SUB – Subtract

| SUB instruction |

(gdb) disass
Dump of assembler code for function *__GI___poll:
   0x00007fc50ab670b0 :	sub    $0x28,%rsp
   0x00007fc50ab670b4 :	mov    0x29c52e(%rip),%eax        # 0x7fc50ae035e8 
   0x00007fc50ab670ba :	test   %eax,%eax
   0x00007fc50ab670bc :	jne    0x7fc50ab670d5 
   0x00007fc50ab670be :	movslq %edx,%rdx
   0x00007fc50ab670c1 :	mov    $0x7,%eax
   0x00007fc50ab670c6 :	syscall
=> 0x00007fc50ab670c8 :	cmp    $0xfffffffffffff000,%rax
   0x00007fc50ab670ce :	ja     0x7fc50ab67121 
   0x00007fc50ab670d0 :	add    $0x28,%rsp
   0x00007fc50ab670d4 :	retq
   0x00007fc50ab670d5 :	mov    %edx,0x8(%rsp)
   0x00007fc50ab670d9 :	mov    %rsi,0x10(%rsp)

sub $0x28,%rsp : in AT&T syntax `$0x28` is the immediate value 0x28 (40 decimal), not a memory operand, and %rsp is the 64-bit stack pointer register. The instruction subtracts 40 from rsp, reserving 40 bytes of stack for the function; the matching `add $0x28,%rsp` just before `retq` releases them again.

Process Involved

$ping gnu.org
PING gnu.org (199.232.41.10) 56(84) bytes of data.

Explanation

Usage: SUB dest,src
The source is subtracted from the destination and the result is
stored in the destination.

source  : http://www.penguin.cz/~literakl/intel/s.html#SUB
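As an added example (not from the original post), the following C models the flag semantics of SUB and applies them to the `cmp $0xfffffffffffff000,%rax ; ja` pair in the poll disassembly above: CMP is a SUB whose result is discarded, and JA is taken only when CF and ZF are both clear, which is exactly the case for a raw kernel return value in the -errno range.

```c
#include <stdint.h>
#include <stdio.h>

/* The flags SUB/CMP update that the conditional jumps read. */
struct flags { int cf, zf, sf, of; };

/* SUB dest,src: result = dest - src, with the flags set the way x86 sets them. */
static uint64_t sub64(uint64_t dest, uint64_t src, struct flags *f)
{
    uint64_t result = dest - src;
    f->cf = dest < src;                                   /* unsigned borrow */
    f->zf = result == 0;
    f->sf = (int)((result >> 63) & 1);
    /* signed overflow: dest and src differ in sign and the result's sign differs from dest */
    f->of = (int)((((dest ^ src) & (dest ^ result)) >> 63) & 1);
    return result;
}

/* JA (jump if above, unsigned) is taken when CF == 0 and ZF == 0. */
static int ja_taken(const struct flags *f)
{
    return !f->cf && !f->zf;
}

/* glibc's check after the poll syscall in the dump above:
 *   cmp $0xfffffffffffff000,%rax ; ja <error path>
 * On failure rax holds -errno, which as an unsigned value lies above
 * 0xfffffffffffff000 (-4096). Returns 1 when the error path is taken. */
static int syscall_failed(uint64_t rax)
{
    struct flags f;
    (void)sub64(rax, 0xfffffffffffff000ULL, &f);          /* cmp: flags only */
    return ja_taken(&f);
}

/* sub $0x28,%rsp from the dump: reserve 0x28 (40) bytes of stack for the frame. */
static uint64_t alloc_frame(uint64_t rsp, struct flags *f)
{
    return sub64(rsp, 0x28, f);
}

int main(void)
{
    struct flags f;
    printf("rsp 0x1000 - 0x28 = 0x%llx\n", (unsigned long long)alloc_frame(0x1000, &f));
    printf("rax = -11 (EAGAIN): error path taken = %d\n", syscall_failed((uint64_t)-11));
    printf("rax = 3 (fds ready): error path taken = %d\n", syscall_failed(3));
    return 0;
}
```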

What is a SYSENTER instruction ?

ABOUT THE SYSENTER INSTRUCTION

The SYSENTER instruction is part of the "Fast System Call" facility introduced on the Pentium(R) II
processor. The SYSENTER instruction is optimized to provide the maximum performance for transitions to
protection ring 0 (CPL 0). The SYSENTER instruction sets the following registers according to values
specified by the operating system in certain model-specific registers:

CS register set to the value of SYSENTER_CS_MSR
EIP register set to the value of SYSENTER_EIP_MSR
SS register set to the sum of 8 plus the value in SYSENTER_CS_MSR
ESP register set to the value of SYSENTER_ESP_MSR

The processor does not save user stack or return address information, and does not save any registers.

(gdb) disass
Dump of assembler code for function __kernel_vsyscall:
   0xb780b414 :	push   %ecx
   0xb780b415 :	push   %edx
   0xb780b416 :	push   %ebp
   0xb780b417 :	mov    %esp,%ebp
   0xb780b419 :	sysenter
   0xb780b41b :	nop
   0xb780b41c :	nop
   0xb780b41d :	nop
   0xb780b41e :	nop
   0xb780b41f :	nop
   0xb780b420 :	nop
   0xb780b421 :	nop
   0xb780b422 :	jmp    0xb780b417
=> 0xb780b424 :	pop    %ebp
   0xb780b425 :	pop    %edx
   0xb780b426 :	pop    %ecx
   0xb780b427 :	ret
End of assembler dump.
(gdb)

0xb780b419 : sysenter

LINKS
https://wiki.osdev.org/SYSENTER
http://www.intel.com/software/products/documentation/vlin/mergedprojects/analyzer_ec/mergedprojects/reference_olh/mergedprojects/instructions/instruct32_hh/vc311.htm (This link is either broken or not correct)


NOUVEAU modeset HOWTO

Problem

I attempted to go along with a new resolution with boot time
messages, but there was a conflict: the boot time messages
differed from the console resolution when the [nouveau] driver took control.

Debian Based Solution

1. Find out the module which takes over:
   [ dmesg | grep fb ]

2. Look for the arguments allowed during module startup:
   [ modinfo nouveau ]

3. Set the resolution inside "grub.cfg":
   [ gfxmode=1024x768 also gfxpayload=keep ]

4. Pass the module argument during kernel boot:
   [ inside grub.cfg : linux <…..> nouveau.modeset=0 ]

5. Reboot.

A Screen Shot

$modinfo nouveau
filename:       /lib/modules/2.6.32-5-amd64/kernel/drivers/gpu/drm/nouveau/nouveau.ko
license:        GPL and additional rights
description:    nVidia Riva/TNT/GeForce
author:         Stephane Marchesin
alias:          pci:v000012D2d*sv*sd*bc03sc*i*
alias:          pci:v000010DEd*sv*sd*bc03sc*i*
depends:        drm,drm_kms_helper,ttm,i2c-core,button,i2c-algo-bit
vermagic:       2.6.32-5-amd64 SMP mod_unload modversions
parm:           ctxfw:Use external firmware blob for grctx init (NV40) (int)
parm:           modeset:Enable kernel modesetting (int)
parm:           vbios:Override default VBIOS location (charp)
parm:           vram_pushbuf:Force DMA push buffers to be in VRAM (int)
parm:           vram_notify:Force DMA notifiers to be in VRAM (int)
.
.
.
parm:           reg_debug:Register access debug bitmask:
                0x1 mc, 0x2 video, 0x4 fb, 0x8 extdev,
                0x10 crtc, 0x20 ramdac, 0x40 vgacrtc, 0x80 rmvio,
                0x100 vgaattr, 0x200 EVO (G80+).  (int)
$

NOP machine instruction

| Cracking |

(gdb) disass
Dump of assembler code for function main:
   0x0000000000400494 :	push   %rbp
   0x0000000000400495 :	mov    %rsp,%rbp
   0x0000000000400498 :	nop
=> 0x0000000000400499 :	jmp    0x400498 
End of assembler dump.
(gdb)

#include <stdio.h>

int main(void)
{
    while (1)
        asm("nop");   /* one NOP per iteration: the nop / jmp pair seen in the disassembly */
    return 0;
}

NOPs are often involved when cracking software that checks for serial
numbers, specific hardware or software requirements, presence or
absence of hardware dongles, etc. This is accomplished by altering
functions and subroutines to bypass security checks and instead simply
return the expected value being checked for. Since most of the
instructions in the security check routine will be unused, these would be
replaced with NOPs.

source : http://en.wikipedia.org/wiki/NOP
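From the defender's side, the practical consequence of the paragraph above is that a NOP-patched check is easy to recognise when the original bytes are known: the modified copy differs from the original only by runs of 0x90. The following C, added here and not part of the original post, compares a constructed "original" and "patched" copy of a small check sequence and reports the regions that were overwritten with NOPs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NOP 0x90   /* the single-byte x86 NOP */

struct patch { size_t offset, length; };

/* Compare a known-good code image with the copy actually in memory and collect
 * every contiguous region that now differs and consists only of NOPs.  Regions
 * that differ in some other way are counted in *other.  Returns the number of
 * NOP regions (at most max_out of them are written to out[]). */
static size_t find_nop_patches(const uint8_t *orig, const uint8_t *cur, size_t len,
                               struct patch *out, size_t max_out, size_t *other)
{
    size_t n = 0;
    *other = 0;
    for (size_t i = 0; i < len; ) {
        if (orig[i] == cur[i]) { i++; continue; }
        size_t start = i;
        int all_nop = 1;
        while (i < len && orig[i] != cur[i]) {
            if (cur[i] != NOP) all_nop = 0;
            i++;
        }
        if (!all_nop) { (*other)++; continue; }
        if (n < max_out) { out[n].offset = start; out[n].length = i - start; }
        n++;
    }
    return n;
}

/* Constructed sample (not taken from the page): test %eax,%eax ; jne +5 ; mov $1,%eax ; ret,
 * and the same bytes with the jne overwritten by two NOPs so the check can no longer branch. */
static const uint8_t sample_orig[]    = { 0x85, 0xc0, 0x75, 0x05, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xc3 };
static const uint8_t sample_patched[] = { 0x85, 0xc0, 0x90, 0x90, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xc3 };

int main(void)
{
    struct patch p[4];
    size_t other;
    size_t n = find_nop_patches(sample_orig, sample_patched, sizeof sample_orig, p, 4, &other);
    for (size_t i = 0; i < n; i++)
        printf("NOP patch at offset %zu, %zu byte(s)\n", p[i].offset, p[i].length);
    printf("%zu other modification(s)\n", other);
    return 0;
}
```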

What is a PUSH instruction ?

ABOUT THE PUSH INSTRUCTION

In the 8086, the main stack register is called the stack pointer (SP). The stack segment register (SS) is usually used to store information about the memory segment that holds the call stack of the currently executing program. SP points to the current stack top. By default, the stack grows downward in memory, so newer values are placed at lower memory addresses. To push a value onto the stack, the PUSH instruction is used. To pop a value from the stack, the POP instruction is used.

TYPICAL GDB SESSION
(gdb) disass
Dump of assembler code for function _IO_default_uflow:
   0x00007f7c1e9964d0 :	mov    0xd8(%rdi),%rax
=> 0x00007f7c1e9964d7 :	push   %rbx
   0x00007f7c1e9964d8 :	mov    %rdi,%rbx
   0x00007f7c1e9964db :	callq  *0x20(%rax)
   0x00007f7c1e9964de :	cmp    $0xffffffffffffffff,%eax
   0x00007f7c1e9964e1 :	je     0x7f7c1e9964f2
   0x00007f7c1e9964e3 :	mov    0x8(%rbx),%rdx
   0x00007f7c1e9964e7 :	movzbl (%rdx),%eax
   0x00007f7c1e9964ea :	add    $0x1,%rdx
   0x00007f7c1e9964ee :	mov    %rdx,0x8(%rbx)
   0x00007f7c1e9964f2 :	pop    %rbx
   0x00007f7c1e9964f3 :	retq
End of assembler dump.
(gdb)

rbx is the 64-bit equivalent of the ebx register.

The PUSH instruction pushes a value onto the stack. Here I think the push instruction pushes the value of the rbx register onto the stack.

LINKS
https://en.wikipedia.org/wiki/Stack_register
https://en.wikipedia.org/wiki/X86_instruction_listings


pop instruction and stack…

| POP Instruction |



source : Windows Debugger.

 MOV   AX,1234H
 MOV   BX,5678H
 PUSH  AX
 PUSH  BX
 POP   AX
 POP   BX

The values: AX=5678h BX=1234h. First the value 1234h was pushed,
after that the value 5678h was pushed to the stack. According to LIFO,
5678h comes off first, so AX will pop that value and BX will pop the
next.

source :
http://www.xs4all.nl/~smit/asm01001.htm
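To make the downward-growing stack from the PUSH section and the LIFO result of the POP example concrete, here is an added C model (not from the original post) of a 16-bit 8086-style stack: PUSH decrements SP by 2 and stores the word little-endian at the new top, POP reads the word at the top and increments SP. It runs the six-instruction sequence above and leaves the final AX, BX and SP in the modelled CPU.

```c
#include <stdint.h>
#include <stdio.h>

#define STACK_BYTES 64

/* Minimal 8086-style CPU: two general registers, SP, and the stack segment. */
struct cpu {
    uint16_t ax, bx, sp;
    uint8_t  stack[STACK_BYTES];   /* memory addressed by SS:SP, offsets 0..63 */
};

/* PUSH: the stack grows downward, so SP is decremented first and the word is
 * stored at the new top (little-endian: low byte at the lower address). */
static void push16(struct cpu *c, uint16_t value)
{
    c->sp -= 2;
    c->stack[c->sp]     = (uint8_t)(value & 0xff);
    c->stack[c->sp + 1] = (uint8_t)(value >> 8);
}

/* POP: read the word at the top, then release it by incrementing SP. */
static uint16_t pop16(struct cpu *c)
{
    uint16_t value = (uint16_t)(c->stack[c->sp] | (c->stack[c->sp + 1] << 8));
    c->sp += 2;
    return value;
}

/* The page's sequence: MOV AX,1234h / MOV BX,5678h / PUSH AX / PUSH BX / POP AX / POP BX */
static void run_sequence(struct cpu *c)
{
    c->ax = 0x1234;
    c->bx = 0x5678;
    push16(c, c->ax);          /* 1234h stored at SP-2 */
    push16(c, c->bx);          /* 5678h stored at SP-4, now the top */
    c->ax = pop16(c);          /* LIFO: 5678h comes off first */
    c->bx = pop16(c);          /* then 1234h */
}

int main(void)
{
    struct cpu c = { 0, 0, STACK_BYTES, { 0 } };
    run_sequence(&c);
    printf("AX=%04Xh BX=%04Xh SP=%u\n", c.ax, c.bx, c.sp);   /* AX=5678h BX=1234h SP=64 */
    return 0;
}
```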