assembly/disassembly instruction operand

Looking at some of the assembly and disassembly code in "The Shellcoder's Handbook", I foun开发者_开发问答d that the sequence operand for an instruction is not the same.

For example, on assembly:

mov ebx,0

and, on disassembly:

mov 0,ebx

Why is this so?

Either there's something wrong with your assembler or disassembler, or there's a simple mismatch in notation.

For example, the two common notations for x86 (Intel and AT&T) reverse the order of the operands, like:

mov  ebx, 0     ; Intel
mov  $0, %ebx   ; AT&T

Both of these mean the same thing, setting the ebx register to zero.

In the Shellcoder's Handbook that you reference, the tools being used are using the two different notations. For example, on one page (pg 39 in my edition), you see this text:

Let's write these three steps in assembly. We can then get an ELF binary; from this file we can finally extract the opcodes.

Section .text
global _start
_start:
    mov ebx,0
    mov eax,1
    int 0x80

Now we want to use the nasm assembler to create our object file, and then use the GNU linker to link object files:

[slap@0day root] nasm -f elf exit_shellcode.asm
[slap@0day root] ld -o exit_shellcode exit_shellcode.o

Finally, we are ready to get our opcodes. In this example, we will use objdump. The objdump utility is a simple tool that displays the contents of object files in human readable form. It also prints out the opcode nicely when displaying contents of the object file, which makes it useful in designing shellcode. Run our program through objdump, like this:

[slap@0day root] objdump -d exit_shellcode
exit_shellcode:file format elf32-i386
Disassembly of section .text:
08048080 <.text>:
8048080: bb 00 00 00 00 mov $0x0,%ebx
8048085: b8 01 00 00 00 mov $0x1,%eax
804808a: cd 80          int $0x80

From that, you can see quite clearly that nasm expects the Intel notation but objdump produces AT&T notation. You just have to get used to the differences between them.