001– Introduction to assembly

In our early study, we learned that in reverse development, a very important link is static analysis. So we know that an executable file that an APP installs on a phone is essentially a binary file. Because the iPhone is essentially executing binary instructions. It’s executed by the CPU on the phone. So static analysis is based on analyzing binary. So today we’re going to start with something very basic.

The development of assembly language

Machine language

Machine instructions made up of zeros and ones.

  • Add: 0100, 0000
  • Reduction: 0100 1000
  • Multiply: 1111 0111 1110 0000
  • Except: 1111 0111 1111 0000

Assembly Language

Use mnemonics instead of machine language such as:

  • Plus: INC EAX through compiler 0100 0000
  • Minus: DEC EAX via compiler 0100 1000
  • Multiply: MUL EAX through the compiler 1111 0111 1110 0000
  • Except for: DIV EAX through the compiler 1111 0111 1111 0000

### High-level Programming Language

C++ Java OC Swift, closer to a natural human language such as C:

  • Plus: A+B through the compiler 0100 0000
  • Minus: A-b through the compiler 0100 1000
  • Multiply: A*B through the compiler 1111 0111 1110 0000
  • Except: A/B through the compiler 1111 0111 1111 0000

Our code on a terminal device looks like this:

  • Assembly language and machine language one – to – one correspondence, each machine instruction has a corresponding assembly instruction
  • Assembly language can be compiled into machine language, and machine language can be disassembled into assembly language
  • High-level languages can be compiled into assembly language machine language, but assembly language machine language is almost impossible to restore to high-level language

Assembly language features

  • It can directly access and control all kinds of hardware devices, such as memory and CPU, which can maximize the functions of hardware

  • The ability to have complete control over the generated binary code without the limitations of the compiler

  • The object code is short, occupies little memory and executes fast

  • Assembly instruction is a mnemonic of machine instruction, corresponding to machine instruction. Each CPU has its own machine instruction set, assembly instruction set, so assembly language is not portable

  • Knowledge points too much, developers need to understand the CPU and other hardware structure, is not easy to write, debugging, maintenance

  • Case insensitive, for example mov is the same as MOV

The use of assembly (what have I learned to do?)

  • Write drivers, operating systems (such as some key parts of the Linux kernel)
  • A program or snippet of code that requires high performance and can be mixed with a high-level language (inline assembly)
  • Software security
    • Virus analysis and control
    • Reverse, shell, unshell, crack, plug-in, avoid killing, encryption and decryption, vulnerability, hacker
  • The best starting point and most efficient way to understand the entire computer system
  • Lay the foundation for writing efficient code
  • Get to the bottom of the code
    • What is the nature of a function?
    • ++a ++ A ++ +a how does the bottom layer implement?
    • What does the compiler really do for us?
    • What are the key aspects of DEBUG and RELEASE modes that we missed
    • .

Let’s finish with 13

The lower the more simple! Real programmers need to know a very important language, assembly!

The types of assembly languages

  • At present, more assembly language is discussed

    • 8086 assembly (the 8086 processor is a 16-bit CPU)
    • Win32 compilation
    • Win64 assembly
    • ARM Assembly (Embedded, Mac, iOS)
    • .

  • We use ARM assembly in the iPhone, but it varies from device to device. The CPU architecture is different.

architecture equipment
armv6 IPhone, iPhone2, iPhone3G, first generation, second generation iPod Touch
armv7 iPhone3GS, iPhone4, iPhone4S,iPad, iPad2, iPad3(The New iPad), iPad mini, iPod Touch 3G, iPod Touch4
armv7s iPhone5, iPhone5C, iPad4(iPad with Retina Display)
arm64 IPhone5S, iPhoneX, iPad Air, iPad mini2

A few essential common sense tips

  • To learn assembly well, first of all, you need to understand the hardware structure such as CPU
  • APP/ program execution process

  • The most important hardware related is CPU/ memory
  • In assembly, most instructions are CPU – and memory-specific

The bus

  • Each CPU chip has a number of pins connected to a bus through which the CPU interacts with external devices
  • Bus: A collection of wires
  • Bus classification
    • The address bus
    • The data bus
    • Control bus

For example

  • The address bus
    • Its width determines the addressing power of the CPU
    • The address bus width of the 8086 is _20_, so the addressing capability is _1M_ (2^20).

  • The data bus
    • Its width determines the amount of data that the CPU can transmit at a time, that is, the speed at which it can transmit data
    • The data bus width of the 8086 is _16_, so a maximum of _2 bytes of data can be passed at a time
  • Control bus
    • Its width determines how much control the CPU can have over other devices

Do a little exercise

  • A CPU with 8KB addressing capacity has an address bus width of ____
  • The address bus width of 8080,8088,80286,80386 is 16,20,24,32, respectively. What are their addressing capabilities ____KB, ____MB,____MB,____GB?
  • The data bus width of 8080808 8808 6802 86803 86 8, respectively, 8, 16, 16, and 32. The data that can be transmitted at one time is :____B,____B,____B,____B,____B,
  • To read 1024 bytes of data from memory, the 8086 must read at least ____ times and the 80386 must read at least ____ times.

The answer

memory

  • The size of the memory address space is limited by the CPU address bus width. The address bus width of the 8086 is 20, and it can locate 2^20 different memory units (memory address range 0x00000 to 0xFFFFF), so the memory size of the 8086 is 1MB

  • 0x00000 to 0x9FFFF: Main memory. Can read but write

  • 0xA0000 to 0xBFFFF: Writes data to the video memory, which is output to the display by the video card. Can read but write

  • 0xC0000~0xFFFFF: Stores various hardware \ system information. read-only

## Barriers to base learning

Many people do not learn the base system, the reason is that they always rely on the decimal system to consider other bases, when the operation is always converted to the decimal system first, this learning method is wrong. Why do we have to convert to decimal? We convert simply because we are most familiar with decimal. Every base system is perfect, and the best way to learn base system is to forget about the decimal system and the conversion between bases!

### Base definition

  • Octal is made up of eight symbols :0, 1, 2, 3, 4, 5, 6, 7
  • The decimal system consists of 10 symbols :0, 1, 2, 3, 4, 5, 6, 7, 8, 9
  • The n-base system is made up of N symbols: carry one every N

##### do an exercise

  • 1 + 1 in the case of ____ is equal to 3, right?

The decimal system consists of 10 symbols: 0, 1, 3, 2, 8, A, B, E, S, 7

If you define the decimal system like this: 1 + 1 = 3! Just right!

What is the purpose of this? The traditional decimal notation is different from the custom decimal notation. So these 10 symbols if we don’t tell people about this symbol table, they can’t get our specific data! For encryption!

The decimal system consists of ten symbols, every ten into one, the symbol can be customized!!

### base operation

##### do an exercise

  • Octal operation

    • 2 + 3 = __, 2 * 3 = __,4 + 5 = __,4 * 5 = __.

    • 277 + 333 = __, 276 * 54 = __, 237-54 = __, 234/4 = __.

##### octal addition table

0 12 3 4 5 6 7 10 11 12 13 14 15 16 17 20 21 22 23 24 25 26 27... 1+1 = 2 1+2 = 3 2+2 = 4 1+3 = 4 2+3 = 5 3+3 = 6 1+4 = 6 3+4 = 7 4+4 = 10 1+5 = 6 2+5 = 10 4+5 = 11 5+5 = 5 12 1+6 = 7 2+6 = 10 3+6 = 11 4+6 = 12 5+6 = 13 6+6 = 14 1+7 = 10 2+7 = 11 3+7 = 12 4+7 = 14 6+7 = 15 7+7 = 16Copy the code

##### octal multiplication table

0 12 3 4 5 6 7 10 11 12 13 14 15 16 17 20 21 22 23 24 25 26 27... 1*1 = 11 *2 = 2 2*2 = 4 1*3 = 3 2*3 = 6 3*3 = 11 1*4 = 4 2*4 = 10 3*4 = 14 4*4 = 20 1*5 = 5 2*5 = 12 3*5 = 17 4*5 = 24 5*5 = 31 1*6 = 6 2*6 = 14 3*6 = 22 4*6 = 30 5*6 = 36 6*6 = 44 1*7 = 7 2*7 = 16 3*7 = 25 4*7 = 34 5*7 = 43 6*7 = 52 7*7 = 7  61Copy the code

##### Actual combat four operations

277 236 276 234 + 333-54 * 54/4 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --Copy the code

### short for binary

Binary: 1011 1011 111 00 Three binary groups: 101 110 111 100 octal: 5 6 7 4 Four binary groups: 1011 1011 1100 Hexadecimal: B B CCopy the code

Binary: write from 0 to 1111 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111 This binary is too cumbersome to use, change to a simpler symbol: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F that’s hexadecimal

A mathematical number that has no size limit and can be infinitely large. In computers, however, due to hardware constraints, data is limited in length (we call it data width), and any data exceeding the maximum width is discarded.

#import <UIKit/UIKit.h>
#import "AppDelegate.h"

int test(){
    int cTemp = 0x1FFFFFFFF;
    return cTemp;
}

int main(int argc, char * argv[]) {
    printf("%x\n",test());
    @autoreleasepool {
        return UIApplicationMain(argc, argv, nil.NSStringFromClass([AppDelegate class])); }}Copy the code

### The width of data commonly found in computers

  • Bit: a Bit is a binary Bit, 0 or 1
  • Byte: A Byte consists of eight bits (8 bits). The smallest unit of memory Byte.
  • Word: A Word consists of two bytes (16 bits), which are called high bytes and low bytes.
  • 2. A Doubleword consisting of two words (32 bits).

So the computer will store data and it will divide it into signed and unsigned numbers. So look at this picture to understand!

Unsigned number, direct conversion! Signed numbers: positive numbers: 0 1 2 3 4 5 6 7 Negative numbers: F E D B C A 9 8-1-2-3-4-5-6-7-8Copy the code

### custom base symbols ##### exercise

  • Now there are 10 base numbers: 2,9,1,7,6,5,4, 8,3, A enter 1 into 10 so: 123 + 234 = ____
Decimal: 0 1 2 3 4 5 6 7 8 9 Custom: 2 9 1 7 6 5 4 8 3 A 92 99 91 97 96 95 94 98 93 9A 12 19 11 17 16 15 14 18 13 1A 72 79 71 77 76 75 74 78 73 7A 62 69 61 67 66 65 64 68 63 6A 52 59 51 57 56 55 54 58 53 5A 42 49 41 47 46 45 44 48 43 4A 82 89 81 87 86 85 84 88 83 8A 32 39 31 37 36 35 34 38 33 3A 922Copy the code

So you can just convert to base 10 and look it up! But in other bases. We can’t convert, we have to learn to look up tables

  • Now there are 9 base numbers and the 9 symbols are: 2,9,1,7,6,5,4, 8
Decimal: 0 1 2 3 4 5 6 7 8 Custom: 2 91 76 5 4 8 3 92 99 91 97 96 95 94 98 93 12 19 11 17 16 15 14 18 13 72 79 71 77 76 75 74 78 73 62 69 61 67 66 65 64 68 63 52 59 51 57 56 55 54 58 53 42 49 41 47 46 45 44 48 43 82 89 81 87 86 85 84 88 83 32 39 31 37 36 35 34 38 33 922Copy the code

# # & CPU registers

The internal components are connected by a bus

The CPU has controllers, arithmetic units and registers. The function of register is the temporary storage of data.

CPU computing speed is very fast. For performance purposes, the CPU creates a small temporary storage area and copies data from the memory to this small temporary storage area before performing operations. We call this small temporary storage area a register.

For ARM64 cpus, a register beginning with an X indicates a 64-bit register, and a register beginning with a W indicates a 32-bit register. There are no 16 – and 8-bit registers available for access and use. The 32 bit register is the lower 32 bit part of the 64 bit register and does not exist independently.

  • For programmers, the most important parts of CPU are registers, which can be controlled by changing the contents of registers
  • The number and structure of registers are different for different cpus

#### Floating point and vector registers Because of the storage of floating point numbers and the special nature of their operations, floating point registers are provided in the CPU to handle floating point numbers

  • Floating point register 64-bit: D0-D31 32-bit: S0-S31

The current CPU support vector operation.(vector operation in the graphics processing related field is very much used) for the support vector calculation system also provides a number of vector registers.

  • Vector register 128 bits :V0-V31

Universal register

  • The general purpose register, also known as the data address register, is usually used for temporary storage, accumulation, counting, address storage and other functions of data calculation. The main purpose of these registers is to store operands in CPU instructions and use them as regular variables in the CPU.
  • ARM64 has 32 64-bit general-purpose registers X0 through X30, as well as XZR(Zero register). These general-purpose registers are sometimes used for specific purposes.
    • So w0 through W28 these are 32 bits. 64-bit cpus are 32-bit compatible. So you can use only the lower 32 bits of the 64-bit register.
    • For example, w0 is the lower 32 bits of x0!

Note: For those of you who have read the 8086 assembly, there is a special register segment register :CS,DS,SS,ES four registers to hold the base address of these segments, which belong to the Intel architecture CPU. Not in ARM

  • Typically, the CPU stores the data in memory into a general purpose register, and then performs operations on the data in the general purpose register
  • Suppose you have a chunk of red memory with a value of 3, and now you want to increase its value by 1 and store the result into blue memory

  • The CPU first places the value of the red memory space in register X0: MOV X0, red memory space

  • Then add register X0 to 1: add X0,1

  • Finally, assign the value to the memory space: mov blue memory space,X0

### PC register (Program Counter)

  • Is the instruction pointer register, which indicates the address of the instruction that the CPU is currently reading
  • In memory or on disk, instructions and data are indistinguishable as binary information
  • The CPU works by treating some information as instructions and some as data, assigning different meanings to the same information
    • For example, 1110 0000 0000 0011 0000 1000 1010 1010
    • Can be regarded as data 0xE003008AA
    • Can also be used as instruction mov x0, x8
  • On what basis does the CPU interpret information in memory as instructions?
    • The CPU treats the contents of the memory cell that the PC points to as instructions
    • If something in memory has been executed by the CPU, the memory location it resides in must have been pointed to by the PC

#### cache the ARM processor A11 on iPhoneX has a level 1 cache capacity of 64KB and level 2 cache capacity of 8M.

Before executing an instruction, the CPU reads the instruction from memory into the CPU and executes it. Registers run much faster than memory reads and writes, and the CPU integrates a cache storage area for performance. When a program is running, the code and data to be executed are copied to the cache (done by the operating system). The CPU reads the instructions from the cache to execute them.

Bl instruction

  • Where the CPU executes instructions from is determined by the contents of the PC, and we can control the CPU to execute the target instructions by changing the contents of the PC

  • ARM64 provides a MOV instruction (transfer instruction) that can be used to modify most register values, such as

    • Mov x0,#10, mov x1,#20

  • However, the MOV instruction cannot be used to set the value of a PC, and ARM64 does not provide such functionality

  • ARM64 provides additional instructions to modify PC values. These instructions are collectively called transfer instructions, the simplest of which are BL instructions

Bl instruction — practice

Now there are two pieces of code! Assuming the program executes A first, write down the order in which the instructions are executed. What is the value of the final register X0?

_A:
    mov x0,#0xa0
    mov x1,#0x00
    add x1, x0, #0x14
    mov x0,x1
    bl _B
    mov x0,#0x0
    ret

_B:
    add x0, x0, #0x10
    ret
Copy the code
  • Compilation overview:
    • A programming language that uses mnemonics in place of machine instructions
    • Assembly and machine instructions are one – to – one correspondence, get binary can disassemble
    • Because assembly corresponds to the CPU’s instruction set, assembly is not portable
  • Bus: A collection of wires
    • Address bus:
      • The width of the address bus determines the addressing capability
    • The data bus
      • The width of the data bus determines the throughput of CPU data
  • Into the system
    • Any base is composed of symbols of the corresponding number, and the symbols can be defined
    • 2\8\16 is a relatively perfect base for their relationship
      • The three base 2 bits are identified by an base 8
      • The four binary bits use a hexadecimal identifier
      • Two hexadecimal bits can identify a byte
    • Number of units
      • 1 k = 1024; 1024 k = 1 m; 1024M = 1G
    • Capacity of the unit
      • 1024 = 1 KB; 1024 KB = 1 MB; 1024MB = 1GB
      • B: Byte (byte) 1B = 8 bits
      • Bit: A binary bit
    • Width of data
      • Data in a computer will have a width, beyond which it will overflow
  • Register: The CPU creates a temporary storage area internally for performance purposes
    • Floating point vector register
    • Abnormal status register
    • General purpose registers: In addition to storing data, they are sometimes used for special purposes
      • ARM64 has 32 64-bit general purpose registers X0-X30 and XZR(zero register)
      • For 32-bit compatibility, ARM64 has w0-W28 \WZR 30 32-bit registers (FP and LR are not used for low address bit compatibility)
    • PC register: Pointer instruction register
      • The value in the PC register stores the address instructions that the CPU needs to execute next!
      • Changing the value of the PC changes the flow of the program

003- Status register

Inside the CPU, there is a special type of register (the number and structure may vary from processor to processor). This kind of register is called status register (CPSR) register in ARM. CPSR is different from other registers, which are used to store data. The whole register has one meaning. The CPSR register works bitwise, meaning that each bit has a special meaning and records specific information.

Note: the CPSR register is 32 bits

  • The lower 8 bits of the CPSR (including I, F, T, and M[4:0]) are called the control bits and cannot be modified by a program unless the CPU is running in privileged mode!
  • N, Z, C, and V are all conditional code flag bits. Their contents can be changed by the results of arithmetic or logical operations, and can determine whether an instruction is executed or not! Significant!

N indicates Negative

Bit 31 of the CPSR is N, the symbol flag bit. It records whether the result is negative after the relevant instruction is executed. If it’s negative N is equal to 1, if it’s non-negative N is equal to 0.

Note that in the ARM64 instruction set, some instructions that affect the status register, such as add, sub, or etc., are mostly operational instructions (perform logical or arithmetic operations).

Z (Zero)

The 30th bit of CPSR is the Z, 0 flag bit. It records whether the result is 0 after the relevant instruction is executed. If the result is 0, then Z = 1. If it’s not 0, then Z is equal to 0.

For the value of Z, we can see that Z marks whether the calculation result of the relevant instruction is 0. If it is 0, Z should record the positive information such as “yes”. In computers, 1 means logical truth, positive. So when the result is 0 Z = 1 means “the result is 0″. If the result is not 0, Z records the negative message” not 0″. In computers, 0 means logic false, means negation, so when the result is not 0, Z = 0 means “the result is not 0”.

C # # # (Carry)

Bit 29 of the CPSR is C, the carry flag bit. In general, unsigned numbers are performed. Addition operation: C=1 if the operation results in a carry (unsigned overflow), otherwise C=0. Subtraction operations (including CMP) : C=0 when a debit occurs (unsigned overflow), otherwise C=1.

For an unsigned number with bits N, the highest bit of the corresponding binary information, i.e., the n-1st bit, is its most significant bit, while the imaginary NTH bit is the higher bit relative to the most significant bit. As shown below:

We know that when two pieces of data are added, it is possible to produce a carry from the most significant bit to a higher one. For example, two 32-bit bits of data: 0xAAAAaAAA + 0xAAAAaAAA will produce a carry. Since the carry value cannot be stored in 32 bits, we simply say that the carry value is lost. In fact, the CPU does not discard the carry system, but records it in a special register. ARM uses C bits to record the carry value. For example, the following command

Mov w0, xaaaaaaaa # 0; The binary of 0xA is 1010 adds W0,w0,w0; After execution equals 1010 << 1 carry 1 (unsigned overflow) so C is marked with 1 adds W0,w0,w0; After execution equals 0101 << 1 carry 0 (unsigned without overflow) so C is marked with 0 adds W0,w0,w0; Repeat the above to add W0,w0,w0Copy the code

When two numbers are subtracted, it is possible to borrow higher. For another example, two 32-bit data: 0x00000000-0x000000FF will generate a debit. After the debit, it is equivalent to calculating 0x100000000-0x000000FF. I get the value 0xffffFF01. Since we borrowed one bit, the C bit is used to mark the borrowing. C = 0. For example:

mov w0,#0x0
subs w0,w0,#0xff ;
subs w0,w0,#0xff
subs w0,w0,#0xff
Copy the code

###V(Overflow) indicates Overflow

Bit 28 of the CPSR is V, the overflow flag bit. When a signed number operation is performed, if it exceeds the range that the machine can identify, it is called an overflow.

  • Positive + positive overflow for negative numbers
  • Negative + negative is positive overflow
  • Positive and negative numbers cannot overflow

Status (flag) register

  • ARM64cpsr register (32 bits) Bit status register
  • The highest bit (28, 29, 30, 31) is the flag bit
  • N flag (negative flag bit)
    • N = 1 is negative
    • N = 0 is non-negative
  • Z flag (0 flag bit)
    • Z = 1 is equal to 0
    • Z = 0 is not 0
  • C flag (unsigned overflow)
    • Addition: carry C = 1, otherwise C = 0
    • Subtraction: borrow C = 0, otherwise C = 1
  • V flag (signed number overflow)
    • Plus plus minus V is equal to 1
    • Negative plus negative is positive V is equal to 1