4 2 Code Construct Assembly

The document discusses various code constructs like global vs local variables, arithmetic operations, if/else statements, for/while loops, function call conventions, switch statements, jump tables, and arrays. It explains how each construct appears at the assembly level and how the implementation can differ based on the compiler. The goal is to help analyze disassembled code at a higher level of abstraction rather than focusing on individual instructions.

Uploaded by Jayesh Shinde

Code Construct Assembly

Chapter 6
Code Construct Concept
• An entire disassembled program runs to thousands or millions of lines; analyzing every single line is too tedious.
• Obtain a high-level picture of the code's functionality instead.
• Analyze instructions in groups, and focus on individual instructions only on an as-needed basis.
• This skill takes time to develop.
Code Construct Concept
• Definition: a code construct is a level of abstraction that defines a functional property of the code (what it does) without the details of how it is implemented.
• Goal: go from raw disassembly back to high-level constructs.
• Examine the differences between compilers, since they affect how a particular construct appears in assembly.
• Focus on the C language.
Global vs. Local Variables
• Global variables are stored in the .data section (initialized) or the .bss section (uninitialized) of the process and are referenced by absolute memory address.
• Local variables are stored on the stack and are referenced relative to the stack frame (an offset from EBP or ESP).
• The difference between global and local variables in C source is small.
• Their assembly is quite different.
Global vs. Local Variables

Global version (x and y live in the .data section):

    #include <stdio.h>

    int x = 1;
    int y = 2;

    void a()
    {
        x = x + y;
        printf("Total = %d\n", x);
    }

    int main() { a(); }

Local version (x and y live in a()'s stack frame):

    #include <stdio.h>

    void a()
    {
        int x = 1;
        int y = 2;
        x = x + y;
        printf("Total = %d\n", x);
    }

    int main() { a(); }

[Figure: IDA Pro disassembly of both versions compiled with MinGW GCC. In the global version x is accessed at memory location 0x40CF60 by absolute address; in the local version x and y are accessed at offsets from the stack frame.]

Question: local variable vs. global variable. Compare how each is referenced in the two disassemblies.
Arithmetic Operations
If Statements

    #include <stdio.h>

    void f()
    {
        int x = 1;
        int y = 2;
        if (x == y) {
            printf("x equals y.\n");
        } else {
            printf("x is not ");
        }
    }

    int main() { f(); }


[Figure: IDA Pro graph view of f(). After the compare, jnz (jump if not zero, i.e. not equal) goes to the else branch; when the jump is not taken the two values are equal, so the fall-through block is the x == y case.]


For Loops

[Figure: disassembly of a for loop. The counter is initialized to zero, then compared with 64h (100); jg (jump if greater) exits the loop; the body (execution) calls printf; the counter is increased by one and control returns to the comparison. A register is cleared before use.]

Look for the four parts of a for loop in the disassembly: initialization, comparison, execution (the body), increment.
While Loops
• Malware often uses a while loop to keep looping until a condition is met.

[Figure: disassembly of a while loop. The conditional jump after the comparison is the only exit from the loop; the unconditional jump at the bottom returns to the comparison.]
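The if/else, for-loop and while-loop patterns above can be recognized mechanically from the shape of the jumps: a backward jump closes a loop, and a forward conditional jump whose fall-through block ends in a jmp over a second block is an if/else. The following is an added example written for this page, not code from the original slides or the book; the two disassembly listings are constructed to mirror the slide figures (IDA-style loc_/var_ naming is assumed), and the recognizer is a deliberately small heuristic over such text, not an IDA API.

```python
import re

# Constructed IDA-style listings for this example (not the deck's figures). IF_ELSE mirrors
# the if-statement slide: cmp, jnz skipping the "x equals y" branch, jmp over the else block.
# FOR_LOOP mirrors the for-loop slide: init to 0, compare with 64h, jg exits, body, i++, jump back.
IF_ELSE_LISTING = """
0040100E mov     eax, [ebp+var_4]
00401011 cmp     eax, [ebp+var_8]
00401014 jnz     short loc_401025
00401016 push    offset aXEqualsY
0040101B call    printf
00401020 add     esp, 4
00401023 jmp     short loc_401032
00401025 push    offset aXIsNot
0040102A call    printf
0040102F add     esp, 4
00401032 xor     eax, eax
"""
FOR_LOOP_LISTING = """
00401000 mov     [ebp+var_4], 0
00401007 jmp     short loc_401012
00401009 mov     eax, [ebp+var_4]
0040100C add     eax, 1
0040100F mov     [ebp+var_4], eax
00401012 cmp     [ebp+var_4], 64h
00401016 jg      short loc_401027
00401018 push    offset aHello
0040101D call    printf
00401022 add     esp, 4
00401025 jmp     short loc_401009
00401027 xor     eax, eax
"""

INSN_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+(\w+)\s*(.*)$")
IMM_RE = re.compile(r"\d[0-9A-Fa-f]*h?|0x[0-9A-Fa-f]+")     # IDA immediates: 64h, 0, 0x64
COND_JUMPS = {"jz", "jnz", "je", "jne", "jg", "jge", "jl", "jle", "ja", "jae", "jb", "jbe", "js", "jns"}

def parse_listing(text):
    """[(address, mnemonic, operands)] for every instruction line."""
    found = [INSN_RE.match(l.strip()) for l in text.strip().splitlines()]
    return [(int(m.group(1), 16), m.group(2).lower(), m.group(3).strip()) for m in found if m]

def jump_target(operands):
    m = re.search(r"loc_([0-9A-Fa-f]+)", operands)
    return int(m.group(1), 16) if m else None

def parse_imm(tok):
    return int(tok[:-1], 16) if tok.lower().endswith("h") else int(tok, 0)

def last_cmp_before(insns, addr):
    """The cmp/test whose flags the jcc at `addr` consumes."""
    return next(((m, o) for a, m, o in reversed(insns) if a < addr and m in ("cmp", "test")), None)

def find_loops(insns):
    """A backward jump closes a loop: report its range, the compare guarding the exit,
    the counter and bound compared, and whether the body increments (the i++ step)."""
    loops = []
    for addr, mn, ops in insns:
        tgt = jump_target(ops) if (mn == "jmp" or mn in COND_JUMPS) else None
        if tgt is None or tgt >= addr:
            continue
        body = [(a, m, o) for a, m, o in insns if tgt <= a <= addr]
        exit_jcc = next(((a, m) for a, m, o in body
                         if m in COND_JUMPS and (jump_target(o) or 0) > addr), None)
        cmp_insn = last_cmp_before(body, exit_jcc[0]) if exit_jcc else None
        counter = bound = None
        if cmp_insn and "," in cmp_insn[1]:
            counter, rhs = [s.strip() for s in cmp_insn[1].split(",", 1)]
            bound = parse_imm(rhs) if IMM_RE.fullmatch(rhs) else rhs
        bumps = any(m == "inc" or (m == "add" and o.endswith(", 1")) for _, m, o in body)
        loops.append({"head": tgt, "tail": addr, "exit_jump": exit_jcc[1] if exit_jcc else None,
                      "counter": counter, "bound": bound, "increments_counter": bumps})
    return loops

def find_conditionals(insns):
    """A forward jcc outside any loop is an if. The fall-through block runs when the jump
    is NOT taken (for jnz: when the operands were equal). If that block ends in a jmp past
    the jcc target, the target is the else block."""
    loops, addrs, found = find_loops(insns), [a for a, _, _ in insns], []
    for addr, mn, ops in insns:
        tgt = jump_target(ops) if mn in COND_JUMPS else None
        if tgt is None or tgt <= addr or any(l["head"] <= addr <= l["tail"] for l in loops):
            continue
        i = addrs.index(addr)
        then_start = addrs[i + 1] if i + 1 < len(addrs) else tgt
        prev = next(((m, o) for a, m, o in reversed(insns) if a < tgt), None)
        else_end = jump_target(prev[1]) if prev and prev[0] == "jmp" else None
        else_block = (tgt, else_end) if else_end and else_end > tgt else None
        found.append({"jcc": mn, "test": last_cmp_before(insns, addr),
                      "then": (then_start, tgt), "else": else_block})
    return found
```

On the for-loop listing the recognizer reports one loop from 0x401009 to 0x401025 whose exit is the jg after `cmp [ebp+var_4], 64h` (counter var_4, bound 100) with an increment in the body, which is exactly the initialization / comparison / execution / increment shape the slide says to look for; the jg inside the loop is not reported as an if. On the if/else listing it reports a jnz whose fall-through block (the "x equals y" printf) ends in a jmp over the else block. Compiler differences (a while loop compiled with the test at the bottom, an optimizer that unrolls or rotates a loop) will defeat such simple heuristics, which is why the graph view remains the tool of choice.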
Function call conventions
• A calling convention governs how a function call takes place:
  • the order in which parameters are placed on the stack or in registers
  • whether the caller or the callee is responsible for cleaning up the stack
• It depends on the compiler (and on the API being called).
• cdecl: parameters are pushed onto the stack from right to left, the caller cleans up the stack when the call completes, and the return value is placed in EAX.

cdecl

1. Push the parameters onto the stack from right to left, so the first parameter ends up on top (at the lowest address).
2. The stack is cleaned up by the caller after the call returns.
3. e.g. add esp, 0Ch (3 parameters * 4 bytes each) discards the arguments; the stack grows downward, so adding to ESP shrinks it back to where it was before the pushes.
Function call conventions
• stdcall
  • like cdecl, parameters are pushed right to left, but the callee (the function being called) is responsible for cleaning up the stack
  • used by the Win32 API functions
• fastcall
  • the first few arguments are passed in registers (ECX and EDX on Microsoft and GCC x86 compilers) when possible; any remaining arguments go on the stack, and the callee cleans those up
  • a hybrid approach: register passing avoids stack traffic for those arguments, so it is more efficient
  • the details are compiler-specific, and this calling convention only applies to the x86 architecture
Compiler Dependence: Push vs. Move
• Push: each argument is pushed, so the stack pointer moves down with every push (a direct write to the new stack top) and must be restored after the call (add esp, N).
• Move: the compiler reserves stack space once in the function prologue and writes the arguments with mov [esp+N], ...; the stack pointer is never altered at the call site, so no add esp follows the call.
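Pulling the three conventions and the push-vs-move difference above together, the questions an analyst asks at each call site are: how were the arguments placed (push, mov [esp+N], or ecx/edx), and who removed them afterwards (an `add esp, N` by the caller, or nothing because the callee did it)? The following is an added example written for this page, not code from the original slides or the book; the four call sites are constructed x86-32 snippets with placeholder names (sub_401000, aCaption, var_4), and the classifier is a heuristic over such text, not a real disassembler feature.

```python
import re

# Constructed IDA-style call sites written for this example (not the deck's figures):
# the few instructions around one call, x86-32. Names like sub_401000, aCaption and
# var_4 are placeholders.
CALL_SITES = {
    # cdecl: pushed right to left, caller removes 3*4 bytes after the call
    "cdecl_push": ["push    3", "push    2", "push    1",
                   "call    sub_401000", "add     esp, 0Ch"],
    # stdcall (Win32 API): pushes, but no add esp afterwards -- the callee cleaned up
    "stdcall_win32": ["push    0", "push    offset aCaption", "push    offset aText",
                      "push    0", "call    ds:MessageBoxA", "mov     [ebp+var_4], eax"],
    # fastcall: first two args in ecx/edx, the third on the stack, callee cleans it
    "fastcall": ["push    3", "mov     edx, 2", "mov     ecx, 1",
                 "call    sub_401100", "mov     [ebp+var_4], eax"],
    # GCC "move" style: args written into space reserved in the prologue; esp untouched
    "cdecl_mov": ["mov     dword ptr [esp+8], 3", "mov     dword ptr [esp+4], 2",
                  "mov     dword ptr [esp], 1", "call    sub_401000",
                  "mov     [ebp+var_4], eax"],
}

ESP_SLOT_RE = re.compile(r"(?:dword ptr )?\[esp(?:\+([0-9A-Fa-f]+h?))?\]")

def parse_imm(tok):
    """IDA writes immediates as 0Ch or 12; accept both."""
    tok = tok.strip()
    return int(tok[:-1], 16) if tok.lower().endswith("h") else int(tok, 0)

def split_insn(line):
    mn, _, ops = line.strip().partition(" ")
    return mn.lower(), ops.strip()

def classify_call(site):
    """Infer the calling convention and argument count for the one call in `site`."""
    insns = [split_insn(l) for l in site]
    call_idx = next(i for i, (mn, _) in enumerate(insns) if mn == "call")
    pushes, reg_args, esp_slots = 0, [], set()
    # Walk backwards from the call; stop at the first instruction that is not
    # argument setup (push / mov / lea).
    for mn, ops in reversed(insns[:call_idx]):
        if mn == "push":
            pushes += 1
        elif mn in ("mov", "lea"):
            dst = ops.split(",")[0].strip()
            slot = ESP_SLOT_RE.fullmatch(dst)
            if slot:                                  # mov [esp+N], arg
                esp_slots.add(parse_imm(slot.group(1)) if slot.group(1) else 0)
            elif dst in ("ecx", "edx"):               # fastcall register argument
                reg_args.append(dst)
        else:
            break
    # Caller cleanup shows up as `add esp, N` right after the call.
    after = insns[call_idx + 1] if call_idx + 1 < len(insns) else ("", "")
    cleanup = 0
    if after[0] == "add" and after[1].split(",")[0].strip() == "esp":
        cleanup = parse_imm(after[1].split(",")[1])
    if esp_slots:           # stack pointer never altered: caller reserved the frame
        conv, stack_args = "cdecl (mov-style)", max(esp_slots) // 4 + 1
    elif cleanup:           # caller cleans up: cdecl
        conv, stack_args = "cdecl", cleanup // 4
    elif reg_args:          # ecx/edx set, no caller cleanup
        conv, stack_args = "fastcall", pushes
    else:                   # pushes with no cleanup: callee cleaned, stdcall
        conv, stack_args = "stdcall", pushes
    return {"target": insns[call_idx][1], "convention": conv,
            "stack_args": stack_args, "register_args": sorted(reg_args),
            "pushes": pushes, "caller_cleanup_bytes": cleanup}

def classify_all(sites=CALL_SITES):
    return {name: classify_call(site)["convention"] for name, site in sites.items()}

if __name__ == "__main__":
    for name, site in CALL_SITES.items():
        print(name, classify_call(site))
```

Two caveats a practitioner should keep in mind. A call with no arguments looks the same under cdecl and stdcall (no pushes, no cleanup), so convention cannot be inferred from such a site alone. And a compiler is free to batch the cleanup of several consecutive cdecl calls into one larger `add esp, N`, in which case the cleanup size no longer equals the argument count of the call immediately before it.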
Switch Statements (Naïve)
• Backdoors commonly select from a series of actions using a single byte value.

[Figure: see the figure with better resolution in the book PDF, p. 157.]

• Without the graph view, a switch compiled this way is difficult to identify: it looks like a group of if statements.
• Series of conditions:
  • fine if there are only a few cases
  • slow if there are many cases
Jump Table (optimizer)

• The optimizer may compile a switch into a jump table: the branch target is looked up from a table of addresses instead of testing each case in turn.
• In the figure, edx holds the case value; it is multiplied by 4 and added to the base of the jump table at 0x401088, and the address read from that entry is the jump target.
• The multiplier is 4 because each table entry is an address 4 bytes in size (32-bit).
• A compare and conditional jump placed before the lookup keeps the index within the table; a value outside the range goes to the default case rather than reading past the end of the table.
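The `edx*4 + 0x401088` lookup is the same thing an analyst has to do by hand once the table is found: bounds-check the index, read the 4-byte entry at base + index*4, and jump there. The following is an added example written for this page, not code from the original slides or the book; the base address 0x401088 is the one quoted above, while the table contents, the handler addresses and the default target are constructed for the example. The same `base + index*4` addressing is what the Arrays slide below shows for 4-byte array elements.

```python
import struct

# Constructed jump table written for this example (not the deck's figure). The base
# address 0x401088 is the one quoted on the slide; the handler addresses, the default
# target and the table contents are made up. Entries are 4-byte little-endian
# pointers, which is why the emitted code scales the index by 4.
ENTRY_SIZE = 4
JUMP_TABLE_BASE = 0x401088
CASE_HANDLERS = [0x4010A0, 0x4010C0, 0x4010A0, 0x4010E0]   # cases 0..3; 0 and 2 share code
JUMP_TABLE_BYTES = b"".join(struct.pack("<I", h) for h in CASE_HANDLERS)
DEFAULT_TARGET = 0x401100                                  # where the `ja` sends bad indices

def entry_address(index, base=JUMP_TABLE_BASE):
    """Address the CPU reads: base + edx*4."""
    return base + index * ENTRY_SIZE

def resolve_case(index, table=JUMP_TABLE_BYTES, base=JUMP_TABLE_BASE, default=DEFAULT_TARGET):
    """Software mirror of the compiled dispatch:
         cmp  edx, N-1
         ja   default          ; unsigned compare: negative values are out of range too
         jmp  ds:base[edx*4]
    Returns the branch target taken for `index`."""
    n_entries = len(table) // ENTRY_SIZE
    if not 0 <= index < n_entries:      # the bounds check that precedes the lookup
        return default
    offset = entry_address(index, base) - base
    (target,) = struct.unpack_from("<I", table, offset)
    return target

def enumerate_cases(table=JUMP_TABLE_BYTES, base=JUMP_TABLE_BASE):
    """What to do once the table is found: walk every entry and group case numbers
    by handler, so each distinct branch of the switch is visited once."""
    handlers = {}
    for i in range(len(table) // ENTRY_SIZE):
        handlers.setdefault(resolve_case(i, table, base), []).append(i)
    return handlers

if __name__ == "__main__":
    for case in range(-1, 5):
        print(case, hex(resolve_case(case)))
    print({hex(h): cases for h, cases in enumerate_cases().items()})
```

Two practical points follow from this. The number of entries is given by the `cmp` before the `ja`, not by anything in the table itself, so always read that compare first; and several case values often map to the same handler (cases 0 and 2 above), so grouping by handler address is what turns a table of N entries into the smaller set of distinct actions a backdoor actually supports.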
Arrays
• Malware sometimes uses an array of pointers to strings of hostnames.

[Figure: disassembly of a loop that fills two arrays. The loop counter i is initialized, then 1 is added to i on each iteration.]

• var_14 is the base of array a
• dword_40A0000 is the base of array b
• ecx is used as the index
• the index is multiplied by 4 since each element is 4 bytes in size

Question: why do the bases for a and b look different?
