Reverse Engineering Low Level Software. CS5375 Software Reverse Engineering Dr. Jaime C. Acosta
Machine code

Assembly is assembled (compiled) into machine code, and machine code is disassembled back into assembly: the two are directly mappable to each other. The original high-level source, by contrast, is not directly mappable to the machine code the compiler produced.
Computer Architecture
- CPU
  - Control Unit: handles control logic
  - ALU: handles arithmetic
  - Registers: short-term storage, FAST access!
- Main memory (RAM)
- Disk I/O: external storage (longer-term storage); higher latency than registers
Our Focus
- CPU: Control Unit, Registers, ALU
- Main Memory, from lower to higher addresses: Text (contains program instructions), Data, Heap, Stack
Low-level Instruction Sets
- Instruction set architecture: the set of low-level instructions defined by the architecture vendor
- Instructions map directly to machine code/digital logic in hardware; e.g., mov ECX, 0x16 assembles to the bytes B9 16 00 00 00 (opcode 0xB9 = mov ecx, imm32, followed by the 32-bit little-endian immediate)
- Limited set of registers corresponding to hardware components
Low-Level Perspectives
High-level (C code): a function that multiplies its parameters x and y and returns the product z.
Low-level steps:
1. Store current state prior to executing function code
2. Allocate memory for z
3. Load parameters x and y from memory to registers
4. Multiply x and y, store result into register
5. Copy result into memory allocated for z
6. Restore state from (1)
7. Return to caller and send back z as return value
Low-Level Data Management: Registers
- Small memory that resides within the processor
- Little or no performance penalty
- Very few (8 32-bit general registers in IA-32)
- Used in conjunction with external memory
- Register allocation and spilling to memory are managed in assembly code
Low-Level Perspectives (continued)
The same seven steps apply, with one refinement to step 4: x86 can also multiply a register directly by a value in data memory (a memory operand), so the compiler does not always load both parameters into registers first.
Low-Level Data Management: Stack
- Non-register memory used for short-term secondary storage
- LIFO (last in, first out)
- Uses of the stack: temporarily saved register values, local variables, function parameters and return addresses
Stack layout (32-bit DWORD slots; lower memory addresses at the top of the diagram, higher addresses at the bottom)
- ESP points to the top of the stack (the most recently pushed DWORD); EBP points to the base of the current frame
- Above ESP (lower addresses): unknown data (unused); below the frame (higher addresses): previously stored values
- Push direction is toward lower memory addresses: pushing Value 1, Value 2, Value 3 in that order leaves Value 3 at the lowest address, pointed to by ESP
- Popping into EAX, EBX, ECX in turn retrieves Value 3, Value 2, Value 1 (LIFO)
Low-Level Data Management: Heap and Data section
- Heap: variable sized memory allocation/de-allocation; the program requests a block and gets a pointer/reference to it (new, malloc, calloc, ...); used for objects that are too big for the stack
- Data section: e.g., char szwelcome[] = "Hello."; global variables; long-term storage
IA-32 Assembly Language
- Intel Architecture, 32-bit (AKA i386)
- Used for most Intel compatible CPUs (AMD, VIA, x86)
- Two notations (semantically equivalent): AT&T assembly for GNU (Unix); Intel notation (Windows), which is used in this class
Some IA-32 Registers
- 8 general registers: used for any purpose, but some good practices apply
- 6 segment registers: point to areas in memory for efficiency
- 1 FLAGS register: maintains some state; set according to the results of instruction execution
- 1 instruction pointer: contains the memory address of the next instruction that will be executed
IA-32 General Registers: common usage
- EAX, EBX, ECX, EDX: general purpose; EAX usually holds function return values; ECX usually holds the loop iterator/counter
- ESI, EDI: indices (source and destination) for efficient memory copies
- ESP: points to the top of the stack
- EBP: points to the base of the current stack frame
Flags Register
- Special register: not written directly by ordinary data-movement or arithmetic instructions
- Contains flags that hold status and other information and record the current logical state
- Updated by logical/integer instructions to record outcomes; later instructions (conditional jumps) may depend on these outcomes
- e.g., bit 0 is CF (carry flag): set when an unsigned result is out of range (a carry out or a borrow); bit 6 is ZF (zero flag): set when the result of an operation is 0
Instruction Pointer Register
- Labeled EIP
- Contains the address of the next instruction to execute: tells the processor what to do next
Instruction Format
Instruction Name (opcode)   Destination Operand, Source Operand
Example:
MOV eax, 2       ; EAX = 2
ADD eax, 1       ; EAX = 3
MOV ebx, eax     ; EBX = 3, and EAX is still 3: mov is really a copy
Instruction Format
- Usually instructions consist of an opcode (operation code) and one or two operands, like a function name and its parameters: move(a, b)
- Operands come in three forms: register name, immediate (constant value), memory address

Operands
Type             Example operand               Description
Register         EAX                           Access the EAX register for reading/writing
Immediate        6, 0x..., <label>*            A constant value
Memory address   [0x...], [EAX], <label>*      A memory address (the operand is the value stored at that address)
* With some exceptions, control flow instructions (jmp, call, etc.) treat labels as immediates while non-control-flow instructions treat them as memory addresses (more on this later).
Common Arithmetic Operations
1. ADD A, B    A = A + B
2. SUB A, B    A = A - B
   (ADD and SUB produce the same bits for signed and unsigned operands; CF reports the unsigned carry/borrow and OF the signed overflow)
3. MUL A       EDX:EAX = EAX * A (unsigned)
4. DIV A       EAX = EDX:EAX / A, EDX = EDX:EAX % A (unsigned)
5. IMUL A      Same as 3, except signed
6. IDIV A      Same as 4, except signed
Note: some opcodes have more than one signature (IMUL, for example, also has two- and three-operand forms that keep only the low 32 bits). DIV and IDIV raise a divide error (#DE) when A is zero or when the quotient does not fit in EAX.
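To make the EDX:EAX convention and the signed/unsigned split concrete, here is a small Python model of the four instructions. It is an added example written for this page, not code from the slides; the register values it is exercised with are constructed, and the DivideError exception stands in for the processor's #DE fault.

```python
# Added example: model of IA-32 MUL / IMUL / DIV / IDIV on 32-bit operands.
# Not code from the slides; DivideError stands in for the #DE fault.

MASK32 = 0xFFFFFFFF


def to_signed32(v):
    """Reinterpret a 32-bit pattern as a two's-complement signed integer."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def mul(eax, src):
    """MUL src (unsigned): EDX:EAX = EAX * src.  Returns (edx, eax)."""
    product = (eax & MASK32) * (src & MASK32)
    return (product >> 32) & MASK32, product & MASK32


def imul1(eax, src):
    """One-operand IMUL src (signed): EDX:EAX = EAX * src.  Returns (edx, eax)."""
    product = to_signed32(eax) * to_signed32(src)
    product &= (1 << 64) - 1                      # 64-bit two's complement
    return (product >> 32) & MASK32, product & MASK32


def imul2(dst, src):
    """Two-operand IMUL dst, src: dst = low 32 bits of dst * src.
    This is what compilers emit for a C int multiply; the low dword is the
    same whether the operands are viewed as signed or unsigned."""
    return (to_signed32(dst) * to_signed32(src)) & MASK32


class DivideError(Exception):
    """Stands in for #DE: the divisor is zero or the quotient does not fit."""


def div(edx, eax, src):
    """DIV src (unsigned): EAX = EDX:EAX / src, EDX = EDX:EAX % src.
    Returns (eax, edx)."""
    divisor = src & MASK32
    if divisor == 0:
        raise DivideError("divide by zero")
    dividend = ((edx & MASK32) << 32) | (eax & MASK32)
    quotient, remainder = divmod(dividend, divisor)
    if quotient > MASK32:
        raise DivideError("quotient does not fit in EAX")
    return quotient, remainder


def idiv(edx, eax, src):
    """IDIV src (signed): truncating division; the remainder takes the sign
    of the dividend.  Returns (eax, edx) as 32-bit patterns."""
    divisor = to_signed32(src)
    if divisor == 0:
        raise DivideError("divide by zero")
    dividend = ((edx & MASK32) << 32) | (eax & MASK32)
    if dividend & (1 << 63):
        dividend -= 1 << 64
    quotient = abs(dividend) // abs(divisor)      # truncate toward zero
    if (dividend < 0) != (divisor < 0):
        quotient = -quotient
    remainder = dividend - quotient * divisor
    if not -(1 << 31) <= quotient <= (1 << 31) - 1:
        raise DivideError("quotient does not fit in EAX")
    return quotient & MASK32, remainder & MASK32


def div_raises(edx, eax, src):
    """True if DIV with these registers would fault."""
    try:
        div(edx, eax, src)
    except DivideError:
        return True
    return False


if __name__ == "__main__":
    # Constructed register values.
    print(mul(0xFFFFFFFF, 2))        # unsigned 0xFFFFFFFF * 2 -> (1, 0xFFFFFFFE)
    print(imul1(0xFFFFFFFF, 2))      # signed -1 * 2 -> (0xFFFFFFFF, 0xFFFFFFFE)
    print(div(0, 100, 7))            # (14, 2)
    print(div_raises(1, 0, 1))       # EDX:EAX = 2**32, quotient too big -> True
```

In compiled code DIV is normally preceded by XOR EDX, EDX and IDIV by CDQ (which sign-extends EAX into EDX) so that the high half of the dividend is set up correctly; a CDQ right before a division is therefore a reliable sign that the source treated the values as signed.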
Common Conditional Instructions
1. CMP A, B    computes A - B, discards the result and sets the flags:
   A < B   CF=1  ZF=0
   A = B   CF=0  ZF=1
   A > B   CF=0  ZF=0
   (CF reflects the unsigned comparison; signed comparisons are decided from SF and OF instead)
2. TEST A, B   computes A AND B, discards the result and sets the flags:
   if (A AND B) == 0 { ZF=1; CF=0 } else { ZF=0; CF=0 }
   (ZF=1 whenever A and B share no set bits, not only when one of them is zero; the common idiom TEST EAX, EAX checks whether EAX is zero)
Function Call Instructions
1. CALL ADDR
   1. Push the address of the instruction after CALL onto the stack (adjusting ESP)
   2. Place ADDR into EIP
2. LEAVE
   1. Set the top of the stack to the frame base (MOV ESP, EBP)
   2. Restore the caller's EBP (POP EBP)
3. RET/RETN
   1. Pop the return address from the stack into EIP (adjusting ESP)
Function Calls
Caller:              FuncA:
  PUSH EAX             <do something>
  CALL FuncA           RET
  ADD ESP, 4
Steps:
1. Push parameters
2. Push current state
3. Process FuncA
4. Pop previous state and parameters
5. Adjust stack
6. Continue processing
Stack during the call, from ESP toward higher addresses: current state data (return address and saved registers), the value pushed from EAX (the parameter), then the previously stored values of the caller's frame around EBP.
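The push/pop slides and the CALL/LEAVE/RET sequence above can be checked against a small model of the stack as a little-endian byte array. This is an added example written for this page, not code from the slides; the stack addresses and the return address 0x00401005 are constructed (the call target 0x10026eeb is the one used in the slides' later examples).

```python
# Added example: the IA-32 stack as a little-endian byte array, with PUSH,
# POP, CALL, RET, the standard prologue and LEAVE implemented the way the
# slides describe them.  Not code from the slides; addresses are constructed.

MASK32 = 0xFFFFFFFF


class Stack:
    def __init__(self, base=0x0019F000, size=0x100):
        self.base = base               # lowest address modelled
        self.mem = bytearray(size)     # covers [base, base + size)
        self.esp = base + size         # empty stack: ESP at the top end
        self.ebp = self.esp
        self.eip = 0

    def bytes_at(self, addr, n):
        off = addr - self.base
        return bytes(self.mem[off:off + n])

    def read_dword(self, addr):
        return int.from_bytes(self.bytes_at(addr, 4), "little")

    def write_dword(self, addr, value):
        off = addr - self.base
        self.mem[off:off + 4] = (value & MASK32).to_bytes(4, "little")

    def push(self, value):             # PUSH: ESP -= 4, then store at [ESP]
        self.esp -= 4
        self.write_dword(self.esp, value)

    def pop(self):                     # POP: load from [ESP], then ESP += 4
        value = self.read_dword(self.esp)
        self.esp += 4
        return value

    def call(self, target, return_addr):
        self.push(return_addr)         # address of the instruction after CALL
        self.eip = target

    def ret(self):
        self.eip = self.pop()          # pop the return address into EIP

    def prologue(self):                # PUSH EBP ; MOV EBP, ESP
        self.push(self.ebp)
        self.ebp = self.esp

    def leave(self):                   # MOV ESP, EBP ; POP EBP
        self.esp = self.ebp
        self.ebp = self.pop()


def push_pop_order(values):
    """Push each value in order, then pop them all; returns the popped sequence."""
    s = Stack()
    for v in values:
        s.push(v)
    return [s.pop() for _ in values]


def call_funca(arg):
    """The slides' PUSH EAX / CALL FuncA / ADD ESP, 4, with FuncA using
    PUSH EBP / MOV EBP, ESP ... LEAVE / RET.  Returns what FuncA saw through
    EBP and where execution and ESP ended up."""
    s = Stack()
    esp_before = s.esp
    s.push(arg)                                         # PUSH EAX
    s.call(target=0x10026EEB, return_addr=0x00401005)   # CALL FuncA
    # --- inside FuncA ---
    s.prologue()
    seen = {
        "saved_ebp": s.read_dword(s.ebp),               # [EBP]   caller's EBP
        "return_addr": s.read_dword(s.ebp + 4),         # [EBP+4] return address
        "arg": s.read_dword(s.ebp + 8),                 # [EBP+8] first parameter
    }
    s.leave()
    s.ret()                                             # RET
    # --- back in the caller ---
    s.esp += 4                     # ADD ESP, 4: the caller removes the parameter
    seen["eip_after_ret"] = s.eip
    seen["stack_balanced"] = (s.esp == esp_before)
    return seen


if __name__ == "__main__":
    print(push_pop_order([1, 2, 3]))        # [3, 2, 1]: LIFO
    s = Stack()
    s.push(0x00B30048)
    print(s.bytes_at(s.esp, 4).hex())       # 4800b300: little-endian in memory
    print(call_funca(0x1234))
```

The [EBP+8] read is why, after the prologue, disassemblers label the first parameter as arg_0 at EBP+8 and the return address sits at EBP+4: everything a function does with its frame is measured from that saved-EBP slot.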
Common Jumping Instructions
Based on results from previous instructions, flags are set. Conditional jumps use the flags to determine control flow.
1. jz/je target    Jump if zero (ZF set)
2. jnz/jne target  Jump if not zero (ZF not set)
3. ja target       Jump if above (ZF not set and CF not set) (unsigned)
4. jb target       Jump if below (CF set) (unsigned)
5. jg target       Jump if greater (ZF not set and SF = OF) (signed)
6. jl target       Jump if less (SF != OF) (signed)
7. jge target      Jump if greater or equal (SF = OF) (signed)
8. jmp target      Just jump (unconditional)
Other Common Instructions
1. SHR A, B   Shift A right by B bits (logical, zero fill; unsigned divide by 2 for each bit shifted), store in A
2. SHL A, B   Shift A left by B bits (multiply by 2 for each bit shifted), store in A
3. ROR A, B   Rotate A right by B bits (1001 -> 1100), store in A
4. ROL A, B   Rotate A left by B bits (1100 -> 1001), store in A
5. XOR A, B   A = A XOR B
Note: for signed values compilers emit SAR (arithmetic shift, sign fill) rather than SHR, and XOR A, A is the usual way to zero a register.
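Two details the one-line descriptions above leave out matter when you reason about compiled arithmetic: the hardware masks a 32-bit shift count to five bits, and a right shift of a negative value only "divides by 2" if it is the arithmetic form (SAR), and even then it rounds toward negative infinity. The following Python model is an added example written for this page, not code from the slides.

```python
# Added example: 32-bit shift and rotate semantics, including the count
# masking and the SHR/SAR difference.  Not code from the slides.

MASK32 = 0xFFFFFFFF


def to_signed32(v):
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def shl(a, n):
    """SHL a, n: multiply by 2**n; bits shifted out of bit 31 are lost."""
    n &= 0x1F                          # count masked to 5 bits for 32-bit operands
    return (a << n) & MASK32


def shr(a, n):
    """SHR a, n: logical right shift (zero fill) = unsigned divide by 2**n."""
    n &= 0x1F
    return (a & MASK32) >> n


def sar(a, n):
    """SAR a, n: arithmetic right shift (sign fill) = signed divide by 2**n
    rounding toward negative infinity, so -1 >> 1 stays -1."""
    n &= 0x1F
    return (to_signed32(a) >> n) & MASK32


def ror(a, n, width=32):
    """ROR a, n on a `width`-bit value (the slide's 1001 -> 1100 uses width 4)."""
    mask = (1 << width) - 1
    n %= width
    a &= mask
    return ((a >> n) | (a << (width - n))) & mask


def rol(a, n, width=32):
    """ROL a, n on a `width`-bit value (the slide's 1100 -> 1001 uses width 4)."""
    mask = (1 << width) - 1
    n %= width
    a &= mask
    return ((a << n) | (a >> (width - n))) & mask


def signed_div_by_pow2(a, k):
    """The compiler idiom for a signed `x / 2**k`: add 2**k - 1 to negative
    values before SAR so the quotient truncates toward zero as C requires."""
    s = to_signed32(a)
    bias = (1 << k) - 1 if s < 0 else 0
    return sar((s + bias) & MASK32, k)


if __name__ == "__main__":
    print(hex(shl(1, 33)))                       # 0x2: count 33 is masked to 1
    print(hex(shr(0xFFFFFFF0, 1)))               # 0x7ffffff8
    print(hex(sar(0xFFFFFFF0, 1)))               # 0xfffffff8 (-16 / 2 = -8)
    print(hex(sar(0xFFFFFFFF, 1)))               # 0xffffffff (-1 >> 1 is still -1)
    print(bin(ror(0b1001, 1, width=4)))          # 0b1100, as on the slide
    print(hex(signed_div_by_pow2(0xFFFFFFF9, 2)))  # 0xffffffff (-7 / 4 = -1)
```

When you see `lea`/`add`-then-`sar` sequences with a bias of 2**k - 1 in a function, that is a signed division by a power of two; a bare SHR at the same place means the source variable was unsigned.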
Example 1
1. cmp ebx, 0xf020
2. jnz 0x...
If EBX == 0xf020 -> don't jump (ZF=1). If EBX == 0x0000 -> jump (ZF=0).
Example 2
1. mov edi, [ecx+0xb0]
2. nop                ; no operation: does nothing
3. mov ebx, [ecx+0xb8]
4. imul edi, ebx      ; the two-operand multiply is IMUL (plain MUL takes a single operand)
Probably accessing some data structure: ECX holds its base address and 0xb0 and 0xb8 are offsets of two fields, which are then multiplied.
Example 3
1. push eax
2. push ebx
3. push ecx
4. push esi
5. call 0x10026eeb
Pushing parameters onto the stack and then calling a function.
Example 4a: Register Operands
1. mov eax, ebx            ; EAX = 0x00B30040 (a copy of EBX)
Example 4b: Indirect Addressing
1. mov eax, [ebx+8]        ; EAX = the DWORD stored in memory at address 0x00B30048
Example 4c: Load Effective Address
1. lea eax, [ebx+8]        ; EAX = 0x00B30048 (the address itself; no memory read)
Example 4d: Offset and Code Labels
1. push offset loc_b30048  ; pushes the address of loc_b30048, 0x00B30048, onto the stack above the previously stored value
Label usage examples
Control flow:
- jmp <label>: jump to the memory address <label> (here treated as an immediate operand)
Non-control flow:
- mov EAX, <label>: load the value contained at memory address <label> (here treated as a memory operand)
- mov EAX, offset <label>: load the memory address <label> itself (here treated as an immediate operand)
Example 5
1. mov ecx, esi
2. mov eax, [edx+ecx*4]
3. push eax
4. add ecx, 1
5. mov eax, [edx+ecx*4]
6. push eax
7. call 0x10026eeb
EDX holds the base of an array of DWORDs and ESI an index into it: the code loads element [esi] and element [esi+1] (the scale factor 4 is the element size) and pushes both as parameters before the call.
Size directives
Example 6
1. movzx eax, byte ptr [eax]
2. cmp al, mychar
The size directive byte ptr tells the assembler to read a single byte at [eax]; movzx zero-extends it into EAX. Line 2 compares that byte (now in AL) with the byte stored at the label mychar. In Intel/MASM syntax, cmp al, mychar and cmp al, [mychar] mean the same thing: both read the byte at the address mychar. The brackets do not add a second level of indirection; x86 has no instruction that dereferences a memory operand twice, so comparing against "the byte at the address stored inside mychar" would require loading mychar into a register first and then reading through that register.
Some Things to Keep in Mind
- Endianness: x86 is little endian (least significant byte in the lowest memory address), so the DWORD 0x42 is stored as the bytes 42 00 00 00. IP header fields and other network data use big endian (least significant byte in the highest address), so 0x42 is stored as 00 00 00 42.
- Some compiler optimizations change what you see in the disassembly: loop unrolling, redundancy elimination, instruction reordering
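The size-directive and endianness points above come together when you read a memory dump: the same bytes give different values depending on the operand size, whether the load zero- or sign-extends, and which byte order the data was written in. The following Python snippet is an added example written for this page, not code from the slides; the 16-byte memory image at 0x00B30040 is constructed (its addresses echo Examples 4a-4d).

```python
# Added example: one constructed memory image read the ways the slides'
# instructions would read it.  Not code from the slides.

MASK32 = 0xFFFFFFFF

# Constructed 16-byte memory image starting at 0x00B30040:
#   +0  42 00 00 00   the DWORD 0x42 as x86 stores it (little endian)
#   +4  ff 00 00 00   a byte 0xFF followed by zeros
#   +8  00 00 00 42   the value 0x42 as a network (big-endian) field
#   +12 48 00 b3 00   the pointer 0x00B30048 stored little endian
BASE = 0x00B30040
MEM = bytes.fromhex("42000000" "ff000000" "00000042" "4800b300")


def load(addr, size, endian="little"):
    off = addr - BASE
    if off < 0 or off + size > len(MEM):
        raise IndexError("address outside the modelled image")
    return int.from_bytes(MEM[off:off + size], endian)


def mov_dword(addr):
    """mov eax, dword ptr [addr]: 4 bytes, little endian."""
    return load(addr, 4)


def movzx_byte(addr):
    """movzx eax, byte ptr [addr]: one byte, zero-extended to 32 bits."""
    return load(addr, 1)


def movsx_byte(addr):
    """movsx eax, byte ptr [addr]: one byte, sign-extended to 32 bits."""
    b = load(addr, 1)
    return (b - 0x100 if b & 0x80 else b) & MASK32


def network_dword(addr):
    """The same 4 bytes read as a big-endian field (what ntohl would yield)."""
    return load(addr, 4, "big")


def mov_eax_indirect(ebx, disp):
    """mov eax, [ebx+disp]: computes the address and reads memory there."""
    return load((ebx + disp) & MASK32, 4)


def lea_eax(ebx, disp):
    """lea eax, [ebx+disp]: computes the same address but never touches memory."""
    return (ebx + disp) & MASK32


if __name__ == "__main__":
    print(hex(mov_dword(BASE)))            # 0x42
    print(hex(movzx_byte(BASE + 4)))       # 0xff
    print(hex(movsx_byte(BASE + 4)))       # 0xffffffff
    print(hex(mov_dword(BASE + 8)))        # 0x42000000: big-endian bytes read as little endian
    print(hex(network_dword(BASE + 8)))    # 0x42
    print(hex(mov_eax_indirect(BASE, 8)))  # 0x42000000 (Example 4b reads memory)
    print(hex(lea_eax(BASE, 8)))           # 0xb30048   (Example 4c does not)
```

The movzx/movsx pair is the one to watch in parsers: a byte 0xFF loaded with movsx becomes -1, so a later signed comparison against a length or index behaves very differently from the zero-extended 255 that movzx produces.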
Keep in Mind
What if you encounter an unfamiliar instruction? Consult the Intel architectures software developer manuals (...rchitectures-software-developer-manuals.html):
- Volume I: Basic Architecture
- Volume II: Instruction Set Reference, A-M and N-Z
- Volume III: System Programming Guide
Also: the x86 assembly guide (...ml#memory)
Software Execution Environments: Bytecodes
- Native execution: high-level code -> compile -> machine code/assembly -> CPU execution
- Bytecode execution: high-level code -> compile -> bytecode -> compiled/interpreted by a virtual machine at run time
- Platform isolation: runs on any OS where the VM can execute; avoids compatibility issues; facilitates baseline software distribution
- Enhanced functionality: monitors not available on hardware; resource management; type safety
- Drawbacks: performance! (alleviated by just-in-time compilation); easier to reverse because of the metadata used by the interpreter/VM/runtime (obfuscation can be used to make reversing more difficult)
Exercise
More informationModule 3 Instruction Set Architecture (ISA)
Module 3 Instruction Set Architecture (ISA) I S A L E V E L E L E M E N T S O F I N S T R U C T I O N S I N S T R U C T I O N S T Y P E S N U M B E R O F A D D R E S S E S R E G I S T E R S T Y P E S O
More informationMachine and Assembly Language Principles
Machine and Assembly Language Principles Assembly language instruction is synonymous with a machine instruction. Therefore, need to understand machine instructions and on what they operate - the architecture.
More informationChapter 4 Processor Architecture: Y86 (Sections 4.1 & 4.3) with material from Dr. Bin Ren, College of William & Mary
Chapter 4 Processor Architecture: Y86 (Sections 4.1 & 4.3) with material from Dr. Bin Ren, College of William & Mary 1 Outline Introduction to assembly programing Introduction to Y86 Y86 instructions,
More informationCSE2421 FINAL EXAM SPRING Name KEY. Instructions: Signature
CSE2421 FINAL EXAM SPRING 2013 Name KEY Instructions: This is a closed-book, closed-notes, closed-neighbor exam. Only a writing utensil is needed for this exam. No calculators allowed. If you need to go
More informationInline Assembler. Willi-Hans Steeb and Yorick Hardy. International School for Scientific Computing
Inline Assembler Willi-Hans Steeb and Yorick Hardy International School for Scientific Computing e-mail: steebwilli@gmail.com Abstract We provide a collection of inline assembler programs. 1 Using the
More informationSummary: Direct Code Generation
Summary: Direct Code Generation 1 Direct Code Generation Code generation involves the generation of the target representation (object code) from the annotated parse tree (or Abstract Syntactic Tree, AST)
More informationLecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86
Lecture 15 Intel Manual, Vol. 1, Chapter 3 Hampden-Sydney College Fri, Mar 6, 2009 Outline 1 2 Overview See the reference IA-32 Intel Software Developer s Manual Volume 1: Basic, Chapter 3. Instructions
More informationEx: Write a piece of code that transfers a block of 256 bytes stored at locations starting at 34000H to locations starting at 36000H. Ans.
INSTRUCTOR: ABDULMUTTALIB A H ALDOURI Conditional Jump Cond Unsigned Signed = JE : Jump Equal JE : Jump Equal ZF = 1 JZ : Jump Zero JZ : Jump Zero ZF = 1 JNZ : Jump Not Zero JNZ : Jump Not Zero ZF = 0
More informationLecture (08) x86 programming 7
Lecture (08) x86 programming 7 By: Dr. Ahmed ElShafee 1 Conditional jump: Conditional jumps are executed only if the specified conditions are true. Usually the condition specified by a conditional jump
More informationCS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2017 Lecture 12
CS24: INTRODUCTION TO COMPUTING SYSTEMS Spring 2017 Lecture 12 CS24 MIDTERM Midterm format: 6 hour overall time limit, multiple sittings (If you are focused on midterm, clock should be running.) Open book
More informationT Jarkko Turkulainen, F-Secure Corporation
T-110.6220 2010 Emulators and disassemblers Jarkko Turkulainen, F-Secure Corporation Agenda Disassemblers What is disassembly? What makes up an instruction? How disassemblers work Use of disassembly In
More informationTowards the Hardware"
CSC 2400: Computer Systems Towards the Hardware Chapter 2 Towards the Hardware High-level language (Java) High-level language (C) assembly language machine language (IA-32) 1 High-Level Language Make programming
More informationThe x86 Architecture
The x86 Architecture Lecture 24 Intel Manual, Vol. 1, Chapter 3 Robb T. Koether Hampden-Sydney College Fri, Mar 20, 2015 Robb T. Koether (Hampden-Sydney College) The x86 Architecture Fri, Mar 20, 2015
More informationCompiler construction. x86 architecture. This lecture. Lecture 6: Code generation for x86. x86: assembly for a real machine.
This lecture Compiler construction Lecture 6: Code generation for x86 Magnus Myreen Spring 2018 Chalmers University of Technology Gothenburg University x86 architecture s Some x86 instructions From LLVM
More informationThe Instruction Set. Chapter 5
The Instruction Set Architecture Level(ISA) Chapter 5 1 ISA Level The ISA level l is the interface between the compilers and the hardware. (ISA level code is what a compiler outputs) 2 Memory Models An
More informationInstructions moving data
do not affect flags. Instructions moving data mov register/mem, register/mem/number (move data) The difference between the value and the address of a variable mov al,sum; value 56h al mov ebx,offset Sum;
More informationIntel x86-64 and Y86-64 Instruction Set Architecture
CSE 2421: Systems I Low-Level Programming and Computer Organization Intel x86-64 and Y86-64 Instruction Set Architecture Presentation J Read/Study: Bryant 3.1 3.5, 4.1 Gojko Babić 03-07-2018 Intel x86
More informationDefining and Using Simple Data Types
85 CHAPTER 4 Defining and Using Simple Data Types This chapter covers the concepts essential for working with simple data types in assembly-language programs The first section shows how to declare integer
More informationControl flow. Condition codes Conditional and unconditional jumps Loops Switch statements
Control flow Condition codes Conditional and unconditional jumps Loops Switch statements 1 Conditionals and Control Flow Familiar C constructs l l l l l l if else while do while for break continue Two
More informationWe will first study the basic instructions for doing multiplications and divisions
MULTIPLICATION, DIVISION AND NUMERICAL CONVERSIONS We will first study the basic instructions for doing multiplications and divisions We then use these instructions to 1. Convert a string of ASCII digits
More informationAssembly Language Programming: Procedures. EECE416 uc. Charles Kim Howard University. Fall
Assembly Language Programming: Procedures EECE416 uc Charles Kim Howard University Fall 2013 www.mwftr.com Before we start Schedule of the next few weeks T Nov 19: Procedure and Calls (continued) R Nov
More informationIntel 8086: Instruction Set
IUST-EE (Chapter 6) Intel 8086: Instruction Set 1 Outline Instruction Set Data Transfer Instructions Arithmetic Instructions Bit Manipulation Instructions String Instructions Unconditional Transfer Instruction
More informationHow Software Executes
How Software Executes CS-576 Systems Security Instructor: Georgios Portokalidis Overview Introduction Anatomy of a program Basic assembly Anatomy of function calls (and returns) Memory Safety Intel x86
More informationCompiler Construction D7011E
Compiler Construction D7011E Lecture 8: Introduction to code generation Viktor Leijon Slides largely by Johan Nordlander with material generously provided by Mark P. Jones. 1 What is a Compiler? Compilers
More informationx86 Assembly Crash Course Don Porter
x86 Assembly Crash Course Don Porter Registers ò Only variables available in assembly ò General Purpose Registers: ò EAX, EBX, ECX, EDX (32 bit) ò Can be addressed by 8 and 16 bit subsets AL AH AX EAX
More informationIslamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB. Lab # 10. Advanced Procedures
Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB Lab # 10 Advanced Procedures May, 2014 1 Assembly Language LAB Stack Parameters There are
More informationInside VMProtect. Introduction. Internal. Analysis. VM Logic. Inside VMProtect. Conclusion. Samuel Chevet. 16 January 2015.
16 January 2015 Agenda Describe what VMProtect is Introduce code virtualization in software protection Methods for circumvention VM logic Warning Some assumptions are made in this presentation Only few
More informationAssembly Programmer s View Lecture 4A Machine-Level Programming I: Introduction
Assembly Programmer s View Lecture 4A Machine-Level Programming I: Introduction E I P CPU isters Condition Codes Addresses Data Instructions Memory Object Code Program Data OS Data Topics Assembly Programmer
More informationScott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998
Scott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998 Assembler Syntax Everything looks like this: label: instruction dest,src instruction label Comments: comment $ This is a comment
More informationQ1: Multiple choice / 20 Q2: Memory addressing / 40 Q3: Assembly language / 40 TOTAL SCORE / 100
16.317: Microprocessor-Based Systems I Summer 2012 Exam 1 July 20, 2012 Name: ID #: For this exam, you may use a calculator and one 8.5 x 11 double-sided page of notes. All other electronic devices (e.g.,
More informationCOMPUTER ENGINEERING DEPARTMENT
Page 1 of 11 COMPUTER ENGINEERING DEPARTMENT December 31, 2007 COE 205 COMPUTER ORGANIZATION & ASSEMBLY PROGRAMMING Major Exam II First Semester (071) Time: 7:00 PM-9:30 PM Student Name : KEY Student ID.
More informationmith College Computer Science CSC231 Assembly Week #9 Spring 2017 Dominique Thiébaut
mith College Computer Science CSC231 Assembly Week #9 Spring 2017 Dominique Thiébaut dthiebaut@smith.edu 2 Videos to Watch at a Later Time https://www.youtube.com/watch?v=fdmzngwchdk https://www.youtube.com/watch?v=k2iz1qsx4cm
More informationCSCI 2121 Computer Organization and Assembly Language PRACTICE QUESTION BANK
CSCI 2121 Computer Organization and Assembly Language PRACTICE QUESTION BANK Question 1: Choose the most appropriate answer 1. In which of the following gates the output is 1 if and only if all the inputs
More informationStatic Analysis I PAOLO PALUMBO, F-SECURE CORPORATION
Static Analysis I PAOLO PALUMBO, F-SECURE CORPORATION Representing Data Binary numbers 1 0 1 1 NIBBLE 0xB 1 0 1 1 1 1 0 1 0xBD 1 0 1 1 1 1 0 1 0 0 1 1 1 0 0 1 BYTE WORD 0xBD 0x39 Endianness c9 33 41 03
More information16.317: Microprocessor Systems Design I Spring 2015
16.317: Microprocessor Systems Design I Spring 2015 Exam 2 Solution 1. (16 points, 4 points per part) Multiple choice For each of the multiple choice questions below, clearly indicate your response by
More informationIntel Instruction Set (gas)
Intel Instruction Set (gas) These slides provide the gas format for a subset of the Intel processor instruction set, including: Operation Mnemonic Name of Operation Syntax Operation Examples Effect on
More informationProcedure Calls. Young W. Lim Sat. Young W. Lim Procedure Calls Sat 1 / 27
Procedure Calls Young W. Lim 2016-11-05 Sat Young W. Lim Procedure Calls 2016-11-05 Sat 1 / 27 Outline 1 Introduction References Stack Background Transferring Control Register Usage Conventions Procedure
More informationLanguage of x86 processor family
Assembler lecture 2 S.Šimoňák, DCI FEEI TU of Košice Language of x86 processor family Assembler commands: instructions (processor, instructions of machine language) directives (compiler translation control,
More information