Slide 1
Hello ASM World: A Painless and Contextual Introduction to x86 Assembly
rogueclown
DerbyCon 3.0
September 28, 2013

Slide 2
who?
- security consultant by vocation
- mess around with computers, code, CTFs by avocation
- frustrated when things feel like a black box

Slide 3
what is assembly language?
- not exactly machine language… but close
- instructions: mnemonics for machine operations
- normally a one-to-one correspondence between an ASM instruction and a machine instruction
- varies by processor
- today, we will be discussing 32-bit x86

Slide 4
why learn assembly language?
- some infosec disciplines require it
- curious about lower-level details of memory or interfacing with an operating system
- it’s fun and challenging!

Slide 5
how does assembly language work?

Slide 6
hello memory
- what parts of computer memory does assembly language commonly access?
- how does assembly language access those parts of computer memory?

Slide 7
where is this memory?
- what one “normally” thinks of as memory
  - RAM
  - virtual memory
- CPU
  - registers

Slide 8
computer memory layout
- heap
  - global variables, usually allocated at compile-time
  - envision a bookshelf… that won’t let you push books together when you take one out
- stack
  - local, contextual variables
  - envision a card game discard pile
  - you will use this when coding ASM. a lot.

Slide 9
registers
- memory located on the CPU
- registers are awesome because they are fast.
- registers are a pain because they are tiny.

Slide 10
registers
- general purpose registers
  - alphabet soup: eax, ebx, ecx, edx
  - can address in parts: ax, ah, al
- stack and base pointers
  - esp, ebp
- index registers
  - esi, edi

Slide 11
registers
- instruction pointer
  - eip
  - records the next instruction for the program to follow
- other registers
  - eflags
  - segment registers

Slide 12
instructions
- mov
  - moves a value to a register
  - can either specify a value, or specify a register where a value resides
- syntax in assembly (the same instruction written both ways)
  - Intel syntax:
        mov eax, 0xfee1dead
  - AT&T syntax:
        mov $0xfee1dead, %eax

Slide 13
instructions
- interrupt
        int 0x80
        int 0x3
- system calls
  - how a program interacts with the kernel of the OS

Slide 14
instructions
- mathematical instructions
  - add, sub, mul, div
        mov eax, 10
        cdq             ; edx is now 0 (cdq sign-extends eax into edx:eax)
        mov ecx, 3      ; div takes a register or memory divisor, never an immediate
        div ecx         ; eax is now 3 (quotient), edx is now 1 (remainder)
  - dec, inc – useful for looping
        mov ecx, 3
        dec ecx         ; ecx is now 2

Slide 15
jumps
- jge, jg, jle, jl
  - work with a compare (cmp) instruction
- jz, jnz, js, jns
  - check the zero flag or sign flag for the jump

Slide 16
instructions
- stack operations: push and pop
        mov eax, 10
        push eax        ; 10 on top of stack
        inc eax         ; eax is now 11
        push eax        ; 11 on top of stack
        pop ebx         ; ebx is now 11
        pop ecx         ; ecx is now 10

Slide 17
instructions
- function access instructions
  - call
    - places the address of the next instruction on top of the stack
    - moves execution to the identified function
  - ret
    - returns to the memory address on top of the stack
    - designed to work in tandem with the “call” instruction… but we’re hackers, yes?

Slide 18
sections of ASM code
- .data
  - constant variables initialized at compile time
- .bss
  - declaration of variables that may be set or changed during runtime
- .text
  - executable instructions

Slide 19
$%&#@%^ instructions: how do they work?

Slide 20
putting it together
- time to take a bit of C code, and reimplement it in assembly language!
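The C-to-assembly exercise of slide 20, worked through as an added example that is not from the talk or its slides: a small C loop that prints a greeting three times, rewritten as a 32-bit Linux NASM program that uses the .data/.bss/.text sections, mov, cmp/jle, dec, push/pop, call/ret and the int 0x80 system calls from slides 13 through 18. The C fragment, the label names and the message text are constructed here; the syscall numbers 4 (write) and 1 (exit) are the 32-bit Linux values from the unistd header the resources slide points to.

```nasm
; C fragment being reimplemented (constructed for this example, not from the talk):
;   int count = 3;                                  /* lives in .data */
;   char scratch[16];                               /* lives in .bss  */
;   void say_hello(void) { write(1, "Hello ASM World\n", 16); }
;   int main(void) {
;       while (count > 0) { say_hello(); count--; }
;       _exit(count);
;   }
; build on 32-bit Linux: nasm -f elf32 hello.asm && ld -m elf_i386 -o hello hello.o

section .data                        ; initialized data, fixed when assembled
    msg     db "Hello ASM World", 10 ; 10 is the newline byte
    msglen  equ $ - msg              ; the assembler computes the length (16)
    count   dd 3                     ; the global "int count"

section .bss                         ; uninitialized storage, zeroed at load time
    scratch resb 16                  ; the "char scratch[16]" (declared, not used)

section .text
global _start                        ; ld uses _start as the entry point

say_hello:                           ; callee: reached via call, leaves via ret
    push ebx                         ; preserve the caller's ebx, we overwrite it
    mov eax, 4                       ; syscall number 4 = write (unistd_32.h)
    mov ebx, 1                       ; fd 1 = stdout
    mov ecx, msg                     ; address of the bytes to write (no brackets)
    mov edx, msglen                  ; byte count
    int 0x80                         ; trap into the kernel
    pop ebx                          ; restore ebx
    ret                              ; pop the return address call pushed, jump there

_start:
.loop:
    mov eax, [count]                 ; brackets: load the value stored at count
    cmp eax, 0                       ; set the flags for "count > 0"
    jle .done                        ; signed jump if count <= 0
    call say_hello                   ; pushes the address of the dec below, then jumps
    dec dword [count]                ; count-- in memory
    jmp .loop
.done:
    mov eax, 1                       ; syscall number 1 = exit
    mov ebx, [count]                 ; exit status = count, which is 0 here
    int 0x80                         ; never returns
```

Running the binary under strace shows each int 0x80 as the write(1, ...) or exit(0) call the kernel actually received, which is a quick way to check that eax/ebx/ecx/edx were loaded as intended.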
Slide 21
where does shellcode come in?

Slide 22
what is shellcode?
- instructions injected into a running process
- lacks some of the luxuries of writing a stand-alone program
  - no laying out nice memory segments in a .bss or .data section
  - basically, just one big .text section

Slide 23
a first stab at shellcode…
- this is going to look mostly familiar, except for how data is handled.

Slide 24
why did it fail? bad characters
- shellcode is often passed to an application as a string.
- if a character makes a string act funny, you may not want it in your shellcode
  - 0x00, 0x0a, 0x0d, etc.
- use an encoder, or do it yourself

Slide 25
try that shellcode again…

Slide 26
where can i learn more about assembly language?

Slide 27
suggested resources: dead trees
- “Hacking: The Art of Exploitation” by Jon Erickson
- “Practical Malware Analysis” by Michael Sikorski and Andrew Honig
- “Gray Hat Python” by Justin Seitz

Slide 28
suggested resources: the series of tubes
- http://ref.x86asm.net – quick and dirty opcode reference
- http://www.nasm.us/doc – Netwide Assembler documentation
- system calls
  - Linux: /usr/include/asm/unistd.h, man 2 $syscall
  - Windows: http://msdn.microsoft.com/library/windows/desktop/hh920508%28vs.85%29 – Windows API reference

Slide 29
how to find me
- Twitter: @rogueclown
- email: rogueclown@rogueclown.net
- IRC: #derbycon, #misec, or #burbsec on Freenode
- or, just wave me down at the con