Ok so before we move on and jump into writing and running 64 bit programs (because all programs today are 64bit these days no? j.k.) let's have a look how to compile a simple program for each of those architectures. This knowledge should also help you better understand how to start a nano VM and "debug" problems that might arise. To produce binaries we will use nasm compiler and to explore them we will use radare2 (https://rada.re/n/). Program that we will compile and analyse will be extremely simple. This is so we can focus on important aspects of 16, 32 and 64 bit programs rather than complexities in the programs themselves. Source code for all examples and compiling them is available in GitLab repo: . https://gitlab.com/mvuksano/kvm-playground/-/tree/master/05-assemly-compiling Let's jump into it. 16 bit assembly Let's compile the following program: , , , , , BITS 16 mov ax 'A' add ax '0' mov dx 0x3f8 out dx al mov eax 0xc000 jmp eax As you can see, it starts with directive. This tells compiler that we are want to produce a 16 bit binary. BITS 16 To produce a binary we only need to invoke compiler. nasm nasm -o a16.bin a16.asm There are a lot of tools that we could use at this point look into the executable. I'll use radare2 as it comes with some bells and whistles (e.g. nicely formatted and colored disassembly) The first line ( ) is represented using 3 bytes. b8 is the opcode for mov instruction while the following two bytes is number 0x41 written using two bytes in little endian format. mov ax, 0x41 Next line ( ) encodes instruction to add to whatever value is in register and store it back into . Notice how ax is 16 bit register and the immediate operand (0x30) is 8 bits in size. ADD instruction ( ) has numerous options that customize its operation. In this case we use to tell ADD op to use register as source and destination. 0x83c030 0x30 ax ax 0x83 0xc0 ax Following that is . This instruction does similar thing to in the first line. Notice how the second byte changed from to . This is because opcode of this instruction encodes which register is used. In this case this instruction tells CPU to use register . 0xbaf803 0xb84100 8 a dx instruction is a simple one. It's a one byte instruction telling our CPU. 0xee Following is . We've seen before. We also know that is target of our jump instruction written in little endian format. Two questions that remain are: 1. What is that in front of ? and what is that at the end of the instruction? 0x66b800c00000 0xb8 0x00c0 0x66 0xb8 0x0000 is part of the instruction which tells CPU to use non-default instruction length. In our 16bit program default length for instruction is 16 bits (e.g. register). Here we are putting value into 32bit register . In our case can be written as . We just added a number of zeros to get a 32bit number. Now if we write in little endian format we get . This is exactly sequence of digits that we see following . 0x66 MOV ax 0xc000 eax 0xc000 0x0000c000 0x0000c000 0x00c00000 0x66b8 is the last instruction in our program. 0x66 serves same purpose as in previous instruction - it tells CPU to "switch to" using 32 bit operands. is opcode for instruction. 0x66ffe0 0xffe0 jmp eax Before we move on to looking at 32bit version of the same program keep two things in mind: CPU expects operands to be 2bytes in size usually if we want to use 32bit operand size we need to use opcode prefix 0x66 to tell x86 CPU to do so. 32 bit assembly Let's have a look at what the same program looks like compiled using 32 bits: , , , , , BITS 32 mov eax 'A' add eax '0' mov edx 0x3f8 out dx al mov eax 0xc000 jmp eax You can notice a few changes. First line is directive that tells compiler that we want to output 32 bit binary. Also notice that instead of using as operand we use . is name of 32 bit register while is used to name 16 bit register. As a matter of fact represents lower 16 bits of register. nasm ax eax eax ax ax eax Looking at disassembly we can see that it's very similar. Another thing worth pointing out is that prefix in front of second last instruction is not there any more. In 32bit mode default operand size is 32 bits so there's no need for prefix in this case. 0x66 Size of binary has also slightly increased. Instead of being 13 bytes in size its not 15 bytes. 64 bit assembly Lastly let's look at equivalent 64 bit program: , , , , , BITS 64 mov rax QWORD 'A' add rax QWORD '0' mov rdx QWORD 0x3f8 out dx al mov rax QWORD 0xc000 jmp rax Besides directive telling compiler that it should output 64 bit program we use to explicitly specify that immediate operands should be 8 bytes in size. BITS QWORD Looking at the disassembly we can see that it grew in size again. This is expected as size of immediate operands is doubled. Besides the operand size this disassembly looks very similar to 32 bit one. One difference we can immediately notice is that a lot of instructions have prefix. This is so called REX prefix. It's available in 64 bit mode only and in this case tell CPU that the instruction should use 64 bit operand size. Keep in mind that some instructions, in 64 bit mode, do not use 64 bit operand by default but instead use 32 bit ones. MOV is an example of such an instruction. 0x48 Conclusion In this article we have taken a look at a very simple program and its representation as 16, 32 and 64 bit binary. I don't expect you will need to deal with assembly code day to day but being familiar with it is very useful when working with hypervisors and VMs. In the early stages of a VMs life there are very few tools for debugging and the best one you have is in knowing what the code does. In the following article we will modify our VM to switch into long mode and we will execute the 64 bit binary. References http://ref.x86asm.net/coder32.html https://c9x.me/x86/html/file_module_x86_id_222.html https://wiki.osdev.org/X86-64_Instruction_Encoding#togglelink:~:text=4.1.2%20REX%20prefix
![Adventures in Assembly #1 [How It Usually Begins]](https://images.unsplash.com/photo-1532882871449-7fbb1ec36d48?ixlib=rb-1.2.1&q=80&fm=jpg&crop=entropy&cs=tinysrgb&w=1080&fit=max&ixid=eyJhcHBfaWQiOjEwMDk2Mn0&auto=format)
![Bypassing SSL Pinning with LLDB on AppStore iOS apps [A Step by Step Guide]](https://images.unsplash.com/photo-1544890225-2f3faec4cd60?ixlib=rb-1.2.1&q=80&fm=jpg&crop=entropy&cs=tinysrgb&w=1080&fit=max&ixid=eyJhcHBfaWQiOjEwMDk2Mn0&auto=format)
![[CTF Series #1] The Reverse Engineering Challenge](https://firebasestorage.googleapis.com/v0/b/hackernoon-app.appspot.com/o/images%2F4wIVYgFfSifbXBgRGcYBelED8Nn2-kl628t2.jpeg?alt=media&token=ee7118d5-f29f-469f-b20b-70b14e0a57bf&auto=format&fit=max&w=3840)
