1
00:00:00,440 --> 00:00:01,460
Hello, my name is Stephen.

2
00:00:01,460 --> 00:00:05,090
And in this lecture we are going to disassemble the main function.

3
00:00:06,000 --> 00:00:06,460
In gdb.

4
00:00:06,930 --> 00:00:10,800
So we will start gdb with hello for our analysis.

5
00:00:10,800 --> 00:00:14,670
But firstly, if you didn't watch the previous lecture, here we have this.

6
00:00:14,670 --> 00:00:15,660
Hello, here.

7
00:00:15,840 --> 00:00:20,280
So we created this in the previous section here.

8
00:00:20,280 --> 00:00:22,020
So if we run this...

9
00:00:22,050 --> 00:00:28,080
So we wrote that in assembly language and, basically, it prints out the Hello World message.

10
00:00:28,080 --> 00:00:29,820
And we also have this.

11
00:00:30,750 --> 00:00:31,890
Source code here.

12
00:00:32,910 --> 00:00:37,140
The .asm is here, so we will open the project here.

13
00:00:37,140 --> 00:00:37,380
Hello.

14
00:00:38,040 --> 00:00:38,850
So this is our...

15
00:00:38,850 --> 00:00:39,110
The...

16
00:00:39,150 --> 00:00:40,700
This is our source code.

17
00:00:40,710 --> 00:00:46,980
And then we will compile that to hello here, and now we will disassemble the main.

18
00:00:46,980 --> 00:00:54,270
So we will start gdb here, and after that we will pass the hello file.

19
00:00:54,840 --> 00:00:59,430
So you need to be in the same directory as your output file.

20
00:00:59,430 --> 00:01:06,930
So now, here, as you learned before, the Hello World program first initializes

21
00:01:06,930 --> 00:01:16,410
some data in this section, the .data and section .bss here, and then proceeds to the main label,

22
00:01:16,410 --> 00:01:19,140
and this is where the action starts here.

23
00:01:19,140 --> 00:01:21,720
So let's begin our examination there.

24
00:01:21,870 --> 00:01:26,160
And at the gdb prompt you will type disassemble...

25
00:01:27,410 --> 00:01:27,920
disassemble

26
00:01:29,060 --> 00:01:33,830
main, and here gdb returns your source code, more or less.
27
00:01:33,830 --> 00:01:40,040
So the returned source code isn't exactly the same as your source code as it was originally written, right? Right.

28
00:01:40,040 --> 00:01:44,960
So it actually has some mov, movabs here.

29
00:01:44,960 --> 00:01:48,920
So as you can see, it's not the same.

30
00:01:48,920 --> 00:01:52,130
And gdb returns your source code, more or less.

31
00:01:52,130 --> 00:01:55,730
But let's actually question that.

32
00:01:55,760 --> 00:01:56,630
Strange, isn't it?

33
00:01:56,630 --> 00:01:57,050
Right.

34
00:01:57,050 --> 00:01:58,010
What happened there?

35
00:01:58,010 --> 00:02:01,430
And there is some analysis needed here.

36
00:02:01,430 --> 00:02:11,300
So the long numbers on the left, starting with 0x000 and so on, these are the memory

37
00:02:11,300 --> 00:02:11,960
addresses.

38
00:02:11,960 --> 00:02:15,860
So these long numbers on the left are the memory addresses.

39
00:02:15,860 --> 00:02:22,490
So they are the places where the machine instructions of our program are stored, as you can see

40
00:02:22,490 --> 00:02:24,680
here from the addresses.

41
00:02:24,680 --> 00:02:26,110
And...

42
00:02:27,380 --> 00:02:28,520
Well, the pluses here.

43
00:02:28,700 --> 00:02:35,750
Zero, plus five, ten, 20, 25, 27, 32, 37 in the second line here.

44
00:02:36,120 --> 00:02:38,330
This is the first instruction.

45
00:02:38,330 --> 00:02:39,110
mov.

46
00:02:39,650 --> 00:02:46,640
mov eax, 0x1 needs five bytes of memory.

47
00:02:46,640 --> 00:02:47,090
So.

48
00:02:47,090 --> 00:02:48,020
But wait a minute.

49
00:02:48,020 --> 00:02:53,060
So in our source code, we wrote mov rax, 1.

50
00:02:53,470 --> 00:02:55,670
So what's the deal with the eax here?

51
00:02:55,670 --> 00:02:56,060
Right.

52
00:02:56,060 --> 00:03:02,780
So, well, if you look at the register table on our Linux here, you will see that eax is the low

53
00:03:02,780 --> 00:03:05,990
32-bit part of the rax register.
54
00:03:05,990 --> 00:03:14,000
So the assembler is smart enough to figure out that the 64-bit register is far too much, too much

55
00:03:14,000 --> 00:03:20,210
waste of resources for storing the number one, so it uses the 32-bit register.

56
00:03:20,210 --> 00:03:28,410
So the same is true for the use of edx here, and edi, edi and edx here.

57
00:03:28,770 --> 00:03:30,540
edi, edx.

58
00:03:30,690 --> 00:03:41,040
So here in this table we have rdi and rdx, but here our compiler changed it to edi

59
00:03:41,040 --> 00:03:44,700
and edx, so it uses them here.

60
00:03:45,790 --> 00:03:47,370
And the same applies.

61
00:03:47,380 --> 00:03:55,360
So our compiler didn't want to waste so much memory for these decimal numbers, as it didn't need to.

62
00:03:55,360 --> 00:04:02,500
And the 64-bit assembler is an extension of the 32-bit assembler, and you will see that, whenever possible,

63
00:04:02,500 --> 00:04:06,400
the assembler will use 32-bit instructions.

64
00:04:06,400 --> 00:04:14,380
So the 0x1 is the hexadecimal representation of the decimal number one.

65
00:04:14,380 --> 00:04:14,710
Right?

66
00:04:14,710 --> 00:04:18,400
So you learned that in the previous lecture, and 0xd...

67
00:04:19,620 --> 00:04:24,260
0xd or 0xc. So 0xd

68
00:04:24,260 --> 00:04:30,380
is the decimal representation of 13, and 0xc

69
00:04:30,410 --> 00:04:34,010
is the decimal representation of 12.

70
00:04:34,810 --> 00:04:42,670
And 0x3c is the decimal representation of 60.

71
00:04:42,700 --> 00:04:52,840
So the nop instruction here, the nop instruction means no operation, and it is inserted there by

72
00:04:52,840 --> 00:04:54,820
the assembler.

73
00:04:55,970 --> 00:04:58,070
For a memory management reason.

74
00:04:58,070 --> 00:05:00,670
But you might be...

75
00:05:00,680 --> 00:05:02,270
We might be missing something here.

76
00:05:02,270 --> 00:05:02,570
Right?

77
00:05:02,570 --> 00:05:06,620
So what happened to our message?
78
00:05:06,650 --> 00:05:07,340
Right.

79
00:05:07,700 --> 00:05:11,960
So we don't have any message here, as you can see here.

80
00:05:12,820 --> 00:05:13,510
Now.

81
00:05:15,470 --> 00:05:18,020
This instruction here.

82
00:05:18,200 --> 00:05:18,680
mov.

83
00:05:18,860 --> 00:05:19,200
mov...

84
00:05:19,230 --> 00:05:19,490
abs.

85
00:05:19,670 --> 00:05:20,030
rsi.

86
00:05:20,690 --> 00:05:22,490
Here, as you can see.

87
00:05:22,490 --> 00:05:22,850
Here.

88
00:05:22,880 --> 00:05:23,270
mov.

89
00:05:23,450 --> 00:05:24,170
mov.

90
00:05:24,200 --> 00:05:24,770
rsi.

91
00:05:24,810 --> 00:05:28,650
message got replaced by mov...

92
00:05:28,670 --> 00:05:30,650
Actually, let's make it always on top.

93
00:05:30,650 --> 00:05:36,620
So this "mov rsi, message" here got replaced by mov...

94
00:05:36,660 --> 00:05:39,230
abs, movabs rsi.

95
00:05:39,650 --> 00:05:44,930
And here we have this hexadecimal number, 0x404010.

96
00:05:44,930 --> 00:05:48,040
So don't worry about movabs for now.

97
00:05:48,050 --> 00:05:56,060
So it is there because of the 64-bit addressing, and it is used to put an immediate value in a register,

98
00:05:56,060 --> 00:06:03,290
and this 0x404010 is the memory address where message is stored on our computer.

99
00:06:03,290 --> 00:06:06,650
And this can be a different address in your case.

100
00:06:06,650 --> 00:06:09,920
So it's actually changing and...

101
00:06:11,440 --> 00:06:12,620
At the gdb...

102
00:06:13,190 --> 00:06:16,610
Let's actually type the following here.

103
00:06:16,970 --> 00:06:20,060
x/s 0x

104
00:06:20,060 --> 00:06:27,800
So you will use this slash, the one you are using for the URLs in your browser, not the reverse slash

105
00:06:27,800 --> 00:06:28,370
here.

106
00:06:28,460 --> 00:06:33,560
So 0x404010.

107
00:06:34,370 --> 00:06:35,570
Here.

108
00:06:35,570 --> 00:06:38,240
Or actually, instead, you will write this.
109
00:06:38,990 --> 00:06:41,000
You see, this will be different on your system.

110
00:06:41,000 --> 00:06:42,680
This value will be different on your system.

111
00:06:42,680 --> 00:06:45,360
So you will write this...

112
00:06:47,020 --> 00:06:49,850
your value here, and not 404010.

113
00:06:49,870 --> 00:06:55,120
So in this case, I will write 404010 because our message resides on that.

114
00:06:55,120 --> 00:07:01,770
And here we access it, and we will press enter, and that's it.

115
00:07:01,780 --> 00:07:06,850
So here we have the Hello World message in this memory.

116
00:07:07,590 --> 00:07:15,770
And the x here stands for examine, and s stands for string.

117
00:07:15,780 --> 00:07:24,480
And gdb answered that our 0x404010 hexadecimal number is the start of the string

118
00:07:24,480 --> 00:07:31,380
message, and tries to show the whole string up until the string-terminating zero that we put

119
00:07:31,380 --> 00:07:31,860
here.

120
00:07:31,860 --> 00:07:38,880
So now you know one of the reasons why we put a terminating zero after the Hello World, and you can

121
00:07:38,880 --> 00:07:41,070
also type the...

122
00:07:42,700 --> 00:07:43,780
No, there, actually.

123
00:07:43,780 --> 00:07:46,330
You can also type this here.

124
00:07:46,540 --> 00:07:53,530
Instead of s, you can type c, and here we got this H here.

125
00:07:53,650 --> 00:07:59,860
So, with the c here, with the c here, you ask for a character.

126
00:08:00,840 --> 00:08:01,220
Right.

127
00:08:01,580 --> 00:08:09,830
So here gdb returns the first character of our message, preceded by the decimal ASCII code of

128
00:08:09,860 --> 00:08:10,880
that character.

129
00:08:10,880 --> 00:08:20,330
In this case, it's 104, and do a Google search here, or a table of ASCII codes, to verify, and keep that

130
00:08:20,330 --> 00:08:22,070
table handy for future use.
131
00:08:22,070 --> 00:08:30,350
So there's no need to memorize it, or open an additional terminal window here and type

132
00:08:30,500 --> 00:08:34,850
man ascii here, and here

133
00:08:35,120 --> 00:08:37,850
we will see all the ASCII tables here.

134
00:08:37,850 --> 00:08:48,290
And it wrote something like, it's actually 100, 104 here, so 104.

135
00:08:48,290 --> 00:08:50,870
So it's actually...

136
00:08:52,050 --> 00:08:53,220
H here needs to be...

137
00:08:53,270 --> 00:08:53,730
H.

138
00:08:56,620 --> 00:08:58,920
A, B, C, D, as you can see here, characters.

139
00:08:58,930 --> 00:09:00,640
And we also have...

140
00:09:02,050 --> 00:09:05,440
On the left side we have octal, decimal, hex and character here.

141
00:09:10,720 --> 00:09:13,030
So we will press enter.

142
00:09:15,170 --> 00:09:17,540
We see the H.

143
00:09:18,060 --> 00:09:26,310
And as you can see here, in 104 of the decimal here, we are seeing our H.

144
00:09:28,300 --> 00:09:28,960
We can...

145
00:09:29,170 --> 00:09:33,790
This man is always useful for Linux users here.

146
00:09:34,540 --> 00:09:35,260
And...

147
00:09:36,210 --> 00:09:39,150
Well, let's actually look at the other examples as well.

148
00:09:39,270 --> 00:09:47,610
So we will write here, before c we will write 13, c here, and that's it.

149
00:09:47,610 --> 00:10:00,120
Here we have this h, e, l, l, o, comma, space, world here, so you can use this, the following 13

150
00:10:00,120 --> 00:10:04,080
characters, to write all the...

151
00:10:05,770 --> 00:10:09,190
the characters that reside at that memory address.

152
00:10:09,190 --> 00:10:16,240
And as you can see, it starts from 0x404010 and ends at 0x404018 here.

153
00:10:17,030 --> 00:10:17,510
So.

154
00:10:19,070 --> 00:10:19,580
Now, that's it.

155
00:10:19,580 --> 00:10:22,640
And we can also do this here instead of characters.

156
00:10:22,640 --> 00:10:25,120
We can do the d here.
157
00:10:25,280 --> 00:10:29,840
And as you can see here, instead of seeing characters, we are seeing the decimal representation

158
00:10:29,840 --> 00:10:32,300
of those characters in the ASCII table.

159
00:10:32,570 --> 00:10:34,760
And we can also use this.

160
00:10:36,050 --> 00:10:39,040
You can also use x with this.

161
00:10:39,040 --> 00:10:45,820
Here we are seeing the 13 characters starting at the memory address in a hexadecimal representation.

162
00:10:47,220 --> 00:10:55,080
And we can also do this here: x, and ampersand here, and message.

163
00:10:55,410 --> 00:10:59,010
And as you can see, we are seeing the full Hello World.

164
00:10:59,160 --> 00:11:06,150
And now let's return to the disassembly listing in the next lecture.

165
00:11:06,150 --> 00:11:06,830
So I'm waiting for you in...

166
00:11:06,840 --> 00:11:07,410
the next lecture.