Assembly

Course
Time
13 hours 15 minutes
Difficulty
Beginner
CEU/CPE
14

Video Transcription

00:01
Hello. This is Dr Miller, and this is Episode 6.6 of Assembly.
00:06
Today we're gonna talk about the function epilogue, and then we'll give our full example into buggit.
00:12
So the function epilogue.
00:14
So this is what we do in order to restore the stack and registers to the old versions that they had. So this is what you do every time that you're going to exit a function.
00:23
So in this example, we're going to copy, Yes, p back to e BP because SP can be modified in the middle of our function.
00:31
Remember, EVP is our extended base pointer, so it points to the base.
00:36
And so it points to the old version of EVP. And so then we do a pop e v p.
00:42
And so this is going to restore the old version of E V P from a previous function that we were using.
00:48
And so now it is restored back to where it was.
00:51
And if you remember, the top of our stacks should have our return address on it.
00:58
So here's our example as we left last time.
01:00
All right, So we had pushed on these
01:03
hard coded values Beef, beef in Cafe Cafe onto the stack. And so those air on there we have our old are return address of where we're going to go back, and that's gonna be this function right here.
01:15
Then we have our old version of E B. P.
01:18
And so now we're going to
01:19
We've executed the body of our function, which this function just move zero in t a X
01:25
that's our were returned result. And then we're going to copy E v P in tsp, and so we should see no change there.
01:34
But now when we pop pbp So yes, pea points of the top of the stack Now e v p gets restored back to its old version
01:42
and then pop will logically remove that from there.
01:46
So now our return address should be on top of the stack. So when we do return, it's gonna copy that in T i p and then jump to that location.
01:55
And so, if you recall, we called dysfunction here. So the return of just should be the the address of this line of code right here.
02:04
So now we're at that line, and then when we do something like add yes, B eight, right? The two things that were on top of the stack that we had pushed on before are now logically removed. So we execute that on the top of our stack is how it was before we started our function.
02:20
So our function didn't change anything. Except as we noted in our body, it changed the X to the value of zero.
02:29
So here we're going to debug an example. And this is the example that is given right here
02:34
so we can see our example. So we'll go ahead and jump in and look at what that looks like.
02:44
So if we look at the code,
02:49
we can see that we have our pushes. We call our function, we correct our stack, and then this is the internals of our function.
03:00
So we'll go ahead and use DDB and we're gonna use Jeff on it.
03:04
So that's been installed by default.
03:08
So I go ahead and break in. Essam
03:14
underscore Main.
03:16
I'll start running
03:19
and so we'll see here on top of the stack. It really doesn't matter what this points to. You can tell that it says ESPN Eby Pierre pointing to the same thing. So we haven't CBP Base Tech.
03:30
And so we're gonna execute a few instructions to do things like push all of the registers and then we'll see our pushes here. So s I is step instruction.
03:38
If I hit enter, it will do the next instruction.
03:43
So here we can see we have our push. Beef, beef. So now that should go on top of the stack.
03:50
So now we can see that beef beef is on top of our stack. Now we're gonna push Cafe Cafe.
03:57
So now we can see that our stack should have Cafe cafe at the top, and then
04:00
beef beef is at plus four
04:05
and then it's showing that when we're going to call this function, So we're going to call our function. It has an address here. So it's got
04:13
this zero x
04:15
80484 cf. That's an R function,
04:19
but let's scroll back here.
04:23
So this is our function that is going to call the function.
04:27
So the return addresses the next instruction that should be executed after the call instruction.
04:31
So it's going to be this function right here.
04:35
So this address here 80 for eight
04:40
for C four should be the address that gets pushed onto the stack because that's the next instruction that we want to go and execute.
04:48
So I'll step.
04:53
So now we can see that 80484 C four is pushed onto the stack. So that's our return address that we're going to execute.
05:01
We can still see Cafe Cafe. We can still see beef beef.
05:05
Now we enter the prologue, which was discussed in the previous lecture. So we're gonna push the old value of E B. P.
05:12
So currently, e BP has thieve value of looks like four efs d three d eight. That is our current value of that. So that's going to get pushed onto the stack
05:24
so you can see the four efs d three. D eight is now on top of the stack.
05:29
And as you can see right now, yes, P is pointing to the top of the stack.
05:32
We'll go ahead and
05:34
set the base pointer to
05:38
be where yes p is.
05:41
So now we can see that the base pointer is correctly set to here, and we'll use that in future lectures. When we talk about
05:47
parameters and when we talk about arguments.
05:51
So now I'm in the body of my function, which is just to move, yea x 20 Go ahead and step that
05:58
now we're going to where? At the end of our function, we're ready to exit. So we copy Backe, BP, TSP. In this case, they are the same thing. But this is how the prologue is supposed to work.
06:10
All right, so now they're copied. So the the stack pointer is this is pointing. Told the old version, TV BP. So now this is going to get restored in TVP.
06:17
All right, we can see here that e v P
06:20
has a different value. It's a d 38
06:24
instead of D eight.
06:26
So now that should get restored back to the D eight
06:30
and the stack will take that off.
06:33
So now we can see that BP has d eight in it where it was before,
06:40
and then Yes, P is pointing to this return address, which is inside of our main.
06:45
And so now when we step, we're gonna go back into our main.
06:53
So now we've gone back into Maine, and we're at that instruction that we saw before. Add yes, p eight And so that's going to remove our cafe, cafe and beef beef that are on top of the stack
07:03
so those will get logically removed.
07:08
And so this is where our stack was before we started executing, right? So
07:13
it is respond restored back to what it was previously.
07:19
Then when you're done, you can hit, see for continue noodle running exit.
07:28
So that was our full example.
07:30
So today we talked about the epilogue and then we gave that full example and showed how to debug it, which we've done in the past.
07:38
Looking forward, we're going to start talking about function arguments and those air going to leverage CBP, which we talked about in this lecture and in the previous lecture
07:46
and so understanding how e. V p is set up in the prologue and epilogue is important to understanding arguments.
07:56
So the quiz, What is the epilogue consist of?
08:01
It consists of movie s P E, V, p. Poppy, BP, and then return.
08:09
If you have questions, you can contact me at Miller MJ at you and Keita et you and confined me on Twitter at Milhouse 30

Up Next

Assembly

This course will provide background and information related to programming in assembly. Assembly is the lowest level programming language which is useful in reverse engineering and malware analysis.

Instructed By

Instructor Profile Image
Matthew Miller
Assistant Professor at the University of Nebraska at Kearney
Instructor