
Reverse engineering the Intel FSP: A Primer - Nelkins
https://puri.sm/posts/primer-to-reverse-engineering-intel-fsp/
======
userbinator
I found the odd mix of GNU/AT&T and Intel syntax a little disorienting ---
especially all the '%', which the author starts out using in the text but then
decides to just suddenly stop using halfway through.

The flowchart view is _extremely_ useful, and from my experience of having
taught an Asm class before, in which students were required to do both
compilation and decompilation, creating such a graphical representation of the
program flow really helps to clarify when going from C to Asm and vice-versa.
Lacking software to do it automatically, printing out the code and drawing
lines works reasonably well.

That "challenge" function should puzzle anyone who knows even the slightest
bit of Asm --- not because of its purpose, but because of how it does it.
Subtracting one number and then adding another, is entirely equivalent to
adding their sum; so that could be simplified to:

    
    
        call $+5
        pop eax
        sub eax, 5
        sub eax, [eax-15]
        ret
    

The "call $+5/pop" idiom for "where am I" is also used a lot in packers, so
those who have such experience with unpacking will recognise it too. Look at
enough Asm (particularly compiler output, but I doubt that example was
generated by one) and you'll start to pick up on small
inefficiencies/stupidities like this; it really tends to dampen your belief in
how optimising compilers actually are in practice. ;-)

------
hobo_mark
Nice but come on, pages and pages about what is a stack but not even a word
about what this "Intel FSP" is supposed to be?

[http://www.intel.com/FSP](http://www.intel.com/FSP)

Apparently it's their (closed) cpu initialization code that you are free to
take and reuse if you're creating a new device using Intel cpus.

~~~
ezconnect
Yes that is weird for a technical write up not to mention what FSP stands for.
I was expecting it on the first sentence.

~~~
waynecochran
FSP is a TLA for an API using Intel ISA code implemented on CPU with support
for BIOS used in some RTOS systems.

~~~
Dylan16807
Eh. 2/5\. Your sentence is quite comprehensible and doesn't answer the
question for reasons completely unrelated to acronyms. ("an interface" and
vague ideas about what it runs on don't tell you what something is)

~~~
waynecochran
Admittedly weak. As other commenters — I have strong distaste for writing that
doesn’t define widely unknown acronymns on first use.

------
comex
Just for reference, here is what the Hex-Rays decompiler produces for the
function in question:

[https://ghostbin.com/paste/jpeh5](https://ghostbin.com/paste/jpeh5)

Not as readable or semantically meaningful as the author's manually decompiled
version, but pretty decent.

So if you think x86 assembly sounds really arcane, you should know that you're
not strictly required to learn it to start experimenting with reverse
engineering: you can start with a decompiler, which is all you need in most
cases, and gradually learn how its output corresponds to assembly (which is
still necessary to deal with in harder cases). Hex-Rays is the only decompiler
I know that doesn't suck, and you _are_ required to fork out high sums to get
a legitimate copy of it… but it's easy enough to find a non-legitimate copy to
start out with.

Personally, even though I have a fair amount of experience with reverse
engineering at the assembly level, I find that using the decompiler lets me
understand the "big picture" of a function's purpose much more quickly. Maybe
I just need even more experience, and I'd be able to work just as fast from
assembly… but I don't think so. I'd rather write my own decompiler to handle
the stuff that Hex-Rays doesn't.

~~~
jlgaddis
> _... you should know that you 're not strictly required to learn it to start
> experimenting with reverse engineering ..._

+1. The only assembly I ever learned was some 6502 assembly many, many years
ago, and I didn't even learn that very well. But that didn't prevent me from
later figuring out how to "crack" a bunch of BBS door games (with SoftICE for
DOS) as a teenager. Hell, I'm not even a real programmer, and I was successful
in bypassing the license protections on a (Linux) binary from Cisco a few
years ago (although, ultimately, that was just NOP'ing out a "jump") using IDA
Pro. That took me maybe 30 minutes to do. Thanks, +Fravia! [0]

I am very far from an expert on this stuff but I think that getting started is
waaaay easier than people believe.

(N.B.: IDA Pro runs on Windows but even works on (Linux) ELF binaries.)

[0]:
[https://en.wikipedia.org/wiki/Fravia](https://en.wikipedia.org/wiki/Fravia)

~~~
jcranmer
The newest versions of IDA Pro run on Linux and OS X as well.

~~~
Fnoord
And its bloody expensive for hobbyist usage [1]. 5.0 is free for non-
commercial use but lacks all the features from 6.x and 7.x including Linux and
macOS port.

[1] [https://www.hex-rays.com/cgi-bin/quote.cgi](https://www.hex-rays.com/cgi-
bin/quote.cgi)

~~~
jlgaddis
Use 5.0 to reverse engineer 7.x and bypass the licensing? :)

------
invalid_name
_because the compiler knows that the structure is located exactly 0x1AB bytes
before the current function_

This should be 0xF bytes before the current function, shouldn't it? I liked
it.

