Don’t ask an AI

Spoiler: I’m often asked if I use AI in my business, and then why I don’t use it. Here is the answer to those questions.

While we were writing our book about shellcode, and particularly about how to pass the return value of a function in machine language, out of curiosity we wondered how AI would have done it in our place.

The problem is not about how to pass the return value of a function, because one can simply disassemble any piece of compiled code to get the answer. It was about finding the standard that tells how to do it and why that is the way to do it.

We therefore opened a web browser and went to the Bing search engine, which offers a “discussion” interface with Chat GPT. We were therefore able to ask our questions to this robot and read its answers.

So here are the questions and answers we got, so you can get a more realistic idea of their capabilities.

Ethics reminder: Given that these robots adapt their answers to the history of questions, use a little randomness and are regularly updated, it is impossible to guarantee that you will obtain exactly the same answers as us. In this sense, we cannot “prove” the content of our exchanges to you.

But unlike journalists and other bloggers under influence, we are legal experts and as such, we have taken an oath: our productions engage our honor and our conscience.

Bing’s answers

The questions and answers are in quotes and the only changes are typographical. No words have been changed.

Question : Comment retourner une valeur en assembleur ?

Pour retourner une valeur en assembleur, vous pouvez utiliser l’instruction MOV pour déplacer la valeur souhaitée dans le registre de destination. Par exemple, si vous souhaitez retourner la valeur 42, vous pouvez utiliser l’instruction MOV EAX, 42 pour déplacer la valeur 42 dans le registre EAX. Vous pouvez ensuite utiliser l’instruction RET pour retourner la valeur dans la pile d’appel

J’espère que cela vous aide. Si vous avez d’autres questions, n’hésitez pas à les poser.

En savoir plus : benoit-m.developpez.com, fr.wikibooks.org, wcours.gel.ulaval.ca

For English readers, here is my translation: How to return a value in assembly? To return a value in assembly, you can use the mov instruction to move a value into the destination register. For instance, if you want to return the value 42, you can use the mov eax, 42 instruction to move 42 into the eax register. You can then use the ret instruction to return the value in the call’s stack.

I cannot resist trolling the bot about its paragraph construction. The first sentence should answer the question but it doesn’t. The next one should be an example but gives the answer…

Furthermore, the AI gives me assembly code without any further detail. We recognize the Intel syntax used under Windows by the operand order (the opposite of the AT&T syntax used under GNU/Linux) and the 32-bit Intel x86 processors by the register name (eax), but only because we already know a bit about the subject.

The problem with this choice of a 32-bit architecture is that the bot completely ignores more recent and more widely used processors, such as the x86-64 family (also called amd64) found in our PCs for 20 years, or the Arm architecture found in our smartphones for 15 years.

On the content, there is a huge problem with the sentence « ret instruction to return the value in the call’s stack ». First, because ret does not return any value (it pops the address of the next instruction to execute). Then, because there is no point in both moving a result into a register and stacking its value (or does the AI consider that the ret instruction is like a pop eip followed by a push eax?). Not a good start.

For the sources, the problem is bigger. None of them mentions mov eax, 42 because none of them deals with calling conventions. The third is about ARM, where the assembly instructions are different. None of them relates to the AI’s text, which is more a bulgur wheat mix than a reasonable answer.

But since I was more interested in finding the reference for that convention, I did not ask the AI about the previous point. Here is the next question.

Question : Donne m’en la preuve

Voici la preuve que l’instruction MOV peut être utilisée pour retourner une valeur en assembleur. Lorsque vous utilisez l’instruction MOV EAX, 42, vous déplacez la valeur 42 dans le registre EAX. Vous pouvez ensuite utiliser l’instruction RET pour retourner la valeur dans la pile d’appel..

J’espère que cela répond à votre question. Si vous avez d’autres questions, n’hésitez pas à les poser.

En savoir plus : hellowork.com, candidat.pole-emploi.fr, francecarriere.fr

My translation: Give me a proof! Here is the proof that the mov instruction can be used to return a value in assembly. When you use the mov eax, 42 instruction, you move the value 42 into the eax register. You can then use the ret instruction to return the value into the call’s stack.

So, to fully understand the logic of proofs in Chat GPT: proving something is a matter of saying it twice. Roughly speaking: « It’s true because I told you ». I should use this technique more often with judges. It’ll spare me a lot of effort doing investigations, studying cases and writing reports.

But the gem is in the sources given to prove the claim that the return value is in eax… If you thought the previous ones were off topic, these are a lot better. They are all job descriptions, the first about « Assembleur au plan » (draw and cut pieces of metal or other materials) and the last about « Assembleur de produits électroniques » (assembly of electronic products).

To give Chat GPT a chance to better understand my need, I tried a third question…

Question : Ce n’est pas parce que tu le dis que c’est vrai. J’aimerais une référence ou une documentation officielle.

Je suis désolé pour la confusion. Voici une référence officielle qui explique comment retourner une valeur en assembleur: 1. Selon cette source, pour retourner une valeur en assembleur, vous pouvez utiliser l’instruction MOV pour déplacer la valeur souhaitée dans le registre de retour. Par exemple, si vous souhaitez retourner la valeur 42, vous pouvez utiliser l’instruction MOV EAX, 42 pour déplacer la valeur 42 dans le registre EAX. Vous pouvez ensuite utiliser l’instruction RET pour retourner cette valeur à l’appelant.

J’espère que cela vous aide. Si vous avez d’autres questions, n’hésitez pas à les poser.

En savoir plus : hellowork.com, candidat.pole-emploi.fr, francecarriere.fr

Here is my translation: It’s not because you say it that it’s true, I want a reference or official documentation. I am sorry about the confusion, here is an official reference that explains how to return a value in assembly: 1. According to this source, to return a value, you can use [… same as before …].

That’s called argumentum ad nauseam: repeating the same message endlessly, hoping that it’ll make it true. « It’s true because I’m saying it »

Bing’s other answers

Since I am a bit curious, I wanted to see if we get the same answer in other tries and with other words in the question…

On the content and the form of the text, it was globally constant. Chat GPT endlessly repeats its story about mov eax, 42 followed by a ret (sometimes with the stacking of the value). No matter whether I ask for references or documentation, or add the adjective « official », nothing fundamentally changes in the answer.

It’s more in the links that I got variations.

The third reference about ARM that points to Laval’s University was sometimes replaced with another one pointing to Grenoble’s University (lig-membres.imag.fr). It’s still about ARM; this time it deals with function calls (it’s better) but it says nothing about returning a value, a shame.

When I ask about references, I get lots of links to Stack Overflow: Returning a value in x86 assembly language, Return value of a C function in ASM and How’s return value implemented in assembly level?. They contain the explanation about the eax register but there is no reference in them. If I tell Chat GPT that Stack Overflow is not a reference, it apologizes and then… gives the same links again.

When I asked to get something more « official », I sometimes got a YouTube video, sometimes links to Microsoft documentation (about the C/C++ parameter passing convention, nothing about return values). More comical: links to French government websites (about law, taxes or the unemployment office). Nothing relevant.

To be honest, it happened that the bot asked me to watch the « reference video » (the one on YouTube), giving me the link for ARM assembly at Laval’s University…

It’s only after more tries that I got, by chance, a more interesting link to Harvard University (cs61.seas.harvard.edu). The page doesn’t explain how to pass the return value but has a reference paragraph:

For concreteness, we learn the x86-64 calling conventions for Linux. These conventions are shared by many OSes, including MacOS (but not Windows), and are officially called the “System V AMD64 ABI.” See the official specification (source).

So, I had to follow lots of useless links to eventually end up on a more interesting page which points to the reference I was (fakely) searching for. Only because I was able to recognize this paragraph as being the answer. And it does not fully answer the question either.

Bing’s English answers

Wondering if I should translate the previous Q/A sessions, I tried Bing with English questions to see if there are differences. Indeed, there are, and that’s why I kept the French ones and put this specific section here with English questions and answers. Again, no words have been changed.

Question : how to return a value in assembly

To return a value in assembly, you can use the ret instruction. This instruction pops the top of the stack into the instruction pointer register and transfers control to the calling function. The value to be returned should be placed on the stack before the ret instruction is executed. The value can be placed in a register or memory location before being pushed onto the stack. Here is an example of how to return a value in x86 assembly language:

section .data
 result db 0

section .text
 global _start

_start:
 mov eax, 5
 mov [result], eax
 mov eax, 1
 xor ebx, ebx
 int 0x80

section .data
 result db 0

section .text
 global _start

_start:
 mov eax, 5
 mov [result], eax
 mov eax, 1
 xor ebx, ebx
 int 0x80

In this example, the value 5 is moved into the eax register, which is then moved into the result memory location. The ret instruction is not used because this is a complete program that exits using the int 0x80 instruction. The value 5 would be returned to the calling function if this code were part of a larger program.

I hope this helps! Let me know if you have any other questions.

Source : (1) ethereum.stackexchange.com, (2) learn.microsoft.com

The answer is a little bit longer this time. The good news is that the bot now tells us which assembly language it’s using. Unfortunately it’s again the old 32-bit processor.

Chat GPT first tells us that we must push the value on the stack and that we can use a register in the process. This is obviously not the same answer as the French one, and it is also the wrong one. Because if you push the value on the stack and then execute ret (as stated by Chat GPT), ret will pop your value and use it as the address of the next instruction to execute…

Then it gives us an example made of twice the same code (lines 1 to 12 are the same as lines 14 to 25). There is no ret instruction, so the example is indeed out of scope. The explanation that follows agrees (!), because the bot wrote a program… and tells us that the return value is in memory (which is useless since the memory will be flushed at the end of the program).

The links are about returning a value, the first one in smart contracts and the second in Visual Basic. Everything except assembly code.

So I moved on, letting Chat GPT fix the issue.

Question : I dont want how a program returns a value but how a function return a value

I apologize for the confusion. To return a value from a function in assembly, you can use the ret instruction. The value to be returned should be placed in the register eax before the ret instruction is executed. Here is an example of how to return a value from a function in x86 assembly language:

section .data
 result db 0

section .text
 global _start

_start:
 mov eax, 5
 call my_function
 mov [result], eax
 mov eax, 1
 xor ebx, ebx
 int 0x80

my_function:
 mov eax, 10
 ret

In this example, the value 5 is moved into the eax register before calling the function my_function. The function my_function moves the value 10 into the eax register and then executes the ret instruction, which transfers control back to the calling function and pops the top of the stack into the instruction pointer register. The value 10 is returned to the calling function and stored in the result memory location.

I hope this helps! Let me know if you have any other questions.

Source : (1) stackoverflow.com, (2) stackoverflow.com, (3) stackoverflow.com.

I don’t know why, but this time the bot fixed the first paragraph, which now tells us that the return value is placed in the eax register before returning. The example is longer than needed (I would have deleted lines 1 to 13).

The links are not official references but deal with return values in assembly languages.

Since I’d like to get official documentation, I came back to Chat GPT, asking it to give me references.

Question : Ok but can you prove your claim ?

I apologize for not providing a source for my previous response. Here is a reference to the Intel® 64 and IA-32 Architectures Software Developer’s Manual, Volume 1: Basic Architecture ¹:

The ret instruction pops the top of the stack into the instruction pointer register and transfers control to the calling function. The value to be returned should be placed in the eax register before the ret instruction is executed.

I hope this helps! Let me know if you have any other questions.

Source : (1) learn.microsoft.com, (2) www.wikilawschool.net, (3) www.upcounsel.com

To be honest with you, I have an (electronic) copy of this famous Intel manual and I didn’t find the citation in it. The beginning of the sentence, « The ret instruction pops the », can be found twice in it: in section 6.2.4.2, where it explains how ret proceeds (pops the next instruction to execute), and in section 17.1.1, about the shadow stack, which deals with control-flow enforcement. The full paragraph does not appear in the manual, which does not say how to return a value.

The source links are a shame. The first one, which was used by Chat GPT as the link to the Intel manual, actually points to the « Claim class », a security feature of the .NET language. The second one is about a United States of America federal law. The third is about the management of manufacturing defects. Nothing related to assembly language.

The good answer

First, I must tell you that the way we pass the return value is part of a whole set of questions one must answer to allow programs to communicate through the processor, and that the set of answers forms what’s called an ABI, for Application Binary Interface. Like an API, but instead of your favorite programming language, it’s about assembly.

The good answer is thus « it depends ». Because the ABI that you’ll have to follow depends on the operating system, the programming language, the compiler, the processor. And even if you find the ABI, the convention may change depending on the type of the returned value.

And since it wouldn’t be fun otherwise, the Harvard reference points to version 1.0 of the System V AMD64 ABI and GNU/Linux points to version 0.99. The reference found with Bing is not the one used in GNU/Linux.
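
As an added illustration (this code is not from the original post), here are four hand-written x86-64 functions called from C under the System V AMD64 ABI on GNU/Linux, showing how the place of the return value changes with its type. The function names, struct layouts and values are assumptions chosen for the example; it builds with GCC or Clang.

```c
/* Added example, System V AMD64 ABI on x86-64 GNU/Linux (GCC or Clang).
   Function names and values are assumptions made for the illustration. */
#if !defined(__x86_64__) || !defined(__linux__)
#error "this example targets x86-64 GNU/Linux"
#endif
#include <stdio.h>

struct pair { long lo, hi; };   /* 16 bytes: comes back in rax and rdx */
struct big  { long a, b, c; };  /* 24 bytes: comes back through memory */

/* Hand-written callees in AT&T syntax. None of them pushes anything
   before ret, so ret pops the caller's return address and nothing else. */
__asm__(
    ".pushsection .text\n"
    ".globl ret_int, ret_double, ret_pair, ret_big\n"
    "ret_int:\n"                        /* int: eax */
    "    movl    $42, %eax\n"
    "    ret\n"
    "ret_double:\n"                     /* double: xmm0, rax plays no role */
    "    movabsq $0x4045000000000000, %rax\n"   /* IEEE 754 bits of 42.0 */
    "    movq    %rax, %xmm0\n"
    "    xorl    %eax, %eax\n"
    "    ret\n"
    "ret_pair:\n"                       /* two integer eightbytes: rax, rdx */
    "    movq    $7, %rax\n"
    "    movq    $9, %rdx\n"
    "    ret\n"
    "ret_big:\n"                        /* caller passed a buffer address in rdi */
    "    movq    $1, 0(%rdi)\n"
    "    movq    $2, 8(%rdi)\n"
    "    movq    $3, 16(%rdi)\n"
    "    movq    %rdi, %rax\n"          /* the same address is returned in rax */
    "    ret\n"
    ".popsection\n"
);

/* The compiler sees only these prototypes. It finds each value because it
   applies the same ABI rules on the caller's side. */
extern int         ret_int(void);
extern double      ret_double(void);
extern struct pair ret_pair(void);
extern struct big  ret_big(void);

int main(void)
{
    struct pair p = ret_pair();
    struct big  b = ret_big();
    printf("int=%d double=%.1f pair=(%ld,%ld) big=(%ld,%ld,%ld)\n",
           ret_int(), ret_double(), p.lo, p.hi, b.a, b.b, b.c);
    return 0;
}
```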

And after ?

I admit I knew the answer and only wanted to see if the AI was able to find it. I asked the AI to find the official reference for calling functions. Despite my being on GNU/Linux with an x86-64 processor, the bot did not ask me about it and gave me an answer for Windows with 32-bit processors, citing job descriptions as references (and other irrelevant links).

If I were an AI-boosted teacher, facing students learning computer security, I’d tell them the field’s clichés with random sources. And if one of them asked me to clarify something, I’d only repeat myself with other random sources. After all, « I’m right because I’m the teacher ».

If I were an AI-boosted expert and a judge asked for my advice in a legal case, I’d plagiarize other reports I had read and, to give more weight to my theory, add random references to the case. And if stakeholders made observations or asked for clarification, I’d repeat myself, citing other random pieces of documents. After all, « I’m right because I’m the expert ».

We are not going to lie, others did not wait for AI to invent those reasoning modes. We all had teachers who only repeat their message without answering questions. And some experts should not be asked for advice. By plagiarizing the most widely seen theory and by inventing proofs, they can quickly answer any question you like. It’s a joy but it’s an illusion.

The novelty is perhaps that this is the first time that this reasoning mode is presented as a major advance in human history and an efficient way to get answers and produce quality content. It’s only a myth (and that may explain the proselytism).

The truth is that if an AI can do your job, it’s because you make a pig’s ear of the job.

« When you need help solving a math problem, don’t ask a pig », Peg in Peg+Cat, season 1 episode 1

Maybe I’m too old, but I don’t teach with AI, I do not delegate my advice to a robot and I don’t give it my keyboard to write for me. I gather materials, I study pieces of information, I do experiments and I draw conclusions, then I build my message so it best fits the question I was asked.

It’s a lot longer but it’s the price to get a correct answer, and a mark of respect.