Reverse Engineering. Kwonyoup Kim. Digital Forensic Research Center Korea University
1 Reverse Engineering Kwonyoup Kim Digital Forensic Research Center Korea University
2 Software Reversing - Day 1: Background -
3-4 Day 1 Background From source to x86 Execution (diagram slides: compile, link, load, execute; figures only) 3-4/110
5 Day 1 Background From source to x86 Execution
Registers
32-bit general-purpose registers: EAX EBX ECX EDX EBP ESP ESI EDI
Instruction pointer: EIP
Flags register: EFLAGS
16-bit segment registers: CS SS DS ES FS GS
5/110
6-7 Day 1 Background From source to x86 Execution (register diagrams; figures only) 6-7/110
8 Day 1 Background From source to x86 Execution
EFLAGS Register
Bit    Flag  Description
0      CF    Carry flag: set on an unsigned carry or borrow out of the most significant bit
2      PF    Parity flag: set if the low byte of the result has an even number of 1 bits
4      AF    Adjust flag: carry out of bit 3, used for BCD arithmetic
6      ZF    Zero flag: set if the result of an operation is zero
7      SF    Sign flag: set if the result of an operation is negative (most significant bit set)
8      TF    Trap flag: set for single-step debugging
9      IF    Interrupt flag: set if maskable interrupts are enabled
10     DF    Direction flag: if set, string operations decrement ESI/EDI instead of incrementing them, reading memory backwards
11     OF    Overflow flag: set if a signed arithmetic operation produced a value too large for the destination to hold
12,13  IOPL  I/O privilege level of the current task
14     NT    Nested task flag: set if the current task is linked to a previously executed task
16     RF    Resume flag: controls the response to debug exceptions
17     VM    Virtual-8086 mode: set when running in 8086 compatibility mode
18     AC    Alignment check: set if alignment checking of memory references is enabled
19     VIF   Virtual interrupt flag
20     VIP   Virtual interrupt pending: set if a virtual interrupt is pending
21     ID    Identification flag: if software can toggle it, the CPUID instruction is supported
8/110
9 Day 1 Background From source to x86 Execution
16-bit Segment Registers
CS (Code Segment), SS (Stack Segment), DS (Data Segment), ES (Extra Segment)
FS (data segment): on 32-bit Windows FS points at the TEB (Thread Environment Block); FS:[0] holds the head of the SEH (Structured Exception Handling) chain and FS:[0x30] the pointer to the PEB (Process Environment Block)
GS (data segment): unused by 32-bit Windows; on 64-bit Windows GS takes over the TEB role
9/110
10 Day 1 Background From source to x86 Execution
Caller-saved vs. Callee-saved Registers
Platform             Caller-saved registers (volatile)                              Callee-saved registers (non-volatile)
16-bit DOS, Windows  AX, BX, CX, DX, ES, ST(0)~ST(7)                                SI, DI, BP, DS
32-bit Windows       EAX, ECX, EDX, ST(0)~ST(7), XMM0~XMM7                          EBX, ESI, EDI, EBP
64-bit Windows       RAX, RCX, RDX, R8~R11, ST(0)~ST(7), XMM0~XMM5,                 RBX, RSI, RDI, RBP, R12~R15, XMM6~XMM15 (low half)
                     high half of XMM6~XMM15
10/110
11 Day 1 Background From source to x86 Execution
Other Registers
FPU (Floating Point Unit) registers ST(0)~ST(7)
MMX registers MM0~MM7 (aliased onto the FPU register stack)
3DNow! registers (AMD)
Control registers
Debug registers (hardware breakpoints)
DR0 ~ DR3 : breakpoint linear addresses
DR4 ~ DR5 : reserved (aliases of DR6/DR7 unless CR4.DE is set)
DR6 : debug status
DR7 : debug control (enable bits, break on execute / write / read-write, length)
11/110
12 Day 1 Background From source to x86 Execution
Control Registers
CR0 : PE (protected mode enable), PG (paging enable), MP (monitor coprocessor), WP (write protect)
CR1 : reserved
CR2 : linear address that caused the last page fault
CR3 : PDBR (Page-Directory Base Register), the physical address of the page directory
CR4 : architecture extension flags (PSE, PAE, DE, ...)
12/110
13 Day 1 Background From source to x86 Execution
Understanding Stack
Definition: the stack is an abstract data structure supported by a combination of hardware (ESP, PUSH/POP/CALL/RET) and software (compiler conventions)
Stack operations are Last In First Out (LIFO)
The PUSH instruction places a 32-bit value on the stack (ESP decreases by 4)
The POP instruction removes a 32-bit value from the stack (ESP increases by 4)
The stack is used to pass parameters to functions
The stack is used to maintain call chain state (saved EBP values and return addresses)
The CALL instruction places a 32-bit return address on the stack; RET pops it back into EIP
In 32-bit Windows, the stack also stores the SEH (Structured Exception Handling) chain
13/110
14-34 Day 1 Background From source to x86 Execution Understanding Stack (1/21) to (21/21): step-by-step diagrams of PUSH, CALL (push %next_address, the address of the instruction after the CALL) and RET on the stack; figures only 14-34/110
35 Day 1 Background From source to x86 Execution
Stack Frame
int Func2(int a, int b) { return a * b; }
int Func1(int a, int b) { return b + Func2(a, b); }
main() { ... int a, b, c; c = Func1(a, b); ... }
Stack, low address at the top:
  Func2() frame  <- EBP while Func2 runs (saved Func1 EBP, return address into Func1, arguments pushed by Func1)
  Func1() frame  <- EBP while Func1 runs (saved main EBP, return address into main, arguments pushed by main)
  main() frame   <- main's EBP
High address at the bottom
35/110
36 Day 1 Background From source to x86 Execution
Calling Conventions (1/3): 32-bit function calling conventions
Calling convention   Parameters in registers   Parameter order on stack   Stack cleanup by   Comments
cdecl                none                      right to left              caller             default
stdcall              none                      right to left              callee
pascal               none                      left to right              callee
fastcall (MS)        ecx, edx                  right to left              callee
fastcall (GNU)       ecx, edx                  right to left              callee
fastcall (Borland)   eax, edx, ecx             left to right              callee
thiscall (MS)        ecx (this pointer)        right to left              callee             default for C++ member functions
36/110
37 Day 1 Background From source to x86 Execution
Calling Conventions (2/3): cdecl
#include <stdio.h>
int add(int a, int b) { return (a + b); }
int main(int argc, char* argv[]) { return add(1, 2); }
add:
  PUSH EBP
  MOV EBP, ESP
  MOV EAX, DWORD PTR SS:[EBP+8]    ; a
  ADD EAX, DWORD PTR SS:[EBP+0C]   ; b
  POP EBP
  RETN
main:
  PUSH EBP
  MOV EBP, ESP
  PUSH 2                           ; arguments pushed right to left
  PUSH 1
  CALL add
  ADD ESP, 8                       ; caller removes the two arguments
  POP EBP
  RETN                             ; ?? (no code sets EAX here: main returns whatever add left in EAX)
37/110
38 Day 1 Background From source to x86 Execution
Calling Conventions (3/3): stdcall
#include <stdio.h>
int _stdcall add(int a, int b) { return (a + b); }
int main(int argc, char* argv[]) { return add(1, 2); }
add:
  PUSH EBP
  MOV EBP, ESP
  MOV EAX, DWORD PTR SS:[EBP+8]    ; a
  ADD EAX, DWORD PTR SS:[EBP+0C]   ; b
  POP EBP
  RETN 8                           ; callee removes the two arguments
main:
  PUSH EBP
  MOV EBP, ESP
  PUSH 2
  PUSH 1
  CALL add                         ; no ADD ESP, 8 afterwards: RETN 8 in add already cleaned up
  POP EBP
  RETN
38/110
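The frame picture on the Stack Frame slide and the cdecl/stdcall listings above, replayed as an added C example (this is not code from the lecture): a small model of the 32-bit stack runs the PUSH 2 / PUSH 1 / CALL add sequence, reads a and b at [EBP+8] and [EBP+0xC] exactly as add does, and reports how far ESP drifts after the call for each combination of callee cleanup (RETN 8) and caller cleanup (ADD ESP, 8). The stack region address, the initial ESP and the return-address value are assumed constants.

```c
/* Added example, not from the slides: a small model of the 32-bit stack that
 * replays the cdecl and stdcall sequences for add(1, 2) from the slides, so the
 * frame layout ([EBP+8] = a, [EBP+0xC] = b, saved EBP at [EBP], return address
 * at [EBP+4]) and the cleanup rule (ADD ESP,8 by the caller vs RETN 8 by the
 * callee) can be checked in numbers. The stack region, initial ESP and the
 * return address value are assumed constants. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_BASE  0x0012FF00u        /* assumed lowest address of the modelled stack region */
#define STACK_BYTES 256u

typedef struct {
    uint8_t  mem[STACK_BYTES];         /* backs [STACK_BASE, STACK_BASE + STACK_BYTES) */
    uint32_t esp, ebp;
} cpu_t;

static uint32_t rd32(const cpu_t *c, uint32_t addr) {   /* little-endian load, like MOV r32, [addr] */
    uint32_t v;
    memcpy(&v, c->mem + (addr - STACK_BASE), 4);
    return v;
}
static void wr32(cpu_t *c, uint32_t addr, uint32_t v) {
    memcpy(c->mem + (addr - STACK_BASE), &v, 4);
}
static void     push(cpu_t *c, uint32_t v) { c->esp -= 4; wr32(c, c->esp, v); }
static uint32_t pop(cpu_t *c)              { uint32_t v = rd32(c, c->esp); c->esp += 4; return v; }

/* add: PUSH EBP / MOV EBP,ESP / MOV EAX,[EBP+8] / ADD EAX,[EBP+0xC] / POP EBP / RETN (8) */
static uint32_t add_callee(cpu_t *c, int callee_stdcall) {
    push(c, c->ebp);                                  /* PUSH EBP: saved frame pointer now at [EBP] */
    c->ebp = c->esp;                                  /* MOV EBP, ESP */
    uint32_t eax = rd32(c, c->ebp + 8);               /* a: first argument, just above the return address */
    eax += rd32(c, c->ebp + 0xC);                     /* b: second argument */
    c->ebp = pop(c);                                  /* POP EBP */
    (void)pop(c);                                     /* RETN pops the return address into EIP */
    if (callee_stdcall) c->esp += 8;                  /* RETN 8: callee discards both arguments */
    return eax;
}

/* main's call site: PUSH 2 / PUSH 1 / CALL add / (ADD ESP,8 if the caller cleans up).
 * Returns EAX; *esp_delta receives ESP after the call minus ESP before it. */
static uint32_t run_call(int callee_stdcall, int caller_cleans, int32_t *esp_delta) {
    cpu_t c;
    memset(&c, 0, sizeof c);
    c.esp = STACK_BASE + STACK_BYTES;                 /* empty stack: ESP at the top of the region */
    c.ebp = c.esp;                                    /* pretend main already set up its frame */
    uint32_t esp_before = c.esp;
    push(&c, 2);                                      /* PUSH 2: right to left, so b goes first */
    push(&c, 1);                                      /* PUSH 1: a */
    push(&c, 0x00401019u);                            /* CALL add pushes the return address (assumed value) */
    uint32_t eax = add_callee(&c, callee_stdcall);
    if (caller_cleans) c.esp += 8;                    /* ADD ESP, 8 */
    *esp_delta = (int32_t)(c.esp - esp_before);
    return eax;
}

uint32_t add_result(int callee_stdcall, int caller_cleans) { int32_t d; return run_call(callee_stdcall, caller_cleans, &d); }
int32_t  esp_delta(int callee_stdcall, int caller_cleans)  { int32_t d; (void)run_call(callee_stdcall, caller_cleans, &d); return d; }

int main(void) {
    printf("cdecl   (caller ADD ESP,8): add(1,2)=%u, ESP drift=%d\n", add_result(0, 1), esp_delta(0, 1));
    printf("stdcall (callee RETN 8):    add(1,2)=%u, ESP drift=%d\n", add_result(1, 0), esp_delta(1, 0));
    printf("mismatch (both clean up):   ESP drift=%d\n", esp_delta(1, 1));
    printf("mismatch (nobody cleans):   ESP drift=%d\n", esp_delta(0, 0));
    return 0;
}
```

The two mismatch rows are what a wrong prototype (a stdcall import declared as cdecl, or the reverse) looks like at run time: ESP drifts by 8 per call and the function returns into garbage a few calls later, which is why RETN 8 vs ADD ESP, 8 is the first thing to look at when a recovered call looks off.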
39 Software Reversing - Day 1: Background (Assembly Patterns) -
40 Day 1 Background (Assembly Language)
Intel vs. AT&T Style
                  Intel                              AT&T
Operand order     operator dest, src                 operator src, dest
                  mov eax, 1                         movl $1, %eax
Prefix            mov ebx, 0ffh                      movl $0xff, %ebx
                  int 80h                            int $0x80
Direction         mov eax, [ecx]                     movl (%ecx), %eax
Memory operand    mov eax, [ebx+3]                   movl 3(%ebx), %eax
                  segreg:[base+index*scale+disp]     %segreg:disp(base,index,scale)
Suffix            mov al, bl                         movb %bl, %al
                  mov ax, bx                         movw %bx, %ax
                  mov eax, ebx                       movl %ebx, %eax
                  mov eax, dword ptr [ebx]           movl (%ebx), %eax
40/110
41 Day 1 Background (Assembly Language)
Instruction Format: operator vs. operand
MOV EBP, ESP: MOV is the operator (op-code, operation code), EBP is operand 1 (destination), ESP is operand 2 (source)
41/110
42 Day 1 Background (Assembly Language)
Instruction Format: encoding and addressing modes
Encoding: Instruction prefixes | Opcode | ModR/M | SIB | Displacement | Immediate
Addressing mode                          Operand form
Immediate                                constant value
Register                                 register
Displacement                             [displacement]
Base register                            [base]
Base register + displacement             [base + displacement]
Index * scale + displacement             [index * scale + displacement]
Base + index + displacement              [base + index + displacement]
Base + index * scale + displacement      [base + index * scale + displacement]
42/110
43 Day 1 Background (Assembly Language)
Memory Addressing Modes
Register addressing
Immediate addressing
Direct addressing
Register indirect addressing
Base-index addressing
Base-index with displacement addressing
43/110
44 Day 1 Background (Assembly Language)
Memory Addressing Modes
Register addressing: only registers are used. Example: INC AX; MOV CX, DX; MOV CH, CL
Immediate addressing: an immediate value is used. Example: MOV BL, 0x44; MOV EAX, 0x72091BAC (register figure: after the MOV, EAX holds 0x72091BAC)
44/110
45 Day 1 Background (Assembly Language)
Memory Addressing Modes
Direct addressing: an immediate address is used. Example: MOV AL, [0x12091EF4]
Memory figure: 0x01 0x02 0x03 0x04 at 0x12091EF1 .. 0x12091EF4, so AL = 0x04 (EAX was shown as ? before the load)
45/110
46 Day 1 Background (Assembly Language)
Memory Addressing Modes
Register indirect addressing: the address is held in a register. Example: MOV AX, [EBX] with EBX = 0x12091EF3
Memory figure: 0x01 0x02 0x03 0x04 at 0x12091EF1 .. 0x12091EF4, so AX = 0x0403 (low byte 0x03 from 0x12091EF3, high byte 0x04 from 0x12091EF4; little-endian)
46/110
47 Day 1 Background (Assembly Language)
Memory Addressing Modes
Base-index addressing: simply combinations of the register indirect addressing mode
Example with EBX = 0x12091EF0, ECX = 0x12091FF4:
  MOV AL, [ECX]        ; AL = 0x9B, the byte at 0x12091FF4
  MOV AX, [ECX - AL]   ; address 0x12091FF4 - 0x9B = 0x12091F59, so AX = 0x8967 (0x67 at 0x12091F59, 0x89 at 0x12091F5A)
The second form is illustrative only: a real encoding needs a 32-bit index register and only addition (with an optional scale) is encodable
Memory figure: 0x00 0x01 0x02 0x03 0x04 at 0x12091EF0 .. 0x12091EF4; 0x01 0x23 0x45 0x67 0x89 0xAB at 0x12091F56 .. 0x12091F5B; 0x9B at 0x12091FF4
47/110
48 Day 1 Background (Assembly Language)
Memory Addressing Modes
Base-index with displacement addressing: base-index addressing plus an immediate displacement (8-bit or 32-bit in 32-bit code)
Example with EBX = 0x12091EF1, ECX = 0x12091FF4: MOV AL, [ECX - 0x9B] reads 0x12091FF4 - 0x9B = 0x12091F59, so AL = 0x67
Memory figure: 0x01 0x02 0x03 0x04 at 0x12091EF1 .. 0x12091EF4; 0x01 0x23 0x45 0x67 0x89 0xAB at 0x12091F56 .. 0x12091F5B; 0x9B at 0x12091FF4
48/110
49 Day 1 Background (Assembly Language)
Basic Instructions
Arithmetic operation instructions: INC, DEC, ADD, SUB, MUL, DIV, ...
Logical operation instructions: AND, OR, XOR, NOT, NEG, SHL, SHR, ...
Data move instructions: MOV, LEA, XCHG, LDS, ...
Comparison instructions: CMP, TEST
Flow control instructions: JMP, JZ, JNZ, JG, JL, JGE, ...
49/110
50 Day 1 Background (Assembly Language)
Basic Instructions: data move instructions, MOV (move) vs. LEA (load effective address)
Example with EBX = 0x12091EF1, ECX = 0x12091FF4 and the memory figure (0x01 0x02 0x03 0x04 at 0x12091EF1 .. 0x12091EF4; 0x01 0x23 0x45 0x67 0x89 0xAB at 0x12091F56 .. 0x12091F5B; 0x9B at 0x12091FF4):
  MOV EAX, EBX           ; EAX = 0x12091EF1 (register copy)
  MOV EAX, [EBX]         ; EAX = 0x04030201 (dword loaded from 0x12091EF1, little-endian)
  MOV AX, [EBX + 2]      ; AX = 0x0403 (word loaded from 0x12091EF3)
  LEA EAX, EBX           ; invalid: LEA requires a memory operand
  LEA EAX, [EBX]         ; EAX = 0x12091EF1 (the address itself; memory is not accessed)
  LEA EAX, [ECX + EBX]   ; EAX = 0x24123EE5 (ECX + EBX computed, nothing loaded; compilers use LEA as a three-operand add)
50/110
51 Day 1 Background (Assembly Language)
Basic Instructions: flow control instructions (1/2)
Instruction  Description                                Flags tested
JA           Jump if (unsigned) above                   CF == 0 and ZF == 0
JAE          Jump if (unsigned) above or equal          CF == 0
JB           Jump if (unsigned) below                   CF == 1
JBE          Jump if (unsigned) below or equal          CF == 1 or ZF == 1
JC           Jump if carry flag set                     CF == 1
JCXZ         Jump if CX is 0                            CX == 0 (no flags)
JE           Jump if equal                              ZF == 1
JECXZ        Jump if ECX is 0                           ECX == 0 (no flags)
JG           Jump if (signed) greater                   ZF == 0 and SF == OF
JGE          Jump if (signed) greater or equal          SF == OF
JL           Jump if (signed) less                      SF != OF
JLE          Jump if (signed) less or equal             ZF == 1 or SF != OF
JNA          Jump if (unsigned) not above               CF == 1 or ZF == 1
JNAE         Jump if (unsigned) not above or equal      CF == 1
JNB          Jump if (unsigned) not below               CF == 0
JNBE         Jump if (unsigned) not below or equal      CF == 0 and ZF == 0
51/110
52 Day 1 Background (Assembly Language)
Basic Instructions: flow control instructions (2/2)
Instruction  Description                                Flags tested
JNC          Jump if carry flag not set                 CF == 0
JNE          Jump if not equal                          ZF == 0
JNG          Jump if (signed) not greater               ZF == 1 or SF != OF
JNGE         Jump if (signed) not greater or equal      SF != OF
JNL          Jump if (signed) not less                  SF == OF
JNLE         Jump if (signed) not less or equal         ZF == 0 and SF == OF
JNO          Jump if overflow flag not set              OF == 0
JNP          Jump if parity flag not set                PF == 0
JNS          Jump if sign flag not set                  SF == 0
JNZ          Jump if zero flag not set                  ZF == 0
JO           Jump if overflow flag set                  OF == 1
JP           Jump if parity flag set                    PF == 1
JPE          Jump if parity even                        PF == 1
JS           Jump if sign flag set                      SF == 1
JZ           Jump if zero flag set                      ZF == 1
52/110
53 Day 1 Background (Assembly Language)
Basic Instructions: comparison instructions, CMP dest, src
Modifies flags: AF, CF, OF, PF, SF, ZF
Computes dest - src and sets the flags from the result; the result itself is not stored
if (result == 0) ZF = 1   # equal
if (result != 0) ZF = 0   # not equal
CF = 1 if dest < src as unsigned values (a borrow occurred), CF = 0 otherwise; the signed ordering is read from SF and OF instead (dest < src signed when SF != OF)
result        ZF  CF
dest < src     0   1   (unsigned)
dest > src     0   0
dest == src    1   0
53/110
54 Day 1 Background (Assembly Language)
Basic Instructions: comparison instructions, TEST dest, src
Modifies flags: SF, ZF, PF are set from the result; CF and OF are cleared (AF is undefined)
Computes dest & src and sets the flags from the result; the result itself is not stored
Typical questions: does dest contain the bit pattern src? Or, as TEST reg, reg: is reg zero?
if (result == 0) ZF = 1   # TRUE: no common bits, or the register is zero
if (result != 0) ZF = 0   # FALSE
Example: TRUE or FALSE?
  FILE *fp;
  fp = fopen(path, "r");
  if (!fp) exit();
  ...
    push eax        ; arguments
    call fopen
    test eax, eax   ; fp == NULL?
    jz exit         ; ZF == 1 means fopen returned NULL
    ...
54/110
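The CMP and TEST flag rules and the two jump tables above, as an added C example that is not part of the lecture: it computes CF, ZF, SF, OF and PF for 32-bit operands the way the CPU does and evaluates each jump condition verbatim from the tables, so the signed/unsigned disagreement on the same CMP can be checked on concrete operands. The bounds-check helpers at the end are an illustration I added; their names are not from the slides.

```c
/* Added example (not from the lecture): the flag arithmetic behind CMP and
 * TEST for 32-bit operands, and the jump conditions from the two tables,
 * evaluated in C so they can be checked on concrete operands. The point a
 * reverser cares about: the same CMP feeds both JA/JB (unsigned) and JG/JL
 * (signed), and the two families disagree once the top bit is set. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { bool cf, zf, sf, of, pf; } flags_t;

typedef enum { JA, JAE, JB, JBE, JE, JNE, JG, JGE, JL, JLE, JS, JNS, JO, JNO, JP, JNP } jcc_t;

/* PF looks only at the low byte of the result: set when it has an even number of 1 bits. */
static bool low_byte_even_parity(uint32_t r) {
    uint8_t b = (uint8_t)r;
    int ones = 0;
    for (; b; b &= (uint8_t)(b - 1)) ones++;
    return (ones & 1) == 0;
}

/* CMP dest, src: compute dest - src, keep the flags, discard the result. */
flags_t x86_cmp(uint32_t dest, uint32_t src) {
    uint32_t r = dest - src;
    flags_t f;
    f.cf = dest < src;                                  /* unsigned borrow */
    f.zf = r == 0;
    f.sf = (r >> 31) != 0;                              /* sign bit of the 32-bit result */
    f.of = (((dest ^ src) & (dest ^ r)) >> 31) != 0;    /* signed overflow of the subtraction */
    f.pf = low_byte_even_parity(r);
    return f;
}

/* TEST dest, src: compute dest & src, keep SF/ZF/PF, clear CF and OF, discard the result. */
flags_t x86_test(uint32_t dest, uint32_t src) {
    uint32_t r = dest & src;
    flags_t f = { false, r == 0, (r >> 31) != 0, false, low_byte_even_parity(r) };
    return f;
}

/* The conditions from the slides' tables, verbatim. */
bool jcc_taken(jcc_t j, flags_t f) {
    switch (j) {
    case JA:  return !f.cf && !f.zf;
    case JAE: return !f.cf;
    case JB:  return f.cf;
    case JBE: return f.cf || f.zf;
    case JE:  return f.zf;
    case JNE: return !f.zf;
    case JG:  return !f.zf && f.sf == f.of;
    case JGE: return f.sf == f.of;
    case JL:  return f.sf != f.of;
    case JLE: return f.zf || f.sf != f.of;
    case JS:  return f.sf;
    case JNS: return !f.sf;
    case JO:  return f.of;
    case JNO: return !f.of;
    case JP:  return f.pf;
    case JNP: return !f.pf;
    }
    return false;
}

/* A bounds check "len <= limit" compiled two ways: JBE treats len as unsigned,
 * JLE as signed. With len = -1 (0xFFFFFFFF) only the signed version passes. */
bool bounds_ok_unsigned(uint32_t len, uint32_t limit) { return jcc_taken(JBE, x86_cmp(len, limit)); }
bool bounds_ok_signed(uint32_t len, uint32_t limit)   { return jcc_taken(JLE, x86_cmp(len, limit)); }

int main(void) {
    flags_t f = x86_cmp(0xFFFFFFFFu, 1);
    printf("CMP -1, 1: CF=%d ZF=%d SF=%d OF=%d -> JA %d, JL %d\n",
           f.cf, f.zf, f.sf, f.of, jcc_taken(JA, f), jcc_taken(JL, f));
    printf("len=-1 vs limit=16: unsigned check %d, signed check %d\n",
           bounds_ok_unsigned(0xFFFFFFFFu, 16), bounds_ok_signed(0xFFFFFFFFu, 16));
    return 0;
}
```

When reading a length check in a disassembly, the mnemonic after the CMP (JBE/JA versus JLE/JG) tells you whether the compiler treated the length as unsigned or signed; a signed compare on a value the attacker can make negative is the classic way such a check is bypassed.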
55 Day 1 Background (Assembly Language)
EBP-Based Framing
Traditional:
  push ebp
  mov ebp, esp
  sub esp, 0x100
Recent OS DLLs:
  mov edi, edi
  push ebp
  mov ebp, esp
Optimized compiles may omit the frame pointer; in that case local variables are referenced from ESP
mov edi, edi is effectively a 2-byte NOP. Why didn't they just use NOP, NOP? It is a hot-patch point: one 2-byte instruction can be replaced atomically with a short jump (into the padding placed before the function), whereas two 1-byte NOPs could not be, because a thread might be stopped between them
Ref URL
55/110
56 Day 1 Background (Assembly Language)
Return values
Sample code:
  push esi
  push edi
  push ecx
  call sub_
  mov esi, eax     ; the return value comes back in EAX
  add esp, 8
Value type: returned in EAX
Address type (pointer, array, structure, ...): EAX holds the address
56/110
57 Day 1 Background (Assembly Language)
Variable and Parameters of Procedure
Local variables vs. parameters, and global variables
[EBP + value] are typically arguments on the stack
[EBP - value] are typically local variables
Really? Not always: with optimization the frame pointer may be omitted and arguments may arrive in registers, so compare the /O2 and /Od builds
Example: C:\Reversing\Demos\Variable_Parameters_O2.exe, C:\Reversing\Demos\Variable_Parameters_Od.exe, C:\Reversing\Docs\Compiler Options in VS.pdf
57/110
58 Day 1 Background (Assembly Language)
Variable and Parameters of Procedure: structure access
Sample code:
  push ebp
  mov ebp, esp
  mov eax, off_deadbeef
  push ebx
  mov ebx, [ebp + arg_0]
  push esi
  cmp ebx, [eax + 14h]
  push edi
  ja short loc_
  cmp [eax + 8], ebx
  sbb esi, esi
EAX is loaded from a global variable. Also, [EAX + offset] is used with EAX, which means this global variable is a pointer (to a structure whose fields at +8 and +14h are compared against the argument)
58/110
59 Day 1 Background (Assembly Language)
Inline memcpy() / strcpy()
Inline code:
  mov esi, source
  mov edi, [ebp-64]    ; destination
  mov ebx, ecx         ; save the byte count
  shr ecx, 2           ; count / 4
  rep movsd            ; copies ECX dwords from [ESI] to [EDI]
  mov ecx, ebx
  and ecx, 3           ; count % 4
  rep movsb            ; copies the remaining 0..3 bytes
rep movsd copies ECX dwords from ESI to EDI; rep movsb copies the remainder byte by byte. Recognize this pair as an inlined memcpy rather than a call
59/110
60 Software Reversing - Day 1: Basic Analysis (PE Format) -
61 Day 1 Basic Analysis (PE File Format)
PE (Portable Executable)
History: Microsoft based the PE file format on the Unix COFF (Common Object File Format); as such it is sometimes referred to as PE/COFF
"Portable" in PE means: supports both 32-bit (PE32) and 64-bit (PE32+); supports MIPS, DEC Alpha, PowerPC and ARM as well as x86
File extensions: EXE, DLL, OCX, SYS, LIB, ...
61/110
62 Day 1 Basic Analysis (PE File Format) PE (Portable Executable) PE Layout C:\Reversing\Docs\PE_Format_Layout.pdf 62/110
63 Day 1 Basic Analysis (PE File Format) PE (Portable Executable) Basic structure (notepad.exe) 63/110
64 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (1/30): DOS and NT Headers
Overview
DOS header: contains the very basic information needed to process PE files (e_magic, e_lfanew)
DOS stub: the small program that prints "This program cannot be run in DOS mode"
NT headers: contain the bulk of the information about the PE file; a different set of headers is present depending on the type of data the PE file represents
64/110
65 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (2/30): IMAGE_DOS_HEADER (size : 0x40)
DOS reference: Mark Zbikowski (the "MZ" signature is his initials)
65/110
66 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (3/30): MyTiny_PE.exe DOS header & DOS stub
DOS header: e_magic : 0x5A4D ("MZ", a WORD), e_lfanew : 0x (file offset of the PE signature)
DOS stub: ...
66/110
67 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (4/30): PE (NT) headers, File header
It is the first of the NT headers: the File Header follows immediately after the PE signature
Interesting fields:
Machine indicates the target architecture for this file
NumberOfSections: the number of sections in the PE file; needed when walking the section headers
TimeDateStamp is not of critical importance, but some malware does not zero it, so it might give insight into the approximate build time (easily faked)
SizeOfOptionalHeader is important: it gives the exact size of the Optional Header, which is needed to locate the section table and properly parse the PE file
67/110
68 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (5/30) IMAGE_NT_HEADERS (size: 0xE0) 68/110
69 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (6/30) IMAGE_FILE_HEADER Machine Type 69/110
70 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (7/30): MyTiny_PE.exe NT Header (1/4)
IMAGE_NT_HEADERS Signature : 0x00004550 ("PE\0\0")
IMAGE_FILE_HEADER
  Machine : 0x014C (IMAGE_FILE_MACHINE_I386)
  NumberOfSections : 0x0003
  TimeDateStamp, PointerToSymbolTable, NumberOfSymbols : 0x00
  SizeOfOptionalHeader : 0x00E0
  Characteristics : 0x010F (executable image, relocations stripped, 32-bit machine)
70/110
71 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (8/30): PE (NT) headers, Optional header view (1/2)
Magic : 0x10B (PE32; 0x20B is PE32+)
AddressOfEntryPoint is the RVA where execution of the executable code begins (other code within the executable, such as TLS callbacks, can gain control before the entry point)
ImageBase: all RVAs are relative to this preferred load address (with ASLR the actual base may differ). It is also usually possible to find the PE header of the executable at this address in memory (unless it has been intentionally erased)
SectionAlignment is the alignment of the sections in memory
FileAlignment is the alignment of the sections on disk
71/110
72 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (9/30): PE (NT) headers, Optional header view (2/2)
Operating-system-related fields contain version-specific information
NumberOfRvaAndSizes is the number of directory entries in the following array. The size of the Optional Header varies with it, something that some tools forget (assuming a constant default of 16 entries)
RVA (Relative Virtual Address): an offset from ImageBase
DataDirectory is an array of structures pointing to additional information such as the Import and Export tables
72/110
73 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (10/30) IMAGE_OPTIONAL_HEADER32 (size : 0xE0) 73/110
74 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (11/30): MyTiny_PE.exe PE (NT) Header (1/2), IMAGE_OPTIONAL_HEADER32
WORD  Magic; 0x010B
BYTE  MajorLinkerVersion, MinorLinkerVersion; 0x00
DWORD SizeOfCode; 0x
DWORD SizeOfInitializedData, SizeOfUninitializedData; 0x
DWORD AddressOfEntryPoint; 0x
DWORD BaseOfCode; 0x
DWORD BaseOfData; 0x
DWORD ImageBase; 0x
DWORD SectionAlignment; 0x
DWORD FileAlignment; 0x
WORD  MajorOperatingSystemVersion ~ MinorSubsystemVersion; 0x0000
DWORD Win32VersionValue; 0x
DWORD SizeOfImage; 0x
DWORD SizeOfHeaders; 0x
DWORD CheckSum; 0x
WORD  Subsystem; 0x0002 (IMAGE_SUBSYSTEM_WINDOWS_GUI)
WORD  DllCharacteristics; 0x0000
DWORD SizeOfStackReserve, SizeOfHeapReserve; 0x
DWORD SizeOfStackCommit, SizeOfHeapCommit; 0x
DWORD LoaderFlags; 0x
DWORD NumberOfRvaAndSizes; 0x
74/110
75 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (12/30) MyTiny_PE.exe PE (NT) Header (2/2) 75/110
76 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (13/30): IMAGE_DATA_DIRECTORY indices
0x00 IMAGE_DIRECTORY_ENTRY_EXPORT
0x01 IMAGE_DIRECTORY_ENTRY_IMPORT
0x02 IMAGE_DIRECTORY_ENTRY_RESOURCE
0x03 IMAGE_DIRECTORY_ENTRY_EXCEPTION
0x04 IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode certificate table; this entry is a file offset, not an RVA)
0x05 IMAGE_DIRECTORY_ENTRY_BASERELOC
0x06 IMAGE_DIRECTORY_ENTRY_DEBUG
0x07 IMAGE_DIRECTORY_ENTRY_COPYRIGHT (IMAGE_DIRECTORY_ENTRY_ARCHITECTURE in current headers)
0x08 IMAGE_DIRECTORY_ENTRY_GLOBALPTR
0x09 IMAGE_DIRECTORY_ENTRY_TLS
0x0A IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
0x0B IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT
0x0C IMAGE_DIRECTORY_ENTRY_IAT
0x0D IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT
0x0E IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (.NET CLR header)
0x0F reserved
76/110
77 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (14/30): MyTiny_PE.exe PE (NT) Header, IMAGE_DATA_DIRECTORY
8 bytes x 16 entries = 128 (0x80) bytes; filled with 0x00 at this stage (the import entry is filled in later)
77/110
78 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (15/30): Section Header view
VirtualSize is the size of the section once loaded in memory (can be bigger than SizeOfRawData; in that case the remainder is zero-filled)
VirtualAddress is the address of the section in memory, relative to ImageBase (an RVA)
SizeOfRawData is the size of the section on disk (can be bigger than VirtualSize, because it is rounded up to a multiple of FileAlignment)
PointerToRawData is the offset within the file of the contents to be loaded into memory (should be a multiple of FileAlignment)
Characteristics contains flags such as whether the section can be executed, read, written to, etc.
78/110
79 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (16/30) IMAGE_SECTION_HEADER (size : 0x28) 79/110
80 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (17/30): MyTiny_PE.exe Section Header (1/3), tinytext section
BYTE  Name[8]; "tinytext"
DWORD VirtualSize; 0x
DWORD VirtualAddress; 0x
DWORD SizeOfRawData; 0x
DWORD PointerToRawData; 0x
DWORD Characteristics; 0x
80/110
81 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (18/30): MyTiny_PE.exe Section Header (2/3), tinydata section
BYTE  Name[8]; "tinydata"
DWORD VirtualSize; 0x
DWORD VirtualAddress; 0x
DWORD SizeOfRawData; 0x
DWORD PointerToRawData; 0x
DWORD Characteristics; 0xC
81/110
82 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (19/30): MyTiny_PE.exe Section Header (3/3), tinyrdat section
BYTE  Name[8]; "tinyrdat"
DWORD VirtualSize; 0x
DWORD VirtualAddress; 0x
DWORD SizeOfRawData; 0x
DWORD PointerToRawData; 0x
DWORD Characteristics; 0x
82/110
83 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (20/30): MyTiny_PE.exe tinytext section
55              PUSH EBP
8B EC           MOV EBP, ESP
6A 30           PUSH 0x30                      ; uType (style)
68 ..           PUSH 0x..                      ; lpCaption
68 ..           PUSH 0x..                      ; lpText
6A 00           PUSH 0x00                      ; hWnd (first parameter, pushed last: stdcall, right to left)
E8 ..           CALL 0x..                      ; user32.MessageBoxA, via the thunk below
8B E5           MOV ESP, EBP
5D              POP EBP
C3              RETN
FF 25 ..        JMP DWORD PTR DS:[0x403030]    ; thunk: jump through the IAT slot that holds MessageBoxA's address
83/110
84 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (21/30): MyTiny_PE.exe tinydata section
0x..  "Reverse Engineering"   ; caption string
0x..  "My First PE!!!"        ; text string
84/110
85 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (22/30): Overview of the Import Address Table (IAT)
The primary function of the import table is to give the loader enough information to resolve the API functions and other symbols the executable needs
It also gives the analyst a summary of the range of actions the executable can take
Therefore hiding / obfuscating the IAT is a common technique to deprive analysts of that quick overview
Packers / obfuscators destroy and rebuild the IAT at run time with varying degrees of complexity
85/110
86 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (23/30): Dynamic Link Library (DLL)
No DLLs in 16-bit DOS
Implicit (load-time) linking: __declspec(dllimport) / __declspec(dllexport) with an import library; the loader fills the IAT before the entry point runs
Explicit (run-time) linking: LoadLibrary(), GetProcAddress(), FreeLibrary(); these imports do not appear in the import table, which is why packers and malware resolve their APIs this way
86/110
87 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (24/30): IMAGE_IMPORT_DESCRIPTOR
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD Characteristics;
        DWORD OriginalFirstThunk;   // RVA of the original unbound IAT (Import Lookup / Name Table, an IMAGE_THUNK_DATA array)
    };
    DWORD TimeDateStamp;
    DWORD ForwarderChain;
    DWORD Name;                     // RVA of the library name string
    DWORD FirstThunk;               // RVA of the IAT (Import Address Table)
} IMAGE_IMPORT_DESCRIPTOR;
typedef struct _IMAGE_THUNK_DATA {
    union {
        DWORD ForwarderString;
        DWORD Function;
        DWORD Ordinal;
        DWORD AddressOfData;        // RVA of an IMAGE_IMPORT_BY_NAME
    } u1;
} IMAGE_THUNK_DATA;
typedef struct _IMAGE_IMPORT_BY_NAME {
    WORD Hint;                      // ordinal hint
    BYTE Name[1];                   // function name string
} IMAGE_IMPORT_BY_NAME;
87/110
88 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (25/30) IMAGE_IMPORT_DESCRIPTOR Before binding After binding 88/110
89 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (26/30): Example (notepad.exe) (1/2)
IMAGE_OPTIONAL_HEADER.DataDirectory[1].VirtualAddress: where is the import table in the file (notepad.exe)?
RVA (Relative Virtual Address) vs. RAW (file offset): within one section, the distance from the section start is the same in memory and on disk
RVA - VirtualAddress (section) = RAW - PointerToRawData (section)
RAW = RVA - VirtualAddress + PointerToRawData
For the .text section (VirtualAddress 0x1000, PointerToRawData 0x400): RAW = 0x7604 - 0x1000 + 0x400 = 0x6A04
89/110
90 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (27/30): Example (notepad.exe) (2/2)
Structure: IMAGE_OPTIONAL_HEADER.DataDirectory[1] -> IMAGE_IMPORT_DESCRIPTOR
Field                      RVA          RAW
OriginalFirstThunk (INT)   0x7990       0x6D90
TimeDateStamp              0xFFFFFFFF   (-1: the import is bound, new-style binding)
ForwarderChain             0xFFFFFFFF   (-1: no forwarders)
Name                       0x7AAC       0x6EAC
FirstThunk (IAT)           0x12C4       0x06C4
90/110
91 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (28/30): MyTiny_PE.exe IAT (Import Address Table), tinyrdat section
RAW (0x600) = RVA (0x3000) - VirtualAddress (0x3000) + PointerToRawData (0x600)
In memory (hex dump, columns 0..F):
  IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk (0x..), Name (0x..), FirstThunk (0x..)
  IAT (0x..) and ILT / INT (0x..): one IMAGE_THUNK_DATA entry each, followed by a null terminator
  Strings: "user32.dll", and an IMAGE_IMPORT_BY_NAME with hint followed by "MessageBoxA"
91/110
92 Day 1 Basic Analysis (PE File Format)
Understanding and Making PE (29/30): MyTiny_PE.exe IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_IMPORT]
VirtualAddress (RVA) : 0x (points at the IMAGE_IMPORT_DESCRIPTOR in tinyrdat)
Size : 0x
92/110
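The header walk described across these slides (MZ, e_lfanew, "PE\0\0", file header, optional header, section table) and the RVA-to-file-offset formula from the notepad.exe example, as an added C example that is not the slides' MyTiny_PE.exe or its tools: it builds a constructed PE32 header image in memory with the layout the MyTiny_PE.exe slides imply (three sections, import directory at RVA 0x3000 inside a section at RVA 0x3000 / file offset 0x600), parses it with every offset checked against the buffer length, and converts the import directory RVA to a file offset. Section sizes, the image base and the directory size are assumed values; the notepad.exe .text numbers are the ones the slides give.

```c
/* Added example, not from the slides: minimal PE32 header parser with the
 * RVA -> file-offset conversion from the notepad.exe / MyTiny_PE.exe slides,
 * run on a constructed in-memory image. Offsets and sizes are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct { uint32_t vsize, va, rawsize, rawptr; } pe_sec_t;
typedef struct { uint32_t nt_off, nsec, sec_off, import_rva; pe_sec_t sec[96]; } pe_info_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* The slides' formula, RAW = RVA - VirtualAddress + PointerToRawData, applied to
 * the one section whose virtual range contains the RVA. Returns -1 if none does. */
int64_t rva_to_raw(const pe_sec_t *s, uint32_t n, uint32_t rva) {
    for (uint32_t i = 0; i < n; i++) {
        uint32_t span = s[i].vsize > s[i].rawsize ? s[i].vsize : s[i].rawsize;
        if (rva >= s[i].va && rva - s[i].va < span)
            return (int64_t)s[i].rawptr + (rva - s[i].va);
    }
    return -1;
}

/* MZ -> e_lfanew -> "PE\0\0" -> IMAGE_FILE_HEADER -> IMAGE_OPTIONAL_HEADER32 -> section table.
 * Every offset is checked against len: all of these fields are attacker-controlled
 * in a sample handed to an analysis tool. Returns 0 on success, -1 if malformed. */
int pe_parse(const uint8_t *img, size_t len, pe_info_t *out) {
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;             /* "MZ" */
    uint64_t nt = rd32(img + 0x3C);                                 /* e_lfanew */
    if (nt + 24 > len || rd32(img + nt) != 0x00004550) return -1;   /* "PE\0\0" */
    uint32_t nsec = rd16(img + nt + 6), optsz = rd16(img + nt + 20);
    if (nsec == 0 || nsec > 96) return -1;                          /* Windows loader limit on sections */
    uint64_t opt = nt + 24, sec = opt + optsz;
    if (optsz < 0xE0 || sec + (uint64_t)nsec * 40 > len) return -1;
    if (rd16(img + opt) != 0x10B) return -1;                        /* PE32 magic */
    uint32_t ndir = rd32(img + opt + 92);                           /* NumberOfRvaAndSizes */
    out->import_rva = ndir > 1 ? rd32(img + opt + 96 + 8 * 1) : 0;  /* DataDirectory[1].VirtualAddress */
    out->nt_off = (uint32_t)nt; out->nsec = nsec; out->sec_off = (uint32_t)sec;
    for (uint32_t i = 0; i < nsec; i++) {
        const uint8_t *h = img + sec + 40 * i;
        out->sec[i] = (pe_sec_t){ rd32(h + 8), rd32(h + 12), rd32(h + 16), rd32(h + 20) };
        if ((uint64_t)out->sec[i].rawptr + out->sec[i].rawsize > len) return -1; /* raw data past end of file */
    }
    return 0;
}

/* File offset of the IMAGE_IMPORT_DESCRIPTOR array, or -1 if absent or malformed. */
int64_t pe_import_table_raw(const uint8_t *img, size_t len) {
    pe_info_t pi;
    if (pe_parse(img, len, &pi) != 0 || pi.import_rva == 0) return -1;
    return rva_to_raw(pi.sec, pi.nsec, pi.import_rva);
}

/* The slides' notepad.exe .text section: VirtualAddress 0x1000, PointerToRawData 0x400
 * (VirtualSize 0x7748 and SizeOfRawData 0x7800 from the Day 2 layout slides). */
int64_t notepad_text_rva_to_raw(uint32_t rva) {
    pe_sec_t text = { 0x7748, 0x1000, 0x7800, 0x400 };
    return rva_to_raw(&text, 1, rva);
}

/* Constructed PE32 image modelled on MyTiny_PE.exe: three sections, import directory
 * at RVA 0x3000 inside tinyrdat (VirtualAddress 0x3000, PointerToRawData 0x600). */
#define TINY_LEN 0x800
static uint8_t g_tiny[TINY_LEN];
const uint8_t *tiny_pe(void) {
    uint8_t *p = g_tiny; memset(p, 0, TINY_LEN);
    wr16(p, 0x5A4D); wr32(p + 0x3C, 0x40);                                   /* DOS header: e_magic, e_lfanew */
    wr32(p + 0x40, 0x00004550);                                              /* PE signature */
    wr16(p + 0x44, 0x014C); wr16(p + 0x46, 3); wr16(p + 0x54, 0xE0); wr16(p + 0x56, 0x010F);
    uint8_t *o = p + 0x58;                                                   /* IMAGE_OPTIONAL_HEADER32 */
    wr16(o, 0x10B); wr32(o + 16, 0x1000); wr32(o + 28, 0x00400000);          /* Magic, EntryPoint, ImageBase (assumed) */
    wr32(o + 32, 0x1000); wr32(o + 36, 0x200); wr32(o + 56, 0x4000); wr32(o + 60, 0x200);
    wr16(o + 68, 2); wr32(o + 92, 16); wr32(o + 96 + 8, 0x3000); wr32(o + 96 + 12, 0x3C); /* import dir RVA/size */
    static const char *names[3] = { "tinytext", "tinydata", "tinyrdat" };
    for (uint32_t i = 0; i < 3; i++) {                                       /* section table at 0x58 + 0xE0 = 0x138 */
        uint8_t *h = p + 0x138 + 40 * i;
        memcpy(h, names[i], 8);
        wr32(h + 8, 0x200); wr32(h + 12, 0x1000 * (i + 1));                  /* VirtualSize, VirtualAddress */
        wr32(h + 16, 0x200); wr32(h + 20, 0x200 * (i + 1));                  /* SizeOfRawData, PointerToRawData */
        wr32(h + 36, i == 0 ? 0x60000020u : i == 1 ? 0xC0000040u : 0x40000040u); /* Characteristics */
    }
    return g_tiny;
}

/* Tamper check: an e_lfanew pointing past the end of the file must be rejected, not followed. */
int tiny_pe_rejects_bad_lfanew(void) {
    uint8_t copy[TINY_LEN]; memcpy(copy, tiny_pe(), TINY_LEN);
    wr32(copy + 0x3C, 0x7FFFFFF0);
    pe_info_t pi;
    return pe_parse(copy, TINY_LEN, &pi) != 0;
}

int main(void) {
    printf("tiny PE: import table at file offset 0x%llx\n", (long long)pe_import_table_raw(tiny_pe(), TINY_LEN));
    printf("notepad.exe: RVA 0x7604 -> RAW 0x%llx\n", (long long)notepad_text_rva_to_raw(0x7604));
    printf("bad e_lfanew rejected: %d\n", tiny_pe_rejects_bad_lfanew());
    return 0;
}
```

The bounds checks are the part worth copying: e_lfanew, NumberOfSections, SizeOfOptionalHeader and PointerToRawData are all read from the sample, and a malformed value in any of them is a classic way for a sample to crash or mislead the tool that is analysing it.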
93 Day 1 Basic Analysis (PE File Format) Understanding and Making PE (30/30) MyTiny_PE.exe 93/110
94 Software Reversing - Day 2: Basic Analysis (Packing/Unpacking) -
95 Day 2 Basic Analysis (Packing and Unpacking)
Packing MyTiny_PE.exe: the four steps
1. Encode the code in its section: compress or encrypt it
2. Insert decode code (the stub) in a section: it decompresses or decrypts the code at run time
3. Modify the entry point in the optional header so that it points at the decode stub
4. Modify the characteristics in the section header: the code section must become writable, because the stub writes the decoded bytes back in place
95/110
96 Day 2 Basic Analysis (Packing and Unpacking) Packing MyTiny_PE.exe Encoding of code in section (1/2) XOR encoding (with 0x4E) 96/110
97 Day 2 Basic Analysis (Packing and Unpacking) Packing MyTiny_PE.exe Encoding of code in section (2/2) XOR encoding (with 0x4E) 97/110
98 Day 2 Basic Analysis (Packing and Unpacking) Packing MyTiny_PE.exe Inserting decode code in section XOR decoding (with 0x4E) 98/110
99 Day 2 Basic Analysis (Packing and Unpacking) Packing MyTiny_PE.exe Modifying entry-point in optional header (1/2) 99/110
100 Day 2 Basic Analysis (Packing and Unpacking) Packing MyTiny_PE.exe Modifying entry-point in optional header (2/2) Editor Tools LoadPE 100/110
101 Day 2 Basic Analysis (Packing and Unpacking) Packing MyTiny_PE.exe Modifying characteristics in section header 101/110
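The four packing steps above, as an added C example (not the slides' own packer or stub): the XOR-with-0x4E encoding the packer applies on disk, the identical loop the inserted stub runs at the new entry point, the section-flag change that makes the in-place decode legal, and a known-plaintext key recovery showing why a single-byte XOR costs an analyst one known byte. The tinytext bytes are a constructed sample built from the opcodes visible on the slide (the lost PUSH and CALL operands are left out); XOR_KEY is the 0x4E from the slides.

```c
/* Added example, not the slides' own packer: the XOR-with-0x4E encoding from
 * the packing walkthrough, the matching decode loop the inserted stub has to
 * run before jumping to the original entry point, the section-flag change that
 * makes the decoded bytes writable in place, and a known-plaintext key recovery
 * that shows why this "protection" does not survive a reverser who knows what a
 * function prologue looks like. The tinytext bytes are a constructed sample built
 * from the opcodes visible on the slide; the lost PUSH/CALL operands are omitted. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define XOR_KEY 0x4E
#define IMAGE_SCN_MEM_WRITE 0x80000000u

/* Constructed stand-in for MyTiny_PE.exe's tinytext section:
 * PUSH EBP; MOV EBP,ESP; PUSH 0x30; PUSH 0; MOV ESP,EBP; POP EBP; RETN */
static const uint8_t TINYTEXT[] = { 0x55, 0x8B, 0xEC, 0x6A, 0x30, 0x6A, 0x00, 0x8B, 0xE5, 0x5D, 0xC3 };
#define TINYTEXT_LEN (sizeof TINYTEXT)

/* The standard frame prologue: what an analyst expects at a function start. */
const uint8_t PROLOGUE[3] = { 0x55, 0x8B, 0xEC };

/* Step 1 (packer, on disk) and step 2 (stub, at run time) are the same loop:
 * XOR is its own inverse. The stub walks [section start, section end). */
void xor_section(uint8_t *section, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++) section[i] ^= key;
}

/* Step 4: IMAGE_SECTION_HEADER.Characteristics must gain IMAGE_SCN_MEM_WRITE,
 * otherwise the in-place decode faults on a read-only code page. */
uint32_t make_section_writable(uint32_t characteristics) {
    return characteristics | IMAGE_SCN_MEM_WRITE;
}

/* Packed copy of the sample, as the packer would leave it in the file. */
const uint8_t *packed_tinytext(void) {
    static uint8_t packed[TINYTEXT_LEN];
    memcpy(packed, TINYTEXT, TINYTEXT_LEN);
    xor_section(packed, TINYTEXT_LEN, XOR_KEY);
    return packed;
}
size_t packed_tinytext_len(void) { return TINYTEXT_LEN; }

/* Key recovery by known plaintext: try all 256 single-byte keys and keep the one
 * that decodes the section start into the expected prologue bytes.
 * Returns the key, -1 if none matches, -2 if more than one does. */
int find_xor_key(const uint8_t *packed, size_t len, const uint8_t *known, size_t known_len) {
    int found = -1;
    if (known_len == 0 || known_len > len) return -1;
    for (int key = 0; key < 256; key++) {
        size_t i;
        for (i = 0; i < known_len && (packed[i] ^ key) == known[i]; i++) ;
        if (i == known_len) { if (found != -1) return -2; found = key; }
    }
    return found;
}

/* Whole pipeline: pack, recover the key from the prologue, unpack, compare with the original. */
int pack_unpack_roundtrip_ok(void) {
    uint8_t buf[TINYTEXT_LEN];
    memcpy(buf, packed_tinytext(), TINYTEXT_LEN);
    if (memcmp(buf, TINYTEXT, TINYTEXT_LEN) == 0) return 0;          /* packing must change the bytes */
    int key = find_xor_key(buf, TINYTEXT_LEN, PROLOGUE, sizeof PROLOGUE);
    if (key < 0) return 0;
    xor_section(buf, TINYTEXT_LEN, (uint8_t)key);
    return memcmp(buf, TINYTEXT, TINYTEXT_LEN) == 0;
}

int main(void) {
    const uint8_t *p = packed_tinytext();
    printf("packed section starts %02X %02X %02X (was 55 8B EC)\n", p[0], p[1], p[2]);
    printf("recovered key 0x%02X, roundtrip ok=%d\n",
           find_xor_key(p, packed_tinytext_len(), PROLOGUE, sizeof PROLOGUE), pack_unpack_roundtrip_ok());
    printf("tinytext characteristics 0x60000020 -> 0x%08X\n", make_section_writable(0x60000020u));
    return 0;
}
```

Two things carry over to real packers: the stub's decode loop is always somewhere in the file, so the key (here a single byte) is recoverable by reading the stub or by known plaintext; and the writable code section added in step 4 (a section that is both executable and writable) is itself a static indicator that the file decodes code at run time.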
102 Day 2 Basic Analysis (Packing and Unpacking) Exercise Manual Unpacking notepad.exe vs. notepad_upx.exe 102/110
103 Day 2 Basic Analysis (Packing and Unpacking)
Exercise: Manual Unpacking, notepad.exe vs. notepad_upx.exe on file
notepad.exe (file offset: content, size)
  0x00000000: DOS Header
  0x00000040: DOS Stub
  0x000000E0: NT Header
  0x000001D8: Section Headers (.text, .data, .rsrc)
  0x00000400: Section .text, 0x7800 bytes
  0x00007C00: Section .data, 0x800 bytes
  0x00008400: Section .rsrc, 0x8400 bytes (file ends at 0x10800)
notepad_upx.exe (file offset: content, size)
  0x00000000: DOS Header
  0x00000040: DOS Stub
  0x000000E0: NT Header
  0x000001D8: Section Headers (UPX0, UPX1, .rsrc)
  0x00000400: Section UPX0, 0x0000 bytes on disk (raw size zero; receives the unpacked code at run time)
  0x00000400: Section UPX1, 0x4600 bytes (compressed data and the decompression stub)
  0x00004A00: Section .rsrc, 0x7200 bytes (file ends at 0xBC00)
Gaps between the parts are NULL padding up to the file alignment
103/110
104 Day 2 Basic Analysis (Packing and Unpacking)
Exercise: Manual Unpacking, notepad.exe vs. notepad_upx.exe in memory (ImageBase 0x01000000)
notepad.exe (address: content, VirtualSize)
  0x01000000: DOS Header
  0x01000040: DOS Stub
  0x010000E0: NT Header
  0x010001D8: Section Headers (.text, .data, .rsrc)
  0x01001000: Section .text, 0x7748 (contains the Entry Point, 0x0100....D)
  0x01009000: Section .data, 0x1B48
  0x0100B000: Section .rsrc, 0x8314
notepad_upx.exe (address: content, VirtualSize)
  0x01000000: DOS Header
  0x01000040: DOS Stub
  0x010000E0: NT Header
  0x010001D8: Section Headers (UPX0, UPX1, .rsrc)
  0x01001000: Section UPX0, 0x10000 (empty on disk; the original .text and .data are decompressed into it)
  0x01011000: Section UPX1, 0x4600 (compressed data and stub; the packed Entry Point is in this section)
  0x01016000: Section .rsrc, 0x7200
Gaps between the parts are NULL padding up to the section alignment
104/110
105 Day 2 Basic Analysis (Packing and Unpacking) Exercise Manual Unpacking Tracing of decompressed code 105/110
106 Day 2 Basic Analysis (Packing and Unpacking) Exercise Manual Unpacking IAT Table Recovery kernel32 GetProcAddress() 106/110
107 Day 2 Basic Analysis (Packing and Unpacking) Exercise Manual Unpacking Finding OEP (Original Entry-Point) in notepad_upx.exe Step-Over (F8) 107/110
108 Day 2 Basic Analysis (Packing and Unpacking) Exercise Manual Unpacking Process Dump (plugin ollydump) OllyDump Disable 108/110
109 Day 2 Basic Analysis (Packing and Unpacking) Exercise Manual Unpacking Recovery of IAT (C:\Reversing\Tools\ImportREC) /110
110 Reverse Engineering kkyoup (A) gmail.com 110/110
More informationScott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998
Scott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998 Assembler Syntax Everything looks like this: label: instruction dest,src instruction label Comments: comment $ This is a comment
More informationLab 6: Conditional Processing
COE 205 Lab Manual Lab 6: Conditional Processing Page 56 Lab 6: Conditional Processing Contents 6.1. Unconditional Jump 6.2. The Compare Instruction 6.3. Conditional Jump Instructions 6.4. Finding the
More informationCSC 2400: Computer Systems. Towards the Hardware: Machine-Level Representation of Programs
CSC 2400: Computer Systems Towards the Hardware: Machine-Level Representation of Programs Towards the Hardware High-level language (Java) High-level language (C) assembly language machine language (IA-32)
More informationComputer Architecture..Second Year (Sem.2).Lecture(4) مدرس المادة : م. سندس العزاوي... قسم / الحاسبات
مدرس المادة : م. سندس العزاوي... قسم / الحاسبات... - 26 27 Assembly Level Machine Organization Usage of AND, OR, XOR, NOT AND : X Y X AND Y USE : to chick any bit by change ( to ) or ( to ) EX : AX = FF5
More informationCSC 8400: Computer Systems. Machine-Level Representation of Programs
CSC 8400: Computer Systems Machine-Level Representation of Programs Towards the Hardware High-level language (Java) High-level language (C) assembly language machine language (IA-32) 1 Compilation Stages
More informationLab 3. The Art of Assembly Language (II)
Lab. The Art of Assembly Language (II) Dan Bruce, David Clark and Héctor D. Menéndez Department of Computer Science University College London October 2, 2017 License Creative Commons Share Alike Modified
More information8086 INSTRUCTION SET
8086 INSTRUCTION SET Complete 8086 instruction set Quick reference: AAA AAD AAM AAS ADC ADD AND CALL CBW CLC CLD CLI CMC CMP CMPSB CMPSW CWD DAA DAS DEC DIV HLT IDIV IMUL IN INC INT INTO I JA JAE JB JBE
More informationCNIT 127: Exploit Development. Ch 1: Before you begin. Updated
CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial
More informationAssembler Programming. Lecture 2
Assembler Programming Lecture 2 Lecture 2 8086 family architecture. From 8086 to Pentium4. Registers, flags, memory organization. Logical, physical, effective address. Addressing modes. Processor Processor
More informationLecture (02) The Microprocessor and Its Architecture By: Dr. Ahmed ElShafee
Lecture (02) The Microprocessor and Its Architecture By: Dr. Ahmed ElShafee ١ INTERNAL MICROPROCESSOR ARCHITECTURE Before a program is written or instruction investigated, internal configuration of the
More informationCMSC 313 Lecture 05 [draft]
CMSC 313 Lecture 05 [draft] More on Conditional Jump Instructions Short Jumps vs Near Jumps Using Jump Instructions Logical (bit manipulation) Instructions AND, OR, NOT, SHL, SHR, SAL, SAR, ROL, ROR, RCL,
More informationStatic Analysis I PAOLO PALUMBO, F-SECURE CORPORATION
Static Analysis I PAOLO PALUMBO, F-SECURE CORPORATION Representing Data Binary numbers 1 0 1 1 NIBBLE 0xB 1 0 1 1 1 1 0 1 0xBD 1 0 1 1 1 1 0 1 0 0 1 1 1 0 0 1 BYTE WORD 0xBD 0x39 Endianness c9 33 41 03
More informationConditional Processing
١ Conditional Processing Computer Organization & Assembly Language Programming Dr Adnan Gutub aagutub at uqu.edu.sa Presentation Outline [Adapted from slides of Dr. Kip Irvine: Assembly Language for Intel-Based
More informationAn Introduction to x86 ASM
An Introduction to x86 ASM Malware Analysis Seminar Meeting 1 Cody Cutler, Anton Burtsev Registers General purpose EAX, EBX, ECX, EDX ESI, EDI (index registers, but used as general in 32-bit protected
More informationx86 architecture et similia
x86 architecture et similia 1 FREELY INSPIRED FROM CLASS 6.828, MIT A full PC has: PC architecture 2 an x86 CPU with registers, execution unit, and memory management CPU chip pins include address and data
More information6/17/2011. Introduction. Chapter Objectives Upon completion of this chapter, you will be able to:
Chapter 2: The Microprocessor and its Architecture Chapter 2: The Microprocessor and its Architecture Chapter 2: The Microprocessor and its Architecture Introduction This chapter presents the microprocessor
More informationModule 3 Instruction Set Architecture (ISA)
Module 3 Instruction Set Architecture (ISA) I S A L E V E L E L E M E N T S O F I N S T R U C T I O N S I N S T R U C T I O N S T Y P E S N U M B E R O F A D D R E S S E S R E G I S T E R S T Y P E S O
More informationThe Microprocessor and its Architecture
The Microprocessor and its Architecture Contents Internal architecture of the Microprocessor: The programmer s model, i.e. The registers model The processor model (organization) Real mode memory addressing
More informationProcess Layout and Function Calls
Process Layout and Function Calls CS 6 Spring 07 / 8 Process Layout in Memory Stack grows towards decreasing addresses. is initialized at run-time. Heap grow towards increasing addresses. is initialized
More informationCS61 Section Solutions 3
CS61 Section Solutions 3 (Week of 10/1-10/5) 1. Assembly Operand Specifiers 2. Condition Codes 3. Jumps 4. Control Flow Loops 5. Procedure Calls 1. Assembly Operand Specifiers Q1 Operand Value %eax 0x104
More informationmith College Computer Science CSC231 Assembly Week #9 Spring 2017 Dominique Thiébaut
mith College Computer Science CSC231 Assembly Week #9 Spring 2017 Dominique Thiébaut dthiebaut@smith.edu 2 Videos to Watch at a Later Time https://www.youtube.com/watch?v=fdmzngwchdk https://www.youtube.com/watch?v=k2iz1qsx4cm
More informationChapter 2: The Microprocessor and its Architecture
Chapter 2: The Microprocessor and its Architecture Chapter 2: The Microprocessor and its Architecture Chapter 2: The Microprocessor and its Architecture Introduction This chapter presents the microprocessor
More informationW4118: PC Hardware and x86. Junfeng Yang
W4118: PC Hardware and x86 Junfeng Yang A PC How to make it do something useful? 2 Outline PC organization x86 instruction set gcc calling conventions PC emulation 3 PC board 4 PC organization One or more
More informationx86 Assembly Tutorial COS 318: Fall 2017
x86 Assembly Tutorial COS 318: Fall 2017 Project 1 Schedule Design Review: Monday 9/25 Sign up for 10-min slot from 3:00pm to 7:00pm Complete set up and answer posted questions (Official) Precept: Monday
More informationWeek /8086 Microprocessor Programming
Week 5 8088/8086 Microprocessor Programming Multiplication and Division Multiplication Multiplicant Operand Result (MUL or IMUL) (Multiplier) Byte * Byte AL Register or memory Word * Word AX Register or
More informationCSE351 Spring 2018, Midterm Exam April 27, 2018
CSE351 Spring 2018, Midterm Exam April 27, 2018 Please do not turn the page until 11:30. Last Name: First Name: Student ID Number: Name of person to your left: Name of person to your right: Signature indicating:
More informationEXPERIMENT WRITE UP. LEARNING OBJECTIVES: 1. Get hands on experience with Assembly Language Programming 2. Write and debug programs in TASM/MASM
EXPERIMENT WRITE UP AIM: Assembly language program for 16 bit BCD addition LEARNING OBJECTIVES: 1. Get hands on experience with Assembly Language Programming 2. Write and debug programs in TASM/MASM TOOLS/SOFTWARE
More informationEEM336 Microprocessors I. The Microprocessor and Its Architecture
EEM336 Microprocessors I The Microprocessor and Its Architecture Introduction This chapter presents the microprocessor as a programmable device by first looking at its internal programming model and then
More informationReverse Engineering Low Level Software. CS5375 Software Reverse Engineering Dr. Jaime C. Acosta
1 Reverse Engineering Low Level Software CS5375 Software Reverse Engineering Dr. Jaime C. Acosta Machine code 2 3 Machine code Assembly compile Machine Code disassemble 4 Machine code Assembly compile
More informationSPRING TERM BM 310E MICROPROCESSORS LABORATORY PRELIMINARY STUDY
BACKGROUND 8086 CPU has 8 general purpose registers listed below: AX - the accumulator register (divided into AH / AL): 1. Generates shortest machine code 2. Arithmetic, logic and data transfer 3. One
More informationSee notes for citation. Rise & Fall of Binaries Part 2 Adir Abraham
See notes for citation Rise & Fall of Binaries Part 2 Adir Abraham adir@computer.org 1 All materials are licensed under a Creative Commons Share Alike license. http://creativecommons.org/licenses/by-sa/3.0/
More informationCS165 Computer Security. Understanding low-level program execution Oct 1 st, 2015
CS165 Computer Security Understanding low-level program execution Oct 1 st, 2015 A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns
More informationPESIT Bangalore South Campus
INTERNAL ASSESSMENT TEST 2 Date : 02/04/2018 Max Marks: 40 Subject & Code : Microprocessor (15CS44) Section : IV A and B Name of faculty: Deepti.C Time : 8:30 am-10:00 am Note: Note: Answer any five complete
More informationBasic Assembly Instructions
Basic Assembly Instructions Ned Nedialkov McMaster University Canada SE 3F03 January 2013 Outline Multiplication Division FLAGS register Branch Instructions If statements Loop instructions 2/21 Multiplication
More informationID: Sample Name: 11youtube3.com Cookbook: default.jbs Time: 08:17:42 Date: 12/04/2018 Version:
ID: 54295 Sample Name: 11youtube3.com Cookbook: default.jbs Time: 08:1:42 Date: 12/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence
More informationIntroduction to IA-32. Jo, Heeseung
Introduction to IA-32 Jo, Heeseung IA-32 Processors Evolutionary design Starting in 1978 with 8086 Added more features as time goes on Still support old features, although obsolete Totally dominate computer
More informationINTRODUCTION TO IA-32. Jo, Heeseung
INTRODUCTION TO IA-32 Jo, Heeseung IA-32 PROCESSORS Evolutionary design Starting in 1978 with 8086 Added more features as time goes on Still support old features, although obsolete Totally dominate computer
More informationx64 Cheat Sheet Fall 2014
CS 33 Intro Computer Systems Doeppner x64 Cheat Sheet Fall 2014 1 x64 Registers x64 assembly code uses sixteen 64-bit registers. Additionally, the lower bytes of some of these registers may be accessed
More informationMarking Scheme. Examination Paper Department of CE. Module: Microprocessors (630313)
Philadelphia University Faculty of Engineering Marking Scheme Examination Paper Department of CE Module: Microprocessors (630313) Final Exam Second Semester Date: 02/06/2018 Section 1 Weighting 40% of
More informationAPPENDIX C INSTRUCTION SET DESCRIPTIONS
APPENDIX C INSTRUCTION SET DESCRIPTIONS This appendix provides reference information for the 80C186 Modular Core family instruction set. Tables C-1 through C-3 define the variables used in Table C-4, which
More informationAssembly II: Control Flow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Assembly II: Control Flow Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Processor State (x86-64) RAX 63 31 EAX 0 RBX EBX RCX RDX ECX EDX General-purpose
More informationProgram Exploitation Intro
Program Exploitation Intro x86 Assembly 04//2018 Security 1 Univeristà Ca Foscari, Venezia What is Program Exploitation "Making a program do something unexpected and not planned" The right bugs can be
More informationCS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08
CS412/CS413 Introduction to Compilers Tim Teitelbaum Lecture 21: Generating Pentium Code 10 March 08 CS 412/413 Spring 2008 Introduction to Compilers 1 Simple Code Generation Three-address code makes it
More informationLecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86
Lecture 15 Intel Manual, Vol. 1, Chapter 3 Hampden-Sydney College Fri, Mar 6, 2009 Outline 1 2 Overview See the reference IA-32 Intel Software Developer s Manual Volume 1: Basic, Chapter 3. Instructions
More informationCS 31: Intro to Systems ISAs and Assembly. Kevin Webb Swarthmore College February 9, 2016
CS 31: Intro to Systems ISAs and Assembly Kevin Webb Swarthmore College February 9, 2016 Reading Quiz Overview How to directly interact with hardware Instruction set architecture (ISA) Interface between
More informationDr. Ramesh K. Karne Department of Computer and Information Sciences, Towson University, Towson, MD /12/2014 Slide 1
Dr. Ramesh K. Karne Department of Computer and Information Sciences, Towson University, Towson, MD 21252 rkarne@towson.edu 11/12/2014 Slide 1 Intel x86 Aseembly Language Assembly Language Assembly Language
More informationRev101. spritzers - CTF team. spritz.math.unipd.it/spritzers.html
Rev101 spritzers - CTF team spritz.math.unipd.it/spritzers.html Disclaimer All information presented here has the only purpose of teaching how reverse engineering works. Use your mad skillz only in CTFs
More informationAssembly Language: IA-32 Instructions
Assembly Language: IA-32 Instructions 1 Goals of this Lecture Help you learn how to: Manipulate data of various sizes Leverage more sophisticated addressing modes Use condition codes and jumps to change
More informationCPS104 Recitation: Assembly Programming
CPS104 Recitation: Assembly Programming Alexandru Duțu 1 Facts OS kernel and embedded software engineers use assembly for some parts of their code some OSes had their entire GUIs written in assembly in
More informationCS 31: Intro to Systems ISAs and Assembly. Kevin Webb Swarthmore College September 25, 2018
CS 31: Intro to Systems ISAs and Assembly Kevin Webb Swarthmore College September 25, 2018 Overview How to directly interact with hardware Instruction set architecture (ISA) Interface between programmer
More informationECE 498 Linux Assembly Language Lecture 3
ECE 498 Linux Assembly Language Lecture 3 Vince Weaver http://www.eece.maine.edu/ vweaver vincent.weaver@maine.edu 20 November 2012 Statically Linked C Hello-World Disassembly of section.text : 08048320
More informationBinghamton University. CS-220 Spring x86 Assembler. Computer Systems: Sections
x86 Assembler Computer Systems: Sections 3.1-3.5 Disclaimer I am not an x86 assembler expert. I have never written an x86 assembler program. (I am proficient in IBM S/360 Assembler and LC3 Assembler.)
More informationDo not turn the page until 5:10.
University of Washington Computer Science & Engineering Autumn 2018 Instructor: Justin Hsia 2018-10-29 Last Name: First Name: Student ID Number: Name of person to your Left Right All work is my own. I
More informationAssembly II: Control Flow
Assembly II: Control Flow Jinkyu Jeong (jinkyu@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu)
More informationPython and Machine Learning: How to use algorithms to create yara rules with a malware zoo for hunting. PassTheSalt 2018
Python and Machine Learning: How to use algorithms to create yara rules with a malware zoo for hunting PassTheSalt 2018 Who s who Sebastien Larinier (ceo of SCTIF) @sebdraven, slarinier@gmail.com DFIR,
More informationCS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2017 Lecture 5
CS24: INTRODUCTION TO COMPUTING SYSTEMS Spring 2017 Lecture 5 LAST TIME Began exploring x86-64 instruction set architecture 16 general-purpose registers Also: All registers are 64 bits wide rax-rdx are
More informationfrom WRITE GREAT CODE Volume 2: Thinking Low-Level, Writing High-Level ONLINE APPENDIX A The Minimal 80x86 Instruction Set by Randall Hyde
from WRITE GREAT CODE Volume 2: Thinking Low-Level, Writing High-Level ONLINE APPENDIX A The Minimal 80x86 Set by Randall Hyde San Francisco WRITE GREAT CODE, Volume 2. Copyright 2006 by Randall Hyde.
More informationIt is possible to define a number using a character or multiple numbers (see instruction DB) by using a string.
1 od 5 17. 12. 2017 23:53 (https://github.com/schweigi/assembler-simulator) Introduction This simulator provides a simplified assembler syntax (based on NASM (http://www.nasm.us)) and is simulating a x86
More informationCSE 351 Midterm Exam
University of Washington Computer Science & Engineering Winter 2018 Instructor: Mark Wyse February 5, 2018 CSE 351 Midterm Exam Last Name: First Name: SOLUTIONS UW Student ID Number: UW NetID (username):
More informationWinter Compiler Construction T11 Activation records + Introduction to x86 assembly. Today. Tips for PA4. Today:
Winter 2006-2007 Compiler Construction T11 Activation records + Introduction to x86 assembly Mooly Sagiv and Roman Manevich School of Computer Science Tel-Aviv University Today ic IC Language Lexical Analysis
More informationCS241 Computer Organization Spring 2015 IA
CS241 Computer Organization Spring 2015 IA-32 2-10 2015 Outline! Review HW#3 and Quiz#1! More on Assembly (IA32) move instruction (mov) memory address computation arithmetic & logic instructions (add,
More informationInline Assembler. Willi-Hans Steeb and Yorick Hardy. International School for Scientific Computing
Inline Assembler Willi-Hans Steeb and Yorick Hardy International School for Scientific Computing e-mail: steebwilli@gmail.com Abstract We provide a collection of inline assembler programs. 1 Using the
More informationComplex Instruction Set Computer (CISC)
Introduction ti to IA-32 IA-32 Processors Evolutionary design Starting in 1978 with 886 Added more features as time goes on Still support old features, although obsolete Totally dominate computer market
More informationSYSC3601 Microprocessor Systems. Unit 2: The Intel 8086 Architecture and Programming Model
SYSC3601 Microprocessor Systems Unit 2: The Intel 8086 Architecture and Programming Model Topics/Reading SYSC3601 2 Microprocessor Systems 1. Registers and internal architecture (Ch 2) 2. Address generation
More informationComputer Systems C S Cynthia Lee
Computer Systems C S 1 0 7 Cynthia Lee 2 Today s Topics LECTURE: More assembly code! NEXT TIME: More control flow Some misc. instructions you might see in your assign5 binary bomb Details of function call
More informationInside VMProtect. Introduction. Internal. Analysis. VM Logic. Inside VMProtect. Conclusion. Samuel Chevet. 16 January 2015.
16 January 2015 Agenda Describe what VMProtect is Introduce code virtualization in software protection Methods for circumvention VM logic Warning Some assumptions are made in this presentation Only few
More informationHow Software Executes
How Software Executes CS-576 Systems Security Instructor: Georgios Portokalidis Overview Introduction Anatomy of a program Basic assembly Anatomy of function calls (and returns) Memory Safety Intel x86
More informationRichard Johnson
x86 Disassembler Internals Toorcon 7 September 2005 Richard Johnson rjohnson@idefense.com Welcome Who am I? Richard Johnson Senior Security Engineer, idefense Labs Other Research: nologin.org / uninformed.org
More informationA CRASH COURSE IN X86 DISASSEMBLY
A CRASH COURSE IN X86 DISASSEMBLY As discussed in previous chapters, basic static and dynamic malware analysis methods are good for initial triage, but they do not provide enough information to analyze
More informationCSE P 501 Compilers. x86 Lite for Compiler Writers Hal Perkins Autumn /25/ Hal Perkins & UW CSE J-1
CSE P 501 Compilers x86 Lite for Compiler Writers Hal Perkins Autumn 2011 10/25/2011 2002-11 Hal Perkins & UW CSE J-1 Agenda Learn/review x86 architecture Core 32-bit part only for now Ignore crufty, backward-compatible
More informationThe x86 Architecture
The x86 Architecture Lecture 24 Intel Manual, Vol. 1, Chapter 3 Robb T. Koether Hampden-Sydney College Fri, Mar 20, 2015 Robb T. Koether (Hampden-Sydney College) The x86 Architecture Fri, Mar 20, 2015
More informationMachine-level Representation of Programs. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Machine-level Representation of Programs Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Program? 짬뽕라면 준비시간 :10 분, 조리시간 :10 분 재료라면 1개, 스프 1봉지, 오징어
More informationBasic exploitation techniques
Basic exploitation techniques 20180118 Outline A primer on x86 assembly Memory segments Stack-based buffer overflows Heap-based overflow Format strings 1 A primer on x86 assembly Introduction Verily, when
More informationCS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2016 Lecture 12
CS24: INTRODUCTION TO COMPUTING SYSTEMS Spring 2016 Lecture 12 CS24 MIDTERM Midterm format: 6 hour overall time limit, multiple sittings (If you are focused on midterm, clock should be running.) Open book
More informationMarking Scheme. Examination Paper. Module: Microprocessors (630313)
Philadelphia University Faculty of Engineering Marking Scheme Examination Paper Department of CE Module: Microprocessors (630313) Final Exam Second Semester Date: 12/06/2017 Section 1 Weighting 40% of
More informationSOEN228, Winter Revision 1.2 Date: October 25,
SOEN228, Winter 2003 Revision 1.2 Date: October 25, 2003 1 Contents Flags Mnemonics Basic I/O Exercises Overview of sample programs 2 Flag Register The flag register stores the condition flags that retain
More informationLecture (08) x86 programming 7
Lecture (08) x86 programming 7 By: Dr. Ahmed ElShafee 1 Conditional jump: Conditional jumps are executed only if the specified conditions are true. Usually the condition specified by a conditional jump
More informationWe can study computer architectures by starting with the basic building blocks. Adders, decoders, multiplexors, flip-flops, registers,...
COMPUTER ARCHITECTURE II: MICROPROCESSOR PROGRAMMING We can study computer architectures by starting with the basic building blocks Transistors and logic gates To build more complex circuits Adders, decoders,
More informationComputer Processors. Part 2. Components of a Processor. Execution Unit The ALU. Execution Unit. The Brains of the Box. Processors. Execution Unit (EU)
Part 2 Computer Processors Processors The Brains of the Box Computer Processors Components of a Processor The Central Processing Unit (CPU) is the most complex part of a computer In fact, it is the computer
More informationSystem calls and assembler
System calls and assembler Michal Sojka sojkam1@fel.cvut.cz ČVUT, FEL License: CC-BY-SA 4.0 System calls (repetition from lectures) A way for normal applications to invoke operating system (OS) kernel's
More informationCode segment Stack segment
Registers Most of the registers contain data/instruction offsets within 64 KB memory segment. There are four different 64 KB segments for instructions, stack, data and extra data. To specify where in 1
More information