Archive for March, 2010

Assembly 101 – Memory

March 23, 2010

It seems this blog got abandoned by me due to a busy schedule, but anyway, since this blog is a little storage from the corner of my mind, I think it is no problem if I don't have time to write on it all the time. Time is essential; a little time is worth so much if we can appreciate it. It happens that I have a little free time today, so I guess I am going to dig up some old memories from the dark corner of my mind.

I started learning Assembly when I was in the 1st grade of High School, and it was actually pretty exciting to discover new things on my own. For the record, I learned assembly the hard way: I didn't read a lot of books, I just faced it in the DOS era and learned from there, and even cracked how the AND, OR, XOR operators work on my own, since nobody would tell me back then, and the lack of book resources led me to self-education, which is the hard way.

Well enough with the blabbering…

I think I’ll start again writing on this blog on the matter of assembly.

If you ask me what assembly is, well, my answer is: type Assembly in Google. You'll understand it much better that way than explained by me.

Okay, let's start with computer memory.
In the old days of DOS (miss those days), we only knew that Intel used the concept of Real Mode for its memory. That means that if you have an operating system in one chunk of the address space in memory and an application in another chunk, the application can easily write to and modify the operating system code in its chunk of memory. In other words, any application can overwrite the OS code in the OS memory, which leads us where? A crash. Just look at the old MS-DOS for example: if you run a program and that program hangs, what can you do to get back to the DOS prompt? Well, there are not many options: you just have to hit the reset button or press Ctrl + Alt + Delete. In today's operating systems, if an application crashes, you close it without having to reset the whole computer system, bla.. bla.. bla..

Why does that happen? Because Real Mode gives us no protection at all when accessing memory. Anybody from anywhere can access memory everywhere. That's the big picture of real mode.

But hey, since this is now another era of computing, what happened to real mode? Is it still there in our computers or not? The answer is YES, it is still there. Can I overwrite the OS memory now, since it is still there? The answer is NO if you are using Windows, or any modern OS that uses the latest memory model from Intel.

The question is, what kind of memory model prevents us from overwriting the memory area of the OS, aka the kernel? The answer is Protected Mode. I first learned Protected Mode in High School too. So, as I am saying, this is from my long-gone memory.

So now we know 2 kinds of memory mode in Intel processors: Real Mode and Protected Mode. Actually there's another mode that Intel uses, called System Management Mode (SMM), but I am not going to discuss that now.

In Protected Mode, memory is guarded by protection mechanisms that prevent an unauthorized application from overwriting kernel memory.
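A simplified model of that difference, as an added example (not code from the original post): a 1 MiB byte array stands in for memory, the real-mode write uses the segment * 16 + offset address with no check, and the protected-mode write applies a privilege and segment-limit check first. The `segment` struct, the function names and the OS/application addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MEM_SIZE 0x100000u          /* 1 MiB address space of real mode */
#define OS_BASE  0x00600u           /* constructed: where the toy "OS" lives */
#define APP_BASE 0x10000u           /* constructed: where the toy application lives */

static uint8_t mem[MEM_SIZE];       /* simulated physical memory */

/* Real mode: address = segment * 16 + offset, and nothing checks the writer. */
static int real_mode_write(uint16_t seg, uint16_t off, uint8_t val) {
    uint32_t linear = (((uint32_t)seg << 4) + off) % MEM_SIZE; /* 8086-style wrap */
    mem[linear] = val;
    return 0;                       /* always succeeds */
}

/* Simplified segment descriptor (a model, not the CPU's real 8-byte layout). */
struct segment { uint32_t base, limit; uint8_t dpl; int writable; };

/* Returns 0 on success, -1 where the CPU would raise a protection fault. */
static int protected_write(const struct segment *s, uint8_t cpl,
                           uint32_t off, uint8_t val) {
    if (cpl > s->dpl) return -1;    /* caller is less privileged than the segment */
    if (!s->writable) return -1;    /* read-only segment */
    if (off > s->limit) return -1;  /* offset beyond the segment limit */
    if (s->base + off >= MEM_SIZE) return -1; /* keep the model in bounds */
    mem[s->base + off] = val;
    return 0;
}

int main(void) {
    struct segment kernel = { OS_BASE,  0x0FFF, 0, 1 };  /* ring 0 only */
    struct segment app    = { APP_BASE, 0xFFFF, 3, 1 };  /* ring 3 allowed */

    mem[OS_BASE] = 0xAA;                                 /* pretend OS code byte */
    real_mode_write(0x0060, 0x0000, 0xCC);               /* 0x0060:0x0000 = 0x00600 */
    printf("real mode: OS byte is now 0x%02X\n", mem[OS_BASE]);

    mem[OS_BASE] = 0xAA;
    printf("ring 3 -> kernel segment: %d\n", protected_write(&kernel, 3, 0, 0xCC));
    printf("ring 3 -> own segment:    %d\n", protected_write(&app, 3, 0x10, 0x41));
    printf("ring 3 -> past own limit: %d\n", protected_write(&app, 3, 0x10000, 0x41));
    printf("OS byte still 0x%02X\n", mem[OS_BASE]);
    return 0;
}
```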

There are a couple of protection mechanisms: segment protection and paging protection.
Yeah, you heard me, Segment Protection and Paging Protection.

What the h**l is that, you're asking again?
OK, for the answer you must wait for the next post… For now I've got work to do reversing some code…

Categories: Reverse Engineering