WEBVTT

1
00:00.950 --> 00:02.510
Hello and welcome back.

2
00:02.510 --> 00:05.180
In this lesson, we are going to study IMUL.

3
00:05.600 --> 00:08.600
IMUL is for signed multiplication.

4
00:08.600 --> 00:10.070
It differs from MUL.

5
00:10.070 --> 00:14.480
In the previous lesson, we used MUL for unsigned multiplication.

6
00:16.580 --> 00:19.520
There are two main forms of the IMUL instruction.

7
00:19.550 --> 00:22.520
The first is IMUL, followed by one operand.

8
00:22.700 --> 00:27.320
In this case, we have to move the first operand into the - register.

9
00:27.470 --> 00:31.850
Then in this instruction, we specify the second operand.

10
00:32.060 --> 00:34.040
Maybe - or -.

11
00:34.550 --> 00:39.260
Then the second form is IMUL operand 1, operand 2.

12
00:39.290 --> 00:40.490
In this form,

13
00:40.520 --> 00:44.000
both operands are storing the values.

14
00:44.780 --> 00:46.760
Maybe operand one is -.

15
00:46.760 --> 00:49.100
Operand two could be -, -.

16
00:49.550 --> 00:55.340
And then when we perform the instruction, it will take the value in operand two, multiply with operand

17
00:55.340 --> 00:57.470
one and store the result in operand one.

18
00:59.430 --> 01:00.690
The one operand form.

19
01:00.960 --> 01:02.070
IMUL operand.

20
01:02.130 --> 01:03.780
This is similar to MUL.

21
01:04.140 --> 01:11.040
This form multiplies the - register by the operand, and the result is stored in the - - pair.

22
01:11.250 --> 01:18.510
The most significant bits of the result are stored in -, and the least significant 64 bits are

23
01:18.510 --> 01:19.950
stored in -.

24
01:21.520 --> 01:22.690
Two operand form.

25
01:22.690 --> 01:24.640
IMUL operand 1, operand 2.

26
01:24.670 --> 01:29.830
This form multiplies the second operand by the first operand and stores the result in the first operand

27
01:29.830 --> 01:30.490
register.

28
01:30.700 --> 01:37.180
In this case, - is not inherently used unless it is explicitly specified as the destination operand,

29
01:37.540 --> 01:39.640
so there is a basic difference here.

30
01:39.970 --> 01:45.760
In the IMUL operand one, operand two form, the result is stored only in the - register.

31
01:45.790 --> 01:53.500
- is not used, so the size of the register is half of the size that is used in the first

32
01:54.040 --> 01:54.970
form of IMUL.

33
01:57.330 --> 01:58.980
When dealing with the IMUL instruction,

34
01:58.980 --> 02:00.330
signed multiplication,

35
02:00.330 --> 02:06.060
whether or not the - register is used to store part of the result depends on the specific form

36
02:06.060 --> 02:07.770
of the IMUL instruction being used.

37
02:08.220 --> 02:13.020
So if we use this form, then it will store the result in - -.

38
02:13.410 --> 02:19.740
But if we use this form, it will only store the result in the first operand, which is only a single

39
02:19.740 --> 02:21.990
register in the two operand form.

40
02:21.990 --> 02:25.620
What happens if the result of the IMUL is too large to store in the first operand?

41
02:27.190 --> 02:33.370
So in that case, in the two operand form, if the result of the multiplication is too large

42
02:33.370 --> 02:38.740
to fit in the 64-bit destination register, the overflow will not be stored in another register.

43
02:38.740 --> 02:43.720
Instead, the result will be truncated to fit within the 64-bit destination register.

44
02:43.750 --> 02:49.450
This means that only the least significant 64 bits of the result are kept, and the most significant

45
02:49.450 --> 02:51.610
bits which cannot fit are discarded.

46
02:52.780 --> 02:58.990
Unlike the one operand form of IMUL, which stores the overflow into the - register, the two operand

47
02:59.020 --> 03:04.210
form does not inherently provide any direct indication of overflow within the registers.

48
03:04.210 --> 03:09.340
To detect an overflow condition from a two operand IMUL, you will need to analyze the flags in the

49
03:09.490 --> 03:10.480
flags register.

50
03:13.580 --> 03:15.800
The carry flag and the overflow flag are set

51
03:15.800 --> 03:22.160
if the result is too large to be represented in the destination register, indicating an overflow condition.

52
03:22.190 --> 03:24.980
These flags need to be checked after the operation

53
03:24.980 --> 03:29.540
if the preservation of the full result or the detection of an overflow is important to the logic of

54
03:29.540 --> 03:30.230
the program.

55
03:31.040 --> 03:38.210
So in summary, for IMUL in 64-bit mode, - is used to store the most significant 64 bits of the

56
03:38.210 --> 03:44.150
result only in the one operand form of the instruction, where the operation affects the - - register

57
03:44.150 --> 03:44.510
pair.

58
03:44.960 --> 03:51.770
In the two operand form, - is not used to store the result unless it is explicitly specified as the

59
03:51.770 --> 03:58.190
destination operand, and we need to check the - and - flags to know whether an overflow has occurred.

60
03:58.760 --> 04:03.620
So now let's take a look at the example inside

61
04:04.910 --> 04:05.960
x64dbg.

62
04:06.380 --> 04:09.200
I've loaded my template 2X file.

63
04:09.350 --> 04:16.490
So now we are going to move a number inside the register -.

64
04:16.490 --> 04:17.510
So we move

65
04:19.810 --> 04:20.560
-

66
04:24.060 --> 04:24.840
five.

67
04:29.600 --> 04:35.900
We are now going to move - negative three.

68
04:36.110 --> 04:39.410
Note that I am entering here a decimal number.

69
04:39.410 --> 04:44.660
So when it is entered into x64dbg, it will convert it into hex.

70
04:45.230 --> 04:46.280
So this is five.

71
04:46.280 --> 04:47.270
This is negative three.

72
04:47.270 --> 04:49.580
And you can confirm that with your calculator.

73
04:49.850 --> 04:53.840
If you enter negative three, select decimal, three,

74
04:53.840 --> 04:58.910
and then negative, you will see that negative three is indeed all Fs followed by D.

75
04:59.900 --> 05:02.930
So now let's go and do the first operand.

76
05:02.990 --> 05:04.550
Single operand form.

77
05:05.060 --> 05:08.240
The single operand form is IMUL -.

78
05:12.230 --> 05:14.150
So when you step over this.

79
05:14.750 --> 05:17.180
So we run to our breakpoint, step over.

80
05:18.080 --> 05:24.290
It moves five to our -, and then it moves negative three to -.

81
05:24.320 --> 05:29.840
Now it's going to multiply - by - and store the result in - -.

82
05:30.470 --> 05:34.550
Step over and you see the result is in - -.

83
05:34.760 --> 05:36.740
The result is this result.

84
05:36.740 --> 05:46.190
So if we take our calculator and then we retry, we enter five, select decimal first, five, and then

85
05:46.190 --> 05:48.200
multiply with negative three.

86
05:49.500 --> 05:50.820
We will get this result.

87
05:50.820 --> 05:52.350
All Fs followed by one.

88
05:52.860 --> 05:55.650
So if we see here, we get all Fs

89
05:57.000 --> 05:58.440
or Fs followed by one.

90
05:58.440 --> 06:00.390
So this is correct.

91
06:00.780 --> 06:05.910
So the result is -15, which is represented by all Fs followed by one.

92
06:05.910 --> 06:08.580
Note that this is a signed multiplication.

93
06:08.580 --> 06:14.430
That's why you see F. The most significant bit is a one, indicating that it is a negative number.

94
06:14.880 --> 06:18.780
Now we're going to try the second form of IMUL which takes two operands.

95
06:19.470 --> 06:24.390
So this time we are going to move -.

96
06:25.380 --> 06:27.390
We are going to move five into -.

97
06:28.170 --> 06:29.880
And then we are going to move.

98
06:30.300 --> 06:34.800
We are going to move negative three into -.

99
06:36.360 --> 06:40.020
So as you can see now, five is in -.

100
06:40.200 --> 06:43.050
And then negative three is in -.

101
06:43.320 --> 06:49.020
Now we are going to do a multiplication in the second form of IMUL which takes two operands.

102
06:49.140 --> 06:51.180
So -, -.

103
06:53.820 --> 06:57.450
-, so the result will be stored in -.

104
06:58.950 --> 07:01.320
So we step over.

105
07:01.980 --> 07:03.570
It moves five to our -.

106
07:03.900 --> 07:09.660
It has moved five to -, and it has moved negative three to -.

107
07:09.840 --> 07:13.770
So now we are going to multiply the two, and the result should be stored in -.

108
07:15.480 --> 07:21.210
So this is how we can use assembly inside x64dbg to implement IMUL.

109
07:21.330 --> 07:22.830
That's all for this video.

110
07:22.860 --> 07:24.030
Thank you for watching.