• Welcome to Valhalla Legends Archive.
 

Inline asm issue in VC++ 6

Started by Yegg, April 06, 2007, 09:16 PM


Joe[x86]

Quote from: iago on April 22, 2007, 01:41 PM
No Intel instruction uses one processor cycle. And xor uses less than mov, but not a significant amount.

Ah.. how's that so? I've never known that.
Quote from: brew on April 25, 2007, 07:33 PM
that made me feel like a total idiot. this entire thing was useless.

Newby

Quote from: brew on April 22, 2007, 05:36 PM
Wouldn't xor eax, eax be slower? The value of xor eax, eax needs to be calculated, where mov eax, 0 moves a constant value into eax. Maybe not by very much (if anything at all), but yes, xor eax, eax is far more efficient anyways.

You can't do mov eax, 0 with shellcode, can you? I would personally use xor eax, eax over mov eax, 0 just because of that.
- Newby

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

Quote
<TehUser> Man, I can't get Xorg to work properly.  This sucks.
<torque> you should probably kill yourself
<TehUser> I think I will.  Thanks, torque.

Skywing

Most nontrivial shellcode today will be prefixed by a small decoder program, so that the bulk of it need not be written with the constraints of the buffer (e.g. no nulls, no uppercase, and so forth).

iago

Quote from: Skywing on April 22, 2007, 09:03 PM
xor reg, reg is pretty much the de-facto way to zero out a register as far as x86 goes, so I would tend to disagree in this case.

I wouldn't advise being overly "tricky" with assembler without good reason, but there are a couple of cases where some instructions have "well-understood" implied connotations beyond their "original intended" use.

To be realistic, the "xor reg, reg" construct is so widely used that all but the most inexperienced at x86 assembler will recognize what it means.
That may be true, but if I was teaching somebody assembly, I definitely wouldn't teach them shortcuts like that. I might teach them to recognize it, because you're right that it's very common, but I wouldn't encourage them to do it that way.

Quote from: Joe[x86] (topic=16593.msg168295#msg168295, date=1177298758)
Ah.. how's that so? I've never known that.
How? By taking up more than one cycle. There really isn't much more to say on that.

Quote from: Newby on April 22, 2007, 10:33 PM
You can't do mov eax, 0 with shellcode, can you? I would personally use xor eax, eax over mov eax, 0 just because of that.
First of all, who cares about shellcode? Shellcode is special code that has special limitations, which are often bypassed with, like Skywing said, a decoder (aka, polymorphic shellcode).

But in trivial shellcode, it depends on the buffer. Often, you can have a null character in shellcode if you want, as long as it isn't required that your code is used like a null-terminated string somewhere. In a simple buffer overflow, you're jumping straight to the shellcode that was entered, so having null characters within the string is actually fine.
This'll make an interesting test for broken AV:
Quote
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
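The point iago and Skywing make above (a null byte only matters when the bytes travel through a NUL-terminated string routine, not when they are copied by length) can be checked directly on the machine-code encodings. The following is an added example, not code posted by anyone in this thread: it uses the standard 32-bit x86 encodings of `mov eax, 0` and `xor eax, eax` from the Intel manual, scans a byte sequence for bytes a given copy routine would mangle, and models both a C-string copy and a length-based copy. The function names are my own.

```python
# Added example (not from the thread). Standard 32-bit x86 encodings:
#   mov eax, 0    -> B8 00 00 00 00  (B8 = mov eax, imm32; the immediate is four zero bytes)
#   xor eax, eax  -> 31 C0           (31 /r = xor r/m32, r32; ModRM C0 selects eax, eax;
#                                     assemblers such as MASM may emit the equivalent 33 C0)
MOV_EAX_0 = bytes([0xB8, 0x00, 0x00, 0x00, 0x00])
XOR_EAX_EAX = bytes([0x31, 0xC0])


def find_bad_bytes(code: bytes, bad: bytes = b"\x00") -> list:
    """Return (offset, value) pairs for every byte of `code` that is in `bad`.

    `bad` defaults to the single NUL byte; other constraints the thread mentions
    (e.g. "no uppercase") are just a different `bad` set.
    """
    return [(i, b) for i, b in enumerate(code) if b in bad]


def as_c_string_copy(buf: bytes) -> bytes:
    """Model a buffer copied by a NUL-terminated string routine (strcpy-style):
    everything from the first 0x00 onward is lost."""
    nul = buf.find(b"\x00")
    return buf if nul < 0 else buf[:nul]


def as_length_copy(buf: bytes) -> bytes:
    """Model a buffer copied by explicit length (memcpy-style): nothing is lost,
    which is iago's point about a simple overflow that jumps straight to the bytes."""
    return bytes(buf)


def survives(code: bytes, copy) -> bool:
    """True if `code` arrives intact through the given copy model."""
    return copy(code) == code


def report(label: str, code: bytes) -> str:
    """Human-readable summary for one instruction encoding."""
    bad = find_bad_bytes(code)
    return (
        f"{label}: {code.hex(' ')} | nul bytes at {[i for i, _ in bad]} | "
        f"C-string copy intact: {survives(code, as_c_string_copy)} | "
        f"length copy intact: {survives(code, as_length_copy)}"
    )


if __name__ == "__main__":
    print(report("mov eax, 0  ", MOV_EAX_0))
    print(report("xor eax, eax", XOR_EAX_EAX))
```

Running it shows the five-byte `mov` losing four bytes to a string copy while `xor` passes through both models, which is exactly why Newby's "I would use xor just because of that" only holds for the string-copy case and not for a length-based copy.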

