Assembly is Too High-Level: BSWAPin 16-bit Registers 1

  But what actually happens? As it turns out, the Intel manual is correct in stating that you should use xchg instead of bswap. In practice, it’s hard to say the result of this 16-bit bswap is ‘undefined;’ as it is consistent with what it does each time. Instead of swapping the contents of ah […]

bswap

addsub07

Assembly is Too High-Level: Self Modifying Code with Basic Arithmetic

I should say that we are able to do this trick all in assembly, but none of it would make sense without an understanding of machine code. This post is about simple self-modifying code tricks you can do with addition and subtraction to an instruction to make it another instruction, while also maintaining consistent addressing […]


Follow-up on creating Vm0wd2Qy > 9000

  This is referring to my previous post Vm0wd2Qy, and a clarification of how I got my results. If you repeatedly Base64 encode a string, you will eventually get Vm0wd2Qy as the first part of your string. In my previous post, I have 10,000 characters that you would eventually get as the first part of your string […]

base64_04

nearjump07

Assembly is Too High Level: Jump ‘Near’ When Short

This article is about a redundancy with short and near jumps. Both of the jumps I will talk about are relative; the immediate data after the jump instruction is a signed offset for how far to jump. The difference between a short and near jump is simple: the 0xeb short jump has a byte for […]


Vm0wd2Qy 2

This article will be about 2 encodings/interpretations of binary; ASCII and Base64. ASCII is an 8-bit (debatable I know, but go with it) character encoding, and Base64 is a 6-bit character encoding. Conversions can be made between them: Not too interesting. This post is more about a string like “Vm0wd2Qy”: [2nd command is just there […]

conversions3

rainbow-prop

Assembly is Too High Level: Subtracting by Comparing (Propeller)

If you’re familiar with x86, you’d know that a CMP (compare) instruction is the same as a SUB (subtract) instruction, with exception to the destination operand being written to. In other words, CMP is like a subtract, it just doesn’t write the value when done (but it does set all of the flags that a […]


Assembly is Too High-Level: AAD/AAM, Even the Math is Too High-Level

Oh boy, I love seeing words like these! Even though this post will focus on the AAD instruction, this applies to the below two instructions: I particularly love this one; because we get to see an illustration of abstractions being misleading on a few levels (assembly being too abstract, and even a mathematical formula being […]

Screen Shot 2015-10-20 at 5.45.36 PM

nopstick

Assembly is Too High Level: Propeller NOPs, like if_never 2

This post is not about x86/64, as the title goes, this is about the Propeller architecture. But first, here’s some x86 (hahaha): Note that if you encode the XCHG instruction with EAX, EAX, it would just be 0x90; the exact same machine code as: Sorry to have to put everyone though so much x86 for […]


Obscure FISTing 2

In the realms of assembly obfuscations, this isn’t extremely high in complexity. This is me finding an excuse to use the “FIST” instruction. In the context of the PoC, it is being used as a decoder for some encoded shellcode. Before going into the super technical details, below is a video of the PoC in […]

shellfistlogo

undoc09

Assembly Is Too High Level: Undocumented Code Exploration

With an assembler, your code gets assembled into machine code. All valid assembly instructions should be translated to corresponding machine code bytes. But in reverse, not every possible byte sequence is something that can be produced from assembly source. There a few categories of reasons for this: Reason 1:   Simple redundancies. XOR EAX, EAX […]