CloudFlare suffered a massive security issue affecting all of its customers, including Rosetta Code. All passwords not changed since February 19th 2017 have been expired, and session cookie longevity will be reduced until late March.--Michael Mol (talk) 05:15, 25 February 2017 (UTC)

Machine code

From Rosetta Code
Task
Machine code
You are encouraged to solve this task according to the task description, using any language you may know.

The task requires poking machine code directly into memory and executing it. This is strictly for x86 (32 bit) architectures. The machine code is the opcodes of the following simple program:

mov EAX, [ESP+4]
add EAX, [ESP+8]
ret

which translates into the following opcodes: (139 68 36 4 3 68 36 8 195) and in Hex this would correspond to the following: ("8B" "44" "24" "4" "3" "44" "24" "8" "C3")

Implement the following in your favorite programming language (take the common lisp code as an example if you wish):

  1. Poke the above opcodes into a memory pointer
  2. Excute it with the following arguments: [ESP+4] => unsigned-byte argument of value 7; [ESP+8] => unsigned-byte argument of value 12; The result would be 19.
  3. Free the Pointer

AutoHotkey[edit]

MCode Tutorial (Forum Thread)

MCode4GCC (Forum Thread | GitHub) - An MCode generator using the GCC Compiler.

MCode(Var, "8B44240403442408C3")
MsgBox, % DllCall(&Var, "Char",7, "Char",12)
Var := ""
return
 
; http://www.autohotkey.com/board/topic/19483-machine-code-functions-bit-wizardry/
MCode(ByRef code, hex) { ; allocate memory and write Machine Code there
VarSetCapacity(code, StrLen(hex) // 2)
Loop % StrLen(hex) // 2
NumPut("0x" . SubStr(hex, 2 * A_Index - 1, 2), code, A_Index - 1, "Char")
}

BBC BASIC[edit]

Note that BBC BASIC for Windows includes an 80386/80486 assembler as standard!

      REM Claim 9 bytes of memory
SYS "GlobalAlloc",0,9 TO code%
 
REM Poke machine code into it
P%=code%
[OPT 0
mov EAX, [ESP+4]
add EAX, [ESP+8]
ret
]
 
REM Run code
SYS code%,7,12 TO result%
PRINT result%
 
REM Free memory
SYS "GlobalFree",code%
END

C[edit]

#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
 
int test (int a, int b)
{
/*
mov EAX, [ESP+4]
add EAX, [ESP+8]
ret
*/

char code[] = {0x8B, 0x44, 0x24, 0x4, 0x3, 0x44, 0x24, 0x8, 0xC3};
void *buf;
int c;
/* copy code to executable buffer */
buf = mmap (0,sizeof(code),PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_ANON,-1,0);
 
memcpy (buf, code, sizeof(code));
/* run code */
c = ((int (*) (int, int))buf)(a, b);
/* free buffer */
munmap (buf, sizeof(code));
return c;
}
 
int main ()
{
printf("%d\n", test(7,12));
return 0;
}

Common Lisp[edit]

;;Note that by using the 'CFFI' library, one can apply this procedure portably in any lisp implementation; 
;; in this code however I chose to demonstrate only the implementation-dependent programs.
 
;;CCL
;; Allocate a memory pointer and poke the opcode into it
(defparameter ptr (ccl::malloc 9))
 
(loop for i in '(139 68 36 4 3 68 36 8 195)
for j from 0 do
(setf (ccl::%get-unsigned-byte ptr j) i))
 
;; Execute with the required arguments and return the result as an unsigned-byte
(ccl::ff-call ptr :UNSIGNED-BYTE 7 :UNSIGNED-BYTE 12 :UNSIGNED-BYTE)
 
;; Output = 19
 
;; Free the pointer
(ccl::free ptr)
 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;SBCL
(defparameter mmap (list 139 68 36 4 3 68 36 8 195))
 
(defparameter pointer (sb-alien:make-alien sb-alien:unsigned-char (length mmap)))
 
(defparameter callp (loop for byte in mmap
for i from 0
do
(setf (sb-alien:deref pointer i) byte)
finally
(return (sb-alien:cast pointer (function integer integer integer)))))
 
(sb-alien:alien-funcall callp 7 12)
 
(loop for i from 0 below 18 collect (sb-alien:deref ptr i))
 
(sb-alien:free-alien pointer)
 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;CLISP
(defparameter mmap (list 139 68 36 4 3 68 36 8 195))
 
(defparameter POINTER (FFI:FOREIGN-ADDRESS (FFI:FOREIGN-ALLOCATE 'FFI:UINT8 :COUNT 9)))
 
(loop for i in mmap
for j from 0 do
(FUNCALL #'(SETF FFI:MEMORY-AS) i POINTER 'FFI:INT j))
 
(FUNCALL
(FFI:FOREIGN-FUNCTION POINTER
(LOAD-TIME-VALUE
(FFI:PARSE-C-TYPE
'(FFI:C-FUNCTION (:ARGUMENTS 'FFI:INT 'FFI:INT) (:RETURN-TYPE FFI:INT) (:LANGUAGE :STDC)))))
7 12)
 
(FFI:FOREIGN-FREE POINTER)
 

D[edit]

In D you usually use a nicer asm {} statement for similar purposes.

Generally new operating systems forbid execution of any address unless it's known to contain executable code. This is a basic version that unlike the C entry executes from array memory. This may crash on some operating systems.

int test(in int a, in int b) pure nothrow @nogc {
/*
mov EAX, [ESP+4]
add EAX, [ESP+8]
ret
*/

immutable ubyte[9] code = [0x8B, 0x44, 0x24, 0x4, 0x3, 0x44, 0x24, 0x8, 0xC3];
alias F = extern(C) int function(int, int) pure nothrow @nogc;
immutable f = cast(F)code.ptr;
return f(a, b); // Run code.
}
 
void main() {
import std.stdio;
 
test(7, 12).writeln;
}
Output:
 19

Nim[edit]

Translation of: C
import posix
 
when defined(macosx) or defined(bsd):
const MAP_ANONYMOUS = 0x1000
elif defined(solaris):
const MAP_ANONYMOUS = 0x100
else:
var
MAP_ANONYMOUS {.importc: "MAP_ANONYMOUS", header: "<sys/mman.h>".}: cint
 
proc test(a, b: cint): cint =
# mov EAX, [ESP+4]
# add EAX, [ESP+8]
var code = [0x8B'u8, 0x44, 0x24, 0x4, 0x3, 0x44, 0x24, 0x8, 0xC3]
 
# create executable buffer
var buf = mmap(nil, sizeof(code), PROT_READ or PROT_WRITE or PROT_EXEC,
MAP_PRIVATE or MAP_ANONYMOUS, -1, 0)
 
# copy code to buffer
copyMem(addr buf, addr code[0], sizeof(code))
 
# run code
{.emit: "`result` = ((int (*) (int, int))&`buf`)(`a`,`b`);".}
 
# free buffer
discard munmap(buf, sizeof(code))
 
echo test(7, 12)

PARI/GP[edit]

GP can't peek and poke into memory, but PARI can add in those capabilities via C.

Translation of: C
#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <pari/pari.h>
 
int
test(int a, int b)
{
char code[] = {0x8B, 0x44, 0x24, 0x4, 0x3, 0x44, 0x24, 0x8, 0xC3};
void *buf;
int c;
/* copy code to executable buffer */
buf = mmap (0,sizeof(code),PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_ANON,-1,0);
 
memcpy (buf, code, sizeof(code));
/* run code */
c = ((int (*) (int, int))buf)(a, b);
/* free buffer */
munmap (buf, sizeof(code));
return c;
}
 
void
init_auto(void)
{
pari_printf("%d\n", test(7,12));
return 0;
}

Pascal[edit]

Tested under Linux with Freepascal 2.6.4-32BIt ( like the Code used ) cdecl doesn't work in Freepascal under Linux 64-bit

Program Example66;
{Inspired... program to demonstrate the MMap function. Freepascal docs }
Uses
BaseUnix,Unix;
 
const
code : array[0..9] of byte = ($8B, $44, $24, $4, $3, $44, $24, $8, $C3, $00);
a :longInt= 12;
b :longInt= 7;
type
tDummyFunc = function(a,b:LongInt):LongInt;cdecl;
Var
Len,k : cint;
P : Pointer;
 
begin
len := sizeof(code);
P:= fpmmap(nil,
len+1 ,
PROT_READ OR PROT_WRITE OR PROT_EXEC,
MAP_ANONYMOUS OR MAP_PRIVATE,
-1, // for MAP_ANONYMOUS
0);
If P = Pointer(-1) then
Halt(4);
 
for k := 0 to len-1 do
pChar(p)[k] := char(code[k]);
 
k := tDummyFunc(P)(a,b);
 
Writeln(a,'+',b,' = ',k);
if fpMUnMap(P,Len)<>0 Then
Halt(fpgeterrno);
end.
output
12+7 = 19

Phix[edit]

atom mem = allocate(9)
poke(mem,{#8B,#44,#24,#04,#03,#44,#24,#08,#C3})
constant mfunc = define_c_func({},mem,{C_INT,C_INT},C_INT)
?c_func(mfunc,{12,7})
free(mem)

In Phix the #ilASM statement (which has guards to allow 32/64/WIN/LNX variants) is usually used for inline assembly, for example (but sticking to the task):

atom mem = allocate(9)
poke(mem,{#8B,#44,#24,#04,#03,#44,#24,#08,#C3})
integer res
#ilASM{ mov eax,[mem]
call :%pLoadMint -- eax:=(int32)eax, in case mem>#3FFFFFFF
push 12
push 7
call eax
add esp,8
mov [res],eax }
?res
free(mem)

Better yet, albeit deviating somewhat from the task (and this runs on both 32 and 64 bit):

integer res
#ilASM{ jmp @f
 ::add
[32]
mov eax,[esp+4]
add eax,[esp+8]
[64]
mov rax,[rsp+8]
add rax,[rsp+16]
[]
ret
@@:
push 12
push 7
call :add
[32]
add esp,8
mov [res],eax
[64]
add rsp,16
mov [res],rax
[]
}
?res

All three cases output 19

PicoLisp[edit]

The following runs on 64-bit PicoLisp. Therefore we need some glue code to interface to the task's 32-bit code.

(setq P
(struct (native "@" "malloc" 'N 39) 'N
# Align
144 # nop
144 # nop
 
# Prepare stack
106 12 # pushq $12
184 7 0 0 0 # mov $7, %eax
72 193 224 32 # shl $32, %rax
80 # pushq %rax
 
# Rosetta task code
139 68 36 4 3 68 36 8
 
# Get result
76 137 227 # mov %r12, %rbx
137 195 # mov %eax, %ebx
72 193 227 4 # shl $4, %rbx
128 203 2 # orb $2, %bl
 
# Clean up stack
72 131 196 16 # add $16, %rsp
 
# Return
195 ) # ret
foo (>> 4 P) )
 
# Execute
(println (foo))
 
# Free memory
(native "@" "free" NIL P)

Output:

19

Python[edit]

Works with: CPython version 3.x

The ctypes module is meant for calling existing native code from Python, but you can get it to execute your own bytes with some tricks. The bulk of the code is spent establishing an executable memory area - once that's done, the actual execution takes just a few lines.

import ctypes
import os
from ctypes import c_ubyte, c_int
 
code = bytes([0x8b, 0x44, 0x24, 0x04, 0x03, 0x44, 0x24, 0x08, 0xc3])
 
code_size = len(code)
# copy code into an executable buffer
if (os.name == 'posix'):
import mmap
executable_map = mmap.mmap(-1, code_size, mmap.MAP_PRIVATE | mmap.MAP_ANON, mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC)
# we must keep a reference to executable_map until the call, to avoid freeing the mapped memory
executable_map.write(code)
# the mmap object won't tell us the actual address of the mapping, but we can fish it out by allocating
# some ctypes object over its buffer, then asking the address of that
func_address = ctypes.addressof(c_ubyte.from_buffer(executable_map))
elif (os.name == 'nt'):
# the mmap module doesn't support protection flags on Windows, so execute VirtualAlloc instead
code_buffer = ctypes.create_string_buffer(code)
PAGE_EXECUTE_READWRITE = 0x40 # Windows constants that would usually come from header files
MEM_COMMIT = 0x1000
executable_buffer_address = ctypes.windll.kernel32.VirtualAlloc(0, code_size, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
if (executable_buffer_address == 0):
print('Warning: Failed to enable code execution, call will likely cause a protection fault.')
func_address = ctypes.addressof(code_buffer)
else:
ctypes.memmove(executable_buffer_address, code_buffer, code_size)
func_address = executable_buffer_address
else:
# for other platforms, we just hope DEP isn't enabled
code_buffer = ctypes.create_string_buffer(code)
func_address = ctypes.addressof(code_buffer)
 
prototype = ctypes.CFUNCTYPE(c_int, c_ubyte, c_ubyte) # build a function prototype from return type and argument types
func = prototype(func_address) # build an actual function from the prototype by specifying the address
res = func(7,12)
print(res)
 

PureBasic[edit]

Using the Windows API:

CompilerIf #PB_Compiler_Processor <> #PB_Processor_x86
CompilerError "Code requires a 32-bit processor."
CompilerEndIf
 
 
; Machine code using the Windows API
 
Procedure MachineCodeVirtualAlloc(a,b)
*vm = VirtualAlloc_(#Null,?ecode-?scode,#MEM_COMMIT,#PAGE_EXECUTE_READWRITE)
If(*vm)
CopyMemory(?scode, *vm, ?ecode-?scode)
eax_result=CallFunctionFast(*vm,a,b)
VirtualFree_(*vm,0,#MEM_RELEASE)
ProcedureReturn eax_result
EndIf
EndProcedure
 
rv=MachineCodeVirtualAlloc( 7, 12)
MessageRequester("MachineCodeVirtualAlloc",Str(rv)+Space(50),#PB_MessageRequester_Ok)
 
#HEAP_CREATE_ENABLE_EXECUTE=$00040000
 
Procedure MachineCodeHeapCreate(a,b)
hHeap=HeapCreate_(#HEAP_CREATE_ENABLE_EXECUTE,?ecode-?scode,?ecode-?scode)
If(hHeap)
CopyMemory(?scode, hHeap, ?ecode-?scode)
eax_result=CallFunctionFast(hHeap,a,b)
HeapDestroy_(hHeap)
ProcedureReturn eax_result
EndIf
EndProcedure
 
rv=MachineCodeHeapCreate(7,12)
MessageRequester("MachineCodeHeapCreate",Str(rv)+Space(50),#PB_MessageRequester_Ok)
End
 
; 8B442404 mov eax,[esp+4]
; 03442408 add eax,[esp+8]
; C20800 ret 8
 
DataSection
scode:
Data.a $8B,$44,$24,$04,$03,$44,$24,$08,$C2,$08,$00
ecode:
EndDataSection

Racket[edit]

#lang racket/base
 
(require ffi/unsafe)
 
; set up access to racket internals
(define scheme-malloc-code
(get-ffi-obj 'scheme_malloc_code #f (_fun (len : _intptr) -> _pointer)))
(define scheme-free-code
(get-ffi-obj 'scheme_free_code #f (_fun _pointer -> _void)))
 
(define opcodes '(139 68 36 4 3 68 36 8 195))
 
(define code (scheme-malloc-code 64))
 
(for ([byte opcodes]
[i (in-naturals)])
(ptr-set! code _ubyte i byte))
 
(define function (cast code _pointer (_fun _ubyte _ubyte -> _ubyte)))
 
(function 7 12)
 
(scheme-free-code code)

Tcl[edit]

Translation of: C
Library: Critcl
package require critcl
 
critcl::ccode {
#include <sys/mman.h>
}
 
# Define a command using C. The C is embedded in Tcl, and will be
# built into a shared library at runtime. Note that Tcl does not
# provide a native way of doing this sort of thing; this thunk is
# mandatory.
critcl::cproc runMachineCode {Tcl_Obj* codeObj int a int b} int {
int size, result;
unsigned char *code = Tcl_GetByteArrayFromObj(codeObj, &size);
void *buf;
 
/* copy code to executable buffer */
buf = mmap(0, (size_t) size, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_ANON, -1, 0);
memcpy(buf, code, (size_t) size);
/* run code */
result = ((int (*) (int, int)) buf)(a, b);
/* dispose buffer */
munmap(buf, (size_t) size);
 
return result;
}
 
# But now we have our thunk, we can execute arbitrary binary blobs
set code [binary format c* {0x8B 0x44 0x24 0x4 0x3 0x44 0x24 0x8 0xC3}]
puts [runMachineCode $code 7 12]

Note that it would be more common to put that thunk in its own package (e.g., machineCodeThunk) and then just do something like this:

package require machineCodeThunk 1.0
 
set code [binary format c* {0x8B 0x44 0x24 0x4 0x3 0x44 0x24 0x8 0xC3}]
puts [runMachineCode $code 7 12]