📔
Cyber Security Notes
  • Introduction
  • CVEs
    • CVE-2022-33106
  • Paper Reviews
    • Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
  • Security Basics Notes
    • Identification, Authentication and Authorization
  • Enumeration and Initial Compromise
    • Methodology
    • Footprinting
    • Network Protocols
      • FTP
      • SMB
      • DNS
      • NFS
      • SMTP
      • IMAP/POP3
      • SNMP
      • MySQL
      • MSSQL
      • Oracle TNS
      • IPMI
    • Nifty One Liners
    • Brute-Force Web Pages
      • Hydra
    • Network Pentest
      • Quick SMB cheatsheet
      • SSH keypair basics
      • Compromise using SSH Key
      • Networking fundamentals Interview topics
      • nmap quick cheatsheet
      • Metasploit Quick Reference
    • Web Pentest
      • Web Pentest Interview top topics
      • Wordpress Exploitation
      • Joomla Exploitation
      • Login Bypass using Cookie Tampering/Poisoning
      • Subdomain Enumeration
      • CSRF mitigation
      • XSS mitigation
      • CSP bypass with JSONP
      • PHP Vulnerabilities
      • Python Serialization Vulnerabilities - Pickle
      • SQL Injections
        • SQLmap
      • SSTI
      • XSS
    • Buffer Overflow Prep
      • Understanding CPUs
      • Virtual Memory and Paging
      • Syscalls
      • Theorem Proving
      • Stripping readable function names
      • Insecure C functions
      • Stack Canaries
      • Linking - GOT,PLT
      • Return Oriented Programming
    • Active Directory - Basics
      • AD DS
      • Managing OUs
      • Group Policies
      • Authentications
      • Trees, Forests and Trusts
      • Kerberos
      • Attacking Kerberos
      • Priv Esc (Post Exploitation)
    • DNS/Domain Enum Masterguide
  • Post Exploitation
    • Shell Escape Techniques
    • Getting stable shell after compromise
    • Linux Privilege Escalation
      • Sudoers file
      • Sudoers entry - Yum
      • Wildcards - Basics
      • Wildcards - Chown
      • Wildcards - Tar
      • Linux Permissions & SUID/SGID/Sticky Bit
      • SUID - nmap
      • SUID - bash
      • SUID - man
      • NFS no_root_squash
      • SUID - pkexec
      • Bad permissions
    • Windows Privilege Escalation
      • SeImpersonatePrivilege Token Impersonation
      • Firefox Creds
      • Potatoes
      • Print Spooler Basics
      • Print Spooler CVE 2020-1030
      • SpoolFool
    • Data Exfiltration Post Exploitation
  • Port Forwarding Cheatsheet
  • Powershell Essentials
    • Powershell Basics
    • Powershell Enumeration
    • Powershell Port Scanner
    • Powershell One Liner Port Scanning
    • Powershell Port Scan in a given CIDR
  • Application Security
    • System Calls in Linux
    • Buffer Overflow Defenses
    • Format string vulnerabilities
    • Sample Github Actions
    • Basic Bugs in Demo Application
    • Using AFL++
  • Linux 64-bit Assembly
    • GDB Basics
      • My relevant GDB cheatsheet
      • Task 1 - Tamper strcmp logic
      • Breakpoints
      • Always starting with intel flavor
      • GDB TUI Mode
    • Basic Hello World Program
    • Registers in 64-bit
    • global directive
    • Reducing instructions and Removing NULL-> Optimizing memory in Assembly
    • Data Types
    • Endianness
    • Moving Data
    • push, pop, and the stack
    • Analysis - Writing data on memory location and referencing
    • Arithmetic Operations
    • Bitwise Logical Operations
    • Bit-Shifting Operations
    • Control Instructions
    • Loops
    • Procedures
    • Stack-Frames and Procedures
    • String Operations
    • Shellcoding basics
      • Introduction and Common Rules
      • Basic Shellcodes->Exit
      • Testing shellcode->Skeleton Code
      • Techniques-> JMP,CALL,POP
      • Techniques-> Stack
      • Techniques-> (64-bit only) RIP Relative Addressing
      • Shellcode 1 -> execve(/bin/sh) STACK PUSH
      • Shellcode 1 -> execve(/bin/sh) JMP CALL POP
      • Techniques-> XOR-Encoder
  • Cloud Security
    • Foundational Technology
    • Learning Through Project Omega
    • IAM Essentials
      • Deep dive into IAM - Part 1
    • Amazon S3
    • Risk Management & Data Controls
    • Enumeration
      • S3 - Enum Basics - PwnedLabs
      • S3 - Identify the AWS Account ID from a Public S3 Bucket
      • EBS - Loot Public EBS Volumes
      • S3- Exploit Weak Bucket Policies for Privileged Access
  • API Security
    • WSDL
  • Reverse Engineering
    • Some string Operations
    • Numbers and Inputs
    • Address inputs
    • Recursive Function
    • Crackme: level1
    • Crackme: level2
    • CTF: Memory Dereferencing
    • CTF: Monty Python
  • CTF Challenge Learnings
    • vsCTF 2024
      • Sanity Check
      • not-quite-caesar
      • Intro to reversing
    • NCL Individual 2024
      • Web Challenges
        • PiratePals
        • Pierre's Store
    • Pico CTF 2024
      • Web Exploitation
        • Bookmarklet
        • WebDecode
        • Unminify
        • Trickster
      • General Skills
        • Commitment Issues
        • Time Machine
        • Blame Game
        • Collaborative Development
        • Binary Search
        • Dont-you-love-banners
    • Sunshine CTF
      • Knowledge Repository
    • Amazon WiCys CTF
      • I am Lazy
      • Password Locker on the Web
      • Happy Birthday Card Generator
      • Bloggergate
      • simple offer
      • Bad Actor
      • Secret Server
      • Simple PCAP
      • Hidden Message
    • C code using getenv()
    • Command Injection with filter
    • Pwning
      • Shoddy_CMP
      • PLT_PlayIT
  • Applied Cryptography
    • Linear Congruential Generator
  • Tools for everything
Powered by GitBook
On this page
  • MOV instruction
  • LEA
  • XCHG

Was this helpful?

  1. Linux 64-bit Assembly

Moving Data

PreviousEndiannessNextpush, pop, and the stack

Last updated 1 year ago

Was this helpful?

Before going ahead, here are three rules:

a) In 64-bit mode, operands generate a 64-bit result in the destination GP register b) In 32-bit mode, operands generate a 32-bit result, zero-extended to a 64-bit result in the destination general purpose register c) In 8-bit and 16-bit mode, operands generate an 8 or 16 bit result. The upper 56 or 48 bits of the GPR are untouched d) If the result of an 8 or 16-bit operation is intended for 64-bit address calculation, explicitly sign-extend the register to the full 64-bits.

"Zero extended"??? We'll talk about this after introducing a few operands that are used to move data in assembly.

MOV instruction

MOV is the most common instruction in assembly. It allows data moving in the following formats:

  1. Between registers

  2. Memory to registers and Registers to Memory

  3. Immediate data to registers

  4. Immediate data to memory

LEA

LEA=> Load Effective Address.

It loads pointer values in registers

Eg: LEA RAX, [var1]

Where var1 is the label given to any data type (talked in data type article here: )

Please note that, these two instructions essentially mean the same thing:

mov rax, sample

lea rax,[sample]

XCHG

Swaps values in between:

  1. Register and Register: XCHG RAX, RBX

  2. Register and Memory: XCHG RAX, <memory address>

Demo:

Here is an assembly program for us to dissect into.

global _start

section .text
_start:

        ; mov immediate data to register 
        mov rax, 0xaaaaaaaabbbbbbbb
        mov eax, 0xaaaaaaaa
        mov rax, 0xaaaaaaaabbbbbbbb
        mov al, 0x11
        mov rax, 0xaaaaaaaabbbbbbbb
        mov ah, 0xcc
        mov rax, 0xaaaaaaaabbbbbbbb
        mov ax, 0xdddd

         
        ; mov register to register 

        mov rbp, rax
        mov r10, rbp

        mov r11d, r10d
        mov r12w, r11w
        mov r13b, r12b


        ; mov from memory into register 

        mov rsi, [sample2]
        mov r14d, [sample]
        mov r15w, [sample]
        mov dil, [sample]


        ; mov from register into memory 

        mov rax, [sample2]
        mov byte [sample], al
        mov word [sample], ax
        mov dword [sample], eax
        mov qword [sample], rax


        ; lea demo

        lea rax, [sample]
        lea rbx, [rax] 


        ; xchg demo 
        mov rax, 0x1234567890abcdef
        mov rbx, 0x9999999999999999

        xchg rax, rbx
 

        ; exit the program gracefully  

        mov rax, 0x3c
        mov rdi, 0
        syscall


section .data

sample: db 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x11, 0x22
sample2: dq 0x1122334455667788
sample3: times 8 db 0x00

Note at the end we are exiting by giving rax a value 0x3c which is hex equivalent of "60" which is the syscall number of exit()

gdb -q ./MovingData -tui

Instruction 1: Rule A applies

Instruction 2: Note how a 32 bit value output zeros out the upper 32 bits of the register. 3rd instruction resets RAX.

Instruction 4: Rule C applies and the remaining 30 bits are unaffected

Instruction 9: Moves rax into rbp

Instruction 14: This instruction assigns value of sample2 variable in RSI.

On stepi we'll see the change

Instruction 19: Changes sample variables 1 byte with that of al.

Notice al has 88 right now and sample starts with 0xaa. This gets overwritten

Instruction 23: LEA would load 0x402000 intro RAX. Note that this is the memory address of sample variable.

Upon stepi or si, we see RAX being overwritten with the address of sample

Instruction 24: This instruction (lea rbx, [rax]) essentially loads the value in RAX into RBX

Instruction 27: This instruction would exchange RAX and RBX. Notice how rax and rbx have been overwritten first by 64 bit absolute values

One more stepi

Finally, we exit the program using 0x3c (hex value for 60->syscall number for exit()) with rdi as 0 for error code.

https://hexisanoob.gitbook.io/hexisanoob/application-security/linux-64-bit-assembly/data-types