### Assembly

Course
Time
13 hours 15 minutes
Difficulty
Beginner
CEU/CPE
14

### Video Transcription

00:01
Hello. This is Dr Miller, and this is Episode 6.2 of Assembly.
00:09
Today we're going to talk about the stack,
00:12
so we have the stack.
00:13
So the stack is a region of ram pointed by a register called E S B. The extended stack pointer.
00:20
And then with the stack, we can push things onto in pop things off of the stack. So we'll have operations like push and pop.
00:28
And then the stack is a last in first out type of operation and type of usage,
00:36
and we also have the SS register. So it is pointing to where stack memory is, but you don't actually have to even know that in general.
00:43
And so examples are pushy a X push ebx pop ebx add TSP or subtract from E S p,
00:53
and then what do we use it for? Mostly, the stack is going to be used for function calls. We can also use it to store local variables, parameters and then for a function allows the context to be saved.
01:04
And then we also will use it for a temporary space.
01:08
So here's some example. Operations so we can have push X.
01:14
Where will we take the S p and we subtract. The way that memory will be drawn is we draw the low memory addresses on up
01:23
and will draw it like a a set of plates where the top thing goes on the top. When we say push or when we say pop, it'll come out from the top.
01:32
But technically it subtracts four from the E S P register,
01:36
and then it will copy the data pointed to by E S P. So it'll copy that data onto the top of the stack,
01:42
and then X is either a register or an immediate value or, ah, hard coded value.
01:47
And then pop will add for TSP and then save whatever is on top of the stack into the register that's given. So they'll be a registered there we given here.
01:57
So here's an example. So we have our original stack, so it has some stuff on it we don't really know or care what that is.
02:02
And then we move in, just registers some values. So 10 goes into yea X 20 goes into BB X 30 goes into ccx
02:09
and then we're gonna execute this instruction here. So we're going to push Yea x on top of the stack so e X has a value of 10. So that's now going to go on top of the stack
02:20
so we can see the top of the stack points to the number 10 and we can we have all the original stuff.
02:24
So now we're gonna push e c x e c x has a value of 30
02:30
so we can see that that now goes on top of the stack,
02:34
the next instruction push ebx. So now EBX is gonna go on top of our stack
02:39
so you can see it copied the value of 20 on top of the stack.
02:43
And so push added things onto the stack and then pop is gonna take stuff off. So we say Poppy, a X
02:50
now e X should get whatever is pointed to at the top of the stack. So it had 10 and now it should have
02:55
20 minutes. Now Ta X is 20. That thing is removed from the stack. So now we still have 30 and 10 on top of our stack,
03:04
and now we're going to say pop E c X so we'll take that off of the top of the stack.
03:08
So now you exit still 20 but CCX gets the value that was on the stack, which was 30. And now Easy X again is 30. It had 30 before,
03:17
so that's an example.
03:21
Additionally, we have the operations like call we can call a function name. So what call does is it pushes the address of the next instruction onto the stack
03:30
and then a cop. Easy, I p, to that new function, location or address.
03:36
And then the reverse of that is the return. The return is going to allow us to exit a function
03:42
so your return from a function.
03:44
So what that does is it pops off the return address from the stack and then moves I p e i p to that new address.
03:51
So we end up always having a call to a function, and then inside the function when it's done, will have a return. And so that's how we can write a program with functions. Now you've done this in class. We have called a lot of different functions. So, for example, call read into call print end culprit, NL.
04:08
All of those we are calling a function and then we assume that it's going to resume
04:13
from the location that we were at before.
04:17
We also have the ability to allocate space using, add and subtract.
04:23
So, for example, we can say sub E S p x, and that will subtract X bytes from E S. P. So, typically, when you enter a function, you're going to do a subtract on E S p to allocate some temporary space that we can use for local variables or buffers.
04:38
And then at the end of the function, we can add back E S P so well typically add and subtract the same number of bytes.
04:46
And so this will analogue eight that space. And we'll do that right before we leave a function.
04:50
And then if you ever go through and you are reverse engineering some code, you might see that when a function enters, it might do something like A and E S p, and then you got a bunch of efs and a zero,
05:01
and this is because it is trying to make sure that yes, p is on an even boundary. And this is a security protection that some operating systems and some compilers implement to make it harder to attack these type of systems.
05:16
And then we have a couple of special operations, like Push 80 and pop 80.
05:20
And so push i d is going to push all of the registers onto the stack, but it pushes them in kind of a weird order. Right, so cozy A x e c x e x e b x
05:30
The value of vsp Before we did the push a d e v p e s i e d i
05:38
and then the pop a d is going to do them completely in reverse order And then the original E s P is going to get restored other ESPN before the
05:46
the pop operation occurred.
05:50
So today we talked about the stack.
05:54
So here's our quiz.
05:56
So what is the following code? Do
05:59
go ahead and think about that. Pause a lecture, See if you understand what you think it does.
06:06
All right. So we had our original stack. We pushed on E X and then pushed on ebx.
06:12
So yea X had the number 33. Ebx had the number 13 so when we got at 13 is on top of the stack.
06:18
Here's another question.
06:21
So at the end, what is any X and what is an EBX?
06:30
All right, So yea X has 12 and EBI excess toe right. They got both got pushed on there,
06:34
right? So Well, sorry. We push TX on there and then we popped ebx off writes ebx got the value that was copied on top of the stack.
06:44
So now EBX has the same value A ZX.
06:47
So looking forward, we're going to talk about using the stack.
06:51
And if you have questions, you can contact me at Miller MJ at you and Kate. I e d u. And you can find me on Twitter at no house 30.

### Assembly

This course will provide background and information related to programming in assembly. Assembly is the lowest level programming language which is useful in reverse engineering and malware analysis.

### Instructed By

Matthew Miller
Assistant Professor at the University of Nebraska at Kearney
Instructor