What is the RAVM, and why create it?

Learning how programs work at the assembly level is crucial towards gaining a holistic understanding of modern day computing. While studying Computer Science at the United States Military Academy, I was introduced to a fantastic piece of in-house developed software: the MARC and MARASM (available publicly here). The MARC is a virtual 16-bit CPU programmed in ADA. When paired with the MARASM, an assembler for the MARC, cadets can write, assemble, and run assembly programs with a simplistic toolchain.

The MARC is a perfect example of using simple applications geared towards education to teach concepts, not features. Students trying to learn new concepts need tools that just work. I wanted to borrow the concepts of the MARC and create a piece of software which could be used as a stepping stone towards x86 assembly. More specifically, I wanted:

• A more comprehensive, but not complicated, instruction set which more closely mimicked an x86 instruction set.
• 32-bit, little endian words.
• A way to help students visualize what was happening in memory while their programs were running.
• A code base programmed in C, making it more accessible for expansion and hacking by others.

With these goals in mind, I created the RAVM, the Rainbowsandpwnies Assembler and Virtual Machine. The RAVM comes with three parts: assembler, disassembler, and virtual machine. Here’s how you can grab a copy of the RAVM in Ubuntu:

sudo apt-get install git build-essential libncurses5-dev
git clone git://github.com/endeav0r/ravm.git
cd ravm
make

An example

The RAVM comes with a few example assembly programs, but let’s start with our own. We will create a function that adds two numbers together and returns the result. We will then call our function to add together 5 and 7, and then stop.

main :
    mov r0, 7
    push r0
    mov r0, 5
    push r0
    call sum     ; sum(5, 7)
    add rsp, 0x8 ; this is the cdecl call convention
    hlt

sum :
    push rbp
    mov rbp, rsp

    push r1      ; callee saves registers r1-r7

    mov r1, rbp  ; place second argument in r1
    add r1, 0xc
    mov r1, [r1]

    mov r0, rbp  ; place first argument in r0
    add r0, 0x8
    mov r0, [r0]

    add r0, r1   ; perform the addition

    pop r1       ; restore saved registers
    pop rbp

    ret ; return

As of this writing, push and pop only accepts registers. The instruction set is still being expanded.

What we have here is a simple assembly program. Now let’s see where the RAVM really earns its money.

The vm that comes with RAVM features, “godmode.” Godmode is, in my opinion, the best way to visualize a program in memory. Let’s take a look.

We can assemble and run the above program by saving the contents in sum.asm and running the following commands

./assembler sum.bin sum.asm
./vm -i sum.bin -g

This will present us with the following screen:

On the left side of the screen are the addresses for all available memory locations (the VM is currently running with 512 bytes of memory). Starting at address 0, highlighted in cyan is the image loaded from sum.bin. Highlighted in green is the current instruction pointed to by our instruction pointer. The last word in memory, highlighted in red, shows the memory location pointed to by rsp, our stack pointer. In yellow is the user cursor, movable by the arrow keys.

At the bottom of the screen, starting from the top-left of the bottom, we have the address of the cursor, the value of the instruction pointer, a disassembled description of the current instruction, and then the value of every general purpose register.

The user steps through the instruction by pressing (or holding) the “s” key. Let’s step forward in our program until we are sitting on the add r0, r1 instruction.

We are now introduced to two new colors, blue and purple. Blue shows us the space occupied by the stack. Purple shows us the memory pointed to by the base pointer.

As the user continues to step through the program, he/she is simultaneously presented with the entire program laid out and color-coded in memory, the next instruction to execute, and the value of all registers. I have found that after an explanation of how a computer works, a real-time visual learning aid answers many questions.

Teaching security with the RAVM

My favorite example program in the RAVM is that of a basic strlen buffer overflow, overwriting the return address to point back into the stack and execute attacker instructions. When the program executes as intended, it takes two strings, one as a password and one as simulated user input. A function is called, and the user input string is copied into a buffer with a strcpy. The two strings are then compared with strcmp, and if the two strings match a value in memory holding 0xdeadbeef is zeroed to 0×00000000. If the two strings do not match, the memory location is not zeroed and the program terminates.

To assemble the buffer overflow example, run this command:

./assembler buffer_overflow.bin buffer_overflow.asm string.asm

Here’s a quick screenshot of RAVM godmode during the buffer overflow action, exploit in place, to get us started (vm memory size restored to 1024 bytes, the default):

The jump that is about to execute on the stack will jump the user onto the instructions which execute after a successful strcmp. The creation of this simple, one instruction exploit requires the use of all three tools: assembler, disassembler and vm. Let’s take a look at the first several instruction of buffer_overflow.bin as they appear from ./disassembler:

00000000      10000000020c  MOV  r0, 524 (0000020c)
00000006              3200  PUSH r0
00000008        3000000022  CALL 34 (0000002f)
0000000d      060800000004  ADD  rsp, 4 (00000011)
00000013      410000000001  CMP  r0, 1 (00000014)
00000019        2200000001  JE   1 (0000001f)
0000001e                80  HLT
0000001f      100000000234  MOV  r0, 564 (00000253)
00000025      100100000000  MOV  r1, 0 (00000025)
0000002b            130001  MOV  [r0], r1
0000002e                80  HLT
0000002f              3209  PUSH rbp
00000031            110908  MOV  rbp, rsp
00000034      0608ffffffec  ADD  rsp, -20 (00000020)
0000003a            110009  MOV  r0, rbp
0000003d      060000000008  ADD  r0, 8 (00000045)
00000043            120000  MOV  r0, [r0]
00000046              3200  PUSH r0
00000048            110009  MOV  r0, rbp
0000004b      0600ffffffec  ADD  r0, -20 (00000037)
00000051              3200  PUSH r0
00000053        30000000e9  CALL 233 (00000141)
00000058      060800000008  ADD  rsp, 8 (00000060)
0000005e            110009  MOV  r0, rbp
00000061      0600ffffffec  ADD  r0, -20 (0000004d)
00000067              3200  PUSH r0
00000069      100000000228  MOV  r0, 552 (00000291)

Currently, constant values are followed by their offset in the instructions. This isn’t required for all instructions. Work in progress.

We start by pushing the address of our user supplied string on the stack and making a function call to check it against the password. After some stack cleanup, we check the result for a 1, which indicates a successful match. On a successful match, we jump to the instructions at 0x0000001f to zero out memory. On an unsuccessful match, we simply halt the program.

The disassembler provides us with an easy way to see all of our instructions next to their assembled addresses (and the addresses they will hold in memory). The attacker can then run his program in memory and calculate the offset from where the stack will be located after a return address overflow to the instructions he needs executed. Finally, the attacker has to find some instruction he can write on the stack which will include no 0×00 bytes. A carefully crafted attacker-supplied string which returns back into the stack and executes a JMP instruction does the trick.

It’s an interesting exercise in creative thinking to manipulate a system, the RAVM, in ways unintended.

Conclusion

That’s what I use to teach concepts in low-level programming and assembly. I’m interested in any suggestions, criticisms and feedback people have. If this is something you would like to use, everything is available under the GPL license. Please let me know how it goes!

Intel Assembly Comprehensive Cheat Sheet

danukeru from reddit posted a link to this cheat sheet, which lists x86 opcodes, what their abbreviations mean, and their Intel syntax. It is awesome, and I wish I had it earlier.

A little more into lea

This comes from jputnam at reddit as a suggestion.

A quick google search turns up a few articles which are helpful. I especially like this one from the University of Illinois at Urbana-Champaign.

Basically, lea sets a register equal to a value, after computations on that value are completed. Usually, this is an offset from another register. This is different from mov, which is used to set a memory location pointed to by a register equal to a value.

Let’s say we want to set our register ecx equal to ebp+0×12, because that’s where one of our stack variables are, and instead of using [ebp+0x12] everytime we want to refer to that stack variable, we’re going to use ecx (I have no idea why we would ever want to do this, but we’ll pretend). We would use the lea instruction to do this all very neatly in one line.

lea ecx, [ebp+0x12]

If you’re still not entirely cleared up on lea, visit some of the links above. They do an excellent job explaining this instruction.

Explain why eax is set to 0 at the end of main

Another one from jputnam.

It is a common convention to set eax to the return value. Main returns 0. Therefor, we set eax to 0.

If you call a function and want to check its returned value, check eax.

Spend a little more time explaing ebp

This one comes from stevep98 at reddit.

Given this C function:

void function ebp_explanation (int argument)
{
	int i;
}

This is a simplistic example of how this function may look on the stack (ditaa is cool):

Image has been accidentally deleted

0×74 is memory we reserve for int i. Normally, we reserve this space by setting esp somewhere beneath 0×74, so when we push things on to the stack they do not overwrite the memory at 0×74.

We then set ebp somewhere consistent on our stack, and we leave it there. Convention is to set ebp to where it is in the above illustration. From there, when we want to refer to certain pieces of memory (IE stack variables), we refer to them by an offset from ebp. If we want to add 1 to int i, it will look like this:

add DWORD PTR [ebp-0x4], 0x1

Like storing the return value in eax, this is a convention, but not a rule. In fact, when we take our same program from the first tutorial, give gcc the -O3 flag, and look at the disassembled code, we will see gcc decides to refer to int i in regards to esp instead of in regards to ebp.

Stack Alignment

jldugger commented on stack alignment.

If you want some more information stack alignment, which I admittedly didn’t do a terrific job of explaining, a simple google search returns these two pages: ( one | two ). They should help clear things up. I’m going to leave it at that for stack alignment.

What’s to come

I won’t know 100% what will come next until it’s written, but these are the next three topics I would like to hit (remember, I’m learning as I’m writing):

1. Take one.c (the example program from x86 Assembly for C Programmers 1) compiled with -O2 and -O3, and analyze why the compiler does what it does with different levels/kinds of optimization.
2. Begin looking at some more complicated examples, more of the instruction set, and expand our knowledge of the x86 instruction set.
3. We will take a C program, break it down in to assembly, and begin optimizing it in assembly. This will be the first installment of writing/modifying the assembly code.

Beyond that, we’ll find out when we get there.

I’m writing a series of tutorials on x86 assembly for C programmers who are already familiar with many of the basics of programming and computing. The assembly tutorials available online just aren’t doing it for me, and I need something organized the way I think, on the topics I’m interested in, presented in a way which make comprehensive understanding easy. I’ll do the work, go find the answers, and then drop everything here for you to enjoy.

Please note I do not claim to be an expert on the assembly language.

My interest in assembly is for both optimizing C applications, and the purpose of developing exploits for vulnerabilities in common applications, not write applications in assembly from scratch. I’m not interested in, “Good,” examples of assembly, I’m interested in real examples. This will affect the assembly we look at. More specifically, I write the code in C, compile it with gcc, and what comes out is what we’ll be dissecting.

For the purposes of these tutorials, 32-bit x86 assembly. Everything compiled/built/disassembled on the latest stable distro of Ubuntu.

References

The Art of Assembly is an excellent reference, and if you need clarification of any of the topics discussed, I recommend checking it out. Chapter six covers all of the instructions, how they work, and what specifically they do.

Thanks To:

Bushmills from irc.freenode.net##asm for taking the time to explain to a noob why the first 7 lines of assembly were what they were.

The Code

Let’s take a look at a simple C application, and it’s disassembled assembly code.
gcc one.c -o one

#include 

int main (int argc, char * argv [])
{

	int i;

	argc++;

	for (i = 0; i < 10; i++)
		printf("%d\n", i);

	return 0;

}

Disassembled counterpart (for main):
objdump -d one -M intel

080483c4 :
 80483c4:	8d 4c 24 04          	lea    ecx,[esp+0x4]
 80483c8:	83 e4 f0             	and    esp,0xfffffff0
 80483cb:	ff 71 fc             	push   DWORD PTR [ecx-0x4]
 80483ce:	55                   	push   ebp
 80483cf:	89 e5                	mov    ebp,esp
 80483d1:	51                   	push   ecx
 80483d2:	83 ec 24             	sub    esp,0x24
 80483d5:	83 01 01             	add    DWORD PTR [ecx],0x1
 80483d8:	c7 45 f8 00 00 00 00 	mov    DWORD PTR [ebp-0x8],0x0
 80483df:	eb 17                	jmp    80483f8
 80483e1:	8b 45 f8             	mov    eax,DWORD PTR [ebp-0x8]
 80483e4:	89 44 24 04          	mov    DWORD PTR [esp+0x4],eax
 80483e8:	c7 04 24 d0 84 04 08 	mov    DWORD PTR [esp],0x80484d0
 80483ef:	e8 04 ff ff ff       	call   80482f8

 80483f4:	83 45 f8 01          	add    DWORD PTR [ebp-0x8],0x1
 80483f8:	83 7d f8 09          	cmp    DWORD PTR [ebp-0x8],0x9
 80483fc:	7e e3                	jle    80483e1
 80483fe:	b8 00 00 00 00       	mov    eax,0x0
 8048403:	83 c4 24             	add    esp,0x24
 8048406:	59                   	pop    ecx
 8048407:	5d                   	pop    ebp
 8048408:	8d 61 fc             	lea    esp,[ecx-0x4]
 804840b:	c3                   	ret
 804840c:	90                   	nop
 804840d:	90                   	nop
 804840e:	90                   	nop
 804840f:	90                   	nop

This is a list of the instructions that are used above. We'll explain which each of these instructions do as we come across them later:

• lea - Load Effective Address
• and - logical AND
• push - PUSH data on to the stack
• mov - MOVe data from one register to another
• sub - SUBtract
• jmp - JuMP
• call - CALL another subfunction
• add - ADDition
• cmp - CoMPare
• pop - POP data off the stack
• ret - Return control to the parent function

You'll notice we left off jle. jle means jump if less than or equal to, and is a variant of the jmp instruction. You can find all the variations with any assembly reference.

Now let's take a look at the registers used. (ESP/EBP)

• esp - Stack Pointer (for the top of the stack).
• ecx - Counter (used for other purposes described later)
• ebp - Base Pointer
• eax - Accumulator Register (Arithmetic Operations)

If you don't understand exactly what all these registers are, we'll describe them later, and you will see how they are used.

Some Background:

First, some vocabulary:

• Stack: This is, surprise, an implementation of the data structure known as the stack. We use this stack to keep track of information about the program during the course of its running.
• Register: Think of registers as our variables. Think of them as pointers, and we dereference them by putting them in [].
• Instruction: An instruction is an operation we want to run on the processor.
• Operand: Quite simply, an operand is an argument to an instruction.
• Word: Every 4 bytes is considered a word. Wikipedia defines word as the smallest unit of data used by a computer design. We're using a 32 bit operating system, so 32 bit words, 4 byte words...

The x86 Stack and esp

The x86 stack is a LIFO mechanism we use to store information, LIFO being Last In, First Out. push puts data on the stack, pop takes data off the stack. push and pop manipulate data relative to esp, which is the stack pointer.

The stack grows down, meaning we start at higher memory addresses, and as the stack grows, we end up with lower memory addresses. esp is often referred to as pointing to the top of the stack, but in diagrams, the top of the stack is depicted as at the bottom (because we have higher addresses at the top, and lower addresses at the bottom).

esp decrements before adding a value to the stack, not after, so esp will always point to the last element added to the stack.

This may be a bit confusing now, but by the end of the first 7 instructions, you should have a good handle on it.

When we call a function, the stack typically looks like this:

------------------
| argument 1     |
------------------
| argument 0     |
------------------
| return address | <- esp is here
------------------

This is how the function will inherit the stack. In most simplistic tutorials, a few more commands will be executed at the beginning of the function to give us a stack like this:

------------------------
| argument 1           |
------------------------
| argument 0           |
------------------------
| return address       |
------------------------
| original ebp         | <- ebp points here
------------------------
| stack data variables | <- esp is here
------------------------

Aligning the Stack

This stack, as you will see, is nothing more than a bunch of memory in relation to esp, and esp is the only way we can identify where we are in the stack. If we change esp, we change our location in the stack, without using push or pop.

We want the stack to be "aligned", meaning we want our stack variables to start on a word whose address ends in 0, or the memory is evenly divisible by 16, however is easiest for you to think of it. This apparently speeds up the computation of some operations, but more importantly, with the introduction of SSE instructions (which work on 128 bits at once), having your variables aligned improperly can lead to some spectacular failures.

It all has to do with memory segmentation (Edit: Not really. See jldugger's comment. Processor design is important here. Visit the following link to learn more. I'm going to go ahead and mark this under not too terribly important to understand. Keep reading, you'll be fine, I promise.) If you're really interested, do some reading. For now, just know we want our stack to be properly aligned, and that's what gcc is doing in the first seven instructions.

The Assembly

We're going to go instruction by instruction, explaining what's happening, and looking at the stack, along with where our registers are, each step along the way.

     ------------------
0x80 | char * argv[]  |
     ------------------
0x7c |   int argc     |
     ------------------
0x78 |   ret addr     | <- esp points here
     ------------------
0x74 |                |
     ------------------
0x70 |                |
     ------------------
0x6c |                |
     ------------------
0x68 |                |
     ------------------
0x64 |                |
     ------------------
     ~     ~   ~      ~
     ------------------
0x40 |                |
     ------------------

lea ecx,[esp+0x4]

     ------------------
0x80 | char * argv[]  |
     ------------------
0x7c |   int argc     | <- ecx points here now
     ------------------
0x78 |   ret addr     | <- esp points here
     ------------------
0x74 |                |
     ------------------
0x70 |                |
     ------------------
0x6c |                |
     ------------------
0x68 |                |
     ------------------
0x64 |                |
     ------------------
     ~     ~   ~      ~
     ------------------
0x40 |                |
     ------------------

and esp,0xfffffff0

     ------------------
0x80 | char * argv[]  |
     ------------------
0x7c |   int argc     | <- ecx points here
     ------------------
0x78 |   ret addr     |
     ------------------
0x74 |                |
     ------------------
0x70 |                | <- esp points here now
     ------------------
0x6c |                |
     ------------------
0x68 |                |
     ------------------
0x64 |                |
     ------------------
     ~     ~   ~      ~
     ------------------
0x40 |                |
     ------------------

push DWORD PTR [ecx-0x4]

     ------------------
0x80 | char * argv[]  |
     ------------------
0x7c |   int argc     | <- ecx points here
     ------------------
0x78 |   ret addr     |
     ------------------
0x74 |                |
     ------------------
0x70 |                |
     ------------------
0x6c |   ret addr     | <- esp points here now
     ------------------
0x68 |                |
     ------------------
0x64 |                |
     ------------------
     ~     ~   ~      ~
     ------------------
0x40 |                |
     ------------------

push ebp

     ------------------
0x80 | char * argv[]  |
     ------------------
0x7c |   int argc     | <- ecx points here
     ------------------
0x78 |   ret addr     |
     ------------------
0x74 |                |
     ------------------
0x70 |                |
     ------------------
0x6c |   ret addr     |
     ------------------
0x68 | original ebp   | <- esp points here now
     ------------------
0x64 |                |
     ------------------
     ~     ~   ~      ~
     ------------------
0x40 |                |
     ------------------

mov ebp,esp

     ------------------
0x80 | char * argv[]  |
     ------------------
0x7c |   int argc     | <- ecx points here
     ------------------
0x78 |   ret addr     |
     ------------------
0x74 |                |
     ------------------
0x70 |                |
     ------------------
0x6c |   ret addr     |
     ------------------
0x68 | original ebp   | <- esp and ebp point here
     ------------------
0x64 |                |
     ------------------
     ~     ~   ~      ~
     ------------------
0x40 |                |
     ------------------

push ecx

     ------------------
0x80 | char * argv[]  |
     ------------------
0x7c |   int argc     | <- ecx points here
     ------------------
0x78 |   ret addr     |
     ------------------
0x74 |                |
     ------------------
0x70 |                |
     ------------------
0x6c |   ret addr     |
     ------------------
0x68 | original ebp   | <- ebp points here
     ------------------
0x64 |      0x7c      | <- esp points here now
     ------------------
     ~     ~   ~      ~
     ------------------
0x40 |                |
     ------------------

sub esp,0x24

     ------------------
0x80 | char * argv[]  |
     ------------------
0x7c |   int argc     | <- ecx points here
     ------------------
0x78 |   ret addr     |
     ------------------
0x74 |                |
     ------------------
0x70 |                |
     ------------------
0x6c |   ret addr     |
     ------------------
0x68 | original ebp   | <- ebp points here
     ------------------
0x64 |      0x7c      |
     ------------------
     ~     ~   ~      ~
     ------------------
0x40 |                | <- esp points here now
     ------------------

The first seven instructions are the most confusing, and things become much simpler from here. Hopefully you have become familiar with the working of the stack. I'm going to omit stack pictures from the remainder of this tutorial.

add DWORD PTR [ecx],0x1

The add instruction works like the sub instruction, except instead of subtraction we are working with addition.

Because of the brackets, we are not adding 1 to ecx, but instead to the memory pointed to by ecx. If you remember from our stack, ecx points to the first argument we passed to main, or int argc. If you remember from our C code, after declaring int i, we incremented argc. Well, here's the assembly instruction for that line of code.

DWORD PTR because integers are 4 bytes (int argc).

mov DWORD PTR [ebp-0x8],0x0

Now we are entering our for loop. The first thing our for loop does is set int i equal to 0. Well, we know int i is a stack variable. We also know the common convention is to refer to stack variables as an offset from ebp. So guess where int i is on the stack? That's right, it's at ebp-0x8. Here we are setting int i equal to 0, the first part of our for loop.

80483df:   eb 17   jmp   80483f8

The jmp instruction is used to "JuMP" from one place in the code to another. I included the two bytes which form this instruction because I wanted to point something out. While we see "jmp 80483f8", which makes this instruction look absolute, it's actually relative. We are jumping 0x17 bytes ahead. 0xdf + 0x02 + 0x17 = 0xf8. Why add the 0x02? Because this jmp instruction is two bytes, and the jump starts after the jmp instruction.

We're going to do some skipping around now. Instead of following the assembly from first instruction to last, I'd instead like to go through the assembly in the order the instructions will be executed.

80483f8:   83 7d f8 09   cmp   DWORD PTR [ebp-0x8],0x9

The CoMPare instruction compares two values, and sets the x86 flags register appropriately. Yes, there's an x86 flags register. No, we aren't that concerned with it right now. Just know that the cmp instruction sets flags which correspond to a comparison between its two operands.

80483fc:   7e e3   jle   80483e1

The Jump if Less than or Equal to instruction will execute a jmp instruction if the x86 flags register has the appropriate flags set, indicating the previous cmp instruction compared one value that was less than or equal to a second value.

We're beginning to see exactly how our for loop executes on the processor. After setting the initial value, we jump immediately down to the comparison, or for our for () statement, "i < 10". The comparison actually comes out to "i <= 9". If this condition holds true, we perform another jump to where the beginning of our for loop code would be.

80483e1:   8b 45 f8   mov   eax,DWORD PTR [ebp-0x8]

eax is one of our general purpose registers we haven't mentioned yet. Here, we are setting it equal to [ebp-0x8], or int i.

80483e4:   89 44 24 04   mov   DWORD PTR [esp+0x4],eax

We are preparing to call the function printf. Printf takes two arguments. Remember, arguments are with the first argument closest to the top of the stack, and the last argument closest to the bottom. We are now positioning arguments on the stack. Int i represents our second argument in our printf() function call, and we are placing it closest to the bottom of the stack here.

80483e8:   c7 04 24 d0 84 04 08   mov   DWORD PTR [esp],0x80484d0

Here we are moving the value 0x80484d0 in to the memory where esp is currently located. We're placing this value into the stack without altering esp. You're probably wondering what is at memory address 0x80484d0. It's these 4 bytes:

0x25 0x64 0x0a 0x00

The C String equivalent would be "%d\n". I hope it looks familiar, because it's the first argument to our printf call.

80483ef:   e8 04 ff ff ff   call   80482f8

And here we go ahead and make the printf call. The call instruction will do a few things. For simplicity's sake, we will say it pushes the address of the next instruction on to the stack (the return address for the next function/procedure), and then begins executing the assembly instruction at the specified location. If you absolutely must know...

We don't really need to worry too much about this now. Just know that 0x80483f4 just got pushed on to the stack, and the next instruction that will be executed is 0x80482f8. When the procedure we call returns, its ret instruction will pop the return address off the stack, meaning the stack should by just as we left it before the call instruction.

80483f4:   83 45 f8 01   add   DWORD PTR [ebp-0x8],0x1

After the printf(), and before we do our next comparison, we need to increment int i. This is where that tiny piece of magic happens.

After this add instruction, we're back to our cmp instruction. We've already covered this, so let's skip ahead to the remaining six instructions, starting at the memory location 0x80483fe.

 80483fe:	b8 00 00 00 00       	mov    eax,0x0
 8048403:	83 c4 24             	add    esp,0x24
 8048406:	59                   	pop    ecx
 8048407:	5d                   	pop    ebp
 8048408:	8d 61 fc             	lea    esp,[ecx-0x4]
 804840b:	c3                   	ret

You should be able to understand what's going on now in these last six lines. If not, here's a quick synopsis to help you on your way:

• 80483fe: Zero out eax... eax := 0
• 8048403: Return esp to its original position, before we made room for stack variables. Need more help? Look at memory location 0x80483d2.
• 8048406: Get ecx back off the stack.
• 8048407: Set ebp to its original value before we entered the procedure. We're returning to our parent function, and it probably wants to know where its stack variables are.
• 8048408: Set esp back to its original value when we entered the main() procedure.
• 804840b: Return, which will pop the return address off the stack, and the next instruction executed will now be at that return address.

Take another look at the assembly instructions. You should now understand all the basics of what is happening at the processor.

In the next tutorial, we'll take a better look at what exactly is happening, with a little less abstraction and a little more detail.