Assembly Language for Beginners

5.10. LOOPS And here is an example of very typical MIPS code. As we may recall, every MIPS (and also ARM in ARM mode or ARM64) i ...

5.10. LOOPS Sparse files This is sparse file with data scattered amidst almost empty file. Each space character here is in fact ...

5.10. LOOPS Compressed file This file is just some compressed archive. It has relatively high entropy and visually looks just ch ...

5.10. LOOPS CDFS^27 OSinstallations are usually distributed as ISO files which are copies of CD/DVD discs. Filesystem used is na ...

5.10. LOOPS 32-bit x86 executable code This is how 32-bit x86 executable code looks like. It has not very high entropy, because ...

5.10. LOOPS BMP graphics files BMPfilesarenotcompressed, soeachbyte(orgroupofbytes)describeseachpixel. I’vefoundthispicture some ...

5.11. ISADETECTION For example, if you had a loaded game on an 8-bit computer (there isn’t much memory on these, but the game us ...

5.11. ISADETECTION Disassembling from an incorrect start (x86) Unlike ARM and MIPS (where any instruction has a length of 2 or 4 ...

5.11. ISADETECTION Listing 5.7: random noise (x86) mov bl, 0Ch mov ecx, 0D38558Dh mov eax, ds:2C869A86h db 67h mov dl, 0CCh insb ...

5.11. ISADETECTION mov esi, 659D1985h Listing 5.8: random noise (x86-64) lea esi, [rax+rdx*4+43558D29h] loc_AF3: ; CODE XREF: se ...

5.11. ISADETECTION STRNEB R5, [R4],#0xCA2 STMNEIB R5, {R0,R4,R6,R7,R9-SP,PC} STMIA R8, {R0,R2-R4,R7,R8,R10,SP,LR}^ STRB SP, [R8] ...

5.12 Text strings right in the middle of compressed data. LDR R1, [R3,#0x3C] STR R1, [R5,#0x60] BCC 0xFFFFFF70 LDR R4, [SP,#0x1D ...

5.12. TEXT STRINGS RIGHT IN THE MIDDLE OF COMPRESSED DATA % xxd -g 1 -seek 0x515c550 -l 0x30 linux-4.10.2.tar.gz 0515c550: c5 59 ...

5.13 Other things datatocontainthesewords,however,Icheatedabit: Isearchedforbothlowercaseanduppercasestrings, thus compressed da ...

Chapter 6 OS-specific 6.1 Arguments passing methods (calling conventions) 6.1.1 cdecl This is the most popular method for passin ...

6.1. ARGUMENTS PASSING METHODS (CALLING CONVENTIONS) As a consequence, the number of function arguments can be easily deduced fr ...

6.1. ARGUMENTS PASSING METHODS (CALLING CONVENTIONS) Forexample,wemaytakethefunctionfrom1.86onpage97andchangeitslightlybyaddinga ...

6.1. ARGUMENTS PASSING METHODS (CALLING CONVENTIONS) 6.1.5 x86-64 Windows x64 The method of for passing arguments in Win64 somew ...

6.1. ARGUMENTS PASSING METHODS (CALLING CONVENTIONS) mov DWORD PTR [rsp+32], eax mov r9d, DWORD PTR c$[rsp] mov r8d, DWORD PTR b ...

6.1. ARGUMENTS PASSING METHODS (CALLING CONVENTIONS) If we compile the example with optimizations, it is to be almost the same, ...