I. x86 disassembly
 A. x86 architecture
------------------------------------------
          ARCHITECTURAL OVERVIEW

   +--------------------+     +---------+
   |      CPU           |     |         |
   | +----------------+ |     |         |
   | |  Registers     | |     |         |
   | +----^-----------+ |     |   RAM   |
   |      |             |     |         |
   |  +---v--+  +-----+ |     |         |
   |  | ALU  <-->Control<----->         |
   |  +---^--+  +-----+ |     |         |
   +------|-------------+     |         |
          |                   |         |
  +-------v--------------+    |         |
  |     I/O Devices      |    |         |
  |                      |    +---------+
  +----------------------+
------------------------------------------
        What does the RAM do?
        What does the ALU do?
        What does the control unit do?
  1. memory
   a. real mode memory addressing
------------------------------------------
       REAL MODE MEMORY ADDRESSING

For 16 bit 8086 and 8088 (from 1978!) also
80286 and above, for compatibility
   with older programs

Address is sum of:
     Segment address + offset

  FFFFFH +----------------+
         |                |
         |                |
         +----------------+
  1F000H |                |<-+ offset=F000
         +----------------+  |
         |   64K segment  |  |
         |                |  | Seg. Reg.
  10000H |                |<\| +---------+
         +----------------+  +-+   1000  |
         |                |    +---------+
         |                |
         |                |
         |                |
  00000H +----------------
------------------------------------------
        Why use this segment register + offset scheme?
------------------------------------------
        MEMORY LAYOUT FOR A PROCESS

Approximate, the sections may be
  - in different orders
  - not contiguous

high addresses
           +----------------------------+
           |       environment ptr      |
           |    cmd line arguments      |
      BP ->+----------------------------+
           |          stack             |
           |             |              |
           |             |              |
      SP ->|             v              |
           +----------------------------+
           |                            |
      SS ->|                            |
           +----------------------------+
           +----------------------------+
           |             ^              |
           |             |              |
           |             |              |
      ES ->|           heap             |
           +----------------------------+
           |                            |
           |       .data or .bss        |
      DS ->|                            |
           +----------------------------+
           |           .text            |
      CS ->|                            |
           +----------------------------+
low        |     shared libraries       |
addresses  +----------------------------+

------------------------------------------
        What's in the .text section?
   b. Protected mode addressing
------------------------------------------
          PROTECTED MODE ADDRESSING

80286 (16 bit, from 1982) and above

Doesn't use segment + offset to directly
  form address

Segment register contains a selector
   into a global descriptor table,
   the descriptor has a base address,
   address is base address + offset

So instructions are the same!
                              memory
                            +------------+ FFFFFF
                            |            |
                            |            |
                            |            |
                            |            |
             global         |            |
             descriptor     |            |
             table          |            |
             +-----------+  |            |
             |           |  |            |
             |           |  |            |
             |           |  |            |
             |           |  +------------+ 1000FF
    DS       +-----------+  |   data     |
  +-------+  |      ...  | />  segment   | 100000
  | 0008  |->|    100000 +- +------------+
  +-------+  |      00FF |  |            |
             +-----------+  |            |
             |           |  |            |
             +-----------+  +------------+ 000000
------------------------------------------
   c. virtual memory
------------------------------------------
           VIRTUAL MEMORY

80386 (32 bit, from 1985) and above

Program generates a "linear address"
Memory paging unit translates it to a
   "physical address"

------------------------------------------
   d. x64, flat memory addressing + virtual memory
------------------------------------------
             X64 ARCHITECTURE

64 bit architecture, introduced with the
  Intel Pentium 4 (2000)

linear addressing + virtual memory
 only sensible to use FS and GS 
                  segment registers

------------------------------------------
  2. instructions, opcodes, endianness
------------------------------------------
             ASSEMBLY INSTRUCTIONS

Intel assembler (NASM) conventions:

     mov    ecx,         0x42
     |      |            |
Mnemonic  destination    source

        B9               42 00 00 00
        |
     opcode              constant in bytes

Little-endian = least significant bytes first (left)

Big-endian = most significant bytes first (left)
------------------------------------------
        Which is Intel: big or little endian?
  3. operands
------------------------------------------
              TYPES OF OPERANDS

Immediate:

Register:

Memory address:


------------------------------------------
  4. registers
------------------------------------------
            REGISTERS

General:
  64 bit:  RAX,     RBX,     RCX,      RDX
  32 bit:  EAX,     EBX,     ECX,      EDX
  16 bit:   AX,     BX,      CX,        DX
   8 bit   AH & AL, BH & BL, CH & CL, DH & DL

64 bit mode also has registers r8-r15
  64 bit: r8
  32 bit: r8d
  16 bit: r8w
   8 bit: r8b

ECX is used as a

Source/Destination registers:
  64 bit:  RSI      RDI
  32 bit:  ESI      EDI
  16 bit    SI       DI

Stack-manipulation registers
  64 bit:  RBP      RSP
  32 bit:  EBP      ESP
  16 bit:   BP       SP

Flags:
  EFLAGS

Instruction Pointer:
  RIP (64 bit)
  EIP (32 bit)
   IP (16 bit)

------------------------------------------
------------------------------------------
     BACKWARDS COMPATIBILITY REGISTERS

                     +--------+---------+
                     |   AH   |   AL    |
                     |        |         |
                     +--------+---------+
                       8 bits    8 bits

                     +------------------+
                     |       AX         |
                     |                  |
                     +------------------+
                           16 bits

    +-----------------------------------+
    |             EAX                   |
    |                                   |
    +-----------------------------------+
                32 bits

+-//------------------------------------+
|                 RAX                   |
|                                       |
+-//------------------------------------+
              64 bits
------------------------------------------
------------------------------------------
            DATA TYPES AND BITS
                                    7   0
                                   +-----+
                          byte     |     |
                                   +-----+

                              15  8 7   0
                             +-----+-----+
                      word   | high| low |
                             | byte| byte|
                             +-----+-----+
                                N+1     N

                     31    16 15        0
                    +--------+-----------+
        doubleword  |        |           |
                    |        |           |
                    +--------+-----------+
                           N+2          N
  63              32 31                 0
 +------------------+--------------------+
 |      high        |       low          |
 |   doubleword     |     doubleword     |
 +------------------+--------------------+
                 N+4                    N
------------------------------------------
------------------------------------------
            SEGMENTATION

For protected mode (32 bit)in x86, 
 3 kinds of address:

 1. segmentation-based: segment + offset
 2. linear/virtual address (32/64 bit address)
 3. physical address (32/64 bit address

Segment registers (16 bit)
  CS ~ code
  SS ~ stack
  DS ~ data
  ES ~ extra
  FS ~ exception handling chain
  GS

Segmentation is disabled in 64 bit mode
  - uses flat 64 bit address space

------------------------------------------
        How much memory can be addressed with a 16 bit address?
        How much memory can be addressed with a 32 bit address?
------------------------------------------
            EFLAGS REGISTER

Bit    Name    Description
====================================
0      CF      Carry flag
2      PF      Parity flag
4      AF      Auxiliary carry flag
6      ZF      Zero flag
7      SF      Sign flag
8      TF      Trap flag
9      IF      Interrupt enable flag
10     DF      Direction flag
11     OF      Overflow flag
12-13  IOPL    I/O Privilege level
14     NT      Nested task flag
16     RF      Resume flag
17     VM      Virtual 8086 mode flag
18     AC      Alignment check flag (486+)
19     VIF     Virtual interrupt flag
20     VIP     Virtual interrupt pending flag
21     ID      ID flag

------------------------------------------
  5. instructions
   a. overview
------------------------------------------
            INSTRUCTION FORMAT

NASM syntax (Intel variant)

Instruction format

  LABEL: OPCODE destop [, sourceop]  [; comment]

Example:

  HERE: cmp ebx, BEEFh   ; does ebx have secret?
        push ebx
        push eax
        xor ebx, ebx     ; ebx == 0
        xor eax, eax     ; eax == 0

------------------------------------------
------------------------------------------
       ACCESSING MEMORY CONTENTS

  mov eax, 0xBEEF   ; eax gets

  mov eax, [0xBEEF] ; eax gets
------------------------------------------
------------------------------------------
       ACCESSING VIA REGISTERS

  mov eax, ebx   ; eax gets

  mov eax, [ebx] ; eax gets


------------------------------------------
   b. details
------------------------------------------
            GRAMMAR CONVENTIONS

  ::=      means "can be" or "produces"
  |        means "or"
  <x>      is the nonterminal named "x",
              a syntactic category
  other    literal characters
  [<x>]    is an optional <x>
  [<x>]... means 0 or more <x>s
  '['      is a left square bracket (char)
  ']'      is a right square bracket (char)

------------------------------------------
------------------------------------------
          MASM SYNTAX DETAILS

<instr> ::= [<label> :] <opcode> <args> [<comment>]
        | [<label> :] <pseudo-instr> [<comment>]
        | [<label> :] [<opcode-prefix>]... [<comment>]

<opcode> ::= [<opcode-prefix>] <opcode>
         | <letter>[<letter>]...
<opcode-prefix> ::= lock | rep | repe | repz
         | repne | repnz | xacquire | xrelease
         | bnd | nobnd | times <num-exp>
         | <seg-register>
<seg-register> ::= cs | ds | es | ss | fs |gs
<pseudo-instr> ::= <symbol> equ <exp>
         | <symbol> = <exp>

<size> ::= b | w | d | q | t | o | y | z

<args> ::=
          | <operand>
          | <operand>, <operand>
          | <operand>, <operand>, <operand>
<operand> ::= <prim-operand>
          | <effective-address>
          | <exp>
<prim-operand> ::= <number>
          | <register-name>

<exp> ::= <prim-operand>
          | ( <exp> ) | <exp> '[' <exp> ']'
          | <length-op> <exp>
          | <exp> . <exp>
          | <exp> : <exp> | ptr <exp>
          | <offset-op> <exp>
          | <part-op> <exp>
          | - <exp> | + <exp>
          | <exp> <mul-op> <exp>
          | <exp> + <exp> | <exp> - <exp>
          | <exp> <comp-op> <exp>
          | not <exp>
          | <exp> and <exp>
          | <exp> or <exp> | <exp> xor <exp>

<number> ::= <decimal-literal>
          | <hex-literal>
          | <binary-literal>
<length-op> ::= length | size | width | mask | lengthof | sizeof
<offset-op> ::= lroffset | offset | seg | this | type
<part-op> ::= high | highword | low | lowword
<mul-op> ::= * | / | mod | shl | shr
<comp-op> ::= eq | ne | lt | le | gt | ge


<bin-digit> ::= 0 | 1 | _
<binary-literal> ::= <bin-digits>y
          | <bin-digits>b
<bin-digits> ::= <bin-digit>[<bin-digit>]...

<dec-digit> ::= 0|1|2|3|4|5|6|7|8|9 | _
<decimal-digits> ::= <dec-digit>[<dec-digit>]...
<decimal-literal> ::= <decimal-digits>
          | <decimal-digits>t | <decimal-digits>d

<hex-digit> ::= <dec-digit>|A|B|C|D|E|F
<hex-digits> ::= <dec-digit>[<hex-digit>]...
<hex-literal> ::= <hex-number>h

<label> ::= <symbol>
<symbol> ::= <letter>[<label-char>]... 

<letter> ::= a|...|z|A|...|Z
<label-char> ::= <letter>|<dec-digit>|_|$|@|?

------------------------------------------
        Does the case of opcodes, size letters, and B and H matter?
        What is an effective address?
   c. AT&T Syntax
------------------------------------------
         INTEL VS. AT&T SYNTAX

We'll generally use Intel style syntax
   - found in NASM, MASM
   - available in gcc with the option
       -masm=intel
     as in
       gcc -S -masm=intel file.c

AT&T syntax used in gcc (for inlining)

Comparison:

  Intel (NASM)         AT&T (gas)
  ===================================
  push 4               pushl $4
  add eax, 4           addl $4, %eax
  mov al, byte foo     movb foo, %al
  call                 lcall
  jmp                  ljmp
  ret                  lret

  mov eax, byte[ebp-4] movb -4(%ebp), %eax
  mov ebx, \           movb foo(,%eax,4), \
      byte[foo+eax*4]       %ebx

General memory reference translation

 disp[base+idx*scale]  disp(base,idx,scale)
------------------------------------------
  6. simple instructions
------------------------------------------
         SIMPLE INSTRUCTIONS

mov - copies data

  mov eax, ebx
  mov eax, 0x42
  mov eax, [0x4037C4]
  mov eax, [ebx]
  mov eax, [ebx+esi*4]

xchg - swaps data

  xchg eax, ebx

lea - load effective address

  lea eax, [ebx+esi*4]

arithmetic

  sub eax, 0x10
  add eax, ebx
  inc edx
  dec ecx

multiplication and division
  use the edx and eax registers

  mul value
    multiplies eax by value,
      puts result into edx:eax

    +-----------------++----------------+
    |                 ||                |
    +-----------------++----------------+
            EDX              EAX
     most significant   least significant
        32 bits             32 bits

  div value
    divides the 64 bits in edx:eax
     by the value:
         EDX holds remainder
         EAX holds result

logical operations:

   xor eax, eax
   or eax, 0x7575
   and eax, ebx

shift operations

 logical:
   shl eax, 2
   shr ebx, 1
 arithmetic
   sal eax, 2
   sar ebx, 1
 rotation:
   rol ebx, 3
   ror eax, 2

No-operation

   nop

------------------------------------------
        What do the shifts do?
  7. stack
------------------------------------------
              THE STACK
high addresses
   EBP --> +--------------------------+
           |                          |
           |                          |
           |           |              |
           |           |              |
           |           v              |
           |                          |
           |                          |
           |                          |
           |                          |
   ESP --> |                          |
           +--------------------------+
low addresses

     push 0xC
     pop [eax+4]

------------------------------------------
        Does push increment or decrement ESP?
        Where does the top of the stack go when pop is executed?
        What happens if there is no space for the push?
  8. functions
------------------------------------------
           FUNCTION CALL AND RETURN

Using the ccdecl calling convention in x86

  CALLER                CALLEE
  ========================================
  push arg1
  ...
  push argn
  call fun  ; sets EIP to fun, saves AFTER

                       push dword [ebp] ; or enter
                       ; work of fun
                       pop ebp          ; or leave
                       ret  ; jump to AFTER

  AFTER: times n pop

------------------------------------------
------------------------------------------
            STACK FRAME IN X86

high address
        +--------------------------------+
        |          arg n                 |
        +--------------------------------+
        |           ...                  |
        +--------------------------------+
        |          arg 1                 |
        +--------------------------------+
        |          return address        |
        +================================+
  EBP ->|         old EBP                |
        +--------------------------------+
        |          local 1               |
        +--------------------------------+
        |            ...                 |
        +--------------------------------+
  ESP ->|          local M               |
        +--------------------------------+
low address

------------------------------------------
  9. conditionals
------------------------------------------
                CONDITIONALS

Performing comparisons

   test eax, ebx   ; like and but

   cmp eax, [ebx]  ; like sub but


   cmp dst, src       ZF      CF
   =============================
   dst == src         1       0
   dst < src          0       1
   dst > src          0       0

------------------------------------------
        Which flag do we care about after test?
        Which flag do we care about after test?
  10. branching
------------------------------------------
          BRANCHING INSTRUCTIONS

 OPCODE   MEANING
 =======================================
 jz loc   if ZF = 1, jump to loc 
 jnz loc  if ZF = 0, jump to loc 
 je loc   if ZF = 1, jump to loc, used after cmp
 jne loc  if ZF = 0, jump to loc, used after cmp 
 jg loc   if ZF=0 & CF = 0, jump, used after cmp
 jge loc  if CF != 1, jump, used after cmp
 jl loc   if ZF=0 & CF = 1, jump, used after cmp
 jle loc
 jo loc   if OF = 1, jump to loc
 js loc   if SF = 1, jump to loc
 jecxz loc if ECX=0, jump to loc
------------------------------------------
  11. rep instructions
------------------------------------------
           REP PREFIX INSTRUCTIONS

Manipulate data buffers 
   (i.e., strings = arrays of bytes)

  Used with registers:
    ESI (source index)
    EDI (destination index)
    ECX (count)

  PREFIX    MEANING
  ======================================
  REP       repeat until ECX == 0
  REPE      repeat until ECX==0 or ZF==0
  REPZ      repeat until ECX==0 or ZF==0
  REPNE     repeat until ECX==0 or ZF==1
  REPNZ     repeat until ECX==0 or ZF==1

Examples (MASM syntax),
   assuming EDI and ESI are buffer addresses,
     and ECX is length of both buffers:

   repe cmpsb ; compare until ECX == 0 or buffers differ

   rep stosb  ; puts AL's value into buffer 
              ; starting at EDI

   rep movsb  ; copies buffer of bytes

   repne scasb ; searches buffer for a byte

------------------------------------------
  12. C translation
   a. main function
------------------------------------------
            HMAIN.C FILE

#include <stdio.h>
extern long hailstone(long);
int main(int argc, char *argv[]) {
  long x = 1;
  long res = 0;
  if (argc != 1) {
    fprintf(stderr, "requires 1 argument");
    return 1;
  }

  sscanf(argv[1], "%li", &x);
  res = hailstone(x);
  printf("%li\n", res);
  return 0;
}
------------------------------------------
------------------------------------------
      TRANSLATION TO ASM (MASM SYNTAX)

using gcc -S -masm=intel -m32

	.file	"hmain.c"
	.intel_syntax noprefix
	.def	___main;	.scl	2;	.type	32;	.endef
	.section .rdata,"dr"
LC0:
	.ascii "requires 1 argument\0"
LC1:
	.ascii "%li\0"
LC2:
	.ascii "%li\12\0"
	.text
	.globl	_main
	.def	_main;	.scl	2;	.type	32;	.endef
_main:
	push	ebp
	mov	ebp, esp
	and	esp, -16
	sub	esp, 32
	call	___main
	mov	DWORD PTR [esp+24], 1
	mov	DWORD PTR [esp+28], 0
	cmp	DWORD PTR [ebp+8], 1
	je	L2
	call	___getreent
	mov	eax, DWORD PTR [eax+12]
	mov	DWORD PTR [esp+12], eax
	mov	DWORD PTR [esp+8], 19
	mov	DWORD PTR [esp+4], 1
	mov	DWORD PTR [esp], OFFSET FLAT:LC0
	call	_fwrite
	mov	eax, 1
	jmp	L4
L2:
	mov	eax, DWORD PTR [ebp+12]
	add	eax, 4
	mov	eax, DWORD PTR [eax]
	lea	edx, [esp+24]
	mov	DWORD PTR [esp+8], edx
	mov	DWORD PTR [esp+4], OFFSET FLAT:LC1
	mov	DWORD PTR [esp], eax
	call	_sscanf
	mov	eax, DWORD PTR [esp+24]
	mov	DWORD PTR [esp], eax
	call	_hailstone
	mov	DWORD PTR [esp+28], eax
	mov	eax, DWORD PTR [esp+28]
	mov	DWORD PTR [esp+4], eax
	mov	DWORD PTR [esp], OFFSET FLAT:LC2
	call	_printf
	mov	eax, 0
L4:
	leave
	ret
	.ident	"GCC: (GNU) 4.9.3"
	.def	___getreent;	.scl	2;	.type	32;	.endef
	.def	_fwrite;	.scl	2;	.type	32;	.endef
	.def	_sscanf;	.scl	2;	.type	32;	.endef
	.def	_hailstone;	.scl	2;	.type	32;	.endef
	.def	_printf;	.scl	2;	.type	32;	.endef

------------------------------------------
        What is right after the label "main"?
        What does and esp, -16 do?
        What does sub esp, 32 do?
        What does call ___main do?
        What is at esp+24?
        What is at esp+28?
        What is at ebp+8?
        What does the je L2 do?
        What happens at L2?
        What is the lea edx, [esp+24] doing?
        Then what happens with mov DWORD PTR [esp+8], edx?
        Then what happens with mov DWORD PTR [esp+4], OFFSET FLAT:LC1?
II. calling conventions
 A. stack frames (background)
------------------------------------------
           STACK FRAME FOR A FUNCTION


high addrs
   EBP --> +--------------------------+
           |                          |
           |                          |
           |           |              |
           |           |              |
           |           v              |
           |                          |
           |                          |
           |                          |
           |                          |
   ESP --> |                          |
           +--------------------------+
low addrs

     push 0xC
     pop [eax+4]

------------------------------------------
        Does push increment or decrement ESP?
        Where does the top of the stack go when pop is executed?
        What happens if there is no space for the push?
 B. _cdecl calling convention
------------------------------------------
      FUNCTION CALL AND RETURN (GCC, ...)

Using the _cdecl calling convention in x86

  CALLER                CALLEE
  ========================================
  push argn ; last argument (rightmost)
  ...
  push arg1 ; first argument (leftmost)
  call fun  ; pushes AFTER, sets EIP to fun
                       push ebp
                       mov ebp, esp
                       ; work of fun
                       pop ebp
                       ret  ; jump to AFTER

  AFTER: times n pop

------------------------------------------
        Which argument is closest to where ebp points?
------------------------------------------
        SUMMARY POINTS FOR _CDECL

arguments
   pushed on the stack
   in 

   caller pops 



result in    

Benefits:
   first argument near top of stack,
   so works well with 



------------------------------------------
     If a function has a variable number of arguments (like
     printf), who can best clean up the stack: the caller or callee?
------------------------------------------
            STACK FRAME FOR _CDECL

high address
        +--------------------------------+
        |          arg n                 |
        +--------------------------------+
        |           ...                  |
        +--------------------------------+
        |          arg 1                 |
        +--------------------------------+
        |          return address        |
        +================================+
  EBP ->|         old EBP                |
        +--------------------------------+
        |          local 1               |
        +--------------------------------+
        |            ...                 |
        +--------------------------------+
  ESP ->|          local M               |
        +--------------------------------+
low address

------------------------------------------
        So, in a 32 bit program, what is the address of arg 1?
        What is the address of arg 2?
------------------------------------------
           EXAMPLE C CODE

#include <stdio.h>

void swap(int *x, int *y) {
  int temp = *x;
  *x = *y;
  *y = temp;
}

int main(int argc, char *argv[]) {
  int i = 3;
  int n = 4;
  printf("i = %d, n = %d\n", i, n);
  swap(&i, &n);
  printf("i = %d, n = %d\n", i, n);
  return 0;
}
------------------------------------------
------------------------------------------
  ASSEMBLY CODE (from gcc -S -masm=intel)

	.text
	.globl	_swap
	.def	_swap;	.scl	2;	.type	32;	.endef
_swap:
LFB7:
	.cfi_startproc
	push	ebp
	.cfi_def_cfa_offset 8
	.cfi_offset 5, -8
	mov	ebp, esp
	.cfi_def_cfa_register 5
	sub	esp, 16
	mov	eax, DWORD PTR [ebp+8]
	mov	eax, DWORD PTR [eax]
	mov	DWORD PTR [ebp-4], eax
	mov	eax, DWORD PTR [ebp+12]
	mov	edx, DWORD PTR [eax]
	mov	eax, DWORD PTR [ebp+8]
	mov	DWORD PTR [eax], edx
	mov	eax, DWORD PTR [ebp+12]
	mov	edx, DWORD PTR [ebp-4]
	mov	DWORD PTR [eax], edx
	leave
	.cfi_restore 5
	.cfi_def_cfa 4, 4
	ret
	.cfi_endproc
LFE7:
	.def	___main;	.scl	2;	.type	32;	.endef
	.section .rdata,"dr"
LC0:
	.ascii "i = %d, n = %d\12\0"
	.text
	.globl	_main
	.def	_main;	.scl	2;	.type	32;	.endef
_main:
LFB8:
	.cfi_startproc
	push	ebp
	.cfi_def_cfa_offset 8
	.cfi_offset 5, -8
	mov	ebp, esp
	.cfi_def_cfa_register 5
	and	esp, -16
	sub	esp, 32
	call	___main
	mov	DWORD PTR [esp+28], 3
	mov	DWORD PTR [esp+24], 4
	mov	edx, DWORD PTR [esp+24]
	mov	eax, DWORD PTR [esp+28]
	mov	DWORD PTR [esp+8], edx
	mov	DWORD PTR [esp+4], eax
	mov	DWORD PTR [esp], OFFSET FLAT:LC0
	call	_printf
	lea	eax, [esp+24]
	mov	DWORD PTR [esp+4], eax
	lea	eax, [esp+28]
	mov	DWORD PTR [esp], eax
	call	_swap
	mov	edx, DWORD PTR [esp+24]
	mov	eax, DWORD PTR [esp+28]
	mov	DWORD PTR [esp+8], edx
	mov	DWORD PTR [esp+4], eax
	mov	DWORD PTR [esp], OFFSET FLAT:LC0
	call	_printf
	mov	eax, 0
	leave
	.cfi_restore 5
	.cfi_def_cfa 4, 4
	ret
	.cfi_endproc
------------------------------------------
 C. stdcall (standard) calling convention
------------------------------------------
  MICROSOFT "STANDARD" CALLING CONVENTION

Using the _stdcall calling convention in x86

  CALLER                CALLEE
  ========================================
  push argn ; last argument (rightmost)
  ...
  push arg1 ; first argument (leftmost)
  call fun  ; pushes AFTER, sets EIP to fun
                       push ebp
                       mov ebp, esp
                       ; work of fun
                       pop ebp
                       ret n*4 ; clean stack and return

  AFTER: 

------------------------------------------
        Is that the same as cdecl?
        Which argument is closest to where ebp points?
------------------------------------------
        SUMMARY POINTS FOR _STDCALL

arguments
   pushed on the stack
   in right-to-left order

   callee pops 


   result in eax

Benefits:
   cleanup code only in callee
   so 



------------------------------------------
     Will this work with variable argument functions?
------------------------------------------
            STACK FRAME FOR _STDECL

high address
        +--------------------------------+
        |          arg n                 |
        +--------------------------------+
        |           ...                  |
        +--------------------------------+
        |          arg 1                 |
        +--------------------------------+
        |          return address        |
        +--------------------------------+
        |         old EBP                |
        +================================+
  EBP ->|          local 1               |
        +--------------------------------+
        |            ...                 |
        +--------------------------------+
  ESP ->|          local M               |
        +--------------------------------+
low address

------------------------------------------
        So, in a 32 bit program, what is the address of arg 1?
        What is the address of arg 2?
------------------------------------------
           EXAMPLE C CODE

#include <stdio.h>

int demo_stdcall(int w, int x, int y, int z) {
  return w+x+y+z;
}

int main() {
  int res;
  res = demo_stdcall(1,22,333,4444);
  printf("res is %d", res);
  return 0;
}
------------------------------------------
------------------------------------------
.text:00401280 ; Attributes: bp-based frame
.text:00401280
.text:00401280 _main           proc near               ; CODE XREF: start-82
.text:00401280
.text:00401280 res             = dword ptr -4
.text:00401280
.text:00401280                 push    ebp
.text:00401281                 mov     ebp, esp
.text:00401283                 push    ecx             ; save ecx
.text:00401284                 push    115Ch           ; z (which is 4444)
.text:00401289                 push    14Dh            ; y (which is 333)
.text:0040128E                 push    16h             ; x (= 22)
.text:00401290                 push    1               ; w
.text:00401292                 call    demo_stdcall
.text:00401297                 add     esp, 10h        ; recover space from call
.text:0040129A                 mov     [ebp+res], eax  ; save result in res
.text:0040129D                 mov     eax, [ebp+res]  ; put res back in eax
.text:004012A0                 push    eax             ; push res on stack for call to printf
.text:004012A1                 push    offset aResIsD  ; "res is %d"
.text:004012A6                 call    sub_401300      ; call printf("res is %d\n", res);
.text:004012AB                 add     esp, 8          ; recover stack from call
.text:004012AE                 xor     eax, eax        ; return 0
.text:004012B0                 mov     esp, ebp
.text:004012B2                 pop     ebp
.text:004012B3                 retn
.text:004012B3 _main           endp

.text:00401260 ; Attributes: bp-based frame
.text:00401260
.text:00401260 demo_stdcall    proc near               ; CODE XREF: _main+12
.text:00401260
.text:00401260 w               = dword ptr  8
.text:00401260 x               = dword ptr  0Ch
.text:00401260 y               = dword ptr  10h
.text:00401260 z               = dword ptr  14h
.text:00401260
.text:00401260                 push    ebp
.text:00401261                 mov     ebp, esp
.text:00401263                 mov     eax, [ebp+w]
.text:00401266                 add     eax, [ebp+x]
.text:00401269                 add     eax, [ebp+y]
.text:0040126C                 add     eax, [ebp+z]
.text:0040126F                 pop     ebp
.text:00401270                 retn
.text:00401270 demo_stdcall    endp

------------------------------------------
 D. fastcall calling convention
------------------------------------------
       FASTCALL CALLING CONVENTION

Like stdcall but:
  passes up to 2 parameters in registers
     (arg1 in ecx, arg2 in edx)
  rest on stack (in right-to-left order
------------------------------------------
III. using IDA Pro (free version)
 A. overview of use
  1. starting and stopping
------------------------------------------
             STARTING IDA PRO

Start it as an app (double click)

Asks:
   New (disassemble new file)
   Go  (work on your own)
  Previous (load an old disassembly)

Examples...
------------------------------------------
  2. conceptual view
------------------------------------------
      IDA PRO IS A DATABASE PROGRAM

The code is put into a database
   stored in an


IDA Pro shows you 
------------------------------------------
------------------------------------------
          SAVING THE DATABASE

You can return to your work if you


Don't forget to 


------------------------------------------
------------------------------------------
           VIEWS OF THE DATABASE

Disassembly window (IDA-View)

   - as a control flow graph with basic blocks
   - as text


Function names
Strings
Hex
Exports
Imports
...
------------------------------------------
 B. declarations in IDA Pro's disassembly
------------------------------------------
           DECLARATIONS

Visible in the text view

Example:

.text:004011D7 ; Attributes: bp-based frame
.text:004011D7
.text:004011D7 sub_4011D7      proc near
.text:004011D7
.text:004011D7 var_10	       = dword ptr -10h
.text:004011D7 var_C	       = dword ptr -0Ch
.text:004011D7 var_8	       = dword ptr -8
.text:004011D7 var_4	       = dword ptr -4
.text:004011D7 arg_0	       = dword ptr  8
.text:004011D7 arg_4	       = dword ptr  0Ch
.text:004011D7 arg_8	       = dword ptr  10h
.text:004011D7 arg_C	       = dword ptr  14h
.text:004011D7 arg_10	       = dword ptr  18h
.text:004011D7 arg_14	       = dword ptr  1Ch
.text:004011D7
.text:004011D7		       push    ebp
.text:004011D8		       mov     ebp, esp
 
Automatically generated names:

    var_N   is 

    arg_N   is 

Very helpful to right click on a name
  and


------------------------------------------
 C. commenting lines
------------------------------------------
            COMMENTING INSTRUCTIONS

Put cursor on the line
  Type a colon (:)
  Enter text
  Click OK

This is the way to edit comments also
------------------------------------------
 D. examples