Assembly

Course
Time
13 hours 15 minutes
Difficulty
Beginner
CEU/CPE
14

Video Transcription

00:01
Hello. This is Dr Miller, and this is Episode seven of Assembly.
00:06
Today we're going to talk about calling conventions
00:10
calling conventions.
00:11
So calling conventions are the assumption that the software makes about how a collar and a collie work.
00:18
So a collar is a function is going to call some function. Akali is the function that is being called and entered.
00:25
And so we have several different calling mentions that you will need to be aware of.
00:29
We have C Dekel standard call this call
00:33
and the different versions of fast calls. So 32 bit fast call in 64 bit fast call
00:40
32 big conventions.
00:42
So the C declaration is the sea calling conventions. This was created by the people who created UNIX, and so they made a way of declaring function calls
00:56
that the function that calls the Cali
01:02
that the caller function will clean up the stack. So this is faster than standard call.
01:07
And then parameters are pushed on the stack, as we've done in right toe left order.
01:11
So, for example, at the end of the function,
01:15
if you see a pop of EVP and then a return, then this is probably Ah, see Dekel call.
01:23
So here's an example. So we have this procedure called 4019 a four services out of reverse engineering.
01:30
We can see that we pushed on two parameters, and then we just popped those off into E. C X.
01:34
And then, as we're going to the function, we'll see our our entries of pushy BP movie B P E S p.
01:41
You see a poppy BP and then a return. And so we don't see any additional return on their
01:48
now standard call. The Cali cleans up the stack, and this is going to be easier to use except for when you have variable arguments. So an a easy example to think about for variable arguments is the printout function.
02:00
So print after you can give it one argument. 23456 as many as you want, as long as you have four matters in there.
02:08
And so in that case, it's very difficult for it to clean up the stack and an appropriate way.
02:15
And then in ST Standard call, we have registers like yea XTC X and E d X. Our caller saved, which means that if you care about the results of those registers of the contents and you're worried about them being blown away.
02:28
Then you need to save them.
02:30
And then the Cali has to save any other registers that it wouldn't modify.
02:35
And so this standard call is the default for C and C plus programming on Marcus Off Win 32 a p I.
02:42
So if you do any work with Windows 32 you might have to deal with the fact that
02:46
you're gonna have a different calling convention.
02:49
And so at the end, instead of just saying return, we would say red 12. And that would mean subtract 12 bytes off top of the stack.
02:58
So here, Now here's an example. So if you notice here, it says standard call. So the reverse engineering software can tell that this is a standard coal, and we see at the end we have returned n which mean end is how many bites are gonna pop off the stack.
03:14
So it does its prologue, does part of the epilogue and then does this return.
03:17
And so then you know that these bites aren't going to be saved on the stack in the end, and so you have to take that into account.
03:28
There's also this call, so in C plus Plus, we have this notion that there is a this variable.
03:34
So this points to the current object, and it has a set of attributes that are linked on the stack as well as functions that are linked onto the stack.
03:44
And so all of this is pointed to by the EEC X Register. So this register will point to those variables and those attributes. And then if you C E c X being used as a pointer in some notion that you're what you're probably looking at is C plus plus code.
04:00
And so here's an example.
04:01
So it thinks that this is a this call,
04:05
and when we get in here, we see that
04:08
and no place up here. E c X has a value set, but E. C X is getting moved into Yes, I and then that is being de referenced.
04:16
And so that means that this is a C plus plus function where the assumption is easy. X points to basically a function or a set of attributes, and so then that's being referenced, Right? So here it's moving some data into that location. But that was only initialized from EEC X, which wasn't set in the program.
04:36
And then you can see that it also might return right return four off the top of the stack, so that would be of this call.
04:46
And then we have fast calls. So part of the problem with the standard way that we pass parameters to functions is the fact that arguments have to be put on the stack and the stacks is a much slower
05:00
piece of memory, then registers. And so if you're only using maybe one or two registers instead of throwing them onto the stack and then doing your function and then popping them back off or subtracting from the stack, they just put them into registers.
05:15
And so, for the 32 bit Microsoft Fast Coal, it uses the registers of E, C X and E D X, and then the rest of the parameters of person with stack. So if you only have two arguments, then it's going to run faster because they'll be in registers is instead of on the stack
05:30
64 bit conventions.
05:33
So Microsoft has to find a 64 bit convention
05:36
and with 64 bit. We have instead of just e c X. We have RC X. So all of the easily replaced by our
05:44
and then there's additional registers that were beyond the normal ones.
05:47
And so we can use our age and are nine as our 1st 4 inner jer pointers. Or
05:54
or put imagers in that order
05:57
and then for floating point. So the XMM registers are the floating point registers that you can use in a program for doing floating point
06:06
arithmetic that came with some later architectures.
06:12
And so those 1st 40 through three are used for floating points,
06:17
and then the color also has to allocate 32 bytes of shadow space so we can save These registers are C X, already X R eight and are nine.
06:28
And then all of these registers are considered volatile, so the color has to save them,
06:33
and then the rest of them are non volatile. Macaulay has to save them,
06:38
and so these helped to make it so that function calls can run faster and not have to access the stack.
06:45
And with 64 bit, we end up with more registers so you can see that we have registers like are eight or nine or 10 all the way up to our 15.
06:54
And so these additional registers allow us to access mawr memory easier in 64 bit. And that's one of the reasons why 64 bit can be faster because it has more registers and the registers air faster than Ram.
07:10
And then we have so for arm, we have the system 5 64 bit A. B I or application binary interface. And this defines that. Registers like already IRC, um, are what the pointers can be put into. So it just has a different set of registers that we can use,
07:28
and then floating point registers zero through seven or eight of them can be used, right? And so that's the 64 bit,
07:36
um, application binary interface that could be used,
07:41
um,
07:42
with the A m d 64 bit
07:46
architecture.
07:48
So today we talked about some of the different calling conventions So standard. See, Dekel this and then a couple of different variants of fast coal
07:59
Looking forward, we're gonna look at local variables, so local variables are a place where we contemporary store data
08:05
inside of our functions, and we'll look at how we can save data there or
08:09
read data from local variables.
08:13
So which registers are used for the 1st 2 parameters on Microsoft? 32 bit fast Call
08:20
E C X and E D. X.
08:24
If you have questions, you can contact me at Miller MJ at you and Katie to you, and you can find me on Twitter at Milhouse 30.

Up Next

Assembly

This course will provide background and information related to programming in assembly. Assembly is the lowest level programming language which is useful in reverse engineering and malware analysis.

Instructed By

Instructor Profile Image
Matthew Miller
Assistant Professor at the University of Nebraska at Kearney
Instructor