Page 2 of 4 FirstFirst 1234 LastLast
Results 11 to 20 of 32

Thread: Assembly Programming videos Share/Save - My123World.Com!

  1. #11
    Garage Member
    Join Date
    Jun 2012
    Location
    Unkn0wn City,Unkn0wn State,Unkn0wn Country,Unkn0wn Continent,PLanet Eart,Milkyway Galaxy,Virgo Super
    Posts
    51
    Do u have any good IDE for Asm

  2. #12
    Thats correct ADI. It is a simple trick but along with it I am trying to break the assembly code also completely. Actually I disassembled the C program written for being tested, I could not completely understand the assembly code prepared from that C program when we assemble it. Some segment registers also get involved. So i want to completely breakdown the disassembled code. And moreover I am learning by myself. The only support for this poor guy is Youtube, internet & great vivek ramachandran videos.
    Last edited by marc_kriss; 09-02-2012 at 12:25 PM.

  3. #13
    Quote Originally Posted by H@CK3R_ADI View Post
    Do u have any good IDE for Asm
    Nothing, I am using only nano editor , then assembling & then linking it. I dont have any environment other than included in videos.

  4. #14
    Garage Member
    Join Date
    Sep 2010
    Location
    Chennai
    Posts
    83
    Blog Entries
    1
    Quote Originally Posted by marc_kriss View Post
    Thats correct ADI. It is a simple trick but along with it I am trying to break the assembly code also completely. Actually I disassembled the C program written for being tested, I could not completely understand the assembly code prepared from that C program when we assemble it. Some segment registers also get involved. So i want to completely breakdown the disassembled code. And moreover I am learning by myself. The only support for this poor guy is Youtube, internet & great vivek ramachandran videos.
    Hey mark, thanks for the videos. Btw, if you have any trouble understanding BoF, post the code in the forums, we will help you out!

    Best Regards.

  5. #15
    thanks sebas_phoenix. I am trying to break down code for a BOF program in C:-
    #include<stdio.h>
    void display()
    {
    char buff[8];
    gets(buff);
    puts(buff);
    }
    main()
    {
    display();
    return(0);
    }
    ### And the disassembled code for main:-
    Dump of assembler code for function main:
    0x080484ae <+0>: push %ebp
    0x080484af <+1>: mov %esp,%ebp
    0x080484b1 <+3>: call 0x8048474 <display>
    0x080484b6 <+8>: mov $0x0,%eax
    0x080484bb <+13>: pop %ebp
    0x080484bc <+14>: ret
    End of assembler dump.
    ### Disassembled code for display:-
    Dump of assembler code for function display:
    0x08048474 <+0>: push %ebp
    0x08048475 <+1>: mov %esp,%ebp
    0x08048477 <+3>: sub $0x10,%esp
    0x0804847a <+6>: mov %gs:0x14,%eax
    0x08048480 <+12>: mov %eax,-0x4(%ebp)
    0x08048483 <+15>: xor %eax,%eax
    0x08048485 <+17>: lea -0xc(%ebp),%eax
    0x08048488 <+20>: mov %eax,(%esp)
    0x0804848b <+23>: call 0x8048374 <gets@plt>
    0x08048490 <+28>: lea -0xc(%ebp),%eax
    0x08048493 <+31>: mov %eax,(%esp)
    0x08048496 <+34>: call 0x80483a4 <puts@plt>
    0x0804849b <+39>: mov -0x4(%ebp),%eax
    0x0804849e <+42>: xor %gs:0x14,%eax
    0x080484a5 <+49>: je 0x80484ac <display+56>
    0x080484a7 <+51>: call 0x8048394 <__stack_chk_fail@plt>
    0x080484ac <+56>: leave
    0x080484ad <+57>: ret
    End of assembler dump.

    There are no issues in understanding BOF. Basically I am trying to figure out, exactly whats going on in assembly code. How the stack values are getting shifted to where. Perhaps almost done. Just some hickups remaining.
    Last edited by marc_kriss; 09-03-2012 at 10:07 PM.

  6. #16
    Garage Member
    Join Date
    Jun 2012
    Location
    Unkn0wn City,Unkn0wn State,Unkn0wn Country,Unkn0wn Continent,PLanet Eart,Milkyway Galaxy,Virgo Super
    Posts
    51
    aha vuln detected see at line char buff[8]
    it reads from:
    0 1 2 3 4 6 7 8 9

    this can be used for malicious code execution

  7. #17
    ... I am no Expert b0nd.g4h@gmail.com b0nd's Avatar
    Join Date
    Jul 2010
    Location
    irc.freenode.net #g4h
    Posts
    744
    Quote Originally Posted by H@CK3R_ADI View Post
    aha vuln detected see at line char buff[8]
    it reads from:
    0 1 2 3 4 6 7 8 9

    this can be used for malicious code execution
    gets() is the culprit here and depreciated function to use.

    Cheers!
    [*] To follow the path: look to the master, follow the master, walk with the master, see through the master,
    ------> become the master!!! <------
    [*] Everyone has a will to WIN but very few have the will to prepare to WIN
    [*] Invest yourself in everything you do, there's fun in being serious

  8. #18
    Garage Member
    Join Date
    Jun 2012
    Location
    Unkn0wn City,Unkn0wn State,Unkn0wn Country,Unkn0wn Continent,PLanet Eart,Milkyway Galaxy,Virgo Super
    Posts
    51
    And regarding function main the assembled code do the following:

    <+0>Value of ebp is pushed on stack
    <+1>Value of ebp is pushed on esp
    <+3>Then it calls the Display
    <+8>Before telling this please tell me you are on IA-32 or AT&T
    <+13>it pops/take out the contents from the stack
    <+14>Val ret

  9. #19
    Garage Member
    Join Date
    Sep 2010
    Location
    Chennai
    Posts
    83
    Blog Entries
    1
    Quote Originally Posted by marc_kriss View Post
    thanks sebas_phoenix. I am trying to break down code for a BOF program in C:-
    #include<stdio.h>
    void display()
    {
    char buff[8];
    gets(buff);
    puts(buff);
    }
    main()
    {
    display();
    return(0);
    }
    ### And the disassembled code for main:-
    Dump of assembler code for function main:
    0x080484ae <+0>: push %ebp
    0x080484af <+1>: mov %esp,%ebp
    0x080484b1 <+3>: call 0x8048474 <display>
    0x080484b6 <+8>: mov $0x0,%eax
    0x080484bb <+13>: pop %ebp
    0x080484bc <+14>: ret
    End of assembler dump.
    ### Disassembled code for display:-
    Dump of assembler code for function display:
    0x08048474 <+0>: push %ebp
    0x08048475 <+1>: mov %esp,%ebp
    0x08048477 <+3>: sub $0x10,%esp
    0x0804847a <+6>: mov %gs:0x14,%eax
    0x08048480 <+12>: mov %eax,-0x4(%ebp)
    0x08048483 <+15>: xor %eax,%eax
    0x08048485 <+17>: lea -0xc(%ebp),%eax
    0x08048488 <+20>: mov %eax,(%esp)
    0x0804848b <+23>: call 0x8048374 <gets@plt>
    0x08048490 <+28>: lea -0xc(%ebp),%eax
    0x08048493 <+31>: mov %eax,(%esp)
    0x08048496 <+34>: call 0x80483a4 <puts@plt>
    0x0804849b <+39>: mov -0x4(%ebp),%eax
    0x0804849e <+42>: xor %gs:0x14,%eax
    0x080484a5 <+49>: je 0x80484ac <display+56>
    0x080484a7 <+51>: call 0x8048394 <__stack_chk_fail@plt>
    0x080484ac <+56>: leave
    0x080484ad <+57>: ret
    End of assembler dump.

    There are no issues in understanding BOF. Basically I am trying to figure out, exactly whats going on in assembly code. How the stack values are getting shifted to where. Perhaps almost done. Just some hickups remaining.
    Ok lets do it one step at a time for more clarity.

    Code:
    0x080484ae <+0>:	push   %ebp
    0x080484af <+1>:	mov    %esp,%ebp
    Typical function prologue. esp is not subtracted indicating no local variables are involved(useful when you don't have the source not now).

    Code:
    0x080484b6 <+8>:	mov    $0x0,%eax
    0x080484bb <+13>:	pop    %ebp
    0x080484bc <+14>:	ret
    Typical function epilogue..returns 0x0 (always eax holds the return value). Now let's look at the disassembly of display()

    Code:
    0x08048474 <+0>:	push   %ebp
    0x08048475 <+1>:	mov    %esp,%ebp
    0x08048477 <+3>:	sub    $0x10,%esp
    Again standard prologue of a function except that local variables are involved. Compiler allocates 0x10(16) bytes of memory for the local variables. Now there is something that you should note here, the 16 bytes may/may not be completely used by the local variables. Compiler can use some padding bytes to align dwords @ addresses that are multiples of 4 (I am assuming a 32-bit machine) for optimized access. Short story, dont take the 0x10 as the size of the local vars.

    Code:
     0x0804847a <+6>:	mov    %gs:0x14,%eax
     0x08048480 <+12>:	mov    %eax,-0x4(%ebp)
    gs is a segment register @ offset 0x14 you can find a global cookie value. Read about GS cookies, basically they prevent buffer overflows. How they work is that, they are inserted between the local variables and the saved frame pointer at the function prologue with a unique value that cannot be guessed by the attacker(hopefully!). Incase of a buffer overflow, the cookie value gets overwritten. The value of the cookie is check @ the function epilogue and if it is corrupted, the application crashes by calling
    this code.

    Code:
    0x080484a7 <+51>:	call 0x8048394 <__stack_chk_fail@plt>
    This is where the check happens at the function epilogue
    Code:
    0x0804849b <+39>:	mov -0x4(%ebp),%eax
    0x0804849e <+42>:	xor %gs:0x14,%eax
    0x080484a5 <+49>:	je 0x80484ac <display+56>
    what this does is that it compares the stack cookie in our stack frame with the one that is stored in gs:0x14 and xor's them. Note that A (xor) A is 0. So if they both are the same, then the program proceeds as usual. Else it crashes.

    I am assuming you are using a version of gcc that has stack protector enabled. To disable it , compile using -fno-stack-protector flag.

    Hope that helps. Best Regards. I hope you got the buffer overflow part.

    ~peace
    Last edited by sebas_phoenix; 09-04-2012 at 06:00 PM.

  10. #20
    Garage Member
    Join Date
    Sep 2010
    Location
    Chennai
    Posts
    83
    Blog Entries
    1
    Quote Originally Posted by H@CK3R_ADI View Post
    And regarding function main the assembled code do the following:

    <+0>Value of ebp is pushed on stack
    <+1>Value of ebp is pushed on esp
    <+3>Then it calls the Display
    <+8>Before telling this please tell me you are on IA-32 or AT&T
    <+13>it pops/take out the contents from the stack
    <+14>Val ret
    AT&T is not a processor, it is a syntax for assembly. As you can obviously see,it is AT&T considering the %(register) and <opcode> <source> <destination> format!

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •