Reverse engineering for beginners en

Reverse Engineering for Beginners Dennis Yurichev Reverse Engineering for Beginners Dennis Yurichev c bnd ©2013-2015, Dennis Yurichev This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/ Text version (November 25, 2015) The latest version (and Russian edition) of this text accessible at beginners.re An e-book reader version is also available There is also a LITE-version (introductory short version), intended for those who want a very quick introduction to the basics of reverse engineering: beginners.re You can also follow me on twitter to get information about updates of this text: @yurichev1 or to subscribe to the mailing list2 The cover was made by Andy Nechaevsky: facebook twitter.com/yurichev yurichev.com i ABRIDGED CONTENTS ABRIDGED CONTENTS Abridged contents I Code patterns II Important fundamentals 430 III Slightly more advanced examples 439 IV Java 586 V Finding important/interesting stuff in the code 624 VI OS-specific 647 VII Tools 701 VIII Examples of real-world RE tasks 707 IX Examples of reversing proprietary file formats 822 X Other things 853 XI Books/blogs worth reading 871 Afterword 876 Appendix 878 Acronyms used 908 Reverse Engineering ii CONTENTS CONTENTS Contents I Code patterns 1 A short introduction to the CPU 1.1 A couple of words about different ISA4 s 3 The simplest Function 2.1 x86 2.2 ARM 2.3 MIPS 2.3.1 A note about MIPS instruction/register names 5 6 Hello, world! 3.1 x86 3.1.1 MSVC 3.1.2 GCC 3.1.3 GCC: AT&T syntax 3.2 x86-64 3.2.1 MSVC—x86-64 3.2.2 GCC—x86-64 3.3 GCC—one more thing 3.4 ARM 3.4.1 Non-optimizing Keil 6/2013 (ARM mode) 3.4.2 Non-optimizing Keil 6/2013 (Thumb mode) 3.4.3 Optimizing Xcode 4.6.3 (LLVM) (ARM mode) 3.4.4 Optimizing Xcode 4.6.3 (LLVM) (Thumb-2 mode) 3.4.5 ARM64 3.5 MIPS 3.5.1 A word about the “global pointer” 3.5.2 Optimizing GCC 3.5.3 Non-optimizing GCC 3.5.4 Role of the stack frame in this example 3.5.5 Optimizing GCC: load it into GDB 3.6 Conclusion 3.7 Exercises 7 10 10 11 12 12 13 14 14 15 17 18 18 18 20 21 21 22 22 Function prologue and epilogue 23 4.1 Recursion 23 Stack 5.1 Why does the stack grow backwards? 5.2 What is the stack used for? 5.2.1 Save the function’s return address 5.2.2 Passing function arguments 5.2.3 Local variable storage 5.2.4 x86: alloca() function 5.2.5 (Windows) SEH 5.2.6 Buffer overflow protection 5.2.7 Automatic deallocation of data in stack 5.3 A typical stack layout 5.4 Noise in stack Instruction Set Architecture iii 24 24 25 25 26 27 27 29 29 29 29 29 CONTENTS CONTENTS 5.4.1 MSVC 2013 33 5.5 Exercises 34 printf() with several arguments 6.1 x86 6.1.1 x86: arguments 6.1.2 x64: arguments 6.2 ARM 6.2.1 ARM: arguments 6.2.2 ARM: arguments 6.3 MIPS 6.3.1 arguments 6.3.2 arguments 6.4 Conclusion 6.5 By the way 35 35 35 43 46 46 47 51 51 53 57 58 scanf() 7.1 Simple example 7.1.1 About pointers 7.1.2 x86 7.1.3 MSVC + OllyDbg 7.1.4 x64 7.1.5 ARM 7.1.6 MIPS 7.2 Global variables 7.2.1 MSVC: x86 7.2.2 MSVC: x86 + OllyDbg 7.2.3 GCC: x86 7.2.4 MSVC: x64 7.2.5 ARM: Optimizing Keil 6/2013 (Thumb mode) 7.2.6 ARM64 7.2.7 MIPS 7.3 scanf() result checking 7.3.1 MSVC: x86 7.3.2 MSVC: x86: IDA 7.3.3 MSVC: x86 + OllyDbg 7.3.4 MSVC: x86 + Hiew 7.3.5 MSVC: x64 7.3.6 ARM 7.3.7 MIPS 7.3.8 Exercise 7.4 Exercise 59 59 59 60 62 65 66 67 68 68 70 71 71 72 73 73 77 77 78 82 84 85 86 87 88 88 Accessing passed arguments 8.1 x86 8.1.1 MSVC 8.1.2 MSVC + OllyDbg 8.1.3 GCC 8.2 x64 8.2.1 MSVC 8.2.2 GCC 8.2.3 GCC: uint64_t instead of int 8.3 ARM 8.3.1 Non-optimizing Keil 6/2013 (ARM mode) 8.3.2 Optimizing Keil 6/2013 (ARM mode) 8.3.3 Optimizing Keil 6/2013 (Thumb mode) 8.3.4 ARM64 8.4 MIPS 89 89 89 90 90 91 91 92 93 94 94 95 95 95 97 More about results returning 9.1 Attempt to use the result of a function returning void 9.2 What if we not use the function result? 9.3 Returning a structure 98 98 99 99 iv CONTENTS CONTENTS 10 Pointers 10.1 Global variables example 10.2 Local variables example 10.3 Conclusion 101 101 107 110 11 GOTO operator 111 11.1 Dead code 113 11.2 Exercise 114 12 Conditional jumps 12.1 Simple example 12.1.1 x86 12.1.2 ARM 12.1.3 MIPS 12.2 Calculating absolute value 12.2.1 Optimizing MSVC 12.2.2 Optimizing Keil 6/2013: Thumb mode 12.2.3 Optimizing Keil 6/2013: ARM mode 12.2.4 Non-optimizing GCC 4.9 (ARM64) 12.2.5 MIPS 12.2.6 Branchless version? 12.3 Ternary conditional operator 12.3.1 x86 12.3.2 ARM 12.3.3 ARM64 12.3.4 MIPS 12.3.5 Let’s rewrite it in an if/else way 12.3.6 Conclusion 12.4 Getting minimal and maximal values 12.4.1 32-bit 12.4.2 64-bit 12.4.3 MIPS 12.5 Conclusion 12.5.1 x86 12.5.2 ARM 12.5.3 MIPS 12.5.4 Branchless 12.6 Exercise 115 115 115 126 129 132 132 132 132 133 133 133 133 134 135 135 136 136 136 137 137 139 141 141 141 141 142 142 142 13 switch()/case/default 13.1 Small number of cases 13.1.1 x86 13.1.2 ARM: Optimizing Keil 6/2013 (ARM mode) 13.1.3 ARM: Optimizing Keil 6/2013 (Thumb mode) 13.1.4 ARM64: Non-optimizing GCC (Linaro) 4.9 13.1.5 ARM64: Optimizing GCC (Linaro) 4.9 13.1.6 MIPS 13.1.7 Conclusion 13.2 A lot of cases 13.2.1 x86 13.2.2 ARM: Optimizing Keil 6/2013 (ARM mode) 13.2.3 ARM: Optimizing Keil 6/2013 (Thumb mode) 13.2.4 MIPS 13.2.5 Conclusion 13.3 When there are several case statements in one block 13.3.1 MSVC 13.3.2 GCC 13.3.3 ARM64: Optimizing GCC 4.9.1 13.4 Fall-through 13.4.1 MSVC x86 13.4.2 ARM64 13.5 Exercises 13.5.1 Exercise #1 143 143 143 153 153 154 155 155 156 156 156 163 164 166 167 168 168 169 170 171 172 173 173 173 v CONTENTS CONTENTS 14 Loops 14.1 Simple example 14.1.1 x86 14.1.2 x86: OllyDbg 14.1.3 x86: tracer 14.1.4 ARM 14.1.5 MIPS 14.1.6 One more thing 14.2 Memory blocks copying routine 14.2.1 Straight-forward implementation 14.2.2 ARM in ARM mode 14.2.3 MIPS 14.2.4 Vectorization 14.3 Conclusion 14.4 Exercises 174 174 174 178 178 180 183 184 184 184 185 186 186 187 188 15 Simple C-strings processing 15.1 strlen() 15.1.1 x86 15.1.2 ARM 15.1.3 MIPS 189 189 189 196 199 16 Replacing arithmetic instructions to other ones 16.1 Multiplication 16.1.1 Multiplication using addition 16.1.2 Multiplication using shifting 16.1.3 Multiplication using shifting, subtracting, and adding 16.2 Division 16.2.1 Division using shifts 16.3 Exercise 200 200 200 200 201 205 205 205 17 Floating-point unit 17.1 IEEE 754 17.2 x86 17.3 ARM, MIPS, x86/x64 SIMD 17.4 C/C++ 17.5 Simple example 17.5.1 x86 17.5.2 ARM: Optimizing Xcode 4.6.3 (LLVM) (ARM mode) 17.5.3 ARM: Optimizing Keil 6/2013 (Thumb mode) 17.5.4 ARM64: Optimizing GCC (Linaro) 4.9 17.5.5 ARM64: Non-optimizing GCC (Linaro) 4.9 17.5.6 MIPS 17.6 Passing floating point numbers via arguments 17.6.1 x86 17.6.2 ARM + Non-optimizing Xcode 4.6.3 (LLVM) (Thumb-2 mode) 17.6.3 ARM + Non-optimizing Keil 6/2013 (ARM mode) 17.6.4 ARM64 + Optimizing GCC (Linaro) 4.9 17.6.5 MIPS 17.7 Comparison example 17.7.1 x86 17.7.2 ARM 17.7.3 ARM64 17.7.4 MIPS 17.8 Stack, calculators and reverse Polish notation 17.9 x64 17.10Exercises 206 206 206 206 206 207 207 214 215 215 216 217 217 218 218 219 219 220 221 221 248 251 253 253 253 253 18 Arrays 18.1 Simple example 18.1.1 x86 18.1.2 ARM 18.1.3 MIPS 18.2 Buffer overflow 18.2.1 Reading outside array bounds 254 254 254 257 260 261 261 vi CONTENTS CONTENTS 264 269 270 272 272 273 274 275 276 276 279 279 280 282 285 285 287 287 288 288 289 289 19 Manipulating specific bit(s) 19.1 Specific bit checking 19.1.1 x86 19.1.2 ARM 19.2 Setting and clearing specific bits 19.2.1 x86 19.2.2 ARM + Optimizing Keil 6/2013 (ARM mode) 19.2.3 ARM + Optimizing Keil 6/2013 (Thumb mode) 19.2.4 ARM + Optimizing Xcode 4.6.3 (LLVM) (ARM mode) 19.2.5 ARM: more about the BIC instruction 19.2.6 ARM64: Optimizing GCC (Linaro) 4.9 19.2.7 ARM64: Non-optimizing GCC (Linaro) 4.9 19.2.8 MIPS 19.3 Shifts 19.4 Setting and clearing specific bits: FPU5 example 19.4.1 A word about the XOR operation 19.4.2 x86 19.4.3 MIPS 19.4.4 ARM 19.5 Counting bits set to 19.5.1 x86 19.5.2 x64 19.5.3 ARM + Optimizing Xcode 4.6.3 (LLVM) (ARM mode) 19.5.4 ARM + Optimizing Xcode 4.6.3 (LLVM) (Thumb-2 mode) 19.5.5 ARM64 + Optimizing GCC 4.9 19.5.6 ARM64 + Non-optimizing GCC 4.9 19.5.7 MIPS 19.6 Conclusion 19.6.1 Check for specific bit (known at compile stage) 19.6.2 Check for specific bit (specified at runtime) 19.6.3 Set specific bit (known at compile stage) 19.6.4 Set specific bit (specified at runtime) 19.6.5 Clear specific bit (known at compile stage) 19.6.6 Clear specific bit (specified at runtime) 19.7 Exercises 290 290 290 292 293 294 299 300 300 300 300 301 301 301 301 302 302 304 304 306 307 315 317 318 318 318 319 321 321 321 322 322 322 323 323 18.3 18.4 18.5 18.6 18.7 18.8 18.9 18.2.2 Writing beyond array bounds Buffer overflow protection methods 18.3.1 Optimizing Xcode 4.6.3 (LLVM) (Thumb-2 mode) One more word about arrays Array of pointers to strings 18.5.1 x64 18.5.2 32-bit ARM 18.5.3 ARM64 18.5.4 MIPS 18.5.5 Array overflow Multidimensional arrays 18.6.1 Two-dimensional array example 18.6.2 Access two-dimensional array as one-dimensional 18.6.3 Three-dimensional array example 18.6.4 More examples Pack of strings as a two-dimensional array 18.7.1 32-bit ARM 18.7.2 ARM64 18.7.3 MIPS 18.7.4 Conclusion Conclusion Exercises 20 Linear congruential generator 324 20.1 x86 324 20.2 x64 325 20.3 32-bit ARM 326 Floating-point unit vii CONTENTS CONTENTS 20.4 MIPS 326 20.4.1 MIPS relocations 327 20.5 Thread-safe version of the example 328 21 Structures 21.1 MSVC: SYSTEMTIME example 21.1.1 OllyDbg 21.1.2 Replacing the structure with array 21.2 Let’s allocate space for a structure using malloc() 21.3 UNIX: struct tm 21.3.1 Linux 21.3.2 ARM 21.3.3 MIPS 21.3.4 Structure as a set of values 21.3.5 Structure as an array of 32-bit words 21.3.6 Structure as an array of bytes 21.4 Fields packing in structure 21.4.1 x86 21.4.2 ARM 21.4.3 MIPS 21.4.4 One more word 21.5 Nested structures 21.5.1 OllyDbg 21.6 Bit fields in a structure 21.6.1 CPUID example 21.6.2 Working with the float type as with a structure 21.7 Exercises 329 329 331 331 332 334 334 337 338 340 341 342 344 344 348 349 350 350 352 352 352 356 359 22 Unions 22.1 Pseudo-random number generator example 22.1.1 x86 22.1.2 MIPS 22.1.3 ARM (ARM mode) 22.2 Calculating machine epsilon 22.2.1 x86 22.2.2 ARM64 22.2.3 MIPS 22.2.4 Conclusion 22.3 Fast square root calculation 360 360 361 362 363 364 365 365 366 366 366 23 Pointers to functions 23.1 MSVC 23.1.1 MSVC + OllyDbg 23.1.2 MSVC + tracer 23.1.3 MSVC + tracer (code coverage) 23.2 GCC 23.2.1 GCC + GDB (with source code) 23.2.2 GCC + GDB (no source code) 368 369 371 373 375 375 376 377 24 64-bit values in 32-bit environment 24.1 Returning of 64-bit value 24.1.1 x86 24.1.2 ARM 24.1.3 MIPS 24.2 Arguments passing, addition, subtraction 24.2.1 x86 24.2.2 ARM 24.2.3 MIPS 24.3 Multiplication, division 24.3.1 x86 24.3.2 ARM 24.3.3 MIPS 24.4 Shifting right 24.4.1 x86 24.4.2 ARM 380 380 380 380 381 381 381 382 383 384 384 386 387 388 388 388 viii CONTENTS CONTENTS 24.4.3 MIPS 24.5 Converting 32-bit value into 64-bit one 24.5.1 x86 24.5.2 ARM 24.5.3 MIPS 389 389 389 389 390 391 391 392 397 401 26 64 bits 26.1 x86-64 26.2 ARM 26.3 Float point numbers 404 404 410 411 27 Working with floating point numbers using SIMD 27.1 Simple example 27.1.1 x64 27.1.2 x86 27.2 Passing floating point number via arguments 27.3 Comparison example 27.3.1 x64 27.3.2 x86 27.4 Calculating machine epsilon: x64 and SIMD 27.5 Pseudo-random number generator example revisited 27.6 Summary 412 412 412 413 420 421 421 422 422 423 423 28 ARM-specific details 28.1 Number sign (#) before number 28.2 Addressing modes 28.3 Loading a constant into a register 28.3.1 32-bit ARM 28.3.2 ARM64 28.4 Relocs in ARM64 425 425 425 426 426 426 427 25 SIMD 25.1 Vectorization 25.1.1 Addition example 25.1.2 Memory copy example 25.2 SIMD strlen() implementation 29 MIPS-specific details 429 29.1 Loading constants into register 429 29.2 Further reading about MIPS 429 II Important fundamentals 430 30 Signed number representations 31 Endianness 31.1 Big-endian 31.2 Little-endian 31.3 Example 31.4 Bi-endian 31.5 Converting data 432 32 Memory 434 434 434 434 435 435 436 33 CPU 437 33.1 Branch predictors 437 33.2 Data dependencies 437 34 Hash functions 438 34.1 How one-way function works? 438 III Slightly more advanced examples 439 35 Temperature converting 440 ix Acronyms used 907 APPENDIX F CHEATSHEETS APPENDIX F CHEATSHEETS OS Operating System xix OOP Object-Oriented Programming 523 PL Programming language PRNG Pseudorandom number generator xii ROM Read-only memory 72 ALU Arithmetic logic unit 19 RA Return Address 16 PE Portable Executable: 68.2 on page 671 671 SP stack pointer SP/ESP/RSP in x86/x64 SP in ARM 13 DLL Dynamic-link library 671 PC Program Counter IP/EIP/RIP in x86/64 PC in ARM 13 LR Link Register IDA Interactive Disassembler and debugger developed by Hex-Rays IAT Import Address Table 672 INT Import Name Table 672 RVA Relative Virtual Address 671 VA Virtual Address 671 OEP Original Entry Point 660 MSVC Microsoft Visual C++ MSVS Microsoft Visual Studio 892 ASLR Address Space Layout Randomization 672 MFC Microsoft Foundation Classes 674 TLS Thread Local Storage xviii AKA Also Known As CRT C runtime library : 68.1 on page 668 CPU Central processing unit xix 908 APPENDIX F CHEATSHEETS APPENDIX F CHEATSHEETS FPU Floating-point unit vii CISC Complex instruction set computing 13 RISC Reduced instruction set computing GUI Graphical user interface 668 RTTI Run-time type information 537 BSS Block Started by Symbol 18 SIMD Single instruction, multiple data 184 BSOD Black Screen of Death 661 DBMS Database management systems xviii ISA Instruction Set Architecture iii HPC High-Performance Computing 493 SEH Structured Exception Handling : 68.3 on page 677 29 ELF Executable file format widely used in *NIX systems including Linux xviii TIB Thread Information Block 270 PIC Position Independent Code: 67.1 on page 663 xviii NAN Not a Number 884 NOP No OPeration 20 BEQ (PowerPC, ARM) Branch if Equal 86 BNE (PowerPC, ARM) Branch if Not Equal 197 BLR (PowerPC) Branch to Link Register 731 XOR eXclusive OR 889 MCU Microcontroller unit 467 RAM Random-access memory 73 EGA Enhanced Graphics Adapter 868 VGA Video Graphics Array 868 API Application programming interface 629 909 APPENDIX F CHEATSHEETS APPENDIX F CHEATSHEETS ASCII American Standard Code for Information Interchange 475 ASCIIZ ASCII Zero (null-terminated ASCII string) 84 IA64 Intel Architecture 64 (Itanium): 93 on page 865 435 EPIC Explicitly parallel instruction computing 865 OOE Out-of-order execution 437 MSB Most significant bit/byte 302 LSB Least significant bit/byte STL (C++) Standard Template Library: 51.4 on page 539 544 PODT (C++) Plain Old Data Type 555 HDD Hard disk drive 566 VM Virtual Memory WRK Windows Research Kernel 642 GPR General Purpose Registers xvi SSDT System Service Dispatch Table 661 RE Reverse Engineering ii BCD Binary-coded decimal 810 BOM Byte order mark 632 GDB GNU debugger 40 FP Frame Pointer 17 MBR Master Boot Record 637 JPE Jump Parity Even (x86 instruction) 226 CIDR Classless Inter-Domain Routing 455 STMFD Store Multiple Full Descending (ARM instruction) LDMFD Load Multiple Full Descending (ARM instruction) STMED Store Multiple Empty Descending (ARM instruction) 24 LDMED Load Multiple Empty Descending (ARM instruction) 24 910 APPENDIX F CHEATSHEETS APPENDIX F CHEATSHEETS STMFA Store Multiple Full Ascending (ARM instruction) 24 LDMFA Load Multiple Full Ascending (ARM instruction) 24 STMEA Store Multiple Empty Ascending (ARM instruction) 24 LDMEA Load Multiple Empty Ascending (ARM instruction) 24 APSR (ARM) Application Program Status Register 249 FPSCR (ARM) Floating-Point Status and Control Register 249 PID Program/process ID 721 LF Line feed (10 or’\n’ in C/C++) 501 CR Carriage return (13 or’\r’ in C/C++) 501 RFC Request for Comments 635 TOS Top Of Stack 588 LVA (Java) Local Variable Array 594 JVM Java virtual machine xii JIT Just-in-time compilation 587 EOF End of file 77 911 Glossary Glossary Glossary real number numbers which may contain a dot this is float and double in C/C++ 205 decrement Decrease by 13, 174, 191, 425, 645, 773, 886, 888, 892 increment Increase by 14, 174, 178, 191, 196, 311, 314, 425, 769, 886 integral data type usual numbers, but not a real ones may be used for passing variables of boolean data type and enumerations 220 product Multiplication result 90, 212, 215, 392, 417, 472 arithmetic mean a sum of all values divided by their count 496 stack pointer A register pointing to a place in the stack 8, 9, 14, 24, 27, 35, 47, 48, 66, 91, 525, 576, 648–651, 881, 887, 897, 908 tail call It is when the compiler (or interpreter) transforms the recursion (with which it is possible: tail recursion) into an iteration for efficiency: wikipedia 451 quotient Division result 205, 208, 210, 211, 215, 416, 469, 497, 725 anti-pattern Generally considered as bad practice 26, 68, 436 atomic operation “ατ oµoς” stands for “indivisible” in Greek, so an atomic operation is guaranteed not to be interrupted by other threads 699, 862 basic block a group of instructions that not have jump/branch instructions, and also don’t have jumps inside the block from the outside In IDA it looks just like as a list of instructions without empty lines 615, 869, 870 callee A function being called by another 23, 26, 39, 59, 77, 89, 91, 93, 145, 404, 436, 525, 576, 648–650, 653, 654, 900 caller A function calling another 5, 6, 8, 39, 77, 89, 90, 92, 99, 145, 404, 440, 525, 648, 650, 651, 654 compiler intrinsic A function specific to a compiler which is not an usual library function The compiler generates a specific machine code instead of a call to it Often, it’s a pseudofunction for a specific CPU instruction Read more: ( 90 on page 857) 892 CP/M Control Program for Microcomputers: a very basic disk OS used before MS-DOS 808 dongle Dongle is a small piece of hardware connected to LPT printer port (in past) or to USB Its function was similar to a security token, it has some memory and, sometimes, a secret (crypto-)hashing algorithm 730 endianness Byte order: 31 on page 434 15, 70, 331, 890 GiB Gibibyte: 230 or 1024 mebibytes or 1073741824 bytes 11 heap usually, a big chunk of memory provided by the OS so that applications can divide it by themselves as they wish malloc()/free() work with the heap 24, 26, 332, 540, 543, 555, 557, 670, 671 jump offset a part of the JMP or Jcc instruction’s opcode, to be added to the address of the next instruction, and this is how the new PC is calculated May be negative as well 85, 124, 886 kernel mode A restrictions-free CPU mode in which the OS kernel and drivers execute cf user mode 913 leaf function A function which does not call any other function 21, 26 link register (RISC) A register where the return address is usually stored This makes it possible to call leaf functions without using the stack, i.e., faster 26, 731, 897, 898 912 Glossary Glossary loop unwinding It is when a compiler, instead of generating loop code for n iterations, generates just n copies of the loop body, in order to get rid of the instructions for loop maintenance 176 name mangling used at least in C++, where the compiler needs to encode the name of class, method and argument types in one string, which will become the internal name of the function You can read more about it here: 51.1.1 on page 523 523, 626, 627 NaN not a number: a special cases for floating point numbers, usually signaling about errors 222, 244, 867 NEON AKA “Advanced SIMD”—SIMD from ARM 898 NOP “no operation”, idle instruction 645 NTAPI API available only in the Windows NT line Largely not documented by Microsoft 709 PDB (Win32) Debugging information file, usually just function names, but sometimes also function arguments and local variables names 625, 673, 709, 710, 717, 721, 790 POKE BASIC language instruction for writing a byte at a specific address 645 register allocator The part of the compiler that assigns CPU registers to local variables 190, 292, 404 reverse engineering act of understanding how the thing works, sometimes in order to clone it iv, 892 security cookie A random value, different at each execution You can read more about it here: 18.3 on page 269 690 stack frame A part of the stack that contains information specific to the current function: local variables, function arguments, RA, etc 60, 90, 448, 690 stdout standard output 15, 27, 145 thunk function Tiny function with a single role: call another function 16, 376, 731, 739 tracer My own simple debugging tool You can read more about it here: 70.3 on page 703 178–180, 630, 639, 643, 686, 695, 791, 798, 802, 804, 856 user mode A restricted CPU mode in which it all application software code is executed cf kernel mode 746, 912 Windows NT Windows NT, 2000, XP, Vista, 7, 278, 402, 575, 633, 661, 672, 699, 811, 892 word data type fitting in GPR In the computers older than PCs, the memory size was often measured in words rather than bytes 546 xoring often used in the English language, which implying applying the XOR operation 690, 742, 744 913 Index NET, 676 AT&T syntax, 10, 29 Buffer Overflow, 261, 690 C language elements Pointers, 59, 66, 101, 368, 404 Post-decrement, 425 Post-increment, 425 Pre-decrement, 425 Pre-increment, 425 C99, 100 bool, 290 restrict, 491 variable length arrays, 272 const, 7, 73 for, 174, 453 if, 115, 144 return, 8, 78, 99 switch, 143, 144, 153 while, 189 C standard library alloca(), 27, 272, 436, 682 assert(), 277, 636 atexit(), 545 atoi(), 475, 780 calloc(), 762 close(), 666 exit(), 440 free(), 436 fseek(), 762 ftell(), 762 getenv(), 781 localtime(), 584 localtime_r(), 340 longjmp(), 145 malloc(), 333, 436 memchr(), 888 memcmp(), 489, 638, 890 memcpy(), 10, 59, 487, 887 memset(), 485, 802, 889 open(), 666 pow(), 217 puts(), 15 qsort(), 368 rand(), 324, 629, 714, 717, 750 read(), 666 realloc(), 436 scanf(), 59 strcmp(), 483, 666 strcpy(), 10, 485, 751 strlen(), 189, 401, 485, 502, 888 time(), 584 tolower(), 768 toupper(), 510 va_arg, 496 va_list, 499 vprintf, 499 Compiler’s anomalies, 137, 217, 287, 300, 317, 463, 507, 858 C++, 793 exceptions, 682 C++11, 555, 656 ostream, 538 References, 539 RTTI, 537 STL, 625 std::forward_list, 555 std::list, 546 std::map, 562 std::set, 562 std::string, 539 std::vector, 555 Garbage collector, 609 grep usage, 180, 250, 625, 639, 643, 791 Hash functions, 438 Intel syntax, 10, 13 Mac OS X, 704 position-independent code, 13, 663 RAM, 72 ROM, 72, 73 Base address, 671 Global variables, 68 Binary tree, 562 Dynamically loaded libraries, 16 Linker, 73, 523 RISC pipeline, 127 Non-a-numbers (NaNs), 244 OOP Polymorphism, 523 Reverse Polish notation, 253 Buffer overflow, 267 Entropy, 825 Recursion, 23, 25, 451 Tail recursion, 451 Stack, 24, 89, 145 Stack overflow, 25 Stack frame, 60 Syntactic Sugar, 144 Thumb-2 mode, 15 iPod/iPhone/iPad, 12 OllyDbg, 37, 62, 70, 90, 102, 118, 159, 178, 192, 209, 223, 234, 256, 263, 266, 279, 280, 309, 331, 347, 348, 352, 355, 371, 674, 703, 904 Oracle RDBMS, 8, 391, 635, 679, 794, 801, 803, 838, 847, 858, 869 Ada, 97 Alpha AXP, AMD, 653 914 INDEX INDEX Angry Birds, 249, 250 ARM, 197, 517, 730, 897 ARM mode, Instructions ADC, 383 ADD, 15, 96, 127, 181, 306, 317, 471, 899 ADDAL, 127 ADDCC, 164 ADDS, 95, 383, 899 ADR, 13, 127 ADRcc, 127, 153, 437 ADRP/ADD pair, 17, 47, 73, 276, 288, 427 ANDcc, 512 ASR, 321 ASRS, 300, 471 B, 47, 127, 128 Bcc, 87, 88, 138 BCS, 128, 251 BEQ, 86, 153 BGE, 128 BIC, 299, 300, 305, 322 BL, 13–17, 127, 428 BLcc, 127 BLE, 128 BLS, 128 BLT, 181 BLX, 15, 16 BNE, 128 BX, 95, 165 CMP, 86, 87, 127, 153, 164, 181, 317, 899 CSEL, 135, 140, 142, 318 EOR, 305 FCMPE, 251 FCSEL, 251 FMOV, 427 FMRS, 306 IT, 142, 249, 272 LDMccFD, 127 LDMEA, 24 LDMED, 24 LDMFA, 24 LDMFD, 14, 24, 127 LDP, 18 LDR, 48, 66, 73, 258, 275, 425 LDR.W, 284 LDRB, 348 LDRB.W, 197 LDRSB, 196 LSL, 318, 321 LSL.W, 318 LSLR, 512 LSLS, 258, 305, 512 LSR, 321 LSRS, 305 MADD, 95 MLA, 94, 95 MOV, 5, 14, 15, 317, 470 MOVcc, 138, 142 MOVK, 426 MOVT, 15, 470 MOVT.W, 16 MOVW, 16 MUL, 96 MULS, 95 MVNS, 197 NEG, 480 ORR, 299 POP, 13, 14, 24, 26 PUSH, 14, 24, 26 RET, 18 RSB, 132, 284, 317, 480 SBC, 383 SMMUL, 471 STMEA, 24 STMED, 24 STMFA, 24, 50 STMFD, 13, 24 STMIA, 48 STMIB, 50 STP, 17, 47 STR, 48, 258 SUB, 48, 284, 317 SUBcc, 512 SUBEQ, 198 SUBS, 383 SXTB, 349 SXTW, 288 TEST, 190 TST, 293, 317, 318 VADD, 214 VDIV, 214 VLDR, 214 VMOV, 214, 249 VMOVGT, 249 VMRS, 249 VMUL, 214 XOR, 133, 306 Pipeline, 164 Mode switching, 95, 165 Addressing modes, 425 mode switching, 16 Registers APSR, 249 FPSCR, 249 Link Register, 13, 14, 26, 47, 165, 897 R0, 897 scratch registers, 197, 897 X0, 898 Z, 86, 898 Thumb mode, 3, 128, 165 Thumb-2 mode, 3, 165, 249, 250 armel, 215 armhf, 215 Condition codes, 127 D-registers, 214, 898 Data processing instructions, 471 DCB, 14 hard float, 215 if-then block, 249 Leaf function, 26 Optional operators ASR, 317, 471 LSL, 258, 284, 317, 318, 426 LSR, 317, 471 ROR, 317 RRX, 317 Registers R0, 98 915 INDEX S-registers, 214, 898 soft float, 215 ARM64 lo12, 47 ASLR, 672 AWK, 641 Base64, 634 base64, 635 bash, 99 BASIC POKE, 645 binary grep, 638, 706 BIND.EXE, 676 binutils, 364 Bitcoin, 859 Borland C++Builder, 627 Borland Delphi, 627, 631, 856 BSoD, 661 BSS, 673 C11, 656 Callbacks, 368 Canary, 269 cdecl, 35, 648 COFF, 737 column-major order, 279 Compiler intrinsic, 28, 857 CRC32, 438, 452 CRT, 668, 687 Cygwin, 626, 630, 677, 704 DES, 391, 404 dlopen(), 666 dlsym(), 666 DOSBox, 811 DosBox, 643 double, 206, 653 dtruss, 704 Duff’s device, 466 EICAR, 807 ELF, 71 Error messages, 635 fastcall, 11, 58, 291, 649 float, 206, 653 Forth, 608 FORTRAN, 279, 491, 572, 627 Function epilogue, 23, 47, 48, 127, 348, 641 Function prologue, 9, 23, 26, 48, 269, 641 Fused multiply–add, 94, 95 Fuzzing, 481 GCC, 626, 902, 905 GDB, 21, 40, 44, 268, 376, 377, 703, 905 Glibc, 376, 661 Hex-Rays, 722 Hiew, 84, 124, 631, 673, 674, 677, 856 IDA, 78, 364, 490, 618, 633, 844, 904 var_?, 48, 66 IEEE 754, 206, 301, 360, 412, 878 Inline code, 182, 299, 482, 529, 559 Integer overflow, 97 INDEX Intel 8080, 197 8086, 197, 299, 746 Memory model, 582, 868 8253, 810 80286, 746, 868 80386, 299, 868 80486, 206 FPU, 206 Intel C++, 8, 392, 858, 869, 887 Itanium, 865 Java, 587 jumptable, 157, 165 Keil, 12 kernel panic, 661 kernel space, 661 LD_PRELOAD, 665 Linux, 292, 663, 794 libc.so.6, 291, 376 LLVM, 12 long double, 206 Loop unwinding, 176 Mac OS Classic, 730 MD5, 438, 637 MFC, 674, 781 MIDI, 637 MinGW, 626 minifloat, 427 MIPS, 4, 518, 644, 673, 730 Global Pointer, 18 Instructions ADD, 97 ADD.D, 217 ADDIU, 19, 76 ADDU, 97 AND, 301 BC1F, 253 BC1T, 253 BEQ, 88, 129 BLTZ, 133 BNE, 129 BNEZ, 167 BREAK, 471 C.LT.D, 253 DIV.D, 217 J, 6, 19 JAL, 97 JALR, 19, 97 JR, 156 LB, 186 LBU, 186 LI, 429 LUI, 19, 76, 217, 304, 429 LW, 19, 67, 76, 156 LWC1, 217 MFC1, 220 MFHI, 97, 471, 900 MFLO, 97, 471, 900 MTC1, 366 MUL.D, 217 MULT, 97 916 INDEX INDEX NOR, 199 SHA1, 438 OR, 21 SHA512, 859 ORI, 301, 429 Shadow space, 92, 93, 413 SB, 186 Shellcode, 519, 661, 672, 808, 895 SLL, 167, 201, 320 Signed numbers, 116, 432 SLLV, 320 SIMD, 412, 489 SLT, 129 SSE, 412 SLTIU, 167 SSE2, 412 SLTU, 129, 130, 167 stdcall, 648, 856 SRL, 205 strace, 665, 704 SUBU, 133 syscall, 291, 661, 704 SW, 54 TCP/IP, 435 Pseudoinstructions thiscall, 523, 525, 650 B, 184 thunk-functions, 16, 675, 731, 739 BEQZ, 130 TLS, 270, 656, 673, 676, 881 L.D, 217 Callbacks, 659 LA, 21 Callbacks, 677 LI, tracer, 178, 373, 375, 630, 639, 643, 686, 695, 703, 791, 798, MOVE, 19, 75 802, 804, 856 NEGU, 133 NOP, 21, 75 Unicode, 632 NOT, 199 Unrolled loop, 182, 272, 486 Registers uptime, 665 FCCR, 253 USB, 732 HI, 471 user space, 661 LO, 471 UTF-16LE, 632, 633 Branch delay slot, UTF-8, 632 Global Pointer, 284 Load delay slot, 156 VA, 671 O32, 54, 58, 900 MS-DOS, 270, 579, 637, 643, 645, 671, 746, 807, 809, 831, Watcom, 627 856, 868, 878, 888, 892 Windows, 699 DOS extenders, 868 API, 878 MSVC, 903, 905 IAT, 672 INT, 672 Name mangling, 523 KERNEL32.DLL, 290 Native API, 672 MSVCR80.DLL, 369 NEC V20, 811 NTAPI, 709 ntoskrnl.exe, 794 objdump, 364, 665, 677 PDB, 625, 673, 709, 717, 789 OEP, 671, 676 Structured Exception Handling, 29, 677 opaque predicate, 520 TIB, 270, 677, 881 OpenMP, 628, 859 Win32, 290, 633, 665, 671, 868 OpenWatcom, 627, 650 GetProcAddress, 676 LoadLibrary, 676 Page (memory), 402 Ordinal, 674 Pascal, 631 RaiseException(), 677 PDP-11, 425 SetUnhandledExceptionFilter(), 679 PowerPC, 4, 18, 730 Windows 2000, 672 puts() instead of printf(), 15, 64, 98, 125 Windows 3.x, 575, 868 Quake III Arena, 367 Windows NT4, 672 Windows Vista, 671, 709 Raspberry Pi, 12 Windows XP, 672, 676, 717 ReactOS, 684 Wine, 684 Register allocation, 404 Wolfram Mathematica, 473, 474, 724, 825 Relocation, 16 row-major order, 279 x86 RVA, 671 Flags CF, 886, 888, 890, 893 SAP, 625, 789 DF, 890, 893 SCO OpenServer, 737 IF, 890, 893 Scratch space, 652 Instructions Security cookie, 269, 690 AAA, 896 Security through obscurity, 635 AAS, 896 917 INDEX INDEX ADC, 382, 579, 886 ADD, 8, 35, 90, 476, 579, 886 ADDSD, 413 ADDSS, 423 ADRcc, 135 AND, 9, 291, 294, 307, 321, 354, 886, 889 BSF, 403, 890 BSR, 890 BSWAP, 435, 890 BT, 890 BTC, 303, 890 BTR, 303, 699, 890 BTS, 303, 890 CALL, 8, 25, 515, 675, 886 CBW, 433, 890 CDQ, 389, 433, 890 CDQE, 433, 890 CLD, 890 CLI, 890 CMC, 890 CMOVcc, 127, 134, 136, 138, 142, 437, 890 CMP, 77, 78, 886, 896 CMPSB, 638, 890 CMPSD, 890 CMPSQ, 890 CMPSW, 890 COMISD, 421 COMISS, 423 CPUID, 352, 892 CWD, 433, 579, 819, 890 CWDE, 433, 890 DEC, 191, 886, 896 DIV, 433, 892 DIVSD, 412, 640 FABS, 894 FADD, 894 FADDP, 208, 214, 894 FATRET, 316, 317 FCHS, 894 FCMOVcc, 245 FCOM, 233, 244, 894 FCOMP, 221, 894 FCOMPP, 894 FDIV, 208, 639, 894 FDIVP, 208, 894 FDIVR, 214, 894 FDIVRP, 894 FILD, 894 FIST, 894 FISTP, 894 FLD, 218, 221, 894 FLD1, 894 FLDCW, 894 FLDZ, 894 FMUL, 208, 894 FMULP, 894 FNSTCW, 894 FNSTSW, 222, 244, 894 FSINCOS, 894 FSQRT, 894 FST, 894 FSTCW, 894 FSTP, 218, 894 FSTSW, 894 FSUB, 895 FSUBP, 895 FSUBR, 894 FSUBRP, 894 FUCOM, 244, 895 FUCOMI, 245 FUCOMP, 895 FUCOMPP, 244, 895 FWAIT, 206 FXCH, 895 IDIV, 433, 469, 892 IMUL, 90, 287, 433, 886, 896 IN, 515, 746, 810, 892 INC, 191, 856, 886, 896 INT, 808, 892 INT3, 630 IRET, 892 JA, 116, 245, 432, 886, 896 JAE, 116, 886, 896 JB, 116, 432, 886, 896 JBE, 116, 886, 896 JC, 886 Jcc, 88, 137 JCXZ, 886 JE, 145, 886, 896 JECXZ, 886 JG, 116, 432, 886 JGE, 116, 886 JL, 116, 432, 886 JLE, 116, 886 JMP, 25, 47, 675, 856, 886 JNA, 886 JNAE, 886 JNB, 886 JNBE, 244, 886 JNC, 886 JNE, 77, 78, 116, 886, 896 JNG, 886 JNGE, 886 JNL, 886 JNLE, 886 JNO, 886, 896 JNS, 886, 896 JNZ, 886 JO, 886, 896 JP, 222, 811, 886, 896 JPO, 886 JRCXZ, 886 JS, 886, 896 JZ, 86, 145, 858, 886 LAHF, 887 LEA, 61, 92, 335, 441, 454, 476, 652, 712, 887 LEAVE, 9, 887 LES, 751, 819 LOCK, 699 LODSB, 810 LOOP, 174, 188, 641, 819, 892 MAXSD, 421 MOV, 5, 8, 10, 486, 487, 515, 674, 856, 888 MOVDQA, 394 MOVDQU, 394 MOVSB, 887 MOVSD, 420, 487, 767, 887 MOVSDX, 420 918 INDEX MOVSQ, 887 MOVSS, 423 MOVSW, 887 MOVSX, 190, 196, 347–349, 433, 888 MOVSXD, 273 MOVZX, 190, 333, 730, 888 MUL, 433, 888 MULSD, 413 NEG, 479, 888 NOP, 454, 854, 856, 888 NOT, 195, 197, 771, 888 OR, 294, 502, 888 OUT, 515, 746, 892 PADDD, 394 PCMPEQB, 403 PLMULHW, 392 PLMULLD, 392 PMOVMSKB, 403 POP, 8, 24, 25, 888, 896 POPA, 892, 896 POPCNT, 892 POPF, 810, 893 PUSH, 8, 9, 24, 25, 60, 515, 888, 896 PUSHA, 893, 896 PUSHF, 893 PXOR, 403 RCL, 641, 893 RCR, 893 RET, 5, 8, 25, 269, 525, 576, 856, 888 ROL, 316, 857, 893 ROR, 857, 893 SAHF, 244, 888 SAL, 893 SALC, 811 SAR, 321, 433, 494, 819, 893 SBB, 382, 888 SCASB, 810, 811, 888 SCASD, 888 SCASQ, 888 SCASW, 888 SETALC, 811 SETcc, 129, 191, 244, 893 SHL, 201, 255, 321, 889 SHR, 205, 321, 354, 889 SHRD, 388, 889 STC, 893 STD, 893 STI, 893 STOSB, 889 STOSD, 889 STOSQ, 486, 889 STOSW, 889 SUB, 8, 9, 78, 145, 476, 886, 889 SYSCALL, 892, 893 SYSENTER, 662, 892, 894 TEST, 190, 291, 293, 321, 889 UD2, 894 XADD, 700 XCHG, 888, 889 XOR, 8, 78, 195, 494, 641, 742, 856, 889, 896 Prefixes LOCK, 699, 885 REP, 885, 887, 889 REPE/REPNE, 885 INDEX REPNE, 888 Registers Flags, 78, 118, 881 AH, 887, 888 CS, 868 DR6, 884 DR7, 884 DS, 868 EAX, 77, 98 EBP, 60, 90 ECX, 523 ES, 819, 868 ESP, 35, 60 FS, 657 GS, 270, 657, 660 JMP, 163 RIP, 664 SS, 868 ZF, 78, 291 AVX, 391 FPU, 882 Instructions STOSB, 468 MMX, 391 SSE, 391 SSE2, 391 x86-64, 10, 11, 43, 59, 65, 85, 91, 404, 412, 516, 650, 664, 878, 884 Xcode, 12 Z3, 722, 725 919 BIBLIOGRAPHY BIBLIOGRAPHY Bibliography [al12] Nick Montfort et al 10 PRINT CHR$(205.5+RND(1)); : GOTO 10 Also available as http : / / go yurichev com/17286 The MIT Press, 2012 [AMD13a] AMD AMD64 Architecture Programmer’s Manual Also available as http : / / go yurichev com / 17284 2013 [AMD13b] AMD Software Optimization Guide for AMD Family 16h Processors Also available as http://go.yurichev com/17285 2013 [App10] Apple iOS ABI Function Call Guide Also available as http://go.yurichev.com/17276 2010 [ARM12] ARM ARM® Architecture Reference Manual, ARMv7-A and ARMv7-R edition 2012 [ARM13a] ARM ARM Architecture Reference Manual, ARMv8, for ARMv8-A architecture profile 2013 [ARM13b] ARM ELF for the ARM 64-bit Architecture (AArch64) Also available as http://go.yurichev.com/17288 2013 [ARM13c] ARM Procedure Call Standard for the ARM 64-bit Architecture (AArch64) Also available as http://go.yurichev com/17287 2013 [Bro] Ralf Brown The x86 Interrupt List Also available as http://go.yurichev.com/17292 [Bur] Mike Burrell “Writing Effcient Itanium Assembly Code” In: () Also available as http://go.yurichev.com/ 17265 [Cli] Marshall Cline C++ FAQ Also available as http://go.yurichev.com/17291 [Cor+09] Thomas H Cormen et al Introduction to Algorithms, Third Edition 3rd The MIT Press, 2009 ISBN: 0262033844, 9780262033848 [Dij68] Edsger W Dijkstra “Letters to the editor: go to statement considered harmful” In: Commun ACM 11.3 (Mar 1968), pp 147–148 ISSN: 0001-0782 DOI: 10 1145 / 362929 362947 URL: http : / / go yurichev com / 17299 [Dol13] Stephen Dolan “mov is Turing-complete” In: (2013) Also available as http://go.yurichev.com/17269 [Dre07] Ulrich Drepper What Every Programmer Should Know About Memory Also available as http://go.yurichev com/17341 2007 [Dre13] Ulrich Drepper “ELF Handling For Thread-Local Storage” In: (2013) Also available as http://go.yurichev com/17272 [Eic11] Jens Eickhoff Onboard Computers, Onboard Software and Satellite Operations: An Introduction 2011 [Fog13a] Agner Fog Optimizing software in C++: An optimization guide for Windows, Linux and Mac platforms http:// go.yurichev.com/17279 2013 [Fog13b] Agner Fog The microarchitecture of Intel, AMD and VIA CPUs / An optimization guide for assembly programmers and co http://go.yurichev.com/17278 2013 [Fog14] Agner Fog Calling conventions http://go.yurichev.com/17280 2014 [haq] papasutra of haquebright “WRITING SHELLCODE FOR IA-64” In: () Also available as http://go.yurichev com/17340 [IBM00] IBM PowerPC(tm) Microprocessor Family: The Programming Environments for 32-Bit Microprocessors Also available as http://go.yurichev.com/17281 2000 [Int13] Intel Intel® 64 and IA-32 Architectures Software Developer’s Manual Combined Volumes:1, 2A, 2B, 2C, 3A, 3B, and 3C Also available as http://go.yurichev.com/17283 2013 [Int14] Intel Intel® 64 and IA-32 Architectures Optimization Reference Manual Also available as http://go.yurichev com/17342 September 2014 [ISO07] ISO ISO/IEC 9899:TC3 (C C99 standard) Also available as http://go.yurichev.com/17274 2007 [ISO13] ISO ISO/IEC 14882:2011 (C++ 11 standard) Also available as http://go.yurichev.com/17275 2013 920 BIBLIOGRAPHY BIBLIOGRAPHY [Jav13] Java The Java® Virtual Machine Specification Java SE Edition Also available as http : / / go yurichev com/17345 and http://go.yurichev.com/17346 February 2013 [Ker88] Brian W Kernighan The C Programming Language Ed by Dennis M Ritchie 2nd Prentice Hall Professional Technical Reference, 1988 ISBN: 0131103709 [Knu74] Donald E Knuth “Structured Programming with go to Statements” In: ACM Comput Surv 6.4 (Dec 1974) Also available as http://go.yurichev.com/17271, pp 261–301 ISSN: 0360-0300 DOI: 10.1145/356635 356640 URL: http://go.yurichev.com/17300 [Knu98] Donald E Knuth The Art of Computer Programming Volumes 1-3 Boxed Set 2nd Boston, MA, USA: AddisonWesley Longman Publishing Co., Inc., 1998 ISBN: 0201485419 [Loh10] Eugene Loh “The Ideal HPC Programming Language” In: Queue 8.6 (June 2010), 30:30–30:38 ISSN: 1542-7730 DOI: 10.1145/1810226.1820518 URL: http://go.yurichev.com/17298 [Ltd94] Advanced RISC Machines Ltd The ARM Cookbook Also available as http://go.yurichev.com/17273 1994 [Mit13] Michael Matz / Jan Hubicka / Andreas Jaeger / Mark Mitchell System V Application Binary Interface AMD64 Architecture P Also available as http://go.yurichev.com/17295 2013 [Mor80] Stephen P Morse The 8086 Primer Also available as http://go.yurichev.com/17351 1980 [One96] Aleph One “Smashing The Stack For Fun And Profit” In: Phrack (1996) Also available as http://go.yurichev com/17266 [Pie] Matt Pietrek “A Crash Course on the Depths of Win32™ Structured Exception Handling” In: MSDN magazine () URL: http://go.yurichev.com/17293 [Pie02] Matt Pietrek “An In-Depth Look into the Win32 Portable Executable File Format” In: MSDN magazine (2002) URL: http://go.yurichev.com/17318 [Pre+07] William H Press et al Numerical Recipes 2007 [RA09] Mark E Russinovich and David A Solomon with Alex Ionescu Windows® Internals: Including Windows Server 2008 and W 2009 [Ray03] Eric S Raymond The Art of UNIX Programming Also available as http : / / go yurichev com / 17277 Pearson Education, 2003 ISBN: 0131429019 [Rit79] Dennis M Ritchie “The Evolution of the Unix Time-sharing System” In: (1979) [Rit86] Dennis M Ritchie Where did ++ come from? (net.lang.c) http://go.yurichev.com/17296 [Online; accessed 2013] 1986 [Rit93] Dennis M Ritchie “The development of the C language” In: SIGPLAN Not 28.3 (Mar 1993) Also available as http://go.yurichev.com/17264, pp 201–208 ISSN: 0362-1340 DOI: 10.1145/155360.155580 URL: http://go.yurichev.com/17297 [RT74] D M Ritchie and K Thompson “The UNIX Time Sharing System” In: (1974) Also available as http://go yurichev.com/17270 [Sch94] Bruce Schneier Applied Cryptography: Protocols, Algorithms, and Source Code in C 1994 [SK95] SunSoft Steve Zucker and IBM Kari Karhi SYSTEM V APPLICATION BINARY INTERFACE: PowerPC Processor Supplement Also available as http://go.yurichev.com/17282 1995 [Sko12] Igor Skochinsky Compiler Internals: Exceptions and RTTI Also available as http : / / go yurichev com / 17294 2012 [Str13] Bjarne Stroustrup The C++ Programming Language, 4th Edition 2013 [Swe10] Dominic Sweetman See MIPS Run, Second Edition 2010 [War02] Henry S Warren Hacker’s Delight Boston, MA, USA: Addison-Wesley Longman Publishing Co., Inc., 2002 ISBN: 0201914654 [Yur12] Dennis Yurichev “Finding unknown algorithm using only input/output pairs and Z3 SMT solver” In: (2012) Also available as http://go.yurichev.com/17268 [Yur13] Dennis Yurichev C/C++ programming language notes Also available as http://go.yurichev.com/17289 2013 921