Praise for Reverse Engineering for Beginners • “It’s very well done and for free amazing.”1 Daniel Bilar, Siege Technologies, LLC • “ excellent and free”2 Pete Finnigan, Oracle RDBMS security guru • “ book is interesting, great job!” Michael Sikorski, author of Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software • “ my compliments for the very nice tutorial!” Herbert Bos, full professor at the Vrije Universiteit Amsterdam • “ It is amazing and unbelievable.” Luis Rocha, CISSP / ISSAP, Technical Manager, Network & Information Security at Verizon Business • “Thanks for the great work and your book.” Joris van de Vis, SAP Netweaver & Security specialist • “ reasonable intro to some of the techniques.”3 (Mike Stay, teacher at the Federal Law Enforcement Training Center, Georgia, US.) • “I love this book! I have several students reading it at the moment, plan to use it in graduate course.”4 (Sergey Bratus, Research Assistant Professor at the Computer Science Department at Dartmouth College) https://twitter.com/daniel_bilar/status/436578617221742593 https://twitter.com/petefinnigan/status/400551705797869568 http://www.reddit.com/r/IAmA/comments/24nb6f/i_was_a_professional_ password_cracker_who_taught/ https://twitter.com/sergeybratus/status/505590326560833536 Reverse Engineering for Beginners Dennis Yurichev cbnd ©2013-2014, Dennis Yurichev This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License To view a copy of this license, visit http: //creativecommons.org/licenses/by-nc-nd/3.0/ Text version (October 10, 2014) There is probably a newer version of this text, and Russian language version also accessible at http://beginners.re A4-format version is also available on the page You may also subscribe to my twitter, to get information about updates of this text, etc: @yurichev , or facebook subscribe to mailing list https://twitter.com/yurichev https://www.facebook.com/Dennis.Yurichev http://yurichev.com/mailing_lists.html ii or to Please donate! I worked more than one year on this book, here are more than 750 pages, and it’s free Same level books has price tag from $20 to $50 More about it: 0.0.1 I also look for a publisher who may want to translate and publish my “Reverse Engineering for Beginners” book to a language other than English/Russian, under condition that English/Russian version will remain freely available in open-source form Interesting? dennis(a)yurichev.com i ii SHORT CONTENTS SHORT CONTENTS Short contents I Code patterns II Important fundamentals 726 III Finding important/interesting stuff in the code 734 IV OS-specific 766 V Tools 842 VI More examples 848 VII Examples of reversing proprietary file formats 1020 VIII Other things 1049 IX Books/blogs worth reading 1076 X Exercises 1080 Afterword Appendix 1122 iii 1124 CONTENTS CONTENTS Contents 0.0.1 I Donate Code patterns vi 1 Short introduction to the CPU 1.1 Couple words about x86 and ARM Hello, world! 2.1 x86 2.1.1 MSVC 2.1.2 GCC 2.1.3 GCC: AT&T syntax 2.2 x86-64 2.2.1 MSVC—x86-64 2.2.2 GCC—x86-64 2.3 GCC—one more thing 2.4 ARM 2.4.1 Non-optimizing Keil 6/2013 (ARM mode) 2.4.2 Non-optimizing Keil 6/2013 (thumb mode) 2.4.3 Optimizing Xcode 4.6.3 (LLVM) (ARM mode) 2.4.4 Optimizing Xcode 4.6.3 (LLVM) (thumb-2 mode) 2.4.5 ARM64 2.5 Conclusion 2.6 Exercises 2.6.1 Exercise #1 5 11 11 11 13 14 14 16 17 18 20 22 22 22 Function prologue and epilogue 3.1 Recursion 23 23 Stack 4.1 Why does the stack grow backward? 4.2 What is the stack used for? 25 26 26 iv CONTENTS 4.2.1 Save the return address where a function must return control after execution 4.2.2 Passing function arguments 4.2.3 Local variable storage 4.2.4 x86: alloca() function 4.2.5 (Windows) SEH 4.2.6 Buffer overflow protection 4.3 Typical stack layout 4.4 Noise in stack 4.5 Exercises 4.5.1 Exercise #1 4.5.2 Exercise #2 26 28 29 30 33 33 33 33 37 37 38 printf() with several arguments 5.1 x86: arguments 5.1.1 MSVC 5.1.2 MSVC and OllyDbg 5.1.3 GCC 5.1.4 GCC and GDB 5.2 x64: arguments 5.2.1 MSVC 5.2.2 GCC 5.2.3 GCC + GDB 5.3 ARM: arguments 5.3.1 32-bit ARM 5.3.2 ARM64 5.4 ARM: arguments 5.4.1 Optimizing Keil 6/2013: ARM mode 5.4.2 Optimizing Keil 6/2013: thumb mode 5.4.3 Optimizing Xcode 4.6.3 (LLVM): ARM mode 5.4.4 Optimizing Xcode 4.6.3 (LLVM): thumb-2 mode 5.4.5 ARM64 5.5 Conclusion 5.6 By the way 40 40 40 42 46 47 50 51 51 52 55 55 57 58 58 60 60 61 62 63 64 scanf() 6.1 Simple example 6.1.1 About pointers 6.1.2 x86 6.1.3 MSVC + OllyDbg 6.1.4 x64 6.1.5 ARM 6.2 Global variables 6.2.1 MSVC: x86 66 66 66 67 70 73 74 76 76 v CONTENTS 6.2.2 MSVC: x86 + OllyDbg 6.2.3 GCC: x86 6.2.4 MSVC: x64 6.2.5 ARM: Optimizing Keil 6/2013 (thumb mode) 6.2.6 ARM64 6.3 scanf() result checking 6.3.1 MSVC: x86 6.3.2 MSVC: x86: IDA 6.3.3 MSVC: x86 + OllyDbg 6.3.4 MSVC: x86 + Hiew 6.3.5 MSVC: x64 6.3.6 ARM 6.3.7 Exercise Accessing passed arguments 7.1 x86 7.1.1 MSVC 7.1.2 MSVC + OllyDbg 7.1.3 GCC 7.2 x64 7.2.1 MSVC 7.2.2 GCC 7.2.3 GCC: uint64_t instead of int 7.3 ARM 7.3.1 Non-optimizing Keil 6/2013 (ARM mode) 7.3.2 Optimizing Keil 6/2013 (ARM mode) 7.3.3 Optimizing Keil 6/2013 (thumb mode) 7.3.4 ARM64 79 80 80 81 83 84 85 86 90 93 94 95 97 99 99 99 100 101 102 102 104 105 106 106 108 108 108 More about results returning 111 8.1 Attempt to use result of function returning void 111 8.2 What if not to use function result? 112 8.3 Returning a structure 113 Pointers 9.1 Global variables example 9.2 Local variables example 9.3 Conclusion 116 116 122 126 10 GOTO 127 10.1 Dead code 131 10.2 Exercise 131 vi CONTENTS 11 Conditional jumps 11.1 Simple example 11.1.1 x86 11.1.2 ARM 11.2 Conditional operator 11.2.1 x86 11.2.2 ARM 11.2.3 ARM64 11.2.4 Let’s rewrite it in if/else way 11.2.5 Conclusion 11.2.6 Exercise 11.3 Conclusion 11.3.1 x86 11.3.2 ARM 132 132 133 146 150 150 152 153 153 154 154 154 154 155 12 switch()/case/default 12.1 Few number of cases 12.1.1 x86 12.1.2 ARM: Optimizing Keil 6/2013 (ARM mode) 12.1.3 ARM: Optimizing Keil 6/2013 (thumb mode) 12.1.4 ARM64: Non-optimizing GCC (Linaro) 4.9 12.1.5 ARM64: Optimizing GCC (Linaro) 4.9 12.1.6 Conclusion 12.2 A lot of cases 12.2.1 x86 12.2.2 ARM: Optimizing Keil 6/2013 (ARM mode) 12.2.3 ARM: Optimizing Keil 6/2013 (thumb mode) 12.2.4 Conclusion 12.3 When there are several case in one block 12.3.1 MSVC 12.3.2 GCC 12.3.3 ARM64: Optimizing GCC 4.9.1 12.4 Fallthrough 12.4.1 MSVC x86 12.4.2 ARM64 12.5 Exercises 12.5.1 Exercise #1 156 156 156 167 168 169 170 170 170 171 178 181 183 184 185 187 187 190 191 192 193 193 13 Loops 13.0.2 Simple example 13.0.3 Several iterators 13.1 Conclusion 13.2 Exercises 13.2.1 Exercise #1 194 194 207 213 215 215 vii CONTENTS 13.2.2 Exercise #2 216 13.2.3 Exercise #3 216 13.2.4 Exercise #4 218 14 Simple C-strings processings 14.1 strlen() 14.1.1 x86 14.1.2 ARM 14.2 Strings trimming 14.2.1 x64: Optimizing MSVC 2013 14.2.2 x64: Non-optimizing GCC 4.9.1 14.2.3 x64: Optimizing GCC 4.9.1 14.2.4 ARM64: Non-optimizing GCC (Linaro) 4.9 14.2.5 ARM64: Optimizing GCC (Linaro) 4.9 14.2.6 ARM: Optimizing Keil 6/2013 (ARM mode) 14.2.7 ARM: Optimizing Keil 6/2013 (thumb mode) 14.3 Exercises 14.3.1 Exercise #1 220 220 220 228 232 234 236 238 239 241 242 243 244 244 15 Replacing arithmetic instructions to other ones 15.1 Multiplication 15.1.1 Multiplication using addition 15.1.2 Multiplication using shifting 15.1.3 Multiplication using shifting/subtracting/adding 15.2 Division 15.2.1 Division using shifts 15.3 Division by 15.3.1 x86 15.3.2 ARM 15.3.3 How it works 15.3.4 Getting divisor 15.4 Exercises 15.4.1 Exercise #1 15.4.2 Exercise #2 247 247 247 248 249 253 253 254 254 256 257 259 261 261 262 16 Floating-point unit 16.1 Simple example 16.1.1 x86 16.1.2 ARM: Optimizing Xcode 4.6.3 (LLVM) (ARM mode) 16.1.3 ARM: Optimizing Keil 6/2013 (thumb mode) 16.1.4 ARM64: Optimizing GCC (Linaro) 4.9 16.1.5 ARM64: Non-optimizing GCC (Linaro) 4.9 16.2 Passing floating point number via arguments 16.2.1 x86 263 264 264 272 273 274 275 276 276 viii Glossary Glossary decrement Decrease by 15, 194, 223, 704, 764, 946, 1135, 1139, 1146 increment Increase by 16, 194, 199, 223, 229, 405, 408, 704, 911, 940, 1134, 1135 integral data type usual numbers, but not floating point ones 279 product Multiplication result 100, 258, 270, 273, 519, 550, 1168 stack pointer A register pointing to the place in the stack 6, 8, 16, 25, 29, 41, 57, 59, 75, 102, 624, 711, 767, 769–771, 1128, 1136, 1154, 1177 tail call It is when compiler (or interpreter) transforms recursion (with which it is possible: tail recursion) into iteration for efficiency: http://en.wikipedia org/wiki/Tail_call 24 quotient Division result 254, 255, 265, 268, 269, 273, 549, 605, 870 anti-pattern Generally considered as bad practice 28, 76, 732 atomic operation “ατ oµoς” mean “indivisible” in Greek, so atomic operation is what guaranteed not to be broke up during operation by other threads 840, 1063 basic block a group of instructions not having jump/branch instructions, and also not having jumps inside block from the outside In IDA it looks just like as a list of instructions without breaking empty lines 1073, 1075 callee A function being called by another 23, 28, 29, 45, 66, 85, 99, 102, 105, 159, 534, 624, 711, 767, 769–771, 774–776 caller A function calling another 7, 45, 85, 99, 100, 104, 113, 159, 534, 559, 624, 767, 768, 770, 771, 776 compiler intrinsic A function specific to a compiler which is not usual library function Compiler generate a specific machine code instead of call to it It is often a pseudofunction for specific CPU instruction Read more: (77) 1145 1184 Glossary Glossary CP/M Control Program for Microcomputers: a very basic disk OS used before MSDOS 1001 dongle Dongle is a small piece of hardware connected to LPT printer port (in past) or to USB Its function was akin to security token, it has some memory and, sometimes, secret (crypto-)hashing algorithm 878 endianness Byte order: 39 19, 79, 442, 1141, 1167 GiB Gibibyte: 230 or 1024 mebibytes or 1073741824 bytes 12 heap usually, a big chunk of memory provided by OS so that applications can divide it by themselves as they wish malloc()/free() works with heap 26, 29, 444, 648, 651, 652, 671, 673, 795, 796 jump offset a part of JMP or Jcc instruction opcode, it just to be added to the address of the next instruction, and thus is how new PC is calculated May be negative as well 94, 142, 1135 kernel mode A restrictions-free CPU mode in which it executes OS kernel and drivers cf user mode 1185 keygenme A program which imitates fictional software protection, for which one needs to make a keys/licenses generator 1120 leaf function A function which is not calling any other function 28 link register (RISC) A register where return address is usually stored This makes calling leaf functions without stack usage, i.e., faster 28, 880, 1154, 1155 loop unwinding It is when a compiler instead of generation loop code of n iteration, generates just n copies of the loop body, in order to get rid of loop maintenance instructions 197 name mangling used at least in C++, where compiler need to encode name of class, method and argument types in the one string, which will become internal name of the function read more here: 34.1.1 622, 736, 737 NaN not a number: special cases of floating point numbers, usually signaling about errors 282, 304, 1070 NEON AKA “Advanced SIMD”—SIMD from ARM 1155 NOP “no operation”, idle instruction 764 1185 Glossary Glossary NTAPI API available only in Windows NT line Largely, not documented by Microsoft 849 PDB (Win32) Debugging information file, usually just function names, but sometimes also function arguments and local variables names 735, 799, 849, 851, 858, 859, 865, 972, 973 POKE BASIC language instruction writing byte on specific address 764 register allocator Compiler’s function assigning local variables to CPU registers 222, 386, 534 reverse engineering act of understanding, how the thing works, sometimes, in order to clone it v, 1145 security cookie A random value, different at each execution Read more about it: 17.3 826 stack frame Part of stack containing information specific to the current functions: local variables, function arguments, RA, etc 68, 100, 101, 570, 571, 826 stdout standard output 18, 30, 159, 1115 thunk function Tiny function with a single role: call another function 20, 504, 879, 892 tracer My own simple debugging tool Read more about it: 58.1 200–202, 743, 756, 761, 762, 820, 833, 976, 986, 992, 993, 997, 1054, 1118 user mode A restricted CPU mode in which it executes all applied software code cf kernel mode 904, 1184 Windows NT Windows NT, 2000, XP, Vista, 7, 351, 529, 709, 748, 781, 797, 839, 1006, 1145 word data type fitting in GPR In the computers older than personal, memory size was often measured in words rather then bytes 656 xoring often used in English language, meaning applying XOR operation 826, 896, 901 1186 Index NET, 804 AT&T syntax, 10, 32 Buffer Overflow, 328, 826 C language elements Pointers, 66, 75, 116, 494, 533 Post-decrement, 703 Post-increment, 703 Pre-decrement, 703 Pre-increment, 703 C99, 114 bool, 383 restrict, 576 variable length arrays, 342 const, 6, 83 for, 194, 418 if, 132, 158 return, 7, 85, 113 switch, 156, 158, 167 while, 220 C standard library alloca(), 30, 342, 732, 813 assert(), 349, 751 atexit(), 655 atoi(), 610, 957 calloc(), 930 close(), 787 exit(), 559 free(), 732 fseek(), 929 ftell(), 929 getenv(), 959 localtime(), 723 localtime_r(), 452 longjmp(), 159 malloc(), 446, 732 memchr(), 1139 memcmp(), 589, 754, 1142 memcpy(), 10, 67, 585, 1137 memset(), 992, 1140 open(), 787 pow(), 276 puts(), 18 qsort(), 495 rand(), 741, 855, 858, 910 read(), 787 realloc(), 732 scanf(), 66 strcmp(), 581, 787 strcpy(), 10, 585, 911 strlen(), 220, 235, 527, 584, 1139 strstr(), 1171 time(), 723 tolower(), 938 va_arg, 604 va_list, 608 vprintf, 608 Compiler’s anomalies, 210, 243, 362, 397, 413, 1056 C++, 978 exceptions, 813 C++11, 671, 780 ostream, 644 References, 645 RTTI, 643 STL, 735 std::forward_list, 670 1187 INDEX INDEX std::list, 656 std::map, 681 std::set, 681 std::string, 646 std::vector, 671 grep usage, 202, 314, 735, 756, 761, 974 Intel syntax, 10, 14 Mac OS X, 845 position-independent code, 15, 783 RAM, 82 ROM, 82, 83 Base address, 796 Global variables, 76 Binary tree, 681 Dynamically loaded libraries, 19 Linker, 82, 622 RISC pipeline, 148 Non-a-numbers (NaNs), 304 OOP Polymorphism, 622 Buffer overflow, 335 Hash functions, 866 Recursion, 23, 27, 575 Tail recursion, 23 Stack, 25, 99, 159 Stack overflow, 27 Stack frame, 68 Syntactic Sugar, 158, 453 thumb-2 mode, 19 iPod/iPhone/iPad, 14 OllyDbg, 42, 70, 79, 100, 117, 136, 174, 199, 224, 267, 283, 294, 322, 330, 333, 352, 353, 403, 442, 465, 466, 471, 476, 499, 800, 844, 1160 Oracle RDBMS, 7, 519, 750, 809, 979, 991, 994, 1028, 1041, 1056, 1073 Angry Birds, 313, 314 ARM, 229, 595, 879, 1153 ARM mode, Instructions ADD, 18, 110, 146, 203, 257, 413, 1156 1188 ADDAL, 146 ADDCC, 180 ADDS, 108, 1156 ADR, 15, 146 ADRcc, 146, 147, 167, 168, 733 ADRP/ADD pair, 21, 58, 84, 347, 364, 706 ASR, 429 ASRS, 257, 397 B, 57, 146, 148 Bcc, 97 BCS, 148, 315 BEQ, 96, 167 BGE, 148 BIC, 396, 397, 431 BL, 15, 17, 19–21, 147, 708 BLcc, 147 BLE, 148 BLS, 148 BLT, 203 BLX, 19 BNE, 148 BX, 107, 183 CLZ, 1096, 1097 CMP, 96, 97, 146, 168, 180, 203, 413, 1156 CSEL, 153, 414 FCMPE, 316 FCSEL, 316 FMOV, 706 IT, 155, 313, 342 LDMccFD, 147 LDMEA, 25 LDMED, 25 LDMFA, 25 LDMFD, 16, 25, 147 LDP, 22 LDR, 59, 75, 82, 325, 346, 703 LDR.W, 360 LDRB, 467 LDRB.W, 230 LDRSB, 229 LSL, 414, 429 INDEX INDEX LSL.W, 414 LSLS, 326 LSR, 429 MADD, 108 MLA, 107, 108 MOV, 16, 18, 257, 413 MOVK, 705 MOVT, 18, 257 MOVT.W, 19 MOVW, 19 MUL, 110 MULS, 108 MVNS, 230 NEG, 619 ORR, 396 POP, 15–17, 25, 28 PUSH, 17, 25, 28 RET, 22 RSB, 359, 413, 618 SMMUL, 257 STMEA, 25 STMED, 25 STMFA, 25, 61 STMFD, 15, 25 STMIA, 59 STMIB, 61 STP, 20, 57 STR, 59, 325 SUB, 59, 359, 413 SUBEQ, 231 SXTB, 467 SXTW, 364 TEST, 222 TST, 388, 413 VADD, 273 VDIV, 273 VLDR, 273 VMOV, 273, 312 VMOVGT, 312 VMRS, 312 VMUL, 273 Pipeline, 180 Mode switching, 107, 183 Adressing modes, 703 mode switching, 19 Registers APSR, 312 FPSCR, 312 Link Register, 15, 16, 28, 57, 183, 1154 R0, 111, 1154 scratch registers, 229, 1154 X0, 1155 Z, 96, 1154 thumb mode, 4, 148, 182 thumb-2 mode, 4, 182, 312, 314 armel, 274 armhf, 274 Condition codes, 146 D-registers, 273, 1154 Data processing instructions, 257 DCB, 16 hard float, 274 if-then block, 313 Leaf function, 28 Optional operators ASR, 257, 413 LSL, 325, 359, 413, 705 LSR, 257, 413 ROR, 413 RRX, 413 S-registers, 273, 1154 soft float, 274 ASLR, 797 AWK, 759 bash, 112 BASIC POKE, 764 binary grep, 755, 847 BIND.EXE, 803 Bitcoin, 1058 Borland C++Builder, 737 Borland Delphi, 737, 746, 1053 BSoD, 781 BSS, 798 1189 INDEX INDEX C11, 780 Callbacks, 494 Canary, 336 cdecl, 41, 767 COFF, 889 column-major order, 352 Compiler intrinsic, 31, 1055 CRC32, 416, 866 CRT, 791, 820 Cygwin, 737, 743, 805, 845 8080, 229 8086, 229, 395, 904 Memory model, 720, 1071 8253, 1004 80286, 904, 1072 80386, 395, 1072 80486, 263 FPU, 263 Intel C++, 7, 519, 1056, 1073, 1137 Itanium, 1067 DES, 518, 534 dlopen(), 787 dlsym(), 787 DOSBox, 1006 DosBox, 762 double, 264, 775 dtruss, 845 Duff’s device, 599 jumptable, 172, 182 Keil, 14 kernel panic, 781 kernel space, 781 LD_PRELOAD, 787 Linux, 387, 783, 979 libc.so.6, 385, 504 LLVM, 14 long double, 264 Loop unwinding, 197 EICAR, 1000 ELF, 80 Error messages, 750 GCC, 736, 1157, 1161 GDB, 47, 52, 335, 505, 506, 844, 1161 Glibc, 505 Mac OS Classic, 878 MD5, 753, 866 MFC, 801, 959 MIDI, 754 MinGW, 737 minifloat, 706 MIPS, 597, 798, 879 MS-DOS, 339, 716, 754, 762, 764, 796, 904, 1000, 1002, 1021, 1053, 1071, 1124, 1138, 1145, 1146 DOS extenders, 1072 MSVC, 1158, 1161 Hex-Rays, 867 Hiew, 93, 142, 745, 799, 800, 805, 1054 Name mangling, 622 NEC V20, 1005 IDA, 86, 590, 749, 1037, 1159 var_?, 59, 75 IEEE 754, 263, 488, 544, 1124 Inline code, 204, 396, 580, 630, 676 Intel objdump, 786, 805 OEP, 796, 804 opaque predicate, 700 OpenMP, 740, 1058 OpenWatcom, 737, 771 fastcall, 11, 64, 385, 769 float, 264, 775 FORTRAN, 352, 364, 576, 737 Function epilogue, 23, 57, 59, 147, 467, 759 Function prologue, 8, 23, 28, 58, 336, 759 Fused multiply–add, 107, 108 1190 INDEX INDEX Page (memory), 529 Pascal, 746 PDP-11, 703 PowerPC, 878 puts() instead of printf(), 18, 73, 112, 144 Raspberry Pi, 14 ReactOS, 817 Register allocation, 534 Relocation, 19 row-major order, 351 RVA, 797 SAP, 735, 972 SCO OpenServer, 889 Scratch space, 773 Security cookie, 336, 826 SHA1, 866 SHA512, 1058 Shadow space, 104, 105, 546 Shellcode, 699, 781, 797, 1001, 1150 Signed numbers, 134, 727 SIMD, 544, 589 SSE, 544 SSE2, 544 stdcall, 767, 1053 strace, 787, 845 syscall, 385, 781, 845 UTF-8, 746 VA, 796 Watcom, 737 Windows, 839 API, 1124 IAT, 797 INT, 797 KERNEL32.DLL, 384 MSVCR80.DLL, 497 NTAPI, 849 ntoskrnl.exe, 979 PDB, 735, 799, 849, 858, 972 Structured Exception Handling, 33, 805 TIB, 339, 805, 1129 Win32, 383, 748, 786, 796, 1072 GetProcAddress, 804 LoadLibrary, 804 Ordinal, 801 RaiseException(), 805 SetUnhandledExceptionFilter(), 809 Windows 2000, 798 Windows 3.x, 709, 1072 Windows NT4, 798 Windows Vista, 796, 849 Windows XP, 798, 804, 858 Wine, 817 Wolfram Mathematica, 260, 261, 869 TCP/IP, 730 thiscall, 621, 624, 771 thunk-functions, 20, 803, 879, 892 x86 TLS, 339, 780, 798, 804, 1129 Flags Callbacks, 804 CF, 1134, 1135, 1139, 1142, 1146, tracer, 200, 501, 503, 743, 756, 761, 820, 1148 833, 844, 976, 986, 992, 993, DF, 1142, 1148 996, 1054, 1118 IF, 1142, 1148 Instructions Unicode, 746 AAA, 1152 Unrolled loop, 204, 341, 586 AAS, 1152 uptime, 787 ADC, 511, 716, 1134 USB, 881 ADD, 6, 41, 100, 612, 716, 1135 user space, 781 ADDSD, 545 UTF-16LE, 746, 748 ADDSS, 557 1191 INDEX INDEX ADRcc, 152 AND, 8, 384, 390, 401, 430, 474, 1135, 1141 BSF, 531, 1094, 1141 BSR, 1141 BSWAP, 731, 1141 BT, 1141 BTC, 1141 BTR, 840, 1141 BTS, 1141 CALL, 6, 26, 592, 802, 1135 CBW, 728, 1141 CDQ, 516, 728, 1141 CDQE, 728, 1141 CLD, 1142 CLI, 1142 CMC, 1142 CMOVcc, 148, 152, 154, 733, 1142 CMP, 85, 1135, 1152 CMPSB, 754, 1142 CMPSD, 1142 CMPSQ, 1142 CMPSW, 1142 COMISD, 555 COMISS, 557 CPUID, 471, 1145 CWD, 716, 728, 1017, 1141 CWDE, 728, 1141 DEC, 223, 1135, 1152 DIV, 728, 1145 DIVSD, 545, 758 FABS, 1148 FADD, 1148 FADDP, 266, 272, 1148 FATRET, 411, 412 FCHS, 1148 FCMOVcc, 307 FCOM, 293, 304, 1148 FCOMP, 281, 1148 FCOMPP, 1148 FDIV, 265, 756, 757, 1149 FDIVP, 265, 1149 FDIVR, 272, 1149 1192 FDIVRP, 1149 FILD, 1149 FIST, 1149 FISTP, 1149 FLD, 277, 281, 1149 FLD1, 1149 FLDCW, 1149 FLDZ, 1149 FMUL, 266, 1149 FMULP, 1149 FNSTCW, 1149 FNSTSW, 281, 305, 1149 FSINCOS, 1149 FSQRT, 1149 FST, 1150 FSTCW, 1149 FSTP, 277, 1150 FSTSW, 1149 FSUB, 1150 FSUBP, 1150 FSUBR, 1150 FSUBRP, 1150 FUCOM, 304, 1150 FUCOMI, 307 FUCOMP, 1150 FUCOMPP, 304, 1150 FWAIT, 263 FXCH, 1150 IDIV, 255, 728, 1145 IMUL, 100, 362, 728, 1135, 1152 IN, 592, 904, 1004, 1146 INC, 223, 1054, 1135, 1152 INT, 1001, 1145 INT3, 743 IRET, 1145, 1146 JA, 134, 306, 727, 1135, 1152 JAE, 134, 1135, 1152 JB, 134, 727, 1135, 1152 JBE, 134, 1135, 1152 JC, 1135 Jcc, 97 JCXZ, 1135 JE, 158, 1135, 1152 INDEX INDEX JECXZ, 1135 JG, 134, 727, 1135 JGE, 133, 1135 JL, 134, 727, 1135 JLE, 133, 1135 JMP, 26, 57, 803, 1053, 1135 JNA, 1135 JNAE, 1135 JNB, 1135 JNBE, 305, 1135 JNC, 1135 JNE, 85, 86, 133, 1135, 1152 JNG, 1135 JNGE, 1135 JNL, 1135 JNLE, 1135 JNO, 1135, 1152 JNS, 1135, 1152 JNZ, 1135 JO, 1135, 1152 JP, 282, 1005, 1135, 1152 JPO, 1135 JRCXZ, 1135 JS, 1135, 1152 JZ, 96, 158, 1056, 1135 LAHF, 1136 LEA, 68, 103, 421, 449, 561, 612, 774, 853, 1136 LEAVE, 8, 1136 LES, 911, 1016 LOCK, 839 LODSB, 1005 LOOP, 194, 215, 759, 1016, 1146 MAXSD, 555 MOV, 7, 10, 585, 592, 800, 1054, 1138 MOVDQA, 523 MOVDQU, 523 MOVSB, 1137 MOVSD, 553, 587, 936, 1137 MOVSDX, 553 MOVSQ, 1137 MOVSS, 557 1193 MOVSW, 1137 MOVSX, 221, 229, 465, 467, 728, 1138 MOVSXD, 344 MOVZX, 222, 446, 879, 1138 MUL, 728, 1138 MULSD, 545 NEG, 617, 1138 NOP, 421, 1050, 1053, 1138 NOT, 228, 230, 943, 1138 OR, 235, 390, 1138 OUT, 592, 904, 1146 PADDD, 523 PCMPEQB, 530 PLMULHW, 519 PLMULLD, 519 PMOVMSKB, 531 POP, 7, 25, 27, 1138, 1152 POPA, 1146, 1152 POPCNT, 1146 POPF, 1004, 1146 PUSH, 6, 8, 25, 26, 68, 592, 1138, 1152 PUSHA, 1146, 1152 PUSHF, 1146 PXOR, 530 RCL, 759, 1146 RCR, 1146 RET, 7, 27, 336, 624, 711, 1053, 1138 ROL, 412, 1055, 1147 ROR, 1055, 1147 SAHF, 304, 1139 SAL, 1147 SALC, 1005 SAR, 429, 728, 1016, 1147 SBB, 511, 1139 SCASB, 1005, 1139 SCASD, 1139 SCASQ, 1139 SCASW, 1139 SETALC, 1005 SETcc, 223, 305, 1148 INDEX INDEX SHL, 248, 321, 429, 1140 SSE, 518 SHR, 253, 429, 474, 1140 SSE2, 518 SHRD, 515, 1140 x86-64, 11, 50, 67, 73, 94, 102, 533, 544, STC, 1148 594, 771, 786, 1125, 1132 STD, 1148 Xcode, 14 STI, 1148 Z3, 866, 872 STOSB, 602, 1140 STOSD, 1140 STOSQ, 1140 STOSW, 1140 SUB, 7, 8, 85, 158, 612, 1135, 1141 SYSCALL, 1145, 1148 SYSENTER, 782, 1145, 1148 TEST, 221, 384, 388, 430, 1141 UD2, 1148 XADD, 841 XCHG, 1138, 1141 XOR, 7, 85, 228, 759, 896, 1054, 1141, 1152 Prefixes LOCK, 840, 1134 REP, 1134, 1137, 1140 REPE/REPNE, 1134 REPNE, 1139 Registers Flags, 85, 136, 1129 AH, 1136, 1139 CS, 1071 DR6, 1132 DR7, 1133 DS, 1071 EAX, 85, 111 EBP, 68, 100 ECX, 621 ES, 1016, 1071 ESP, 41, 68 JMP, 178 RIP, 786 SS, 1071 ZF, 86, 384 AVX, 518 FPU, 1130 MMX, 518 1194 BIBLIOGRAPHY Bibliography [al12] Nick Montfort et al 10 PRINT CHR$(205.5+RND(1)); : GOTO 10 Also available as http://trope-tank.mit.edu/10_PRINT_121114 pdf The MIT Press, 2012 [AMD13a] AMD AMD64 Architecture Programmer’s Manual Also available as http: //developer.amd.com/resources/documentation-articles/ developer-guides-manuals/ 2013 [AMD13b] AMD Software Optimization Guide for AMD Family 16h Processors Also available as http://yurichev.com/mirrors/AMD/SOG_16h_ 52128_PUB_Rev1_1.pdf 2013 [App10] Apple iOS ABI Function Call Guide Also available as http://developer apple.com/library/ios/documentation/Xcode/Conceptual/ iPhoneOSABIReference/iPhoneOSABIReference.pdf 2010 [ARM12] ARM ARM® Architecture Reference Manual, ARMv7-A and ARMv7-R edition 2012 [ARM13a] ARM ARM Architecture Reference Manual, ARMv8, for ARMv8-A architecture profile 2013 [ARM13b] ARM ELF for the ARM 64-bit Architecture (AArch64) Also available as http://infocenter.arm.com/help/topic/com.arm.doc ihi0056b/IHI0056B_aaelf64.pdf 2013 [ARM13c] ARM Procedure Call Standard for the ARM 64-bit Architecture (AArch64) Also available as http://infocenter.arm.com/help/topic/ com.arm.doc.ihi0055b/IHI0055B_aapcs64.pdf 2013 [Bro] Ralf Brown The x86 Interrupt List Also available as http://www cs.cmu.edu/~ralf/files.html [Bur] Mike Burrell “Writing Effcient Itanium Assembly Code” In: () Also available as http://yurichev.com/mirrors/RE/itanium pdf [Cli] Marshall Cline C++ FAQ Also available as http://www.parashift com/c++-faq-lite/index.html 1195 BIBLIOGRAPHY BIBLIOGRAPHY [Cor+09] Thomas H Cormen et al Introduction to Algorithms, Third Edition 3rd The MIT Press, 2009 ISBN: 0262033844, 9780262033848 [Dij68] Edsger W Dijkstra “Letters to the editor: go to statement considered harmful” In: Commun ACM 11.3 (Mar 1968), pp 147–148 ISSN: 00010782 DOI: 10.1145/362929.362947 URL: http://doi.acm org/10.1145/362929.362947 [Dol13] Stephen Dolan “mov is Turing-complete” In: (2013) Also available as http://www.cl.cam.ac.uk/~sd601/papers/mov.pdf [Fog13a] Agner Fog Optimizing software in C++: An optimization guide for Windows, Linux and Mac platforms http://agner.org/optimize/ optimizing_cpp.pdf 2013 [Fog13b] Agner Fog The microarchitecture of Intel, AMD and VIA CPUs / An optimization guide for assembly programmers and compiler makers http: //agner.org/optimize/microarchitecture.pdf 2013 [Fog14] Agner Fog Calling conventions http://www.agner.org/optimize/ calling_conventions.pdf 2014 [IBM00] IBM PowerPC(tm) Microprocessor Family: The Programming Environments for 32-Bit Microprocessors Also available as http : / / yurichev com/mirrors/PowerPC/6xx_pem.pdf 2000 [Int13] Intel Intel® 64 and IA-32 Architectures Software Developer’s Manual Combined Volumes:1, 2A, 2B, 2C, 3A, 3B, and 3C Also available as http: / / www intel com / content / dam / www / public / us / en / documents/manuals/64-ia-32-architectures-softwaredeveloper-manual-325462.pdf 2013 [ISO07] ISO ISO/IEC 9899:TC3 (C C99 standard) Also available as http : / / www.open- std.org/jtc1/sc22/WG14/www/docs/n1256 pdf 2007 [ISO13] ISO ISO/IEC 14882:2011 (C++ 11 standard) Also available as http : / / www open - std org / jtc1 / sc22 / wg21 / docs / papers / 2013/n3690.pdf 2013 [Ker88] Brian W Kernighan The C Programming Language Ed by Dennis M Ritchie 2nd Prentice Hall Professional Technical Reference, 1988 ISBN: 0131103709 [Knu74] Donald E Knuth “Structured Programming with go to Statements” In: ACM Comput Surv 6.4 (Dec 1974) Also available as http : / / yurichev.com/mirrors/KnuthStructuredProgrammingGoTo pdf, pp 261–301 ISSN: 0360-0300 DOI: 10.1145/356635.356640 URL: http://doi.acm.org/10.1145/356635.356640 1196 BIBLIOGRAPHY BIBLIOGRAPHY [Knu98] Donald E Knuth The Art of Computer Programming Volumes 1-3 Boxed Set 2nd Boston, MA, USA: Addison-Wesley Longman Publishing Co., Inc., 1998 ISBN: 0201485419 [Loh10] Eugene Loh “The Ideal HPC Programming Language” In: Queue 8.6 (June 2010), 30:30–30:38 ISSN: 1542-7730 DOI: 10.1145/1810226 1820518 URL: http:/ /doi.acm org / 10 1145/ 1810226 1820518 [Ltd94] Advanced RISC Machines Ltd The ARM Cookbook Also available as http://yurichev.com/ref/ARM%20Cookbook%20(1994) 1994 [Mit13] Michael Matz / Jan Hubicka / Andreas Jaeger / Mark Mitchell System V Application Binary Interface AMD64 Architecture Processor Supplement Also available as http://x86-64.org/documentation/abi pdf 2013 [One96] Aleph One “Smashing The Stack For Fun And Profit” In: Phrack (1996) Also available as http://yurichev.com/mirrors/phrack/ p49-0x0e.txt [Pie] Matt Pietrek “A Crash Course on the Depths of Win32™ Structured Exception Handling” In: MSDN magazine () URL: http://www.microsoft com/msj/0197/Exception/Exception.aspx [Pie02] Matt Pietrek “An In-Depth Look into the Win32 Portable Executable File Format” In: MSDN magazine (2002) URL: http://msdn.microsoft com/en-us/magazine/bb985992.aspx [RA09] Mark E Russinovich and David A Solomon with Alex Ionescu Windows® Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition 2009 [Ray03] Eric S Raymond The Art of UNIX Programming Also available as http: //catb.org/esr/writings/taoup/html/ Pearson Education, 2003 ISBN: 0131429019 [Rit79] Dennis M Ritchie “The Evolution of the Unix Time-sharing System” In: (1979) [Rit86] Dennis M Ritchie Where did ++ come from? (net.lang.c) http : / / yurichev com / mirrors / C / c _ dmr _ postincrement txt [Online; accessed 2013] 1986 [Rit93] Dennis M Ritchie “The development of the C language” In: SIGPLAN Not 28.3 (Mar 1993) Also available as http://yurichev.com/ mirrors/C/dmr- The%20Development%20of%20the%20C% 20Language-1993.pdf, pp 201–208 ISSN: 0362-1340 DOI: 10 1145/155360.155580 URL: http://doi.acm.org/10.1145/ 155360.155580 1197 BIBLIOGRAPHY BIBLIOGRAPHY [RT74] D M Ritchie and K Thompson “The UNIX Time Sharing System” In: (1974) Also available as http://dl.acm.org/citation.cfm? id=361061 [Sch94] Bruce Schneier Applied Cryptography: Protocols, Algorithms, and Source Code in C 1994 [SK95] SunSoft Steve Zucker and IBM Kari Karhi SYSTEM V APPLICATION BINARY INTERFACE: PowerPC Processor Supplement Also available as http: / / yurichev com / mirrors / PowerPC / elfspec _ ppc pdf 1995 [Sko12] Igor Skochinsky Compiler Internals: Exceptions and RTTI Also available as http://yurichev.com/mirrors/RE/Recon- 2012Skochinsky-Compiler-Internals.pdf 2012 [Str13] Bjarne Stroustrup The C++ Programming Language, 4th Edition 2013 [War02] Henry S Warren Hacker’s Delight Boston, MA, USA: Addison-Wesley Longman Publishing Co., Inc., 2002 ISBN: 0201914654 [Yur12] Dennis Yurichev “Finding unknown algorithm using only input/output pairs and Z3 SMT solver” In: (2012) Also available as http:// yurichev.com/writings/z3_rockey.pdf [Yur13] Dennis Yurichev C/C++ programming language notes Also available as http://yurichev.com/writings/C-notes-en.pdf 2013 1198