6 private links
xxd|sed 's#^.*: ##;s#  .*$##;s# ##g;s#..#& #g'|tr -d '\n'
A big doc about how asm instructions are decoded
7 bytes
0000000: 6641 2521 2173 21 fA%!!s!
As 32 bit
00000000 6641 inc cx
00000002 2521217321 and eax,0x21732121
As 64 bit
00000000 6641252121 and ax,0x2121
00000005 7321 jnc 0x28
and clears the carry flag, so the 64-bit version always jumps. In 64-bit mode the 66 41 is the operand-size override followed by REX.B, so the operand size of the and comes out as 16 bit. In 32-bit mode 66 41 is a complete instruction (inc cx), so the and has no prefix and a 32-bit operand size. This changes the number of immediate bytes consumed by the and, leaving two bytes (73 21) of instruction that are executed only in 64-bit mode.
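As an added illustration (not part of the linked write-up), a toy Python decoder covering only the opcodes in these 7 bytes: it shows how 0x66 and 0x41 are interpreted in each mode and how that changes the immediate width of the and, which is why a disassembler run at the wrong bitness hides the jnc.

```python
# Added example: a toy decoder for only the opcodes in the 7-byte puzzle above.
# It is not a general x86 disassembler; it exists to show how 0x66 and 0x41 are
# interpreted in each mode and how that changes the immediate width of the AND.
REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
ACC = {16: "ax", 32: "eax", 64: "rax"}

def decode(code: bytes, bits: int):
    """Decode `code` as 32- or 64-bit x86. Returns (offset, length, text) tuples."""
    out, pos = [], 0
    while pos < len(code):
        start, opsize, rex = pos, 32, 0
        # Legacy prefix 0x66 switches the default 32-bit operand size to 16 bit.
        while code[pos] == 0x66:
            opsize, pos = 16, pos + 1
        # 0x40-0x4F is a REX prefix only in 64-bit mode; REX.W (bit 3) selects
        # 64-bit operands. In 32-bit mode the same byte is a one-byte inc/dec.
        if bits == 64 and 0x40 <= code[pos] <= 0x4F:
            rex, pos = code[pos], pos + 1
            if rex & 0x08:
                opsize = 64
        op, pos = code[pos], pos + 1
        if 0x40 <= op <= 0x47:          # inc r16/r32 (only reachable in 32-bit mode)
            text = f"inc {'e' if opsize == 32 else ''}{REG16[op - 0x40]}"
        elif op == 0x25:                # and eAX, imm: imm16 when opsize is 16, else imm32
            width = 2 if opsize == 16 else 4
            imm = int.from_bytes(code[pos:pos + width], "little")
            pos += width
            text = f"and {ACC[opsize]},0x{imm:x}"
        elif op == 0x73:                # jnc rel8, relative to the end of the instruction
            rel = int.from_bytes(code[pos:pos + 1], "little", signed=True)
            pos += 1
            text = f"jnc 0x{pos + rel:x}"
        else:
            raise NotImplementedError(f"opcode {op:#04x} at offset {start:#x} not modelled")
        out.append((start, pos - start, text))
    return out

PUZZLE = bytes.fromhex("66412521217321")  # the 7 bytes from the xxd dump above

if __name__ == "__main__":
    for bits in (32, 64):
        print(f"As {bits} bit")
        for off, length, text in decode(PUZZLE, bits):
            print(f"{off:08x} {PUZZLE[off:off + length].hex()} {text}")
```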
An array of all x86/x86_64 instructions, very useful
While reading some disassembly, we came across a weird-looking instruction that was present in most everything we gave objdump.
f3 c3 repz ret
When starting out as a reverse engineer or malware analyst, it is often tempting to trust your disassembler to correctly resolve the various bytes into code or data. However, to become an expert, it is important to gain as much insight as possible into the Instruction Set Architecture (ISA) of the chip you are working with. This opens many new possibilities: polymorphic code becomes easier to handle, and you become able to use some custom disassembly techniques in your own rootkits or understand these techniques when used by others.
This article’s aim is to explain how a modern operating system makes it possible to use shared libraries with load-time relocation. It focuses on the Linux OS running on 32-bit x86, but the general principles apply to other OSes and CPUs as well.
Each code module in your shared library should define the GOT as an external symbol:
extern _GLOBAL_OFFSET_TABLE_ ; in ELF
extern __GLOBAL_OFFSET_TABLE_ ; in BSD a.out
At the beginning of any function in your shared library which plans to access your data or BSS sections, you must first calculate the address of the GOT. This is typically done by writing the function in this form:
func:   push    ebp
        mov     ebp,esp
        push    ebx
        call    .get_GOT
.get_GOT:
        pop     ebx
        add     ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc

        ; the function body comes here

        mov     ebx,[ebp-4]
        mov     esp,ebp
        pop     ebp
        ret