mousey

Reputation: 11901

Need some help with x86 assembly

MODRM_EAX_06 MACRO   ;/* [EAX], with reg/opcode: /6 */ 
    BYTE    030h 
ENDM 

What does byte 030h do?

For additional info this macro is used in

; void vmxPtrld(u64 addr)
VmxPtrld PROC StdCall _addr_low,_addr_high
    mov  eax,8            ; [ebp+8] is the first stack argument (_addr_low)
    add  eax,ebp          ; eax = address of the 64-bit argument
    vmx_ptrld             ; macro (defined elsewhere)
    MODRM_EAX_06          ; macro: emits the byte 030h
    ret
VmxPtrld ENDP

I just want to understand what the macro does in the following code?

Upvotes: 2

Views: 261

Answers (3)

Matthew Slattery

Reputation: 47058

Many opcodes are followed by a ModR/M byte, which is split into 3 portions: the top two bits are "Mod", the next three are "Reg", and the bottom three are "R/M".

The combination of the "Mod" and "R/M" portions specify a register and addressing mode; the "Reg" portion may specify another register, or, in some cases, may specify a further extension to the opcode.

In this case, the ModR/M byte looks like this:

    0 0 1 1 0 0 0 0
    \_/ \___/ \___/
    Mod  Reg   R/M

Mod bits of 00 and R/M bits of 000 mean an addressing mode of [EAX] (in 32-bit mode).

The remaining Reg bits are 6 in decimal. Hence MODRM_EAX_06.

To fully understand what is going on in your example, you need to know what the vmx_ptrld macro does. Assuming that this is indeed what @sixlettervariables found, vmx_ptrld produces bytes 0F C7.

0F is the first byte of a two-byte opcode. In many cases, the next byte will complete the opcode; but C7 indicates that further bits must be read from the Reg field of the ModR/M byte to determine what the opcode is. So the final opcode is 0F followed by C7 followed by the 6 from the Reg field of the ModR/M byte, written as 0F C7 /6 in Intel's manuals (which can be found here).

0F C7 /6 is VMPTRLD, so the real meaning of your routine is:

mov eax,8 
add eax,ebp 
vmptrld [eax]
ret 

Presumably it has been written like this for the benefit of old assemblers which do not understand the (relatively recent) VMX instructions.

Upvotes: 5
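The field split described in the answer above, worked through as an added C example (this is not code from the question, the answers, or bluepill): a ModR/M encoder/decoder, a resolver for the 0F C7 opcode group, and a function that emits the same three bytes that `vmx_ptrld` followed by `MODRM_EAX_06` spell out by hand. The function and type names (`modrm_decode`, `encode_vmptrld_mem`, `opcode_0fc7`, ...) are this example's own. It also shows the caveat a reader of the ModR/M table should keep in mind: the Reg field alone does not finish the opcode for this group, because 0F C7 /6 with mod=11 (a register operand) is RDRAND, not VMPTRLD, and in mod=00 the R/M values 100 and 101 do not mean [esp] and [ebp] but "SIB byte follows" and "disp32 follows".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The three fields of a ModR/M byte: mod = bits 7-6, reg = bits 5-3, rm = bits 2-0. */
typedef struct {
    unsigned mod;
    unsigned reg;
    unsigned rm;
} modrm_t;

modrm_t modrm_decode(uint8_t b) {
    modrm_t m;
    m.mod = (b >> 6) & 3;
    m.reg = (b >> 3) & 7;
    m.rm  = b & 7;
    return m;
}

uint8_t modrm_encode(unsigned mod, unsigned reg, unsigned rm) {
    return (uint8_t)(((mod & 3) << 6) | ((reg & 7) << 3) | (rm & 7));
}

/* 32-bit register names indexed by their 3-bit register number. */
static const char *const reg32[8] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};

/* Render the operand selected by mod and rm (32-bit addressing, no SIB decoding).
   rm=100 with mod!=11 means a SIB byte follows; mod=00 with rm=101 means a
   bare disp32. Both are reported rather than mis-described as [esp]/[ebp]. */
const char *modrm_operand(uint8_t b, char *buf, size_t len) {
    modrm_t m = modrm_decode(b);
    if (m.mod == 3)
        snprintf(buf, len, "%s", reg32[m.rm]);
    else if (m.rm == 4)
        snprintf(buf, len, "[SIB follows]");
    else if (m.mod == 0 && m.rm == 5)
        snprintf(buf, len, "[disp32 follows]");
    else if (m.mod == 0)
        snprintf(buf, len, "[%s]", reg32[m.rm]);
    else
        snprintf(buf, len, "[%s+disp%d]", reg32[m.rm], m.mod == 1 ? 8 : 32);
    return buf;
}

/* Resolve the 0F C7 group (no 66h/F3h prefix): the Reg field, together with
   whether the operand is memory or a register, completes the opcode. Only the
   members relevant here are named; other Reg values are not covered. */
const char *opcode_0fc7(uint8_t modrm) {
    modrm_t m = modrm_decode(modrm);
    if (m.mod == 3) {
        if (m.reg == 6) return "rdrand";   /* same /6, but register-direct */
        if (m.reg == 7) return "rdseed";
        return "(not handled)";
    }
    switch (m.reg) {
    case 1:  return "cmpxchg8b";
    case 6:  return "vmptrld";             /* 0F C7 /6 with a memory operand */
    case 7:  return "vmptrst";
    default: return "(not handled)";
    }
}

/* Emit 0F C7 /6 with a [base_reg] operand, which is what the two macros in the
   question produce for base_reg=0 (eax). Returns the byte count, or -1 when
   base_reg cannot be encoded as a plain [reg] in mod=00 (esp, ebp). */
int encode_vmptrld_mem(unsigned base_reg, uint8_t out[3]) {
    if (base_reg > 7 || base_reg == 4 || base_reg == 5) return -1;
    out[0] = 0x0F;
    out[1] = 0xC7;
    out[2] = modrm_encode(0, 6, base_reg);
    return 3;
}

int main(void) {
    uint8_t ins[3];
    char buf[32];
    int n = encode_vmptrld_mem(0, ins);    /* vmptrld [eax] */
    printf("encoding:");
    for (int i = 0; i < n; i++) printf(" %02X", ins[i]);
    printf("  -> %s %s\n", opcode_0fc7(ins[2]), modrm_operand(ins[2], buf, sizeof buf));
    modrm_t m = modrm_decode(0x30);
    printf("030h: mod=%u reg=%u rm=%u\n", m.mod, m.reg, m.rm);
    return 0;
}
```

Two further points the table does not make visible on its own: the same three bytes under a 66h prefix are VMCLEAR and under an F3h prefix are VMXON, so any hand-assembled VMX stub must not let the assembler insert an operand-size prefix in front of them; and because `encode_vmptrld_mem` rejects esp and ebp as the base, a routine that wants `vmptrld [ebp+8]` directly would need mod=01 with a disp8 rather than the mod=00 form used here.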

ninjalj

Reputation: 43748

Looking at bluepill (which I guess is the code the OP is asking about), vmx_ptrld is also a macro, so

vmx_ptrld
MODRM_EAX_06

is a single instruction, MODRM_EAX_06 being the data for the instruction.

Rationale: bluepill is a PoC exploit for virtualization. When it was written, apparently the assembler that was used didn't yet support virtualization-related instructions, so they got coded inline via macros.

Upvotes: 1

Jerry Coffin

Reputation: 490633

It looks like they're using this to generate instructions, and this is a mod r/m byte of an instruction.

Upvotes: 4
