Architecture 1001: x86-64 Assembly 汇编

编程语言心法参考：http://www.yinwang.org/blog-cn/2017/07/06/master-pl
英语阅读速成：http://www.yinwang.org/blog-cn/2018/11/23/grammar

前置条件

必须熟悉 C 编程。
https://www.learn-c.org/
https://www.edx.org/certificates/professional-certificate/dartmouth-imtx-c-programming-with-linux

这门课程是漏洞利用、逆向工程、恶意软件分析和系统安全的基础性课程

You Must Complete This Before You Start This Class...您必须在开始本课程之前完成此项工作...

Before You Start This Class... (1 Question) 在你开始这门课程之前...

您需要创建一个 Windows VM 来进行练习：Windows 10 Pro
https://apps.p.ost2.fyi/learning/course/course-v1:OpenSecurityTraining2+Lab_Setup_x86-64_Windows+2021_v1/home
https://www.youtube.com/watch?v=zgPMGFT-rsc
ISO:https://msdn.itellyou.cn/
Consumer Editions即消费者版：包含 Professional（专业版）
VMware+Workstation+Pro现在免费供个人使用
https://support.broadcom.com/group/ecx/productdownloads?subfamily=VMware+Workstation+Pro

您需要将 Visual Studio 安装到 Windows VM 中。
https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+Dbg1001_VS_IDE+2021_v1/about

然后从以下位置下载源代码：
https://gitlab.com/opensecuritytraining/arch1001_x86-64_asm_code_for_class

解压缩它，将其移动到您的桌面，然后打开 Visual Studio 解决方案文件 (Arch1001_x86-64_asm.sln)。

您应该会看到类似下面的消息，因为它是从互联网上下载的。取消选中“询问我每个项目”框，然后单击“确定”。

可选：下载课程幻灯片
https://gitlab.com/opensecuritytraining/arch1001_x86-64_asm_slides_and_subtitles

FAQ: How can I submit corrections to video subtitles? 如何提交视频字幕修正

Introduction

Why learn assembly at all? (1 Question) 为什么要学习汇编

About this class (1 Question)

最初是 16 位架构，后来发展为 32 位和 64 位，但保持了向后兼容性。硬件实际上以 16 位启动，然后软件将其转换为 32 位或 64 位操作。

英特尔最初想在转向 64 位时摆脱 x86 的束缚。这就是 IA64（英特尔架构 64 位），又名 Itanium。然而，AMD 决定自己将 x86 扩展为 64 位，从而产生了 AMD64 架构。当 Itanium 的采用速度非常缓慢时，英特尔决定咬紧牙关，从 AMD 获得 64 位扩展许可。
在英特尔手册中，您会看到 64 位扩展被称为 IA32e 或 EMT64 或 Intel 64（但永远不会是 IA64。再次强调，那是 Itanium，一种完全不同的架构，烂尾了）。

你可能会会在其他地方看见 amd64 或 x64，在这里称为x86-64

在本课程结束时，您应该……
了解 x86-64 通用寄存器及其 32 位和 16 位子寄存器名称
了解数据（如局部变量或返回地址）如何存储在堆栈中
了解函数调用约定
能够在 IDE（如 Visual Studio）中轻松编写 C 代码，并阅读和逐步执行反汇编（以便您可以找到新指令）
能够很好地阅读汇编代码，以确定影响不透明二进制控制流的预期输入（臭名昭著的“二进制炸弹实验室”）

你不需要学几百个指令，相反，只需要关注二十个左右的高频指令
统计结构：用于分类和分析的指纹识别恶意软件，指出仅 14 条汇编指令就占了代码的 90%
http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Bilar.pdf

Optional Refresher: binary to hex to decimal 可选复习：二进制到十六进制到十进制

用计算器搞定即可

Optional Refresher: two's complement negative numbers 可选复习：二进制补码负数

负值表示为其正值的“二进制补码”。二进制补码的计算方法是翻转所有位，然后加 1。

Optional Refresher: C data type sizes 可选复习：C 数据类型大小

char short int/long double/long long;8 16 32 64

Background: Endianess (1 Question) 背景：字节顺序

x86-64 内存是小端序（不适用于寄存器，寄存器是大端）；网络字节序是大端序
字节顺序仅适用于字节，不适用于比特

8字节试图：会体现为“大端”视角，在视角上与寄存器一致

手册：https://ost2images.s3.amazonaws.com/PDFs/325462-sdm-vol-1-2abcd-3abcd.pdf

Computer Registers

Memory hierarchy (1 Question) 内存层次结构

x86-64 general purpose registers x86-64 通用寄存器

16个通用寄存器

从8到64位的演进中又引入了新的命名，RAX又叫R0（R0-R15）

https://ost2images.s3.amazonaws.com/Arch101_x86-64_Asm/CheatSheet_x86-64_Registers.pdf

Intel recommended register conventions 英特尔推荐的寄存器约定

https://learn.microsoft.com/en-us/cpp/build/x64-software-conventions?view=msvc-160

这些是英特尔对编译器开发人员(和汇编程序手程序员)的建议。寄存器不一定要这样使用，但如果你看到它们这样使用，你就会明白为什么。

手册：3.4.1 General-Purpose Registers
RAX-存储函数返回值
RBX-数据部分的基本指针
RCX-用于字符串和循环操作的计数器
RDX-I/0指针
RSI-用于字符串操作的源索引指针
RDI-用于字符串操作的目标索引指针
RSP-堆栈(顶部)指针 RBP-堆栈帧基准指针
RIP-指向要执行的下一个指令("指令指针")

Your First Instruction: No-Operation (nop)

Overview (1 Question)
New Instructions: push & pop (1 Question)
RoX0r Arcade: The RSP Game (4 Questions)
Calling Functions
CallASubroutine1.c: New Instructions: CALL, RET, MOV, ADD, SUB (3 Questions)
RoX0r Arcade: DarkMathemagic: MOV, ADD, SUB (2 Questions)
Local Variables
SingleLocalVariable.c (2 Questions)
Mystery Listery 3 Solved! (4 Questions)
ArrayLocalVariable.c, New Instructions: imul, movsx, movzx (2 Questions)
StructLocalVariable.c (3 Questions)
RoX0r Arcade: DarkMathemagic: MOVZX, MOVSX (2 Questions)
Function Parameter Passing
Pass1Parameter.c (2 Questions)
TooManyParameters.c (2 Questions)
Mystery Listery 2 Solved! (1 Question)
64-bit Calling Conventions (1 Question)
32-bit Calling Conventions (2 Questions)
Mystery Listery 1 Solved! (1 Question)
SpecialMaths.c, New instructions: lea (2 Questions)
RoX0r Arcade: DarkMathemagic: LEA (1 Question)
Control Flow
GotoExample.c, New instructions: jmp (2 Questions)
IfExample.c, New instructions, "jcc", cmp (2 Questions)
IfExample2.c (1 Question)
SwitchExample.c (1 Question)
RoX0r Arcade: 1 step forward, 3 steps back: Jumps! (3 Questions)
Boolean Logic
Refresher: Boolean logic
BooleanBecause.c, New instructions: and, or, not, xor (2 Questions)
ForLoopNoRet.c, New instructions: inc, dec (2 Questions)
BitmaskExample.c, New instructions: test (2 Questions)
RoX0r Arcade: DarkMathemagic: AND, OR, XOR, NOT, INC, DEC (2 Questions)
RoX0r Arcade: 1 step forward, 3 steps back: Jumps w/ TEST (1 Question)
Bit Shifting
ShiftExample1.c, New instructions: shl, shr (2 Questions)
ShiftExample2Unsigned.c (1 Question)
ShiftExample3Signed.c, New instructions: cdq, sar (2 Questions)
RoX0r Arcade: DarkMathemagic: Shifty Time Today! (1 Question)
Multiply and Divide
MulDivExample.c, New instructions: div, idiv (2 Questions)
RoX0r Arcade: DarkMathemagic: Multiply and Divide (3 Questions)
CISC Delight: REPeatable Instructions
ArrayLocalVariable2.c, New instructions: rep stos (2 Questions)
ThereWillBe0xb100d.c (3 Questions)
JourneyToTheCenterOfMemcpy.c: New instructions: rep movs (3 Questions)
RoX0r Arcade: DarkMathemagic: BOSS LEVEL!!! (1 Question)
Choose Your Own Adventure!
Pick A Path... (1 Question)
Windows Binary Debugging, Incomplete section
Windbg tutorial
Looking at all those examples on Linux!
Before you begin...
Intel vs. AT&T assembly syntax
CallAFunction1.c
SingleLocalVariable.c
ArrayLocalVariable.c
StructLocalVariable.c
Pass1Parameter.c
TooManyParameters.c
SpecialMaths.c
GotoExample.c
IfExample.c
IfExample2.c
SwitchExample.c
BooleanBecause.c
ForLoopNoRet.c
BitmaskExample.c
ShiftExample1.c
ShiftExample2Unsigned.c
ShiftExample3Signed.c
MulDivExample.c
ArrayLocalVariable2.c
ThereWillBe0xb100d.c
JourneyToTheCenterOfMemcpy.c
RoX0r Arcade: DarkMathemagic: BOSS LEVEL!!!

Learning to Fish: Read The F*n Intel Manual!

Instructions (2 Questions)
Learning to Fish: Writing Inline Assembly
Learn to fish: Writing Inline Assembly
Visual Studio Inline Assembly
GCC Inline Assembly
The Most Important Assembly Exercise You'll Ever Do: Binary Bomb Lab
Bomb Lab Intro (1 Question)
Option 1: Do the Bomb Lab in GDB
Option 2: Do the Bomb Lab in WinDbg
Option 3: Do the Bomb Lab in Ghidra (with WinDbg or GDB)
Bomb Lab Recommendations (1 Question)
(Optional) Basic Buffer Overflow Lab
(Optional) Basic Buffer Overflow Lab
Conclusion
Conclusion (1 Question)
End of Class Survey (Please Fill This Out!)
End of Class Survey (Please Fill This Out!)
Special Thanks Section!
Special Thanks Section!