PA5 Overview (for real this time) Lecture 15 lol, let’s not target Windows executables March 7, 2018 PA5 Overview “[PA5] is by far the most difficult assignment... you have to get almost everything right which makes it difficult to estimate how much progress you’re making...” “[PA5] was the most time intensive and the hardest of the assignments in both classes. There was (1) just a lot more stuff and (2) a lot more creativity required...” “[PA5] needs a lot to come together to get a basic program working.” Compiler Construction 2/31 Compiler Construction 3/31 Considerations for PA5 É Stack machine code generation É Without a sensible register allocator, we must make sure to use a fixed number of registers for everything. É Vtables É Object layout É Interfacing with external libraries Compiler Construction 4/31 x86-64 Cool Assembly CISC — Complex É É RISC — Reduced Instruction Set Instruction Set É Lots of Only 8 registers opportunities for É Fewer optimization optimizations É opportunities É Nightmarish É Reference compiler interfacing with has helpful external libraries debugging É Must use external capabilities tools (e.g., gdb É If you don’t like instead of the the reference reference compiler) compiler.... well, sorry Amazing CV É Easier to complete booster É Compiler Construction 5/31 Cool Assembly Compiler Construction 6/31 x86-64 Assembly X86/WIN32 REVERSE ENGINEERING CHEAT­SHEET Registers Instructions GENERAL PURPOSE 32­BIT REGISTERS ADD <dest>, <source> Adds <source> to <dest>. <dest> may be a register or memory. <source> may EAX Contains the return value of a function call. Be a register, memory or immediate value. ECX Used as a loop counter. "this" pointer in C++. CALL <loc> Call a function and return to the next instruction when finished. <proc> EBX General Purpose may be a relative offset from the current location, a register or memory addr. EDX General Purpose CMP <dest>, <source> Compare <source> with <dest>. Similar to SUB instruction but does not ESI Source index pointer Modify the <dest> operand with the result of the subtraction. EDI Destination index pointer DEC <dest> Subtract 1 from <dest>. <dest> may be a register or memory. ESP Stack pointer DIV <divisor> Divide the EDX:EAX registers (64‐bit combo) by <divisor>. <divisor> may be EBP Stack base pointer a register or memory. SEGMENT REGISTERS INC <dest> Add 1 to <dest>. <dest> may be a register or memory. CS Code segment JE <loc> Jump if Equal (ZF=1) to <loc>. SS Stack segment JG <loc> Jump if Greater (ZF=0 and SF=OF) to <loc>. DS Data segment JGE <loc> Jump if Greater or Equal (SF=OF) to <loc>. ES Extra data segment JLE <loc> Jump is Less or Equal (SF<>OF) to <loc>. FS Points to Thread Information Block (TIB) JMP <loc> Jump to <loc>. Unconditional. GS Extra data segment JNE <loc> Jump if Not Equal (ZF=0) to <loc>. MISC. REGISTERS JNZ <loc> Jump if Not Zero (ZF=0) to <loc>. EIP Instruction pointer JZ <loc> Jump if Zero (ZF=1) to <loc>. EFLAGS Processor status flags. LEA <dest>, <source> Load Effective Address. Gets a pointer to the memory expression <source> STATUS FLAGS and stores it in <dest>. ZF Zero: Operation resulted in Zero MOV <dest>, <source> Move data from <source> to <dest>. <source> may be an immediate value, CF Carry: source > destination in subtract register, or a memory address. Dest may be either a memory address or a SF Sign: Operation resulted in a negative # register. Both <source> and <dest> may not be memory addresses. OF Overflow: result too large for destination MUL <source> Multiply the EDX:EAX registers (64‐bit combo) by <source>. <source> may 16­BIT AND 8­BIT REGISTERS be a register or memory. The four primary general purpose registers (EAX, EBX, POP <dest> Take a 32‐bit value from the stack and store it in <dest>. ESP is incremented ECX and EDX) have 16 and 8 bit overlapping aliases. by 4. <dest> may be a register, including segment registers, or memory. EAX 32‐bit PUSH <value> Adds a 32‐bit value to the top of the stack. Decrements ESP by 4. <value> AX 16‐bit may be a register, segment register, memory or immediate value. AH AL 8‐bit ROL <dest>, <count> Bitwise Rotate Left the value in <dest> by <count> bits. <dest> may be a register or memory address. <count> may be immediate or CL register. ROR <dest>, <count> Bitwise Rotate Right the value in <dest> by <count> bits. <dest> may be a The Stack register or memory address. <count> may be immediate or CL register. Low Empty SHL <dest>, <count> Bitwise Shift Left the value in <dest> by <count> bits. Zero bits added to Addresses the least significant bits. <dest> may be reg. or mem. <count> is imm. or CL. Local Variables <‐ESP points here SHR <dest>, <count> Bitwise Shift Left the value in <dest> by <count> bits. Zero bits added to the least significant bits. <dest> may be reg. or mem. <count> is imm. or CL. ↑ EBP‐x SUB <dest>, <source> Subtract <source> from <dest>. <source> may be immediate, memory or a <‐EBP points here ↓ EBP+x Saved EBP register. <dest> may be memory or a register. (source = dest)‐>ZF=1, Return Pointer (source > dest)‐>CF=1, (source < dest)‐>CF=0 and ZF=0 Parameters TEST <dest>, <source> Performs a logical OR operation but does not modify the value in the <dest> Parent function's operand. (source = dest)‐>ZF=1, (source <> dest)‐>ZF=0. data XCHG <dest, <source> Exchange the contents of <source> and <dest>. Operands may be register High Grand‐parent or memory. Both operands may not be memory. Addresses function's data XOR <dest>, <source> Bitwise XOR the value in <source> with the value in <dest>, storing the result in <dest>. <dest> may be reg or mem and <source> may be reg, mem or imm. Assembly Language Terminology and Formulas Instruction listings contain at least a mnemonic, which Pointer to Raw Data Offset of section data within the executable file. is the operation to be performed. Many instructions Size of Raw Data Amount of section data within the executable file. will take operands. Instructions with multiple RVA Relative Virtual Address. Memory offset from the beginning of the executable. operands list the destination operand first and the Virtual Address (VA) Absolute Memory Address (RVA + Base). The PE Header fields named source operand second (<dest>, <source>). Assembler VirtualAddress actually contain Relative Virtual Addresses. directives may also be listed which appear similar to Virtual Size Amount of section data in memory. instructions. Base Address Offset in memory that the executable module is loaded. ASSEMBLER DIRECTIVES ImageBase Base Address requested in the PE header of a module. DB <byte> Define Byte. Reserves an explicit Module An PE formatted file loaded into memory. Typically EXE or DLL. byte of memory at the current Pointer A memory address location. Initialized to <byte> value. Entry Point The address of the first instruction to be executed when the module is loaded. DW <word> Define Word. 2‐Bytes Import DLL functions required for use by an executable module. DD <dword> Define DWord. 4‐Bytes Export Functions provided by a DLL which may be Imported by another module. OPERAND TYPES RVA‐>Raw Conversion Raw = (RVA ‐ SectionStartRVA) + (SectionStartRVA ‐ SectionStartPtrToRaw) Immediate A numeric operand, hard coded RVA‐>VA Conversion VA = RVA + BaseAddress Register A general purpose register VA‐>RVA Conversion RVA = VA ‐ BaseAddress Memory Memory address w/ brackets [ ] Raw‐>VA Conversion VA = (Raw ‐ SectionStartPtrToRaw) + (SectionStartRVA + ImageBase) Copyright © 2009 Nick Harbour www.rnicrosoft.net Compiler Construction 7/31 Stack Machines É A simple evaluation model É No variables or registers (aside from temporary storage) É A stack of values for intermediate results Compiler Construction 8/31 Example Stack Machine Program É Consider two instructions É push i place integer i on top of the stack É add pop two elements, add them and put the result back on the stack É A program to compute 7 + 5: push 7 push 5 add Compiler Construction 9/31 Stack Machine Example 5 7 7 ⊕ 12 stack ... ... ... ... push 7 push 5 add É Each instruction: É Takes its operands from the top of the stack É Removes those operands from the stack É Computes the required operation on them É Pushes the result on the stack Compiler Construction 10/31 Why Stack Machines? É Each operation takes operands from the same place and puts the results in the same place (i.e., fixed offsets from the top of the stack) É This means a uniform compilation scheme É To do an add, always get sp[0] and sp[1], add them, store result at sp[0] É And thus a simpler compiler É This is the easiest way to do PA5 É Register allocation is more complex! Compiler Construction 11/31 Why Stack Machines? É Location of the operands is implicit É Always on the top of the stack É No need to specify operands explicitly É You can load fixed temporary registers with operands from stack! É example discipline: load operand 1 by popping sp[0] to r4, load operand 2 by popping sp[1] to r5 É No need to specify result location É e.g., always put result in r6, then push r6 É Can represent instruction as add instead of add r1, r2 É Smaller program size (sometimes faster: why?) É Java Bytecode uses a stack evaluation model! É Dalvik uses register allocation Compiler Construction 12/31 É Idea: the top of the stack is accessed frequently É Keep an accumulator in a fixed register É Implement add as: É accumulator accumulator + top_of_stack É Only one memory operation! Remarks on Stack Machines É The add instruction performs 3 memory operations É Two reads and one write to the stack É How can we improve this? É Hint: fold from functional programming Compiler Construction 13/31 Remarks on Stack Machines É The add instruction performs 3 memory operations É Two reads and one write to the stack É How can we improve this? É Hint: fold from functional programming É Idea: the top of the stack is accessed frequently É Keep an accumulator in a fixed register É Implement add as: É accumulator accumulator + top_of_stack É Only one memory operation! Compiler Construction 13/31 Stack Machine with Accumulator From before:7 + 5 acc 7 5 12 ⊕ 7 7 stack ..