Basic ASM by @binaryheadache
By @binaryheadache for #camsec (www.camsec.org) October Meeting
1. BASIC ASSEMBLY FOR REVERSE ENGINEERING
2. ABOUT ME
email : sven@unlogic.co.uk
web : https://unlogic.co.uk
twatter : @binaryheadache
freenode : unlogic
you can find github and the rest from there
3. ABOUT THIS SESSION
▸ x86 arch
▸ Calling conventions
▸ Basic ops
▸ Identify some constructs
▸ Cats
// If you have questions at any point, ask 'em
4. ABOUT: WHY RE?
▸ interoperability
▸ figure out how stuff works
▸ keygen/cracks
▸ exploit development
▸ proprietary file formats
5. ASSUME: MAKING AN ASS OUT OF U AND ME
‣ You know data types and sizes
‣ 0xDEADBEEF isn't a deceased cow to you
‣ You understand endianness
‣ Intel syntax (destination operand first)
‣ Have programmed before
6. THE BASICS: THE STACK
▸ area of memory given to the program by the OS
▸ LIFO data structure
▸ grows to lower memory addresses: a push moves ESP down, a pop moves it back up
▸ remember ESP: it always points at the top of the stack, i.e. the lowest address in use
▸ keeps track of prior called functions (return addresses and saved frame pointers), holds local vars, and is used to pass args to functions
7. THE BASICS: THE HEAP & THE REST
▸ dynamic memory allocation (malloc/new)
▸ grows towards higher addresses, i.e. towards the stack
8. THE BASICS: REGISTERS
▸ 4 general purpose registers
▸ 6 segment registers
▸ 5 index and pointer registers
(the deck's grouping; Intel counts eight 32-bit general purpose registers, the four on the next slide plus ESI, EDI, EBP and ESP)
9. THE BASICS: REGISTERS, general purpose
EAX : return values (and the accumulator for mul/div)
EBX : base register for memory access
ECX : loop counter (rep and loop instructions count in it)
EDX : data register, used for I/O (and the high 32 bits of mul/div results)
10. THE BASICS: REGISTERS, segment
CS : stores code segment
DS : stores data segment
ES, FS, GS : far addressing (video mem etc) historically; on a modern 32-bit OS they hold thread-specific bases instead, which is why fs:/gs:-prefixed operands are worth noticing: on Windows FS points at the TEB (fs:[0] is the SEH chain, fs:[0x30] the PEB pointer), on Linux GS points at thread-local storage (the stack canary is read from gs:[0x14])
SS : stack segment, usually same as DS
11. THE BASICS: REGISTERS, indexes and pointers
EDI : destination index register. Array ops (rep movs/stos write through it)
ESI : source index register. Array ops (rep movs/lods read through it)
EBP : base pointer, anchors the current stack frame
ESP : stack pointer, top of the stack
EIP : instruction pointer; not a normal operand, it only changes through jmp/jcc/call/ret
12. THE BASICS: 32/16/8 BIT REGISTERS
▸ some registers can be accessed with 8 and 16bit instructions: EAX contains AX (low 16 bits), which contains AH and AL; likewise EBX/ECX/EDX. ESI, EDI, EBP and ESP only have 16-bit forms (SI, DI, BP, SP) in 32-bit mode
▸ most commonly used: al/ax for byte and word loads and stores, e.g. mov al, byte [ecx]
▸ writing a partial register leaves the rest of the full register untouched, so whatever was in the high bytes of eax is still there when eax is used afterwards
13. THE BASICS: 64 BIT
▸ twice as good as 32bit
▸ extended registers become really extended: rax, rip, rcx, rbp, etc, plus eight new ones, r8 to r15
▸ the 32-bit names still work as the low half; writing a 32-bit register zero-extends into the full 64-bit one, writing an 8- or 16-bit part does not
▸ the calling conventions change too: System V (Linux, macOS) passes the first six integer args in rdi, rsi, rdx, rcx, r8, r9; Windows x64 uses rcx, rdx, r8, r9 and reserves 32 bytes of shadow space on the stack; both return in rax
14. THE BASICS: FLAGS
Flags holds a number of one bit flags, but for now:
‣ ZF : zero flag, the result was zero
‣ SF : sign flag, the top bit of the result
‣ CF : carry flag, unsigned overflow or borrow (what ja/jb look at)
‣ OF : overflow flag, signed overflow (what jg/jl look at, together with SF)
15. CALLING CONVENTIONS
16. CALLING CONVENTIONS: CDECL
▸ Arguments are passed on the stack in right-to-left order, so the first argument sits at the lowest address ([esp] at the moment of the call); return values are passed in eax
▸ The calling function cleans the stack: look for add esp, N after the call (or, as in the listing later in the deck, arguments written straight into [esp] slots the prologue reserved once)
17. CALLING CONVENTIONS: STDCALL (AKA WINAPI)
▸ Arguments are passed right-to-left, and return value passed in eax
▸ The called function cleans the stack: it ends in ret N, with N the size of the arguments. That ret N is the quickest way to tell stdcall from cdecl in a disassembly
18. CALLING CONVENTIONS: FASTCALL
▸ The first two (Microsoft and GCC: ecx, then edx) or three (Borland: eax, edx, ecx) 32-bit-or-smaller arguments are passed in registers, the rest on the stack right-to-left; return value in eax
▸ The called function cleans the stack (ret N), as with stdcall
19. CALLING CONVENTIONS: THISCALL (C++)
▸ Only non-static member functions. Also no variadics (MSVC drops variadic member functions back to cdecl)
▸ Pointer to the class object is passed in ecx, the arguments are passed right-to-left on the stack and return value is passed in eax
▸ the called function cleans the stack
▸ that is the MSVC flavour; GCC and Clang on 32-bit pass this as a hidden first stack argument and the caller cleans, i.e. plain cdecl
20. ASM BASICS: OPERAND TYPES
▸ immediates : 0x3f
▸ registers : eax
▸ memory : [0x80542a], [eax]
▸ offset : [eax + 0x4]
▸ sib (scale, index, base) : [eax * 4 + 0x53], [eax * 2 + ecx]; the scale is 1, 2, 4 or 8
21. ASM BASICS: THE OPS YOU NEED TO KNOW (FOR NOW)
▸ mov
▸ add, sub
▸ cmp
▸ test
▸ jcc/jmp
▸ push/pop
▸ bitwise ops (and, xor, or)
22. ASM BASICS: MOV (destination first, source second; never memory to memory)
▸ mov eax, ecx              ; register to register
▸ mov eax, [ecx]            ; load from the address held in ecx
▸ mov dword [ecx], 0x44     ; store an immediate; the size has to be spelled out because neither operand implies it
▸ mov edx, 0x34             ; load an immediate
▸ mov edx, [0x6580fe]       ; load from an absolute address
▸ mov [0x8045fe], eax       ; store to an absolute address
23. ASM BASICS: ADD (sub works the same way)
▸ add eax, 1
▸ add edx, eax
24. ASM BASICS: CMP
▸ cmp eax, ecx
▸ cmp eax, 0x45
computes first minus second, throws the result away and keeps the flags; the jcc that follows is what gives the comparison its meaning
25. ASM BASICS: TEST
▸ test eax, ecx
▸ test edx, 0x12
computes first AND second, throws the result away, sets ZF and SF (CF and OF are cleared); test eax, eax is the idiom for "is eax zero"
26. ASM BASICS: JCC
▸ jz/jnz (je/jne) : ZF set / clear
▸ ja/jae : unsigned above / above-or-equal, decided by CF and ZF
▸ jb/jbe/jnb : unsigned below / below-or-equal / not below (jnb is jae)
▸ jg/jge/jl/jle : the signed family, decided by SF, OF and ZF
▸ which family follows a cmp tells you whether the source treated the value as signed or unsigned
…
27. ASM BASICS: PUSH & POP
▸ push eax      ; esp -= 4, then write eax to [esp]
▸ pop ecx       ; read [esp] into ecx, then esp += 4
▸ push 0x32
28. ASM BASICS: BITWISE
▸ and edx, ecx
▸ and eax, 0x43
▸ xor eax, eax      ; the idiom for eax = 0 (shorter than mov eax, 0, no immediate in the encoding)
▸ or edx, edx       ; sets flags exactly like test edx, edx: a zero check
▸ not al
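An added example, not from the slides: a model of the EFLAGS bits that cmp and test set (ZF, SF, CF, OF) and of the conditions the jcc family evaluates, following the Intel manual's definitions. It shows the point made above about signed versus unsigned jumps: after cmp 0xffffffff, 1 a ja is taken and a jg is not, because the same bit pattern is 4294967295 unsigned and -1 signed. Nothing external is assumed; the register values are constructed inputs.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* The four flag bits the slides care about. */
typedef struct { bool zf, sf, cf, of; } flags_t;

/* cmp a, b: computes a - b, discards the result, keeps the flags. */
static flags_t x86_cmp(uint32_t a, uint32_t b) {
    uint32_t r = a - b;
    flags_t f;
    f.zf = (r == 0);
    f.sf = (r >> 31) & 1;
    f.cf = (a < b);                               /* unsigned borrow */
    /* signed overflow: operands had different signs and the result's sign
       differs from the first operand's */
    f.of = (((a ^ b) & (a ^ r)) >> 31) & 1;
    return f;
}

/* test a, b: computes a & b, discards it; CF and OF are always cleared. */
static flags_t x86_test(uint32_t a, uint32_t b) {
    uint32_t r = a & b;
    flags_t f = { r == 0, (r >> 31) & 1, false, false };
    return f;
}

typedef enum { JZ, JNZ, JA, JAE, JB, JBE, JG, JGE, JL, JLE, JS, JNS } cc_t;

/* Is the conditional jump taken for these flags? Intel manual semantics. */
static bool jcc_taken(cc_t cc, flags_t f) {
    switch (cc) {
    case JZ:  return f.zf;
    case JNZ: return !f.zf;
    case JA:  return !f.cf && !f.zf;             /* unsigned above */
    case JAE: return !f.cf;                      /* unsigned above or equal (jnb, jnc) */
    case JB:  return f.cf;                       /* unsigned below (jc, jnae) */
    case JBE: return f.cf || f.zf;
    case JG:  return !f.zf && (f.sf == f.of);    /* signed greater */
    case JGE: return f.sf == f.of;
    case JL:  return f.sf != f.of;               /* signed less */
    case JLE: return f.zf || (f.sf != f.of);
    case JS:  return f.sf;
    case JNS: return !f.sf;
    }
    return false;
}

/* "cmp a, b ; jcc target" in one call: true if the jump would be taken. */
static bool cmp_then_jcc(uint32_t a, uint32_t b, cc_t cc) {
    return jcc_taken(cc, x86_cmp(a, b));
}

int main(void) {
    uint32_t a = 0xFFFFFFFFu, b = 1;   /* -1 as an int, 4294967295 as an unsigned */
    printf("cmp 0xffffffff, 1:  ja=%d jg=%d  jb=%d jl=%d\n",
           cmp_then_jcc(a, b, JA), cmp_then_jcc(a, b, JG),
           cmp_then_jcc(a, b, JB), cmp_then_jcc(a, b, JL));
    /* the loop exit from the LOOPS slide: cmp i, 0 ; jle out */
    printf("cmp 0, 0 ; jle taken=%d   cmp 1, 0 ; jle taken=%d\n",
           cmp_then_jcc(0, 0, JLE), cmp_then_jcc(1, 0, JLE));
    return 0;
}
```

The INT_MIN case is the one that shows why OF exists: cmp 0x80000000, 1 gives a positive result (0x7fffffff) with SF clear, yet jl is correctly taken because OF is set and SF != OF.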
29. RECOGNISING SOME COMMON CONSTRUCTS
30. COMMON CONSTRUCTS: FUNCTION PROLOGUE AND EPILOGUE
push ebp            ; save the caller's frame pointer
mov ebp, esp        ; this frame starts here: [ebp+4] return address, [ebp+8] first arg, [ebp-4] first local
sub esp, N          ; reserve N bytes of locals
.
.
.
mov esp, ebp        ; drop the locals
pop ebp             ; restore the caller's frame pointer
ret
(leave is the one-instruction form of mov esp, ebp / pop ebp; with -fomit-frame-pointer the push ebp / mov ebp, esp pair is absent and locals are addressed off esp instead)
31. COMMON CONSTRUCTS: ABOUT CALL & RET
▸ both have an implicit stack operation
▸ call pushes the address of the next instruction (the return address) on the stack, then jumps
▸ ret pops it back into eip; ret N also adds N to esp afterwards (the callee-cleans-the-stack conventions)
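An added example, not from the slides: a byte-pattern scanner for the push ebp / mov ebp, esp prologue, the way a disassembler's function finder or a YARA-style rule locates functions in a stripped 32-bit blob, paired with the three epilogue shapes that close such a frame. The sample buffer is constructed by hand from the opcode column of the add()/main() listing later in the deck; the bytes that sit between the two functions in the real binary (the call's rel32 is -0x54) are not included, so the call is not followed. It is a byte walk, not a disassembly: an 83 c4 inside an immediate would fool it, which is exactly the limitation of any pattern-based function finder.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Opcode bytes of add() followed by main(), copied from the listing in the
 * deck (constructed buffer; the gap between the functions is dropped). */
static const uint8_t sample[] = {
    /* add */
    0x55, 0x89, 0xe5, 0x83, 0xec, 0x08, 0x8b, 0x45, 0x0c, 0x8b, 0x4d, 0x08,
    0x89, 0x4d, 0xfc, 0x89, 0x45, 0xf8, 0x8b, 0x45, 0xfc, 0x03, 0x45, 0xf8,
    0x83, 0xc4, 0x08, 0x5d, 0xc3,
    /* main */
    0x55, 0x89, 0xe5, 0x83, 0xec, 0x18,
    0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00,
    0xc7, 0x45, 0xf8, 0x13, 0x00, 0x00, 0x00,
    0xc7, 0x45, 0xf4, 0x17, 0x00, 0x00, 0x00,
    0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00,
    0x8b, 0x45, 0xf8, 0x8b, 0x4d, 0xf4, 0x89, 0x04, 0x24, 0x89, 0x4c, 0x24, 0x04,
    0xe8, 0xac, 0xff, 0xff, 0xff, 0x31, 0xc9, 0x89, 0x45, 0xf0, 0x89, 0xc8,
    0x83, 0xc4, 0x18, 0x5d, 0xc3,
};

typedef struct {
    size_t   start;   /* offset of push ebp */
    size_t   end;     /* offset one past the ret; 0 if no epilogue was seen */
    uint32_t frame;   /* bytes reserved by sub esp, N (0 if there was no sub) */
} func_t;

/* Match "push ebp ; mov ebp, esp [; sub esp, imm8|imm32]" at buf[off].
 * Returns the number of bytes matched, 0 if this is not a prologue. */
static size_t match_prologue(const uint8_t *buf, size_t len, size_t off, uint32_t *frame) {
    if (off + 3 > len || buf[off] != 0x55 || buf[off+1] != 0x89 || buf[off+2] != 0xe5)
        return 0;
    *frame = 0;
    if (off + 6 <= len && buf[off+3] == 0x83 && buf[off+4] == 0xec) {      /* sub esp, imm8 */
        *frame = buf[off+5];
        return 6;
    }
    if (off + 9 <= len && buf[off+3] == 0x81 && buf[off+4] == 0xec) {      /* sub esp, imm32 */
        *frame = (uint32_t)buf[off+5] | (uint32_t)buf[off+6] << 8 |
                 (uint32_t)buf[off+7] << 16 | (uint32_t)buf[off+8] << 24;
        return 9;
    }
    return 3;
}

/* Match an epilogue: add esp, imm8 ; pop ebp ; ret  |  mov esp, ebp ; pop ebp ; ret  |  leave ; ret */
static size_t match_epilogue(const uint8_t *buf, size_t len, size_t off) {
    if (off + 5 <= len && buf[off] == 0x83 && buf[off+1] == 0xc4 &&
        buf[off+3] == 0x5d && buf[off+4] == 0xc3)
        return 5;
    if (off + 4 <= len && ((buf[off] == 0x89 && buf[off+1] == 0xec) ||     /* both encodings of mov esp, ebp */
                           (buf[off] == 0x8b && buf[off+1] == 0xe5)) &&
        buf[off+2] == 0x5d && buf[off+3] == 0xc3)
        return 4;
    if (off + 2 <= len && buf[off] == 0xc9 && buf[off+1] == 0xc3)
        return 2;
    return 0;
}

/* Linear scan: every prologue starts a function, which ends at the next
 * epilogue or at the next prologue if no epilogue shows up first. */
static size_t find_functions(const uint8_t *buf, size_t len, func_t *out, size_t max) {
    size_t n = 0, off = 0;
    while (off < len && n < max) {
        uint32_t frame, ignored;
        size_t plen = match_prologue(buf, len, off, &frame);
        if (!plen) { off++; continue; }
        out[n].start = off; out[n].frame = frame; out[n].end = 0;
        size_t p = off + plen;
        for (; p < len; p++) {
            size_t elen = match_epilogue(buf, len, p);
            if (elen) { out[n].end = p + elen; break; }
            if (match_prologue(buf, len, p, &ignored)) break;
        }
        n++;
        off = out[n-1].end ? out[n-1].end : p;
    }
    return n;
}

/* Accessors over the constructed sample. */
static size_t sample_function_count(void) {
    func_t f[8];
    return find_functions(sample, sizeof sample, f, 8);
}
static func_t sample_function(size_t i) {
    func_t f[8] = {{0, 0, 0}}, none = {0, 0, 0};
    size_t n = find_functions(sample, sizeof sample, f, 8);
    return i < n ? f[i] : none;
}

int main(void) {
    for (size_t i = 0; i < sample_function_count(); i++) {
        func_t f = sample_function(i);
        printf("function at +%zu, frame 0x%x bytes, ends at +%zu\n", f.start, f.frame, f.end);
    }
    return 0;
}
```

Two functions come out: one at offset 0 with an 8-byte frame (add) and one at offset 29 with a 0x18-byte frame (main). The frame size is the first thing worth reading off a prologue, since it bounds how much of a stack buffer overflow is needed to reach the saved ebp and return address.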
32. COMMON CONSTRUCTS: LOOPS
▸ ecx is usually loop counter (at -O0, as in the listing on the next slide, the counter lives in a stack slot instead)
▸ conditional jumps based on loop counter
▸ easier to spot in call graphs
int main() {
    int x = 0;
    int i = 0;
    for (i = 20; i > 0; i--) {
        x += i;
    }
    return 0;
}
33. COMMON CONSTRUCTS: LOOPS
(the loop above at -O0; from the code, local_ch is i and local_8h is x)
0x00001f82 837df400       cmp dword [ebp - local_ch], 0    ; i > 0 ? (jle: a signed compare, i is an int)
0x00001f86 0f8e17000000   jle 0x1fa3 ;[1]                  ; exit when i <= 0
0x00001f8c 8b45f4         mov eax, dword [ebp - local_ch]
0x00001f8f 0345f8         add eax, dword [ebp - local_8h]
0x00001f92 8945f8         mov dword [ebp - local_8h], eax  ; x += i
0x00001f95 8b45f4         mov eax, dword [ebp - local_ch]
0x00001f98 83c0ff         add eax, -1
0x00001f9b 8945f4         mov dword [ebp - local_ch], eax  ; i--
0x00001f9e e9dfffffff     jmp 0x1f82 ;[2]                  ; back to the compare
0x00001fa3 31c0           xor eax, eax                     ; return 0
0x00001fa5 83c40c         add esp, 0xc
0x00001fa8 5d             pop ebp
0x00001fa9 c3             ret
the shape to recognise: compare at the top, a conditional jump out, the body, an unconditional jump back up
34. COMMON CONSTRUCTS: LOOPS (image-only slide)
35. COMMON CONSTRUCTS: SWITCH STATEMENTS
▸ different ways to do it depending on compiler settings and what the cases are
▸ the interesting one to me is the look up table (jump table)
36. COMMON CONSTRUCTS: SWITCH STATEMENTS
ff2485e89704.   jmp dword [eax*4 + 0x80497e8]    ; eax is the case index, the table holds one code address per case
meanwhile, at 0x80497e8:
0x080497e8  e08b 0408 008c 0408 168c 0408 288c 0408  ............(...
0x080497f8  408c 0408 528c 0408 648c 0408 768c 0408  @...R...d...v...
0x08049808  2564 00
(read as little-endian dwords: 0x08048be0, 0x08048c00, 0x08048c16, 0x08048c28, 0x08048c40, 0x08048c52, 0x08048c64, 0x08048c76; the 25 64 00 that follows is the string "%d", so the table is eight entries long. The cmp/ja range check the compiler emits before this jmp is what keeps eax inside the table)
37. COMMON CONSTRUCTS: SWITCH STATEMENTS
#include <stdio.h>

int main(int argc, char **argv) {
    if (argc < 2)            /* added guard: the slide's version dereferences argv[1] unconditionally */
        return 1;
    switch (argv[1][0]) {
    case 'a':
        printf("Selected a\n");
        break;
    case 'b':
        printf("Selected b\n");
        break;
    case 'c':
        printf("Selected c\n");
        break;
    default:
        printf("poop\n");
        break;
    }
    return 0;
}
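An added example, not from the slides: decoding the indexed jmp from two slides back and walking its jump table by hand, which is what you do when a disassembler does not recover the switch for you. The instruction bytes are the slide's ff 24 85 e8 97 04 (the trailing 08 is restored from the disassembled address 0x80497e8) and the table bytes are copied from the slide's dump, including the 25 64 00 of the "%d" string that follows the table. The .text range used to guess where the table ends is an assumption for the example; the real binary's section bounds are not on the slide.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* jmp dword [eax*4 + 0x80497e8] as encoded on the slide. */
static const uint8_t insn[] = { 0xff, 0x24, 0x85, 0xe8, 0x97, 0x04, 0x08 };

/* Bytes at 0x080497e8 from the slide's dump: eight pointers, then "%d\0". */
static const uint8_t table_bytes[] = {
    0xe0,0x8b,0x04,0x08, 0x00,0x8c,0x04,0x08, 0x16,0x8c,0x04,0x08, 0x28,0x8c,0x04,0x08,
    0x40,0x8c,0x04,0x08, 0x52,0x8c,0x04,0x08, 0x64,0x8c,0x04,0x08, 0x76,0x8c,0x04,0x08,
    0x25,0x64,0x00,   /* "%d": unrelated data that happens to follow the table */
};

typedef struct { bool ok; unsigned scale; unsigned index_reg; uint32_t disp; } indirect_jmp_t;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode FF /4 (jmp r/m32) in the shape jmp dword [index*scale + disp32]:
 * ModRM mod=00 reg=100 rm=100 means "SIB follows", and a SIB base field of
 * 101 with mod=00 means "no base register, a disp32 follows". Anything else
 * is reported as not this pattern. */
static indirect_jmp_t decode_table_jmp(const uint8_t *p, size_t len) {
    indirect_jmp_t r = { false, 0, 0, 0 };
    if (len < 7 || p[0] != 0xff) return r;
    uint8_t modrm = p[1], sib = p[2];
    if ((modrm >> 6) != 0 || ((modrm >> 3) & 7) != 4 || (modrm & 7) != 4) return r;
    if ((sib & 7) != 5) return r;
    r.scale     = 1u << (sib >> 6);      /* 0x85: scale bits 10 -> *4 */
    r.index_reg = (sib >> 3) & 7;        /* 000 = eax ... 111 = edi */
    r.disp      = le32(p + 3);
    r.ok        = true;
    return r;
}

/* Entry idx of a table of nentries 32-bit pointers, 0 if out of range. The
 * CPU itself does no such check: the compiler's cmp/ja before the jmp is the
 * only thing stopping an out-of-range index from jumping into the "%d". */
static uint32_t table_target(const uint8_t *tbl, size_t tbl_len, size_t nentries, size_t idx) {
    if (idx >= nentries || (idx + 1) * 4 > tbl_len) return 0;
    return le32(tbl + idx * 4);
}

/* Count leading entries that look like pointers into [lo, hi): a crude way
 * to find where a table ends when no symbol marks it. */
static size_t guess_table_len(const uint8_t *tbl, size_t tbl_len, uint32_t lo, uint32_t hi) {
    size_t n = 0;
    while ((n + 1) * 4 <= tbl_len) {
        uint32_t v = le32(tbl + n * 4);
        if (v < lo || v >= hi) break;
        n++;
    }
    return n;
}

int main(void) {
    indirect_jmp_t j = decode_table_jmp(insn, sizeof insn);
    /* assumed .text range for the example binary */
    size_t n = guess_table_len(table_bytes, sizeof table_bytes, 0x08048000u, 0x08049000u);
    printf("jmp dword [reg%u*%u + 0x%08x]: %zu entries\n", j.index_reg, j.scale, j.disp, n);
    for (size_t i = 0; i < n; i++)
        printf("  index %zu -> 0x%08x\n", i, table_target(table_bytes, sizeof table_bytes, n, i));
    return 0;
}
```

Eight targets from 0x08048be0 to 0x08048c76 come out, one per case block. When reversing, the range check that precedes the jmp (cmp eax, 7 / ja default, or the equivalent) tells you the table length without guessing.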
38. THE STACK
39. THE BASICS: THE STACK
int add(int a, int b) {
    int r;
    r = a + b;
    return r;
}

int main () {
    int x = 19;
    int y = 23;
    int result = 0;
    result = add(x, y);
    return 0;
}

gcc -m32 -O0 -masm-intel -S main.c

;-- add
55              push ebp
89e5            mov ebp, esp
83ec08          sub esp, 8
8b450c          mov eax, dword [ebp + arg_ch]      ; [0xc:4]=2    b
8b4d08          mov ecx, dword [ebp + arg_8h]      ; [0x8:4]=3    a
894dfc          mov dword [ebp - local_4h], ecx
8945f8          mov dword [ebp - local_8h], eax
8b45fc          mov eax, dword [ebp - local_4h]
0345f8          add eax, dword [ebp - local_8h]    ; r = a + b, returned in eax
83c408          add esp, 8
5d              pop ebp
c3              ret
;-- main
55              push ebp
89e5            mov ebp, esp
83ec18          sub esp, 0x18
c745fc000000.   mov dword [ebp - local_4h], 0
c745f8130000.   mov dword [ebp - local_8h], 0x13   ; x = 19
c745f4170000.   mov dword [ebp - local_ch], 0x17   ; y = 23
c745f0000000.   mov dword [ebp - local_10h], 0     ; result = 0
8b45f8          mov eax, dword [ebp - local_8h]
8b4df4          mov ecx, dword [ebp - local_ch]
890424          mov dword [esp], eax               ; first argument at the lowest address
894c2404        mov dword [esp + local_4h_2], ecx  ; second argument at esp+4 (written in place, no push)
e8acffffff      call sym._add
31c9            xor ecx, ecx
8945f0          mov dword [ebp - local_10h], eax   ; result = eax
89c8            mov eax, ecx                       ; return 0
83c418          add esp, 0x18
5d              pop ebp
c3              ret
40. THE STACK IN ACTION
(slides 41 to 51 were diagrams of the stack and registers after each step of main -> add above; the state they showed, corrected against the listing, is as follows. Addresses grow downwards in the pictures: 0x000000 at the top, 0xffffff at the bottom, the stack growing upwards towards lower addresses)
41. push ebp / mov ebp, esp              main's frame set up; [ebp] holds the caller's ebp
42. sub esp, 0x18                        0x18 bytes of locals reserved below ebp
43. mov dword [ebp - 0x4], 0             [ebp-0x4]  = 0
    mov dword [ebp - 0x8], 0x13          [ebp-0x8]  = 0x13  (x)
    mov dword [ebp - 0xc], 0x17          [ebp-0xc]  = 0x17  (y)
    mov dword [ebp - 0x10], 0            [ebp-0x10] = 0     (result)
44. mov eax, dword [ebp - 0x8]           eax = 0x13
    mov ecx, dword [ebp - 0xc]           ecx = 0x17
45. mov dword [esp], eax                 [esp]   = 0x13  first argument, lowest address
    mov dword [esp + 0x4], ecx           [esp+4] = 0x17  second argument
46. call sym._add                        pushes [eip], the return address, on top of the arguments
47. push ebp / mov ebp, esp              add saves main's ebp; from here [ebp+4] = return address, [ebp+8] = 0x13 (a), [ebp+0xc] = 0x17 (b)
48. sub esp, 8                           add's own locals
    mov eax, dword [ebp + 0xc]           eax = 0x17
    mov ecx, dword [ebp + 0x8]           ecx = 0x13
    mov dword [ebp - local_4h], ecx      [ebp-4] = 0x13
    mov dword [ebp - local_8h], eax      [ebp-8] = 0x17
49. mov eax, dword [ebp - local_4h]      eax = 0x13
50. add eax, dword [ebp - local_8h]      eax = 0x13 + 0x17 = 0x2a
    add esp, 8                           drop add's locals
    pop ebp                              main's ebp back
    ret                                  pops the return address into eip; esp is back on the arguments
51. xor ecx, ecx                         ecx = 0
    mov dword [ebp - local_10h], eax     [ebp-0x10] = 0x2a  (result)
    mov eax, ecx                         eax = 0  (return 0)
    add esp, 0x18 / pop ebp / ret        main's frame torn down the same way
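An added example, not from the slides: a small model of the stack and of the implicit work done by push, pop, call and ret, used to replay the main() -> add(19, 23) trace above instruction by instruction and check the values the diagrams claim. Everything about the address space is invented for the model: the stack occupies a single page at STACK_BASE, and RET_AFTER_CALL stands in for the address of the instruction after call sym._add. The ebp offsets, the argument slots and the instruction order are the listing's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_BASE     0xbffff000u      /* invented: one page of stack */
#define STACK_SIZE     0x1000u
#define RET_AFTER_CALL 0x08048110u      /* invented return address for call sym._add */

typedef struct {
    uint32_t eax, ecx, ebp, esp;
    uint32_t add_saw_a, add_saw_b;      /* what add() read from [ebp+8] / [ebp+0xc] */
    uint32_t ret_popped;                /* what add()'s ret popped into eip */
    uint8_t  mem[STACK_SIZE];
} cpu_t;

/* 32-bit little-endian loads and stores inside the modelled stack page. */
static uint32_t rd32(const cpu_t *c, uint32_t va) {
    uint32_t off = va - STACK_BASE;
    if (off > STACK_SIZE - 4) return 0;              /* outside the model */
    const uint8_t *p = c->mem + off;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(cpu_t *c, uint32_t va, uint32_t v) {
    uint32_t off = va - STACK_BASE;
    if (off > STACK_SIZE - 4) return;
    uint8_t *p = c->mem + off;
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
/* push: esp -= 4 then store; pop: load then esp += 4. That order is why the
 * stack grows towards lower addresses. */
static void     push(cpu_t *c, uint32_t v) { c->esp -= 4; wr32(c, c->esp, v); }
static uint32_t pop (cpu_t *c)             { uint32_t v = rd32(c, c->esp); c->esp += 4; return v; }

/* add() from the listing. The arguments are at [ebp+8] and [ebp+0xc] because
 * call pushed the return address and the prologue pushed the old ebp on top
 * of them. */
static void run_add(cpu_t *c) {
    push(c, c->ebp);                    /* push ebp           */
    c->ebp = c->esp;                    /* mov ebp, esp       */
    c->esp -= 8;                        /* sub esp, 8         */
    c->eax = rd32(c, c->ebp + 0xc);     /* mov eax, [ebp+0xc] : b */
    c->ecx = rd32(c, c->ebp + 0x8);     /* mov ecx, [ebp+8]   : a */
    c->add_saw_a = c->ecx; c->add_saw_b = c->eax;
    wr32(c, c->ebp - 4, c->ecx);        /* mov [ebp-4], ecx   */
    wr32(c, c->ebp - 8, c->eax);        /* mov [ebp-8], eax   */
    c->eax  = rd32(c, c->ebp - 4);      /* mov eax, [ebp-4]   */
    c->eax += rd32(c, c->ebp - 8);      /* add eax, [ebp-8]   : r = a + b */
    c->esp += 8;                        /* add esp, 8         */
    c->ebp = pop(c);                    /* pop ebp            */
    c->ret_popped = pop(c);             /* ret: pop eip; the model just returns to the caller */
}

/* main() from the listing; returns eax as main leaves it. */
static uint32_t run_main(cpu_t *c) {
    push(c, c->ebp);                    /* push ebp           */
    c->ebp = c->esp;                    /* mov ebp, esp       */
    c->esp -= 0x18;                     /* sub esp, 0x18      */
    wr32(c, c->ebp - 0x04, 0);          /* mov [ebp-4], 0     */
    wr32(c, c->ebp - 0x08, 0x13);       /* x = 19             */
    wr32(c, c->ebp - 0x0c, 0x17);       /* y = 23             */
    wr32(c, c->ebp - 0x10, 0);          /* result = 0         */
    c->eax = rd32(c, c->ebp - 0x08);    /* mov eax, [ebp-8]   */
    c->ecx = rd32(c, c->ebp - 0x0c);    /* mov ecx, [ebp-0xc] */
    wr32(c, c->esp, c->eax);            /* mov [esp], eax     : first arg, lowest address */
    wr32(c, c->esp + 4, c->ecx);        /* mov [esp+4], ecx   : second arg */
    push(c, RET_AFTER_CALL);            /* call sym._add: push the return address ... */
    run_add(c);                         /* ... and jump to add */
    c->ecx = 0;                         /* xor ecx, ecx       */
    wr32(c, c->ebp - 0x10, c->eax);     /* result = eax       */
    c->eax = c->ecx;                    /* mov eax, ecx       : return 0 */
    c->esp += 0x18;                     /* add esp, 0x18      */
    c->ebp = pop(c);                    /* pop ebp            */
    return c->eax;                      /* ret (main's own caller is not modelled) */
}

typedef struct { uint32_t main_ret, result, a, b, ret_addr, esp_before, esp_after; } replay_t;

/* Fresh CPU with esp at the top of the page, run main, report what happened. */
static replay_t replay(void) {
    static cpu_t c;                     /* static: one 4 KiB buffer reused per call */
    memset(&c, 0, sizeof c);
    c.esp = STACK_BASE + STACK_SIZE;
    replay_t r;
    r.esp_before = c.esp;
    r.main_ret   = run_main(&c);
    r.esp_after  = c.esp;
    r.result = rd32(&c, r.esp_before - 4 - 0x10);   /* main's [ebp-0x10]: stale but still in memory */
    r.a = c.add_saw_a; r.b = c.add_saw_b; r.ret_addr = c.ret_popped;
    return r;
}

int main(void) {
    replay_t r = replay();
    printf("add saw a=0x%x b=0x%x, ret popped 0x%08x, result=0x%x, main returned %u, esp restored: %s\n",
           r.a, r.b, r.ret_addr, r.result, r.main_ret, r.esp_before == r.esp_after ? "yes" : "no");
    return 0;
}
```

Two things the replay makes visible that the pictures only imply: the return address that ret pops is whatever sits at [ebp+4] at that moment, which is why overwriting it from a local buffer redirects execution, and main's locals are still readable below esp after it returns, which is where stale pointers and uninitialised-variable bugs get their values from.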
52. WE'RE