact with one another. Called function (the callee) The child function that
gets called by the parent.
There are three major calling conventions that are used
with the C language: STDCALL, CDECL, and FASTName Decoration When C code is translated to assemCALL. In addition, there is another calling convenbly code, the compiler will often decorate the
tion typically used with C++: THISCALL. There are
function name by adding extra information that the
other calling conventions as well, including PASCAL and
linker will use to nd and link to the correct funcFORTRAN conventions, among others. We will not contions. For most calling conventions, the decoration
sider those conventions in this book.
is very simple (often only an extra symbol or two
to denote the calling convention), but in some extreme cases (notably C++ thiscall convention), the
3.4.2 Notes on Terminology
names are mangled severely.
There are a few terms that we are going to be using in this
chapter, which are mostly common sense, but which are Entry sequence (the function prologue) a few inworthy of stating directly:
structions at the beginning of a function, which
prepare the stack and registers for use within the
function.
Passing arguments passing arguments is a way of
saying that the calling function is writing data in the
place where the called function will look for them. Exit sequence (the function epilogue) a few instrucArguments are passed before the call instruction is
tions at the end of a function, which restore the stack
executed.
and registers to the state expected by the caller, and
return to the caller. Some calling conventions clean
the stack in the exit sequence.
Right-to-Left and Left-to-Right These describe the
manner that arguments are passed to the subroutine,
in terms of the High-level code. For instance, the Call sequence a few instructions in the middle of a funcfollowing C function call:
tion (the caller) which pass the arguments and call
the called function. After the called function has
MyFunction1(a, b);
returned, some calling conventions have one more
instruction in the call sequence to clean the stack.
38
3.4.3
Standard C Calling Conventions
The C language, by default, uses the CDECL calling

convention, but most compilers allow the programmer
to specify another convention via a specier keyword.
These keywords are not part of the ISO-ANSI C standard, so you should always check with your compiler documentation about implementation specics.
If a calling convention other than CDECL is to be used,
or if CDECL is not the default for your compiler, and
you want to manually use it, you must specify the calling convention keyword in the function declaration itself,
and in any prototypes for the function. This is important
because both the calling function and the called function
need to know the calling convention.
CDECL
In the CDECL calling convention the following holds:
STDCALL
STDCALL, also known as WINAPI (and a few other
names, depending on where you are reading it) is used almost exclusively by Microsoft as the standard calling convention for the Win32 API. Since STDCALL is strictly
dened by Microsoft, all compilers that implement it do
it the same way.
STDCALL passes arguments right-to-left, and returns the value in eax. (The Microsoft documentation erroneously claimed that arguments are passed
left-to-right, but this is not the case.)
The called function cleans the stack, unlike CDECL.
This means that STDCALL doesn't allow variablelength argument lists.
Consider the following C function:
_stdcall int MyFunction2(int a, int b) { return a + b; }
and the calling instruction:

Arguments are passed on the stack in Right-to-Left x = MyFunction2(2, 3);
order, and return values are passed in eax.
The calling function cleans the stack. This allows
CDECL functions to have variable-length argument
lists (aka variadic functions). For this reason the
number of arguments is not appended to the name
of the function by the compiler, and the assembler
and the linker are therefore unable to determine if
an incorrect number of arguments is used.
These will produce the following respective assembly

code fragments:
:_MyFunction2@8 push ebp mov ebp, esp mov eax, [ebp
+ 8] mov edx, [ebp + 12] add eax, edx pop ebp ret 8
and
push 3 push 2 call _MyFunction2@8
Variadic functions usually have special entry code, gen- There are a few important points to note here:
erated by the va_start(), va_arg() C pseudo-functions.
Consider the following C instructions:
_cdecl int MyFunction1(int a, int b) { return a + b; }
and the following function call:
x = MyFunction1(2, 3);
These would produce the following assembly listings, respectively:
1. In the function body, the ret instruction has an (optional) argument that indicates how many bytes to
pop o the stack when the function returns.
2. STDCALL functions are name-decorated with a
leading underscore, followed by an @, and then the
number (in bytes) of arguments passed on the stack.
This number will always be a multiple of 4, on a 32bit aligned machine.
_MyFunction1: push ebp mov ebp, esp mov eax, [ebp + FASTCALL
8] mov edx, [ebp + 12] add eax, edx pop ebp ret
The FASTCALL calling convention is not completely
standard across all compilers, so it should be used with
and
caution. In FASTCALL, the rst 2 or 3 32-bit (or
push 3 push 2 call _MyFunction1 add esp, 8
smaller) arguments are passed in registers, with the most
commonly used registers being edx, eax, and ecx. AdWhen translated to assembly code, CDECL functions ditional arguments, or arguments larger than 4-bytes are
are almost always prepended with an underscore (thats passed on the stack, often in Right-to-Left order (simiwhy all previous examples have used "_ in the assembly lar to CDECL). The calling function most frequently is
code).
responsible for cleaning the stack, if needed.
3.4. CALLING CONVENTIONS
39
Because of the ambiguities, it is recommended that Name Mangling

FASTCALL be used only in situations with 1, 2, or 3
Because of the complexities inherent in function over32-bit arguments, where speed is essential.
loading, C++ functions are heavily name-decorated to the
The following C function:
point that people often refer to the process as Name
_fastcall int MyFunction3(int a, int b) { return a + b; }
Mangling. Unfortunately C++ compilers are free to do
the name-mangling dierently since the standard does
not enforce a convention. Additionally, other issues such
and the following C function call:
as exception handling are also not standardized.
x = MyFunction3(2, 3);
Since every compiler does the name-mangling dierently, this book will not spend too much time discussing
Will produce the following assembly code fragments for the specics of the algorithm. Notice that in many cases,
the called, and the calling functions, respectively:
its possible to determine which compiler created the exe:@MyFunction3@8 push ebp mov ebp, esp ;many cutable by examining the specics of the name-mangling
compilers create a stack frame even if it isn't used add format. We will not cover this topic in this much depth
in this book, however.
eax, edx ;a is in eax, b is in edx pop ebp ret
Here are a few general remarks about THISCALL namemangled functions:
and
;the calling function mov eax, 2 mov edx, 3 call @MyFunction3@8
The name decoration for FASTCALL prepends an @ to
the function name, and follows the function name with
@x, where x is the number (in bytes) of arguments passed
to the function.
They are recognizable on sight because of their complexity when compared to CDECL, FASTCALL,
and STDCALL function name decorations
They sometimes include the name of that functions
class.
They almost always include the number and type of

Many compilers still produce a stack frame for FASTthe arguments, so that overloaded functions can be
CALL functions, especially in situations where the
dierentiated by the arguments passed to it.
FASTCALL function itself calls another subroutine.
However, if a FASTCALL function doesn't need a stack
Here is an example of a C++ class and function declaraframe, optimizing compilers are free to omit it.
tion:
3.4.4
C++ Calling Convention
class MyClass { MyFunction(int

Class::MyFunction(2) { }
a);
My-
C++ requires that non-static methods of a class be called And here is the resultant mangled name:
by an instance of the class. Therefore it uses its own stan- ?MyFunction@MyClass@@QAEHH@Z
dard calling convention to ensure that pointers to the object are passed to the function: THISCALL.
Extern C
In a C++ source le, functions placed in an extern C
block are guaranteed not to be mangled. This is done frequently when libraries are written in C++, and the funcIn THISCALL, the pointer to the class object is passed in tions need to be exported without being mangled. Even
ecx, the arguments are passed Right-to-Left on the stack, though the program is written in C++ and compiled with
and the return value is passed in eax.
a C++ compiler, some of the functions might therefore
not be mangled and will use one of the ordinary C calling
For instance, the following C++ instruction:
conventions (typically CDECL).
MyObj.MyMethod(a, b, c);
THISCALL
Would form the following asm code:

mov ecx, MyObj push c push b push a call _MyMethod
3.4.5 Note on Name Decorations
We've been discussing name decorations in this chapter,

but the fact is that in pure disassembled code there typiAt least, it would look like the assembly code above if it cally are no names whatsoever, especially not names with
weren't for name mangling.
fancy decorations. The assembly stage removes all these
40
readable identiers, and replaces them with the binary lo- CDECL
cations instead. Function names really only appear in two
places:
int MyFunction(int x, int y) { return (x * 2) + (y * 3); }
1. Listing les produced during compilation
2. In export tables, if functions are exported
When disassembling raw machine code, there will be no
function names and no name decorations to examine. For
this reason, you will need to pay more attention to the way
parameters are passed, the way the stack is cleaned, and
other similar details.
While we haven't covered optimizations yet, suce it to
say that optimizing compilers can even make a mess out
of these details. Functions which are not exported do not
necessarily need to maintain standard interfaces, and if it
is determined that a particular function does not need to
follow a standard convention, some of the details will be
optimized away. In these cases, it can be dicult to determine what calling conventions were used (if any), and it
is even dicult to determine where a function begins and
ends. This book cannot account for all possibilities, so
we try to show as much information as possible, with the
knowledge that much of the information provided here
will not be available in a true disassembly situation.
3.4.6
Further reading
x86 Disassembly/Calling Convention Examples

Embedded Systems/Mixed C and Assembly Programming describes calling conventions on other
CPUs.
becomes:
PUBLIC _MyFunction _TEXT SEGMENT _x$ = 8
; size = 4 _y$ = 12 ; size = 4 _MyFunction PROC
NEAR ; Line 4 push ebp mov ebp, esp ; Line 5 mov
eax, _y$[ebp] imul eax, 3 mov ecx, _x$[ebp] lea eax,
[eax+ecx*2] ; Line 6 pop ebp ret 0 _MyFunction ENDP
_TEXT ENDS END
On entry of a function, ESP points to the return address
pushed on the stack by the call instruction (that is, previous contents of EIP). Any argument in stack of higher
address than entry ESP is pushed by caller before the call
is made; in this example, the rst argument is at oset
+4 from ESP (EIP is 4 bytes wide), plus 4 more bytes
once the EBP is pushed on the stack. Thus, at line 5, ESP
points to the saved frame pointer EBP, and arguments are
located at addresses ESP+8 (x) and ESP+12 (y).
For CDECL, caller pushes arguments into stack in a right
to left order. Because ret 0 is used, it must be the caller
who cleans up the stack.
As a point of interest, notice how lea is used in this function to simultaneously perform the multiplication (ecx *
2), and the addition of that quantity to eax. Unintuitive
instructions like this will be explored further in the chapter on unintuitive instructions.
FASTCALL
3.5 Calling Convention Examples

becomes:
PUBLIC @MyFunction@8 _TEXT SEGMENT _y$

= 8 ; size = 4 _x$ = 4 ; size = 4 @MyFunction@8
PROC NEAR ; _x$ = ecx ; _y$ = edx ; Line 4 push
ebp mov ebp, esp sub esp, 8 mov _y$[ebp], edx mov
Here is a simple function in C:
_x$[ebp], ecx ; Line 5 mov eax, _y$[ebp] imul eax, 3
int MyFunction(int x, int y) { return (x * 2) + (y * 3); } mov ecx, _x$[ebp] lea eax, [eax+ecx*2] ; Line 6 mov
esp, ebp pop ebp ret 0 @MyFunction@8 ENDP _TEXT
Using cl.exe, we are going to generate 3 separate list- ENDS END
ings for MyFunction, one with CDECL, one with FASTCALL, and one with STDCALL calling conventions. On This function was compiled with optimizations turned
the commandline, there are several switches that you can o. Here we see arguments are rst saved in stack then
use to force the compiler to change the default:
fetched from stack, rather than be used directly. This is
3.5.1
/Gd : The default calling convention is CDECL

/Gr : The default calling convention is FASTCALL
/Gz : The default calling convention is STDCALL
Using these commandline options, here are the listings:
because the compiler wants a consistent way to use all arguments via stack access, not only one compiler does like
that.
There is no argument is accessed with positive oset to
entry SP, it seems caller doesnt pushed in them, thus it
can use ret 0. Lets do further investigation:
3.5. CALLING CONVENTION EXAMPLES
41
int FastTest(int x, int y, int z, int a, int b, int c) { return x ; size = 4 _STDCALLTest@24 PROC NEAR ; Line
* y * z * a * b * c; }
2 push ebp mov ebp, esp ; Line 3 mov eax, _x$[ebp]
imul eax, DWORD PTR _y$[ebp] imul eax, DWORD
PTR _z$[ebp] imul eax, DWORD PTR _a$[ebp] imul
and the corresponding listing:
eax, DWORD PTR _b$[ebp] imul eax, DWORD
PUBLIC @FastTest@24 _TEXT SEGMENT _y$ = PTR _c$[ebp] ; Line 4 pop ebp ret 24 ; 00000018H
8 ; size = 4 _x$ = 4 ; size = 4 _z$ = 8 ; size = _STDCALLTest@24 ENDP _TEXT ENDS END
4 _a$ = 12 ; size = 4 _b$ = 16 ; size = 4 _c$ = 20 ;
size = 4 @FastTest@24 PROC NEAR ; _x$ = ecx ;
_y$ = edx ; Line 2 push ebp mov ebp, esp sub esp, 8 Yes the only dierence between STDCALL and CDECL
mov _y$[ebp], edx mov _x$[ebp], ecx ; Line 3 mov is that the former does stack clean up in callee, the later
eax, _x$[ebp] imul eax, DWORD PTR _y$[ebp] imul in caller. This saves a little bit in X86 due to its ret n.
eax, DWORD PTR _z$[ebp] imul eax, DWORD PTR
_a$[ebp] imul eax, DWORD PTR _b$[ebp] imul eax,
3.5.2 GNU C Compiler
DWORD PTR _c$[ebp] ; Line 4 mov esp, ebp pop ebp
ret 16 ; 00000010H
We will be using 2 example C functions to demonstrate
how GCC implements calling conventions:
Now we have 6 arguments, four are pushed in by caller
int MyFunction1(int x, int y) { return (x * 2) + (y * 3); }
from right to left, and last two are passed again in cx/dx,
and processed the same way as previous example. Stack
cleanup is done by ret 16, which corresponding to 4 ar- and
guments pushed before call executed.
int MyFunction2(int x, int y, int z, int a, int b, int c) {
For FASTCALL, compiler will try to pass arguments in
registers, if not enough caller will pushed them into stack
still in an order from right to left. Stack cleanup is done
by callee. It is called FASTCALL because if arguments
can be passed in registers (for 64bit CPU the maximum
number is 6), no stack push/clean up is needed.
The name-decoration scheme of the function: @MyFunction@n, here n is stack size needed for all arguments.
return x * y * (z + 1) * (a + 2) * (b + 3) * (c + 4); }
GCC does not have commandline arguments to force the
default calling convention to change from CDECL (for
C), so they will be manually dened in the text with the
directives: __cdecl, __fastcall, and __stdcall.
CDECL
STDCALL
The rst function (MyFunction1) provides the following

assembly listing:
_MyFunction1: pushl %ebp movl %esp, %ebp movl

8(%ebp), %eax leal (%eax,%eax), %ecx movl 12(%ebp),
%edx movl %edx, %eax addl %eax, %eax addl %edx,
%eax leal (%eax,%ecx), %eax popl %ebp ret
becomes:
PUBLIC _MyFunction@8 _TEXT SEGMENT _x$ =
8 ; size = 4 _y$ = 12 ; size = 4 _MyFunction@8 PROC
NEAR ; Line 4 push ebp mov ebp, esp ; Line 5 mov
eax, _y$[ebp] imul eax, 3 mov ecx, _x$[ebp] lea eax,
[eax+ecx*2] ; Line 6 pop ebp ret 8 _MyFunction@8
ENDP _TEXT ENDS END
First of all, we can see the name-decoration is the same as

in cl.exe. We can also see that the ret instruction doesn't
have an argument, so the calling function is cleaning the
stack. However, since GCC doesn't provide us with the
variable names in the listing, we have to deduce which
parameters are which. After the stack frame is set up, the
The STDCALL listing has only one dierence than the
rst instruction of the function is movl 8(%ebp), %eax.
CDECL listing that it uses ret 8 for self clean up of One we remember (or learn for the rst time) that GAS
stack. Lets do an example with more parameters:
instructions have the general form:
int STDCALLTest(int x, int y, int z, int a, int b, int c) { instruction src, dest
return x * y * z * a * b * c; }
We realize that the value at oset +8 from ebp (the last
parameter pushed on the stack) is moved into eax. The
Lets take a look at how this function gets translated into leal instruction is a little more dicult to decipher, espeassembly by cl.exe:
cially if we don't have any experience with GAS instrucPUBLIC _STDCALLTest@24 _TEXT SEGMENT tions. The form leal(reg1,reg2), dest adds the values
_x$ = 8 ; size = 4 _y$ = 12 ; size = 4 _z$ = 16 ; size in the parenthesis together, and stores the value in dest.
= 4 _a$ = 20 ; size = 4 _b$ = 24 ; size = 4 _c$ = 28 Translated into Intel syntax, we get the instruction:
42
lea ecx, [eax + eax]
creased by 2 (a). +16 gets increased by 3 (b), and +20

gets increased by 4 (c). Lets list these values then:
Which is clearly the same as a multiplication by 2. The

rst value accessed must then have been the last value
passed, which would seem to indicate that values are
passed right-to-left here. To prove this, we will look at
the next section of the listing:
z = [ebp + 8] a = [ebp + 12] b = [ebp + 16] c = [ebp +

20]
c is the furthest down, and therefore was the rst pushed.

z is the highest to the top, and was therefore the last
pushed. Arguments are therefore pushed in right-to-left
movl 12(%ebp), %edx movl %edx, %eax addl %eax, order, just like cl.exe.
%eax addl %edx, %eax leal (%eax,%ecx), %eax
the value at oset +12 from ebp is moved into edx. edx
is then moved into eax. eax is then added to itselt (eax *
2), and then is added back to edx (edx + eax). remember
though that eax = 2 * edx, so the result is edx * 3. This STDCALL
then is clearly the y parameter, which is furthest on the
stack, and was therefore the rst pushed. CDECL then on Lets compare then the implementation of MyFunction1
GCC is implemented by passing arguments on the stack in GCC:
in right-to-left order, same as cl.exe.
.globl _MyFunction1@8 .def _MyFunction1@8; .scl 2;
.type 32; .endef _MyFunction1@8: pushl %ebp movl
%esp, %ebp movl 8(%ebp), %eax leal (%eax,%eax),
FASTCALL
%ecx movl 12(%ebp), %edx movl %edx, %eax addl
.globl @MyFunction1@8 .def @MyFunction1@8; .scl %eax, %eax addl %edx, %eax leal (%eax,%ecx), %eax
2; .type 32; .endef @MyFunction1@8: pushl %ebp popl %ebp ret $8
movl %esp, %ebp subl $8, %esp movl %ecx, 4(%ebp)
movl %edx, 8(%ebp) movl 4(%ebp), %eax leal The name decoration is the same as in cl.exe, so STD(%eax,%eax), %ecx movl 8(%ebp), %edx movl CALL functions (and CDECL and FASTCALL for that
%edx, %eax addl %eax, %eax addl %edx, %eax leal matter) can be assembled with either compiler, and linked
(%eax,%ecx), %eax leave ret
with either linker, it seems. The stack frame is set up,
then the value at [ebp + 8] is doubled. After that, the
Notice rst that the same name decoration is used as in value at [ebp + 12] is tripled. Therefore, +8 is x, and +12
cl.exe. The astute observer will already have realized that is y. Again, these values are pushed in right-to-left order.
GCC uses the same trick as cl.exe, of moving the fastcall This function also cleans its own stack with the ret 8
arguments from their registers (ecx and edx again) onto instruction.
a negative oset on the stack. Again, optimizations are Looking at a bigger example:
turned o. ecx is moved into the rst position (4) and
edx is moved into the second position (8). Like the .globl _MyFunction2@24 .def _MyFunction2@24; .scl
CDECL example above, the value at 4 is doubled, and 2; .type 32; .endef _MyFunction2@24: pushl %ebp
the value at 8 is tripled. Therefore, 4 (ecx) is x, and movl %esp, %ebp movl 8(%ebp), %eax imull 12(%ebp),
8 (edx) is y. It would seem from this listing then that %eax movl 16(%ebp), %edx incl %edx imull %edx,
values are passed left-to-right, although we will need to %eax movl 20(%ebp), %edx addl $2, %edx imull %edx,
%eax movl 24(%ebp), %edx addl $3, %edx imull %edx,
take a look at the larger, MyFunction2 example:
%eax movl 28(%ebp), %edx addl $4, %edx imull %edx,
.globl @MyFunction2@24 .def @MyFunction2@24; %eax popl %ebp ret $24
.scl 2; .type 32; .endef @MyFunction2@24: pushl %ebp
movl %esp, %ebp subl $8, %esp movl %ecx, 4(%ebp)
movl %edx, 8(%ebp) movl 4(%ebp), %eax imull We can see here that values at +8 and +12 from ebp are
8(%ebp), %eax movl 8(%ebp), %edx incl %edx imull still x and y, respectively. The value at +16 is incremented
%edx, %eax movl 12(%ebp), %edx addl $2, %edx imull by 1, the value at +20 is incremented by 2, etc all the way
%edx, %eax movl 16(%ebp), %edx addl $3, %edx imull to the value at +28. We can therefore create the following
%edx, %eax movl 20(%ebp), %edx addl $4, %edx imull table:
x = [ebp + 8] y = [ebp + 12] z = [ebp + 16] a = [ebp +
%edx, %eax leave ret $16
20] b = [ebp + 24] c = [ebp + 28]
By following the fact that in MyFunction2, successive parameters are added to increasing constants, we can deduce the positions of each parameter. 4 is still x, and
8 is still y. +8 gets incremented by 1 (z), +12 gets in-
With c being pushed rst, and x being pushed last. Therefore, these parameters are also pushed in right-to-left order. This function then also cleans 24 bytes o the stack
with the ret 24 instruction.
3.6. BRANCHES
3.5.3
43
Example: C Calling Conventions
Two things should get our attention immediately. The

rst is that before the function call, a value is stored into
Identify the calling convention of the following C func- ecx. Also, the function name itself is heavily mangled.
This example must use the C++ THISCALL convention.
tion:
Inside the mangled name of the function, we can pick
int MyFunction(int a, int b) { return a + b; }
out two english words, Load and Container. Without
knowing the specics of this name mangling scheme, it
The function is written in C, and has no other speciers, is not possible to determine which word is the function
so it is CDECL by default.
name, and which word is the class name.
3.5.4
Example: Named Assembly Function
Identify the calling convention of the function MyFunction:

:_MyFunction@12 push ebp mov ebp, esp ... pop ebp
ret 12
We can pick out two 32-bit variables being passed to the

function, and a single 8-bit variable. The rst is located
in eax, the second is originally located on the stack from
oset 4 from ebp, and the third is located at ebp oset 3. In C++, these would likely correspond to two int
variables, and a single char variable. Notice at the end of
the mangled function name are three lower-case characters cii. We can't know for certain, but it appears these
three letters correspond to the three parameters (char, int,
int). We do not know from this whether the function returns a value or not, so we will assume the function returns
void.
The function includes the decorated name of an STDCALL function, and cleans up its own stack. It is therefore an STDCALL function.
Assuming that Load is the function name and Container is the class name (it could just as easily be the
other way around), here is our function denition:
3.5.5
Example: Unnamed Assembly Funcclass Container { void Load(char, int, int); }

tion
This code snippet is the entire body of an unnamed assembly function. Identify the calling convention of this
function.
3.6 Branches
push ebp mov ebp, esp add eax, edx pop ebp ret
The function sets up a stack frame, so we know the compiler hasnt done anything funny to it. It accesses regis- 3.6.1 Branching
ters which arent initialized yet, in the edx and eax registers. It is therefore a FASTCALL function.
Computer science professors tell their students to avoid
jumps and goto instructions, to avoid the proverbial
spaghetti code. Unfortunately, assembly only has jump
3.5.6 Example: Another Unnamed As- instructions to control program ow. This chapter will exsembly Function
plore the subject that many people avoid like the plague,
and will attempt to show how the spaghetti of assembly
push ebp mov ebp, esp mov eax, [ebp + 8] pop ebp ret can be translated into the more familiar control structures
16
of high-level language. Specically, this chapter will focus on If-Then-Else and Switch branching instructions.
The function has a standard stack frame, and the ret instruction has a parameter to clean its own stack. Also,
3.6.2 If-Then
it accesses a parameter from the stack. It is therefore an
STDCALL function.
Lets consider a generic if statement in pseudo-code followed by its equivalent form using jumps:
3.5.7
Example: Name Mangling
What does this code do? In English, the code checks the
condition and performs a jump only if it is false. With
that in mind, lets compare some actual C code and its
What can we tell about the following function call?
mov ecx, x push eax mov eax, ss:[ebp - 4] push eax mov Assembly translation:
al, ss:[ebp - 3] call @__Load?$Container__XXXY_?Fcii Note that when we translate to assembly, we need to
negate the condition of the jump because--like we said
44
above--we only jump if the condition is false. To recre- 3.6.4 Switch-Case

ate the high-level code, simply negate the condition once
Switch-Case structures can be very complicated when
again.
viewed in assembly language, so we will examine a few
Negating a comparison may be tricky if you're not paying
examples. First, keep in mind that in C, there are several
attention. Here are the correct dual forms:
keywords that are commonly used in a switch statement.
And here are some examples.
Here is a recap:
mov eax, $x //move x into eax cmp eax, $y //compare
eax with y jg end //jump if greater than inc eax move $x, Switch This keyword tests the argument, and starts the
eax //increment x end: ...
switch structure
Is produced by these C statements:
if(x <= y) { x++; }
Case This creates a label that execution will switch to,

depending on the value of the argument.
Break This statement jumps to the end of the switch
block
As you can see, x is incremented only if it is less than

or equal to y. Thus, if it is greater than y, it will not be Default This is the label that execution jumps to if and
only if it doesn't match up to any other conditions
incremented as in the assembler code. Similarly, the C
code
Lets say we have a general switch statement, but with an
if(x < y) { x++; }
extra label at the end, as such:
produces this assembler code:
switch (x) { //body of switch statement } end_of_switch:
mov eax, $x //move x into eax cmp eax, $y //compare

eax with y jge end //jump if greater than or equal to inc Now, every break statement will be immediately replaced with the statement
eax move $x, eax //increment x end: ...
jmp end_of_switch
X is incremented in the C code only if it is less than y,
so the assembler code now jumps if its greater than or But what do the rest of the statements get changed to?
equal to y. This kind of thing takes practice, so we will The case statements can each resolve to any number of
try to include lots of examples in this section.
arbitrary integer values. How do we test for that? The
answer is that we use a Switch Table. Here is a simple,
C example:
3.6.3
If-Then-Else
int main(int argc, char **argv) { //line 10 switch(argc) {

case 1: MyFunction(1); break; case 2: MyFunction(2);
break; case 3: MyFunction(3); break; case 4: MyFunction(4); break; default: MyFunction(5); } return 0; }
Let us now look at a more complicated case: the If-Then- And when we compile this with cl.exe, we can generate
Else instruction.
the following listing le:
tv64 = 4 ; size = 4 _argc$ = 8 ; size = 4 _argv$ = 12 ;
size = 4 _main PROC NEAR ; Line 10 push ebp mov
ebp, esp push ecx ; Line 11 mov eax, DWORD PTR
_argc$[ebp] mov DWORD PTR tv64[ebp], eax mov
ecx, DWORD PTR tv64[ebp] sub ecx, 1 mov DWORD
PTR tv64[ebp], ecx cmp DWORD PTR tv64[ebp], 3 ja
Now, here is an example of a real C If-Then-Else:
SHORT $L810 mov edx, DWORD PTR tv64[ebp] jmp
if(x == 10) { x = 0; } else { x++; }
DWORD PTR $L818[edx*4] $L806: ; Line 14 push
1 call _MyFunction add esp, 4 ; Line 15 jmp SHORT
Which gets translated into the following assembly code: $L803 $L807: ; Line 17 push 2 call _MyFunction
add esp, 4 ; Line 18 jmp SHORT $L803 $L808: ;
mov eax, $x cmp eax, 0x0A ;0x0A = 10 jne else mov Line 19 push 3 call _MyFunction add esp, 4 ; Line
eax, 0 jmp end else: inc eax end: mov $x, eax
20 jmp SHORT $L803 $L809: ; Line 22 push 4 call
_MyFunction add esp, 4 ; Line 23 jmp SHORT $L803
As you can see, the addition of a single unconditional $L810: ; Line 25 push 5 call _MyFunction add esp, 4
jump can add an entire extra option to our conditional.
$L803: ; Line 27 xor eax, eax ; Line 28 mov esp, ebp
Now, what happens here? Like before, the if statement
only jumps to the else clause when the condition is false.
However, we must also install an unconditional jump at
the end of the then clause, so we don't perform the else
clause directly afterwards.
3.6. BRANCHES
45
pop ebp ret 0 $L818: DD $L806 DD $L807 DD $L808 sub ecx, 1 mov DWORD PTR tv64[ebp], ecx
DD $L809 _main ENDP
Lets work our way through this. First, we see that line
10 sets up our standard stack frame, and it also saves ecx.
Why does it save ecx? Scanning through the function,
we never see a corresponding pop ecx instruction, so
it seems that the value is never restored at all. In fact,
the compiler isn't saving ecx at all, but is instead simply
reserving space on the stack: its creating a local variable. The original C code didn't have any local variables,
however, so perhaps the compiler just needed some extra
scratch space to store intermediate values. Why doesn't
the compiler execute the more familiar sub esp, 4 command to create the local variable? push ecx is just a faster
instruction that does the same thing. This scratch space
is being referenced by a negative oset from ebp. tv64
was dened in the beginning of the listing as having the
value 4, so every call to tv64[ebp]" is a call to this
scratch space.
The value of argc is moved into eax. The value of eax is

then immediately moved to the scratch space. The value
of the scratch space is then moved into ecx. Sounds like
an awfully convoluted way to get the same value into so
many dierent locations, but remember: I turned o the
optimizations. The value of ecx is then decremented by
1. Why didn't the compiler use a dec instruction instead?
Perhaps the statement is a general statement, that in this
case just happens to have an argument of 1. We don't
know why exactly, all we know is this:
eax = scratch pad
ecx = eax - 1
Finally, the last line moves the new, decremented value
of ecx back into the scratch pad. Very inecient.
There are a few things that we need to notice about the

The Compare and Jumps
function in general:
cmp DWORD PTR tv64[ebp], 3 ja SHORT $L810
Label $L803 is the end_of_switch label. Therefore,
every jmp SHORT $L803 statement is a break.
This is veriable by comparing with the C code line- The value of the scratch pad is compared with the value
3, and if the unsigned value is above 3 (4 or more), exeby-line.
cution jumps to label $L810. How do I know the value is
Label $L818 contains a list of hard-coded memory
unsigned? I know because ja is an unsigned conditional
addresses, which here are labels in the code section!
jump. Lets look back at the original C code switch:
Remember, labels resolve to the memory address of
the instruction. This must be an important part of switch(argc) { case 1: MyFunction(1); break; case 2:
MyFunction(2); break; case 3: MyFunction(3); break;
our puzzle.
case 4: MyFunction(4); break; default: MyFunction(5); }
To solve this puzzle, we will take an in-depth look at line
11:
Remember, the scratch pad contains the value (argc - 1),
mov eax, DWORD PTR _argc$[ebp] mov DWORD
PTR tv64[ebp], eax mov ecx, DWORD PTR tv64[ebp]
sub ecx, 1 mov DWORD PTR tv64[ebp], ecx cmp
DWORD PTR tv64[ebp], 3 ja SHORT $L810 mov
edx, DWORD PTR tv64[ebp] jmp DWORD PTR
$L818[edx*4]
which means that this condition is only triggered when

argc > 4. What happens when argc is greater than 4? The
function goes to the default condition. Now, lets look at
the next two lines:
mov edx, DWORD PTR tv64[ebp] jmp DWORD PTR
$L818[edx*4]
This sequence performs the following pseudo-C opera- edx gets the value of the scratch pad (argc - 1), and then
tion:
there is a very weird jump that takes place: execution
if( argc - 1 >= 4 ) { goto $L810; /* the default */ } label jumps to a location pointed to by the value (edx * 4 +
*L818[] = { $L806, $L807, $L808, $L809 }; /* dene a $L818). What is $L818? We will examine that right now.
table of jumps, one per each case */ // goto L818[argc 1]; /* use the address from the table to jump to the correct
The Switch Table
case */
Heres why...
$L818: DD $L806 DD $L807 DD $L808 DD $L809
$L818 is a pointer, in the code section, to a list of other

code section pointers. These pointers are all 32bit values
mov eax, DWORD PTR _argc$[ebp] mov DWORD (DD is a DWORD). Lets look back at our jump statePTR tv64[ebp], eax mov ecx, DWORD PTR tv64[ebp] ment:
The Setup
46
jmp DWORD PTR $L818[edx*4]
menting this value sets every bit in eax to a logical 1.

Now, when we perform the logical and function we get:
In this jump, $L818 isn't the oset, its the base, edx*4 is
the oset. As we said earlier, edx contains the value of
(argc - 1). If argc == 1, we jump to [$L818 + 0] which
is $L806. If argc == 2, we jump to [$L818 + 4], which
is $L807. Get the picture? A quick look at labels $L806,
$L807, $L808, and $L809 shows us exactly what we expect to see: the bodies of the case statements from the
original C code, above. Each one of the case statements
calls the function MyFunction, then breaks, and then
jumps to the end of the switch block.
...11111111 &...00000101 ;101 is 5 in binary -----------...00000101
3.6.5
eax gets the value 5. In this case, its a roundabout method

of doing it, but as a reverser, this is the stu you need to
worry about.
For reference, here is the GCC assembly output of the
same ternary operator from above:
_main: pushl %ebp movl %esp, %ebp subl $8, %esp
xorl %eax, %eax andl $16, %esp call __alloca call
___main xorl %edx, %edx cmpl $2, 8(%ebp) setge %dl
leal (%edx,%edx,4), %eax leave ret
Ternary Operator ?:
Notice that GCC produces slightly dierent code than

Again, the best way to learn is by doing. Therefore we cl.exe produces. However, the stack frame is set up the
will go through a mini example to explain the ternary op- same way. Notice also that GCC doesn't give us line numerator. Consider the following C code program:
bers, or other hints in the code. The ternary operator line
int main(int argc, char **argv) { return (argc > 1)?(5):(0); occurs after the instruction call __main. Lets highlight
that section here:
}
cl.exe produces the following assembly listing le:
xorl %edx, %edx cmpl $2, 8(%ebp) setge %dl leal

(%edx,%edx,4), %eax
_argc$ = 8 ; size = 4 _argv$ = 12 ; size = 4

_main PROC NEAR ; File c:\documents and settings\andrew\desktop\test2.c ; Line 2 push ebp mov
ebp, esp ; Line 3 xor eax, eax cmp DWORD PTR
_argc$[ebp], 1 setle al dec eax and eax, 5 ; Line 4 pop
ebp ret 0 _main ENDP
Again, xor is used to set edx to 0 quickly. Argc is tested

against 2 (instead of 1), and dl is set if argc is greater then
or equal. If dl gets set to 1, the leal instruction directly
thereafter will move the value of 5 into eax (because lea
(edx,edx,4) means edx + edx * 4, i.e. edx * 5).
Line 2 sets up a stack frame, and line 4 is a standard exit

sequence. There are no local variables. It is clear that
Line 3 is where we want to look.
3.7 Branch Examples
The instruction xor eax, eax simply sets eax to 0.

For more information on that line, see the chapter on
unintuitive instructions. The cmp instruction tests the
condition of the ternary operator. The setle function is
one of a set of x86 functions that works like a conditional
move: al gets the value 1 if argc <= 1. Isn't that the exact
opposite of what we wanted? In this case, it is. Lets look
at what happens when argc = 0: al gets the value 1. al
is decremented (al = 0), and then eax is logically anded
with 5. 5 & 0 = 0. When argc == 2 (greater than 1), the
setle instruction doesn't do anything, and eax still is zero.
eax is then decremented, which means that eax == 1.
What is 1?
3.7.1 Example: Number of Parameters

What parameters does this function take? What calling
convention does it use? What kind of value does it return?
Write the entire C prototype of this function. Assume all
values are unsigned values.
push ebp mov ebp, esp mov eax, 0 mov ecx, [ebp + 8]
cmp ecx, 0 jne _Label_1 inc eax jmp _Label_2 :_Label_1 dec eax : _Label_2 mov ecx, [ebp + 12] cmp ecx, 0
jne _Label_3 inc eax : _Label_3 mov esp, ebp pop ebp ret
In x86 processors, negative numbers are stored in twoscomplement format. For instance, lets look at the fol- This function accesses parameters on the stack at [ebp
lowing C code:
+ 8] and [ebp + 12]. Both of these values are loaded
into ecx, and we can therefore assume they are 4-byte
BYTE x; x = 1;
values. This function doesn't clean its own stack, and the
values aren't passed in registers, so we know the function
At the end of this C code, x will have the value 11111111: is CDECL. The return value in eax is a 4-byte value, and
all ones!
we are told to assume that all the values are unsigned.
When argc is greater than 1, setle sets al to zero. Decre- Putting all this together, we can construct the function
3.8. LOOPS
47
prototype:
so we don't need to invert the condition. We can write an

unsigned int CDECL MyFunction(unsigned int param1, if statement directly:
unsigned int param2);
if(ecx == 0) ;ecx is param2 here { eax++; }
3.7.2
Example:
tures
Identify Branch Struc- 3.7.3 Example: Convert To C
Write the equivalent C code for this function. Assume all

How many separate branch structures are in this func- parameters and return values are unsigned values.
tion? What types are they? Can you give more descrip- push ebp mov ebp, esp mov eax, 0 mov ecx, [ebp + 8]
tive names to _Label_1, _Label_2, and _Label_3, based cmp ecx, 0 jne _Label_1 inc eax jne _Label_2 :_Label_1
on the structures of these branches?
dec eax : _Label_2 mov ecx, [ebp + 12] cmp ecx, 0
push ebp mov ebp, esp mov eax, 0 mov ecx, [ebp + 8] jne _Label_3 inc eax : _Label_3 mov esp, ebp pop ebp ret
cmp ecx, 0 jne _Label_1 inc eax jmp _Label_2 :_Label_1 dec eax : _Label_2 mov ecx, [ebp + 12] cmp ecx, 0 Starting with the C function prototype from answer 1, and
jne _Label_3 inc eax : _Label_3 mov esp, ebp pop ebp ret the conditional blocks in answer 2, we can put together a
pseudo-code function, without variable declarations, or a
How many separate branch structures are there in this return value:
function? Stripping away the entry and exit sequences, unsigned int CDECL MyFunction(unsigned int param1,
here is the code we have left:
unsigned int param2) { if(param1 == 0) { eax++; } else
mov ecx, [ebp + 8] cmp ecx, 0 jne _Label_1 inc eax jmp { eax--; } if(param2 == 0) { eax++; } }
_Label_2 :_Label_1 dec eax : _Label_2 mov ecx, [ebp
+ 12] cmp ecx, 0 jne _Label_3 inc eax : _Label_3
Now, we just need to create a variable to store the value
from eax, which we will call a, and we will declare as a
Looking through, we see 2 cmp statements. The rst cmp register type:
statement compares ecx to zero. If ecx is not zero, we unsigned int CDECL MyFunction(unsigned int param1,
go to _Label_1, decrement eax, and then fall through to unsigned int param2) { register unsigned int a = 0;
_Label_2. If ecx is zero, we increment eax, and go to if(param1 == 0) { a++; } else { a--; } if(param2 == 0) {
directly to _Label_2. Writing out some pseudocode, we a++; } return a; }
have the following result for the rst section:
if(ecx doesnt equal 0) goto _Label_1 eax++; goto _La- Granted, this function isn't a particularly useful function,
bel_2 :_Label_1 eax--; :_Label_2
but at least we know what it does.
Since _Label_2 occurs at the end of this structure,
we can rename it to something more descriptive, like
End_of_Branch_1, or Branch_1_End. The rst com- 3.8 Loops
parison tests ecx against 0, and then jumps on not-equal.
We can reverse the conditional, and say that _Label_1 is
an else block:
if(ecx == 0) ;ecx is param1 here { eax++; } else { eax--; }
3.8.1 Loops
So we can rename _Label_1 to something else descrip- To complete repetitive tasks, programmers often impletive, such as Else_1. The rest of the code block, after ment loops. There are many sorts of loops, but they can
Branch_1_End (_Label_2) is as follows:
all be boiled down to a few similar formats in assembly
mov ecx, [ebp + 12] cmp ecx, 0 jne _Label_3 inc eax : code. This chapter will discuss loops, how to identify
them, and how to decompile them back into high-level
_Label_3
representations.
We can see immediately that _Label_3 is the end of
this branch structure, so we can immediately call it
Branch_2_End, or something else. Here, we are again
comparing ecx to 0, and if it is not equal, we jump to the
end of the block. If it is equal to zero, however, we increment eax, and then fall out the bottom of the branch. We
can see that there is no else block in this branch structure,
3.8.2 Do-While Loops

It seems counterintuitive that this section will consider
Do-While loops rst, considering that they might be the
least used of all the variations in practice. However, there
is method to our madness, so read on.
48
Consider the following generic Do-While loop:
See why we covered the Do-While loop rst? Because the

What does this loop do? The loop body simply executes, While-loop becomes a Do-While when it gets assembled.
the condition is tested at the end of the loop, and the loop So why can't the jump label occur before the test?
jumps back to the beginning of the loop if the condition is mov eax, $x beginning: cmp eax, 0x0A jg end inc eax
satised. Unlike if statements, Do-While conditions are
jmp beginning end: mov $x, eax
not reversed.
Let us now take a look at the following C code:
do { x++; } while(x != 10);
Which can be translated into assembly language as such:
3.8.4 For Loops
mov eax, $x beginning: inc eax cmp eax, 0x0A ;0x0A = What is a For-Loop? In essence, its a While-Loop with
an initial state, a condition, and an iterative instruction.
10 jne beginning mov $x, eax
For instance, the following generic For-Loop:
gets translated into the following pseudocode while-loop:
3.8.3
While Loops
initialization; while(condition) { action; increment; }
While loops look almost as simple as a Do-While loop, Which in turn gets translated into the following Do-While
but in reality they aren't as simple at all. Lets examine a Loop:
generic while-loop:
initialization; if(condition) { do { action; increment; }
while(x) { //loop body }
while(condition); }
What does this loop do? First, the loop checks to make
sure that x is true. If x is not true, the loop is skipped. The
loop body is then executed, followed by another check: is
x still true? If x is still true, execution jumps back to the
top of the loop, and execution continues. Keep in mind
that there needs to be a jump at the bottom of the loop
(to get back up to the top), but it makes no sense to jump
back to the top, retest the conditional, and then jump back
to the bottom of the loop if the conditional is found to be
false. The while-loop then, performs the following steps:
Note that often in for() loops you assign an initial constant

value in A (for example x = 0), and then compare that
value with another constant in B (for example x < 10).
Most optimizing compilers will be able to notice that the
rst time x IS less than 10, and therefore there is no need
for the initial if(B) statement. In such cases, the compiler
will simply generate the following sequence:
initialization; do { action increment; } while(condition);
rendering the code indistinguishable from a while() loop.
1. check the condition. if it is false, go to the end

2. perform the loop body
3. check the condition, if it is true, jump to 2.
3.8.5 Other Loop Types
4. if the condition is not true, fall-through the end of C only has Do-While, While, and For Loops, but some
the loop.
other languages may very well implement their own types.
Also, a good C-Programmer could easily home brew a
new type of loop using a series of good macros, so they
Here is a while-loop in C code:
bear some consideration:
while(x <= 10) { x++; }
And here then is that same loop translated into assembly:
mov eax, $x cmp eax, 0x0A jg end beginning: inc eax
cmp eax, 0x0A jle beginning end:
Do-Until Loop
A common Do-Until Loop will take the following form:
If we were to translate that assembly code back into C, do { //loop body } until(x);
we would get the following code:
if(x <= 10) //remember: in If statements, we reverse which essentially becomes the following Do-While loop:
the condition from the asm { do { x++; } while(x <= 10) } do { //loop body } while(!x);
3.9. LOOP EXAMPLES
49
Until Loop
sum in eax. The only parameter (located in [ebp + 8]) is

a pointer to an array of integer values. The comparison
Like the Do-Until loop, the standard Until-Loop looks between ebx and 100 indicates that the input array has
like the following:
100 entries in it. The pointer oset [esi + ebx * 4] shows
that each entry in the array is 4 bytes wide.
until(x) { //loop body }
which (likewise) gets translated to the following While- 3.9.2 Example: Complete C Prototype
Loop:
What is this functions C prototype? Make sure to include
while(!x) { //loop body }
parameters, return values, and calling convention.
Do-Forever Loop
push ebp mov ebp, esp mov esi, [ebp + 8] mov ebx, 0
mov eax, 0 mov ecx, 0 _Label_1: mov ecx, [esi + ebx *
4] add eax, ecx inc ebx cmp ebx, 100 jne _Label_1 mov
esp, ebp pop ebp ret 4
A Do-Forever loop is simply an unqualied loop with a

condition that is always true. For instance, the following
Notice how the ret function cleans its parameter o the
pseudo-code:
stack? That means that this function is an STDCALL
doforever { //loop body }
function. We know that the function takes, as its only
parameter, a pointer to an array of integers. We do not
will become the following while-loop:
know, however, whether the integers are signed or unsigned, because the je command is used for both types of
while(1) { //loop body }
values. We can assume one or the other, and for simplicity, we can assume unsigned values (unsigned and signed
Which can actually be reduced to a simple unconditional values, in this function, will actually work the same way).
jump statement:
We also know that the return value is a 4-byte integer
value, of the same type as is found in the parameter arbeginning: ;loop body jmp beginning
ray. Since the function doesnt have a name, we can just
call it MyFunction, and we can call the parameter arNotice that some non-optimizing compilers will produce
ray because it is an array. From this information, we can
nonsensical code for this:
determine the following prototype in C:
mov ax, 1 cmp ax, 1 jne loopend beginning: ;loop body
unsigned int STDCALL MyFunction(unsigned int
cmp ax, 1 je beginning loopend:
*array);
Notice that a lot of the comparisons here are not needed
since the condition is a constant. Most compilers will optimize cases like this.
3.9.3
Example: Decompile To C Code
Decompile this code into equivalent C source code.
3.9 Loop Examples
3.9.1
Example: Identify Purpose
What does this function do? What kinds of parameters

does it take, and what kind of results (if any) does it return?
4] add eax, ecx inc ebx cmp ebx, 100 jne _Label_1 mov
Starting with the function prototype above, and the description of what this function does, we can start to write
the C code for this function. We know that this function
initializes eax, ebx, and ecx before the loop. However,
we can see that ecx is being used as simply an intermediate storage location, receiving successive values from the
array, and then being added to eax.
4] add eax, ecx inc ebx cmp ebx, 100 jne _Label_1 mov We will create two unsigned integer values, a (for eax)
and b (for ebx). We will dene both a and b with the
register qualier, so that we can instruct the compiler
This function loops through an array of 4 byte integer val- not to create space for them on the stack. For each loop
ues, pointed to by esi, and adds each entry. It returns the iteration, we are adding the value of the array, at location
50
ebx*4 to the running sum, eax. Converting this to our a
and b variables, and using C syntax, we see:
a = a + array[b];
The loop could be either a for loop, or a while loop. We
see that the loop control variable, b, is initialized to 0 before the loop, and is incremented by 1 each loop iteration.
The loop tests b against 100, after it gets incremented, so
we know that b never equals 100 inside the loop body.
Using these simple facts, we will write the loop in 3 different ways:
First, with a while loop.
*array) { register unsigned int b = 0; register unsigned int
a = 0; while(b != 100) { a = a + array[b]; b++; } return a; }
Or, with a for loop:
*array) { register unsigned int b; register unsigned int a =
0; for(b = 0; b != 100; b++) { a = a + array[b]; } return a; }
And nally, with a do-while loop:
unsigned int STDCALL MyFunction(unsigned int *array) { register unsigned int b = 0; register unsigned int a =
0; do { a = a + array[b]; b++; }while(b != 100); return a; }
Chapter 4
Data Patterns
4.1 Variables
4.1.1
In the last example, the value of ecx is calculated at runtime, whereas in the rst 2 examples, the value is the same
every time. RVAs are considered hard-coded addresses,
even though the loader needs to x them up to point to
the correct locations.
Variables
We've already seen some mechanisms to create local storage on the stack. This chapter will talk about some other
variables, including global variables, static variables,
variables labled "const, "register, and "volatile. It will
also consider some general techniques concerning variables, including accessor and setter methods (to borrow
from OO terminology). This section may also talk about
setting memory breakpoints in a debugger to track memory I/O on a variable.
4.1.2
How to Spot a Variable
4.1.3 .BSS and .DATA sections

Both .bss and .data sections contain values which can
change at run-time (e.g. variables). Typically, variables
that are initialized to a non-zero value in the source are allocated in the .data section (e.g. int a = 10;"). Variables
that are not initialized, or initialized with a zero value,
can be allocated to the .bss section (e.g. int arr[100];").
Because all values of .bss variables are guaranteed to be
zero at the start of the program, there is no need for the
linker to allocate space in the binary le. Therefore, .bss
sections do not take space in the binary le, regardless of
their size.
Variables come in 2 distinct avors: those that are created

on the stack (local variables), and those that are accessed
via a hardcoded memory address (global variables). Any 4.1.4 Static Local Variables
memory that is accessed via a hard-coded address is usually a global variable. Variables that are accessed as an Local variables labeled static maintain their value across
function calls, and therefore cannot be created on the
oset from esp, or ebp are frequently local variables.
stack like other local variables are. How are static variables created? Lets take a simple example C function:
Hardcoded address Anything hardcoded is a value
that is stored as-is in the binary, and is not changed void MyFunction(int a) { static int x = 0; printf(my
at runtime. For instance, the value 0x2054 is hard- number: "); printf("%d, %d\n, a, x); }
coded, whereas the current value of variable X is not
hard-coded and may change at runtime.
Compiling to a listing le with cl.exe gives us the following code:
Example of a hardcoded address:
mov eax, [0x77651010]
OR:
mov ecx, 0x77651010 mov eax, [ecx]
Example of a non-hardcoded (softcoded?) address:
mov ecx, [esp + 4] add ecx, ebx mov eax, [ecx]
_BSS SEGMENT ?x@?1??MyFunction@@9@9 DD

01H DUP (?) ; `MyFunction'::`2'::x _BSS ENDS
_DATA SEGMENT $SG796 DB 'my number: ', 00H
$SG797 DB '%d, %d', 0aH, 00H _DATA ENDS PUBLIC _MyFunction EXTRN _printf:NEAR ; Function
compile ags: /Odt _TEXT SEGMENT _a$ = 8 ; size
= 4 _MyFunction PROC NEAR ; Line 4 push ebp
mov ebp, esp ; Line 6 push OFFSET FLAT:$SG796
call _printf add esp, 4 ; Line 7 mov eax, DWORD
PTR ?x@?1??MyFunction@@9@9 push eax mov
ecx, DWORD PTR _a$[ebp] push ecx push OFFSET
51
52
CHAPTER 4. DATA PATTERNS
FLAT:$SG797 call _printf add esp, 12 ; 0000000cH ; 4.1.5 Signed and Unsigned Variables
Line 8 pop ebp ret 0 _MyFunction ENDP _TEXT ENDS
Integer formatted variables, such as int, char, short and
Normally when assembly listings are posted in this wiki- long may be declared signed or unsigned variables in the
book, most of the code gibberish is discarded to aid read- C source code. There are two dierences in how these
ability, but in this instance, the gibberish contains the variables are treated:
answer we are looking for. As can be clearly seen, this
function creates a standard stack frame, and it doesn't create any local variables on the stack. In the interests of
being complete, we will take baby-steps here, and work
to the conclusion logically.
1. Signed variables use signed instructions such as add,

and sub. Unsigned variables use unsigned arithmetic instructions such as addi, and subi.
2. Signed variables use signed branch instructions such

In the code for Line 7, there is a call to _printf with 3 aras jge and jl. Unsigned variables use unsigned
guments. Printf is a standard libc function, and it therebranch instructions such as jae, and jb.
fore can be assumed to be cdecl calling convention. Arguments are pushed, therefore, from right to left. Three
arguments are pushed onto the stack before _printf is The dierence between signed and unsigned instructions
is the conditions under which the various ags for greatercalled:
than or less-than (overow ags) are set. The integer result values are exactly the same for both signed and unsigned data.
DWORD PTR ?x@?1??MyFunction@@9@9
DWORD PTR _a$[ebp]
4.1.6 Floating-Point Values
Floating point values tend to be 32-bit data values (for

oat) or 64-bit data values (for double). These values
are distinguished from ordinary integer-valued variables
because they are used with oating-point instructions.
The second one, _a$[ebp] is partially dened in this as- Floating point instructions typically start with the letter
f. For instance, fadd, fcmp, and similar instructions are
sembly instruction:
used with oating point values. Of particular note are
_a$ = 8
the oad instruction and variants. These instructions take
And therefore _a$[ebp] is the variable located at oset an integer-valued variable and converts it into a oating
+8 from ebp, or the rst argument to the function. OFF- point variable.
SET FLAT:$SG797 likewise is declared in the assembly We will discuss oating point variables in more detail in
listing as such:
a later chapter.
SG797 DB '%d, %d', 0aH, 00H
OFFSET FLAT:$SG797
If you have your ASCII table handy, you will notice

that 0aH = 0x0A = '\n'. OFFSET FLAT:$SG797
then is the format string to our printf statement.
Our last option then is the mysterious-looking
"?x@?1??MyFunction@@9@9, which is dened
in the following assembly code section:
4.1.7 Global Variables
Global variables do not have a limited scope like lexical variables do inside a function body. Since the notion
of lexical scope implies the use of the system stack, and
since global variables are not lexical in nature, they are
typically not found on the stack. Global variables tend
_BSS SEGMENT ?x@?1??MyFunction@@9@9 DD to exist in the program as a hard-coded memory address,
01H DUP (?) _BSS ENDS
a location which never changes throughout program execution. These could exist in the DATA segment of the
This shows that the Microsoft C compiler creates static executable, or anywhere else that a hard-coded memory
variables in the .bss section. This might not be the same address can be used to store data.
for all compilers, but the lesson is the same: local static In C, global variables are dened outside the body of any
variables are created and used in a very similar, if not function. There is no global keyword. Any variable
the exact same, manner as global values. In fact, as far which is not dened inside a function is global. In C howas the reverser is concerned, the two are usually inter- ever, a variable which is not dened inside a function is
changeable. Remember, the only real dierence between only global to the particular source code le in which it is
static variables and global variables is the idea of scope, dened. For example, we have two les Foo.c and Bar.c,
which is only used by the compiler.
and a global variable MyGlobalVar:
4.1. VARIABLES
In the example above, the variable MyGlobalVar is visible
inside the le Foo.c, but is not visible inside the le Bar.c.
To make MyGlobalVar visible inside all project les, we
need to use the extern keyword, which we will discuss
below.
static Variables
53
4.1.8 Constants
Variables qualied with the const keyword (in C) are frequently stored in the .data section of the executable. Constant values can be distinguished because they are initialized at the beginning of the program, and are never
modied by the program itself. For this reasons, some
compilers may chose to store constant variables (especially strings) in the .text section of the executable, thus
allowing the sharing of these variables across multiple instances of the same process. This creates a big problem
for the reverser, who now has to decide whether the code
hes looking at is part of a constant variable or part of a
subroutine.
The C programming language species a special keyword

static to dene variables which are lexical to the function (they cannot be referenced from outside the function) but they maintain their values across function calls.
Unlike ordinary lexical variables which are created on the
stack when the function is entered and are destroyed from
the stack when the function returns, static variables are
4.1.9
created once and are never destroyed.
int MyFunction(void) { static int x; ... }
Volatile memory
In C and C++, variables can be declared volatile, which

tells the compiler that the memory location can be accessed from external or concurrent processes, and that
the compiler should not perform any optimizations on the
variable. For instance, if multiple threads were all accessing and modifying a single global value, it would be bad
for the compiler to store that variable in a register sometimes, and ush it to memory infrequently. In general,
Volatile memory must be ushed to memory after every
calculation, to ensure that the most current version of the
data is in memory when other processes come to look for
it.
Static variables in C are global variables, except the compiler takes precautions to prevent the variable from being accessed outside of the parent functions scope. Like
global variables, static variables are referenced using a
hardcoded memory address, not a location on the stack
like ordinary variables. However unlike globals, static
variables are only used inside a single function. There
is no dierence between a global variable which is only
used in a single function, and a static variable inside that
same function. However, its good programming practice
to limit the number of global variables, so when disas- It is not always possible to determine from a disassemsembling, you should prefer interpreting these variables bly listing whether a given variable is a volatile varias static instead of global.
able. However, if the variable is accessed frequently from
memory, and its value is constantly updated in memory
(especially if there are free registers available), thats a
good hint that the variable might be volatile.
extern Variables
The extern keyword is used by a C compiler to indicate
4.1.10 Simple Accessor Methods
that a particular variable is global to the entire project, not
just to a single source code le. Besides this distinction,
An Accessor Method is a tool derived from OO theand the slightly larger lexical scope of extern variables,
ory and practice. In its most simple form, an accessor
they should be treated like ordinary global variables.
method is a function that receives no parameters (or perIn static libraries, variables marked as being extern might haps simply an oset), and returns the value of a variable.
be available for use with programs which are linked to the Accessor and Setter methods are ways to restrict access to
library.
certain variables. The only standard way to get the value
of the variable is to use the Accessor.
Accessors can prevent some simple problems, such as

out-of-bounds array indexing, and using uninitialized
data. Frequently, Accessors contain little or no errorHere is a table to summarize some points about global checking.
variables:
Here is an example:
Global Variables Summary
When disassembling, a hard-coded memory address push ebp mov ebp, esp mov eax, [ecx + 8] ;THISCALL
should be considered to be an ordinary global variable function, passes this pointer in ecx mov esp, ebp pop
unless you can determine from the scope of the variable ebp ret
that it is static or extern.
54
Because they are so simple, accessor methods are fre- and we can take the element that is at oset +8 from that
quently heavily optimized (they generally don't need a pointer (value3):
stack frame), and are even occasionally inlined by the MyClass::GetValue3() { return this->value3; }
compiler.
4.1.11
The this pointer is not necessary here, but i use it anyway

to
illustrate the fact that the variable was accessed as an
Simple Setter (Manipulator) Methoset
from the this pointer.
ods
Setter methods are the antithesis of an accessor method,

and provide a unied way of altering the value of a given
variable. Setter methods will often take as a parameter
the value to be set to the variable, although some methods (Initializers) simply set the variable to a pre-dened
value. Setter methods often do bounds checking, and error checking on the variable before it is set, and frequently
either a) return no value, or b) return a simple boolean
value to determine success.
Here is an example:
Note: Remember, we don't know what the rst 8 bytes

actually look like in our class, we only have a single accessor method, that only accesses a single data value at
oset +8. The class could also have looked like this:
class MyClass /*Alternate Denition*/ { byte byte1;
byte byte2; short short1; long value2; long value3; ... }
Or, any other combinations of 8 bytes.
4.2.2 Example: Identify C++ Code
push ebp mov ebp, esp cmp [ebp + 8], 0 je error mov
eax, [ebp + 8] mov [ecx + 0], eax mov eax, 1 jmp end Can you tell what the original C++ source code looks like,
:error mov eax, 0 :end mov esp, ebp pop ebp ret
in general, for the following setter method?
4.2 Variable Examples
push ebp mov ebp, esp cmp [ebp + 8], 0 je error mov
eax, [ebp + 8] mov [ecx + 0], eax mov eax, 1 jmp end
:error mov eax, 0 :end mov esp, ebp pop ebp ret
This code looks a little complicated, but don't panic! We
will walk through it slowly. The rst two lines of code set
up the stack frame:
4.2.1
push ebp mov ebp, esp
Can you tell what the original C++ source code looks like, The next two lines of code compare the value of [ebp +
8] (which we know to be the rst parameter) to zero. If
in general, for the following accessor method?
push ebp mov ebp, esp mov eax, [ecx + 8] ;THISCALL [ebp+8] is zero, the function jumps to the label error.
function, passes this pointer in ecx mov esp, ebp pop We see that the label error sets eax to 0, and returns. We
haven't seen it before, but this looks conspicuously like an
ebp ret
if statement. If the parameter is zero, return zero.
We don't know the name of the class, so we will use a
generic name MyClass (or whatever you would like to call
it). We will lay out a simple class denition, that contains
a data value at oset +8. Oset +8 is the only data value
accessed, so we don't know what the rst 8 bytes of data
looks like, but we will just assume (for our purposes) that
our class looks like this:
If, on the other hand, the parameter is not zero, we move

the value into eax, and then move the value into [ecx +
0], which we know as the rst data eld in MyClass. We
also see, from this code, that this rst data eld must be
4 bytes long (because we are using eax). After we move
eax into [ecx + 0], we set eax to 1 and jump to the end of
the function.
class MyClass { int value1; int value2; int value3; //oset If we use the same MyClass dention as in question 1,
above, we can get the following code for our function,
+8 ... }
SetValue1(int val)":
We will then create our function, which I will call GetValue3()". We know that the data value being accessed
is located at [ecx+8], (which we have dened above to
be value3). Also, we know that the data is being read
into a 4-byte register (eax), and is not truncated. We can
assume, therefore, that value3 is a 4-byte data value. We
can use the this pointer as the pointer value stored in ecx,
int MyClass::SetValue1(int val) { if(val == 0) return 0;

this->value1 = val; return 1; }
Notice that since we are returning a 0 on failure, and a
1 on success, the function looks like it has a bool return
value. However, the return value is 4 bytes wide (eax is
used), but the size of a bool is implementation-specic,
4.3. DATA STRUCTURES
55
so we can't be sure. The bool is usually dened to have Which looks harmless enough. But, what if a program
a size of 1 byte, but it is often stored the same way as an inadvertantly accesses buer[4]? what about buer[5]?
int.
what about buer[8]? This is the makings of a buer
overow vulnerability, and (might) will be discussed in a
later section. However, this section won't talk about security issues, and instead will focus only on data structures.
4.3 Data Structures
Spotting an Array on the Stack

To spot an array on the stack, look for large amounts of
local storage allocated on the stack (sub esp, 1000, for
example), and look for large portions of that data being
Few programs can work by using simple memory stor- accessed by an oset from a dierent register from esp.
age; most need to utilize complex data objects, includ- For instance:
ing pointers, arrays, structures, and other complicated :_MyFunction3 push ebp mov ebp, esp sub esp, 256 lea
types. This chapter will talk about how compilers im- ebx, [esp + 0x00] mov [ebx + 0], 0x00
plement complex data objects, and how the reverser can
identify these objects.
is a good sign of an array being created on the stack.
Granted, an optimizing compiler might just want to oset
from esp instead, so you will need to be careful.
4.3.1
Data Structures
4.3.2
Arrays
Arrays are simply a storage scheme for multiple data ob- Spotting an Array in Memory
jects of the same type. Data objects are stored sequentially, often as an oset from a pointer to the beginning Arrays in memory, such as global arrays, or arrays which
of the array. Consider the following C code:
have initial data (remember, initialized data is created in
the .data section in memory) and will be accessed as ox = array[25];
sets from a hardcoded address in memory:
Which is identical to the following asm code:
mov ebx, $array mov eax, [ebx + 25] mov $x, eax
:_MyFunction4 push ebp mov ebp, esp mov esi,

0x77651004 mov ebx, 0x00000000 mov [esi + ebx],
0x00
Now, consider the following example:
It needs to be kept in mind that structures and classes

might be accessed in a similar manner, so the reverser
needs to remember that all the data objects in an array
are of the same type, that they are sequential, and they
This (roughly) translates into the following asm pseudowill often be handled in a loop of some sort. Also, (and
code:
this might be the most important part), each elements in
:_MyFunction1 push ebp mov ebp, esp sub esp, 80 ;the an array may be accessed by a variable oset from the
whole array is created on the stack!!! lea $array, [esp base.
+ 0] ;a pointer to the array is saved in the array variable ... Since most times an array is accessed through a computed
int MyFunction1() { int array[20]; ...
index, not through a constant, the compiler will likely use

The entire array is created on the stack, and the pointer to the following to access an element of the array:
the bottom of the array is stored in the variable array. mov [ebx + eax], 0x00
An optimizing compiler could ignore the last instruction,
and simply refer to the array via a +0 oset from esp (in
If the array holds elements larger than 1 byte (for char),
this example), but we will do things verbosely.
the index will need to be multiplied by the size of the
Likewise, consider the following example:
element, yielding code similar to the following:
void MyFunction2() { char buer[4]; ...
mov [ebx + eax * 4], 0x11223344 # access to an array
of DWORDs, e.g. arr[i] = 0x11223344 ... mul eax, $20
# access to an array of structs, each 20 bytes long lea edi,
:_MyFunction2 push ebp mov ebp, esp sub esp, 4 lea [ebx + eax] # e.g. ptr = &arr[i]
$buer, [esp + 0] ...
This pattern can be used to distinguish between accesses
This will translate into the following asm pseudo-code:
56
to arrays and accesses to structure data members.
4.3.3
struct MyStruct3 { long value1; void *value2; long

value3; } void MyFunction2(struct MyStruct3 *ptr) {
ptr->value1 = 10; ptr->value2 = ptr; ptr->value3 = 10; }
Structures
As a quick aside note, notice that this function doesn't

All C programmers are going to be familiar with the fol- load anything into eax, and therefore it doesn't return a
lowing syntax:
value.
struct MyStruct { int FirstVar; double SecondVar;
unsigned short int ThirdVar; }
4.3.4
Advanced Structures
Its called a structure (Pascal programmers may know a Lets say we have the following situation in a function:
similar concept as a record).
:MyFunction1 push ebp mov ebp, esp mov esi, [ebp + 8]
Structures may be very big or very small, and they may lea ecx, SS:[esi + 8] ...
contain all sorts of dierent data. Structures may look
very similar to arrays in memory, but a few key points what is happening here? First, esi is loaded with the value
need to be remembered: structures do not need to con- of the functions rst parameter (ebp + 8). Then, ecx is
tain data elds of all the same type, structure elds are loaded with a pointer to the oset +8 from esi. It looks
often 4-byte aligned (not sequential), and each element like we have 2 pointers accessing the same data structure!
in a structure has its own oset. It therefore makes no
sense to reference a structure element by a variable oset The function in question could easily be one of the following 2 prototypes:
from the base.
struct MyStruct1 { DWORD value1; DWORD value2;
Take a look at the following structure denition:
struct MySubStruct1 { ...
struct MyStruct2 { long value1; short value2; long struct MyStruct2 { DWORD value1; DWORD value2;
value3; }
DWORD array[LENGTH]; ...
Assuming the pointer to the base of this structure is one pointer oset from another pointer in a structure ofloaded into ebx, we can access these members in one of ten means a complex data structure. There are far too
two schemes:
many combinations of structures and arrays, however, so
The rst arrangement is the most common, but it clearly this wikibook will not spend too much time on this subleaves open an entire memory word (2 bytes) at oset +6, ject.
which is not used at all. Compilers occasionally allow the
programmer to manually specify the oset of each data
member, but this isn't always the case. The second exam- 4.3.5 Identifying Structs and Arrays
ple also has the benet that the reverser can easily identify
that each data member in the structure is a dierent size. Array elements and structure elds are both accessed as
osets from the array/structure pointer. When disassemConsider now the following function:
bling, how do we tell these data structures apart? Here
:_MyFunction push ebp mov ebp, esp lea ecx, SS:[ebp are some pointers:
+ 8] mov [ecx + 0], mov [ecx + 4], ecx mov [ecx + 8],
1. array elements are not meant to be accessed individmov esp, ebp pop ebp
ually. Array elements are typically accessed using a
variable oset
The function clearly takes a pointer to a data structure as
its rst argument. Also, each data member is the same
2. Arrays are frequently accessed in a loop. Because
size (4 bytes), so how can we tell if this is an array or a
arrays typically hold a series of similar data items,
structure? To answer that question, we need to remember
the best way to access them all is usually a loop.
one important distinction between structures and arrays:
Specically, for(x = 0; x < length_of_array; x++)
the elements in an array are all of the same type, the elstyle loops are often used to access arrays, although
ements in a structure do not need to be the same type.
there can be others.
Given that rule, it is clear that one of the elements in this
3. All the elements in an array have the same data type.
structure is a pointer (it points to the base of the structure itself!) and the other two elds are loaded with the
4. Struct elds are typically accessed using constant
hex value 0x0A (10 in decimal), which is certainly not
osets.
a valid pointer on any system I have ever used. We can
5. Struct elds are typically not accessed in order, and
then partially recreate the structure and the function code
are also not accessed using loops.
below:
4.4. OBJECTS AND CLASSES

6. Struct elds are not typically all the same data type,
or the same data width
4.3.6
Linked Lists and Binary Trees
57
When you start adding in inheritance and polymorphism,
things get a little more complicated. For the purposes
of simplicity, the structure of an object will be described
in terms of having no inheritance. At the end, however,
inheritance and polymorphism will be covered.
Two common structures used when programming are

linked lists and binary trees. These two structures in turn Variables
can be made more complicated in a number of ways.
Shown in the images below are examples of a linked list All static variables dened in a class resides in the static
structure and a binary tree structure.
region of memory for the entire duration of the applicaEach node in a linked list or a binary tree contains some tion. Every other variable dened in the class is placed
amount of data, and a pointer (or pointers) to other nodes. into a data structure known as an object. Typically when
the constructor is called, the variables are placed into the
Consider the following asm code example:
object in sequential order, see Figure 1.
loop_top: cmp [ebp + 0], 10 je loop_end mov ebp, [ebp
A:
+ 4] jmp loop_top loop_end:
class ABC123 { public: int a, b, c; ABC123():a(1), b(2),
At each loop iteration, a data value at [ebp + 0] is com- c(3) {}; };
pared with the value 10. If the two are equal, the loop is
ended. If the two are not equal, however, the pointer in B:
ebp is updated with a pointer at an oset from ebp, and
the loop is continued. This is a classic linked-loop search 0x00200000 dd 1 ;int a 0x00200004 dd 2 ;int b
0x00200008 dd 3 ;int c
technique. This is analagous to the following C code:
struct node { int data; struct node *next; }; struct node
However, the compiler typically needs the variables to be
*x; ... while(x->data != 10) { x = x->next; }
separated into sizes that are multiples of a word (2 bytes)
in order to locate them. Not all variables t this requireBinary trees are the same, except two dierent pointers ment, namely char arrays; some unused bits might be used
will be used (the right and left branch pointers).
pad the variables so they meet this size requirement. This
is illustrated in Figure 2.
4.4 Objects and Classes
A:
class ABC123{ public: int a; char b[3]; double c;

ABC123():a(1),c(3) { strcpy(b,"02); }; };
The Objects and Classes page of the X86 Disassembly B:
Wikibook is a stub. You can help by expanding this sec0x00200000 dd 1 ;int a ; oset = abc123 + 0*word_size
tion.
0x00200004 db '0' ;b[0] = '0' ; oset = abc123 +
2*word_size 0x00200005 db '2' ;b[1] = '2' 0x00200006
db 0 ;b[2] = null 0x00200007 db 0 ;<= UNUSED
4.4.1 Object-Oriented Programming
BYTE 0x00200008 dd 0x00000000 ;double c, lower 32
Object-Oriented (OO) programming provides for us a bits ; oset = abc123 + 4*word_size 0x0020000C dd
new unit of program structure to contend with: the Ob- 0x40080000 ;double c, upper 32 bits
ject. This chapter will look at disassembled classes from
C++. This chapter will not deal directly with COM, but In order for the application to access one of these object
it will work to set a lot of the groundwork for future dis- variables, an object pointer needs to be oset to nd the
cussions in reversing COM components (Windows users desired variable. The oset of every variable is known by
only).
the compiler and written into the object code wherever
4.4.2
Classes
A basic class that has not inherited anything can be broken into two parts, the variables and the methods. The
non-static variables are shoved into a simple data structure while the methods are compiled and called like every
other function.
its needed. Figure 3 shows how to oset a pointer to

retrieve variables.
;abc123 = pointer to object mov eax, [abc123] ;eax =
&a ;oset = abc123+0*word_size = abc123 mov ebx,
[abc123+4] ;ebx = &b ;oset = abc123+2*word_size
= abc123+4 mov ecx, [abc123+8] ;ecx = &c ;oset =
abc123+4*word_size = abc123+8
58
Figure 3: This shows how to oset a pointer to retrieve

variables. The rst line places the address of variable 'a'
into eax. The second line places the address of variable
'b' into ebx. And the last line places the variable 'c' into
ecx.
The abstract class A acts as a blueprint for the compiler,

dening an expected structure for any class that inherits
it. Every variable dened in class A and every virtual
method dened in A will have the exact same oset for
any of its children. Figure 7 declares a possible inheritance scheme as well as it structure in memory. Notice
how the oset to C::one is the same as D::one, and the
Methods
oset to Cs copy of A::a is the same as Ds copy. In this,
our polymorphic loop can just iterate through the array
At a low level, there is almost no dierence between a of pointers and know exactly where to nd each method.
function and a method. When decompiling, it can someA:
times be hard to tell a dierence between the two. They
both reside in the text memory space, and both are called class A{ public: int a; virtual void one() = 0; }; class B{
the same way. An example of how a method is called can public: int b; int c; virtual void two() = 0; }; class C:
public A{ public: int d; void one(); }; class D: public A,
be seen in Figure 4.
public B{ public: int e; void one(); void two(); };
A:
//method call abc123->foo(1, 2, 3);

B:
push 3 ; int c push 2 ; int b push 1 ; int a push [ebp-4] ;

the address of the object call 0x00434125 ; call to method
A notable characteristic in a method call is the address
of the object being passed in as an argument. This, however, is not a always a good indicator. Figure 5 shows
function with the rst argument being an object passed
in by reference. The result is function that looks identical
to a method call.
B:
;Object C 0x00200000 dd 0x00423848 ; address of

C::one ;oset = 0*word_size 0x00200004 dd 1 ; Cs
copy of A::a ;oset = 2*word_size 0x00200008 dd 4 ;
C::d ;oset = 4*word_size ;Object D 0x00200100 dd
0x00412348 ; address of D::one ;oset = 0*word_size
0x00200104 dd 1 ; Ds copy of A::a ;oset = 2*word_size
0x00200108 dd 0x00431255 ; address of D::two ;oset
= 4*word_size 0x0020010C dd 2 ; Ds copy of B::b
;oset = 6*word_size 0x00200110 dd 3 ; Ds copy of
B::c ;oset = 8*word_size 0x00200114 dd 5 ; D::e
;oset = 10*word_size
A:
//function call foo(abc123, 1, 2, 3);
4.4.3 Classes Vs. Structs

B:
push 3 ; int c push 2 ; int b push 1 ; int a push [ebp+4]

; the address of the object call 0x00498372 ; call to
function
4.5 Floating Point Numbers
Inheritance & Polymorphism
4.5.1 Floating Point Numbers
Inheritance and polymorphism completely changes the

structure of a class, the object no longer contains just
variables, they also contain pointers to the inherited methods. This is due to the fact that polymorphism requires
the address of a method or inner object to be gured out
at runtime.
This page will talk about how oating point numbers

are used in assembly language constructs. This page will
not talk about new constructs, it will not explain what
the FPU instructions do, how oating point numbers are
stored or manipulated, or the dierences in oating-point
data representations. However, this page will demonTake Figure 6 into consideration. How does the appli- strate briey how oating-point numbers are used in code
cation know to call D::one or C::one? The answer is that and data structures that we have already considered.
the compiler gures out a convention in which to order
The x86 architecture does not have any registers specivariables and method pointers inside the object such that
cally for oating point numbers, but it does have a special
when they're referenced, the osets are the same for any
stack for them. The oating point stack is built directly
object that has inherited its methods and variables.
into the processor, and has access speeds similar to those
of ordinary registers. Notice that the FPU stack is not the
same as the regular system stack.
4.5. FLOATING POINT NUMBERS
4.5.2
59
Calling Conventions
aren't integers. Unfortunately, the exact format of oating point numbers is well beyond the scope of this chapWith the addition of the oating-point stack, there is an ter.
entirely new dimension for passing parameters and re- x is oset +8, y is oset +16, and z is oset +24 from
turning values. We will examine our calling conventions ebp. Therefore, z is pushed rst, x is pushed last, and the
here, and see how they are aected by the presence of parameters are passed right-to-left on the regular stack
oating-point numbers. These are the functions that we not the oating point stack. To understand how a value
will be assembling, using both GCC, and cl.exe:
is returned however, we need to understand what fmulp
__cdecl double MyFunction1(double x, double y, oat
z) { return (x + 1.0) * (y + 2.0) * (z + 3.0); } __fastcall
double MyFunction2(double x, double y, oat z) { return
(x + 1.0) * (y + 2.0) * (z + 3.0); } __stdcall double
MyFunction3(double x, double y, oat z) { return (x +
1.0) * (y + 2.0) * (z + 3.0); }
does. fmulp is the Floating-Point Multiply and Pop instruction. It performs the instructions:
ST1 := ST1 * ST0 FPU POP ST0
This multiplies ST(1) and ST(0) and stores the result in

ST(1). Then, ST(0) is marked empty and stack pointer
is incremented. Thus, contents of ST(1) are on the top
of the stack. So the top 2 values are multiplied together,
and the result is stored on the top of the stack. Therefore,
in our instruction above, fmulp ST(1), ST(0)", which is
CDECL
also the last instruction of the function, we can see that
the last result is stored in ST0. Therefore, oating point
Here is the cl.exe assembly listing for MyFunction1:
parameters are passed on the regular stack, but oating
PUBLIC
_MyFunction1
PUBLIC point results are passed on the FPU stack.
__real@30000000000000
PUBLIC
One nal note is that MyFunction2 cleans its own stack,
__real@4000000000000000
PUBLIC
as referenced by the ret 20 command at the end of the list__real@4008000000000000
EXTRN
__ing. Because none of the parameters were passed in regtused:NEAR ; COMDAT __real@30000000000000
isters, this function appears to be exactly what we would
CONST
SEGMENT
__real@30000000000000
expect an STDCALL function would look like: parameDQ 030000000000000r ; 1 CONST ENDS ;
ters passed on the stack from right-to-left, and the funcCOMDAT
__real@4000000000000000
CONST
tion cleans its own stack. We will see below that this is
SEGMENT
__real@4000000000000000
DQ
actually a correct assumption.
04000000000000000r ; 2 CONST ENDS ; COMDAT __real@4008000000000000 CONST SEGMENT For comparison, here is the GCC listing:
__real@4008000000000000 DQ 04008000000000000r LC1: .long 0 .long 1073741824 .align 8 LC2: .long
; 3 CONST ENDS _TEXT SEGMENT _x$ = 8 ; size = 0 .long 1074266112 .globl _MyFunction1 .def _My8 _y$ = 16 ; size = 8 _z$ = 24 ; size = 4 _MyFunction1 Function1; .scl 2; .type 32; .endef _MyFunction1: pushl
PROC NEAR ; Line 2 push ebp mov ebp, esp ; Line %ebp movl %esp, %ebp subl $16, %esp dl 8(%ebp)
3 d QWORD PTR _x$[ebp] fadd QWORD PTR fstpl 8(%ebp) dl 16(%ebp) fstpl 16(%ebp) dl
__real@30000000000000 d QWORD PTR _y$[ebp] 8(%ebp) d1 faddp %st, %st(1) dl 16(%ebp) dl
fadd QWORD PTR __real@4000000000000000 fmulp LC1 faddp %st, %st(1) fmulp %st, %st(1) ds 24(%ebp)
ST(1), ST(0) d DWORD PTR _z$[ebp] fadd QWORD dl LC2 faddp %st, %st(1) fmulp %st, %st(1) leave ret
PTR __real@4008000000000000 fmulp ST(1), ST(0) .align 8
; Line 4 pop ebp ret 0 _MyFunction1 ENDP _TEXT
ENDS
This is a very dicult listing, so we will step through it
(albeit quickly). 16 bytes of extra space is allocated on
Our rst question is this: are the parameters passed on the stack. Then, using a combination of dl and fstpl
the stack, or on the oating-point register stack, or some instructions, the rst 2 parameters are moved from oplace dierent entirely? Key to this question, and to this sets +8 and +16, to osets 8 and 16 from ebp. Seems
function is a knowledge of what d and fstp do. d like a waste of time, but remember, optimizations are o.
(Floating-point Load) pushes a oating point value onto d1 loads the oating point value 1.0 onto the FPU stack.
the FPU stack, while fstp (Floating-Point Store and Pop) faddp then adds the top of the stack (1.0), to the value in
moves a oating point value from ST0 to the specied lo- ST1 ([ebp - 8], originally [ebp + 8]).
cation, and then pops the value from ST0 o the stack entirely. Remember that double values in cl.exe are treated
as 8-byte storage locations (QWORD), while oats are
FASTCALL
only stored as 4-byte quantities (DWORD). It is also important to remember that oating point numbers are not
stored in a human-readable form in memory, even if the Here is the cl.exe listing for MyFunction2:
@MyFunction2@20
PUBreader has a solid knowledge of binary. Remember, these PUBLIC
60
LIC
__real@30000000000000
PUBLIC
__real@4000000000000000
PUBLIC
__real@4008000000000000
EXTRN
__tused:NEAR ; COMDAT __real@30000000000000
CONST
SEGMENT
__real@30000000000000
DQ 030000000000000r ; 1 CONST ENDS ;
COMDAT
__real@4000000000000000
CONST
SEGMENT
__real@4000000000000000
DQ
04000000000000000r ; 2 CONST ENDS ; COMDAT __real@4008000000000000 CONST SEGMENT
__real@4008000000000000 DQ 04008000000000000r
; 3 CONST ENDS _TEXT SEGMENT _x$ = 8 ; size
= 8 _y$ = 16 ; size = 8 _z$ = 24 ; size = 4 @MyFunction2@20 PROC NEAR ; Line 7 push ebp mov ebp, esp
; Line 8 d QWORD PTR _x$[ebp] fadd QWORD PTR
__real@30000000000000 d QWORD PTR _y$[ebp]
fadd QWORD PTR __real@4000000000000000 fmulp
ST(1), ST(0) d DWORD PTR _z$[ebp] fadd QWORD
PTR __real@4008000000000000 fmulp ST(1), ST(0) ;
Line 9 pop ebp ret 20 ; 00000014H @MyFunction2@20
ENDP _TEXT ENDS
We can see that this function is taking 20 bytes worth of
parameters, because of the @20 decoration at the end of
the function name. This makes sense, because the function is taking two double parameters (8 bytes each), and
one oat parameter (4 bytes each). This is a grand total of 20 bytes. We can notice at a rst glance, without
having to actually analyze or understand any of the code,
that there is only one register being accessed here: ebp.
This seems strange, considering that FASTCALL passes
its regular 32-bit arguments in registers. However, that is
not the case here: all the oating-point parameters (even
z, which is a 32-bit oat) are passed on the stack. We
know this, because by looking at the code, there is no
other place where the parameters could be coming from.
Notice also that fmulp is the last instruction performed
again, as it was in the CDECL example. We can infer
then, without investigating too deeply, that the result is
passed at the top of the oating-point stack.
Notice also that x (oset [ebp + 8]), y (oset [ebp + 16])
and z (oset [ebp + 24]) are pushed in reverse order: z
is rst, x is last. This means that oating point parameters are passed in right-to-left order, on the stack. This is
exactly the same as CDECL code, although only because
we are using oating-point values.
Here is the GCC assembly listing for MyFunction2:
.align 8 LC5: .long 0 .long 1073741824 .align 8 LC6:
.long 0 .long 1074266112 .globl @MyFunction2@20
.def @MyFunction2@20; .scl 2; .type 32; .endef @MyFunction2@20: pushl %ebp movl %esp, %ebp subl
$16, %esp dl 8(%ebp) fstpl 8(%ebp) dl 16(%ebp)
fstpl 16(%ebp) dl 8(%ebp) d1 faddp %st, %st(1)
dl 16(%ebp) dl LC5 faddp %st, %st(1) fmulp %st,
%st(1) ds 24(%ebp) dl LC6 faddp %st, %st(1) fmulp
%st, %st(1) leave ret $20
This is a tricky piece of code, but luckily we don't need to

read it very close to nd what we are looking for. First o,
notice that no other registers are accessed besides ebp.
Again, GCC passes all oating point values (even the 32bit oat, z) on the stack. Also, the oating point result
value is passed on the top of the oating point stack.
We can see again that GCC is doing something strange at
the beginning, taking the values on the stack from [ebp
+ 8] and [ebp + 16], and moving them to locations [ebp
- 8] and [ebp - 16], respectively. Immediately after being moved, these values are loaded onto the oating point
stack and arithmetic is performed. z isn't loaded till later,
and isn't ever moved to [ebp - 24], despite the pattern.
LC5 and LC6 are constant values, that most likely represent oating point values (because the numbers themselves, 1073741824 and 1074266112 don't make any
sense in the context of our example functions. Notice
though that both LC5 and LC6 contain two .long data
items, for a total of 8 bytes of storage? They are therefore most denitely double values.
STDCALL
Here is the cl.exe listing for MyFunction3:
PUBLIC
_MyFunction3@20
PUBLIC
__real@30000000000000
PUBLIC
__real@4000000000000000
PUBLIC
__real@4008000000000000
EXTRN
__tused:NEAR ; COMDAT __real@30000000000000
CONST
SEGMENT
__real@30000000000000
DQ 030000000000000r ; 1 CONST ENDS ;
COMDAT
__real@4000000000000000
CONST
SEGMENT
__real@4000000000000000
DQ
04000000000000000r ; 2 CONST ENDS ; COMDAT __real@4008000000000000 CONST SEGMENT
__real@4008000000000000 DQ 04008000000000000r
; 3 CONST ENDS _TEXT SEGMENT _x$ = 8 ; size = 8
_y$ = 16 ; size = 8 _z$ = 24 ; size = 4 _MyFunction3@20
PROC NEAR ; Line 12 push ebp mov ebp, esp ; Line
13 d QWORD PTR _x$[ebp] fadd QWORD PTR
__real@30000000000000 d QWORD PTR _y$[ebp]
fadd QWORD PTR __real@4000000000000000 fmulp
ST(1), ST(0) d DWORD PTR _z$[ebp] fadd QWORD
PTR __real@4008000000000000 fmulp ST(1), ST(0) ;
Line 14 pop ebp ret 20 ; 00000014H _MyFunction3@20
ENDP _TEXT ENDS END
x is the highest on the stack, and z is the lowest, therefore these parameters are passed from right-to-left. We
can tell this because x has the smallest oset (oset [ebp
+ 8]), while z has the largest oset (oset [ebp + 24]).
We see also from the nal fmulp instruction that the return value is passed on the FPU stack. This function also
cleans the stack itself, as noticed by the call 'ret 20. It
4.6. FLOATING POINT EXAMPLES

is cleaning exactly 20 bytes o the stack which is, incidentally, the total amount that we passed to begin with.
We can also notice that the implementation of this function looks exactly like the FASTCALL version of this
function. This is true because FASTCALL only passes
DWORD-sized parameters in registers, and oating point
numbers do not qualify. This means that our assumption
above was correct.
Here is the GCC listing for MyFunction3:
Here we can also see, after all the opening nonsense, that
[ebp - 8] (originally [ebp + 8]) is value x, and that [ebp
- 24] (originally [ebp - 24]) is value z. These parameters
are therefore passed right-to-left. Also, we can deduce
from the nal fmulp instruction that the result is passed
in ST0. Again, the STDCALL function cleans its own
stack, as we would expect.
Conclusions
Floating point values are passed as parameters on the
stack, and are passed on the FPU stack as results. Floating point values do not get put into the general-purpose
integer registers (eax, ebx, etc...), so FASTCALL functions that only have oating point parameters collapse
into STDCALL functions instead. double values are
8-bytes wide, and therefore will take up 8-bytes on the
stack. oat values however, are only 4-bytes wide.
4.5.3
Float to Int Conversions
4.5.4
FPU Compares and Jumps
4.6 Floating Point Examples
4.6.1
Example: Floating Point Arithmetic
Here is the C source code, and the GCC assembly listing of a simple C language function that performs simple
oating-point arithmetic. Can you determine what the
numerical values of LC5 and LC6 are?
__fastcall double MyFunction2(double x, double y, oat
61
z) { return (x + 1.0) * (y + 2.0) * (z + 3.0); }
For this, we don't even need a oating-point number calculator, although you are free to use one if you wish (and
if you can nd a good one). LC5 is added to [ebp - 16],
which we know to be y, and LC6 is added to [ebp - 24],
which we know to be z. Therefore, LC5 is the number
2.0, and LC6 is the number 3.0. Notice that the d1
instruction automatically loads the top of the oatingpoint stack with the constant value 1.0.
Chapter 5
Diculties
5.1 Code Optimization
bother writing code to test x.

Control Flow Optimizations
Another set of optimization which can be performed either at the intermediate or at the code generation level are
An optimizing compiler is perhaps one of the most com- control ow optimizations. Most of these optimizations
plicated, most powerful, and most interesting programs in deal with the elimination of useless branches. Consider
existence. This chapter will talk about optimizations, al- the following code:
though this chapter will not include a table of common if(A) { if(B) { C; } else { D; } end_B: } else { E; } end_A:
optimizations.
5.1.1
Code Optimization
In this code, a simplistic compiler would generate a jump

from the C block to end_B, and then another jump from
end_B to end_A (to get around the E statements). Clearly
There are two times when a compiler can perform opti- jumping to a jump is inecient, so optimizing compilers
mizations: rst, in the intermediate representation, and will generate a direct jump from block C to end_A.
second, during the code generation.
This unfortunately will make the code more confused and
5.1.2
Stages of Optimizations
will prevent a nice recovery of the original code. For

complex functions, its possible that one will have to conIntermediate Representation Optimizations
sider the code made of only if()-goto; sequences, without
While in the intermediate representation, a compiler can being able to identify higher level statements like if-else
perform various optimizations, often based on dataow or loops.
analysis techniques. For example, consider the following The process of identifying high level statement hierarcode fragment:
chies is called code structuring.
x = 5; if(x != 5) { //loop body }
Code Generation Optimizations
An optimizing compiler might notice that at the point of
if (x != 5)", the value of x is always the constant 5.
This allows substituting 5 for x resulting in 5 != 5.
Then the compiler notices that the resulting expression
operates entirely on constants, so the value can be calculated now instead of at run time, resulting in optimizing
the conditional to if (false)". Finally the compiler sees
that this means the body of the if conditional will never
be executed, so it can omit the entire body of the if conditional altogether.
Consider the reverse case:
Once the compiler has sifted through all the logical ineciencies in your code, the code generator takes over.
Often the code generator will replace certain slow machine instructions with faster machine instructions.
For instance, the instruction:
beginning: ... loopnz beginning
operates much slower than the equivalent instruction set:
beginning: ... dec ecx jne beginning
x = 5; if(x == 5) { //loop body }

So then why would a compiler ever use a loopxx instrucIn this case, the optimizing compiler would notice that tion? The answer is that most optimizing compilers never
the IF conditional will always be true, and it won't even use a loopxx instruction, and therefore as a reverser, you
62
5.2. OPTIMIZATION EXAMPLES

will probably never see one used in real code.
63
5.1.4 Inline Functions
What about the instruction:
The C and C++ languages allow the denition of an inline

type of function. Inline functions are functions which are
treated similarly to macros. During compilation, calls to
The mov instruction is relatively quick, but a faster part of an inline function are replaced with the body of that functhe processor is the arithmetic unit. Therefore, it makes tion, instead of performing a call instruction. In addition
to using the inline keyword to declare an inline function,
more sense to use the following instruction:
optimizing compilers may decide to make other functions
xor eax, eax
inline as well.
mov eax, 0
because xor operates in very few processor cycles (and

saves three bytes at the same time), and is therefore faster
than a mov eax, 0. The only drawback of a xor instruction is that it changes the processor ags, so it cannot
be used between a comparison instruction and the corresponding conditional jump.
Function inlining works similarly to loop unwinding for

increasing code performance. A non-inline function requires a call instruction, several instructions to create a
stack frame, and then several more instructions to destroy
the stack frame and return from the function. By copying
the body of the function instead of making a call, the size
of the machine code increases, but the execution time decreases.
It is not necessarily possible to determine whether identical portions of code were created originally as macros,
inline functions, or were simply copy and pasted. HowWhen a loop needs to run for a small, but denite number ever, when disassembling it can make your work easier to
of iterations, it is often better to unwind the loop in or- separate these blocks out into separate inline functions, to
der to reduce the number of jump instructions performed, help keep the code straight.
and in many cases prevent the processors branch predictor from failing. Consider the following C loop, which
calls the function MyFunction() 5 times:
5.2 Optimization Examples
5.1.3
Loop Unwinding
for(x = 0; x < 5; x++) { MyFunction(); }

Converting to assembly, we see that this becomes,
roughly:
mov eax, 0 loop_top: cmp eax, 5 jge loop_end call
_MyFunction inc eax jmp loop_top loop_end:
5.2.1 Example:
Optimized
Optimized Code
vs
Non-
The following example is adapted from an algorithm preEach loop iteration requires the following operations to sented in Knuth(vol 1, chapt 1) used to nd the greatest
common denominator of 2 integers. Compare the listbe performed:
ing le of this function when compiler optimizations are
turned on and o.
1. Compare the value in eax (the variable x) to 5, and
/*line 1*/ int EuclidsGCD(int m, int n) /*we want to
jump to the end if greater then or equal
nd the GCD of m and n*/ { int q, r; /*q is the quotient,
r is the remainder*/ while(1) { q = m / n; /*nd q and
2. Increment eax
r*/ r = m % n; if(r == 0) /*if r is 0, return our n value*/
{ return n; } m = n; /*set m to the current n value*/ n
= r; /*set n to our current remainder value*/ } /*repeat*/ }
3. Jump back to the top of the loop.
Compiling with the Microsoft C compiler, we generate a
Notice that we remove all these instructions if we manu- listing le using no optimization:
ally repeat our call to MyFunction():
PUBLIC _EuclidsGCD _TEXT SEGMENT _r$ = 8
call _MyFunction call _MyFunction call _MyFunction ; size = 4 _q$ = 4 ; size = 4 _m$ = 8 ; size = 4 _n$
call _MyFunction call _MyFunction
= 12 ; size = 4 _EuclidsGCD PROC NEAR ; Line 2
push ebp mov ebp, esp sub esp, 8 $L477: ; Line 4 mov
This new version not only takes up less disk space be- eax, 1 test eax, eax je SHORT $L473 ; Line 6 mov
cause it uses fewer instructions, but also runs faster be- eax, DWORD PTR _m$[ebp] cdq idiv DWORD PTR
cause fewer instructions are executed. This process is _n$[ebp] mov DWORD PTR _q$[ebp], eax ; Line 7 mov
called Loop Unwinding.
eax, DWORD PTR _m$[ebp] cdq idiv DWORD PTR
64
_n$[ebp] mov DWORD PTR _r$[ebp], edx ; Line 8 cmp
DWORD PTR _r$[ebp], 0 jne SHORT $L479 ; Line 10
mov eax, DWORD PTR _n$[ebp] jmp SHORT $L473
$L479: ; Line 12 mov ecx, DWORD PTR _n$[ebp]
mov DWORD PTR _m$[ebp], ecx ; Line 13 mov edx,
DWORD PTR _r$[ebp] mov DWORD PTR _n$[ebp],
edx ; Line 14 jmp SHORT $L477 $L473: ; Line 15 mov
esp, ebp pop ebp ret 0 _EuclidsGCD ENDP _TEXT
ENDS END
CHAPTER 5. DIFFICULTIES
assigns storage in the function, and readily discards
values that are not needed.
5.2.2 Example: Manual Optimization

The following lines of assembly code are not optimized,
but they can be optimized very easily. Can you nd a way
to optimize these lines?
mov eax, 1 test eax, eax je SHORT $L473

Notice how there is a very clear correspondence between
the lines of C code, and the lines of the ASM code. the The code in this line is the code generated for the while(
addition of the "; line x directives is very helpful in that 1 )" C code, to be exact, it represents the loop break conrespect.
dition. Because this is an innite loop, we can assume
Next, we compile the same function using a series of op- that these lines are unnecessary.
timizations to stress speed over size:
mov eax, 1 initializes eax.
cl.exe /Tceuclids.c /Fa /Ogt2
the test immediately afterwards tests the value of eax

to ensure that it is nonzero. because eax will always be
and we produce the following listing:
nonzero (eax = 1) at this point, the conditional jump can
PUBLIC _EuclidsGCD _TEXT SEGMENT _m$ = 8
be removed along whith the mov and the test.
; size = 4 _n$ = 12 ; size = 4 _EuclidsGCD PROC
NEAR ; Line 7 mov eax, DWORD PTR _m$[esp-4] The assembly is actually checking whether 1 equals 1.
push esi mov esi, DWORD PTR _n$[esp] cdq idiv Another fact is, that the C code for an innite FOR loop:
esi mov ecx, edx ; Line 8 test ecx, ecx je SHORT for( ; ; ) { ... }
$L563 $L547: ; Line 12 mov eax, esi cdq idiv ecx ;
Line 13 mov esi, ecx mov ecx, edx test ecx, ecx jne
SHORT $L547 $L563: ; Line 10 mov eax, esi pop esi would not create such a meaningless assembly code to be; Line 15 ret 0 _EuclidsGCD ENDP _TEXT ENDS END gin with, and is logically the same as while( 1 )".
As you can see, the optimized version is signicantly 5.2.3 Example: Trace Variables
shorter then the non-optimized version. Some of the key
dierences include:
Here are the C code and the optimized assembly listing
from the EuclidGCD function, from the example above.
The optimized version does not prepare a standard Can you determine which registers contain the variables
stack frame. This is important to note, because r and q?
many times new reversers assume that functions al- /*line 1*/ int EuclidsGCD(int m, int n) /*we want to nd
ways start and end with proper stack frames, and this the GCD of m and n*/ { int q, r; /*q is the quotient, r is
is clearly not the case. EBP isnt being used, ESP isnt the remainder*/ while(1) { q = m / n; /*nd q and r*/
being altered (because the local variables are kept in r = m % n; if(r == 0) /*if r is 0, return our n value*/ {
registers, and not put on the stack), and no subfunc- return n; } m = n; /*set m to the current n value*/ n = r;
tions are called. 5 instructions are cut by this.
/*set n to our current remainder value*/ } /*repeat*/ }
The test EAX, EAX series of instructions in the
non-optimized output, under ";line 4 is all unnecessary. The while-loop is dened by while(1)" and
therefore the loop always continues. this extra code
is safely cut out. Notice also that there is no unconditional jump in the loop like would be expected:
the if(r == 0) return n;" instruction has become the
new loop condition.
The structure of the function is altered greatly: the
division of m and n to produce q and r is performed
in this function twice: once at the beginning of the
function to initialize, and once at the end of the
loop. Also, the value of r is tested twice, in the
same places. The compiler is very liberal with how it

NEAR ; Line 7 mov eax, DWORD PTR _m$[esp-4]
push esi mov esi, DWORD PTR _n$[esp] cdq idiv
esi mov ecx, edx ; Line 8 test ecx, ecx je SHORT
SHORT $L547 $L563: ; Line 10 mov eax, esi pop esi
; Line 15 ret 0 _EuclidsGCD ENDP _TEXT ENDS END
At the beginning of the function, eax contains m, and esi
contains n. When the instruction idiv esi is executed,
eax contains the quotient (q), and edx contains the remainder (r). The instruction mov ecx, edx moves r into
ecx, while q is not used for the rest of the loop, and is
5.3. CODE OBFUSCATION

therefore discarded.
5.2.4
Example:
Code
65
and eax, edx ret
This is an example of using various arithmetic instruc-
Decompile Optimized tions to avoid branching. The neg instruction sets the
Below is the optimized listing le of the EuclidGCD function, presented in the examples above. Can you decompile this assembly code listing into equivalent optimized
C code? How is the optimized version dierent in structure from the non-optimized version?
NEAR ; Line 7 mov eax, DWORD PTR _m$[esp-4]
push esi mov esi, DWORD PTR _n$[esp] cdq idiv
esi mov ecx, edx ; Line 8 test ecx, ecx je SHORT
SHORT $L547 $L563: ; Line 10 mov eax, esi pop esi
; Line 15 ret 0 _EuclidsGCD ENDP _TEXT ENDS END
Altering the conditions to maintain the same structure
gives us:
carry ag if c is not zero; otherwise, it clears the carry

ag. The next line depends on this. If the carry ag is
set, then sbb results in eax = eax - eax - 1 = 0x.
Otherwise, eax = eax - eax = 0. Finally, performing an
and on this result ensures that if ecx was not zero in the
rst place, eax will contain edx, and zero otherwise.
5.2.7 Example: Dus Device

What does the following C code function do? Is it useful?
Why or why not?
void MyFunction(int *arrayA, int *arrayB, int cnt) {
switch(cnt % 6) { while(cnt != 0) { case 0: arrayA[--cnt]
= arrayB[cnt]; case 5: arrayA[--cnt] = arrayB[cnt]; case
4: arrayA[--cnt] = arrayB[cnt]; case 3: arrayA[--cnt] =
arrayB[cnt]; case 2: arrayA[--cnt] = arrayB[cnt]; case 1:
arrayA[--cnt] = arrayB[cnt]; } } }
This piece of code is known as a Dus device or Dus

int EuclidsGCD(int m, int n) { int r; r = m % n; if(r !=
machine. It is used to partially unwind a loop for e0) { do { m = n; r = m % r; n = r; }while(r != 0) } return
ciency. Notice the strange way that the while() is nested
n; }
inside the switch statement? Two arrays of integers are
passed to the function, and at each iteration of the while
It is up to the reader to compile this new optimized C loop, 6 consecutive elements are copied from arrayB to
code, and determine if there is any performance increase. arrayA. The switch statement, since it is outside the while
Try compiling this new code without optimizations rst, loop, only occurs at the beginning of the function. The
and then with optimizations. Compare the new assembly modulo is taken of the variable cnt with respect to 6. If
listings to the previous ones.
cnt is not evenly divisible by 6, then the modulo statement is going to start the loop o somewhere in the middle of the rotation, thus preventing the loop from causing
a buer overow without having to test the current count
5.2.5 Example: Instruction Pairings
after each iteration.
Q Why does the dec/jne combo operate faster than the Dus Device is considered one of the more ecient
equivalent loopnz?
general-purpose methods for copying strings, arrays, or
data streams.
A The dec/jnz pair operates faster then a loopsz for several reasons. First, dec and jnz pair up in the dierent modules of the netburst pipeline, so they can be
5.3 Code Obfuscation
executed simultaneously. Top that o with the fact
that dec and jnz both require few cycles to execute,
while the loopnz (and all the loop instructions, for
that matter) instruction takes more cycles to complete. loop instructions are rarely seen output by
5.3.1 Code Obfuscation
good compilers.
Code Obfuscation is the act of making the assembly
code or machine code of a program more dicult to dis5.2.6 Example: Avoiding Branches
assemble or decompile. The term obfuscation is typically used to suggest a deliberate attempt to add diculty,
Below is an assembly version of the expression c ? d : 0. but many other practices will cause code to be obfuscated
There is no branching in the code, so how does it work? without that being the intention. Software vendors may
; ecx = c and edx = d ; eax will contain c ? d : 0 (eax = d attempt to obfuscate or even encrypt code to prevent reif c is not zero, otherwise eax = 0) neg ecx sbb eax, eax verse engineering eorts. There are many dierent types
66
of obfuscations. Notice that many code optimizations Port0 Double-speed integer arithmetic, oating point
(discussed in the previous chapter) have the side-eect
load, memory store
of making code more dicult to read, and therefore optimizations act as obfuscations.
Port1 Double-speed integer arithmetic, oating point
arithmetic
5.3.2
What is Code Obfuscation?
Port2 memory read
There are many things that obfuscation could be:

Port3 memory write (writes to address bus)
Encrypted code that is decrypted prior to runtime.
Compressed code that is decompressed prior to runtime.
Executables that contain Encrypted sections, and a
simple decrypter.
So for instance, the processor can simultaneously perform

2 integer arithmetic instructions in both Port0 and Port1,
so a compiler will frequently go to great lengths to put
arithmetic instructions close to each other. If the timing is
just right, up to 4 arithmetic instructions can be executed
in a single instruction period.
Code instructions that are put in a hard-to read or- Notice however that writing to memory is particularly
slow (requiring the address to be sent by Port3, and the
der.
data itself to be written by Port0). Floating point num Code instructions which are used in a non-obvious bers need to be loaded to the FPU before they can be
operated on, so a oating point load and a oating point
way.
arithmetic instruction cannot operate on a single value in
a single instruction cycle. Therefore, it is not uncommon
This chapter will try to examine some common methods
to see oating point values loaded, integer values be maof obfuscating code, but will not necessarily delve into
nipulated, and then the oating point value be operated
methods to break the obfuscation.
on.
5.3.3
Interleaving
5.3.4 Non-Intuitive Instructions
Optimizing Compilers will engage in a process called in- Optimizing compilers frequently will use instructions that
terleaving to try and maximize parallelism in pipelined are not intuitive. Some instructions can perform tasks for
processors. This technique is based on two premises:
which they were not designed, typically as a helpful side
eect. Sometimes, one instruction can perform a task
1. That certain instructions can be executed out of or- more quickly than other specialized instructions can.
der and still maintain the correct output
The only way to know that one instruction is faster than
another is to consult the processor documentation. How2. That processors can perform certain pairs of tasks
ever, knowing some of the most common substitutions is
simultaneously.
very useful to the reverser.
x86 NetBurst Architecture
The Intel NetBurst Architecture divides an x86 processor into 2 distinct parts: the supporting hardware, and the
primitive core processor. The primitive core of a processor contains the ability to perform some calculations
blindingly fast, but not the instructions that you or I am
familiar with. The processor rst converts the code instructions into a form called micro-ops that are then
handled by the primitive core processor.
Here are some examples. The code in the rst box operates more quickly than the one in the second, but performs exactly the same tasks.
Example 1
Fast
xor eax, eax
Slow
mov eax, 0
The processor can also be broken down into 4 components, or modules, each of which is capable of perform- Example 2
ing certain tasks. Since each module can operate separately, up to 4 separate tasks can be handled simultane- Fast
ously by the processor core, so long as those tasks can be shl eax, 3
performed by each of the 4 modules:
5.3. CODE OBFUSCATION

Slow
push edx push 8 mul dword [esp] add esp, 4 pop edx ;#
edx is not preserved by mul
67
or operation on two operands. Consider then, the
following example:
mov al, 0xAA xor al, al
Sometimes such transformations could be made to make

What does this do? Lets take a look at the binary:
the analysis more dicult:
10101010 ;10101010 = 0xAA xor 10101010 -------Example 3
00000000
Fast
The answer is that xor reg, reg sets the register to 0.
push $next_instr jmp $some_function $next_instr:...
More importantly, however, is that xor eax, eax sets eax
to 0 faster (and the generated code instruction is smaller)
than an equivalent mov eax, 0.
Slow
call $some_function
Example 4
Fast
pop eax jmp eax
Slow
retn
Common Instruction Substitutions
mov edi, edi On a 64-bit x86 system, this instruction

clears the high 32-bits of the rdi register.
shl, shr left-shifting, in binary arithmetic, is equivalent
to multiplying the operand by 2. Right-shifting is
also equivalent to integer division by 2, although the
lowest bit is dropped. in general, left-shifting by N
spaces multiplies the operand by 2N , and right shifting by N spaces is the same as dividing by 2N . One
important fact is that resulting number is an integer
with no fractional part present. For example:
mov al, 31 ; 00011111 shr al, 1 ; 00001111 = 15, not 15.5
lea The lea instruction has the following form:

xchg xchg exchanges the contents of two registers, or a
register and a memory address. A noteworthy point
is the fact that xchg operates faster than a move inWhere XS is a segment register (SS, DS, CS, etc...), reg1
struction. For this reason, xchg will be used to move
is the base address, reg2 is a variable oset, and x is a
a value from a source to a destination, when the
multiplicative scaling factor. What lea does, essentially,
value in the source no longer needs to be saved.
is load the memory address being pointed to in the second
argument, into the rst argument. Look at the following As an example, consider this code:
example:
mov ebx, eax mov eax, 0
mov eax, 1 lea ecx, [eax + 4]
lea dest, (XS:)[reg1 + reg2 * x]
Here, the value in eax is stored in ebx, and then eax is

Now, what is the value of ecx? The answer is that ecx loaded with the value zero. We can perform the same
has the value of (eax + 4), which is 5. In essence, lea is operation, but using xchg and xor instead:
used to do addition and multiplication of a register and a
xchg eax, ebx xor eax, eax
constant that is a byte or less (128 to +127).
Now, consider:
mov eax, 1 lea ecx, [eax+eax*2]
Now, ecx equals 3.
The dierence is that lea is quick (because it only adds a
register and a small constant), whereas the add and mul
instructions are more versatile, but slower. lea is used
for arithmetic in this fashion very frequently, even when
compilers are not actively optimizing the code.
It may surprise you to learn that the second code example

operates signicantly faster than the rst one does.
5.3.5 Obfuscators
There are a number of tools on the market that will automate the process of code obfuscation. These products
will use a number of transformations to turn a code snippet into a less-readable form, although it will not aect
the program ow itself (although the transformations may
xor The xor instruction performs the bit-wise exclusive- increase code size or execution time).
68
5.3.6
Code Transformations
Disassembling Encrypted Code
Code transformations are a way of reordering code so that To disassemble an encrypted executable, you must rst
it performs exactly the same task but becomes more dif- determine how the code is being decrypted. Code can be
cult to trace and disassemble. We can best demonstrate decrypted in one of two primary ways:
this technique by example. Lets say that we have 2 functions, FunctionA and FunctionB. Both of these two func1. All at once. The entire code portion is decrypted in
tions are comprised of 3 separate parts, which are pera single pass, and left decrypted during execution.
formed in order. We can break this down as such:
Using a debugger, allow the decryption routine to
FunctionA() { FuncAPart1(); FuncAPart2(); FuncArun completely, and then dump the decrypted code
Part3(); } FunctionB() { FuncBPart1(); FuncBPart2();
into a le for further analysis.
FuncBPart3(); }
2. By Block. The code is encrypted in separate blocks,
where each block may have a separate encryption
And we have our main program, that executes the two
key. Blocks may be decrypted before use, and refunctions:
encrypted again after use. Using a debugger, you
main() { FunctionA(); FunctionB(); }
can attempt to capture all the decryption keys and
then use those keys to decrypt the entire program
at once later, or you can wait for the blocks to be
Now, we can rearrange these snippets to a form that is
decrypted, and then dump the blocks individually to
much more complicated (in assembly):
a separate le for analysis.
main: jmp FAP1 FBP3: call FuncBPart3 jmp end FBP1:
call FuncBPart1 jmp FBP2 FAP2: call FuncAPart2 jmp
FAP3 FBP2: call FuncBPart2 jmp FBP3 FAP1: call
FuncAPart1 jmp FAP2 FAP3: call FuncAPart3 jmp 5.4 Debugger Detectors
FBP1 end:
As you can see, this is much harder to read, although it
perfectly preserves the program ow of the original code.
This code is much harder for a human to read, although 5.4.1 Detecting Debuggers
it isn't hard at all for an automated debugging tool (such
as IDA Pro) to read.
It may come as a surprise that a running program can
actually detect the presence of an attached user-mode
debugger. Also, there are methods available to detect
5.3.7 Opaque Predicates
kernel-mode debuggers, although the methods used depend in large part on which debugger is trying to be deAn Opaque Predicate is a predicate inside the code, that tected.
cannot be evaluated during static analysis. This forces the
This subject is peripheral to the narrative of this book,
attacker to perform a dynamic analysis to understand the
and the section should be considered an optional one for
result of the line. Typically this is related to a branch
most readers.
instruction that is used to prevent in static analysis the
understanding which code path is taken.
5.4.2 IsDebuggerPresent API

5.3.8
Code Encryption
The Win32 API contains a function called IsDebuggerCode can be encrypted, just like any other type of data, Present, which will return a boolean true if the program
except that code can also work to encrypt and decrypt is being debugged. The following code snippet will detail
itself. Encrypted programs cannot be directly disassem- a general usage of this function:
bled. However, such a program can also not be run di- if(IsDebuggerPresent())
{
TerminateProrectly because the encrypted opcodes cannot be inter- cess(GetCurrentProcess(), 1); }
preted properly by the CPU. For this reason, an encrypted
program must contain some sort of method for decrypt- Of course, it is easy to spot uses of the IsDebuggerPreing itself prior to operation.
sent() function in the disassembled code, and a skilled reThe most basic method is to include a small stub program verser will simply patch the code to remove this line. For
that decrypts the remainder of the executable, and then OllyDbg, there are many plugins available which hide the
passes control to the decrypted routines.
debugger from this and many other APIs.
5.4. DEBUGGER DETECTORS
5.4.3
PEB Debugger Check
The Process Environment Block stores the value that IsDebuggerPresent queries to determine its return value.
To avoid suspicion, some programmers access the value
directly from the PEB instead of calling the API function. The following code snippet shows how to access the
value:
mov eax, [fs:0x30] mov al, [eax+2] test al, al jne
@DebuggerDetected
69
To detect SoftICE, there are a number of techniques that
can be used:
1. Search for the SoftICE install directory. If SoftICE
is installed, the user is probably a hacker or a reverser.
2. Detect the presence of int 1. SoftICE uses interrupt
1 to debug, so if interrupt 1 is installed, SoftICE is
running.
5.4.7 Detecting OllyDbg

5.4.4
Kernel Mode Debugger Check
On Windows 32 and 64-bit Win <XP?, 7,8.1 and 10.

There is a structure called _KUSER_SHARED_DATA
at oset 0x2D4 it contains the eld named 'KdDebuggerEnabled' which is set to 0x03 if a KDM is active or 0x00
if not.
Base address of the structure is static (0x7FFE0000)
across dierent Windows versions even < XP.
The eld is updated constantly with the last 2 bits set to
'11' by the kernel.
The following assembly instruction will work in both 32
and 64-bit applications:
cmp byte ptr ds:[7FFE02D4], 3 je @DebuggerDetected
This has quite a few advantages. Known Source of information.
5.4.5
Timeouts
Debuggers can put break points in the code, and can

therefore stop program execution. A program can detect
this, by monitoring the system clock. If too much time
has elapsed between instructions, it can be determined
that the program is being stopped and analyzed (although
this is not always the case). If a program is taking too
much time, the program can terminate.
Notice that on preemptive multithreading systems, such
as modern Windows or Linux systems will switch away
from your program to run other programs. This is called
thread switching. If the system has many threads to run,
or if some threads are hogging processor time, your program may detect a long delay and may falsely determine
that the program is being debugged.
5.4.6
Detecting SoftICE
SoftICE is a local kernel debugger, and as such, it can't be

detected as easily as a user-mode debugger can be. The
IsDebuggerPresent API function will not detect the presence of SoftICE.
OllyDbg is a popular 32-bit usermode debugger. Unfortunately, the last few releases, including the latest version (v1.10) contain a vulnerability in the handling of the
Win32 API function OutputDebugString(). A programmer trying to prevent his program from being debugged
by OllyDbg could exploit this vulnerability in order to
make the debugger crash. The author has never released
a x, however there are unocial versions and plugins
available to protect OllyDbg from being exploited using
this vulnerability.
Chapter 6
Resources and Licensing

6.1 Resources
Solaris observation and debugging tools main page:

http://www.opensolaris.org/os/community/
dtrace/
6.1.1
http://www.opensolaris.org/os/community/
mdb/
Wikimedia Resources
Wikibooks
Free Debugging Tools, Static Source Code Analysis

Tools, Bug Trackers
X86 Assembly
Microsoft Developers Network (MSDN): http://

msdn.microsoft.com
Subject:Assembly languages
Compiler Construction
Gareth
Williams:
//gareththegeek.ga.funpic.de/
Floating Point
C Programming
B. Luevelsmeyer PE Format Description":http://

www.cs.bilkent.edu.tr/~{}hozgur/PE.TXT PE format description
C++ Programming
TheirCorp The Unocial TypeLib Data Format

Specication":http://theircorp.byethost11.com/
index.php?vw=TypeLib
Wikipedia
6.1.2
http:
External Resources
MSDN Calling Convention page:
External Links
Dictionary of Algorithms and Data Structures
The MASM Project: http://www.masm32.com/
Charles Petzolds Homepage:

charlespetzold.com/
Randall Hydes Homepage: http://www.cs.ucr.edu/

~{}rhyde/
http://www.
Donald Knuths Homepage: http://www-cs-faculty.

stanford.edu/~{}knuth/
Borland Turbo Assembler: http://info.borland.com/

borlandcpp/cppcomp/tasmfact.html
THE ISA AND PC/104 BUS by Mark Sokos

2000
NASM Project Homepage:

http://nasm.
sourceforge.net/wakka.php?wakka=HomePage
Practically Reversing CRC by Bas Westerbaan

2005
FASM Homepage: http://flatassembler.net/

DCC Decompiler:
CRC and how to Reverse it by anarchriz 1999
Boomerang Decompiler Project:
Reverse Engineering is a Way of Life by Matthew

Russotto
Microsoft debugging tools main page:
the Reverse and Reengineering Wiki

F-Secure Khallenge III: 2008 Reverse Engineering
competition (is this an annual challenge?)
http://www.microsoft.com/whdc/devtools/
debugging/default.mspx
70
6.3. MANUAL OF STYLE

Breaking Eggs And Making Omelettes: Topics On
Multimedia Technology and Reverse Engineering
71
6.3 Manual of Style
Reverse Engineering Stack Exchange
6.3.1 Global Stylesheet
Books
Yurichev, Dennis, An Introduction To Reverse This book has a global stylesheet that can be loaded
Engineering for Beginners. Online book: http: for you. Go to the Gadgets tab at Special:Preferences,
//yurichev.com/writings/RE_for_beginners-en.pdf and activate the "Per-book Javascript and Stylesheets"
gadget.
Eilam, Eldad. Reversing: Secrets of Reverse Engineering. 2005. Wiley Publishing Inc. ISBN
0764574817
Hyde, Randall. The Art of Assembly Language,
No Starch, 2003 ISBN 1886411972
Aho, Alfred V. et al. Compilers: Principles, Techniques and Tools, Addison Wesley, 1986. ISBN:
0321428900
Steven Muchnick, Advanced Compiler Design &
Implementation, Morgan Kaufmann Publishers,
1997. ISBN 1-55860-320-4
Kernighan and Ritchie, The C Programming Language, 2nd Edition, 1988, Prentice Hall.
Petzold, Charles. Programming Windows, Fifth
Edition, Microsoft Press, 1999
Hart, Johnson M. Win32 System Programming,
Second Edition, Addison Wesley, 2001
Gordon, Alan. COM and COM+ Programming
Primer, Prentice Hall, 2000
Nebbett, Gary. Windows NT/2000 Native API
Reference, Macmillan, 2000
Levine, John R. Linkers and Loaders, MorganKauman, 2000
Knuth, Donald E. The Art of Computer Programming, Vol 1, 1997, Addison Wesley.
MALWARE: Fighting Malicious Code, by Ed Skoudis; Prentice Hall, 2004
Maximum Linux Security, Second Edition, by Anonymous; Sams, 2001
6.2 Licensing
6.2.1
Licensing
This book is released under the following license:
Chapter 7
Text and image sources, contributors, and

licenses
7.1 Text
Wikibooks:Collections Preface Source: https://en.wikibooks.org/wiki/Wikibooks%3ACollections_Preface?oldid=2842060 Contributors: RobinH, Whiteknight, Jomegat, Mike.lifeguard, Martin Kraus, Adrignola, Magesha and MadKaw
X86 Disassembly/Cover Source: https://en.wikibooks.org/wiki/X86_Disassembly/Cover?oldid=2595883 Contributors: Whiteknight, Icktoofay and Anonymous: 2
X86 Disassembly/Introduction Source:
DavidCary and Whiteknight
https://en.wikibooks.org/wiki/X86_Disassembly/Introduction?oldid=2370674 Contributors:
X86 Disassembly/Assemblers and Compilers Source: https://en.wikibooks.org/wiki/X86_Disassembly/Assemblers_and_Compilers?

oldid=3018566 Contributors: DavidCary, Panic2k4, AlbertCahalan, Whiteknight, Az1568, Gcaprino, Scientes, Sigma 7, Adrignola, Jfmantis, EleoTager, Artoria2e5, Syum90 and Anonymous: 22
X86 Disassembly/Disassemblers and Decompilers Source: https://en.wikibooks.org/wiki/X86_Disassembly/Disassemblers_and_
Decompilers?oldid=3083227 Contributors: DavidCary, Mshonle, Panic2k4, AlbertCahalan, Quoth-22, Whiteknight, Mike Van Emmerik,
Koavf, Mdupont, 0xf001, Jkl, MichaelFrey, Svdb, Herbythyme, Macpunk, C1de0x, Ysangkok, Phatom87, Gannalech, SamB, Spongebob88, QuiteUnusual, Afog, Adrignola, Duplode, JamesCrook, Voomoo, M.boli, Jfmantis, EleoTager, Artoria2e5, Chip Wildon Forster,
C4Decompiler, Aquynh, Andy80586, Xradonx, Sfrlz, Mrexodia and Anonymous: 100
X86 Disassembly/Disassembly Examples Source: https://en.wikibooks.org/wiki/X86_Disassembly/Disassembly_Examples?oldid=
1232569 Contributors: Whiteknight and Anonymous: 1
X86 Disassembly/Analysis Tools Source: https://en.wikibooks.org/wiki/X86_Disassembly/Analysis_Tools?oldid=3094739 Contributors:
Utcursch, Panic2k4, Marcika, AlbertCahalan, Quoth-22, Whiteknight, Jomegat, Kaosone, Perpetuum~enwikibooks, Hagindaz, Wikimoder~enwikibooks, Dr Dnar, Macpunk, Frozen dude, AnthonyD~enwikibooks, Spongebob88, MohammadEbrahim, QuiteUnusual,
Jodell1, Adrignola, Jfmantis, KenMacD, Rohitab, Rotlink, Artoria2e5, IamMe3141 and Anonymous: 65
X86 Disassembly/Microsoft Windows Source: https://en.wikibooks.org/wiki/X86_Disassembly/Microsoft_Windows?oldid=3137993
Contributors: Panic2k4, Quoth-22, Whiteknight, Hexed321, Chazz, Mantis~enwikibooks, Wj32, Gcaprino, Adrignola, Dennis714,
Gary600playsmc, Luis150902 and Anonymous: 35
X86 Disassembly/Windows Executable Files Source: https://en.wikibooks.org/wiki/X86_Disassembly/Windows_Executable_Files?
oldid=3088866 Contributors: Quoth-22, Whiteknight, Shokuku, Barthax, Hexed321, Dr Dnar, Gcaprino, Chris.digiamo, Van der Hoorn,
Adrignola, LaZ0r, EroCarrera, Ashpilkin, Self~enwikibooks, CallumPoole, Luis150902, Cwilson2016 and Anonymous: 31
X86 Disassembly/Linux Source: https://en.wikibooks.org/wiki/X86_Disassembly/Linux?oldid=2027237 Contributors: Whiteknight, Dr
Dnar, Gcaprino, Recent Runes, MohammadEbrahim, Adrignola, Swatnio~enwikibooks and Anonymous: 10
X86 Disassembly/Linux Executable Files Source: https://en.wikibooks.org/wiki/X86_Disassembly/Linux_Executable_Files?oldid=
2748762 Contributors: Orderud, Whiteknight, Ddouthitt, Gcaprino, ChrisR~enwikibooks, Ulf Abrahamsson~enwikibooks, Artoria2e5
and Anonymous: 2
X86 Disassembly/The Stack Source:
https://en.wikibooks.org/wiki/X86_Disassembly/The_Stack?oldid=2622875 Contributors:
Whiteknight, Dr Dnar, Swift, Mantis~enwikibooks, Gcaprino, Gannalech, Jsvcycling, Jfmantis, X-Fi6 and Anonymous: 17
X86 Disassembly/Functions and Stack Frames Source: https://en.wikibooks.org/wiki/X86_Disassembly/Functions_and_Stack_
Frames?oldid=3064266 Contributors: Whiteknight, Hagindaz, Mantis~enwikibooks, Gcaprino, Gannalech, Svick, Jfmantis and Anonymous: 26
X86 Disassembly/Functions and Stack Frame Examples Source: https://en.wikibooks.org/wiki/X86_Disassembly/Functions_and_
Stack_Frame_Examples?oldid=2759822 Contributors: Whiteknight, NipplesMeCool, Jfmantis and Anonymous: 2
X86 Disassembly/Calling Conventions Source: https://en.wikibooks.org/wiki/X86_Disassembly/Calling_Conventions?oldid=3118519
Contributors: DavidCary, Whiteknight, Mantis~enwikibooks, Gcaprino, Sigma 7, Timjr~enwikibooks, Crazy Ivan, Jfmantis and Anonymous: 22
72
7.2. IMAGES
73
X86 Disassembly/Calling Convention Examples Source: https://en.wikibooks.org/wiki/X86_Disassembly/Calling_Convention_

Examples?oldid=2699639 Contributors: Cspurrier, Whiteknight, Spongebob88, NipplesMeCool and Anonymous: 13
X86 Disassembly/Branches Source:
https://en.wikibooks.org/wiki/X86_Disassembly/Branches?oldid=2739113 Contributors:
Whiteknight, Chazz, Mantis~enwikibooks, Leonus~enwikibooks, Gcaprino, Gannalech, Spongebob88, Adrignola and Anonymous: 11
X86 Disassembly/Branch Examples Source: https://en.wikibooks.org/wiki/X86_Disassembly/Branch_Examples?oldid=1791851 Contributors: Whiteknight, NipplesMeCool, Jason Lee~enwikibooks and Anonymous: 3
X86 Disassembly/Loops Source: https://en.wikibooks.org/wiki/X86_Disassembly/Loops?oldid=3014964 Contributors: Whiteknight,
Mantis~enwikibooks, Gcaprino, Justyna.ilczuk and Anonymous: 5
X86 Disassembly/Loop Examples Source: https://en.wikibooks.org/wiki/X86_Disassembly/Loop_Examples?oldid=1975904 Contributors: Whiteknight, Sz~enwikibooks and Anonymous: 4
X86 Disassembly/Variables Source:
https://en.wikibooks.org/wiki/X86_Disassembly/Variables?oldid=3045584
Whiteknight, Mantis~enwikibooks, Gcaprino, Shnizzedy, Spongebob88 and Anonymous: 6
Contributors:
X86 Disassembly/Variable Examples Source: https://en.wikibooks.org/wiki/X86_Disassembly/Variable_Examples?oldid=1480358

Contributors: Whiteknight and NipplesMeCool
X86 Disassembly/Data Structures Source: https://en.wikibooks.org/wiki/X86_Disassembly/Data_Structures?oldid=3103795 Contributors: Whiteknight, Mantis~enwikibooks, Gcaprino, Dirk Hnniger and Anonymous: 4
X86 Disassembly/Objects and Classes Source: https://en.wikibooks.org/wiki/X86_Disassembly/Objects_and_Classes?oldid=2501049
Contributors: Whiteknight, Mantis~enwikibooks, Isaiah.v, Dirk Hnniger and Anonymous: 6
X86 Disassembly/Floating Point Numbers Source: https://en.wikibooks.org/wiki/X86_Disassembly/Floating_Point_Numbers?oldid=
3121607 Contributors: Whiteknight, Gcaprino, Spongebob88, JackPotte, Abhi166~enwikibooks, Jfmantis and Anonymous: 1
X86 Disassembly/Floating Point Examples Source: https://en.wikibooks.org/wiki/X86_Disassembly/Floating_Point_Examples?oldid=
1076115 Contributors: Whiteknight
X86 Disassembly/Code Optimization Source: https://en.wikibooks.org/wiki/X86_Disassembly/Code_Optimization?oldid=3162808
Contributors: Whiteknight, Silmethule, Gcaprino, Luis150902 and Anonymous: 7
X86 Disassembly/Optimization Examples Source: https://en.wikibooks.org/wiki/X86_Disassembly/Optimization_Examples?oldid=
2676907 Contributors: Whiteknight, Wj32, I-VANN and Anonymous: 5
X86 Disassembly/Code Obfuscation Source: https://en.wikibooks.org/wiki/X86_Disassembly/Code_Obfuscation?oldid=3087381 Contributors: DavidCary, AlbertCahalan, Whiteknight, Wj32, Gcaprino, Adrignola, Dirk Hnniger, JamesCrook, Luis150902 and Anonymous:
18
X86 Disassembly/Debugger Detectors Source: https://en.wikibooks.org/wiki/X86_Disassembly/Debugger_Detectors?oldid=3141472
Contributors: Orderud, Whiteknight, D0gg, Chris.digiamo, Luis150902 and Anonymous: 4
X86 Disassembly/Resources Source: https://en.wikibooks.org/wiki/X86_Disassembly/Resources?oldid=2578714 Contributors: DavidCary, Whiteknight, Adrignola, Cognoscent and Anonymous: 3
X86 Disassembly/Licensing
Whiteknight
Source:
https://en.wikibooks.org/wiki/X86_Disassembly/Licensing?oldid=1075890
Contributors:
X86 Disassembly/Manual of Style Source: https://en.wikibooks.org/wiki/X86_Disassembly/Manual_of_Style?oldid=1076917 Contributors: Whiteknight
7.2 Images
File:1Fh_01.png Source: https://upload.wikimedia.org/wikibooks/en/a/af/1Fh_01.png License: Fair use Contributors: ? Original artist: ?
File:C_language_building_steps.png Source: https://upload.wikimedia.org/wikipedia/commons/b/b3/C_language_building_steps.png
License: CC-BY-SA-3.0 Contributors: ? Original artist: ?
File:C_language_do_while.png Source: https://upload.wikimedia.org/wikipedia/commons/2/21/C_language_do_while.png License: CC
BY 3.0 Contributors: Own work Original artist: Thedsadude
File:C_language_for.png Source: https://upload.wikimedia.org/wikipedia/commons/5/51/C_language_for.png License: CC BY 3.0 Contributors: Own work Original artist: Thedsadude
File:C_language_if.png Source: https://upload.wikimedia.org/wikipedia/commons/f/fb/C_language_if.png License: CC BY 3.0 Contributors: Own work Original artist: Thedsadude
File:C_language_if_else.png Source: https://upload.wikimedia.org/wikipedia/commons/a/ac/C_language_if_else.png License: CC BY
3.0 Contributors: Own work Original artist: Thedsadude
File:C_language_linked_list.png Source: https://upload.wikimedia.org/wikipedia/commons/1/1b/C_language_linked_list.png License:
CC BY 3.0 Contributors: Own work Original artist: Thedsadude
File:Data_stack.svg Source: https://upload.wikimedia.org/wikipedia/commons/2/29/Data_stack.svg License: Public domain Contributors: made in Inkscape, by myself User:Boivie. Based on Image:Stack-sv.png, originally uploaded to the Swedish Wikipedia in 2004 by
sv:User:Shrimp Original artist: User:Boivie
File:Elf-layout--en.svg Source: https://upload.wikimedia.org/wikipedia/commons/7/77/Elf-layout--en.svg License: CC BY-SA 3.0 Contributors: Own work Original artist: Suruea
File:Heckert_GNU_white.svg Source: https://upload.wikimedia.org/wikipedia/commons/2/22/Heckert_GNU_white.svg License: CC
BY-SA 2.0 Contributors: gnu.org Original artist: Aurelio A. Heckert <[email protected]>
74
CHAPTER 7. TEXT AND IMAGE SOURCES, CONTRIBUTORS, AND LICENSES
File:Information_icon.svg Source: https://upload.wikimedia.org/wikipedia/commons/3/35/Information_icon.svg License: Public domain Contributors: en:Image:Information icon.svg Original artist: El T
File:Kernel-exo.svg Source: https://upload.wikimedia.org/wikipedia/commons/8/8f/Kernel-exo.svg License: CC-BY-SA-3.0 Contributors: self-made, based on Image:Kernel-exo.png by User:Aholstenson Original artist: Surachit
File:RevEngDosHead.JPG Source: https://upload.wikimedia.org/wikipedia/commons/2/2f/RevEngDosHead.JPG License: Public domain Contributors: Transferred from en.wikibooks to Commons by Adrignola using CommonsHelper. Original artist: Whiteknight at
English Wikibooks
File:RevEngPEFile.JPG Source: https://upload.wikimedia.org/wikipedia/commons/e/ea/RevEngPEFile.JPG License: Public domain
Contributors: Transferred from en.wikibooks to Commons by Adrignola using CommonsHelper. Original artist: Whiteknight at English
Wikibooks
File:RevEngPeSig.JPG Source: https://upload.wikimedia.org/wikipedia/commons/c/ca/RevEngPeSig.JPG License: Public domain Contributors: Transferred from en.wikibooks; transferred to Commons by User:Adrignola using CommonsHelper. Original artist: Original
uploader was Whiteknight at en.wikibooks
File:ReverseEngineeringPop.JPG Source: https://upload.wikimedia.org/wikibooks/en/8/8c/ReverseEngineeringPop.JPG License: Public domain Contributors: ? Original artist: ?
File:ReverseEngineeringPush.JPG Source: https://upload.wikimedia.org/wikibooks/en/9/98/ReverseEngineeringPush.JPG License:
Public domain Contributors: ? Original artist: ?
File:Tree-data-structure.svg Source: https://upload.wikimedia.org/wikipedia/commons/4/45/Tree-data-structure.svg License: GFDL
1.2 Contributors: ? Original artist: ?
File:Wikibooks-logo-en-noslogan.svg Source: https://upload.wikimedia.org/wikipedia/commons/d/df/Wikibooks-logo-en-noslogan.
svg License: CC BY-SA 3.0 Contributors: Own work Original artist: User:Bastique, User:Ramac et al.
File:Wikipedia-logo.png Source: https://upload.wikimedia.org/wikipedia/commons/6/63/Wikipedia-logo.png License: GFDL Contributors: based on the rst version of the Wikipedia logo, by Nohat. Original artist: version 1 by Nohat (concept by Paullusmagnus);
7.3 Content license

Creative Commons Attribution-Share Alike 3.0

x86 Disassembly

Uploaded by

Copyright:

Available Formats

x86 Disassembly

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

x86 Disassembly

Uploaded by

Copyright:

Available Formats

x86 Disassembly

Exploring the relationship between C, x86 Assembly, and Machine

What is this book? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Who are the authors?

What Is This Book About? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

What Will This Book Cover?

Who Is This Book For?

What Are The Prerequisites? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Intel Syntax Assemblers

(x86) AT&T Syntax Assemblers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Common C/C++ Compilers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Disassemblers and Decompilers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

A General view of Disassembling

Example: Hello World Listing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Example: Basic Disassembly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Other Tools for Windows

Other Tools for Linux

System calls and interrupts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2.1.10 Win64 API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2.1.11 Windows Vista . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2.1.12 Windows CE/Mobile, and other versions . . . . . . . . . . . . . . . . . . . . . . . . . . .

2.1.13 Non-Executable Memory

2.1.14 COM and Related Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2.1.15 Remote Procedure Calls (RPC)

Windows Executable Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

MS-DOS COM Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

MS-DOS EXE Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Relative Virtual Addressing (RVA)

Imports and Exports - Linking to other modules . . . . . . . . . . . . . . . . . . . . . . .

2.2.12 Alternate Bound Import Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2.2.13 Windows DLL Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Linux Executable Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Relocatable ELF Files

Push and Pop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Reading Without Popping

Functions and Stack Frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Functions and Stack Frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Standard Entry Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Standard Exit Sequence

Non-Standard Stack Frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Local Static Variables

Functions and Stack Frame Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Example: Number of Parameters

Example: Standard Entry Sequences . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Standard C Calling Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C++ Calling Convention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Note on Name Decorations

Calling Convention Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Example: C Calling Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Example: Named Assembly Function

Example: Unnamed Assembly Function . . . . . . . . . . . . . . . . . . . . . . . . . . .

Example: Another Unnamed Assembly Function

Example: Name Mangling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Example: Number of Parameters

Example: Identify Branch Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Other Loop Types

Example: Identify Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Example: Complete C Prototype . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Example: Decompile To C Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .