The document discusses an introduction to x86-32 assembly language and reversing techniques. It covers common x86 registers, instructions, stack operations, and calling conventions. The presentation is part of a reversing and malware analysis training program delivered by SecurityXploded members Amit Malik and Swapnil Pathak, who are security researchers at McAfee Labs. It provides contact information and outlines the topics that will be discussed, including x86 architecture, assembly language, demonstrations, and a Q&A section.
2. Disclaimer
The Content, Demonstration, Source Code and Programs presented here are "AS IS" without any warranty or conditions of any kind. Also, the views/ideas/knowledge expressed here are solely the trainer's and have nothing to do with the company or the organization in which the trainer is currently working.
However, in no circumstances is the trainer or SecurityXploded responsible for any damage or loss caused due to use or misuse of the information presented here.
www.SecurityXploded.com
3. Acknowledgement
Special thanks to the null & Garage4Hackers community for their extended support and cooperation.
Thanks to all the Trainers who have devoted their precious time and countless hours to make it happen.
4. Reversing & Malware Analysis Training
This presentation is part of our Reverse Engineering & Malware Analysis Training program. Currently it is delivered only during our local meet for FREE of cost.
For complete details of this course, visit our Security Training page.
5. Who am I #1
Amit Malik (sometimes DouBle_Zer0,DZZ)
Member SecurityXploded
Security Researcher @ McAfee Labs
RE, Exploit Analysis/Development, Malware Analysis
Email: m.amit30@gmail.com
6. Who am I #2
Swapnil Pathak
Member SecurityXploded
Security Researcher @ McAfee Labs
RE, Malware Analysis, Network Security
Email: swapnilpathak101@gmail.com
7. Course Q&A
Keep yourself up to date with latest security news
http://www.securityphresh.com
For Q&A, join our mailing list.
http://groups.google.com/group/securityxploded
9. x86-32
32-bit instruction set architecture based on the Intel 8086 CPU
Addresses a linear address space of up to 4GB
8 32-bit General Purpose Registers (GPR)
6 16-bit Segment Registers
EFLAGS and EIP register
Control Registers (CR0-CR4) (16 bits)
Memory Management Registers: Descriptor Table Registers (GDTR, IDTR, LDTR)
Debug Registers (DR0-DR7)
10. Registers Usage - RE
Registers are storage locations with much faster access compared to memory locations.
EAX: Accumulator, mostly stores return values from functions (APIs)
EBX: Base index (for use with arrays)
ECX: Counter
EDX: Data/general
ESI: Source index for string operations.
11. Registers Usage – RE Cont.
EDI: Destination index for string operations.
ESP: Stack pointer, holds the top address of the stack.
EBP: Stack base pointer, holds the address of the current stack frame.
EIP: Instruction pointer. Holds the program counter, the next instruction address.
Segment registers:
Used to address particular segments of memory (code, data, stack)
I) CS: Code II) SS: Stack III) ES: Extra IV) DS: Data V) FS, GS
13. (R/E)Flags Register
Bit field of states
Status Flags
Carry (CF): set when an arithmetic carry/borrow has been generated out of the MSB.
Zero (ZF): set when an arithmetic operation result is zero and reset otherwise.
Sign (SF): set when an arithmetic operation set the MSB, i.e. the result value was negative.
Trap (TF): when set, permits operation of the processor in single-step mode. Mostly used by debuggers.
Interrupt (IF): determines whether the CPU should handle maskable hardware interrupts.
Direction (DF): determines the direction (left-to-right or right-to-left) of string processing.
Overflow (OF): indicates arithmetic overflow.
14. Assembly Language
Low level programming language
Symbolic representation of machine codes and constants.
An assembly language program consists of a sequence of processor instructions and meta statements.
The assembler translates them to executable instructions that are loaded into memory and executed.
Basic Structure
[label]: opcode operand1, operand2
opcode – mnemonic that symbolizes an instruction
Example:
MOV AL, 61h => 1011000001100001
15. Instructions
ADD dst, src
- Adds the values of src and dst and stores the result in dst.
- For example ADD EAX, 1
SUB dst, src
- Subtracts the src value from dst and stores the result in dst.
- For example SUB EAX, 1
CMP dst, src
- Subtracts the src value from dst but does not store the result in dst
- Mostly used to set/reset decision-making bits in the EFLAGS register such as ZF
- For example CMP EAX, EBX
16. Instructions cont.
MOV dst, src
- Moves data from src (right operand) to dst (left operand)
- For example mov EDI, ESI
Note:
- Both operands cannot be memory locations.
- Both operands must be of the same size
LEA dst, src
- Stands for Load Effective Address.
- Computes the effective address of the src operand and stores it in the dst operand.
- For example LEA ECX, [EBX + 5]
Note:
- Generally brackets denote the value at a memory location.
- In the case of LEA it only does the address arithmetic and stores the result in dst
17. Instructions cont.
XOR dst, src
- Performs a bitwise exclusive OR operation on dst and src and stores the result in dst.
- Each bit of the result is 1 if the corresponding bits of the operands are different, 0 if the corresponding bits are the same
Note:
- When used with the same register, clears the contents of the register
- Optimized way to clear the register. Better than MOV EAX, 0
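An added example, not code from the deck: hand-encoding the slides' own instructions in Python to show where "MOV AL, 61h => 1011000001100001" (slide 14) comes from and why XOR EAX, EAX (2 bytes) is shorter than MOV EAX, 0 (5 bytes). It also covers the register-to-register and imm8 forms of ADD, SUB, CMP and MOV from slides 15 and 16; the register numbers and opcodes are the standard Intel encodings, everything else is constructed for illustration.

```python
# Added example (not from the SecurityXploded deck): a tiny encoder for the
# instruction forms the slides use. Register numbers follow the Intel SDM.
REG32 = {"EAX": 0, "ECX": 1, "EDX": 2, "EBX": 3, "ESP": 4, "EBP": 5, "ESI": 6, "EDI": 7}
REG8 = {"AL": 0, "CL": 1, "DL": 2, "BL": 3, "AH": 4, "CH": 5, "DH": 6, "BH": 7}


def encode_mov_imm(reg, imm):
    """MOV r8, imm8 is B0+rb ib; MOV r32, imm32 is B8+rd id (immediate little-endian)."""
    reg = reg.upper()
    if reg in REG8:
        if not 0 <= imm <= 0xFF:
            raise ValueError("imm8 out of range")
        return bytes([0xB0 + REG8[reg], imm])
    if reg in REG32:
        return bytes([0xB8 + REG32[reg]]) + (imm & 0xFFFFFFFF).to_bytes(4, "little")
    raise ValueError(f"unknown register {reg}")


def encode_reg_reg(mnemonic, dst, src):
    """Register-direct XOR/ADD/SUB/CMP/MOV r/m32, r32: one opcode byte, then a
    ModR/M byte with mod=11 (register operand), reg=src, r/m=dst."""
    opcodes = {"XOR": 0x31, "ADD": 0x01, "SUB": 0x29, "CMP": 0x39, "MOV": 0x89}
    modrm = 0b11000000 | (REG32[src.upper()] << 3) | REG32[dst.upper()]
    return bytes([opcodes[mnemonic.upper()], modrm])


def encode_alu_imm8(mnemonic, dst, imm8):
    """ADD/SUB/XOR/CMP r/m32, imm8 (sign-extended) is 83 /digit ib, where the
    ModR/M reg field carries the operation number instead of a register."""
    digits = {"ADD": 0, "SUB": 5, "XOR": 6, "CMP": 7}
    if not -128 <= imm8 <= 127:
        raise ValueError("imm8 out of range")
    modrm = 0b11000000 | (digits[mnemonic.upper()] << 3) | REG32[dst.upper()]
    return bytes([0x83, modrm, imm8 & 0xFF])


def as_bits(code):
    """Render machine code the way slide 14 shows it: one 8-bit group per byte."""
    return " ".join(f"{b:08b}" for b in code)


if __name__ == "__main__":
    print("MOV AL, 61h    =>", as_bits(encode_mov_imm("AL", 0x61)))
    print("MOV EAX, 0     =>", encode_mov_imm("EAX", 0).hex(" "))     # 5 bytes
    print("XOR EAX, EAX   =>", encode_reg_reg("XOR", "EAX", "EAX").hex(" "))  # 2 bytes
    print("mov EDI, ESI   =>", encode_reg_reg("MOV", "EDI", "ESI").hex(" "))
    print("CMP EAX, EBX   =>", encode_reg_reg("CMP", "EAX", "EBX").hex(" "))
    print("ADD EAX, 1     =>", encode_alu_imm8("ADD", "EAX", 1).hex(" "))
```

A disassembler reverses exactly this: the ModR/M byte tells it whether the reg field names a register or selects the operation, which is why the same 83 opcode shows up as ADD, SUB or CMP in a debugger listing.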
18. Instructions cont.
REP
- Used with string operations
- Repeats a string instruction until the ECX (counter register) value is equal to zero.
- For example REP MOVS byte ptr DS:[EDI], DS:[ESI]
LOOP
- Similar to loops in high level languages
- Used to execute a sequence of instructions multiple times.
- For example
MOV ECX, 10
Test: INC EBX
INC EAX
LOOP Test
19. Instructions cont.
TEST dst, src
- Performs a bitwise logical AND between dst and src
- Updates the Zero flag bit of the EFLAGS register
- Mostly used to check if the return value of a function is not zero
- For example TEST EAX, EAX
INT 3h
- Breakpoint instruction
- Used by debuggers to stop execution of the program at a particular instruction
20. Instructions cont.
CALL address
- Performs two functions
- Pushes the address of the next instruction on the stack (return address)
- Jumps to the address specified by the instruction
- For example: CALL dword ptr [EAX+4]
RET
- Transfers control to the address previously pushed on the stack by the CALL instruction
- Mostly denotes the end of the function
21. Instructions cont.
Jump instructions
- Categorized as conditional and unconditional
- Unconditional jump instructions
- JMP (Far Jump) – E9 – (cross segments)
- JMP (Short Jump) – EB – (-127 to 128 bytes)
- JMP (Near Jump) – E9 – (in a segment)
- For example: JMP EAX
- Conditional jump instructions
- Jump according to the bit flags set in the EFLAGS register
- JC, JNC, JZ, JNZ, JS, JNS, JO, JNO
- Unsigned comparisons: JA, JAE, JB, JBE
- Signed comparisons: JG, JGE, JL, JLE
- Usually preceded by a CMP instruction
22. Instructions cont.
PUSH operand
- Pushes the operand on the stack
- Decrements the stack pointer register by the operand size
- For example: PUSH EAX
POP operand
- Stores the value pointed to by the stack pointer in the operand
- Increments the stack pointer register by the operand size
- For example: POP EAX
Note: POP/PUSH EIP is an invalid instruction
PUSHF, POPF (push/pop the EFLAGS register)
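Slide 14 shows one instruction encoding (MOV AL, 61h => B0 61) and slides 15-22 list the instructions a reverser meets most often. The decoder below is an added example, not code from the deck: it turns a byte string back into the mnemonics for exactly those instructions (MOV, ADD, SUB, CMP, TEST, XOR, LEA, PUSH, POP, CALL, RET, JMP/JZ/JNZ, LOOP, INT 3, LEAVE), handling only register-direct and [reg+disp8] ModRM forms. The sample bytes and the load address 0x401000 are constructed for the demo.

```python
# Added example (not code from the deck): a small decoder for the opcodes
# the slides talk about, so the "MOV AL, 61h => B0 61" encoding and the
# prologue/epilogue bytes can be read back.  Handles register-direct ModRM
# (mod=11) and [reg+disp8] (mod=01) only; anything else stops the decode.
REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]
REG8 = ["AL", "CL", "DL", "BL", "AH", "CH", "DH", "BH"]

# opcode -> (mnemonic, operand order) for the ModRM-based forms used here
MODRM_OPS = {
    0x01: ("ADD", "rm,reg"), 0x03: ("ADD", "reg,rm"),
    0x29: ("SUB", "rm,reg"), 0x2B: ("SUB", "reg,rm"),
    0x31: ("XOR", "rm,reg"), 0x33: ("XOR", "reg,rm"),
    0x39: ("CMP", "rm,reg"), 0x3B: ("CMP", "reg,rm"),
    0x85: ("TEST", "rm,reg"),
    0x89: ("MOV", "rm,reg"), 0x8B: ("MOV", "reg,rm"),
    0x8D: ("LEA", "reg,rm"),
}
GROUP1 = {0: "ADD", 5: "SUB", 7: "CMP"}          # 83 /digit ib
REL8_OPS = {0xEB: "JMP", 0x74: "JZ", 0x75: "JNZ", 0xE2: "LOOP"}


def modrm(code, i):
    """Decode the ModRM byte at code[i] -> (reg field, r/m text, next index)."""
    b = code[i]
    mod, reg, rm = b >> 6, (b >> 3) & 7, b & 7
    if mod == 3:                                 # register direct
        return reg, REG32[rm], i + 1
    if mod == 1 and rm != 4:                     # [base + disp8]; rm=4 needs SIB
        disp = int.from_bytes(code[i + 1:i + 2], "little", signed=True)
        return reg, "[%s%+#x]" % (REG32[rm], disp), i + 2
    raise ValueError("unsupported ModRM form %#x" % b)


def disasm(code, base=0):
    """Decode `code` from address `base` -> list of (address, length, text)."""
    out, i = [], 0
    while i < len(code):
        start, op = i, code[i]
        i += 1
        if op == 0x90:
            text = "NOP"
        elif op == 0xC3:
            text = "RET"
        elif op == 0xC2:                         # RET imm16: callee pops its args
            text = "RET %#x" % int.from_bytes(code[i:i + 2], "little")
            i += 2
        elif op == 0xC9:
            text = "LEAVE"
        elif op == 0xCC:
            text = "INT 3"
        elif 0x50 <= op <= 0x57:
            text = "PUSH " + REG32[op - 0x50]
        elif 0x58 <= op <= 0x5F:
            text = "POP " + REG32[op - 0x58]
        elif 0xB0 <= op <= 0xB7:                 # MOV r8, imm8  (B0 61 = MOV AL, 61h)
            text = "MOV %s, %#x" % (REG8[op - 0xB0], code[i])
            i += 1
        elif 0xB8 <= op <= 0xBF:                 # MOV r32, imm32
            imm = int.from_bytes(code[i:i + 4], "little")
            text = "MOV %s, %#x" % (REG32[op - 0xB8], imm)
            i += 4
        elif op in REL8_OPS:                     # short jumps: target = next EIP + rel8
            d = int.from_bytes(code[i:i + 1], "little", signed=True)
            i += 1
            text = "%s %#x" % (REL8_OPS[op], base + i + d)
        elif op in (0xE8, 0xE9):                 # CALL / JMP near, rel32
            d = int.from_bytes(code[i:i + 4], "little", signed=True)
            i += 4
            text = "%s %#x" % ("CALL" if op == 0xE8 else "JMP", base + i + d)
        elif op == 0x83:                         # ADD/SUB/CMP r/m32, imm8
            digit, rm, i = modrm(code, i)
            text = "%s %s, %#x" % (GROUP1.get(digit, "GRP1/%d" % digit), rm, code[i])
            i += 1
        elif op in MODRM_OPS:
            name, order = MODRM_OPS[op]
            reg, rm, i = modrm(code, i)
            a, b = (rm, REG32[reg]) if order == "rm,reg" else (REG32[reg], rm)
            text = "%s %s, %s" % (name, a, b)
        else:
            break                                # unknown opcode: stop cleanly
        out.append((base + start, i - start, text))
    return out


# Constructed sample (not from the deck): MOV AL, 61h followed by a cdecl
# function that adds its two stack arguments, with an INT 3 left in place.
SAMPLE = bytes.fromhex("B061" "55" "89E5" "83EC10" "8B4508" "03450C"
                       "85C0" "7401" "CC" "C9" "C3")

if __name__ == "__main__":
    for addr, length, text in disasm(SAMPLE, 0x401000):
        off = addr - 0x401000
        print("%08X  %-10s %s" % (addr, SAMPLE[off:off + length].hex(), text))
```

Two things worth noticing in the listing: the relative-jump targets are computed from the address of the next instruction, which is why patching a jump's displacement changes its target; and a stray CC byte decodes as INT 3, which is how a debugger's software breakpoint looks if the debuggee dumps its own code.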
23. Calling Conventions
Describe how the arguments are passed to, and values returned by, functions.
Steps performed when a function is called:
Arguments are passed to the called function
Program execution is transferred to the address of the called function
The called function starts with lines of code that prepare the stack and registers for use within the function. Also known as the function prologue.
○ For e.g.
push ebp
mov ebp, esp
or with the enter instruction
The called function ends with lines of code that restore the stack and registers to their initial state. Also known as the function epilogue.
○ For e.g.
mov esp, ebp
pop ebp
ret
or with the leave instruction
Passed arguments are removed from the stack, known as stack cleanup. This can be performed by either the calling function or the called function, depending on the calling convention used.
24. Calling conventions cont.
__cdecl (C calling convention)
Arguments are passed from right to left and placed on the stack
Stack cleanup is performed by the caller
Return values are stored in the EAX register
Standard calling convention used by C compilers
__stdcall (Standard calling convention)
Arguments are passed from right to left and placed on the stack
Stack cleanup is performed by the called function
Return values are stored in the EAX register
Standard calling convention for the Microsoft Win32 API
__fastcall (Fast calling convention)
Arguments passed are stored in registers for faster access
Thiscall
Arguments are passed from right to left and placed on the stack. The this pointer is placed in ECX
- Standard calling convention for calling member functions of C++ classes
25. Stack operations
The stack is a LIFO (Last In First Out) type data structure
The stack grows downward in memory, from higher memory addresses to lower memory addresses
PUSH decrements the stack pointer, i.e. ESP
POP increments the stack pointer, i.e. ESP
Each function has its own stack frame
The function prologue sets up the stack frame for each function
Local variables of a function are stored in its stack frame
28. Each function creates its own stack.
Caller function stack: known as the parent stack.
Called function stack: known as the child stack.
For e.g.
C:
main(){
sum();
}
ASM Pseudo:
_main:
123: push ebp
124: mov ebp,esp
125: sub esp,val
126: call _sum
127: mov esp,ebp
128: pop ebp
129: ret
* The parent and child notation is the instructor's notation; technically it should be caller and callee stack frames.
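Slides 23, 24, 25 and 28 describe the same mechanism from four angles: CALL pushes a return address, the prologue saves EBP and carves out locals below it, the epilogue and RET undo that, and either the caller or the callee removes the arguments. The model below is an added example, not code from the deck, that walks the mysum(l, m) function of the demo source through that sequence once as __cdecl and once as __stdcall, and a third time with the two sides disagreeing. The starting ESP (0x0012FF80) and the return address (0x00401234) are constructed values.

```python
# Added example (not code from the deck): a stack-frame model of the
# CALL / prologue / epilogue / RET sequence from slides 23 and 28, run once
# with caller cleanup (__cdecl) and once with callee cleanup (__stdcall).
# The starting ESP value and the return address are constructed.
TOP_ESP = 0x0012FF80
RETURN_ADDR = 0x00401234


class Stack:
    """32-bit stack: dword slots keyed by address; ESP starts at TOP_ESP."""

    def __init__(self):
        self.mem, self.esp, self.ebp = {}, TOP_ESP, 0
        self.frame = {}                  # snapshot of the callee's frame layout

    def push(self, value):               # PUSH: ESP -= 4, then store
        self.esp -= 4
        self.mem[self.esp] = value & 0xFFFFFFFF

    def pop(self):                       # POP: load, then ESP += 4
        value = self.mem[self.esp]
        self.esp += 4
        return value


def mysum_body(s):
    """mysum(l, m) from the demo: prologue, EBP-relative body, epilogue."""
    s.push(s.ebp)                        # push ebp
    s.ebp = s.esp                        # mov ebp, esp
    s.esp -= 4                           # sub esp, 4   (local c)
    l, m = s.mem[s.ebp + 8], s.mem[s.ebp + 12]   # args sit above the return address
    s.mem[s.ebp - 4] = l + m             # c = l + m    (local sits below EBP)
    s.frame = {"saved_ebp": s.ebp, "return_addr": s.ebp + 4,
               "arg_l": s.ebp + 8, "arg_m": s.ebp + 12, "local_c": s.ebp - 4,
               "values": {"return_addr": s.mem[s.ebp + 4], "arg_l": l,
                          "local_c": l + m}}
    eax = s.mem[s.ebp - 4]               # return value goes in EAX
    s.esp = s.ebp                        # mov esp, ebp   \
    s.ebp = s.pop()                      # pop ebp        / together: LEAVE
    return eax


def mysum_cdecl(s):
    eax = mysum_body(s)
    return eax, s.pop()                  # RET: pop the return address into EIP


def mysum_stdcall(s):
    eax = mysum_body(s)
    eip = s.pop()                        # RET 8: pop EIP ...
    s.esp += 8                           # ... then drop the 8 bytes of arguments
    return eax, eip


def call(s, callee, args, caller_cleans):
    """Push args right-to-left, CALL, run the callee, then the caller's cleanup."""
    for a in reversed(args):             # last argument pushed first
        s.push(a)
    s.push(RETURN_ADDR)                  # CALL pushes the address of the next instruction
    eax, eip = callee(s)                 # RET hands control back to that address
    assert eip == RETURN_ADDR
    if caller_cleans:                    # __cdecl: ADD ESP, 4*nargs after the call
        s.esp += 4 * len(args)
    return eax


def run(convention):
    """Return (EAX, ESP delta from the start, frame snapshot) for a convention."""
    s = Stack()
    if convention == "cdecl":
        eax = call(s, mysum_cdecl, [5, 6], caller_cleans=True)
    elif convention == "stdcall":
        eax = call(s, mysum_stdcall, [5, 6], caller_cleans=False)
    else:                                # caller assumes cdecl, callee is stdcall
        eax = call(s, mysum_stdcall, [5, 6], caller_cleans=True)
    return eax, s.esp - TOP_ESP, s.frame


if __name__ == "__main__":
    for conv in ("cdecl", "stdcall", "mismatch"):
        eax, delta, frame = run(conv)
        print("%-8s EAX=%d  ESP off by %+d bytes" % (conv, eax, delta))
    print("frame: [EBP]=saved EBP, [EBP+4]=return addr, [EBP+8]=l, [EBP-4]=c")
```

The frame snapshot shows the layout the later stack slides rely on: the local c at [EBP-4] sits at a lower address than the saved EBP, the return address at [EBP+4] and the arguments at [EBP+8] and [EBP+12], which is why an overflow of a local walks upward into the saved EBP and return address. The "mismatch" run shows the other classic failure: when a caller compiled for __cdecl calls a __stdcall function, both sides remove the arguments and ESP ends up 8 bytes too high.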
32. DEMO (Source Code)
#include <stdio.h>
/*
Author: Amit Malik
http://www.securityxploded.com - Compile in Dev C++
*/
int mysum(int,int);
int main()
{
int a,b,s;
a = 5;
b = 6;
s = mysum(a,b); // call mysum function
printf("sum is: %d",s);
getchar();
}
int mysum(int l, int m) // mysum function
{
int c;
c = l + m;
return c;
}
34. x86-64 Intro.
64-bit instruction set architecture based on the Intel 8086 CPU
Addresses a linear address space of up to 16TB
16 64-bit General Purpose Registers (GPR)
6 16-bit Segment Registers
RFLAGS and RIP registers
Control Registers (CR0-CR4) and CR8 (16 bits)
Memory Management Registers: Descriptor Table Registers (GDTR, IDTR, LDTR), size expanded to 10 bytes
Debug Registers (DR0-DR7)