By @binaryheadache for #camsec (www.camsec.org) October Meeting

1. BASIC
ASSEMBLY
FOR REVERSE ENGINEERING

2. ABOUT
ME
email : sven@unlogic.co.uk
web: https://unlogic.co.uk
twatter : @binaryheadache
freenode : unlogic
you can find github and the rest from there

3. ABOUT
THIS SESSION
▸x86 arch
▸Calling conventions
▸Basic ops
▸Identify some constructs
▸Cats
// If you have questions at any point, ask ‘em

4. ABOUT
WHY RE?
▸interoperability
▸figure out how stuff works
▸keygen/cracks
▸exploit development
▸propriety fileformats

5. ASSUME
MAKING AN ASS OUT OF U AND ME
‣ You know data types and sizes
‣ 0xDEADBEEF isn’t a deceased cow to you
‣ You understand endianness
‣ Intel syntax
‣ Have programmed before

6. THE BASICS
THE STACK
▸area of memory given to the program by the OS
▸LIFO data structure
▸Grows to lower memory addresses
▸Remember ESP
▸keeps track of prior called functions, holds local vars, and
used to pass args to functions

7. THE BASICS
THE HEAP & THE REST
▸Dynamic memory allocation
▸grows towards the stack

8. THE BASICS
REGISTERS
▸4 general purpose registers
▸6 segment registers
▸5 index and pointer registers

9. THE BASICS
REGISTERS
general purpose
EAX : return values
EBX : base register for memory access
ECX : loop counter
EDX : data register user for I/O

10. THE BASICS
REGISTERS
segment
CS : stores code segment
DS : stores data segment
ES, FS, GS : far addressing (video mem etc)
SS : Stack segment - usually same as ds

11. THE BASICS
REGISTERS
indexes and pointers
EDI : destination index register. Array ops
ESI : source index register. Array ops
EBP : base pointer
ESP : stack pointer
EIP : instruction pointer

12. THE BASICS
32/16/8 BIT REGISTERS
some registers can be accessed with 8 and 16bit instructions.
Most commonly used

13. THE BASICS
64 BIT
▸twice as good as 32bit
▸extended registers become really extended
rax, rip, rcx, rbp, etc

14. THE BASICS
FLAGS
Flags holds a number of one bit flags, but for now:
‣ ZF : zero flag
‣ SF : sign flag

15. CALLING
CONVEN

16. CALLING CONVENTIONS
CDECL
▸Arguments are passed on the stack in Right-to-Left order,
return values are passed in eax
▸The calling function cleans the stack

17. CALLING CONVENTIONS
STDCALL (AKA WINAPI)
▸Arguments are passed right-to-left, and return value passed
in eax
▸The called function cleans the stack

18. CALLING CONVENTIONS
FASTCALL
▸The first 2 or 3 32-bit (or smaller) arguments are passed in
registers, with the most commonly used registers being edx,
eax, and ecx
▸The calling function (usually) cleans the stack

19. CALLING CONVENTIONS
THISCALL (C++)
▸Only non-static member functions. Also no variadics
▸Pointer to the class object is passed in ecx, the arguments
are passed right-to-left on the stack and return value is
passed in eax
▸the called function cleans the stack

21. ASM BASICS
OPERAND TYPES
▸immediates : 0x3f
▸registers : eax
▸memory : [0x80542a], [eax]
▸offset : [eax + 0x4]
▸sib : [eax * 4 + 0x53], [eax * 2 + ecx]

22. ASM BASICS
THE OPS YOU NEED TO KNOW (FOR
NOW)
▸mov
▸add, sub
▸cmp
▸test
▸jcc/jmp
▸push/pop
▸bitwise ops (and, xor, or)

23. ASM BASICS
MOV
▸mov eax, ecx
▸mov eax, [ecx]
▸mov [ecx], 0x44
▸mov edx, 0x34
▸mov edx, [0x6580fe]
▸mov [0x8045fe], eax

24. ASM BASICS
ADD
▸add eax, 1
▸add edx, eax

25. ASM BASICS
CMP
▸cmp eax, ecx
▸cmp eax, 0x45

26. ASM BASICS
TEST
▸test eax, ecx
▸test edx, 0x12

27. ASM BASICS
JCC
▸jz/jnz
▸ja/jae
▸jb/jbe/bjnb
…

28. ASM BASICS
PUSH & POP
▸push eax
▸pop ecx
▸push 0x32

29. ASM BASICS
BITWISE
▸and edx, ecx
▸and eax, 0x43
▸xor eax, eax
▸or edx, edx
▸not al

30. RECOGNISING
SOME
COMMON

31. COMMON CONSTRUCTS
FUNCTION PROLOGUE AND EPILOGUE
push ebp
mov ebp, esp
sub esp, N
.
.
.
mov esp, ebp
pop ebp
ret

32. COMMON CONSTRUCTS
ABOUT CALL & RET
▸have have an implicit op
▸call will push eip on the stack
▸ret will pop it

33. COMMON CONSTRUCTS
LOOPS
▸ecx is usually loop counter
▸conditional jumps based on loop counter
▸easier to spot in call graphs
int main() {
int x = 0;
int i = 0;
for (i = 20; i > 0; i--) {
x += i;
}
return 0;
}

34. COMMON CONSTRUCTS
LOOPS
0x00001f82 837df400 cmp dword [ebp - local_ch], 0
0x00001f86 0f8e17000000 jle 0x1fa3 ;[1]
0x00001f8c 8b45f4 mov eax, dword [ebp - local_ch]
0x00001f8f 0345f8 add eax, dword [ebp - local_8h]
0x00001f92 8945f8 mov dword [ebp - local_8h], eax
0x00001f95 8b45f4 mov eax, dword [ebp - local_ch]
0x00001f98 83c0ff add eax, -1
0x00001f9b 8945f4 mov dword [ebp - local_ch], eax
0x00001f9e e9dfffffff jmp 0x1f82 ;[2]
0x00001fa3 31c0 xor eax, eax
0x00001fa5 83c40c add esp, 0xc
0x00001fa8 5d pop ebp
0x00001fa9 c3 ret

35. COMMON CONSTRUCTS
LOOPS

36. SWITCH STATEMENTS
▸different ways to do it depending on compiler settings and
what the cases are
▸the interesting one to me is the look up table
COMMON CONSTRUCTS

37. SWITCH STATEMENTS
COMMON CONSTRUCTS
ff2485e89704. jmp dword [eax*4 + 0x80497e8]
0x080497e8 e08b 0408 008c 0408 168c 0408 288c 0408 ............(...
0x080497f8 408c 0408 528c 0408 648c 0408 768c 0408 @...R...d...v...
0x08049808 2564 00
meanwhile, at 0x80497e8

38. #include <stdio.h>
int main(int argc, char **argv) {
switch (argv[1][0]) {
case 'a':
printf("Selected an");
break;
case 'b':
printf("Selected bn");
break;
case 'c':
printf("Selected cn");
break;
default:
printf("poopn");
break;
}
return 0;
}
COMMON CONSTRUCTS
SWITCH STATEMENTS

40. THE

41. THE BASICS
THE STACK
int add(int a, int b) {
int r;
r = a + b;
return r;
}
int main () {
int x = 19;
int y = 23;
int result = 0;
result = add(x, y);
return 0;
}
;— add
55 push ebp
89e5 mov ebp, esp
83ec08 sub esp, 8
8b450c mov eax, dword [ebp + arg_ch] ; [0xc:4]=2
8b4d08 mov ecx, dword [ebp + arg_8h] ; [0x8:4]=3
894dfc mov dword [ebp - local_4h], ecx
8945f8 mov dword [ebp - local_8h], eax
8b45fc mov eax, dword [ebp - local_4h]
0345f8 add eax, dword [ebp - local_8h]
83c408 add esp, 8
5d pop ebp
c3 ret
;— main
55 push ebp
89e5 mov ebp, esp
83ec18 sub esp, 0x18
c745fc000000. mov dword [ebp - local_4h], 0
c745f8130000. mov dword [ebp - local_8h], 0x13
c745f4170000. mov dword [ebp - local_ch], 0x17
c745f0000000. mov dword [ebp - local_10h], 0
8b45f8 mov eax, dword [ebp - local_8h]
8b4df4 mov ecx, dword [ebp - local_ch]
890424 mov dword [esp], eax
894c2404 mov dword [esp + local_4h_2], ecx
e8acffffff call sym._add
31c9 xor ecx, ecx
8945f0 mov dword [ebp - local_10h], eax
89c8 mov eax, ecx
83c418 add esp, 0x18
5d pop ebp
c3 ret
gcc -m32 -O0 -masm-intel -S main.c

42. THE STACK
IN ACTION

43. THE BASICS
THE STACK
EBP
0x000000
0xffffff
stack growth
EBP
ESP
push ebp
mov ebp, espEAX
EBX
ECX
EDX

44. THE BASICS
THE STACK 0x000000
0xffffff
stack growth
sub esp, 0x18
EAX
EBX
ECX
EDX
EBP
ESP

45. THE BASICS
THE STACK
0
0x13
0x17
0
0x000000
0xffffff
stack growth
mov dword [ebp - 0x4], 0
mov dword [ebp - 0x8], 0x13
mov dword [ebp - 0xc], 0x17
mov dword [ebp - 0x10], 0
-0x4
-0x8
-0xc
-0x10
EAX
EBX
ECX
EDX
EBP
ESP

46. THE BASICS
THE STACK
0
0x13
0x17
0
0x000000
0xffffff
stack growth
EAX
mov eax, dword [ebp - 0x8]
mov ecx, dword [ebp - 0xc]
0X13
EBX
ECX
0X17
EDX
-0x4
-0x8
-0xc
-0x10
EBP
ESP

47. THE BASICS
THE STACK
0
0x13
0x17
0
0x17
0x13
0x000000
0xffffff
stack growth
EAX
EBP
ESP
mov dword [esp], eax
mov dword [esp + 0x4], ecx
call sym._add
0X13
EBX
ECX
0X17
EDX
-0x4
-0x8
-0xc
-0x10

48. THE BASICS
THE STACK
0
0x13
0x17
0
0x17
0x13
[eip]
0x000000
0xffffff
stack growth
EAX
EBP
ESP
mov dword [esp], eax
mov dword [esp + 0x4], ecx
call sym._add
0X13
EBX
ECX
0X17
EDX
-0x4
-0x8
-0xc
-0x10

49. THE BASICS
THE STACK
0
0x13
0x17
0
0x17
0x13
[eip]
ebp
0x000000
0xffffff
stack growth
EAX
EBP
ESP
push ebp
mov ebp, esp
0X13
EBX
ECX
0X17
EDX
-0x4
-0x8
-0xc
-0x10

50. THE BASICS
THE STACK
[eip]
ebp
0x17
0x13
0x000000
0xffffff
stack growth
EAX
EBP
ESP
sub esp, 8
mov eax, dword [ebp + 0xc]
mov ecx, dword [ebp + 0x8]
mov dword [ebp - local_4h], ecx
mov dword [ebp - local_8h], eax
0X13
EBX
ECX
0X17
EDX

51. THE BASICS
THE STACK
[eip]
ebp
0x17
0x13
0x000000
0xffffff
stack growth
EAX
EBP
ESP
mov eax, dword [ebp - local_4h]
0X17
EBX
ECX
0X17
EDX

52. THE BASICS
THE STACK
[eip]
ebp
0x17
0x13
0x000000
0xffffff
stack growth
EAX
EBP
ESP
add eax, dword [ebp - local_8h]
add esp, 8
pop ebp
ret0X2A
EBX
ECX
0X17
EDX

53. THE BASICS
THE STACK
0
0x13
0x17
0x2a
0x17
0x13
[eip]
0x000000
0xffffff
stack growth
EAX
EBP
ESP
xor ecx, ecx
mov dword [ebp - local_10h], eax
mov eax, ecx
add esp, 0x18
pop ebp
ret
0X0
EBX
ECX
0X0
EDX
-0x4
-0x8
-0xc
-0x10

54. WE’RE