http://www.sizecoding.org/api.php?action=feedcontributions&feedformat=atom&user=ByteobserverSizeCoding - User contributions [en]2026-05-03T22:12:19ZUser contributionsMediaWiki 1.27.0http://www.sizecoding.org/index.php?title=Linux&diff=1354Linux2024-03-15T17:32:26Z<p>Byteobserver: /* Additional Resources */ add Tiny bitfield based text renderer</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old XOR pattern:<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method (method 1) is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method (method 2) uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers. Method 3, which saves some bytes over method 2 (especially when combined with visuals), is to use a shell based loader script.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+8] ; get pointer to environ. this assumes only one dword has been popped so far,<br />
; and that there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3: shell loader ===<br />
<br />
Everything we've seen so far has been focused on producing a "pure" ELF binary, to<br />
avoid the compatibility issues that plagued early Linux sizecoding techniques involving self compilation or<br />
binary patching. However, there is a way to embed the ELF binary in a shell script to<br />
save some bytes without sacrificing compatibility.<br />
<br />
In method 1, we effectively moved the audio device handling out of the intro and put the<br />
responsibility of connecting the intro to the audio device in the hands of the user.<br />
This is obviously not ideal, and in method 2 we fixed this by opening the audio device<br />
using syscalls. Here, we will use a hybrid approach. Our intro will appear to the<br />
operating system as a shell script, which when executed will unpack the intro to /tmp<br />
and then execute it, piping the output to aplay.<br />
<br />
The following example of this approach assembles to a 101-byte file.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay",10<br />
org $00010000-($-$$)<br />
top:<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd top ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
inc ebx ; we will write to stdout (1)<br />
main:<br />
mov edx,esi ; copy time into edx<br />
pop ecx ; grab previous sample from stack<br />
; bytebeat formula<br />
and ecx,edx<br />
shr edx,5<br />
mov ebp,entry ; useless, skips part of ELF header<br />
xor ecx,edx<br />
shr edx,5<br />
or ecx,edx<br />
push ecx ; write next sample<br />
<br />
mov ecx,esp ; pointer to audio data (the top byte of the stack)<br />
mov al,4 ; write syscall<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
inc esi ; increment time<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
Note that this code will leave a file in /tmp after it exits, and will also write a bunch of garbage (the binary) to the screen when it exits.<br />
Not only is this not very clean, but you may not be allowed to leave files around after your intro exits in some compos.<br />
To fix this, we can use the following (slightly longer) shell loader:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay;rm $_;exit",10<br />
</syntaxhighlight><br />
<br />
Let's pick apart the shell loader. Remember that in bash, $_ is the last argument passed to the previous command,<br />
and $0 is the filename of the current executable.<br />
<br />
<syntaxhighlight lang=shell><br />
cp $0 /tmp # copy the intro to /tmp<br />
sed -i 1d $_/$0 # remove the first line from the copy with sed (aka remove the loader)<br />
$_|aplay # execute the intro<br />
rm $_ # remove the copy<br />
exit # (so that the binary data which follows doesn't get executed)<br />
</syntaxhighlight><br />
<br />
==== Combining audio and video ====<br />
<br />
Although this method is already saving a lot of bytes, we haven't even gotten to the best part yet.<br />
We can use the shell loader to also set up the framebuffer for us and make it very convenient to use, by using only 10 extra bytes!<br />
To do this, just modify the loader as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_<>/dev/fb0|aplay",10<br />
</syntaxhighlight><br />
<br />
With this loader, you can use pwrite64 or mmap directly on file descriptor 0 (stdin) to write to the screen, and write to file descriptor 1 (stdout) to play audio.<br />
Just be careful to get the timing right if you're doing both audio and video, as the audio writes are blocking.<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Syncing audio with visuals is unfortunately not as easy as one would hope. Unlike many oldskool platforms, you can't just write audio and video data in your main loop and have everything work out nicely. The reason for this is that the audio is buffered with a relatively large buffer size, which is not easy to change. The effect of this is that audio writes will succeed instantly without blocking until about 1 second of audio has been written, and then the next write will block for about 1 second. This process then repeats. As you can imagine this means the visuals will run at about 1 FPS.<br />
<br />
Even if you know the exact audio buffer size, it doesn't really help to synchronize things because the synchronization will be dependent on the CPU speed (as well as how much CPU time background processes are taking, etc). In order to synchronize things properly you will need to use a timer. See the Limiting FPS section below for how to do this. You are looking at a cost of about 22 bytes for this timer at the very least.<br />
<br />
After you have a timer set up, you just need to decide on a target FPS and calculate how much audio you should write per frame. The general formula that you should write <tt>rate * channels * sample width in bytes / FPS</tt> bytes per frame. For example, if your intro runs at 50 FPS and your audio uses 16bit samples in stereo at 8000Hz, then you should write <tt>8000*2*2/50 = 640</tt> bytes of audio for every frame.<br />
<br />
== Miscellaneous Techniques ==<br />
<br />
=== Limiting FPS ===<br />
<br />
The framebuffer device /dev/fb0 will allow you to write to it as quickly as your CPU can manage,<br />
so your intro can run at different speeds depending on the CPU speed. To correct this, you can use<br />
a timer to limit FPS. Beyond limiting the frame rate, using a timer is seemingly necessary if you<br />
want to have synchronized sound and graphics (but more research is needed).<br />
<br />
We will describe two approaches to setting up a timer. The first method uses the <tt>sys_timerfd_*</tt><br />
syscalls, which creates a file descriptor where reads block until the timer expires.<br />
The second uses the <tt>sys_timer_*</tt> syscalls, which send signals that can be caught by installing a signal handler.<br />
The first method is usually smaller.<br />
<br />
==== Method 1: timerfd ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assume this is placed at the beginning of the program (all registers zeroed)<br />
timer:<br />
; NEW: smaller 18-byte setup!<br />
add ax,0x142<br />
push ecx<br />
mov edx,esp<br />
int 0x80<br />
push 1000000000/50 ; 50 fps<br />
add ebx,eax<br />
jns timer<br />
<br />
<br />
main:<br />
xor eax,eax<br />
mov al,3 ; read syscall<br />
mov ebx,eax ; file descriptor of timer<br />
mov dl,8 ; num bytes to read, edx can be any value >= 8<br />
mov ecx,esp ; write timer expiration info to the stack<br />
int 0x80 ; blocks until the next frame<br />
<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
==== Method 2: signal handler ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming this is at the beginning of the program (all registers zeroed)<br />
call callback ; set up signal handler initially<br />
<br />
; assume eax < 65536, ebx = 1<br />
mov ax,0x103 ; timer_create<br />
dec ebx<br />
push ebx<br />
push 1 ; SIGHUP<br />
push ebx<br />
mov ecx,esp<br />
mov edx,esp<br />
int 0x80<br />
<br />
mov ax,0x104 ; timer_settime<br />
push 1000000000/50 ; 50 fps<br />
push ebx<br />
mov edx,esp<br />
int 0x80<br />
<br />
jmp $ ; loop forever<br />
<br />
callback:<br />
; assume eax < 256, ebx = 0<br />
mov al,0x30 ; signal<br />
inc ebx<br />
mov ecx,callback<br />
int 0x80 ; (re)install signal handler<br />
ret<br />
</syntaxhighlight><br />
<br />
=== Allocating memory ===<br />
<br />
On many Linux distros, the stack size is limited to 8MB by default. If this is not enough for your intro,<br />
it is possible to increase this stack limit or to allocate memory in the data segment.<br />
<br />
To allocate space in the data segment, you can use the brk system call (0x2d).<br />
This call takes in a memory address and attempts to set the value of the current ''program break'' to that address,<br />
then returns the new address. The program break is the smallest memory address that is beyond the data segment.<br />
By default, the data segment is zero bytes long.<br />
Unfortunately, on modern systems, the default value of the program break is <br />
randomized, so you can't just simply call brk with the amount of memory you want.<br />
Instead, you have to call brk with an address of zero to get the current program break,<br />
then add the amount of memory you want and call brk with the new address.<br />
The following code does this in 15 bytes.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
mov al,0x2d<br />
int 0x80<br />
xchg eax,ebx<br />
add ebx,0x1000000 ; allocate 16MB<br />
mov al,0x2d<br />
int 0x80<br />
; eax now contains the address of the program break, i.e.,<br />
; you can use memory from eax-0x1000000 to eax-1 (inclusive)<br />
</syntaxhighlight><br />
<br />
To increase the stack size limit, you can use the setrlimit (0x4b) system call.<br />
The following 11-byte snippet will remove the stack size limit completely.<br />
Note that in some cases the user will not have permission to do this.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
dec ecx ; ecx = -1 aka set size to 'unlimited'<br />
push ecx<br />
push ecx<br />
mov bl,3 ; RLIMIT_STACK<br />
mov ecx,esp ; pointer to data for call<br />
mov al,0x4b ; setrlimit<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
=== Self modifying code ===<br />
With the tiny ELF header we've been using, the code segment is not writable, and unfortunately we need to sacrifice some bytes to make it so.<br />
So, in many cases it's better to avoid using self modifying code. But, if you want to try it out, there are two ways to go about it.<br />
In the ELF header, the p_flags field stores the access permissions of the code memory (1=execute, 2=write, 4=read).<br />
In the tiny header, p_flags overlaps with e_phoff, and e_phoff (the offset of the program header from the beginning of the file) needs to be 4.<br />
So, the only option for p_flags is read-only (turns out that the execute bit doesn't matter, and it will be executable anyways).<br />
To make the code writable, we have to change p_flags to 7 (6 and 3 also accomplish the same thing because some are implied by others).<br />
To do this we can either use a less overlapped header, or we can use the mprotect syscall to change<br />
the permissions.<br />
<br />
See here for examples of some headers that allow you to change p_flags: http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html<br />
<br />
The mprotect method is as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
mov eax,0x7d ; mprotect<br />
mov ebx,$$ ; start address to change permissions for<br />
mov ecx,0x1000 ; number of bytes to change<br />
mov edx,7 ; new permissions<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
=== Getting the screen size ===<br />
<br />
A lot of Linux intros have the screen resolution hard-coded, and some include many executables in the release, each for a different screen resolution. If you have enough space, you can easily get the screen resolution using the <tt>ioctl</tt> syscall.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,0x36 ; ioctl<br />
mov ebx,0 ; ***PUT THE FILE DESCRIPTOR FOR /dev/fb0 HERE***<br />
xor ecx,ecx<br />
mov ch,0x46 ; FBIOGET_VSCREENINFO<br />
mov edx,esp<br />
int 0x80<br />
pop eax ; eax = horizontal resolution in pixels<br />
pop ebx ; ebx = vertical resolution in pixels<br />
</syntaxhighlight><br />
<br />
For more information about what you can do with ioctl on the framebuffer, see here: https://www.kernel.org/doc/html/latest/fb/api.html<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
* [https://www.onirom.fr/wiki/blog/25-09-2022_tiny_bitfield_based_text_renderer/ Tiny bitfield based text renderer]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=1011Linux2022-02-11T00:28:22Z<p>Byteobserver: /* Method 1: timerfd */</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old XOR pattern:<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method (method 1) is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method (method 2) uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers. Method 3, which saves some bytes over method 2 (especially when combined with visuals), is to use a shell based loader script.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+8] ; get pointer to environ. this assumes only one dword has been popped so far,<br />
; and that there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3: shell loader ===<br />
<br />
Everything we've seen so far has been focused on producing a "pure" ELF binary, to<br />
avoid the compatibility issues that plagued early Linux sizecoding techniques involving self compilation or<br />
binary patching. However, there is a way to embed the ELF binary in a shell script to<br />
save some bytes without sacrificing compatibility.<br />
<br />
In method 1, we effectively moved the audio device handling out of the intro and put the<br />
responsibility of connecting the intro to the audio device in the hands of the user.<br />
This is obviously not ideal, and in method 2 we fixed this by opening the audio device<br />
using syscalls. Here, we will use a hybrid approach. Our intro will appear to the<br />
operating system as a shell script, which when executed will unpack the intro to /tmp<br />
and then execute it, piping the output to aplay.<br />
<br />
The following example of this approach assembles to a 101-byte file.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay",10<br />
org $00010000-($-$$)<br />
top:<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd top ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
inc ebx ; we will write to stdout (1)<br />
main:<br />
mov edx,esi ; copy time into edx<br />
pop ecx ; grab previous sample from stack<br />
; bytebeat formula<br />
and ecx,edx<br />
shr edx,5<br />
mov ebp,entry ; useless, skips part of ELF header<br />
xor ecx,edx<br />
shr edx,5<br />
or ecx,edx<br />
push ecx ; write next sample<br />
<br />
mov ecx,esp ; pointer to audio data (the top byte of the stack)<br />
mov al,4 ; write syscall<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
inc esi ; increment time<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
Note that this code will leave a file in /tmp after it exits, and will also write a bunch of garbage (the binary) to the screen when it exits.<br />
Not only is this not very clean, but you may not be allowed to leave files around after your intro exits in some compos.<br />
To fix this, we can use the following (slightly longer) shell loader:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay;rm $_;exit",10<br />
</syntaxhighlight><br />
<br />
Let's pick apart the shell loader. Remember that in bash, $_ is the last argument passed to the previous command,<br />
and $0 is the filename of the current executable.<br />
<br />
<syntaxhighlight lang=shell><br />
cp $0 /tmp # copy the intro to /tmp<br />
sed -i 1d $_/$0 # remove the first line from the copy with sed (aka remove the loader)<br />
$_|aplay # execute the intro<br />
rm $_ # remove the copy<br />
exit # (so that the binary data which follows doesn't get executed)<br />
</syntaxhighlight><br />
<br />
==== Combining audio and video ====<br />
<br />
Although this method is already saving a lot of bytes, we haven't even gotten to the best part yet.<br />
We can use the shell loader to also set up the framebuffer for us and make it very convenient to use, by using only 10 extra bytes!<br />
To do this, just modify the loader as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_<>/dev/fb0|aplay",10<br />
</syntaxhighlight><br />
<br />
With this loader, you can use pwrite64 or mmap directly on file descriptor 0 (stdin) to write to the screen, and write to file descriptor 1 (stdout) to play audio.<br />
Just be careful to get the timing right if you're doing both audio and video, as the audio writes are blocking.<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Syncing audio with visuals is unfortunately not as easy as one would hope. Unlike many oldskool platforms, you can't just write audio and video data in your main loop and have everything work out nicely. The reason for this is that the audio is buffered with a relatively large buffer size, which is not easy to change. The effect of this is that audio writes will succeed instantly without blocking until about 1 second of audio has been written, and then the next write will block for about 1 second. This process then repeats. As you can imagine this means the visuals will run at about 1 FPS.<br />
<br />
Even if you know the exact audio buffer size, it doesn't really help to synchronize things because the synchronization will be dependent on the CPU speed (as well as how much CPU time background processes are taking, etc). In order to synchronize things properly you will need to use a timer. See the Limiting FPS section below for how to do this. You are looking at a cost of about 22 bytes for this timer at the very least.<br />
<br />
After you have a timer set up, you just need to decide on a target FPS and calculate how much audio you should write per frame. The general formula that you should write <tt>rate * channels * sample width in bytes / FPS</tt> bytes per frame. For example, if your intro runs at 50 FPS and your audio uses 16bit samples in stereo at 8000Hz, then you should write <tt>8000*2*2/50 = 640</tt> bytes of audio for every frame.<br />
<br />
== Miscellaneous Techniques ==<br />
<br />
=== Limiting FPS ===<br />
<br />
The framebuffer device /dev/fb0 will allow you to write to it as quickly as your CPU can manage,<br />
so your intro can run at different speeds depending on the CPU speed. To correct this, you can use<br />
a timer to limit FPS. Beyond limiting the frame rate, using a timer is seemingly necessary if you<br />
want to have synchronized sound and graphics (but more research is needed).<br />
<br />
We will describe two approaches to setting up a timer. The first method uses the <tt>sys_timerfd_*</tt><br />
syscalls, which creates a file descriptor where reads block until the timer expires.<br />
The second uses the <tt>sys_timer_*</tt> syscalls, which send signals that can be caught by installing a signal handler.<br />
The first method is usually smaller.<br />
<br />
==== Method 1: timerfd ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assume this is placed at the beginning of the program (all registers zeroed)<br />
timer:<br />
; NEW: smaller 18-byte setup!<br />
add ax,0x142<br />
push ecx<br />
mov edx,esp<br />
int 0x80<br />
push 1000000000/50 ; 50 fps<br />
add ebx,eax<br />
jns timer<br />
<br />
<br />
main:<br />
xor eax,eax<br />
mov al,3 ; read syscall<br />
mov ebx,eax ; file descriptor of timer<br />
mov dl,8 ; num bytes to read, edx can be any value >= 8<br />
mov ecx,esp ; write timer expiration info to the stack<br />
int 0x80 ; blocks until the next frame<br />
<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
==== Method 2: signal handler ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming this is at the beginning of the program (all registers zeroed)<br />
call callback ; set up signal handler initially<br />
<br />
; assume eax < 65536, ebx = 1<br />
mov ax,0x103 ; timer_create<br />
dec ebx<br />
push ebx<br />
push 1 ; SIGHUP<br />
push ebx<br />
mov ecx,esp<br />
mov edx,esp<br />
int 0x80<br />
<br />
mov ax,0x104 ; timer_settime<br />
push 1000000000/50 ; 50 fps<br />
push ebx<br />
mov edx,esp<br />
int 0x80<br />
<br />
jmp $ ; loop forever<br />
<br />
callback:<br />
; assume eax < 256, ebx = 0<br />
mov al,0x30 ; signal<br />
inc ebx<br />
mov ecx,callback<br />
int 0x80 ; (re)install signal handler<br />
ret<br />
</syntaxhighlight><br />
<br />
=== Allocating memory ===<br />
<br />
On many Linux distros, the stack size is limited to 8MB by default. If this is not enough for your intro,<br />
it is possible to increase this stack limit or to allocate memory in the data segment.<br />
<br />
To allocate space in the data segment, you can use the brk system call (0x2d).<br />
This call takes in a memory address and attempts to set the value of the current ''program break'' to that address,<br />
then returns the new address. The program break is the smallest memory address that is beyond the data segment.<br />
By default, the data segment is zero bytes long.<br />
Unfortunately, on modern systems, the default value of the program break is <br />
randomized, so you can't just simply call brk with the amount of memory you want.<br />
Instead, you have to call brk with an address of zero to get the current program break,<br />
then add the amount of memory you want and call brk with the new address.<br />
The following code does this in 15 bytes.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
mov al,0x2d<br />
int 0x80<br />
xchg eax,ebx<br />
add ebx,0x1000000 ; allocate 16MB<br />
mov al,0x2d<br />
int 0x80<br />
; eax now contains the address of the program break, i.e.,<br />
; you can use memory from eax-0x1000000 to eax-1 (inclusive)<br />
</syntaxhighlight><br />
<br />
To increase the stack size limit, you can use the setrlimit (0x4b) system call.<br />
The following 11-byte snippet will remove the stack size limit completely.<br />
Note that in some cases the user will not have permission to do this.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
dec ecx ; ecx = -1 aka set size to 'unlimited'<br />
push ecx<br />
push ecx<br />
mov bl,3 ; RLIMIT_STACK<br />
mov ecx,esp ; pointer to data for call<br />
mov al,0x4b ; setrlimit<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
=== Self modifying code ===<br />
With the tiny ELF header we've been using, the code segment is not writable, and unfortunately we need to sacrifice some bytes to make it so.<br />
So, in many cases it's better to avoid using self modifying code. But, if you want to try it out, there are two ways to go about it.<br />
In the ELF header, the p_flags field stores the access permissions of the code memory (1=execute, 2=write, 4=read).<br />
In the tiny header, p_flags overlaps with e_phoff, and e_phoff (the offset of the program header from the beginning of the file) needs to be 4.<br />
So, the only option for p_flags is read-only (turns out that the execute bit doesn't matter, and it will be executable anyways).<br />
To make the code writable, we have to change p_flags to 7 (6 and 3 also accomplish the same thing because some are implied by others).<br />
To do this we can either use a less overlapped header, or we can use the mprotect syscall to change<br />
the permissions.<br />
<br />
See here for examples of some headers that allow you to change p_flags: http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html<br />
<br />
The mprotect method is as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
mov eax,0x7d ; mprotect<br />
mov ebx,$$ ; start address to change permissions for<br />
mov ecx,0x1000 ; number of bytes to change<br />
mov edx,7 ; new permissions<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
=== Getting the screen size ===<br />
<br />
A lot of Linux intros have the screen resolution hard-coded, and some include many executables in the release, each for a different screen resolution. If you have enough space, you can easily get the screen resolution using the <tt>ioctl</tt> syscall.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,0x36 ; ioctl<br />
mov ebx,0 ; ***PUT THE FILE DESCRIPTOR FOR /dev/fb0 HERE***<br />
xor ecx,ecx<br />
mov ch,0x46 ; FBIOGET_VSCREENINFO<br />
mov edx,esp<br />
int 0x80<br />
pop eax ; eax = horizontal resolution in pixels<br />
pop ebx ; ebx = vertical resolution in pixels<br />
</syntaxhighlight><br />
<br />
For more information about what you can do with ioctl on the framebuffer, see here: https://www.kernel.org/doc/html/latest/fb/api.html<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=1010Linux2022-02-10T16:58:31Z<p>Byteobserver: /* Method 1: timerfd */ smaller setup code for timerfd</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old XOR pattern:<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method (method 1) is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method (method 2) uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers. Method 3, which saves some bytes over method 2 (especially when combined with visuals), is to use a shell based loader script.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+8] ; get pointer to environ. this assumes only one dword has been popped so far,<br />
; and that there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3: shell loader ===<br />
<br />
Everything we've seen so far has been focused on producing a "pure" ELF binary, to<br />
avoid the compatibility issues that plagued early Linux sizecoding techniques involving self compilation or<br />
binary patching. However, there is a way to embed the ELF binary in a shell script to<br />
save some bytes without sacrificing compatibility.<br />
<br />
In method 1, we effectively moved the audio device handling out of the intro and put the<br />
responsibility of connecting the intro to the audio device in the hands of the user.<br />
This is obviously not ideal, and in method 2 we fixed this by opening the audio device<br />
using syscalls. Here, we will use a hybrid approach. Our intro will appear to the<br />
operating system as a shell script, which when executed will unpack the intro to /tmp<br />
and then execute it, piping the output to aplay.<br />
<br />
The following example of this approach assembles to a 101-byte file.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay",10<br />
org $00010000-($-$$)<br />
top:<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd top ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
inc ebx ; we will write to stdout (1)<br />
main:<br />
mov edx,esi ; copy time into edx<br />
pop ecx ; grab previous sample from stack<br />
; bytebeat formula<br />
and ecx,edx<br />
shr edx,5<br />
mov ebp,entry ; useless, skips part of ELF header<br />
xor ecx,edx<br />
shr edx,5<br />
or ecx,edx<br />
push ecx ; write next sample<br />
<br />
mov ecx,esp ; pointer to audio data (the top byte of the stack)<br />
mov al,4 ; write syscall<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
inc esi ; increment time<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
Note that this code will leave a file in /tmp after it exits, and will also write a bunch of garbage (the binary) to the screen when it exits.<br />
Not only is this not very clean, but you may not be allowed to leave files around after your intro exits in some compos.<br />
To fix this, we can use the following (slightly longer) shell loader:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay;rm $_;exit",10<br />
</syntaxhighlight><br />
<br />
Let's pick apart the shell loader. Remember that in bash, $_ is the last argument passed to the previous command,<br />
and $0 is the filename of the current executable.<br />
<br />
<syntaxhighlight lang=shell><br />
cp $0 /tmp # copy the intro to /tmp<br />
sed -i 1d $_/$0 # remove the first line from the copy with sed (aka remove the loader)<br />
$_|aplay # execute the intro<br />
rm $_ # remove the copy<br />
exit # (so that the binary data which follows doesn't get executed)<br />
</syntaxhighlight><br />
<br />
==== Combining audio and video ====<br />
<br />
Although this method is already saving a lot of bytes, we haven't even gotten to the best part yet.<br />
We can use the shell loader to also set up the framebuffer for us and make it very convenient to use, by using only 10 extra bytes!<br />
To do this, just modify the loader as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_<>/dev/fb0|aplay",10<br />
</syntaxhighlight><br />
<br />
With this loader, you can use pwrite64 or mmap directly on file descriptor 0 (stdin) to write to the screen, and write to file descriptor 1 (stdout) to play audio.<br />
Just be careful to get the timing right if you're doing both audio and video, as the audio writes are blocking.<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Syncing audio with visuals is unfortunately not as easy as one would hope. Unlike many oldskool platforms, you can't just write audio and video data in your main loop and have everything work out nicely. The reason for this is that the audio is buffered with a relatively large buffer size, which is not easy to change. The effect of this is that audio writes will succeed instantly without blocking until about 1 second of audio has been written, and then the next write will block for about 1 second. This process then repeats. As you can imagine this means the visuals will run at about 1 FPS.<br />
<br />
Even if you know the exact audio buffer size, it doesn't really help to synchronize things because the synchronization will be dependent on the CPU speed (as well as how much CPU time background processes are taking, etc). In order to synchronize things properly you will need to use a timer. See the Limiting FPS section below for how to do this. You are looking at a cost of about 22 bytes for this timer at the very least.<br />
<br />
After you have a timer set up, you just need to decide on a target FPS and calculate how much audio you should write per frame. The general formula that you should write <tt>rate * channels * sample width in bytes / FPS</tt> bytes per frame. For example, if your intro runs at 50 FPS and your audio uses 16bit samples in stereo at 8000Hz, then you should write <tt>8000*2*2/50 = 640</tt> bytes of audio for every frame.<br />
<br />
== Miscellaneous Techniques ==<br />
<br />
=== Limiting FPS ===<br />
<br />
The framebuffer device /dev/fb0 will allow you to write to it as quickly as your CPU can manage,<br />
so your intro can run at different speeds depending on the CPU speed. To correct this, you can use<br />
a timer to limit FPS. Beyond limiting the frame rate, using a timer is seemingly necessary if you<br />
want to have synchronized sound and graphics (but more research is needed).<br />
<br />
We will describe two approaches to setting up a timer. The first method uses the <tt>sys_timerfd_*</tt><br />
syscalls, which creates a file descriptor where reads block until the timer expires.<br />
The second uses the <tt>sys_timer_*</tt> syscalls, which send signals that can be caught by installing a signal handler.<br />
The first method is usually smaller.<br />
<br />
==== Method 1: timerfd ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assume this is placed at the beginning of the program (all registers zeroed)<br />
timer:<br />
; NEW: smaller 18-byte setup!<br />
add ax,0x142<br />
push ecx<br />
mov edx,esp<br />
int 0x80<br />
push 1000000000/50 ; 50 fps<br />
add ebx,eax<br />
jns timer<br />
<br />
<br />
main:<br />
xor eax,eax<br />
mov al,3 ; read syscall<br />
mov ebx,eax ; file descriptor of timer<br />
mov dl,8 ; num bytes to read, edx can be any value >= 8<br />
mov ecx,esp ; write timer expiration info to the stack<br />
int 0x80<br />
<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
==== Method 2: signal handler ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming this is at the beginning of the program (all registers zeroed)<br />
call callback ; set up signal handler initially<br />
<br />
; assume eax < 65536, ebx = 1<br />
mov ax,0x103 ; timer_create<br />
dec ebx<br />
push ebx<br />
push 1 ; SIGHUP<br />
push ebx<br />
mov ecx,esp<br />
mov edx,esp<br />
int 0x80<br />
<br />
mov ax,0x104 ; timer_settime<br />
push 1000000000/50 ; 50 fps<br />
push ebx<br />
mov edx,esp<br />
int 0x80<br />
<br />
jmp $ ; loop forever<br />
<br />
callback:<br />
; assume eax < 256, ebx = 0<br />
mov al,0x30 ; signal<br />
inc ebx<br />
mov ecx,callback<br />
int 0x80 ; (re)install signal handler<br />
ret<br />
</syntaxhighlight><br />
<br />
=== Allocating memory ===<br />
<br />
On many Linux distros, the stack size is limited to 8MB by default. If this is not enough for your intro,<br />
it is possible to increase this stack limit or to allocate memory in the data segment.<br />
<br />
To allocate space in the data segment, you can use the brk system call (0x2d).<br />
This call takes in a memory address and attempts to set the value of the current ''program break'' to that address,<br />
then returns the new address. The program break is the smallest memory address that is beyond the data segment.<br />
By default, the data segment is zero bytes long.<br />
Unfortunately, on modern systems, the default value of the program break is <br />
randomized, so you can't just simply call brk with the amount of memory you want.<br />
Instead, you have to call brk with an address of zero to get the current program break,<br />
then add the amount of memory you want and call brk with the new address.<br />
The following code does this in 15 bytes.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
mov al,0x2d<br />
int 0x80<br />
xchg eax,ebx<br />
add ebx,0x1000000 ; allocate 16MB<br />
mov al,0x2d<br />
int 0x80<br />
; eax now contains the address of the program break, i.e.,<br />
; you can use memory from eax-0x1000000 to eax-1 (inclusive)<br />
</syntaxhighlight><br />
<br />
To increase the stack size limit, you can use the setrlimit (0x4b) system call.<br />
The following 11-byte snippet will remove the stack size limit completely.<br />
Note that in some cases the user will not have permission to do this.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
dec ecx ; ecx = -1 aka set size to 'unlimited'<br />
push ecx<br />
push ecx<br />
mov bl,3 ; RLIMIT_STACK<br />
mov ecx,esp ; pointer to data for call<br />
mov al,0x4b ; setrlimit<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
=== Self modifying code ===<br />
With the tiny ELF header we've been using, the code segment is not writable, and unfortunately we need to sacrifice some bytes to make it so.<br />
So, in many cases it's better to avoid using self modifying code. But, if you want to try it out, there are two ways to go about it.<br />
In the ELF header, the p_flags field stores the access permissions of the code memory (1=execute, 2=write, 4=read).<br />
In the tiny header, p_flags overlaps with e_phoff, and e_phoff (the offset of the program header from the beginning of the file) needs to be 4.<br />
So, the only option for p_flags is read-only (turns out that the execute bit doesn't matter, and it will be executable anyways).<br />
To make the code writable, we have to change p_flags to 7 (6 and 3 also accomplish the same thing because some are implied by others).<br />
To do this we can either use a less overlapped header, or we can use the mprotect syscall to change<br />
the permissions.<br />
<br />
See here for examples of some headers that allow you to change p_flags: http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html<br />
<br />
The mprotect method is as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
mov eax,0x7d ; mprotect<br />
mov ebx,$$ ; start address to change permissions for<br />
mov ecx,0x1000 ; number of bytes to change<br />
mov edx,7 ; new permissions<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
=== Getting the screen size ===<br />
<br />
A lot of Linux intros have the screen resolution hard-coded, and some include many executables in the release, each for a different screen resolution. If you have enough space, you can easily get the screen resolution using the <tt>ioctl</tt> syscall.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,0x36 ; ioctl<br />
mov ebx,0 ; ***PUT THE FILE DESCRIPTOR FOR /dev/fb0 HERE***<br />
xor ecx,ecx<br />
mov ch,0x46 ; FBIOGET_VSCREENINFO<br />
mov edx,esp<br />
int 0x80<br />
pop eax ; eax = horizontal resolution in pixels<br />
pop ebx ; ebx = vertical resolution in pixels<br />
</syntaxhighlight><br />
<br />
For more information about what you can do with ioctl on the framebuffer, see here: https://www.kernel.org/doc/html/latest/fb/api.html<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=File_format&diff=1009File format2022-02-10T16:41:15Z<p>Byteobserver: /* Linux */ add details of Linux ELF file format</p>
<hr />
<div>=File formats=<br />
<br />
File formats describe the content of a file. <br />
<br />
This page is not about:<br />
* File systems which organize files on a partition<br />
* Disk images which save a (disk) file system within one file<br />
* Tape file formats, as they have a higher overhead usually<br />
<br />
==IBM PC==<br />
<br />
===COM===<br />
System: MS-DOS<br />
<br />
Header: 0 bytes see [https://en.wikipedia.org/wiki/COM_file here]<br />
<br />
Native size unit: Bytes<br />
<br />
Loads to: 0100h<br />
<br />
Starts at: <br />
<br />
File extension: .com<br />
<br />
===EXE===<br />
System: Windows<br />
<br />
Header: 200+<br />
<br />
Native size unit: Bytes<br />
<br />
Loads to: <br />
<br />
Starts at: <br />
<br />
File extension: .exe<br />
<br />
===ELF===<br />
System: Linux<br />
<br />
Header: 45 - 100+<br />
<br />
Native size unit: Bytes<br />
<br />
Loads to: Random location (see [https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux here])<br />
<br />
Starts at: from 0x10000 to around 0x80000000 for 32bit binaries<br />
<br />
File extension: none<br />
<br />
==Atari ST==<br />
===TOS===<br />
System: Atari ST<br />
<br />
Header: 32 Bytes <br />
<br />
Native size unit: ???<br />
<br />
Loads to: <br />
<br />
Starts at: <br />
<br />
File extension: <br />
<br />
<br />
==Amiga==<br />
===...===<br />
System: Amiga<br />
<br />
Header: <br />
<br />
Native size unit: ???<br />
<br />
Loads to: <br />
<br />
Starts at: <br />
<br />
File extension: <br />
<br />
==Commodore 64==<br />
===PRG===<br />
System: CBM-DOS (Commodore, e.g. C64)<br />
<br />
Header: 2 bytes (= start address)<br />
<br />
Native size unit: Blocks (256 bytes including 2 bytes linking to next block)<br />
<br />
Loads to: given address in header<br />
<br />
Starts at: given address in header<br />
<br />
File extension: .prg<br />
<br />
===P00===<br />
System: CBM-DOS / PC64 Emulator<br />
<br />
Header: extended 26 bytes; also includes the name; see [http://unusedino.de/ec64/technical/formats/pc64.html here]<br />
<br />
Native size unit: Blocks<br />
<br />
Loads to: given address in header<br />
<br />
Starts at: given address in header<br />
<br />
File extension: .p00<br />
<br />
==Atari 8bit==<br />
===XEX, EXE, COM===<br />
System: Atari<br />
<br />
Header: 6 bytes or more (FF FF <start address> <end address>); see also [https://www.atarimax.com/jindroush.atari.org/afmtexe.html here]<br />
<br />
Native size unit: ???<br />
<br />
Loads to: given start address in header<br />
<br />
Starts at: given end address in header<br />
<br />
File extension: .exe .com .xex (any ending possible)<br />
<br />
==Amstrad==<br />
===BIN===<br />
System: AMSDOS (Amstrad CPC)<br />
<br />
Header: 128 bytes (includes filename, start address, end address, etc.; 95 unused bytes; see also [https://www.cpcwiki.eu/index.php/AMSDOS_Header AMSDOS-Header]<br />
<br />
Native size unit: kb <br />
<br />
Loads to: given start address in header<br />
<br />
Starts at: given end address in header<br />
<br />
File extension: .bin (on PC)<br />
<br />
==Spectrum==<br />
===Binary===<br />
System: ZX Spectrum<br />
<br />
Header: none<br />
<br />
Native size unit: ???<br />
<br />
Loads to: special loader required; usually a BASIC program<br />
<br />
Starts at: see above<br />
<br />
File extension: ??? usually delivered within a disk image (.trd)</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=988Linux2021-12-27T21:48:45Z<p>Byteobserver: /* Getting something on screen */ Typo</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old XOR pattern:<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method (method 1) is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method (method 2) uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers. Method 3, which saves some bytes over method 2 (especially when combined with visuals), is to use a shell based loader script.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+8] ; get pointer to environ. this assumes only one dword has been popped so far,<br />
; and that there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3: shell loader ===<br />
<br />
Everything we've seen so far has been focused on producing a "pure" ELF binary, to<br />
avoid the compatibility issues that plagued early Linux sizecoding techniques involving self compilation or<br />
binary patching. However, there is a way to embed the ELF binary in a shell script to<br />
save some bytes without sacrificing compatibility.<br />
<br />
In method 1, we effectively moved the audio device handling out of the intro and put the<br />
responsibility of connecting the intro to the audio device in the hands of the user.<br />
This is obviously not ideal, and in method 2 we fixed this by opening the audio device<br />
using syscalls. Here, we will use a hybrid approach. Our intro will appear to the<br />
operating system as a shell script, which when executed will unpack the intro to /tmp<br />
and then execute it, piping the output to aplay.<br />
<br />
The following example of this approach assembles to a 101-byte file.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay",10<br />
org $00010000-($-$$)<br />
top:<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd top ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
inc ebx ; we will write to stdout (1)<br />
main:<br />
mov edx,esi ; copy time into edx<br />
pop ecx ; grab previous sample from stack<br />
; bytebeat formula<br />
and ecx,edx<br />
shr edx,5<br />
mov ebp,entry ; useless, skips part of ELF header<br />
xor ecx,edx<br />
shr edx,5<br />
or ecx,edx<br />
push ecx ; write next sample<br />
<br />
mov ecx,esp ; pointer to audio data (the top byte of the stack)<br />
mov al,4 ; write syscall<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
inc esi ; increment time<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
Note that this code will leave a file in /tmp after it exits, and will also write a bunch of garbage (the binary) to the screen when it exits.<br />
Not only is this not very clean, but you may not be allowed to leave files around after your intro exits in some compos.<br />
To fix this, we can use the following (slightly longer) shell loader:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay;rm $_;exit",10<br />
</syntaxhighlight><br />
<br />
Let's pick apart the shell loader. Remember that in bash, $_ is the last argument passed to the previous command,<br />
and $0 is the filename of the current executable.<br />
<br />
<syntaxhighlight lang=shell><br />
cp $0 /tmp # copy the intro to /tmp<br />
sed -i 1d $_/$0 # remove the first line from the copy with sed (aka remove the loader)<br />
$_|aplay # execute the intro<br />
rm $_ # remove the copy<br />
exit # (so that the binary data which follows doesn't get executed)<br />
</syntaxhighlight><br />
<br />
==== Combining audio and video ====<br />
<br />
Although this method is already saving a lot of bytes, we haven't even gotten to the best part yet.<br />
We can use the shell loader to also set up the framebuffer for us and make it very convenient to use, by using only 10 extra bytes!<br />
To do this, just modify the loader as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_<>/dev/fb0|aplay",10<br />
</syntaxhighlight><br />
<br />
With this loader, you can use pwrite64 or mmap directly on file descriptor 0 (stdin) to write to the screen, and write to file descriptor 1 (stdout) to play audio.<br />
Just be careful to get the timing right if you're doing both audio and video, as the audio writes are blocking.<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Syncing audio with visuals is unfortunately not as easy as one would hope. Unlike many oldskool platforms, you can't just write audio and video data in your main loop and have everything work out nicely. The reason for this is that the audio is buffered with a relatively large buffer size, which is not easy to change. The effect of this is that audio writes will succeed instantly without blocking until about 1 second of audio has been written, and then the next write will block for about 1 second. This process then repeats. As you can imagine this means the visuals will run at about 1 FPS.<br />
<br />
Even if you know the exact audio buffer size, it doesn't really help to synchronize things because the synchronization will be dependent on the CPU speed (as well as how much CPU time background processes are taking, etc). In order to synchronize things properly you will need to use a timer. See the Limiting FPS section below for how to do this. You are looking at a cost of about 22 bytes for this timer at the very least.<br />
<br />
After you have a timer set up, you just need to decide on a target FPS and calculate how much audio you should write per frame. The general formula that you should write <tt>rate * channels * sample width in bytes / FPS</tt> bytes per frame. For example, if your intro runs at 50 FPS and your audio uses 16bit samples in stereo at 8000Hz, then you should write <tt>8000*2*2/50 = 640</tt> bytes of audio for every frame.<br />
<br />
== Miscellaneous Techniques ==<br />
<br />
=== Limiting FPS ===<br />
<br />
The framebuffer device /dev/fb0 will allow you to write to it as quickly as your CPU can manage,<br />
so your intro can run at different speeds depending on the CPU speed. To correct this, you can use<br />
a timer to limit FPS. Beyond limiting the frame rate, using a timer is seemingly necessary if you<br />
want to have synchronized sound and graphics (but more research is needed).<br />
<br />
We will describe two approaches to setting up a timer. The first method uses the <tt>sys_timerfd_*</tt><br />
syscalls, which creates a file descriptor where reads block until the timer expires.<br />
The second uses the <tt>sys_timer_*</tt> syscalls, which send signals that can be caught by installing a signal handler.<br />
The first method is usually smaller.<br />
<br />
==== Method 1: timerfd ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assume this is placed at the beginning of the program (all registers zeroed)<br />
mov ax,0x142 ; timerfd_create<br />
int 0x80<br />
<br />
mov ax,0x145 ; timerfd_settime<br />
push ebx<br />
push 1000000000/50 ; 50 fps<br />
push ebx<br />
mov bl,3 ; file descriptor of timer (returned by timerfd_create)<br />
mov edx,esp<br />
int 0x80<br />
<br />
main:<br />
; assume eax < 256, ebx = 3, edx >= 8<br />
mov al,3<br />
mov ecx,esp<br />
int 0x80 ; block until next frame<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
==== Method 2: signal handler ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming this is at the beginning of the program (all registers zeroed)<br />
call callback ; set up signal handler initially<br />
<br />
; assume eax < 65536, ebx = 1<br />
mov ax,0x103 ; timer_create<br />
dec ebx<br />
push ebx<br />
push 1 ; SIGHUP<br />
push ebx<br />
mov ecx,esp<br />
mov edx,esp<br />
int 0x80<br />
<br />
mov ax,0x104 ; timer_settime<br />
push 1000000000/50 ; 50 fps<br />
push ebx<br />
mov edx,esp<br />
int 0x80<br />
<br />
jmp $ ; loop forever<br />
<br />
callback:<br />
; assume eax < 256, ebx = 0<br />
mov al,0x30 ; signal<br />
inc ebx<br />
mov ecx,callback<br />
int 0x80 ; (re)install signal handler<br />
ret<br />
</syntaxhighlight><br />
<br />
=== Allocating memory ===<br />
<br />
On many Linux distros, the stack size is limited to 8MB by default. If this is not enough for your intro,<br />
it is possible to increase this stack limit or to allocate memory in the data segment.<br />
<br />
To allocate space in the data segment, you can use the brk system call (0x2d).<br />
This call takes in a memory address and attempts to set the value of the current ''program break'' to that address,<br />
then returns the new address. The program break is the smallest memory address that is beyond the data segment.<br />
By default, the data segment is zero bytes long.<br />
Unfortunately, on modern systems, the default value of the program break is <br />
randomized, so you can't just simply call brk with the amount of memory you want.<br />
Instead, you have to call brk with an address of zero to get the current program break,<br />
then add the amount of memory you want and call brk with the new address.<br />
The following code does this in 15 bytes.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
mov al,0x2d<br />
int 0x80<br />
xchg eax,ebx<br />
add ebx,0x1000000 ; allocate 16MB<br />
mov al,0x2d<br />
int 0x80<br />
; eax now contains the address of the program break, i.e.,<br />
; you can use memory from eax-0x1000000 to eax-1 (inclusive)<br />
</syntaxhighlight><br />
<br />
To increase the stack size limit, you can use the setrlimit (0x4b) system call.<br />
The following 11-byte snippet will remove the stack size limit completely.<br />
Note that in some cases the user will not have permission to do this.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
dec ecx ; ecx = -1 aka set size to 'unlimited'<br />
push ecx<br />
push ecx<br />
mov bl,3 ; RLIMIT_STACK<br />
mov ecx,esp ; pointer to data for call<br />
mov al,0x4b ; setrlimit<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
=== Self modifying code ===<br />
With the tiny ELF header we've been using, the code segment is not writable, and unfortunately we need to sacrifice some bytes to make it so.<br />
So, in many cases it's better to avoid using self modifying code. But, if you want to try it out, there are two ways to go about it.<br />
In the ELF header, the p_flags field stores the access permissions of the code memory (1=execute, 2=write, 4=read).<br />
In the tiny header, p_flags overlaps with e_phoff, and e_phoff (the offset of the program header from the beginning of the file) needs to be 4.<br />
So, the only option for p_flags is read-only (turns out that the execute bit doesn't matter, and it will be executable anyways).<br />
To make the code writable, we have to change p_flags to 7 (6 and 3 also accomplish the same thing because some are implied by others).<br />
To do this we can either use a less overlapped header, or we can use the mprotect syscall to change<br />
the permissions.<br />
<br />
See here for examples of some headers that allow you to change p_flags: http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html<br />
<br />
The mprotect method is as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
mov eax,0x7d ; mprotect<br />
mov ebx,$$ ; start address to change permissions for<br />
mov ecx,0x1000 ; number of bytes to change<br />
mov edx,7 ; new permissions<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
=== Getting the screen size ===<br />
<br />
A lot of Linux intros have the screen resolution hard-coded, and some include many executables in the release, each for a different screen resolution. If you have enough space, you can easily get the screen resolution using the <tt>ioctl</tt> syscall.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,0x36 ; ioctl<br />
mov ebx,0 ; ***PUT THE FILE DESCRIPTOR FOR /dev/fb0 HERE***<br />
xor ecx,ecx<br />
mov ch,0x46 ; FBIOGET_VSCREENINFO<br />
mov edx,esp<br />
int 0x80<br />
pop eax ; eax = horizontal resolution in pixels<br />
pop ebx ; ebx = vertical resolution in pixels<br />
</syntaxhighlight><br />
<br />
For more information about what you can do with ioctl on the framebuffer, see here: https://www.kernel.org/doc/html/latest/fb/api.html<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=986Linux2021-12-27T21:36:18Z<p>Byteobserver: /* Syncing audio with visuals */</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method (method 1) is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method (method 2) uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers. Method 3, which saves some bytes over method 2 (especially when combined with visuals), is to use a shell based loader script.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+8] ; get pointer to environ. this assumes only one dword has been popped so far,<br />
; and that there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3: shell loader ===<br />
<br />
Everything we've seen so far has been focused on producing a "pure" ELF binary, to<br />
avoid the compatibility issues that plagued early Linux sizecoding techniques involving self compilation or<br />
binary patching. However, there is a way to embed the ELF binary in a shell script to<br />
save some bytes without sacrificing compatibility.<br />
<br />
In method 1, we effectively moved the audio device handling out of the intro and put the<br />
responsibility of connecting the intro to the audio device in the hands of the user.<br />
This is obviously not ideal, and in method 2 we fixed this by opening the audio device<br />
using syscalls. Here, we will use a hybrid approach. Our intro will appear to the<br />
operating system as a shell script, which when executed will unpack the intro to /tmp<br />
and then execute it, piping the output to aplay.<br />
<br />
The following example of this approach assembles to a 101-byte file.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay",10<br />
org $00010000-($-$$)<br />
top:<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd top ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
inc ebx ; we will write to stdout (1)<br />
main:<br />
mov edx,esi ; copy time into edx<br />
pop ecx ; grab previous sample from stack<br />
; bytebeat formula<br />
and ecx,edx<br />
shr edx,5<br />
mov ebp,entry ; useless, skips part of ELF header<br />
xor ecx,edx<br />
shr edx,5<br />
or ecx,edx<br />
push ecx ; write next sample<br />
<br />
mov ecx,esp ; pointer to audio data (the top byte of the stack)<br />
mov al,4 ; write syscall<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
inc esi ; increment time<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
Note that this code will leave a file in /tmp after it exits, and will also write a bunch of garbage (the binary) to the screen when it exits.<br />
Not only is this not very clean, but you may not be allowed to leave files around after your intro exits in some compos.<br />
To fix this, we can use the following (slightly longer) shell loader:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay;rm $_;exit",10<br />
</syntaxhighlight><br />
<br />
Let's pick apart the shell loader. Remember that in bash, $_ is the last argument passed to the previous command,<br />
and $0 is the filename of the current executable.<br />
<br />
<syntaxhighlight lang=shell><br />
cp $0 /tmp # copy the intro to /tmp<br />
sed -i 1d $_/$0 # remove the first line from the copy with sed (aka remove the loader)<br />
$_|aplay # execute the intro<br />
rm $_ # remove the copy<br />
exit # (so that the binary data which follows doesn't get executed)<br />
</syntaxhighlight><br />
<br />
==== Combining audio and video ====<br />
<br />
Although this method is already saving a lot of bytes, we haven't even gotten to the best part yet.<br />
We can use the shell loader to also set up the framebuffer for us and make it very convenient to use, by using only 10 extra bytes!<br />
To do this, just modify the loader as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_<>/dev/fb0|aplay",10<br />
</syntaxhighlight><br />
<br />
With this loader, you can use pwrite64 or mmap directly on file descriptor 0 (stdin) to write to the screen, and write to file descriptor 1 (stdout) to play audio.<br />
Just be careful to get the timing right if you're doing both audio and video, as the audio writes are blocking.<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Syncing audio with visuals is unfortunately not as easy as one would hope. Unlike many oldskool platforms, you can't just write audio and video data in your main loop and have everything work out nicely. The reason for this is that the audio is buffered with a relatively large buffer size, which is not easy to change. The effect of this is that audio writes will succeed instantly without blocking until about 1 second of audio has been written, and then the next write will block for about 1 second. This process then repeats. As you can imagine this means the visuals will run at about 1 FPS.<br />
<br />
Even if you know the exact audio buffer size, it doesn't really help to synchronize things because the synchronization will be dependent on the CPU speed (as well as how much CPU time background processes are taking, etc). In order to synchronize things properly you will need to use a timer. See the Limiting FPS section below for how to do this. You are looking at a cost of about 22 bytes for this timer at the very least.<br />
<br />
After you have a timer set up, you just need to decide on a target FPS and calculate how much audio you should write per frame. The general formula that you should write <tt>rate * channels * sample width in bytes / FPS</tt> bytes per frame. For example, if your intro runs at 50 FPS and your audio uses 16bit samples in stereo at 8000Hz, then you should write <tt>8000*2*2/50 = 640</tt> bytes of audio for every frame.<br />
<br />
== Miscellaneous Techniques ==<br />
<br />
=== Limiting FPS ===<br />
<br />
The framebuffer device /dev/fb0 will allow you to write to it as quickly as your CPU can manage,<br />
so your intro can run at different speeds depending on the CPU speed. To correct this, you can use<br />
a timer to limit FPS. Beyond limiting the frame rate, using a timer is seemingly necessary if you<br />
want to have synchronized sound and graphics (but more research is needed).<br />
<br />
We will describe two approaches to setting up a timer. The first method uses the <tt>sys_timerfd_*</tt><br />
syscalls, which creates a file descriptor where reads block until the timer expires.<br />
The second uses the <tt>sys_timer_*</tt> syscalls, which send signals that can be caught by installing a signal handler.<br />
The first method is usually smaller.<br />
<br />
==== Method 1: timerfd ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assume this is placed at the beginning of the program (all registers zeroed)<br />
mov ax,0x142 ; timerfd_create<br />
int 0x80<br />
<br />
mov ax,0x145 ; timerfd_settime<br />
push ebx<br />
push 1000000000/50 ; 50 fps<br />
push ebx<br />
mov bl,3 ; file descriptor of timer (returned by timerfd_create)<br />
mov edx,esp<br />
int 0x80<br />
<br />
main:<br />
; assume eax < 256, ebx = 3, edx >= 8<br />
mov al,3<br />
mov ecx,esp<br />
int 0x80 ; block until next frame<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
==== Method 2: signal handler ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming this is at the beginning of the program (all registers zeroed)<br />
call callback ; set up signal handler initially<br />
<br />
; assume eax < 65536, ebx = 1<br />
mov ax,0x103 ; timer_create<br />
dec ebx<br />
push ebx<br />
push 1 ; SIGHUP<br />
push ebx<br />
mov ecx,esp<br />
mov edx,esp<br />
int 0x80<br />
<br />
mov ax,0x104 ; timer_settime<br />
push 1000000000/50 ; 50 fps<br />
push ebx<br />
mov edx,esp<br />
int 0x80<br />
<br />
jmp $ ; loop forever<br />
<br />
callback:<br />
; assume eax < 256, ebx = 0<br />
mov al,0x30 ; signal<br />
inc ebx<br />
mov ecx,callback<br />
int 0x80 ; (re)install signal handler<br />
ret<br />
</syntaxhighlight><br />
<br />
=== Allocating memory ===<br />
<br />
On many Linux distros, the stack size is limited to 8MB by default. If this is not enough for your intro,<br />
it is possible to increase this stack limit or to allocate memory in the data segment.<br />
<br />
To allocate space in the data segment, you can use the brk system call (0x2d).<br />
This call takes in a memory address and attempts to set the value of the current ''program break'' to that address,<br />
then returns the new address. The program break is the smallest memory address that is beyond the data segment.<br />
By default, the data segment is zero bytes long.<br />
Unfortunately, on modern systems, the default value of the program break is <br />
randomized, so you can't just simply call brk with the amount of memory you want.<br />
Instead, you have to call brk with an address of zero to get the current program break,<br />
then add the amount of memory you want and call brk with the new address.<br />
The following code does this in 15 bytes.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
mov al,0x2d<br />
int 0x80<br />
xchg eax,ebx<br />
add ebx,0x1000000 ; allocate 16MB<br />
mov al,0x2d<br />
int 0x80<br />
; eax now contains the address of the program break, i.e.,<br />
; you can use memory from eax-0x1000000 to eax-1 (inclusive)<br />
</syntaxhighlight><br />
<br />
To increase the stack size limit, you can use the setrlimit (0x4b) system call.<br />
The following 11-byte snippet will remove the stack size limit completely.<br />
Note that in some cases the user will not have permission to do this.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
dec ecx ; ecx = -1 aka set size to 'unlimited'<br />
push ecx<br />
push ecx<br />
mov bl,3 ; RLIMIT_STACK<br />
mov ecx,esp ; pointer to data for call<br />
mov al,0x4b ; setrlimit<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
=== Self modifying code ===<br />
With the tiny ELF header we've been using, the code segment is not writable, and unfortunately we need to sacrifice some bytes to make it so.<br />
So, in many cases it's better to avoid using self modifying code. But, if you want to try it out, there are two ways to go about it.<br />
In the ELF header, the p_flags field stores the access permissions of the code memory (1=execute, 2=write, 4=read).<br />
In the tiny header, p_flags overlaps with e_phoff, and e_phoff (the offset of the program header from the beginning of the file) needs to be 4.<br />
So, the only option for p_flags is read-only (turns out that the execute bit doesn't matter, and it will be executable anyways).<br />
To make the code writable, we have to change p_flags to 7 (6 and 3 also accomplish the same thing because some are implied by others).<br />
To do this we can either use a less overlapped header, or we can use the mprotect syscall to change<br />
the permissions.<br />
<br />
See here for examples of some headers that allow you to change p_flags: http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html<br />
<br />
The mprotect method is as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
mov eax,0x7d ; mprotect<br />
mov ebx,$$ ; start address to change permissions for<br />
mov ecx,0x1000 ; number of bytes to change<br />
mov edx,7 ; new permissions<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
=== Getting the screen size ===<br />
<br />
A lot of Linux intros have the screen resolution hard-coded, and some include many executables in the release, each for a different screen resolution. If you have enough space, you can easily get the screen resolution using the <tt>ioctl</tt> syscall.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,0x36 ; ioctl<br />
mov ebx,0 ; ***PUT THE FILE DESCRIPTOR FOR /dev/fb0 HERE***<br />
xor ecx,ecx<br />
mov ch,0x46 ; FBIOGET_VSCREENINFO<br />
mov edx,esp<br />
int 0x80<br />
pop eax ; eax = horizontal resolution in pixels<br />
pop ebx ; ebx = vertical resolution in pixels<br />
</syntaxhighlight><br />
<br />
For more information about what you can do with ioctl on the framebuffer, see here: https://www.kernel.org/doc/html/latest/fb/api.html<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=985Linux2021-12-27T21:14:32Z<p>Byteobserver: /* Getting the screen size */ Fix typo</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method (method 1) is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method (method 2) uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers. Method 3, which saves some bytes over method 2 (especially when combined with visuals), is to use a shell based loader script.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+8] ; get pointer to environ. this assumes only one dword has been popped so far,<br />
; and that there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3: shell loader ===<br />
<br />
Everything we've seen so far has been focused on producing a "pure" ELF binary, to<br />
avoid the compatibility issues that plagued early Linux sizecoding techniques involving self compilation or<br />
binary patching. However, there is a way to embed the ELF binary in a shell script to<br />
save some bytes without sacrificing compatibility.<br />
<br />
In method 1, we effectively moved the audio device handling out of the intro and put the<br />
responsibility of connecting the intro to the audio device in the hands of the user.<br />
This is obviously not ideal, and in method 2 we fixed this by opening the audio device<br />
using syscalls. Here, we will use a hybrid approach. Our intro will appear to the<br />
operating system as a shell script, which when executed will unpack the intro to /tmp<br />
and then execute it, piping the output to aplay.<br />
<br />
The following example of this approach assembles to a 101-byte file.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay",10<br />
org $00010000-($-$$)<br />
top:<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd top ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
inc ebx ; we will write to stdout (1)<br />
main:<br />
mov edx,esi ; copy time into edx<br />
pop ecx ; grab previous sample from stack<br />
; bytebeat formula<br />
and ecx,edx<br />
shr edx,5<br />
mov ebp,entry ; useless, skips part of ELF header<br />
xor ecx,edx<br />
shr edx,5<br />
or ecx,edx<br />
push ecx ; write next sample<br />
<br />
mov ecx,esp ; pointer to audio data (the top byte of the stack)<br />
mov al,4 ; write syscall<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
inc esi ; increment time<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
Note that this code will leave a file in /tmp after it exits, and will also write a bunch of garbage (the binary) to the screen when it exits.<br />
Not only is this not very clean, but you may not be allowed to leave files around after your intro exits in some compos.<br />
To fix this, we can use the following (slightly longer) shell loader:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay;rm $_;exit",10<br />
</syntaxhighlight><br />
<br />
Let's pick apart the shell loader. Remember that in bash, $_ is the last argument passed to the previous command,<br />
and $0 is the filename of the current executable.<br />
<br />
<syntaxhighlight lang=shell><br />
cp $0 /tmp # copy the intro to /tmp<br />
sed -i 1d $_/$0 # remove the first line from the copy with sed (aka remove the loader)<br />
$_|aplay # execute the intro<br />
rm $_ # remove the copy<br />
exit # (so that the binary data which follows doesn't get executed)<br />
</syntaxhighlight><br />
<br />
==== Combining audio and video ====<br />
<br />
Although this method is already saving a lot of bytes, we haven't even gotten to the best part yet.<br />
We can use the shell loader to also set up the framebuffer for us and make it very convenient to use, by using only 10 extra bytes!<br />
To do this, just modify the loader as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_<>/dev/fb0|aplay",10<br />
</syntaxhighlight><br />
<br />
With this loader, you can use pwrite64 or mmap directly on file descriptor 0 (stdin) to write to the screen, and write to file descriptor 1 (stdout) to play audio.<br />
Just be careful to get the timing right if you're doing both audio and video, as the audio writes are blocking.<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Coming soon...<br />
<br />
== Miscellaneous Techniques ==<br />
<br />
=== Limiting FPS ===<br />
<br />
The framebuffer device /dev/fb0 will allow you to write to it as quickly as your CPU can manage,<br />
so your intro can run at different speeds depending on the CPU speed. To correct this, you can use<br />
a timer to limit FPS. Beyond limiting the frame rate, using a timer is seemingly necessary if you<br />
want to have synchronized sound and graphics (but more research is needed).<br />
<br />
We will describe two approaches to setting up a timer. The first method uses the <tt>sys_timerfd_*</tt><br />
syscalls, which creates a file descriptor where reads block until the timer expires.<br />
The second uses the <tt>sys_timer_*</tt> syscalls, which send signals that can be caught by installing a signal handler.<br />
The first method is usually smaller.<br />
<br />
==== Method 1: timerfd ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assume this is placed at the beginning of the program (all registers zeroed)<br />
mov ax,0x142 ; timerfd_create<br />
int 0x80<br />
<br />
mov ax,0x145 ; timerfd_settime<br />
push ebx<br />
push 1000000000/50 ; 50 fps<br />
push ebx<br />
mov bl,3 ; file descriptor of timer (returned by timerfd_create)<br />
mov edx,esp<br />
int 0x80<br />
<br />
main:<br />
; assume eax < 256, ebx = 3, edx >= 8<br />
mov al,3<br />
mov ecx,esp<br />
int 0x80 ; block until next frame<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
==== Method 2: signal handler ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming this is at the beginning of the program (all registers zeroed)<br />
call callback ; set up signal handler initially<br />
<br />
; assume eax < 65536, ebx = 1<br />
mov ax,0x103 ; timer_create<br />
dec ebx<br />
push ebx<br />
push 1 ; SIGHUP<br />
push ebx<br />
mov ecx,esp<br />
mov edx,esp<br />
int 0x80<br />
<br />
mov ax,0x104 ; timer_settime<br />
push 1000000000/50 ; 50 fps<br />
push ebx<br />
mov edx,esp<br />
int 0x80<br />
<br />
jmp $ ; loop forever<br />
<br />
callback:<br />
; assume eax < 256, ebx = 0<br />
mov al,0x30 ; signal<br />
inc ebx<br />
mov ecx,callback<br />
int 0x80 ; (re)install signal handler<br />
ret<br />
</syntaxhighlight><br />
<br />
=== Allocating memory ===<br />
<br />
On many Linux distros, the stack size is limited to 8MB by default. If this is not enough for your intro,<br />
it is possible to increase this stack limit or to allocate memory in the data segment.<br />
<br />
To allocate space in the data segment, you can use the brk system call (0x2d).<br />
This call takes in a memory address and attempts to set the value of the current ''program break'' to that address,<br />
then returns the new address. The program break is the smallest memory address that is beyond the data segment.<br />
By default, the data segment is zero bytes long.<br />
Unfortunately, on modern systems, the default value of the program break is <br />
randomized, so you can't just simply call brk with the amount of memory you want.<br />
Instead, you have to call brk with an address of zero to get the current program break,<br />
then add the amount of memory you want and call brk with the new address.<br />
The following code does this in 15 bytes.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
mov al,0x2d<br />
int 0x80<br />
xchg eax,ebx<br />
add ebx,0x1000000 ; allocate 16MB<br />
mov al,0x2d<br />
int 0x80<br />
; eax now contains the address of the program break, i.e.,<br />
; you can use memory from eax-0x1000000 to eax-1 (inclusive)<br />
</syntaxhighlight><br />
<br />
To increase the stack size limit, you can use the setrlimit (0x4b) system call.<br />
The following 11-byte snippet will remove the stack size limit completely.<br />
Note that in some cases the user will not have permission to do this.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
dec ecx ; ecx = -1 aka set size to 'unlimited'<br />
push ecx<br />
push ecx<br />
mov bl,3 ; RLIMIT_STACK<br />
mov ecx,esp ; pointer to data for call<br />
mov al,0x4b ; setrlimit<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
=== Self modifying code ===<br />
With the tiny ELF header we've been using, the code segment is not writable, and unfortunately we need to sacrifice some bytes to make it so.<br />
So, in many cases it's better to avoid using self modifying code. But, if you want to try it out, there are two ways to go about it.<br />
In the ELF header, the p_flags field stores the access permissions of the code memory (1=execute, 2=write, 4=read).<br />
In the tiny header, p_flags overlaps with e_phoff, and e_phoff (the offset of the program header from the beginning of the file) needs to be 4.<br />
So, the only option for p_flags is read-only (turns out that the execute bit doesn't matter, and it will be executable anyways).<br />
To make the code writable, we have to change p_flags to 7 (6 and 3 also accomplish the same thing because some are implied by others).<br />
To do this we can either use a less overlapped header, or we can use the mprotect syscall to change<br />
the permissions.<br />
<br />
See here for examples of some headers that allow you to change p_flags: http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html<br />
<br />
The mprotect method is as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
mov eax,0x7d ; mprotect<br />
mov ebx,$$ ; start address to change permissions for<br />
mov ecx,0x1000 ; number of bytes to change<br />
mov edx,7 ; new permissions<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
=== Getting the screen size ===<br />
<br />
A lot of Linux intros have the screen resolution hard-coded, and some include many executables in the release, each for a different screen resolution. If you have enough space, you can easily get the screen resolution using the <tt>ioctl</tt> syscall.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,0x36 ; ioctl<br />
mov ebx,0 ; ***PUT THE FILE DESCRIPTOR FOR /dev/fb0 HERE***<br />
xor ecx,ecx<br />
mov ch,0x46 ; FBIOGET_VSCREENINFO<br />
mov edx,esp<br />
int 0x80<br />
pop eax ; eax = horizontal resolution in pixels<br />
pop ebx ; ebx = vertical resolution in pixels<br />
</syntaxhighlight><br />
<br />
For more information about what you can do with ioctl on the framebuffer, see here: https://www.kernel.org/doc/html/latest/fb/api.html<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=984Linux2021-12-27T21:11:57Z<p>Byteobserver: Add code for getting the screen resolution</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method (method 1) is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method (method 2) uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers. Method 3, which saves some bytes over method 2 (especially when combined with visuals), is to use a shell based loader script.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+8] ; get pointer to environ. this assumes only one dword has been popped so far,<br />
; and that there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3: shell loader ===<br />
<br />
Everything we've seen so far has been focused on producing a "pure" ELF binary, to<br />
avoid the compatibility issues that plagued early Linux sizecoding techniques involving self compilation or<br />
binary patching. However, there is a way to embed the ELF binary in a shell script to<br />
save some bytes without sacrificing compatibility.<br />
<br />
In method 1, we effectively moved the audio device handling out of the intro and put the<br />
responsibility of connecting the intro to the audio device in the hands of the user.<br />
This is obviously not ideal, and in method 2 we fixed this by opening the audio device<br />
using syscalls. Here, we will use a hybrid approach. Our intro will appear to the<br />
operating system as a shell script, which when executed will unpack the intro to /tmp<br />
and then execute it, piping the output to aplay.<br />
<br />
The following example of this approach assembles to a 101-byte file.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay",10<br />
org $00010000-($-$$)<br />
top:<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd top ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
inc ebx ; we will write to stdout (1)<br />
main:<br />
mov edx,esi ; copy time into edx<br />
pop ecx ; grab previous sample from stack<br />
; bytebeat formula<br />
and ecx,edx<br />
shr edx,5<br />
mov ebp,entry ; useless, skips part of ELF header<br />
xor ecx,edx<br />
shr edx,5<br />
or ecx,edx<br />
push ecx ; write next sample<br />
<br />
mov ecx,esp ; pointer to audio data (the top byte of the stack)<br />
mov al,4 ; write syscall<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
inc esi ; increment time<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
Note that this code will leave a file in /tmp after it exits, and will also write a bunch of garbage (the binary) to the screen when it exits.<br />
Not only is this not very clean, but you may not be allowed to leave files around after your intro exits in some compos.<br />
To fix this, we can use the following (slightly longer) shell loader:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay;rm $_;exit",10<br />
</syntaxhighlight><br />
<br />
Let's pick apart the shell loader. Remember that in bash, $_ is the last argument passed to the previous command,<br />
and $0 is the filename of the current executable.<br />
<br />
<syntaxhighlight lang=shell><br />
cp $0 /tmp # copy the intro to /tmp<br />
sed -i 1d $_/$0 # remove the first line from the copy with sed (aka remove the loader)<br />
$_|aplay # execute the intro<br />
rm $_ # remove the copy<br />
exit # (so that the binary data which follows doesn't get executed)<br />
</syntaxhighlight><br />
<br />
==== Combining audio and video ====<br />
<br />
Although this method is already saving a lot of bytes, we haven't even gotten to the best part yet.<br />
We can use the shell loader to also set up the framebuffer for us and make it very convenient to use, by using only 10 extra bytes!<br />
To do this, just modify the loader as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_<>/dev/fb0|aplay",10<br />
</syntaxhighlight><br />
<br />
With this loader, you can use pwrite64 or mmap directly on file descriptor 0 (stdin) to write to the screen, and write to file descriptor 1 (stdout) to play audio.<br />
Just be careful to get the timing right if you're doing both audio and video, as the audio writes are blocking.<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Coming soon...<br />
<br />
== Miscellaneous Techniques ==<br />
<br />
=== Limiting FPS ===<br />
<br />
The framebuffer device /dev/fb0 will allow you to write to it as quickly as your CPU can manage,<br />
so your intro can run at different speeds depending on the CPU speed. To correct this, you can use<br />
a timer to limit FPS. Beyond limiting the frame rate, using a timer is seemingly necessary if you<br />
want to have synchronized sound and graphics (but more research is needed).<br />
<br />
We will describe two approaches to setting up a timer. The first method uses the <tt>sys_timerfd_*</tt><br />
syscalls, which creates a file descriptor where reads block until the timer expires.<br />
The second uses the <tt>sys_timer_*</tt> syscalls, which send signals that can be caught by installing a signal handler.<br />
The first method is usually smaller.<br />
<br />
==== Method 1: timerfd ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assume this is placed at the beginning of the program (all registers zeroed)<br />
mov ax,0x142 ; timerfd_create<br />
int 0x80<br />
<br />
mov ax,0x145 ; timerfd_settime<br />
push ebx<br />
push 1000000000/50 ; 50 fps<br />
push ebx<br />
mov bl,3 ; file descriptor of timer (returned by timerfd_create)<br />
mov edx,esp<br />
int 0x80<br />
<br />
main:<br />
; assume eax < 256, ebx = 3, edx >= 8<br />
mov al,3<br />
mov ecx,esp<br />
int 0x80 ; block until next frame<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
==== Method 2: signal handler ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming this is at the beginning of the program (all registers zeroed)<br />
call callback ; set up signal handler initially<br />
<br />
; assume eax < 65536, ebx = 1<br />
mov ax,0x103 ; timer_create<br />
dec ebx<br />
push ebx<br />
push 1 ; SIGHUP<br />
push ebx<br />
mov ecx,esp<br />
mov edx,esp<br />
int 0x80<br />
<br />
mov ax,0x104 ; timer_settime<br />
push 1000000000/50 ; 50 fps<br />
push ebx<br />
mov edx,esp<br />
int 0x80<br />
<br />
jmp $ ; loop forever<br />
<br />
callback:<br />
; assume eax < 256, ebx = 0<br />
mov al,0x30 ; signal<br />
inc ebx<br />
mov ecx,callback<br />
int 0x80 ; (re)install signal handler<br />
ret<br />
</syntaxhighlight><br />
<br />
=== Allocating memory ===<br />
<br />
On many Linux distros, the stack size is limited to 8MB by default. If this is not enough for your intro,<br />
it is possible to increase this stack limit or to allocate memory in the data segment.<br />
<br />
To allocate space in the data segment, you can use the brk system call (0x2d).<br />
This call takes in a memory address and attempts to set the value of the current ''program break'' to that address,<br />
then returns the new address. The program break is the smallest memory address that is beyond the data segment.<br />
By default, the data segment is zero bytes long.<br />
Unfortunately, on modern systems, the default value of the program break is <br />
randomized, so you can't just simply call brk with the amount of memory you want.<br />
Instead, you have to call brk with an address of zero to get the current program break,<br />
then add the amount of memory you want and call brk with the new address.<br />
The following code does this in 15 bytes.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
mov al,0x2d<br />
int 0x80<br />
xchg eax,ebx<br />
add ebx,0x1000000 ; allocate 16MB<br />
mov al,0x2d<br />
int 0x80<br />
; eax now contains the address of the program break, i.e.,<br />
; you can use memory from eax-0x1000000 to eax-1 (inclusive)<br />
</syntaxhighlight><br />
<br />
To increase the stack size limit, you can use the setrlimit (0x4b) system call.<br />
The following 11-byte snippet will remove the stack size limit completely.<br />
Note that in some cases the user will not have permission to do this.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
dec ecx ; ecx = -1 aka set size to 'unlimited'<br />
push ecx<br />
push ecx<br />
mov bl,3 ; RLIMIT_STACK<br />
mov ecx,esp ; pointer to data for call<br />
mov al,0x4b ; setrlimit<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
=== Self modifying code ===<br />
With the tiny ELF header we've been using, the code segment is not writable, and unfortunately we need to sacrifice some bytes to make it so.<br />
So, in many cases it's better to avoid using self modifying code. But, if you want to try it out, there are two ways to go about it.<br />
In the ELF header, the p_flags field stores the access permissions of the code memory (1=execute, 2=write, 4=read).<br />
In the tiny header, p_flags overlaps with e_phoff, and e_phoff (the offset of the program header from the beginning of the file) needs to be 4.<br />
So, the only option for p_flags is read-only (turns out that the execute bit doesn't matter, and it will be executable anyways).<br />
To make the code writable, we have to change p_flags to 7 (6 and 3 also accomplish the same thing because some are implied by others).<br />
To do this we can either use a less overlapped header, or we can use the mprotect syscall to change<br />
the permissions.<br />
<br />
See here for examples of some headers that allow you to change p_flags: http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html<br />
<br />
The mprotect method is as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
mov eax,0x7d ; mprotect<br />
mov ebx,$$ ; start address to change permissions for<br />
mov ecx,0x1000 ; number of bytes to change<br />
mov edx,7 ; new permissions<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
=== Getting the screen size ===<br />
<br />
A lot of Linux intros have the screen resolution hard-coded, and some include many executables in the release, each for a different screen resolution. If you have enough space, you can easily get the screen resolution using the <tt>ioctl</tt> syscall.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,0x36 ; ioctl<br />
mov ebx,0 ; ***PUT THE FILE DESCRIPTOR FOR /dev/fb0 HERE***<br />
xor ecx,ecx<br />
mov ch,0x46 ; FBIOGET_FSCREENINFO<br />
mov edx,esp<br />
int 0x80<br />
pop eax ; eax = horizontal resolution in pixels<br />
pop ebx ; ebx = vertical resolution in pixels<br />
</syntaxhighlight><br />
<br />
For more information about what you can do with ioctl on the framebuffer, see here: https://www.kernel.org/doc/html/latest/fb/api.html<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=973Linux2021-12-04T02:28:46Z<p>Byteobserver: /* Combining audio and video */</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method (method 1) is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method (method 2) uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers. Method 3, which saves some bytes over method 2 (especially when combined with visuals), is to use a shell based loader script.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+8] ; get pointer to environ. this assumes only one dword has been popped so far,<br />
; and that there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3: shell loader ===<br />
<br />
Everything we've seen so far has been focused on producing a "pure" ELF binary, to<br />
avoid the compatibility issues that plagued early Linux sizecoding techniques involving self compilation or<br />
binary patching. However, there is a way to embed the ELF binary in a shell script to<br />
save some bytes without sacrificing compatibility.<br />
<br />
In method 1, we effectively moved the audio device handling out of the intro and put the<br />
responsibility of connecting the intro to the audio device in the hands of the user.<br />
This is obviously not ideal, and in method 2 we fixed this by opening the audio device<br />
using syscalls. Here, we will use a hybrid approach. Our intro will appear to the<br />
operating system as a shell script, which when executed will unpack the intro to /tmp<br />
and then execute it, piping the output to aplay.<br />
<br />
The following example of this approach assembles to a 101-byte file.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay",10<br />
org $00010000-($-$$)<br />
top:<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd top ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
inc ebx ; we will write to stdout (1)<br />
main:<br />
mov edx,esi ; copy time into edx<br />
pop ecx ; grab previous sample from stack<br />
; bytebeat formula<br />
and ecx,edx<br />
shr edx,5<br />
mov ebp,entry ; useless, skips part of ELF header<br />
xor ecx,edx<br />
shr edx,5<br />
or ecx,edx<br />
push ecx ; write next sample<br />
<br />
mov ecx,esp ; pointer to audio data (the top byte of the stack)<br />
mov al,4 ; write syscall<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
inc esi ; increment time<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
Note that this code will leave a file in /tmp after it exits, and will also write a bunch of garbage (the binary) to the screen when it exits.<br />
Not only is this not very clean, but you may not be allowed to leave files around after your intro exits in some compos.<br />
To fix this, we can use the following (slightly longer) shell loader:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay;rm $_;exit",10<br />
</syntaxhighlight><br />
<br />
Let's pick apart the shell loader. Remember that in bash, $_ is the last argument passed to the previous command,<br />
and $0 is the filename of the current executable.<br />
<br />
<syntaxhighlight lang=shell><br />
cp $0 /tmp # copy the intro to /tmp<br />
sed -i 1d $_/$0 # remove the first line from the copy with sed (aka remove the loader)<br />
$_|aplay # execute the intro<br />
rm $_ # remove the copy<br />
exit # (so that the binary data which follows doesn't get executed)<br />
</syntaxhighlight><br />
<br />
==== Combining audio and video ====<br />
<br />
Although this method is already saving a lot of bytes, we haven't even gotten to the best part yet.<br />
We can use the shell loader to also set up the framebuffer for us and make it very convenient to use, by using only 10 extra bytes!<br />
To do this, just modify the loader as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_<>/dev/fb0|aplay",10<br />
</syntaxhighlight><br />
<br />
With this loader, you can use pwrite64 or mmap directly on file descriptor 0 (stdin) to write to the screen, and write to file descriptor 1 (stdout) to play audio.<br />
Just be careful to get the timing right if you're doing both audio and video, as the audio writes are blocking.<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Coming soon...<br />
<br />
== Miscellaneous Techniques ==<br />
<br />
=== Limiting FPS ===<br />
<br />
The framebuffer device /dev/fb0 will allow you to write to it as quickly as your CPU can manage,<br />
so your intro can run at different speeds depending on the CPU speed. To correct this, you can use<br />
a timer to limit FPS. Beyond limiting the frame rate, using a timer is seemingly necessary if you<br />
want to have synchronized sound and graphics (but more research is needed).<br />
<br />
We will describe two approaches to setting up a timer. The first method uses the <tt>sys_timerfd_*</tt><br />
syscalls, which creates a file descriptor where reads block until the timer expires.<br />
The second uses the <tt>sys_timer_*</tt> syscalls, which send signals that can be caught by installing a signal handler.<br />
The first method is usually smaller.<br />
<br />
==== Method 1: timerfd ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assume this is placed at the beginning of the program (all registers zeroed)<br />
mov ax,0x142 ; timerfd_create<br />
int 0x80<br />
<br />
mov ax,0x145 ; timerfd_settime<br />
push ebx<br />
push 1000000000/50 ; 50 fps<br />
push ebx<br />
mov bl,3 ; file descriptor of timer (returned by timerfd_create)<br />
mov edx,esp<br />
int 0x80<br />
<br />
main:<br />
; assume eax < 256, ebx = 3, edx >= 8<br />
mov al,3<br />
mov ecx,esp<br />
int 0x80 ; block until next frame<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
==== Method 2: signal handler ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming this is at the beginning of the program (all registers zeroed)<br />
call callback ; set up signal handler initially<br />
<br />
; assume eax < 65536, ebx = 1<br />
mov ax,0x103 ; timer_create<br />
dec ebx<br />
push ebx<br />
push 1 ; SIGHUP<br />
push ebx<br />
mov ecx,esp<br />
mov edx,esp<br />
int 0x80<br />
<br />
mov ax,0x104 ; timer_settime<br />
push 1000000000/50 ; 50 fps<br />
push ebx<br />
mov edx,esp<br />
int 0x80<br />
<br />
jmp $ ; loop forever<br />
<br />
callback:<br />
; assume eax < 256, ebx = 0<br />
mov al,0x30 ; signal<br />
inc ebx<br />
mov ecx,callback<br />
int 0x80 ; (re)install signal handler<br />
ret<br />
</syntaxhighlight><br />
<br />
=== Allocating memory ===<br />
<br />
On many Linux distros, the stack size is limited to 8MB by default. If this is not enough for your intro,<br />
it is possible to increase this stack limit or to allocate memory in the data segment.<br />
<br />
To allocate space in the data segment, you can use the brk system call (0x2d).<br />
This call takes in a memory address and attempts to set the value of the current ''program break'' to that address,<br />
then returns the new address. The program break is the smallest memory address that is beyond the data segment.<br />
By default, the data segment is zero bytes long.<br />
Unfortunately, on modern systems, the default value of the program break is <br />
randomized, so you can't just simply call brk with the amount of memory you want.<br />
Instead, you have to call brk with an address of zero to get the current program break,<br />
then add the amount of memory you want and call brk with the new address.<br />
The following code does this in 15 bytes.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
mov al,0x2d<br />
int 0x80<br />
xchg eax,ebx<br />
add ebx,0x1000000 ; allocate 16MB<br />
mov al,0x2d<br />
int 0x80<br />
; eax now contains the address of the program break, i.e.,<br />
; you can use memory from eax-0x1000000 to eax-1 (inclusive)<br />
</syntaxhighlight><br />
<br />
To increase the stack size limit, you can use the setrlimit (0x4b) system call.<br />
The following 11-byte snippet will remove the stack size limit completely.<br />
Note that in some cases the user will not have permission to do this.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
dec ecx ; ecx = -1 aka set size to 'unlimited'<br />
push ecx<br />
push ecx<br />
mov bl,3 ; RLIMIT_STACK<br />
mov ecx,esp ; pointer to data for call<br />
mov al,0x4b ; setrlimit<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
=== Self modifying code ===<br />
With the tiny ELF header we've been using, the code segment is not writable, and unfortunately we need to sacrifice some bytes to make it so.<br />
So, in many cases it's better to avoid using self modifying code. But, if you want to try it out, there are two ways to go about it.<br />
In the ELF header, the p_flags field stores the access permissions of the code memory (1=execute, 2=write, 4=read).<br />
In the tiny header, p_flags overlaps with e_phoff, and e_phoff (the offset of the program header from the beginning of the file) needs to be 4.<br />
So, the only option for p_flags is read-only (turns out that the execute bit doesn't matter, and it will be executable anyways).<br />
To make the code writable, we have to change p_flags to 7 (6 and 3 also accomplish the same thing because some are implied by others).<br />
To do this we can either use a less overlapped header, or we can use the mprotect syscall to change<br />
the permissions.<br />
<br />
See here for examples of some headers that allow you to change p_flags: http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html<br />
<br />
The mprotect method is as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
mov eax,0x7d ; mprotect<br />
mov ebx,$$ ; start address to change permissions for<br />
mov ecx,0x1000 ; number of bytes to change<br />
mov edx,7 ; new permissions<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=972Linux2021-12-04T02:28:04Z<p>Byteobserver: /* Method 3: shell loader */</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method (method 1) is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method (method 2) uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers. Method 3, which saves some bytes over method 2 (especially when combined with visuals), is to use a shell based loader script.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+8] ; get pointer to environ. this assumes only one dword has been popped so far,<br />
; and that there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3: shell loader ===<br />
<br />
Everything we've seen so far has been focused on producing a "pure" ELF binary, to<br />
avoid the compatibility issues that plagued early Linux sizecoding techniques involving self compilation or<br />
binary patching. However, there is a way to embed the ELF binary in a shell script to<br />
save some bytes without sacrificing compatibility.<br />
<br />
In method 1, we effectively moved the audio device handling out of the intro and put the<br />
responsibility of connecting the intro to the audio device in the hands of the user.<br />
This is obviously not ideal, and in method 2 we fixed this by opening the audio device<br />
using syscalls. Here, we will use a hybrid approach. Our intro will appear to the<br />
operating system as a shell script, which when executed will unpack the intro to /tmp<br />
and then execute it, piping the output to aplay.<br />
<br />
The following example of this approach assembles to a 101-byte file.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay",10<br />
org $00010000-($-$$)<br />
top:<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd top ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
inc ebx ; we will write to stdout (1)<br />
main:<br />
mov edx,esi ; copy time into edx<br />
pop ecx ; grab previous sample from stack<br />
; bytebeat formula<br />
and ecx,edx<br />
shr edx,5<br />
mov ebp,entry ; useless, skips part of ELF header<br />
xor ecx,edx<br />
shr edx,5<br />
or ecx,edx<br />
push ecx ; write next sample<br />
<br />
mov ecx,esp ; pointer to audio data (the top byte of the stack)<br />
mov al,4 ; write syscall<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
inc esi ; increment time<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
Note that this code will leave a file in /tmp after it exits, and will also write a bunch of garbage (the binary) to the screen when it exits.<br />
Not only is this not very clean, but you may not be allowed to leave files around after your intro exits in some compos.<br />
To fix this, we can use the following (slightly longer) shell loader:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay;rm $_;exit",10<br />
</syntaxhighlight><br />
<br />
Let's pick apart the shell loader. Remember that in bash, $_ is the last argument passed to the previous command,<br />
and $0 is the filename of the current executable.<br />
<br />
<syntaxhighlight lang=shell><br />
cp $0 /tmp # copy the intro to /tmp<br />
sed -i 1d $_/$0 # remove the first line from the copy with sed (aka remove the loader)<br />
$_|aplay # execute the intro<br />
rm $_ # remove the copy<br />
exit # (so that the binary data which follows doesn't get executed)<br />
</syntaxhighlight><br />
<br />
==== Combining audio and video ====<br />
<br />
Although this method is already saving a lot of bytes, we haven't even gotten to the best part yet.<br />
We can use the shell loader to also set up the framebuffer for us and make it very convenient to use, by using only 11 extra bytes!<br />
To do this, just modify the loader as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_<>/dev/fb0|aplay",10<br />
</syntaxhighlight><br />
<br />
With this loader, you can use pwrite64 or mmap directly on file descriptor 0 (stdin) to write to the screen, and write to file descriptor 1 (stdout) to play audio.<br />
Just be careful to get the timing right if you're doing both audio and video, as the audio writes are blocking.<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Coming soon...<br />
<br />
== Miscellaneous Techniques ==<br />
<br />
=== Limiting FPS ===<br />
<br />
The framebuffer device /dev/fb0 will allow you to write to it as quickly as your CPU can manage,<br />
so your intro can run at different speeds depending on the CPU speed. To correct this, you can use<br />
a timer to limit FPS. Beyond limiting the frame rate, using a timer is seemingly necessary if you<br />
want to have synchronized sound and graphics (but more research is needed).<br />
<br />
We will describe two approaches to setting up a timer. The first method uses the <tt>sys_timerfd_*</tt><br />
syscalls, which creates a file descriptor where reads block until the timer expires.<br />
The second uses the <tt>sys_timer_*</tt> syscalls, which send signals that can be caught by installing a signal handler.<br />
The first method is usually smaller.<br />
<br />
==== Method 1: timerfd ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assume this is placed at the beginning of the program (all registers zeroed)<br />
mov ax,0x142 ; timerfd_create<br />
int 0x80<br />
<br />
mov ax,0x145 ; timerfd_settime<br />
push ebx<br />
push 1000000000/50 ; 50 fps<br />
push ebx<br />
mov bl,3 ; file descriptor of timer (returned by timerfd_create)<br />
mov edx,esp<br />
int 0x80<br />
<br />
main:<br />
; assume eax < 256, ebx = 3, edx >= 8<br />
mov al,3<br />
mov ecx,esp<br />
int 0x80 ; block until next frame<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
==== Method 2: signal handler ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming this is at the beginning of the program (all registers zeroed)<br />
call callback ; set up signal handler initially<br />
<br />
; assume eax < 65536, ebx = 1<br />
mov ax,0x103 ; timer_create<br />
dec ebx<br />
push ebx<br />
push 1 ; SIGHUP<br />
push ebx<br />
mov ecx,esp<br />
mov edx,esp<br />
int 0x80<br />
<br />
mov ax,0x104 ; timer_settime<br />
push 1000000000/50 ; 50 fps<br />
push ebx<br />
mov edx,esp<br />
int 0x80<br />
<br />
jmp $ ; loop forever<br />
<br />
callback:<br />
; assume eax < 256, ebx = 0<br />
mov al,0x30 ; signal<br />
inc ebx<br />
mov ecx,callback<br />
int 0x80 ; (re)install signal handler<br />
ret<br />
</syntaxhighlight><br />
<br />
=== Allocating memory ===<br />
<br />
On many Linux distros, the stack size is limited to 8MB by default. If this is not enough for your intro,<br />
it is possible to increase this stack limit or to allocate memory in the data segment.<br />
<br />
To allocate space in the data segment, you can use the brk system call (0x2d).<br />
This call takes in a memory address and attempts to set the value of the current ''program break'' to that address,<br />
then returns the new address. The program break is the smallest memory address that is beyond the data segment.<br />
By default, the data segment is zero bytes long.<br />
Unfortunately, on modern systems, the default value of the program break is <br />
randomized, so you can't just simply call brk with the amount of memory you want.<br />
Instead, you have to call brk with an address of zero to get the current program break,<br />
then add the amount of memory you want and call brk with the new address.<br />
The following code does this in 15 bytes.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
mov al,0x2d<br />
int 0x80<br />
xchg eax,ebx<br />
add ebx,0x1000000 ; allocate 16MB<br />
mov al,0x2d<br />
int 0x80<br />
; eax now contains the address of the program break, i.e.,<br />
; you can use memory from eax-0x1000000 to eax-1 (inclusive)<br />
</syntaxhighlight><br />
<br />
To increase the stack size limit, you can use the setrlimit (0x4b) system call.<br />
The following 11-byte snippet will remove the stack size limit completely.<br />
Note that in some cases the user will not have permission to do this.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
dec ecx ; ecx = -1 aka set size to 'unlimited'<br />
push ecx<br />
push ecx<br />
mov bl,3 ; RLIMIT_STACK<br />
mov ecx,esp ; pointer to data for call<br />
mov al,0x4b ; setrlimit<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
=== Self modifying code ===<br />
With the tiny ELF header we've been using, the code segment is not writable, and unfortunately we need to sacrifice some bytes to make it so.<br />
So, in many cases it's better to avoid using self modifying code. But, if you want to try it out, there are two ways to go about it.<br />
In the ELF header, the p_flags field stores the access permissions of the code memory (1=execute, 2=write, 4=read).<br />
In the tiny header, p_flags overlaps with e_phoff, and e_phoff (the offset of the program header from the beginning of the file) needs to be 4.<br />
So, the only option for p_flags is read-only (turns out that the execute bit doesn't matter, and it will be executable anyways).<br />
To make the code writable, we have to change p_flags to 7 (6 and 3 also accomplish the same thing because some are implied by others).<br />
To do this we can either use a less overlapped header, or we can use the mprotect syscall to change<br />
the permissions.<br />
<br />
See here for examples of some headers that allow you to change p_flags: http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html<br />
<br />
The mprotect method is as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
mov eax,0x7d ; mprotect<br />
mov ebx,$$ ; start address to change permissions for<br />
mov ecx,0x1000 ; number of bytes to change<br />
mov edx,7 ; new permissions<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=971Linux2021-12-03T23:35:27Z<p>Byteobserver: /* Miscellaneous Techniques */ add self modifying code section</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method (method 1) is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method (method 2) uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers. Method 3, which saves some bytes over method 2 (especially when combined with visuals), is to use a shell based loader script.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+8] ; get pointer to environ. this assumes only one dword has been popped so far,<br />
; and that there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3: shell loader ===<br />
<br />
Everything we've seen so far has been focused on producing a "pure" ELF binary, to<br />
avoid the compatibility issues that plagued early Linux sizecoding techniques involving self compilation or<br />
binary patching. However, there is a way to embed the ELF binary in a shell script to<br />
save some bytes without sacrificing compatibility.<br />
<br />
In method 1, we effectively moved the audio device handling out of the intro and put the<br />
responsibility of connecting the intro to the audio device in the hands of the user.<br />
This is obviously not ideal, and in method 2 we fixed this by opening the audio device<br />
using syscalls. Here, we will use a hybrid approach. Our intro will appear to the<br />
operating system as a shell script, which when executed will unpack the intro to /tmp<br />
and then execute it, piping the output to aplay.<br />
<br />
The following example of this approach assembles to a 101-byte file.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay",10<br />
org $00010000-($-$$)<br />
top:<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd top ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
inc ebx ; we will write to stdout (1)<br />
main:<br />
mov edx,esi ; copy time into edx<br />
pop ecx ; grab previous sample from stack<br />
; bytebeat formula<br />
and ecx,edx<br />
shr edx,5<br />
mov ebp,entry ; useless, skips part of ELF header<br />
xor ecx,edx<br />
shr edx,5<br />
or ecx,edx<br />
push ecx ; write next sample<br />
<br />
mov ecx,esp ; pointer to audio data (the top byte of the stack)<br />
mov al,4 ; write syscall<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
inc esi ; increment time<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
Note that this code will leave a file in /tmp after it exits, and will also write a bunch of garbage (the binary) to the screen when it exits.<br />
Not only is this not very clean, but you may not be allowed to leave files around after your intro exits in some compos.<br />
To fix this, we can use the following (slightly longer) shell loader:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay;rm $_;exit",10<br />
</syntaxhighlight><br />
<br />
Let's pick apart the shell loader. Remember that in bash, $_ is the last argument passed to the previous command,<br />
and $0 is the filename of the current executable.<br />
<br />
<syntaxhighlight lang=shell><br />
cp $0 /tmp # copy the intro to /tmp<br />
sed -i 1d $_/$0 # remove the first line from the copy with sed (aka remove the loader)<br />
$_|aplay # execute the intro<br />
rm $_ # remove the copy<br />
exit # (so that the binary data which follows doesn't get executed)<br />
</syntaxhighlight><br />
<br />
==== Combining audio and video ====<br />
<br />
Although this method is already saving a lot of bytes, we haven't even gotten to the best part yet.<br />
We can use the shell loader to also set up the framebuffer for us and make it very convenient to use, by using only 11 extra bytes!<br />
To do this, just modify the loader as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_ 0>/dev/fb0|aplay",10<br />
</syntaxhighlight><br />
<br />
With this loader, you can use pwrite64 directly on file descriptor 0 (stdin) to write to the screen, and write to file descriptor 1 (stdout) to play audio.<br />
Just be careful to get the timing right if you're doing both audio and video, as the audio writes are blocking.<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Coming soon...<br />
<br />
== Miscellaneous Techniques ==<br />
<br />
=== Limiting FPS ===<br />
<br />
The framebuffer device /dev/fb0 will allow you to write to it as quickly as your CPU can manage,<br />
so your intro can run at different speeds depending on the CPU speed. To correct this, you can use<br />
a timer to limit FPS. Beyond limiting the frame rate, using a timer is seemingly necessary if you<br />
want to have synchronized sound and graphics (but more research is needed).<br />
<br />
We will describe two approaches to setting up a timer. The first method uses the <tt>sys_timerfd_*</tt><br />
syscalls, which creates a file descriptor where reads block until the timer expires.<br />
The second uses the <tt>sys_timer_*</tt> syscalls, which send signals that can be caught by installing a signal handler.<br />
The first method is usually smaller.<br />
<br />
==== Method 1: timerfd ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assume this is placed at the beginning of the program (all registers zeroed)<br />
mov ax,0x142 ; timerfd_create<br />
int 0x80<br />
<br />
mov ax,0x145 ; timerfd_settime<br />
push ebx<br />
push 1000000000/50 ; 50 fps<br />
push ebx<br />
mov bl,3 ; file descriptor of timer (returned by timerfd_create)<br />
mov edx,esp<br />
int 0x80<br />
<br />
main:<br />
; assume eax < 256, ebx = 3, edx >= 8<br />
mov al,3<br />
mov ecx,esp<br />
int 0x80 ; block until next frame<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
==== Method 2: signal handler ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming this is at the beginning of the program (all registers zeroed)<br />
call callback ; set up signal handler initially<br />
<br />
; assume eax < 65536, ebx = 1<br />
mov ax,0x103 ; timer_create<br />
dec ebx<br />
push ebx<br />
push 1 ; SIGHUP<br />
push ebx<br />
mov ecx,esp<br />
mov edx,esp<br />
int 0x80<br />
<br />
mov ax,0x104 ; timer_settime<br />
push 1000000000/50 ; 50 fps<br />
push ebx<br />
mov edx,esp<br />
int 0x80<br />
<br />
jmp $ ; loop forever<br />
<br />
callback:<br />
; assume eax < 256, ebx = 0<br />
mov al,0x30 ; signal<br />
inc ebx<br />
mov ecx,callback<br />
int 0x80 ; (re)install signal handler<br />
ret<br />
</syntaxhighlight><br />
<br />
=== Allocating memory ===<br />
<br />
On many Linux distros, the stack size is limited to 8MB by default. If this is not enough for your intro,<br />
it is possible to increase this stack limit or to allocate memory in the data segment.<br />
<br />
To allocate space in the data segment, you can use the brk system call (0x2d).<br />
This call takes in a memory address and attempts to set the value of the current ''program break'' to that address,<br />
then returns the new address. The program break is the smallest memory address that is beyond the data segment.<br />
By default, the data segment is zero bytes long.<br />
Unfortunately, on modern systems, the default value of the program break is <br />
randomized, so you can't just simply call brk with the amount of memory you want.<br />
Instead, you have to call brk with an address of zero to get the current program break,<br />
then add the amount of memory you want and call brk with the new address.<br />
The following code does this in 15 bytes.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
mov al,0x2d<br />
int 0x80<br />
xchg eax,ebx<br />
add ebx,0x1000000 ; allocate 16MB<br />
mov al,0x2d<br />
int 0x80<br />
; eax now contains the address of the program break, i.e.,<br />
; you can use memory from eax-0x1000000 to eax-1 (inclusive)<br />
</syntaxhighlight><br />
<br />
To increase the stack size limit, you can use the setrlimit (0x4b) system call.<br />
The following 11-byte snippet will remove the stack size limit completely.<br />
Note that in some cases the user will not have permission to do this.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
dec ecx ; ecx = -1 aka set size to 'unlimited'<br />
push ecx<br />
push ecx<br />
mov bl,3 ; RLIMIT_STACK<br />
mov ecx,esp ; pointer to data for call<br />
mov al,0x4b ; setrlimit<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
=== Self modifying code ===<br />
With the tiny ELF header we've been using, the code segment is not writable, and unfortunately we need to sacrifice some bytes to make it so.<br />
So, in many cases it's better to avoid using self modifying code. But, if you want to try it out, there are two ways to go about it.<br />
In the ELF header, the p_flags field stores the access permissions of the code memory (1=execute, 2=write, 4=read).<br />
In the tiny header, p_flags overlaps with e_phoff, and e_phoff (the offset of the program header from the beginning of the file) needs to be 4.<br />
So, the only option for p_flags is read-only (turns out that the execute bit doesn't matter, and it will be executable anyways).<br />
To make the code writable, we have to change p_flags to 7 (6 and 3 also accomplish the same thing because some are implied by others).<br />
To do this we can either use a less overlapped header, or we can use the mprotect syscall to change<br />
the permissions.<br />
<br />
See here for examples of some headers that allow you to change p_flags: http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html<br />
<br />
The mprotect method is as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
mov eax,0x7d ; mprotect<br />
mov ebx,$$ ; start address to change permissions for<br />
mov ecx,0x1000 ; number of bytes to change<br />
mov edx,7 ; new permissions<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=970Linux2021-12-03T23:13:19Z<p>Byteobserver: /* Limiting FPS */</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method (method 1) is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method (method 2) uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers. Method 3, which saves some bytes over method 2 (especially when combined with visuals), is to use a shell based loader script.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+8] ; get pointer to environ. this assumes only one dword has been popped so far,<br />
; and that there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3: shell loader ===<br />
<br />
Everything we've seen so far has been focused on producing a "pure" ELF binary, to<br />
avoid the compatibility issues that plagued early Linux sizecoding techniques involving self compilation or<br />
binary patching. However, there is a way to embed the ELF binary in a shell script to<br />
save some bytes without sacrificing compatibility.<br />
<br />
In method 1, we effectively moved the audio device handling out of the intro and put the<br />
responsibility of connecting the intro to the audio device in the hands of the user.<br />
This is obviously not ideal, and in method 2 we fixed this by opening the audio device<br />
using syscalls. Here, we will use a hybrid approach. Our intro will appear to the<br />
operating system as a shell script, which when executed will unpack the intro to /tmp<br />
and then execute it, piping the output to aplay.<br />
<br />
The following example of this approach assembles to a 101-byte file.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay",10<br />
org $00010000-($-$$)<br />
top:<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd top ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
inc ebx ; we will write to stdout (1)<br />
main:<br />
mov edx,esi ; copy time into edx<br />
pop ecx ; grab previous sample from stack<br />
; bytebeat formula<br />
and ecx,edx<br />
shr edx,5<br />
mov ebp,entry ; useless, skips part of ELF header<br />
xor ecx,edx<br />
shr edx,5<br />
or ecx,edx<br />
push ecx ; write next sample<br />
<br />
mov ecx,esp ; pointer to audio data (the top byte of the stack)<br />
mov al,4 ; write syscall<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
inc esi ; increment time<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
Note that this code will leave a file in /tmp after it exits, and will also write a bunch of garbage (the binary) to the screen when it exits.<br />
Not only is this not very clean, but you may not be allowed to leave files around after your intro exits in some compos.<br />
To fix this, we can use the following (slightly longer) shell loader:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay;rm $_;exit",10<br />
</syntaxhighlight><br />
<br />
Let's pick apart the shell loader. Remember that in bash, $_ is the last argument passed to the previous command,<br />
and $0 is the filename of the current executable.<br />
<br />
<syntaxhighlight lang=shell><br />
cp $0 /tmp # copy the intro to /tmp<br />
sed -i 1d $_/$0 # remove the first line from the copy with sed (aka remove the loader)<br />
$_|aplay # execute the intro<br />
rm $_ # remove the copy<br />
exit # (so that the binary data which follows doesn't get executed)<br />
</syntaxhighlight><br />
<br />
==== Combining audio and video ====<br />
<br />
Although this method is already saving a lot of bytes, we haven't even gotten to the best part yet.<br />
We can use the shell loader to also set up the framebuffer for us and make it very convenient to use, by using only 11 extra bytes!<br />
To do this, just modify the loader as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_ 0>/dev/fb0|aplay",10<br />
</syntaxhighlight><br />
<br />
With this loader, you can use pwrite64 directly on file descriptor 0 (stdin) to write to the screen, and write to file descriptor 1 (stdout) to play audio.<br />
Just be careful to get the timing right if you're doing both audio and video, as the audio writes are blocking.<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Coming soon...<br />
<br />
== Miscellaneous Techniques ==<br />
<br />
=== Limiting FPS ===<br />
<br />
The framebuffer device /dev/fb0 will allow you to write to it as quickly as your CPU can manage,<br />
so your intro can run at different speeds depending on the CPU speed. To correct this, you can use<br />
a timer to limit FPS. Beyond limiting the frame rate, using a timer is seemingly necessary if you<br />
want to have synchronized sound and graphics (but more research is needed).<br />
<br />
We will describe two approaches to setting up a timer. The first method uses the <tt>sys_timerfd_*</tt><br />
syscalls, which creates a file descriptor where reads block until the timer expires.<br />
The second uses the <tt>sys_timer_*</tt> syscalls, which send signals that can be caught by installing a signal handler.<br />
The first method is usually smaller.<br />
<br />
==== Method 1: timerfd ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assume this is placed at the beginning of the program (all registers zeroed)<br />
mov ax,0x142 ; timerfd_create<br />
int 0x80<br />
<br />
mov ax,0x145 ; timerfd_settime<br />
push ebx<br />
push 1000000000/50 ; 50 fps<br />
push ebx<br />
mov bl,3 ; file descriptor of timer (returned by timerfd_create)<br />
mov edx,esp<br />
int 0x80<br />
<br />
main:<br />
; assume eax < 256, ebx = 3, edx >= 8<br />
mov al,3<br />
mov ecx,esp<br />
int 0x80 ; block until next frame<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
==== Method 2: signal handler ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming this is at the beginning of the program (all registers zeroed)<br />
call callback ; set up signal handler initially<br />
<br />
; assume eax < 65536, ebx = 1<br />
mov ax,0x103 ; timer_create<br />
dec ebx<br />
push ebx<br />
push 1 ; SIGHUP<br />
push ebx<br />
mov ecx,esp<br />
mov edx,esp<br />
int 0x80<br />
<br />
mov ax,0x104 ; timer_settime<br />
push 1000000000/50 ; 50 fps<br />
push ebx<br />
mov edx,esp<br />
int 0x80<br />
<br />
jmp $ ; loop forever<br />
<br />
callback:<br />
; assume eax < 256, ebx = 0<br />
mov al,0x30 ; signal<br />
inc ebx<br />
mov ecx,callback<br />
int 0x80 ; (re)install signal handler<br />
ret<br />
</syntaxhighlight><br />
<br />
=== Allocating memory ===<br />
<br />
On many Linux distros, the stack size is limited to 8MB by default. If this is not enough for your intro,<br />
it is possible to increase this stack limit or to allocate memory in the data segment.<br />
<br />
To allocate space in the data segment, you can use the brk system call (0x2d).<br />
This call takes in a memory address and attempts to set the value of the current ''program break'' to that address,<br />
then returns the new address. The program break is the smallest memory address that is beyond the data segment.<br />
By default, the data segment is zero bytes long.<br />
Unfortunately, on modern systems, the default value of the program break is <br />
randomized, so you can't just simply call brk with the amount of memory you want.<br />
Instead, you have to call brk with an address of zero to get the current program break,<br />
then add the amount of memory you want and call brk with the new address.<br />
The following code does this in 15 bytes.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
mov al,0x2d<br />
int 0x80<br />
xchg eax,ebx<br />
add ebx,0x1000000 ; allocate 16MB<br />
mov al,0x2d<br />
int 0x80<br />
; eax now contains the address of the program break, i.e.,<br />
; you can use memory from eax-0x1000000 to eax-1 (inclusive)<br />
</syntaxhighlight><br />
<br />
To increase the stack size limit, you can use the setrlimit (0x4b) system call.<br />
The following 11-byte snippet will remove the stack size limit completely.<br />
Note that in some cases the user will not have permission to do this.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
dec ecx ; ecx = -1 aka set size to 'unlimited'<br />
push ecx<br />
push ecx<br />
mov bl,3 ; RLIMIT_STACK<br />
mov ecx,esp ; pointer to data for call<br />
mov al,0x4b ; setrlimit<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=969Linux2021-12-03T18:44:15Z<p>Byteobserver: Add section about limiting fps</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method (method 1) is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method (method 2) uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers. Method 3, which saves some bytes over method 2 (especially when combined with visuals), is to use a shell based loader script.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+8] ; get pointer to environ. this assumes only one dword has been popped so far,<br />
; and that there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3: shell loader ===<br />
<br />
Everything we've seen so far has been focused on producing a "pure" ELF binary, to<br />
avoid the compatibility issues that plagued early Linux sizecoding techniques involving self compilation or<br />
binary patching. However, there is a way to embed the ELF binary in a shell script to<br />
save some bytes without sacrificing compatibility.<br />
<br />
In method 1, we effectively moved the audio device handling out of the intro and put the<br />
responsibility of connecting the intro to the audio device in the hands of the user.<br />
This is obviously not ideal, and in method 2 we fixed this by opening the audio device<br />
using syscalls. Here, we will use a hybrid approach. Our intro will appear to the<br />
operating system as a shell script, which when executed will unpack the intro to /tmp<br />
and then execute it, piping the output to aplay.<br />
<br />
The following example of this approach assembles to a 101-byte file.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay",10<br />
org $00010000-($-$$)<br />
top:<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd top ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
inc ebx ; we will write to stdout (1)<br />
main:<br />
mov edx,esi ; copy time into edx<br />
pop ecx ; grab previous sample from stack<br />
; bytebeat formula<br />
and ecx,edx<br />
shr edx,5<br />
mov ebp,entry ; useless, skips part of ELF header<br />
xor ecx,edx<br />
shr edx,5<br />
or ecx,edx<br />
push ecx ; write next sample<br />
<br />
mov ecx,esp ; pointer to audio data (the top byte of the stack)<br />
mov al,4 ; write syscall<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
inc esi ; increment time<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
Note that this code will leave a file in /tmp after it exits, and will also write a bunch of garbage (the binary) to the screen when it exits.<br />
Not only is this not very clean, but you may not be allowed to leave files around after your intro exits in some compos.<br />
To fix this, we can use the following (slightly longer) shell loader:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay;rm $_;exit",10<br />
</syntaxhighlight><br />
<br />
Let's pick apart the shell loader. Remember that in bash, $_ is the last argument passed to the previous command,<br />
and $0 is the filename of the current executable.<br />
<br />
<syntaxhighlight lang=shell><br />
cp $0 /tmp # copy the intro to /tmp<br />
sed -i 1d $_/$0 # remove the first line from the copy with sed (aka remove the loader)<br />
$_|aplay # execute the intro<br />
rm $_ # remove the copy<br />
exit # (so that the binary data which follows doesn't get executed)<br />
</syntaxhighlight><br />
<br />
==== Combining audio and video ====<br />
<br />
Although this method is already saving a lot of bytes, we haven't even gotten to the best part yet.<br />
We can use the shell loader to also set up the framebuffer for us and make it very convenient to use, by using only 11 extra bytes!<br />
To do this, just modify the loader as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_ 0>/dev/fb0|aplay",10<br />
</syntaxhighlight><br />
<br />
With this loader, you can use pwrite64 directly on file descriptor 0 (stdin) to write to the screen, and write to file descriptor 1 (stdout) to play audio.<br />
Just be careful to get the timing right if you're doing both audio and video, as the audio writes are blocking.<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Coming soon...<br />
<br />
== Miscellaneous Techniques ==<br />
<br />
=== Limiting FPS ===<br />
<br />
The framebuffer device /dev/fb0 will allow you to write to it as quickly as your CPU can manage,<br />
so your intro can run at different speeds depending on the CPU speed. To correct this, you can use<br />
a timer to limit FPS. Beyond limiting the frame rate, using a timer is seemingly necessary if you<br />
want to have synchronized sound and graphics (but more research is needed).<br />
<br />
We will describe two approaches to setting up a timer. The first method uses the <tt>sys_timerfd_*</tt><br />
syscalls, which creates a file descriptor where reads block until the timer expires.<br />
The second uses the <tt>sys_timer_*</tt> syscalls, which send signals that can be caught by installing a signal handler.<br />
The first method is usually smaller.<br />
<br />
==== Method 1: timerfd ====<br />
<br />
<syntaxhighlight lang=nasm><br />
; assume this is placed at the beginning of the program<br />
mov ax,0x142 ; timerfd_create<br />
int 0x80<br />
<br />
mov ax,0x145 ; timerfd_settime<br />
push ebx<br />
push 1000000000/50 ; 50 fps<br />
push ebx<br />
mov bl,3 ; file descriptor of timer (returned by timerfd_create)<br />
mov edx,esp<br />
int 0x80<br />
<br />
main:<br />
mov al,3<br />
mov ecx,esp<br />
int 0x80 ; block until next frame<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
==== Method 2: signal handler ====<br />
<br />
TODO<br />
<br />
=== Allocating memory ===<br />
<br />
On many Linux distros, the stack size is limited to 8MB by default. If this is not enough for your intro,<br />
it is possible to increase this stack limit or to allocate memory in the data segment.<br />
<br />
To allocate space in the data segment, you can use the brk system call (0x2d).<br />
This call takes in a memory address and attempts to set the value of the current ''program break'' to that address,<br />
then returns the new address. The program break is the smallest memory address that is beyond the data segment.<br />
By default, the data segment is zero bytes long.<br />
Unfortunately, on modern systems, the default value of the program break is <br />
randomized, so you can't just simply call brk with the amount of memory you want.<br />
Instead, you have to call brk with an address of zero to get the current program break,<br />
then add the amount of memory you want and call brk with the new address.<br />
The following code does this in 15 bytes.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
mov al,0x2d<br />
int 0x80<br />
xchg eax,ebx<br />
add ebx,0x1000000 ; allocate 16MB<br />
mov al,0x2d<br />
int 0x80<br />
; eax now contains the address of the program break, i.e.,<br />
; you can use memory from eax-0x1000000 to eax-1 (inclusive)<br />
</syntaxhighlight><br />
<br />
To increase the stack size limit, you can use the setrlimit (0x4b) system call.<br />
The following 11-byte snippet will remove the stack size limit completely.<br />
Note that in some cases the user will not have permission to do this.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
dec ecx ; ecx = -1 aka set size to 'unlimited'<br />
push ecx<br />
push ecx<br />
mov bl,3 ; RLIMIT_STACK<br />
mov ecx,esp ; pointer to data for call<br />
mov al,0x4b ; setrlimit<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=968Linux2021-12-01T16:27:28Z<p>Byteobserver: /* Allocating memory */</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method (method 1) is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method (method 2) uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers. Method 3, which saves some bytes over method 2 (especially when combined with visuals), is to use a shell based loader script.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+8] ; get pointer to environ. this assumes only one dword has been popped so far,<br />
; and that there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3: shell loader ===<br />
<br />
Everything we've seen so far has been focused on producing a "pure" ELF binary, to<br />
avoid the compatibility issues that plagued early Linux sizecoding techniques involving self compilation or<br />
binary patching. However, there is a way to embed the ELF binary in a shell script to<br />
save some bytes without sacrificing compatibility.<br />
<br />
In method 1, we effectively moved the audio device handling out of the intro and put the<br />
responsibility of connecting the intro to the audio device in the hands of the user.<br />
This is obviously not ideal, and in method 2 we fixed this by opening the audio device<br />
using syscalls. Here, we will use a hybrid approach. Our intro will appear to the<br />
operating system as a shell script, which when executed will unpack the intro to /tmp<br />
and then execute it, piping the output to aplay.<br />
<br />
The following example of this approach assembles to a 101-byte file.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay",10<br />
org $00010000-($-$$)<br />
top:<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd top ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
inc ebx ; we will write to stdout (1)<br />
main:<br />
mov edx,esi ; copy time into edx<br />
pop ecx ; grab previous sample from stack<br />
; bytebeat formula<br />
and ecx,edx<br />
shr edx,5<br />
mov ebp,entry ; useless, skips part of ELF header<br />
xor ecx,edx<br />
shr edx,5<br />
or ecx,edx<br />
push ecx ; write next sample<br />
<br />
mov ecx,esp ; pointer to audio data (the top byte of the stack)<br />
mov al,4 ; write syscall<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
inc esi ; increment time<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
Note that this code will leave a file in /tmp after it exits, and will also write a bunch of garbage (the binary) to the screen when it exits.<br />
Not only is this not very clean, but you may not be allowed to leave files around after your intro exits in some compos.<br />
To fix this, we can use the following (slightly longer) shell loader:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay;rm $_;exit",10<br />
</syntaxhighlight><br />
<br />
Let's pick apart the shell loader. Remember that in bash, $_ is the last argument passed to the previous command,<br />
and $0 is the filename of the current executable.<br />
<br />
<syntaxhighlight lang=shell><br />
cp $0 /tmp # copy the intro to /tmp<br />
sed -i 1d $_/$0 # remove the first line from the copy with sed (aka remove the loader)<br />
$_|aplay # execute the intro<br />
rm $_ # remove the copy<br />
exit # (so that the binary data which follows doesn't get executed)<br />
</syntaxhighlight><br />
<br />
==== Combining audio and video ====<br />
<br />
Although this method is already saving a lot of bytes, we haven't even gotten to the best part yet.<br />
We can use the shell loader to also set up the framebuffer for us and make it very convenient to use, by using only 11 extra bytes!<br />
To do this, just modify the loader as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_ 0>/dev/fb0|aplay",10<br />
</syntaxhighlight><br />
<br />
With this loader, you can use pwrite64 directly on file descriptor 0 (stdin) to write to the screen, and write to file descriptor 1 (stdout) to play audio.<br />
Just be careful to get the timing right if you're doing both audio and video, as the audio writes are blocking.<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Coming soon...<br />
<br />
== Miscellaneous Tricks ==<br />
<br />
=== Allocating memory ===<br />
<br />
On many Linux distros, the stack size is limited to 8MB by default. If this is not enough for your intro,<br />
it is possible to increase this stack limit or to allocate memory in the data segment.<br />
<br />
To allocate space in the data segment, you can use the brk system call (0x2d).<br />
This call takes in a memory address and attempts to set the value of the current ''program break'' to that address,<br />
then returns the new address. The program break is the smallest memory address that is beyond the data segment.<br />
By default, the data segment is zero bytes long.<br />
Unfortunately, on modern systems, the default value of the program break is <br />
randomized, so you can't just simply call brk with the amount of memory you want.<br />
Instead, you have to call brk with an address of zero to get the current program break,<br />
then add the amount of memory you want and call brk with the new address.<br />
The following code does this in 15 bytes.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
mov al,0x2d<br />
int 0x80<br />
xchg eax,ebx<br />
add ebx,0x1000000 ; allocate 16MB<br />
mov al,0x2d<br />
int 0x80<br />
; eax now contains the address of the program break, i.e.,<br />
; you can use memory from eax-0x1000000 to eax-1 (inclusive)<br />
</syntaxhighlight><br />
<br />
To increase the stack size limit, you can use the setrlimit (0x4b) system call.<br />
The following 11-byte snippet will remove the stack size limit completely.<br />
Note that in some cases the user will not have permission to do this.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
dec ecx ; ecx = -1 aka set size to 'unlimited'<br />
push ecx<br />
push ecx<br />
mov bl,3 ; RLIMIT_STACK<br />
mov ecx,esp ; pointer to data for call<br />
mov al,0x4b ; setrlimit<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=967Linux2021-12-01T16:26:24Z<p>Byteobserver: /* Allocating memory */</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method (method 1) is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method (method 2) uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers. Method 3, which saves some bytes over method 2 (especially when combined with visuals), is to use a shell based loader script.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+8] ; get pointer to environ. this assumes only one dword has been popped so far,<br />
; and that there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3: shell loader ===<br />
<br />
Everything we've seen so far has been focused on producing a "pure" ELF binary, to<br />
avoid the compatibility issues that plagued early Linux sizecoding techniques involving self compilation or<br />
binary patching. However, there is a way to embed the ELF binary in a shell script to<br />
save some bytes without sacrificing compatibility.<br />
<br />
In method 1, we effectively moved the audio device handling out of the intro and put the<br />
responsibility of connecting the intro to the audio device in the hands of the user.<br />
This is obviously not ideal, and in method 2 we fixed this by opening the audio device<br />
using syscalls. Here, we will use a hybrid approach. Our intro will appear to the<br />
operating system as a shell script, which when executed will unpack the intro to /tmp<br />
and then execute it, piping the output to aplay.<br />
<br />
The following example of this approach assembles to a 101-byte file.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay",10<br />
org $00010000-($-$$)<br />
top:<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd top ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
inc ebx ; we will write to stdout (1)<br />
main:<br />
mov edx,esi ; copy time into edx<br />
pop ecx ; grab previous sample from stack<br />
; bytebeat formula<br />
and ecx,edx<br />
shr edx,5<br />
mov ebp,entry ; useless, skips part of ELF header<br />
xor ecx,edx<br />
shr edx,5<br />
or ecx,edx<br />
push ecx ; write next sample<br />
<br />
mov ecx,esp ; pointer to audio data (the top byte of the stack)<br />
mov al,4 ; write syscall<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
inc esi ; increment time<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
Note that this code will leave a file in /tmp after it exits, and will also write a bunch of garbage (the binary) to the screen when it exits.<br />
Not only is this not very clean, but you may not be allowed to leave files around after your intro exits in some compos.<br />
To fix this, we can use the following (slightly longer) shell loader:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay;rm $_;exit",10<br />
</syntaxhighlight><br />
<br />
Let's pick apart the shell loader. Remember that in bash, $_ is the last argument passed to the previous command,<br />
and $0 is the filename of the current executable.<br />
<br />
<syntaxhighlight lang=shell><br />
cp $0 /tmp # copy the intro to /tmp<br />
sed -i 1d $_/$0 # remove the first line from the copy with sed (aka remove the loader)<br />
$_|aplay # execute the intro<br />
rm $_ # remove the copy<br />
exit # (so that the binary data which follows doesn't get executed)<br />
</syntaxhighlight><br />
<br />
==== Combining audio and video ====<br />
<br />
Although this method is already saving a lot of bytes, we haven't even gotten to the best part yet.<br />
We can use the shell loader to also set up the framebuffer for us and make it very convenient to use, by using only 11 extra bytes!<br />
To do this, just modify the loader as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_ 0>/dev/fb0|aplay",10<br />
</syntaxhighlight><br />
<br />
With this loader, you can use pwrite64 directly on file descriptor 0 (stdin) to write to the screen, and write to file descriptor 1 (stdout) to play audio.<br />
Just be careful to get the timing right if you're doing both audio and video, as the audio writes are blocking.<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Coming soon...<br />
<br />
== Miscellaneous Tricks ==<br />
<br />
=== Allocating memory ===<br />
<br />
On many Linux distros, the stack size is limited to 8MB by default. If this is not enough for your intro,<br />
it is possible to increase this stack limit or to allocate memory in the data segment.<br />
<br />
To allocate space in the data segment, you can use the brk system call (0x2d).<br />
This call takes in a memory address and attempts to set the value of the current ''program break'' to that address,<br />
then returns the new address. The program break is the smallest memory address that is beyond the data segment.<br />
By default, the data segment is zero bytes long.<br />
Unfortunately, on modern systems, the default value of the program break is <br />
randomized, so you can't just simply call brk with the amount of memory you want.<br />
Instead, you have to call brk with an address of zero to get the current program break,<br />
then add the amount of memory you want and call brk with the new address.<br />
The following code does this in 17 bytes.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
mov al,0x2d<br />
int 0x80<br />
xchg eax,ebx<br />
add ebx,0x1000000 ; allocate 16MB<br />
mov al,0x2d<br />
int 0x80<br />
; eax now contains the address of the program break, i.e.,<br />
; you can use memory from eax-0x1000000 to eax-1 (inclusive)<br />
</syntaxhighlight><br />
<br />
To increase the stack size limit, you can use the setrlimit (0x4b) system call.<br />
The following 11-byte snippet will remove the stack size limit completely.<br />
Note that in some cases the user will not have permission to do this.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
dec ecx ; ecx = -1 aka set size to 'unlimited'<br />
push ecx<br />
push ecx<br />
mov bl,3 ; RLIMIT_STACK<br />
mov ecx,esp ; pointer to data for call<br />
mov al,0x4b ; setrlimit<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=966Linux2021-12-01T16:25:43Z<p>Byteobserver: /* Allocating memory */</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method (method 1) is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method (method 2) uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers. Method 3, which saves some bytes over method 2 (especially when combined with visuals), is to use a shell based loader script.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+8] ; get pointer to environ. this assumes only one dword has been popped so far,<br />
; and that there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3: shell loader ===<br />
<br />
Everything we've seen so far has been focused on producing a "pure" ELF binary, to<br />
avoid the compatibility issues that plagued early Linux sizecoding techniques involving self compilation or<br />
binary patching. However, there is a way to embed the ELF binary in a shell script to<br />
save some bytes without sacrificing compatibility.<br />
<br />
In method 1, we effectively moved the audio device handling out of the intro and put the<br />
responsibility of connecting the intro to the audio device in the hands of the user.<br />
This is obviously not ideal, and in method 2 we fixed this by opening the audio device<br />
using syscalls. Here, we will use a hybrid approach. Our intro will appear to the<br />
operating system as a shell script, which when executed will unpack the intro to /tmp<br />
and then execute it, piping the output to aplay.<br />
<br />
The following example of this approach assembles to a 101-byte file.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay",10<br />
org $00010000-($-$$)<br />
top:<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd top ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
inc ebx ; we will write to stdout (1)<br />
main:<br />
mov edx,esi ; copy time into edx<br />
pop ecx ; grab previous sample from stack<br />
; bytebeat formula<br />
and ecx,edx<br />
shr edx,5<br />
mov ebp,entry ; useless, skips part of ELF header<br />
xor ecx,edx<br />
shr edx,5<br />
or ecx,edx<br />
push ecx ; write next sample<br />
<br />
mov ecx,esp ; pointer to audio data (the top byte of the stack)<br />
mov al,4 ; write syscall<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
inc esi ; increment time<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
Note that this code will leave a file in /tmp after it exits, and will also write a bunch of garbage (the binary) to the screen when it exits.<br />
Not only is this not very clean, but you may not be allowed to leave files around after your intro exits in some compos.<br />
To fix this, we can use the following (slightly longer) shell loader:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay;rm $_;exit",10<br />
</syntaxhighlight><br />
<br />
Let's pick apart the shell loader. Remember that in bash, $_ is the last argument passed to the previous command,<br />
and $0 is the filename of the current executable.<br />
<br />
<syntaxhighlight lang=shell><br />
cp $0 /tmp # copy the intro to /tmp<br />
sed -i 1d $_/$0 # remove the first line from the copy with sed (aka remove the loader)<br />
$_|aplay # execute the intro<br />
rm $_ # remove the copy<br />
exit # (so that the binary data which follows doesn't get executed)<br />
</syntaxhighlight><br />
<br />
==== Combining audio and video ====<br />
<br />
Although this method is already saving a lot of bytes, we haven't even gotten to the best part yet.<br />
We can use the shell loader to also set up the framebuffer for us and make it very convenient to use, by using only 11 extra bytes!<br />
To do this, just modify the loader as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_ 0>/dev/fb0|aplay",10<br />
</syntaxhighlight><br />
<br />
With this loader, you can use pwrite64 directly on file descriptor 0 (stdin) to write to the screen, and write to file descriptor 1 (stdout) to play audio.<br />
Just be careful to get the timing right if you're doing both audio and video, as the audio writes are blocking.<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Coming soon...<br />
<br />
== Miscellaneous Tricks ==<br />
<br />
=== Allocating memory ===<br />
<br />
On many Linux distros, the stack size is limited to 8MB by default. If this is not enough for your intro,<br />
it is possible to increase this stack limit or to allocate memory in the data segment.<br />
<br />
To allocate space in the data segment, you can use the brk system call (0x2d).<br />
This call takes in a memory address and attempts to set the value of the current ''program break'' to that address,<br />
then returns the new address. The program break is the smallest memory address that is beyond the data segment.<br />
By default, the data segment is zero bytes long.<br />
Unfortunately, on modern systems, the default value of the program break is <br />
randomized, so you can't just simply call brk with the amount of memory you want.<br />
Instead, you have to call break with an address of zero to get the current program break,<br />
then add the amount of memory you want and call brk with the new address.<br />
The following code does this in 17 bytes.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
mov al,0x2d<br />
int 0x80<br />
xchg eax,ebx<br />
add ebx,0x1000000 ; allocate 16MB<br />
mov al,0x2d<br />
int 0x80<br />
; eax now contains the address of the program break, i.e.,<br />
; you can use memory from eax-0x1000000 to eax-1 (inclusive)<br />
</syntaxhighlight><br />
<br />
To increase the stack size limit, you can use the setrlimit (0x4b) system call.<br />
The following 11-byte snippet will remove the stack size limit completely.<br />
Note that in some cases the user will not have permission to do this.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
dec ecx ; ecx = -1 aka set size to 'unlimited'<br />
push ecx<br />
push ecx<br />
mov bl,3 ; RLIMIT_STACK<br />
mov ecx,esp ; pointer to data for call<br />
mov al,0x4b ; setrlimit<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=965Linux2021-12-01T16:25:02Z<p>Byteobserver: Add section about allocating memory</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method (method 1) is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method (method 2) uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers. Method 3, which saves some bytes over method 2 (especially when combined with visuals), is to use a shell based loader script.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+8] ; get pointer to environ. this assumes only one dword has been popped so far,<br />
; and that there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3: shell loader ===<br />
<br />
Everything we've seen so far has been focused on producing a "pure" ELF binary, to<br />
avoid the compatibility issues that plagued early Linux sizecoding techniques involving self compilation or<br />
binary patching. However, there is a way to embed the ELF binary in a shell script to<br />
save some bytes without sacrificing compatibility.<br />
<br />
In method 1, we effectively moved the audio device handling out of the intro and put the<br />
responsibility of connecting the intro to the audio device in the hands of the user.<br />
This is obviously not ideal, and in method 2 we fixed this by opening the audio device<br />
using syscalls. Here, we will use a hybrid approach. Our intro will appear to the<br />
operating system as a shell script, which when executed will unpack the intro to /tmp<br />
and then execute it, piping the output to aplay.<br />
<br />
The following example of this approach assembles to a 101-byte file.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay",10<br />
org $00010000-($-$$)<br />
top:<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd top ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
inc ebx ; we will write to stdout (1)<br />
main:<br />
mov edx,esi ; copy time into edx<br />
pop ecx ; grab previous sample from stack<br />
; bytebeat formula<br />
and ecx,edx<br />
shr edx,5<br />
mov ebp,entry ; useless, skips part of ELF header<br />
xor ecx,edx<br />
shr edx,5<br />
or ecx,edx<br />
push ecx ; write next sample<br />
<br />
mov ecx,esp ; pointer to audio data (the top byte of the stack)<br />
mov al,4 ; write syscall<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
inc esi ; increment time<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
Note that this code will leave a file in /tmp after it exits, and will also write a bunch of garbage (the binary) to the screen when it exits.<br />
Not only is this not very clean, but you may not be allowed to leave files around after your intro exits in some compos.<br />
To fix this, we can use the following (slightly longer) shell loader:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay;rm $_;exit",10<br />
</syntaxhighlight><br />
<br />
Let's pick apart the shell loader. Remember that in bash, $_ is the last argument passed to the previous command,<br />
and $0 is the filename of the current executable.<br />
<br />
<syntaxhighlight lang=shell><br />
cp $0 /tmp # copy the intro to /tmp<br />
sed -i 1d $_/$0 # remove the first line from the copy with sed (aka remove the loader)<br />
$_|aplay # execute the intro<br />
rm $_ # remove the copy<br />
exit # (so that the binary data which follows doesn't get executed)<br />
</syntaxhighlight><br />
<br />
==== Combining audio and video ====<br />
<br />
Although this method is already saving a lot of bytes, we haven't even gotten to the best part yet.<br />
We can use the shell loader to also set up the framebuffer for us and make it very convenient to use, by using only 11 extra bytes!<br />
To do this, just modify the loader as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_ 0>/dev/fb0|aplay",10<br />
</syntaxhighlight><br />
<br />
With this loader, you can use pwrite64 directly on file descriptor 0 (stdin) to write to the screen, and write to file descriptor 1 (stdout) to play audio.<br />
Just be careful to get the timing right if you're doing both audio and video, as the audio writes are blocking.<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Coming soon...<br />
<br />
== Miscellaneous Tricks ==<br />
<br />
=== Allocating memory ===<br />
<br />
On many Linux distros, the stack size is limited to 8MB by default. If this is not enough for your intro,<br />
it is possible to increase this stack limit to to allocate memory in the data segment.<br />
<br />
To allocate space in the data segment, you can use the brk system call (0x2d).<br />
This call takes in a memory address and attempts to set the value of the current ''program break'' to that address,<br />
then returns the new address. The program break is the smallest memory address that is beyond the data segment.<br />
By default, the data segment is zero bytes long.<br />
Unfortunately, on modern systems, the default value of the program break is <br />
randomized, so you can't just simply call brk with the amount of memory you want.<br />
Instead, you have to call break with an address of zero to get the current program break,<br />
then add the amount of memory you want and call brk with the new address.<br />
The following code does this in 17 bytes.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
mov al,0x2d<br />
int 0x80<br />
xchg eax,ebx<br />
add ebx,0x1000000 ; allocate 16MB<br />
mov al,0x2d<br />
int 0x80<br />
; eax now contains the address of the program break, i.e.,<br />
; you can use memory from eax-0x1000000 to eax-1 (inclusive)<br />
</syntaxhighlight><br />
<br />
To increase the stack size limit, you can use the setrlimit (0x4b) system call.<br />
The following 11-byte snippet will remove the stack size limit completely.<br />
Note that in some cases the user will not have permission to do this.<br />
<br />
<syntaxhighlight lang=nasm><br />
; assuming all registers are zeroed, e.g., this is at the beginning of the program<br />
dec ecx ; ecx = -1 aka set size to 'unlimited'<br />
push ecx<br />
push ecx<br />
mov bl,3 ; RLIMIT_STACK<br />
mov ecx,esp ; pointer to data for call<br />
mov al,0x4b ; setrlimit<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=964Linux2021-11-30T16:40:12Z<p>Byteobserver: /* Method 3: shell loader */ fix syntax highlighting</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method (method 1) is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method (method 2) uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers. Method 3, which saves some bytes over method 2 (especially when combined with visuals), is to use a shell based loader script.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+8] ; get pointer to environ. this assumes only one dword has been popped so far,<br />
; and that there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3: shell loader ===<br />
<br />
Everything we've seen so far has been focused on producing a "pure" ELF binary, to<br />
avoid the compatibility issues that plagued early Linux sizecoding techniques involving self compilation or<br />
binary patching. However, there is a way to embed the ELF binary in a shell script to<br />
save some bytes without sacrificing compatibility.<br />
<br />
In method 1, we effectively moved the audio device handling out of the intro and put the<br />
responsibility of connecting the intro to the audio device in the hands of the user.<br />
This is obviously not ideal, and in method 2 we fixed this by opening the audio device<br />
using syscalls. Here, we will use a hybrid approach. Our intro will appear to the<br />
operating system as a shell script, which when executed will unpack the intro to /tmp<br />
and then execute it, piping the output to aplay.<br />
<br />
The following example of this approach assembles to a 101-byte file.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay",10<br />
org $00010000-($-$$)<br />
top:<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd top ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
inc ebx ; we will write to stdout (1)<br />
main:<br />
mov edx,esi ; copy time into edx<br />
pop ecx ; grab previous sample from stack<br />
; bytebeat formula<br />
and ecx,edx<br />
shr edx,5<br />
mov ebp,entry ; useless, skips part of ELF header<br />
xor ecx,edx<br />
shr edx,5<br />
or ecx,edx<br />
push ecx ; write next sample<br />
<br />
mov ecx,esp ; pointer to audio data (the top byte of the stack)<br />
mov al,4 ; write syscall<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
inc esi ; increment time<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
Note that this code will leave a file in /tmp after it exits, and will also write a bunch of garbage (the binary) to the screen when it exits.<br />
Not only is this not very clean, but you may not be allowed to leave files around after your intro exits in some compos.<br />
To fix this, we can use the following (slightly longer) shell loader:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay;rm $_;exit",10<br />
</syntaxhighlight><br />
<br />
Let's pick apart the shell loader. Remember that in bash, $_ is the last argument passed to the previous command,<br />
and $0 is the filename of the current executable.<br />
<br />
<syntaxhighlight lang=shell><br />
cp $0 /tmp # copy the intro to /tmp<br />
sed -i 1d $_/$0 # remove the first line from the copy with sed (aka remove the loader)<br />
$_|aplay # execute the intro<br />
rm $_ # remove the copy<br />
exit # (so that the binary data which follows doesn't get executed)<br />
</syntaxhighlight><br />
<br />
==== Combining audio and video ====<br />
<br />
Although this method is already saving a lot of bytes, we haven't even gotten to the best part yet.<br />
We can use the shell loader to also set up the framebuffer for us and make it very convenient to use, by using only 11 extra bytes!<br />
To do this, just modify the loader as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_ 0>/dev/fb0|aplay",10<br />
</syntaxhighlight><br />
<br />
With this loader, you can use pwrite64 directly on file descriptor 0 (stdin) to write to the screen, and write to file descriptor 1 (stdout) to play audio.<br />
Just be careful to get the timing right if you're doing both audio and video, as the audio writes are blocking.<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Coming soon...<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=963Linux2021-11-30T05:50:00Z<p>Byteobserver: /* Adding Sound */</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method (method 1) is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method (method 2) uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers. Method 3, which saves some bytes over method 2 (especially when combined with visuals), is to use a shell based loader script.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+8] ; get pointer to environ. this assumes only one dword has been popped so far,<br />
; and that there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3: shell loader ===<br />
<br />
Everything we've seen so far has been focused on producing a "pure" ELF binary, to<br />
avoid the compatibility issues that plagued early Linux sizecoding techniques involving self compilation or<br />
binary patching. However, there is a way to embed the ELF binary in a shell script to<br />
save some bytes without sacrificing compatibility.<br />
<br />
In method 1, we effectively moved the audio device handling out of the intro and put the<br />
responsibility of connecting the intro to the audio device in the hands of the user.<br />
This is obviously not ideal, and in method 2 we fixed this by opening the audio device<br />
using syscalls. Here, we will use a hybrid approach. Our intro will appear to the<br />
operating system as a shell script, which when executed will unpack the intro to /tmp<br />
and then execute it, piping the output to aplay.<br />
<br />
The following example of this approach assembles to a 101-byte file.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay",10<br />
org $00010000-($-$$)<br />
top:<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd top ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
inc ebx ; we will write to stdout (1)<br />
main:<br />
mov edx,esi ; copy time into edx<br />
pop ecx ; grab previous sample from stack<br />
; bytebeat formula<br />
and ecx,edx<br />
shr edx,5<br />
mov ebp,entry ; useless, skips part of ELF header<br />
xor ecx,edx<br />
shr edx,5<br />
or ecx,edx<br />
push ecx ; write next sample<br />
<br />
mov ecx,esp ; pointer to audio data (the top byte of the stack)<br />
mov al,4 ; write syscall<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
inc esi ; increment time<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
Note that this code will leave a file in /tmp after it exits, and will also write a bunch of garbage (the binary) to the screen when it exits.<br />
Not only is this not very clean, but you may not be allowed to leave files around after your intro exits in some compos.<br />
To fix this, we can use the following (slightly longer) shell loader:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay;rm $_;exit",10<br />
</syntaxhighlight><br />
<br />
Let's pick apart the shell loader. Remember that in bash, $_ is the last argument passed to the previous command,<br />
and $0 is the filename of the current executable.<br />
<br />
<syntaxhighlight><br />
cp $0 /tmp # copy the intro to /tmp<br />
sed -i 1d $_/$0 # remove the first line from the copy with sed (aka remove the loader)<br />
$_|aplay # execute the intro<br />
rm $_ # remove the copy<br />
exit # (so that the binary data which follows doesn't get executed)<br />
</syntaxhighlight><br />
<br />
==== Combining audio and video ====<br />
<br />
Although this method is already saving a lot of bytes, we haven't even gotten to the best part yet.<br />
We can use the shell loader to also set up the framebuffer for us and make it very convenient to use, by using only 11 extra bytes!<br />
To do this, just modify the loader as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_ 0>/dev/fb0|aplay",10<br />
</syntaxhighlight><br />
<br />
With this loader, you can use pwrite64 directly on file descriptor 0 (stdin) to write to the screen, and write to file descriptor 1 (stdout) to play audio.<br />
Just be careful to get the timing right if you're doing both audio and video, as the audio writes are blocking.<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Coming soon...<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=962Linux2021-11-30T04:24:09Z<p>Byteobserver: /* Method 3: shell loader */</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+8] ; get pointer to environ. this assumes only one dword has been popped so far,<br />
; and that there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3: shell loader ===<br />
<br />
Everything we've seen so far has been focused on producing a "pure" ELF binary, to<br />
avoid the compatibility issues that plagued early Linux sizecoding techniques involving self compilation or<br />
binary patching. However, there is a way to embed the ELF binary in a shell script to<br />
save some bytes without sacrificing compatibility.<br />
<br />
In method 1, we effectively moved the audio device handling out of the intro and put the<br />
responsibility of connecting the intro to the audio device in the hands of the user.<br />
This is obviously not ideal, and in method 2 we fixed this by opening the audio device<br />
using syscalls. Here, we will use a hybrid approach. Our intro will appear to the<br />
operating system as a shell script, which when executed will unpack the intro to /tmp<br />
and then execute it, piping the output to aplay.<br />
<br />
The following example of this approach assembles to a 101-byte file.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay",10<br />
org $00010000-($-$$)<br />
top:<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd top ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
inc ebx ; we will write to stdout (1)<br />
main:<br />
mov edx,esi ; copy time into edx<br />
pop ecx ; grab previous sample from stack<br />
; bytebeat formula<br />
and ecx,edx<br />
shr edx,5<br />
mov ebp,entry ; useless, skips part of ELF header<br />
xor ecx,edx<br />
shr edx,5<br />
or ecx,edx<br />
push ecx ; write next sample<br />
<br />
mov ecx,esp ; pointer to audio data (the top byte of the stack)<br />
mov al,4 ; write syscall<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
inc esi ; increment time<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
Note that this code will leave a file in /tmp after it exits, and will also write a bunch of garbage (the binary) to the screen when it exits.<br />
Not only is this not very clean, but you may not be allowed to leave files around after your intro exits in some compos.<br />
To fix this, we can use the following (slightly longer) shell loader:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay;rm $_;exit",10<br />
</syntaxhighlight><br />
<br />
Let's pick apart the shell loader. Remember that in bash, $_ is the last argument passed to the previous command,<br />
and $0 is the filename of the current executable.<br />
<br />
<syntaxhighlight><br />
cp $0 /tmp # copy the intro to /tmp<br />
sed -i 1d $_/$0 # remove the first line from the copy with sed (aka remove the loader)<br />
$_|aplay # execute the intro<br />
rm $_ # remove the copy<br />
exit # (so that the binary data which follows doesn't get executed)<br />
</syntaxhighlight><br />
<br />
==== Combining audio and video ====<br />
<br />
Although this method is already saving a lot of bytes, we haven't even gotten to the best part yet.<br />
We can use the shell loader to also set up the framebuffer for us and make it very convenient to use, by using only 11 extra bytes!<br />
To do this, just modify the loader as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_ 0>/dev/fb0|aplay",10<br />
</syntaxhighlight><br />
<br />
With this loader, you can use pwrite64 directly on file descriptor 0 (stdin) to write to the screen, and write to file descriptor 1 (stdout) to play audio.<br />
Just be careful to get the timing right if you're doing both audio and video, as the audio writes are blocking.<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Coming soon...<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=961Linux2021-11-30T04:22:20Z<p>Byteobserver: /* Method 3: shell loader */</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+8] ; get pointer to environ. this assumes only one dword has been popped so far,<br />
; and that there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3: shell loader ===<br />
<br />
Everything we've seen so far has been focused on producing a "pure" ELF binary, to<br />
avoid the compatibility issues that plagued early Linux sizecoding techniques involving self compilation or<br />
binary patching. However, there is a way to embed the ELF binary in a shell script to<br />
save some bytes without sacrificing compatibility.<br />
<br />
In method 1, we effectively moved the audio device handling out of the intro and put the<br />
responsibility of connecting the intro to the audio device in the hands of the user.<br />
This is obviously not ideal, and in method 2 we fixed this by opening the audio device<br />
using syscalls. Here, we will use a hybrid approach. Our intro will appear to the<br />
operating system as a shell script, which when executed will unpack the intro to /tmp<br />
and then execute it, piping the output to aplay.<br />
<br />
The following example of this approach assembles to a 101-byte file.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay",10<br />
org $00010000-($-$$)<br />
top:<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd top ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
inc ebx ; we will write to stdout (1)<br />
main:<br />
mov edx,esi ; copy time into edx<br />
pop ecx ; grab previous sample from stack<br />
; bytebeat formula<br />
and ecx,edx<br />
shr edx,5<br />
mov ebp,entry ; useless, skips part of ELF header<br />
xor ecx,edx<br />
shr edx,5<br />
or ecx,edx<br />
push ecx ; write next sample<br />
<br />
mov ecx,esp ; pointer to audio data (the top byte of the stack)<br />
mov al,4 ; write syscall<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
inc esi ; increment time<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
Note that this code will leave a file in /tmp after it exits, and will also write a bunch of garbage (the binary) to the screen when it exits.<br />
Not only is this not very clean, but you may not be allowed to leave files around after your intro exits in some compos.<br />
To fix this, we can use the following (slightly longer) shell loader:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay;rm $_;exit",10<br />
</syntaxhighlight><br />
<br />
Let's pick apart the shell loader. Remember that in bash, $_ is the last argument passed to the previous command,<br />
and $0 is the filename of the current executable.<br />
<br />
<syntaxhighlight><br />
cp $0 /tmp # copy the intro to /tmp<br />
sed -i 1d $_/$0 # remove the first line from the copy with sed<br />
$_|aplay # execute the intro<br />
rm $_ # remove the copy<br />
exit # exit (so that the binary data which follows doesn't get executed)<br />
</syntaxhighlight><br />
<br />
==== Combining audio and video ====<br />
<br />
Although this method is already saving a lot of bytes, we haven't even gotten to the best part yet.<br />
We can use the shell loader to also set up the framebuffer for us and make it very convenient to use, by using only 11 extra bytes!<br />
To do this, just modify the loader as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_ 0>/dev/fb0|aplay",10<br />
</syntaxhighlight><br />
<br />
With this loader, you can use pwrite64 directly on file descriptor 0 (stdin) to write to the screen, and write to file descriptor 1 (stdout) to play audio.<br />
Just be careful to get the timing right if you're doing both audio and video, as the audio writes are blocking.<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Coming soon...<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=960Linux2021-11-30T04:12:06Z<p>Byteobserver: Add Method 3</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+8] ; get pointer to environ. this assumes only one dword has been popped so far,<br />
; and that there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3: shell loader ===<br />
<br />
Everything we've seen so far has been focused on producing a "pure" ELF binary, to<br />
avoid the compatibility issues that plagued early Linux sizecoding techniques involving self compilation or<br />
binary patching. However, there is a way to embed the ELF binary in a shell script to<br />
save some bytes without sacrificing compatibility.<br />
<br />
In method 1, we effectively moved the audio device handling out of the intro and put the<br />
responsibility of connecting the intro to the audio device in the hands of the user.<br />
This is obviously not ideal, and in method 2 we fixed this by opening the audio device<br />
using syscalls. Here, we will use a hybrid approach. Our intro will appear to the<br />
operating system as a shell script, which when executed will unpack the intro to /tmp<br />
and then execute it, piping the output to aplay.<br />
<br />
The following example of this approach assembles to a 101-byte file.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay",10<br />
org $00010000-($-$$)<br />
top:<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd top ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
inc ebx ; we will write to stdout (1)<br />
main:<br />
mov edx,esi ; copy time into edx<br />
pop ecx ; grab previous sample from stack<br />
; bytebeat formula<br />
and ecx,edx<br />
shr edx,5<br />
mov ebp,entry ; useless, skips part of ELF header<br />
xor ecx,edx<br />
shr edx,5<br />
or ecx,edx<br />
push ecx ; write next sample<br />
<br />
mov ecx,esp ; pointer to audio data (the top byte of the stack)<br />
mov al,4 ; write syscall<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
inc esi ; increment time<br />
<br />
jmp main<br />
</syntaxhighlight><br />
<br />
Note that this code will leave a file in /tmp after it exits, and will also write a bunch of garbage (the binary) to the screen when it exits.<br />
Not only is this not very clean, but you may not be allowed to leave files around after your intro exits in some compos.<br />
To fix this, we can use the following (slightly longer) shell loader:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_|aplay;rm $_;exit",10<br />
</syntaxhighlight><br />
<br />
==== Combining audio and video ====<br />
<br />
Although this method is already saving a lot of bytes, we haven't even gotten to the best part yet.<br />
We can use the shell loader to also set up the framebuffer for us and make it very convenient to use, by using only 11 extra bytes!<br />
To do this, just modify the loader as follows:<br />
<br />
<syntaxhighlight lang=nasm><br />
db "cp $0 /tmp;sed -i 1d $_/$0;$_ 0>/dev/fb0|aplay",10<br />
</syntaxhighlight><br />
<br />
With this loader, you can use pwrite64 directly on file descriptor 0 (stdin) to write to the screen, and write to file descriptor 1 (stdout) to play audio.<br />
Just be careful to get the timing right if you're doing both audio and video, as the audio writes are blocking.<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Coming soon...<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=959Linux2021-11-29T21:57:12Z<p>Byteobserver: /* Method 2: pipe,fork,dup2,execve */ fix typo</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+8] ; get pointer to environ. this assumes only one dword has been popped so far,<br />
; and that there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3 ===<br />
<br />
Coming soon...<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Coming soon...<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=958Linux2021-11-29T21:38:24Z<p>Byteobserver: /* Adding Sound */</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+12] ; get pointer to environ. this assumes nothing has been<br />
; pushed/popped yet, and there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Method 3 ===<br />
<br />
Coming soon...<br />
<br />
=== Playing MIDI ===<br />
<br />
Coming soon...<br />
<br />
=== Syncing audio with visuals ===<br />
<br />
Coming soon...<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=957Linux2021-11-29T21:36:05Z<p>Byteobserver: /* Case study: 45-byte generative music intro */</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely). The output is quite variable depending on the cycle counter, which is only reset when your computer powers on. So, try running it after different amounts of time since power-on, and you may be surprised how different it can sound!<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+12] ; get pointer to environ. this assumes nothing has been<br />
; pushed/popped yet, and there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=956Linux2021-11-29T21:31:30Z<p>Byteobserver: /* Case study: 45-byte generative music intro */</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
Which one is it? Well, the rdtsc instruction loads the low 32 bits of the CPU's<br />
cycle counter into eax, and the high 32 bits into edx. So, whether we do a write<br />
or not is effectively random depending on the current cycle count. Note that on<br />
oldskool platforms, this may be quite deterministic, but on Linux the code is interrupted<br />
many times a second, which causes effectively random fluctuations in the cycle count<br />
that the program reads.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It ''writes'' to standard ''input''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
ecx is clearly set to equal esp, so the write syscall will be getting its data from the stack.<br />
<br />
edx, the amount of data to write, is a bit more tricky. It is set to the bitwise and of the low 32 and high 32 bits of the CPU's cycle counter (rdtsc).<br />
This may seem problematic, because this number might be larger than the size of the stack. However, the write syscall will stop either after writing edx bytes,<br />
or when it encounters a memory access violation. So, it doesn't matter if edx is huge, because then it will just write the entire contents of the stack.<br />
<br />
You may have noticed that the code has a <tt>push</tt> instruction but no corresponding <tt>pop</tt>. Won't it overflow the stack? Yes, eventually. But this takes quite a while.<br />
<br />
So, overall what the program is does is it pushes the low 32 bits of the CPU's cycle counter to the stack, then<br />
randomly plays a variable length chunk of the stack as audio, or does nothing. This repeats until the stack overflows, which on my machine takes at least half an hour (note: you can change the stack size by running <tt>ulimit -s unlimited</tt> beforehand, so that it will run until your RAM fills up completely).<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+12] ; get pointer to environ. this assumes nothing has been<br />
; pushed/popped yet, and there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=955Linux2021-11-29T21:11:48Z<p>Byteobserver: Clarify setting up section</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, logging in and making sure the user is in the video group. <br />
You can test if you are in the video group by running:<br />
<br />
$ cp /dev/urandom /dev/fb0<br />
<br />
which should cause the screen to fill with white noise before printing "no space left on device".<br />
If this is not the case, you can add your user to the videogroup like so (substituting <tt>username</tt> for your username):<br />
<br />
$ sudo usermod -a -G video username<br />
<br />
After doing this you will need to log out and log back in for the changes to take effect.<br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It '''writes''' to '''standard input'''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+12] ; get pointer to environ. this assumes nothing has been<br />
; pushed/popped yet, and there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=954Linux2021-11-29T21:07:45Z<p>Byteobserver: Fix typo</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the /dev/fb0 framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, login and making sure the user has access to the video group. If this is not the case for some reason, you can add your user to the videogroup like so:<br />
<br />
<syntaxhighlight><br />
sudo usermod -a -G video username<br />
</syntaxhighlight><br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It '''writes''' to '''standard input'''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+12] ; get pointer to environ. this assumes nothing has been<br />
; pushed/popped yet, and there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=953Linux2021-11-29T19:57:37Z<p>Byteobserver: /* Case study: 45-byte generative music intro */</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the dev/fbo framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, login and making sure the user has access to the video group. If this is not the case for some reason, you can add your user to the videogroup like so:<br />
<br />
<syntaxhighlight><br />
sudo usermod -a -G video username<br />
</syntaxhighlight><br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax,strict dword 4; e_phoff, p_flags<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works...<br />
<br />
The first thing to notice that that the origin is 0x25500000, unlike the origin of 0x00010000 that we used before. This is intentional.<br />
0x50 is the encoding of the <tt>push eax</tt> instruction, which appears after <tt>entry:</tt>,<br />
and 0x25 is the first byte of the <tt>and eax,strict dword 4</tt> instruction. These instructions actually overlap<br />
with the e_entry field of the header, so the high two bytes of the entry point (and origin) must match these instructions.<br />
The word <tt>0x001a</tt> that appears immediately before <tt>entry:</tt> forms the low two bytes of the entry point, i.e.,<br />
<tt>0x001a == (entry-$$)&0xffff</tt>.<br />
<br />
The instruction <tt>and eax,strict dword 4</tt> may seem odd, since this instruction is encoded as <tt>2504000000</tt>, which<br />
seems wasteful. However, doing <tt>and eax,4</tt> (which only takes 3 bytes) would not work here, because the dword 4<br />
needs to be stored here so that e_phoff (the program header offset) is correct.<br />
<br />
The rest of the code also overlaps the header, of course, but the fields that it overlaps are effectively ignored<br />
when the program is loaded, so we don't need to worry about setting them to the correct values.<br />
<br />
Now, lets strip away the header and see why this code actually produces the sound it does:<br />
<br />
<syntaxhighlight lang=nasm><br />
entry:<br />
push eax<br />
and eax,strict dword 4<br />
mov ecx,esp<br />
int $80<br />
rdtsc<br />
and edx,eax<br />
loop entry<br />
</syntaxhighlight><br />
<br />
Clearly, this code is calling some syscall (because of the <tt>int $80</tt>), but which one is it calling?<br />
The syscall number is stored in eax, and because of the instruction <tt>and eax,strict dword 4</tt><br />
we know that eax must either be 4 or 0. Syscall 4 is the write syscall, which is what we want. But<br />
what is syscall 0? The docs say that syscall 0 is <tt>restart_syscall</tt>, which is used to<br />
"restart a system call after interruption by a stop signal." The man page says<br />
"This system call is designed only for internal use by the kernel." And, luckily<br />
for us, when called from user space when the only other syscall we are using is write,<br />
this has absolutely no effect, and will probably always return -1 (EINTR).<br />
So, depending on eax&4, this code will either invoke the write syscall, or do nothing at all.<br />
<br />
The write syscall takes three arguments: the file to write to (in ebx), a pointer to the data to write (in ecx), and the amount of data to write (in edx).<br />
The code doesn't even mention ebx at all, and it is zeroed at program start. So this program writes to file descriptor 0, which is standard input.<br />
Now, that sounds weird. It '''writes''' to '''standard input'''? It turns out this is a perfectly fine thing to do, and we can redirect standard input to<br />
standard output by using <tt>./daemon45 0>&1</tt> on the command line.<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+12] ; get pointer to environ. this assumes nothing has been<br />
; pushed/popped yet, and there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=952Linux2021-11-29T19:11:58Z<p>Byteobserver: Adding section on simpler sound method</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the dev/fbo framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, login and making sure the user has access to the video group. If this is not the case for some reason, you can add your user to the videogroup like so:<br />
<br />
<syntaxhighlight><br />
sudo usermod -a -G video username<br />
</syntaxhighlight><br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved.<br />
The simplest method is to write audio data to standard output and pipe it to aplay on the command line.<br />
A more clean and self-contained method uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers.<br />
<br />
=== Method 1: pipe to aplay on the command line ===<br />
<br />
The first method is the simplest, but will not be usable in all circumstances.<br />
With this method, instead of running your intro with <tt>./intro</tt>, you have to do <tt>./intro | aplay 2>/dev/null</tt>,<br />
which may not be allowed in some compos. However, with this method you can produce some extremely small generative music<br />
intros, including some that are only 45 bytes---where the entire intro fits inside of the ELF header!<br />
<br />
Some basic code to produce a bytebeat sound is below.<br />
It simply consists of a loop which repeatedly writes a single 8-bit audio sample to standard output using the write syscall (0x4).<br />
<br />
<syntaxhighlight lang=nasm><br />
audio:<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx ; grab previous sample from stack<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx ; push next sample to stack<br />
<br />
mov ecx,esp ; pointer to audio data (the top of the stack)<br />
xor eax,eax<br />
mov al,4 ; write syscall<br />
xor ebx,ebx<br />
inc ebx ; write to stdout (1)<br />
mov edx,ebx ; write 1 byte<br />
int 0x80<br />
<br />
jmp audio<br />
</syntaxhighlight><br />
<br />
==== Case study: 45-byte generative music intro ====<br />
<br />
Below is the complete 45-byte generative music intro.<br />
Try saving it in a file called daemon45.asm and running it with:<br />
$ nasm daemon45.asm<br />
$ chmod +x daemon45<br />
$ ./daemon45 0>&1 | aplay -fS32_LE -r16000 -c2<br />
<br />
<syntaxhighlight lang=nasm><br />
; daemon 45 by byteobserver<br />
bits 32<br />
org $25500000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dw $001a ; e_entry, p_memsz<br />
entry:<br />
push eax<br />
and eax, strict dword 4; e_phoff-1, p_flags-1<br />
mov ecx,esp ; e_shoff, p_align<br />
int $80<br />
rdtsc ; e_flags<br />
and edx,eax<br />
loop entry ; e_ehsize<br />
dw $20 ; e_phentsize<br />
db 1 ; e_phnum<br />
; e_shentsize<br />
; e_shnum<br />
; e_shstrndx<br />
</syntaxhighlight><br />
<br />
Let's pull this apart and see how it works... TODO.<br />
<br />
=== Method 2: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+12] ; get pointer to environ. this assumes nothing has been<br />
; pushed/popped yet, and there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=951Linux2021-11-29T17:00:23Z<p>Byteobserver: /* Putting it all together */</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the dev/fbo framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, login and making sure the user has access to the video group. If this is not the case for some reason, you can add your user to the videogroup like so:<br />
<br />
<syntaxhighlight><br />
sudo usermod -a -G video username<br />
</syntaxhighlight><br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved. One method uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers.<br />
<br />
=== Method 1: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+12] ; get pointer to environ. this assumes nothing has been<br />
; pushed/popped yet, and there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
add ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=950Linux2021-11-29T16:59:32Z<p>Byteobserver: /* Putting it all together */</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the dev/fbo framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, login and making sure the user has access to the video group. If this is not the case for some reason, you can add your user to the videogroup like so:<br />
<br />
<syntaxhighlight><br />
sudo usermod -a -G video username<br />
</syntaxhighlight><br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved. One method uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers.<br />
<br />
=== Method 1: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+12] ; get pointer to environ. this assumes nothing has been<br />
; pushed/popped yet, and there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
mov ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
; if you want to add more args to aplay, you can push pointers to them here<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=949Linux2021-11-29T16:55:22Z<p>Byteobserver: /* Adding Sound */</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the dev/fbo framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, login and making sure the user has access to the video group. If this is not the case for some reason, you can add your user to the videogroup like so:<br />
<br />
<syntaxhighlight><br />
sudo usermod -a -G video username<br />
</syntaxhighlight><br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved. One method uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers.<br />
<br />
=== Method 1: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+12] ; get pointer to environ. this assumes nothing has been<br />
; pushed/popped yet, and there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
mov ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
== Additional Resources ==<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=948Linux2021-11-29T16:53:36Z<p>Byteobserver: /* Adding Sound */</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the dev/fbo framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, login and making sure the user has access to the video group. If this is not the case for some reason, you can add your user to the videogroup like so:<br />
<br />
<syntaxhighlight><br />
sudo usermod -a -G video username<br />
</syntaxhighlight><br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved. One method uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers.<br />
<br />
=== Method 1: pipe,fork,dup2,execve ===<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+12] ; get pointer to environ. this assumes nothing has been<br />
; pushed/popped yet, and there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
==== Putting it all together ====<br />
<br />
Combining the above snippets and optimizing a bit, we can arrive at<br />
the following 118 byte program which plays a familiar bytebeat track.<br />
<br />
<syntaxhighlight lang=nasm><br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4<br />
entry:<br />
mov al,0x2a ; pipe<br />
mov ebx,esp ; store output of pipe on stack<br />
int 0x80<br />
lea edx,[ebx+12] ; environ pointer, to be used later<br />
mov ebp, entry ; e_phentsize, this must be here for the ELF header<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=childpid in parent process<br />
dec eax<br />
js child<br />
<br />
audioloop:<br />
pusha<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,eax ; input side of pipe created earlier<br />
lea ecx,[edx-12] ; pointer to audio data<br />
xor edx,edx<br />
inc edx ; set size to one byte<br />
int 0x80<br />
popa<br />
<br />
; some bytebeat<br />
inc esi<br />
mov eax,esi<br />
pop ebx<br />
mov ebx,eax<br />
shr eax,5<br />
or ebx,eax<br />
shr eax,5<br />
and ebx,eax<br />
push ebx<br />
<br />
jmp audioloop<br />
<br />
child:<br />
inc eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
; ecx is already zero<br />
int 0x80<br />
<br />
mov al,0xb ; execve<br />
lea ebx,[ebp+((aplay+5-entry)&0xff)] ; pointer to "aplay"<br />
push 0 ; null terminator for args list<br />
push ebx ; pointer to "aplay" aka argv[0]<br />
mov ecx,esp ; pointer to null terminated array of arguments<br />
mov bl,(aplay-$$)&0xff ; pointer to "/bin/aplay"<br />
; edx is already set up as the environ pointer<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
aplay:<br />
db "/bin/aplay"<br />
; no null terminator is necessary because memory past the end of the file is always zero<br />
<br />
</syntaxhighlight><br />
<br />
''Can you make this smaller? Feel free to edit it!''<br />
<br />
=== Additional Resources ===<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=947Linux2021-11-29T02:36:11Z<p>Byteobserver: Add syntax highlighting to sound section</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the dev/fbo framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, login and making sure the user has access to the video group. If this is not the case for some reason, you can add your user to the videogroup like so:<br />
<br />
<syntaxhighlight><br />
sudo usermod -a -G video username<br />
</syntaxhighlight><br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved. One method uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers.<br />
<br />
==== Method 1: pipe,fork,dup2,execve ====<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
<syntaxhighlight lang=nasm><br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
</syntaxhighlight><br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
<syntaxhighlight lang=nasm><br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
</syntaxhighlight><br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
<syntaxhighlight lang=nasm><br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+12] ; get pointer to environ. this assumes nothing has been<br />
; pushed/popped yet, and there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
<br />
args:<br />
dd aplay+5<br />
dd 0<br />
aplay:<br />
db "/bin/aplay", 0<br />
</syntaxhighlight><br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
<syntaxhighlight lang=nasm><br />
parent:<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
</syntaxhighlight><br />
<br />
<br />
=== Additional Resources ===<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=946Linux2021-11-29T01:54:19Z<p>Byteobserver: /* Adding Sound */</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the dev/fbo framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, login and making sure the user has access to the video group. If this is not the case for some reason, you can add your user to the videogroup like so:<br />
<br />
<syntaxhighlight><br />
sudo usermod -a -G video username<br />
</syntaxhighlight><br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved. One method uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers.<br />
<br />
==== Method 1: pipe,fork,dup2,execve ====<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+12] ; get pointer to environ. this assumes nothing has been<br />
; pushed/popped yet, and there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
args: dd aplay+5<br />
dd 0<br />
aplay: db "/bin/aplay", 0<br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4). The following will produce a buzzing sound.<br />
<br />
parent:<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
<br />
<br />
=== Additional Resources ===<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=945Linux2021-11-29T01:53:26Z<p>Byteobserver: /* Adding Sound */</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the dev/fbo framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, login and making sure the user has access to the video group. If this is not the case for some reason, you can add your user to the videogroup like so:<br />
<br />
<syntaxhighlight><br />
sudo usermod -a -G video username<br />
</syntaxhighlight><br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved. One method uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers.<br />
<br />
==== Method 1: pipe,fork,dup2,execve ====<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
parent:<br />
; code for the rest of your intro goes here<br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+12] ; get pointer to environ. this assumes nothing has been<br />
; pushed/popped yet, and there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
args: dd aplay+5<br />
dd 0<br />
aplay: db "/bin/aplay", 0<br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4).<br />
<br />
parent:<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
<br />
<br />
=== Additional Resources ===<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=944Linux2021-11-29T01:37:30Z<p>Byteobserver: Writing linux audio section</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the dev/fbo framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, login and making sure the user has access to the video group. If this is not the case for some reason, you can add your user to the videogroup like so:<br />
<br />
<syntaxhighlight><br />
sudo usermod -a -G video username<br />
</syntaxhighlight><br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
By default, aplay will play 8-bit mono audio at 8000Hz, but the format can be changed easily by specifying arguments.<br />
If no filename is passed to aplay, it will read audio data from standard input, which we will use to our<br />
advantage.<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved. One method uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers.<br />
<br />
==== Method 1: pipe,fork,dup2,execve ====<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors. The first file descriptor is the read only/output side and the second is the write only/input side.<br />
<br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2, because eax should already be zero (indicating that the pipe was created successfully).<br />
<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
Now, we bind the standard input of the child (which aplay receives audio data from) to the output of the pipe, using the dup2 syscall (0x3f).<br />
<br />
child:<br />
xor eax,eax<br />
mov al,0x3f ; dup2<br />
pop ebx ; get file descriptor of output side of pipe<br />
xor ecx,ecx ; stdin is file descriptor 0<br />
int 0x80<br />
<br />
The following is optional. aplay will usually print a message saying<br />
some parameters of the stream that it is playing. If this interferes<br />
with your intro, you can close stderr to stop it from printing,<br />
with the close syscall (0x6).<br />
<br />
xor eax,eax<br />
mov al,6 ; close<br />
mov bl,2 ; stderr<br />
int 0x80<br />
<br />
Finally, we just have to execute aplay with the execve syscall (0xb).<br />
Constructing the arguments to this syscall takes a bit of work.<br />
Here we are doing it in a simple way which is a bit wasteful.<br />
You can save some bytes by constructing the arguments array<br />
on the stack.<br />
<br />
xor eax,eax ; shouldn't be necessary given the above<br />
mov al,0xb ; execve<br />
mov ebx,aplay ; pointer to aplay filename<br />
mov ecx,args ; pointer to null terminated array of arguments<br />
lea edx,[esp+12] ; get pointer to environ. this assumes nothing has been<br />
; pushed/popped yet, and there are no args passed to your program.<br />
; see here: http://www.mindfruit.co.uk/2012/01/initial-stack-reading-process-arguments.html<br />
; (we are trying to get the beginning of "Environment pointers")<br />
int 0x80 ; nothing after this point will be executed<br />
args: dd aplay+5<br />
dd 0<br />
aplay: db "/bin/aplay", 0<br />
<br />
Now everything should be set up, and we can start writing audio data with the write syscall (0x4).<br />
<br />
audioloop:<br />
xor eax,eax<br />
mov al,4 ; write<br />
mov ebx,[esp+4] ; input side of pipe created earlier<br />
mov ecx,esp ; pointer to audio data<br />
mov edx,1 ; length of audio data (in bytes)<br />
int 0x80<br />
inc byte [esp] ; increment the sample<br />
jmp audioloop<br />
<br />
<br />
=== Additional Resources ===<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=943Linux2021-11-29T00:59:51Z<p>Byteobserver: Starting on sound section</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
'''1) Self-compilation tricks (using gcc or python):''' The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
'''2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup:''' This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
'''So what can we realistically expect from a 256 intro on Linux?'''<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Additionally, since we're dealing with 32-bit code, expect some instructions (especially when dealing with direct values) to take up bit more space.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the dev/fbo framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, login and making sure the user has access to the video group. If this is not the case for some reason, you can add your user to the videogroup like so:<br />
<br />
<syntaxhighlight><br />
sudo usermod -a -G video username<br />
</syntaxhighlight><br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehdr and phdr parts and changing your entry point, we can get the header down to about the 48 bytes range with a nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (2) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap.<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the aplay command into your intro.<br />
aplay is available on almost all Linux setups. You can test it by running the following, which should produce some white noise:<br />
<br />
$ aplay /dev/urandom<br />
<br />
To use aplay in the context of an intro, there is a bit of setup work involved. One method uses 4 syscalls to start aplay<br />
as a child process, so that audio data can then be simply written to the appropriate file descriptor to send it to<br />
the speakers.<br />
<br />
==== Method 1: pipe,fork,dup2,execve ====<br />
<br />
This approach is as follows.<br />
First, we create a pipe using the pipe syscall (0x2a).<br />
This syscall takes a pointer to an array of 2 ints, which it fills with<br />
the file descriptors of the two ends of the pipe. In the following,<br />
we simply overwrite the top of the stack with the file descriptors.<br />
<br />
mov ebx,esp<br />
xor eax,eax<br />
mov al,0x2a ; pipe<br />
int 0x80<br />
<br />
Next, we fork the process (syscall 0x2). The child process will be used to exec aplay.<br />
If you do this right after creating the pipe, you don't need to zero eax before setting it to 2.<br />
<br />
mov al,2 ; fork<br />
int 0x80 ; returns eax=0 in child process and eax=1 in parent process<br />
dec eax<br />
js child<br />
<br />
=== Additional Resources ===<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics A dev/fb0 framebuffer binding + ELF header for small C programs]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=882Linux2021-08-09T04:38:40Z<p>Byteobserver: /* Adding Sound */</p>
<hr />
<div>== Introduction ==<br />
This section of the sizecoding.org wiki is about creating very small (<=256byte) 32-bit X86 based Linux binaries (ELF format).<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 Linux sizecoding. <br />
<br />
A huge thanks goes out to byteobserver (Xorchitecture (2021) - https://www.pouet.net/prod.php?which=88982) as well as some early work by frag/fsqrt (Lintro (2012) - https://www.pouet.net/prod.php?which=58560) for all their research and hard work in producing tiny ELF binaries for linux.<br />
<br />
=== Alternative methods and expectations ===<br />
As the development of actual tiny ELF assembler executables on linux is still in its early days, with about a handful of actual <256 byte tiny ELF binary productions, lets look at some of the other methods of getting tiny intros onto linux.<br />
<br />
1) Self-compilation tricks (using gcc or python): The executable executes a gcc (or python) compilation of the embedded code and executes it. This requires GCC and/or specific version of Python and potentially dynamically linked libraries to be installed. <br />
<br />
2) Linking a piece of compiled C code to a stripped ELF header + dev/fb0 setup: This method has been used by The Orz to create<br />
several sizecoded procedural graphics entries. For more information about this check out https://github.com/grz0zrg/tinycelfgraphics<br />
<br />
So what can we realistically expect from a 256 intro on Linux?<br />
<br />
Expect about ~100 byte cost for the ELF header, setting up fb0 , some form of update loop, framecounter and using either mmap setup or copying via pwrite64 to get you started. If you want audio as well, the avaialble byte-budget will shrink even more.<br />
<br />
Lets hope this wiki page will inspire and help people to get started and create newer, better Linux tiny intros ;-)<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : Any X86-based Linux distribution that allows for execution of 32-bit executables.<br />
* Assembler: NASM (or any other linux compatible 32-bit X86 assembler)<br />
<br />
Furthermore, it is important that the user has access to the dev/fbo framebuffer.<br />
This can be achieved by launching a virtual (fullscreen) console using CTRL-F3/F4 in most distributions, login and making sure the user has access to the video group. If this is not the case for some reason, you can add your user to the videogroup like so:<br />
<br />
<syntaxhighlight><br />
sudo usermod -a -G video username<br />
</syntaxhighlight><br />
<br />
Note: Make sure your binary is executable for everyone using the chmod 777 command after compilation :D<br />
<br />
=== System Calls ===<br />
Interaction with the Linux OS is mostly done via int 0x80 system calls.<br />
This usually includes dealing with opening files/framebuffer/audio and handling timers.<br />
<br />
A full list of system calls and their expected register arguments is available at:<br />
https://syscalls32.paolostivanin.com/<br />
<br />
<br />
=== ELF Header Information ===<br />
Like a 32-bit windows executable, a 32-bit binary for linux comes with a pretty hefty ELF header.<br />
<br />
<syntaxhighlight lang=nasm><br />
org 0x00010000 <br />
ehdr: ; Elf32_Ehdr<br />
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident<br />
times 8 db 0<br />
dw 2 ; e_type<br />
dw 3 ; e_machine<br />
dd 1 ; e_version<br />
dd _start ; e_entry<br />
dd phdr - $$ ; e_phoff<br />
dd 0 ; e_shoff<br />
dd 0 ; e_flags<br />
dw ehdrsize ; e_ehsize<br />
dw phdrsize ; e_phentsize<br />
dw 1 ; e_phnum<br />
dw 0 ; e_shentsize<br />
dw 0 ; e_shnum<br />
dw 0 ; e_shstrndx<br />
<br />
<br />
phdr: ; Elf32_Phdr<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dd $$ ; p_paddr<br />
dd filesize ; p_filesz<br />
dd filesize ; p_memsz<br />
dd 5 ; p_flags<br />
dd 0x1000 ; p_align<br />
<br />
<br />
_start:<br />
<br />
; your program here<br />
</syntaxhighlight><br />
<br />
Luckily some parts of the ELF header can be repurposed and used to store some data and code.<br />
There is quite an extensive journey about some header optimisations available at http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html for those that are interested.<br />
<br />
After merging the ehr and phr parts and changing your entry point, we can get the header down to about the 30 bytes range with a <br />
nifty /dev/fb0 string inserted which we'll be able to use later for setting up the framebuffer.<br />
<br />
<syntaxhighlight lang=nasm><br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
; this next instruction overlaps with a critical part of the elf header<br />
; it needs to look like XX YY YY YY YY where YYYYYYYY=fname<br />
; so you can change the register to something else or use push<br />
; but the four byte pointer to fname cannot be changed.<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
<br />
; e_shentsize, e_shnum, e_shstrndx are below but we can put whatever code/bytes we want there<br />
mov cl,1 ; set read/write mode (1 or inc ecx is sufficient for pcopy method, read/write (3) is needed for mmap)<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
</syntaxhighlight><br />
<br />
== Displaying Graphics ==<br />
Graphics can be produced by using and accessing the linux /dev/fb0 framebuffer.<br />
First the framebuffer has to be opened at the intro initialisation, and can then be used to either copy a piece of memory over using the pwrite64 syscall (0xb5) or using map a piece of memory directly to the framebuffer using syscall mmap (90)<br />
<br />
==== Setting up the framebuffer ====<br />
The dev/fb0 framebuffer can best be accessed from a virtual console (ctrl-f3/f4 in most distributions).<br />
<br />
To make sure your dev/fb0 framebuffer is set up properly, you can apt get the fbset tool and display and/or alter the framebuffer resolution as most intros will make an assumption about the resolution of your framebuffer.<br />
<br />
To test access to dev/fb0 framebuffer, you can use the following cat command:<br />
<syntaxhighlight><br />
cat /dev/urandom > /dev/fb0<br />
</syntaxhighlight><br />
which should produce random noise to the screen (ignorning the out of memory error that is expected from cat) <br />
<br />
Alternatively, if you don't like to use the virtual console during the development of your intro, or the framebuffer setup is somehow giving you problems, there is a smalle fbe.c / fbe binary supplied with the xorchitecture intro by byteobserver that has a SDL windows mmap'ed to tmp/fb0 which you can launch alongside your intro (don't forget to redirect the dev/fb0 pointer in your intro to tmp/fb0).<br />
<br />
==== Getting something on screen ====<br />
First we need to fill up our local memorybuffer with pixeldata, so lets start doing that using the old AND pattern<br />
<br />
<syntaxhighlight lang=nasm><br />
mov ecx,width*height<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
and eax,edx ; xor pattern<br />
<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
loop setpixels<br />
</syntaxhighlight><br />
<br />
Once your buffer (in this case marked by the esp stackpointer) is all filled up with pixeldata, you <br />
can copy it to the /dev/fb0 using the pwrite64 syscall like so: <br />
<br />
<syntaxhighlight lang=nasm><br />
; copy memorybuffer to screen (/dev/fb0) using the pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
</syntaxhighlight><br />
<br />
As an alternative to using pwrite64 you can also mmap )check out intros by The Orz for an example with mmap) to map <br />
a piece of memory to dev/fb0. However using mmap because you can get tearing, and you can't realistically do feedback effects without implementing a second buffer, as reading from the mmaped memory is VERY slow.<br />
<br />
<syntaxhighlight lang=nasm><br />
;mmap(NULL, buflen, PROT_WRITE, MAP_SHARED, fd, 0);<br />
push edx ;edx = 0<br />
push eax ;fd<br />
push byte 1 ;MAP_SHARED<br />
mov al, 90<br />
push eax ;we need to set second bit for PROT_WRITE, 90 = 01011010 and setting PROT_WRITE automatically set PROT_READ<br />
push width*height*4 ;buffer size<br />
push edx ;NULL<br />
mov ebx, esp ;args pointer<br />
int 80h ;eax <- buffer pointer<br />
</syntaxhighlight><br />
<br />
== Example Framework ==<br />
<br />
==== Munching squares ====<br />
So when we put all the above together, we can get a minimal kind of framework running that will look something like this<br />
munching square example provided to us by byteobserver:<br />
<br />
<syntaxhighlight lang=nasm><br />
; byte.observer's munching square linux example<br />
; assembles with nasm -fbin munch.asm -o munch<br />
width equ 1024<br />
height equ 768<br />
<br />
bits 32<br />
org $00010000<br />
db $7F,"ELF" ; e_ident<br />
dd 1 ; p_type<br />
dd 0 ; p_offset<br />
dd $$ ; p_vaddr<br />
dw 2 ; e_type, p_paddr<br />
dw 3 ; e_machine<br />
dd entry ; e_version, p_filesz<br />
dd entry ; e_entry, p_memsz<br />
dd 4 ; e_phoff, p_flags<br />
fname:<br />
db "/dev/fb0",0 ; e_shoff, p_align, e_flags, e_ehsize<br />
entry:<br />
mov ebx,fname ; e_phentsize, e_phnum<br />
inc ecx ; = 1 = O_WRONLY<br />
mov al,5 ; 5 = open syscall<br />
int 0x80 ; open /dev/fb0 = 3<br />
<br />
mov ebp,width*height*4 ; ebp = screen size<br />
sub esp,ebp ; make room on the stack for the video memory<br />
<br />
mainloop:<br />
mov ecx,ebp ; init pixel index<br />
shr ecx,2 ; divide by bits per pixel<br />
inc edi ; frame counter<br />
<br />
setpixels:<br />
mov ebx,width<br />
mov eax,ecx<br />
cdq<br />
div ebx ; edx = x-coord , eax=y coord<br />
xor eax,edx ; xor pattern<br />
add eax,edi ; make it munch<br />
mov [esp+ecx*4+0],al ; b<br />
mov [esp+ecx*4+1],al ; g<br />
mov [esp+ecx*4+2],al ; r<br />
mov [esp+ecx*4+3],al ; a<br />
loop setpixels<br />
<br />
; dump the whole thing to the screen using pwrite64 syscall<br />
mov ecx,esp ; buffer ptr<br />
mov edx,ebp ; screen size<br />
push edi ; save frame counter<br />
xor esi,esi ; seek to beginning of screen<br />
xor edi,edi <br />
mov ebx,3 ; fd of framebuffer<br />
mov eax,0xb5 ; pwrite64<br />
int 0x80 ; pwrite64 to framebuffer<br />
pop edi<br />
<br />
jmp mainloop<br />
</syntaxhighlight><br />
<br />
== Adding Sound ==<br />
It is possible to output digital audio by binding the the aplay command into your intro.<br />
APLAY is available on most of the Linux distributions and can be tested by running:<br />
<br />
$ aplay /dev/urandom<br />
<br />
<br />
==== Make some noise ====<br />
To be added soon.<br />
<br />
=== Additional Resources ===<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics] A dev/fb0 framebuffer binding + ELF header for small C programs.<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
<br />
== Larger productions (1k and 4k intros) ==<br />
Creating 1k and 4k intros on linux usually requires a different setup, for more information on this check out the following links:<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]</div>Byteobserverhttp://www.sizecoding.org/index.php?title=Linux&diff=846Linux2021-03-17T01:33:29Z<p>Byteobserver: /* Additional Resources */ Add additional links</p>
<hr />
<div>== Introduction ==<br />
For X86 related information, please check the main pages on this website, as a lot of the same tricks will also work with X86 linux sizecoding. This page goes into the specifics of getting small binaries on linux. <br />
<br />
<br />
=== Linux system ===<br />
To be added.<br />
<br />
=== Setting up ===<br />
Setting up your development platform for Linux development:<br />
<br />
* Suggested Distributions : -<br />
* Assembler: NASM (?)<br />
<br />
=== ELF Header Information ===<br />
To be added.<br />
<br />
=== System Calls ===<br />
To be added.<br />
<br />
=== Self compilation ===<br />
To be added.<br />
<br />
== Accessing video ==<br />
Accessing video<br />
<br />
==== Getting something on screen ====<br />
To be added soon.<br />
<br />
<br />
== Sound ==<br />
To be added soon.<br />
<br />
==== Make some noise ====<br />
To be added soon.<br />
<br />
=== Additional Resources ===<br />
* [https://pcy.ulyssis.be/pres/Lin.pdf The Intricacies of Sizecoding on Linux (PDF)]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=128b&platform%5B%5D=Linux Pouet: 128byte productions on Linux]<br />
* [https://www.pouet.net/prodlist.php?type%5B%5D=256b&platform%5B%5D=Linux Pouet: 256byte productions on Linux]<br />
* [https://github.com/grz0zrg/tinycelfgraphics Collection of tiny C ELF programs with graphics output]<br />
* [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux]<br />
* [https://linux.weeaboo.software/Home Linux Sizecoding wiki at weeaboo.software]</div>Byteobserver