The FASM code as below (can be compiled by FASM on any operating system, but the assembled binary is targeting Linux x64):



This prints "Hello World", but can you find out why a series of "MOV RAX, qword" can prints text string in terminal?



This post has been edited by MatQuasar: Jul 20 2023, 05:50 PM


Attached File(s)
 hw.zip ( 459bytes ) Number of downloads: 4

%rax|System call|%rdi|%rsi |%rdx
1|sys_write|unsigned int fd |const char *buf |size_t count

you set rdi with file descriptor. 1 mean stdout
rsi where your string is
rdx is your string length
rax is syscall no for sys_write

you call sys_write twice


That mov instructions turn into a series of byte values after compilation. Then you jump to certain offset within that byte value. Hard for me to explain it, but it is like obfuscation technique to confuse disassembler

Nice, how did you able to solve it? Manual tweaking, or using plain debugger?

It is crafted by author of ARM assembler (FASMARM), he and Tomasz (author of x86/x64 assembler) are experts in this field.

This is his original code (with macro language) to create the program at Post #1:



Hope you can make the best use of your skill, @epud2!

Thanks. I wish the same for you as well

I fisrt tried to copy paste the code on a program that ran by x64dbg. It kinda stupid but it is still valid asm instructions which mean i can step through the instructions.
However i'm stuck with the jump instruction. Don't really know what the jump is, so I moved on to another thing.

This time I modified the code as PE binary and debug it with x64dbg. I already have fasm in my PC so it was easy thing to do.
As I step over the code I noticed instructions that move 6 and 1 into register. And I also noticed syscall instruction.
Stepping over syscall caused an error and it is expected since the code is supposed to run on linux.

The reason I debug in windows was because i'm not sure if i still have a debugger in my linux vm.
When i ran my linux machine i found out i do still have it. It is called edb, quite similar to x64dbg, written in qt and open source.

I didn't use debugger, but this is how I tweaked it so that it disassembles correctly in IDA Free:



If I understand correctly, "MOV RAX,qword" is 2-byte opcode, so I change it with NOP in order to show the real Assembly code beneath it.

Actually the "JMP $$ +22" will jump directly the code after the double NOP.