Basic ASM by @binaryheadache

By @binaryheadache for #camsec (www.camsec.org) October Meeting


  1. BASIC ASSEMBLY FOR REVERSE ENGINEERING
  2. ABOUT ME: email: sven@unlogic.co.uk, web: https://unlogic.co.uk, twatter: @binaryheadache, freenode: unlogic. You can find github and the rest from there.
  3. ABOUT THIS SESSION ▸ x86 arch ▸ Calling conventions ▸ Basic ops ▸ Identify some constructs ▸ Cats // If you have questions at any point, ask ‘em
  4. ABOUT: WHY RE? ▸ interoperability ▸ figure out how stuff works ▸ keygen/cracks ▸ exploit development ▸ proprietary file formats
  5. ASSUME: MAKING AN ASS OUT OF U AND ME ‣ You know data types and sizes ‣ 0xDEADBEEF isn’t a deceased cow to you ‣ You understand endianness ‣ Intel syntax ‣ Have programmed before
  6. THE BASICS: THE STACK ▸ area of memory given to the program by the OS ▸ LIFO data structure ▸ grows to lower memory addresses ▸ remember ESP ▸ keeps track of prior called functions, holds local vars, and is used to pass args to functions
  7. THE BASICS: THE HEAP & THE REST ▸ dynamic memory allocation ▸ grows towards the stack
  8. THE BASICS: REGISTERS ▸ 4 general purpose registers ▸ 6 segment registers ▸ 5 index and pointer registers
  9. THE BASICS: REGISTERS, general purpose. EAX: return values. EBX: base register for memory access. ECX: loop counter. EDX: data register, used for I/O.
  10. THE BASICS: REGISTERS, segment. CS: stores code segment. DS: stores data segment. ES, FS, GS: far addressing (video mem etc). SS: stack segment, usually same as DS.
  11. THE BASICS: REGISTERS, indexes and pointers. EDI: destination index register, array ops. ESI: source index register, array ops. EBP: base pointer. ESP: stack pointer. EIP: instruction pointer.
  12. THE BASICS: 32/16/8 BIT REGISTERS. Some registers can be accessed with 8 and 16 bit instructions. Most commonly used
  13. THE BASICS: 64 BIT ▸ twice as good as 32bit ▸ extended registers become really extended: rax, rip, rcx, rbp, etc
  14. THE BASICS: FLAGS. Flags holds a number of one bit flags, but for now: ‣ ZF: zero flag ‣ SF: sign flag
  15. CALLING CONVEN
  16. CALLING CONVENTIONS: CDECL ▸ Arguments are passed on the stack in right-to-left order, return values are passed in eax ▸ The calling function cleans the stack
  17. CALLING CONVENTIONS: STDCALL (AKA WINAPI) ▸ Arguments are passed right-to-left, and the return value is passed in eax ▸ The called function cleans the stack
  18. CALLING CONVENTIONS: FASTCALL ▸ The first 2 or 3 32-bit (or smaller) arguments are passed in registers, with the most commonly used registers being edx, eax, and ecx ▸ The calling function (usually) cleans the stack
  19. CALLING CONVENTIONS: THISCALL (C++) ▸ Only non-static member functions. Also no variadics ▸ Pointer to the class object is passed in ecx, the arguments are passed right-to-left on the stack and the return value is passed in eax ▸ The called function cleans the stack
  20. ASM BASICS: OPERAND TYPES ▸ immediates: 0x3f ▸ registers: eax ▸ memory: [0x80542a], [eax] ▸ offset: [eax + 0x4] ▸ sib: [eax * 4 + 0x53], [eax * 2 + ecx]
  21. ASM BASICS: THE OPS YOU NEED TO KNOW (FOR NOW) ▸ mov ▸ add, sub ▸ cmp ▸ test ▸ jcc/jmp ▸ push/pop ▸ bitwise ops (and, xor, or)
  22. ASM BASICS: MOV ▸ mov eax, ecx ▸ mov eax, [ecx] ▸ mov [ecx], 0x44 ▸ mov edx, 0x34 ▸ mov edx, [0x6580fe] ▸ mov [0x8045fe], eax
  23. ASM BASICS: ADD ▸ add eax, 1 ▸ add edx, eax
  24. ASM BASICS: CMP ▸ cmp eax, ecx ▸ cmp eax, 0x45
  25. ASM BASICS: TEST ▸ test eax, ecx ▸ test edx, 0x12
  26. ASM BASICS: JCC ▸ jz/jnz ▸ ja/jae ▸ jb/jbe/jnb …
  27. ASM BASICS: PUSH & POP ▸ push eax ▸ pop ecx ▸ push 0x32
  28. ASM BASICS: BITWISE ▸ and edx, ecx ▸ and eax, 0x43 ▸ xor eax, eax ▸ or edx, edx ▸ not al
  29. RECOGNISING SOME COMMON
  30. COMMON CONSTRUCTS: FUNCTION PROLOGUE AND EPILOGUE
      push ebp
      mov ebp, esp
      sub esp, N
      . . .
      mov esp, ebp
      pop ebp
      ret
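To make the cmp/test/jcc trio concrete, here is an added example (not from the slides) that computes the ZF, SF, CF and OF bits a 32-bit cmp or test leaves behind and evaluates the usual jcc conditions against them; it also covers the signed jumps (jl/jle/jg/jge) the loop slides below rely on. The function names are my own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Added example: flag bits after cmp / test on 32-bit x86, and how the
 * jcc family reads them. Only the four flags that matter here are modelled. */
typedef struct { bool zf, sf, cf, of; } flags_t;

/* cmp a, b computes a - b, throws the result away and keeps the flags. */
static flags_t x86_cmp(uint32_t a, uint32_t b) {
    uint32_t r = a - b;
    flags_t f;
    f.zf = (r == 0);
    f.sf = (r >> 31) & 1;                       /* sign of the difference  */
    f.cf = (a < b);                             /* unsigned borrow         */
    f.of = (((a ^ b) & (a ^ r)) >> 31) & 1;     /* signed overflow         */
    return f;
}

/* test a, b computes a & b; CF and OF are always cleared by test. */
static flags_t x86_test(uint32_t a, uint32_t b) {
    uint32_t r = a & b;
    flags_t f = { r == 0, (r >> 31) & 1, false, false };
    return f;
}

/* Would the named conditional jump be taken with these flags? */
static bool jcc_taken(const char *cc, flags_t f) {
    if (!strcmp(cc, "jz")  || !strcmp(cc, "je"))  return f.zf;
    if (!strcmp(cc, "jnz") || !strcmp(cc, "jne")) return !f.zf;
    if (!strcmp(cc, "jb"))                        return f.cf;            /* unsigned <  */
    if (!strcmp(cc, "jae") || !strcmp(cc, "jnb")) return !f.cf;           /* unsigned >= */
    if (!strcmp(cc, "jbe"))                       return f.cf || f.zf;    /* unsigned <= */
    if (!strcmp(cc, "ja"))                        return !f.cf && !f.zf;  /* unsigned >  */
    if (!strcmp(cc, "jl"))                        return f.sf != f.of;    /* signed <    */
    if (!strcmp(cc, "jle"))                       return f.zf || (f.sf != f.of);
    if (!strcmp(cc, "jg"))                        return !f.zf && (f.sf == f.of);
    if (!strcmp(cc, "jge"))                       return f.sf == f.of;    /* signed >=   */
    return false;   /* unknown mnemonic: treat as not taken */
}
```

The same compare reads differently to signed and unsigned jumps: with eax = -1 (0xffffffff), `cmp eax, 0` makes both `jle` and `ja` fire, which is why the signedness of the jump tells you the signedness of the C variable.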
  31. COMMON CONSTRUCTS: ABOUT CALL & RET ▸ both have an implicit op ▸ call will push eip on the stack ▸ ret will pop it
  32. COMMON CONSTRUCTS: LOOPS ▸ ecx is usually the loop counter ▸ conditional jumps based on the loop counter ▸ easier to spot in call graphs
      int main() {
          int x = 0;
          int i = 0;
          for (i = 20; i > 0; i--) {
              x += i;
          }
          return 0;
      }
  33. COMMON CONSTRUCTS: LOOPS
      0x00001f82  837df400      cmp dword [ebp - local_ch], 0
      0x00001f86  0f8e17000000  jle 0x1fa3 ;[1]
      0x00001f8c  8b45f4        mov eax, dword [ebp - local_ch]
      0x00001f8f  0345f8        add eax, dword [ebp - local_8h]
      0x00001f92  8945f8        mov dword [ebp - local_8h], eax
      0x00001f95  8b45f4        mov eax, dword [ebp - local_ch]
      0x00001f98  83c0ff        add eax, -1
      0x00001f9b  8945f4        mov dword [ebp - local_ch], eax
      0x00001f9e  e9dfffffff    jmp 0x1f82 ;[2]
      0x00001fa3  31c0          xor eax, eax
      0x00001fa5  83c40c        add esp, 0xc
      0x00001fa8  5d            pop ebp
      0x00001fa9  c3            ret
  34. COMMON CONSTRUCTS: LOOPS
  35. COMMON CONSTRUCTS: SWITCH STATEMENTS ▸ different ways to do it depending on compiler settings and what the cases are ▸ the interesting one to me is the lookup table
  36. COMMON CONSTRUCTS: SWITCH STATEMENTS
      ff2485e89704.  jmp dword [eax*4 + 0x80497e8]
      meanwhile, at 0x80497e8:
      0x080497e8  e08b 0408 008c 0408 168c 0408 288c 0408  ............(...
      0x080497f8  408c 0408 528c 0408 648c 0408 768c 0408  @...R...d...v...
      0x08049808  2564 00
  37. COMMON CONSTRUCTS: SWITCH STATEMENTS
      #include <stdio.h>
      int main(int argc, char **argv) {
          if (argc < 2)            /* guard added: argv[1] is NULL without an argument */
              return 1;
          switch (argv[1][0]) {
          case 'a': printf("Selected a\n"); break;
          case 'b': printf("Selected b\n"); break;
          case 'c': printf("Selected c\n"); break;
          default:  printf("poop\n");       break;
          }
          return 0;
      }
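The lookup-table form of that switch, written out by hand as an added example (not the slides' own code): one function pointer per case, an index made relative to the lowest case, and the unsigned bounds check that routes everything outside 'a'..'c' to default before the indirect jump. The function and table names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example: what "jmp dword [eax*4 + table]" is doing, in C.
 * The compiler's version subtracts the lowest case value, bounds-checks
 * the result with an unsigned compare, then jumps through the table. */
typedef const char *(*case_fn)(void);

static const char *case_a(void)       { return "Selected a"; }
static const char *case_b(void)       { return "Selected b"; }
static const char *case_c(void)       { return "Selected c"; }
static const char *case_default(void) { return "poop"; }

/* One slot per value between the lowest and highest case ('a'..'c'). */
static const case_fn jump_table[] = { case_a, case_b, case_c };
#define TABLE_LEN (sizeof jump_table / sizeof jump_table[0])

const char *dispatch(unsigned char ch) {
    unsigned idx = (unsigned)ch - 'a';   /* sub eax, 'a' */
    /* cmp eax, 2 ; ja default. Because the compare is unsigned, values
     * below 'a' (which wrapped to a huge index) and values above 'c' both
     * land in default, so the indirect jump can never leave the table. */
    if (idx >= TABLE_LEN)
        return case_default();
    return jump_table[idx]();            /* jmp dword [eax*4 + table] */
}

int main(int argc, char **argv) {
    if (argc < 2) { fputs("usage: prog <letter>\n", stderr); return 1; }
    printf("%s\n", dispatch((unsigned char)argv[1][0]));
    return 0;
}
```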
  38. THE
  39. THE BASICS: THE STACK
      int add(int a, int b) {
          int r;
          r = a + b;
          return r;
      }
      int main() {
          int x = 19;
          int y = 23;
          int result = 0;
          result = add(x, y);
          return 0;
      }
      ;-- add
      55              push ebp
      89e5            mov ebp, esp
      83ec08          sub esp, 8
      8b450c          mov eax, dword [ebp + arg_ch] ; [0xc:4]=2
      8b4d08          mov ecx, dword [ebp + arg_8h] ; [0x8:4]=3
      894dfc          mov dword [ebp - local_4h], ecx
      8945f8          mov dword [ebp - local_8h], eax
      8b45fc          mov eax, dword [ebp - local_4h]
      0345f8          add eax, dword [ebp - local_8h]
      83c408          add esp, 8
      5d              pop ebp
      c3              ret
      ;-- main
      55              push ebp
      89e5            mov ebp, esp
      83ec18          sub esp, 0x18
      c745fc000000.   mov dword [ebp - local_4h], 0
      c745f8130000.   mov dword [ebp - local_8h], 0x13
      c745f4170000.   mov dword [ebp - local_ch], 0x17
      c745f0000000.   mov dword [ebp - local_10h], 0
      8b45f8          mov eax, dword [ebp - local_8h]
      8b4df4          mov ecx, dword [ebp - local_ch]
      890424          mov dword [esp], eax
      894c2404        mov dword [esp + local_4h_2], ecx
      e8acffffff      call sym._add
      31c9            xor ecx, ecx
      8945f0          mov dword [ebp - local_10h], eax
      89c8            mov eax, ecx
      83c418          add esp, 0x18
      5d              pop ebp
      c3              ret
      gcc -m32 -O0 -masm-intel -S main.c
  40. THE STACK IN ACTION
  41. THE BASICS: THE STACK (diagram slides: main calling add, step by step; the stack grows from 0xffffff towards 0x000000, EBP and ESP mark the current frame)
      push ebp ; mov ebp, esp
  42. THE BASICS: THE STACK
      sub esp, 0x18
  43. THE BASICS: THE STACK
      mov dword [ebp - 0x4], 0
      mov dword [ebp - 0x8], 0x13
      mov dword [ebp - 0xc], 0x17
      mov dword [ebp - 0x10], 0
      stack: [ebp - 0x4] = 0, [ebp - 0x8] = 0x13, [ebp - 0xc] = 0x17, [ebp - 0x10] = 0
  44. THE BASICS: THE STACK
      mov eax, dword [ebp - 0x8] ; mov ecx, dword [ebp - 0xc]
      registers: EAX = 0x13, ECX = 0x17
  45. THE BASICS: THE STACK
      mov dword [esp], eax ; mov dword [esp + 0x4], ecx ; call sym._add
      stack: 0x13 at [esp], 0x17 at [esp + 0x4] (the arguments to add)
  46. THE BASICS: THE STACK
      call pushes the return address ([eip]) on top of the arguments
  47. THE BASICS: THE STACK
      push ebp ; mov ebp, esp
      stack: saved ebp pushed below the return address; EBP now points at it
  48. THE BASICS: THE STACK
      sub esp, 8
      mov eax, dword [ebp + 0xc]
      mov ecx, dword [ebp + 0x8]
      mov dword [ebp - local_4h], ecx
      mov dword [ebp - local_8h], eax
  49. THE BASICS: THE STACK
      mov eax, dword [ebp - local_4h]
  50. THE BASICS: THE STACK
      add eax, dword [ebp - local_8h] ; add esp, 8 ; pop ebp ; ret
      registers: EAX = 0x2a
  51. THE BASICS: THE STACK
      xor ecx, ecx ; mov dword [ebp - local_10h], eax ; mov eax, ecx ; add esp, 0x18 ; pop ebp ; ret
      stack: [ebp - 0x10] = 0x2a (result); registers: EAX = 0, ECX = 0
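The walkthrough above replayed as a small C model, added here as an example and not part of the slides: memory is a 256-byte array, the stack grows downwards from its top, and every instruction from the add/main listing is mirrored one line at a time so the frame layout (arguments above the return address, saved ebp, then locals) can be inspected. The memory size, the register globals and the 0xdeadbeef return address are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Added example: replay main() calling add(19, 23) on a toy 32-bit stack.
 * Addresses are byte offsets into mem[]; the stack starts at MEM_SIZE. */
#define MEM_SIZE 0x100u
static uint8_t  mem[MEM_SIZE];
static uint32_t esp, ebp, eax, ecx;
static int      stack_balanced;   /* set by run_main(): did esp come back? */

static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, mem + a, 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(mem + a, &v, 4); }
static void     push(uint32_t v) { esp -= 4; wr32(esp, v); }
static uint32_t pop(void)        { uint32_t v = rd32(esp); esp += 4; return v; }

/* sym._add: prologue, copy the args into locals, sum them, epilogue, ret */
static void run_add(void) {
    push(ebp); ebp = esp;               /* push ebp ; mov ebp, esp            */
    esp -= 8;                           /* sub esp, 8                         */
    eax = rd32(ebp + 0xc);              /* mov eax, [ebp + 0xc]   (arg b)     */
    ecx = rd32(ebp + 0x8);              /* mov ecx, [ebp + 0x8]   (arg a)     */
    wr32(ebp - 4, ecx);                 /* mov [ebp - 4], ecx                 */
    wr32(ebp - 8, eax);                 /* mov [ebp - 8], eax                 */
    eax = rd32(ebp - 4);                /* mov eax, [ebp - 4]                 */
    eax += rd32(ebp - 8);               /* add eax, [ebp - 8]                 */
    esp += 8; ebp = pop();              /* add esp, 8 ; pop ebp               */
    (void)pop();                        /* ret: pops the return address       */
}

/* main: frame, locals, args at [esp], call, store result; returns result */
uint32_t run_main(void) {
    uint32_t esp_on_entry = esp = MEM_SIZE;
    push(ebp); ebp = esp;               /* push ebp ; mov ebp, esp            */
    esp -= 0x18;                        /* sub esp, 0x18                      */
    wr32(ebp - 0x4, 0);    wr32(ebp - 0x8, 0x13);   /* x = 19              */
    wr32(ebp - 0xc, 0x17); wr32(ebp - 0x10, 0);     /* y = 23, result = 0  */
    eax = rd32(ebp - 0x8); ecx = rd32(ebp - 0xc);
    wr32(esp, eax); wr32(esp + 4, ecx); /* args: [esp] = x, [esp + 4] = y     */
    push(0xdeadbeef);                   /* call: pushes the return address    */
    run_add();                          /*       (constructed placeholder)    */
    ecx = 0;                            /* xor ecx, ecx                       */
    wr32(ebp - 0x10, eax);              /* mov [ebp - 0x10], eax              */
    uint32_t result = rd32(ebp - 0x10);
    eax = ecx;                          /* mov eax, ecx                       */
    esp += 0x18; ebp = pop();           /* add esp, 0x18 ; pop ebp            */
    stack_balanced = (esp == esp_on_entry);
    return result;
}
```

Because add copies its arguments and leaves them for the caller to discard, this is cdecl as the slides describe it: esp is back where it started once main's own epilogue runs.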
  52. WE’RE
