Reverse engineering by Ravi Rajput hcon groups meet

Post on 09-Aug-2015


Ravi Rajput

“Painless pill for the complicated topic”

/usr/bin/whoami

• Student of Information Technology

• A n00b with time in my hand

• Have interest in Information Security

• A person who has BIG dreams :P

Agenda

• To wet our hands in the Ocean of REVERSE ENGINEERING

• Will cover basic fundas of Assembly Language

• It’s a Painless pill for the complicated topic.

CPU

• Control Unit :- Retrieve/decode instructions and store in memory
• Execution Unit :- Actual execution of instructions
• Registers :- Internal memory locations used as "variables"
• Flags :- Used to indicate various events at execution time

General Purpose Registers

• EAX • EBX • ECX • EDX • ESI • EDI • ESP • EBP

• EAX :- Accumulator register used for storing operands and result data
• EBX :- (Base register) Pointer to data
• ECX :- (Counter register) Loop operations
• EDX :- (Data register) I/O pointers
• ESI & EDI :- Data pointer registers for memory operations
• ESP :- (Top of the stack) Stack pointer register
• EBP :- Stack data pointer register

Contd.

    STACK            Used to store function arguments & local variables
    Unused Memory
    Heap             Dynamic memory
    .bss             Uninitialized data
    .data            Initialized data
    .text            Program code

NOTE :- the stack is LIFO and grows from high memory to low memory

General Structure

    .data            # All initialized data
    .bss             # All uninitialized data
    .text
    .globl _start    # External callable routine, main() in a C program
    _start:
                     # Program instructions

System Calls

• System calls are invoked by processes using a software interrupt - int 0x80
• EAX :- System call number
• EBX :- First argument
• ECX :- Second argument
  and so on... up to EDI

Finally..!!

• Ya …finally after boring theory we are going to learn about coding in ASSEMBLY LANGUAGE ..

Steps

1. Declare all initialized data in the ".data" section. For eg.

    hello_world:
        .ascii "Hello World"

2. Pass the system call number in EAX
3. Pass arguments in EBX, ECX, EDX ..
4. Raise the software interrupt.

Hello World

    .data
    hello_world:
        .ascii "Hello World"

    .text
    .globl _start
    _start:
        # load all the arguments for write(fd, buf, count)
        movl $4, %eax              # system call number 4 = write
        movl $1, %ebx              # first argument: fd 1 (stdout)
        movl $hello_world, %ecx    # second argument: address of the string
        movl $11, %edx             # third argument: length of "Hello World"
        int $0x80

        # after write, the next code calls exit to terminate the program
        movl $1, %eax              # system call number 1 = exit
        movl $0, %ebx              # first argument: exit status 0
        int $0x80

Congratulations...!!!

• There are 11 instructions mostly used in every program.
• And you have done all 11 instructions in this Hello World program.
• Congratulations for your first program in Assembly Language

I didn't know that

• But what are these .ascii & movl in the last program ???

Data Type

In .data

.byte = 1 byte

.ascii = string

.asciz = null terminated string

.int = 32 bit integer

.short = 16 bit integer

.float = single precision floating point number

.double = double precision floating point number

Space reserved at compile time

Data Type Contd.

In .bss

.comm = declares common memory area

.lcomm = declares local common memory area

Space created at runtime

Moving Data

Syntax : movx source, destination

movl = moves a 32 bit value     movl %eax, %ebx
movw = moves a 16 bit value     movw %ax, %bx
movb = moves an 8 bit value     movb %ah, %bh

Scenario of Moving Data

1. Between registers

    movl %eax, %ebx

2. Between registers and memory

    location:
        .int 10
    movl %eax, location
    movl location, %ebx

Contd.

3. Directly moving into registers:

    movl $10, %eax

4. Immediate value into a memory location

    location:
        .byte 0
    movb $10, location

NOTE :- We have to choose the appropriate registers carefully according to the memory requirements

Contd.

5. Moving data into an indexed memory location

    IntegerArray:
        .int 10,20,30,40,50

    # Selecting the 3rd integer "30"
    # BaseAddress(Offset, Index, Size) : address = BaseAddress + Offset + Index*Size
    # Here IntegerArray(0, 2, 4) : offset 0, zero-based index 2, 4 bytes per .int
    # GAS needs the index in a register, so put 2 in %edi first
    movl $2, %edi
    movl %eax, IntegerArray(, %edi, 4)

Important things for RE in the next slides, so ..

Conditional Jumps

Take it as JXX - JA, JAE, JE ... JZ, JNZ

NOTE :- Conditional jumps are short and near ... "NOT" far anyway ..
Short jumps are +128 to -128 bytes
Far jumps are jumps pointing to a different section.
Well, near are .....
short > near < far
SO .. ?? The moral of the story is .. the authentication code can be within + or - 128 bytes

Conditional Jumps

SCENARIO

If the key of "Nonreversible software v2.0.1" is 1337
    Then (use the software) - only set FLAG 0
    else (no rights to use it.. Purchase ..!! :O) - FLAG NOT 0 (it sets EFLAGS)

Because at first the flags are not set to 0 until and unless you match that hex code.
We can use xorl to xor the registers and make 0.

Processor Flags

• CF - Carry Flag :- Set on high-order bit carry or borrow; cleared otherwise.
• PF - Parity Flag :- Set if the low-order eight bits of the result contain an even number of "1" bits; cleared otherwise.
• ZF - Zero Flag :- Set if the result is zero; cleared otherwise.
• SF - Sign Flag :- Set equal to the high-order bit of the result (0 if positive, 1 if negative).
• OF - Overflow Flag :- Set if the result is too large or too small to fit in the destination operand.
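Added example (not from the slides): the flags that `cmpl $1337, %eax` leaves in EFLAGS for the key-check scenario above, computed with the definitions just listed, and the JXX instructions that would then be taken. Flag semantics are the processor's; the function and table names are ours.

```python
MASK32 = 0xFFFFFFFF


def cmp_flags(dst: int, src: int) -> dict:
    """Flags after `cmpl $src, %dst`, which computes dst - src and discards it."""
    dst &= MASK32
    src &= MASK32
    result = (dst - src) & MASK32
    # CF: borrow out of the high-order bit, i.e. unsigned dst < src
    cf = dst < src
    # PF: even number of "1" bits in the low-order eight bits of the result
    pf = bin(result & 0xFF).count("1") % 2 == 0
    # ZF: result is zero (the equality case the key check relies on)
    zf = result == 0
    # SF: high-order bit of the result
    sf = bool(result >> 31)
    # OF: signed result does not fit; operands differ in sign and the
    # result's sign differs from dst's sign
    of = ((dst ^ src) & (dst ^ result)) >> 31 == 1
    return {"CF": cf, "PF": pf, "ZF": zf, "SF": sf, "OF": of}


def taken_jumps(flags: dict) -> list:
    """JXX mnemonics whose condition holds for the given flags."""
    cf, zf, sf, of = flags["CF"], flags["ZF"], flags["SF"], flags["OF"]
    conditions = {
        "JE/JZ": zf,
        "JNE/JNZ": not zf,
        "JA": not cf and not zf,      # unsigned above
        "JAE": not cf,                # unsigned above or equal
        "JB": cf,                     # unsigned below
        "JG": not zf and sf == of,    # signed greater
        "JL": sf != of,               # signed less
    }
    return [name for name, taken in conditions.items() if taken]


if __name__ == "__main__":
    for key in (1337, 1336):          # constructed sample values of %eax
        flags = cmp_flags(key, 1337)
        print("eax=%d flags=%s taken=%s" % (key, flags, taken_jumps(flags)))
```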

SCENARIO

If the key of "Nonreversible software v2.0.1" is 1337 and you are so genius that you bypassed that authentication code and used the registered version.

"Congratulations..!! you have registered the software. Thank you for using our software."

This message makes you feel good..

Unconditional Jumps

• JMP
  1> like the goto statement in C programming
  2> Syntax : JMP label/address
  3> Short, near and far supported
• So you can bypass authentication and directly jump on the software code ... Wwwoohhaa..!!!!
• I intentionally left CALL & LOOP instructions as we will study them in Exploit writing

Unconditional jump is like

    Register??
        Yes -> Enjoy the software   (0X08844455)
        No  -> JNZ 0X0884568

    JMP 0X08844455
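Added example (not from the slides): a decoder for the JMP and JXX encodings the two slides above talk about. It reads the raw bytes of one jump, tells whether it is the short (rel8) or near (rel32) form, and computes the target as the address of the next instruction plus the signed displacement, which is what an analyst does when following a JNZ in a disassembly listing. Encodings are the documented x86 ones; the function and table names are ours.

```python
import struct

# Condition codes for opcodes 0x70..0x7F (short) and 0F 80..8F (near), in order
JCC_NAMES = ["JO", "JNO", "JB", "JAE", "JE", "JNE", "JBE", "JA",
             "JS", "JNS", "JP", "JNP", "JL", "JGE", "JLE", "JG"]


def decode_jump(code: bytes, address: int) -> dict:
    """Decode one JMP/JXX located at `address` and return mnemonic, form, target."""
    op = code[0]
    if op == 0xEB:                                   # JMP rel8
        name, form, disp_off, length = "JMP", "short", 1, 2
    elif op == 0xE9:                                 # JMP rel32
        name, form, disp_off, length = "JMP", "near", 1, 5
    elif 0x70 <= op <= 0x7F:                         # JXX rel8
        name, form, disp_off, length = JCC_NAMES[op - 0x70], "short", 1, 2
    elif op == 0x0F and len(code) > 1 and 0x80 <= code[1] <= 0x8F:   # JXX rel32
        name, form, disp_off, length = JCC_NAMES[code[1] - 0x80], "near", 2, 6
    else:
        raise ValueError("not a JMP/JXX encoding: %02x" % op)
    if len(code) < length:
        raise ValueError("truncated instruction")
    # rel8 is a signed byte (-128..+127), rel32 a signed 32-bit little-endian int
    fmt = "<b" if form == "short" else "<i"
    disp = struct.unpack_from(fmt, code, disp_off)[0]
    # the displacement is relative to the instruction *after* the jump
    target = (address + length + disp) & 0xFFFFFFFF
    return {"mnemonic": name, "form": form, "length": length,
            "displacement": disp, "target": target}


if __name__ == "__main__":
    # constructed sample bytes, not taken from any real binary
    for raw, addr in ((b"\x75\x10", 0x08048400),          # jne +0x10
                      (b"\xeb\xfe", 0x1000),              # jmp -2 (jumps to itself)
                      (b"\x0f\x85\x00\x01\x00\x00", 0x1000)):  # jne near +0x100
        d = decode_jump(raw, addr)
        print("%08x: %-3s %-5s -> %08x" % (addr, d["mnemonic"], d["form"], d["target"]))
```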

Road Map

• Security Tube Assembly Language Mega primer for Linux and Windows Assembly Language Mega primer
• Introductory Intel x86 www.opensecuritytraning.info
• http://securityxploded.com/
• http://garage4hackers.com/forumdisplay.php?f=24
• Gray Hat Python Book

ASK ME ANYTHING ... ANYTHING MEANS ANYTHING

You can contact me

Gmail :- rajputravi645@gmail.com
Facebook :- fb.com/rajputravit
LinkedIn :- www.linkedin.com/profile/view?id=328373563