[Tutorial] Basic ASM / Reversing

[DeadLinez]

Basic ASM / Reversing

By DeadLinez & Aro



This tutorial contains the following information:

• CPU
• CPU Registers
• Stack
• Common Assembly Instructions
• Jump-instructions
• Program Structure

CPU (aka Central Processing Unit)

• Control Unit: Retrieve/Decode instructions,Retrieve / Storeage data in memory.
• Execution Unit: Acually Exectution of instruction.
• Register: Internal memory locations used as variables.
• Flags: Used to indicate various "event" when exectution is happening.

CPU Registers:

• Registers are internal memory locations used as variables. A register is 32 bits long or 4 bytes there are 8 registers. EAX, EBX, ECX, EDX,
  ESI, EDI, ESP, and EBP.
  
  The "E" in the beginning of all the registers indicates that it is a 32 bit register.
  
  General Purpose Registers
  
  
• EAX (Accumulator Register) : General used for storing operands and result data
• EBX (Base Register): Used for storing pointers to data. Only register that can be used as an index
• ECX (Counter Register): Used for loop operations.
• EDX (Data Register): Used as a input outup pointer.
• ESI, EDI (Pointer)- Data Pointer Registers from memory operations, generally used for string operations.
• ESP (Pointer): Stack Pointer Register.
• EBP (Pointer): Stack Data Pointer Register.

32 bit registers can be split into 16 bit. In 16 bit programs only the lowest bits of the registers are used. They have the same names as general registers but without the "E"
example:
AX, EX, CX, DX, SI, DI, SP, BP.



The 16 bit register can be spit into highbyte and lowbyte.
example:
EAX is 32 bit, AX is the lowest 16 bit of EAX and then the AX could be split
into AH (highbyte) and AL (lowbyte) which are one byte in size.




Segment Registers

• CS (Code segment) - 16 bit number that points to a active code-segment
• DS (Data segment) - 16 bit number that points to a active data-segment
• SS (Stack segment - 16 bit number that points to a active stack-segment
• ES (Extra segment) - 16 bit number that points to a active extra segment

*EIP (32 bit intruction pointer) points to the instruction being done.
A control register is a processor register which changes or controls the general behavior of a CPU or other digital device. Common tasks
performed by control registers include interrupt control, switching the addressing mode, paging control, and coprocessor control. Check
Control register - Wikipedia, the free encyclopedia for more information.

The Stack
As I said before. A stack is a temporary storage unit in computer memory where function arguments and local variables are stored. The LIFO Principle is last value you put in the first it comes out. Just imagine you have a stack of papers when I wanted my teach to correct my test first I would wait until everybody finished so when I put in my test on her desk I can sneak a peek on my score or how many red marks are on my test when she starts correcting it when we walk out of class.
When you PUSH two values on the stack you will get the last one first because of that method.

The 0x00000 you see below is hexadecimal. When the computer compiles a program it will covert it to machine code readable by the CPU then executed. The computer used hexadecimal because it more readable than 1's and 0's. The number system we use most is the decimal number system system 1,2,3,4,5,6,7,8,9,10.
Watch Youtube videos to learn about hexadecimal and binary numbers.
I'll get you started:
What the Hell is Hexadecimal? Part 1
What the Hell is Hexidecimal? Part 2

PUSH - pushes value on stack
POP - removes from stack
ESP - Points to stack



Right here is a example of a stack. The ESP register holds 0x000008 which is the top of the stack.
example: ESP 0x0000008

[IMG]https://img33.imageshack.us/img33/7066/50149555.png[/IMG

The stack adds a new value (0x0000007) and (0x0000006) using the PUSH operation.

Code:

PUSH 0x0000007
PUSH 0x0000006

Now we update the ESP pointer to the top of the stack to the address 0x00000006.

Code:

ESP 0x0000006

Now we use the POP operation to take that value of the stack. Which removes that last operation put into the stack (LIFO REMEMBER).

Code:

POP 0x00000006

Next we have to update the ESP pointer to value 0x0000007.

Code:

ESP 0x00000007

Next we have to POP the last first value we put in off the stack. (LIFO)

Code:

POP 0x00000007

Finally we update the ESP pointer register to the top of the stack.

Code:

ESP 0x0000008

Common Assembly Instructions

PUSH <value>
Puts value on top of the stack.

POP <register>
Gets data from the top of the stack and puts in of the stack and puts it in a register.

Example of PUSH and POP:

Code:

PUSH     0x01
PUSH     0X02
POP     EAX
POP     EDX

After these instructions are ran, EAX would be equal to 0x02 and EDX would be equal to 0x01 (LIFO).


TEST <value><value2>
Compares bitvalues in data often used TEST EAX,EAX in software to check if EAX is zero, example after a function that checks if the serial is correct



CMP <value1>,<value2>
Compares 2 numbers by subtracting the source from the destination and updates the flags.

Example:

Code:

CMP EAX,EDX

MOV <to>,<from>
Moves data from one address to a another
Example:

Code:

MOV EAX,01

CALL <address>
Calls (runs) a function. When you use the call instruction it pushes the return address onto the stack and then jumps to the function's address, and when the ret instruction is used it pops the address off of the stack and then jumps to that address. This knowledge is critical to understanding how stack overflows can be transformed into exploits. (thanks nosiop)
Example:

Code:

CALL 0x0123124

DEC <value>
Decreases a value by 1
Example:

Code:

DEC EAX

WIll decrease EAX by 1


RET
Returns from a subroutine or function to the code after the call that called the function.


INC <value>
Increases a value by 1
Example:

Code:

INC EAX

WIll increase EAX by 1


SUB <value1>,<value2>
Subracts two values, then puts the result in value1
Example:

Code:

SUB EAX,03

XOR <value1>,<value2>
exclusive or, most commonly used to quickly set a register to 0 or for simple encryption
Example:

Code:

XOR EAX,EAX

will make EAX 0

ADD <value1>,<value2>
Adds two values, then puts the result in value1
Example:

Code:

ADD EAX,05

Jump-instructions


Jumps are used to control the program-flow, they decide where in the programs we go, and in company of e.g. a CMP function the jump can decide weather the program is going to run code in one place or another.

This is compared to other languages like C/C++. They are like "if-cases" or "goto".

//C/C++

Code:

if(register == 0)
{
    RegisterPleaseScreen();
}

There are many jump-instructions which are used for different things. Here is a short list of the most common used ones.

Code:

JMP <address> - Jump (always jumps)
JZ <address> - Jump if zero
JNZ <address - Jump if Not Zero
JE <address - Jump if Equal
JNE <address - Jump if not equal
JGE <address> - Jump if Greater or Equal
JBE <address> - Jump if Below or Equal
JA <address - Jump if Above
JAE <address> - Jump if Above or Equal to

The code below is a example code of a program checking the serial number the user inputs and seeing if it is the right one.

Example of a ASM-code with Jumps

Code:

0x0000001 CALL CheckRegistered //Check is user is registered
0x0000002 TEST EAX, EAX //Checks if EAX is eqal to 0
0x0000003 JZ 0x0000006 // if EAX is eqaual to 0 jump to Please register screen
0x0000004 CALL ShowThanksForPurchase // else show Thanksforpurchasescreen
0x0000005 JMP ContinueProgram // coutinues with normal program routinue
0x0000006 CALL PleaseRegisterScreen // calls please register screen
0x0000007 JMP 0x0000009 // jmps to ExitProgram

....
# Exit Routine

0x0000009 movl $1, %eax
0x0000010 movl $0, %ecx
0x0000011 int $0x80

This might look confusing even though will the comments.

The numbers on the left side (0x0000001 example) are address (these are all made up for this example of course) and on the right side are the Assembly instructions that are on the address.

While cracking software you quite often see code similar to this.

First the code calls a function which check if we are registered,
then EAX is test if it is 0.
If EAX is NOT 0 the program calls the "Thank you for purchase"-screen.
If EAX is 0 it jumps to 0x0000006 and there it calls the screen the says you need to register and jumps again to the end of the program.

Program Structure
Now you maybe wondering HOW THE FREAK DO I BUILD A ASSEMBLY PROGRAM? Well we need to know how to structure our program. When we structure the program it is like the stack highest to lowest. We need to structure that program like that stack.



The first part of our assembly program we declare we declare the ".data" part of are program where are used initialized data is held or in other words data we give a variable.

Example:

Code:

.data

The second part of our assembly program is the ".bss" part of the program where put initialized data like buffers and other stuff.

Example:

Code:

.data

.bss

The third and final part of an assembly program is the .text function where the the actual code is put.

Example:

Code:

.data

.bss

.text

The foruth part of the program is where we declare ".globl _start" this is needed to be (declared for linker (ld)).

Example:

Code:

.data

.bss

.text
     .globl _start

The fifth part of our program is where we put the main part of the program. I like the main() function in C/C++ the equivalent to that in assembly is "_start:". (tell linker entry point).

Example:

Code:

.data

.bss

.text
     .globl _start

_start:
       //Code..

Data types
--------------------------

Now that you learned how to structure a assembly program now we need to learn about data types to use in our program. Now here we go.

Here is a list of data types:

Code:

.int  32 bit number

.ascii  String

.asciz Null Terminated String

.short 16 bit number

.byte 1 bytes (32 bits)

.float = Single precision point number

.double = Double precision point number

Other data types for .bss (uninitialized data) are:

Code:

.comm = this declares common memory area. Like global variables.

.lcomm = this declares local memory area. Like local variables in functions.

To declare our data types in our program we do it like this:

Code:

   dataname:
        .datatype  <value>

Here is another example with actual types for people who don't understand.

Code:

AroString:
        .asciz "Aro Rules!\n"

For Uninitialized data .bss:

Code:

.lcomm <dataname>, <size>
Real world example:
Code:
.comm arobuffer, 1024

Now lets insert each data type we learned into our program structure we learned how to make before name your program "Lesson.s":

Code:

# by the way to comment in asm put a pound key before the comment

.data
    
    AroString:
        .ascii "You are going to learn assembly quickly and easily"

    AroStringNull:
        .asciz "Can you imagine you learning assembly with ease"

    AroInt32:
        .int 13

    AroInt16:
        .int 8

    AroByte:
        .byte 10

    AroFloat:
        .float 12.23

    AroDouble:
        .double 12.131

.bss
    .comm AroBuffer,1024
    .lcomm YourBuffer, 1024

.text
        .globl _start

_start:

//code...

Finally its time to learn how to put assembly code in the .text function. Here we get down and dirty baby. Now in order to do this he need to learn sys calls.

I will teach you how to convert a Linux sys call into assembly. We will use the exit function. Here is the layout how the exit sys call:

Code:

int sys_exit(int status)

They way we pass arguments to syscalls is first we declare the EAX register for the System call number, EBX for the first argument, ECX for the two argument,
EDX for the third argument and for the fivith we use the EDI register. Then we end the $0x80 interrupt to show we are at the end of the function.

Now lets do this with the exit function.

First we need to find the sys call number here

"vim usr/include/asm/unistd_32.h"

The sys call number is 1. We will type it like this.

Code:

movl $1, %eax

Second we will need to use the argument 0 to exit our program by moving the value 0 in the %ebx register.

Code:

movl $0, %ecx

Now we show that the sys call has ended with the $0x80 interrupt

Code:

int $0x80

Let put it in the program

Code:

.data
    
    AroString:
        .ascii "You are going to learn assembly quickly and easily"

    AroStringNull:
        .asciz "Can you imagine you learning assembly with ease"

    AroInt32:
        .int 13

    AroInt16:
        .int 8

    AroByte:
        .byte 10

    AroFloat:
        .float 12.23

    AroDouble:
        .double 12.131

.bss
    .comm AroBuffer,1024
    .lcomm YourBuffer, 1024

.text
      .globl _start

_start:
            #Exit Routine
            movl $1, %eax
            movl $0, %ecx
            int $0x80

Code:

To compile the code in linux type:
    
    as -ggstabs -o <programname.o> <programname.s>
    ld -o <programname> <programname.o> // for linking
If you have windows use NASM (I dont know anything about so don't ask quesions) best is to just get a live CD or Vmware.

Now its your turn I taught you enough information to make a simple hello world program. Just follow the instructions I gave you.

To print a string you need the sys call write. Here is what it looks like:

Code:

ssize_t sys_write(unsigned int fd, const char * buf, size_t count)

That's all you get. Post you code when your done.

[flameswor10]

Holy shit that's a long fucking tutorial..

[DeadLinez]

yes, i am finishing up the reversing part now press thanks if i helped.

[flameswor10]

I always press the button. /

[topblast]

Thanks i was always stupid to ASM

[DeadLinez]

lol no prob topblast im adding more atm.

[mmbob]

Give credits rofl. This isn't yours.

[Void]

Wrong section. |:

[DeadLinez]

Give credits rofl. This isn't yours.

lol look at the top me and my friend made this a while ago ona diffrent forum

[mmbob]

lol look at the top me and my friend made this a while ago ona diffrent forum

So Aro is your friend? .

[DeadLinez]

So Aro is your friend? .

yes mam, from HF

[Xlilzoosk8rX]

my god, i been learning assembly for a few months now and you are amazing at explaining it.
the book im learning from doesnt even explain it as well as you do

[o-o]

Lol very long / will read this after

[Stephen]

Leecher .

[DeadLinez]

Leecher .

hmm a single cs, gets mad because he cant put out a single good thread?
"By DeadLinez & Aro" were on a diffrent site a while ago, and made this. What dont you understand?