Upgrade to Pro — share decks privately, control downloads, hide ads and more …

RE:HACK 2023 - Reverse Engineering and Binary Exploitation: Intel x86/x86-x64 Assembly

January 04, 2024

RE:HACK 2023 - Reverse Engineering and Binary Exploitation: Intel x86/x86-x64 Assembly

Workshop series links :

Part 1: https://www.youtube.com/watch?v=8dGDYRWwawQ
Part 2: https://www.youtube.com/watch?v=vWOSPK8p1wE
Part 3: https://www.youtube.com/watch?v=xx62TN7NFIY

This workshop content draws upon valuable resources from a variety of contributors. Their expertise and insights are gratefully acknowledged


January 04, 2024

More Decks by Fatah

Other Decks in Education


  1. About Fatah Hashim (发达奇拉 ) • Fat |发达奇拉 | C00K13SX

    | x86cookies • Blogging at https://www.cookiesec.blog/ • Contact me on https://www.linkedin.com/in/fatah-iix/ • Focusing on Vulnerability/Malware Research & Dev, Reverse Engineering, OS Internal, AppSec, CTF. (I don’t do Web ) • Global Cybersecurity Camp (GCC) 2023 Singapore Alumni • https://cybercamp.my/ • Malaysia Cybersecurity Camp(MCC) 2022 First Edition Alumni • https://gcc.ac/gcc_2023/ GLOBAL CYBER CAMP (SINGAPORE)
  2. 3 Disclaimer The views and opinions expressed in this content

    are my own and do not necessarily reflect the views and opinions of any company or organization that I am affiliated with.
  3. 4 TOC 1. Why Assembly? 2. Curve Learning 3. Legal

    Aspects 4. Legal Activity 5. Illegal Activity 6. Static Analysis 7. Dynamic Analysis 8. Practical Setup Environment (Practical) 9. Introduction to Assembly 10. Binary and Hexadecimal Number Systems (Practical) 11. Low-level languages 12. High-level languages 13. Interpreted languages 14. Compiling 15. Disassembly & Decompiler 16. Debugger Overview (Practical) 17. Debugger Overview (Extra:Graph) (Practical) 18. Debugger Overview (Extra: View Trace) (Practical) 19. Debugger Overview (Extra: Mnemonic Brief) (Practical) 20. Prologue & Epilogue (Practical) 20. Hollow Out Lab (Practical) 21. Fun Fact: Hollowed VT Trojan Detection 22. Data Storage Size 23. Registers x86 & x64 24. 64-bit lower portions register 25. Assembly Language Instructions 26. Instructions: MOV (Practical) 27. Instructions: Addition using Full Register and Partial Register (Practi 28. Instructions: SUB (Practical) 29. Instructions: INC & DEC (Practical) 30. Instructions: NOP (Practical) 31. Method: Dropper Code Cave (Practical) 32. EIP 33. Important Flags 34. Endianness 35. Segment Registers 36. Calling Conventions 37. Memory Hierarchy 38. Architecture Overview 39. x86 Architecture 40. CPU Components 41. Main Memory (RAM) 42. RAM Debugger (Practical) 43. The Stack ! 44. Extra: NASM (ELF) (Practical) 45. User Space VS Kernel Space 46. Resource for further study
  4. 5 Why I need to learn Assembly? • Become a

    better programmer- When you really want to get the most of your processor, writing in raw Assembly is needed. • Tool is just a tool. Having foundation in your brain is a way to survive • You are the kind of person who really likes to know how things work. In this course you are going to get solid understanding on how computer programs work from the inside. • You want to become a Reverse Engineer or a security researcher, read the code of viruses or look for software vulnerabilities. As most of the time the original source code will not be available to you, solid understanding of x86 Assembly Language is mandatory. • There are a lot of jobs out there to do this work, with not a lot of people to do the work https://www.reddit.com/media?url=https%3A%2F%2Fi.redd.it%2F5tt3y49vplv21.jpg
  5. 7 Legal Aspects • Reverse engineering legality governed copyright laws

    • Different country will have different copyright laws • Legal only in specific cases
  6. 8 Legal Activity • Recovery own lost source code •

    Recovery of data from legacy formats • Malware analysis and research • Security and Vulnerability research
  7. 9 Illegal Activity • Reverse engineering competing product and sell

    it • Crack copy protections • Distribute crack / registration for copyrighted software • Gained unauthorized access to any computer
  8. 10 Static Analysis • Read disassembly code • Search for

    strings • Analyzing without executing the program • Basically, it’s all about “strings”
  9. 11 Dynamic Analysis • Debug the code • Step thru

    the code, study how it executes and what it does • Fast results and accurate • Executing code either on physical machine or emulator • Tracing the code that gets executed • Analyzed code execution
  10. 12 Practical Setup Environment 1/7 • Bare metal, Virtual Box,

    Virtual Player, VMware, etc. • x32/x64 Debugger(Windows) • https://x64dbg.com/ • Windows OS – x86 & x64 • Ubuntu OS (Optional) Practical
  11. 13 Practical Setup Environment 2/7 1. Download x32/x64 Debugger •

    https://x64dbg.com/ 2. options>preferences>Events uncheck TLS callback and System Brekpoint Tick check on Graph zoom mode Practical
  12. 15 Practical Setup Environment 4/7 Practical • Open your window

    OS virtual machine settings and change network adapter to Host-only
  13. 16 Practical Setup Environment 5/7 Practical • Make a snapshot,

    Just in case anything unintended happen, you can revert to previous state
  14. 17 Practical Setup Environment 6/7 Practical • Curious to explore

    further? Download the binary for hands-on testing: https://drive.google.com/drive/folders/1sqbsqUgdiihcx_obuJZcNMT3rbbfQPsB?usp=sharing • Compiling it by yourself? You can use Visual Studio to compile it in C program • Here’s the source code of the binary:
  15. 18 Practical Setup Environment 7/7 Practical • What's the best

    way to transfer a binary from my bare metal OS to a virtual machine, given that I downloaded it on the bare metal system due to internet access restrictions? Answer: You can use either python server, drag-drop, vm-share folder, depends on your preferences. There’s a lot method out there to transfer the file. Do explore on it https://www.freecodecamp.org/news/simplehttpserver-explained-how-to-send-files-using-python/
  16. 20 Introduction to Assembly • There is a lot of

    documentation and source code out there, but it can be difficult to learn without a guide • Different versions for each type of processor • We will go tru all with Intel syntax • x32-bit Intel (most common) • x64-bit Intel • SPARC, PowerPC, MIPS, ARM - others • You don't need to have everything here memorized before moving on, and parts of it will make more sense when you actually see it in action.
  17. 21 Binary and Hexadecimal Number Systems 1/4 • Base 10

    (Decimal): • 0,1,2,3,4,5,6,7,8,9 to represent numbers • Base-2 (Binary): • 0 and 1 computers only understand • 0=low voltage and 1=high voltage • Base-16 (Hex): 16 Digits to represent numbers • 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F • A=10, B=11, C=12, D=13, E=14, F=15
  18. 22 Binary and Hexadecimal Number Systems 2/4 Way to convert

    number with Windows calculator : Changing to Programmer Calc Selection Practical
  19. 23 Binary and Hexadecimal Number Systems 3/4 Way to convert

    number inside debugger : Signed = negative value Unsigned = positive value Practical
  20. 24 Binary and Hexadecimal Number Systems 4/4 Way to convert

    number inside debugger : Wait but why we need to play with Hex ?? why not just use decimal format ? Answer: Because base-16(hex) save space In this hex format 2 digit represent 1 byte Practical
  21. 25 Low-level languages • Human-readable version of the processor’s instruction

    set • Assembly language • PUSH, POP, NOP, MOV, JMP … • Disassembler generates assembly language • This is the highest-level language that can be reliably recovered from malware when source code is unavailable
  22. 26 High-level languages • Most programmers use these • C,

    C++, C#, etc. • Converted to machine code by a compiler
  23. 27 Interpreted languages • Highest level • Java, C#, Perl,

    .NET, Python • Code is not compiled into machine code • It is translated into bytecode • An intermediate representation • Independent of hardware and OS • Bytecode executes in an interpreter, which translates bytecode into machine language on the fly at runtime • Ex: Java Virtual Machine https://www.youtube.com/watch?v=G1ubVOl9IBw
  24. 28 Compiling 1/3 • Assembly code is the code that

    actually runs on your computer by the processor • The purpose of languages like C, is that we can program without having to really deal with assembly code https://image.slidesharecdn.com/ch4-170116190423/75/cnit-126-4-a-crash-course-in-x86-disassembly-4-2048.jpg?cb=1667939942
  25. 29 Compiling 2/3 https://i.ytimg.com/vi/LOWQg8BNQJ4/maxresdefault.jpg • There are a lot of

    different architectures. • Different types of processors can run different types of assembly code architectures. • In this crash course, We’re dealing with the most 64-bit, and 32-bit ELF (Executable and Linkable Format) and EXE (Portable Executable)
  26. 30 Compiling 3/3 • We have tools such as Ghidra

    that will take compiled assembly code and give us a view of what it thinks the C code that the code was compiled from looks like, so we don't need to read endless lines of assembly code. • Downside: - Decompiling it is not always accurate • It’s better to understand it from the assembly itself
  27. 33 Disassembly • Converts the binary form to assembly language

    • Disassembly can be used to analyze and understand how software works, even if the source code is not available • Software is proprietary or the source code is not publicly available • bit: Represented by 0’s and 1’s • Byte: Represented by eight bits put together Decompiler Decompiler HIEW HT-Editor
  28. 34 • Sometimes, xdbg wrongly intrepreted the hex to assembly.

    always keep on eye also on the hex. • Common Example: • ret= C3 • push ebp= 55 • call=E8 Debugger Overview 1/6 Practical
  29. 35 • CPU windows that show register • There’s also

    Flag Register. Zero Flag ZF important to know certain jump to take place or not. Debugger Overview 2/6 Practical
  30. 38 • Stack, %tmp% area in memory, store function parameter

    for any function call Debugger Overview 5/6 Practical
  31. 39 Debugger Overview 6/6 • https://x64dbg.com/blog/ => all techniques x64

    debugger blogs • https://x64dbg.com/blog/2016/07/27/Control-flow-graph.html => Control flow analysis and graphing Practical
  32. 40 Debugger Overview (Extra:Graph) Practical • Graph View feature from

    x32/x64 Debugger ! • Right click & Choose Graph OR • Shortcut Key = G, how to go back normal view? Click G again
  33. 42 Debugger Overview (Extra: Mnemonic Brief) Practical • Right click

    and choose show mnemonic brief • OR Ctrl+Shift+F1
  34. 44 For now, just understand that Prolog contains the instructions

    that prepare the registers and stack space for the function before it starts execution and Epilog contains instructions that help in restoring the stack and registers to their previous state, that is before the function was called. For a more details explanation, do look this up! • https://www.youtube.com/watch?v=F58WAnf2gr0&ab_channel=YoungSlothLearning => Prologue: Intel x86 Assembly Att Stack Prologue. You will encounter this a lot in the practical part later, it will make more sense when you actually see it in action. Prologue & Epilogue Practical
  35. 45 Hollow Out Lab 1/12 Practical You have two options

    here : 1. Either compile by yourself the code (codeblocks, gcc, visual studio, etc) 2. OR use binary template provided in google drive (decompile the binary if you want more information) https://drive.google.com/drive/folders/1sqbsqUgdiihcx_obuJZcNMT3rbbfQPsB?usp=sharing Password: winter-assembly 1. Raw code 2. Binary File
  36. 51 Hollow Out Lab 6/12 Practical Hollow up at the

    right function, don't hollow all of this. Just empty the content of the function. Plus, we need to know where useful item/call located
  37. 53 Hollow Out Lab 8/12 Practical Next, We will need

    to leave any useful part, example like “putchar” will print new line.
  38. 59 Data Storage Size X86-64 supported storage sizes : C/C++

    declarations are mapped as follows: 32b 64b
  39. 62 Registers x86 & x64 • 32-bit known as x86

    or IA-32 • 64-bit known as x86-64, AMD64 and Intel 64 • Registers are essentially places where the processor can store memory • These typical sizes we will be dealing with are 8 bytes, 4 bytes, 2 bytes, and 1. The reason for these different sizes is due to the advancement of technology, we can store more data in a register. • Word [ 2 Bytes ] , Dword [ 4 Bytes ] , Qword [ 8 Bytes ] https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/x64- architecture
  40. 67 Instructions: MOV • MOV Destination, Source • Copies data

    from Source to Destination • Can move: • Register to register • Memory to register, register to memory • Immediate to register, immediate to memory • Never! Memory to memory • MOV example: Practical
  41. 68 Instructions: Addition using Full Register and Partial Register •

    ADD destination, source Practical https://www.cs.virginia.edu/~evans/cs216/guides/x86-registers.png
  42. 69 Instructions: SUB • SUB destination, source • make sure

    take note on partial register return value Practical
  43. 73 END - Instructions Practical • There’s still lot more

    instructions/method we can cover, but it takes time to prepare. If you'd like to learn more in a future session, let me know on the feedback form ☺ • MUL/DIV - Arithmetic • Accessing memory • PUSH & POP - The stack • CALL - Functions call • Input/Output Strings/Integer Functions • Flags Register • Unconditional & Conditional Jumps • Structured Branching • CMP • Signed & Unsigned • etc
  44. 78 Little Endian • Offset value: 78 56 34 12

    • Actual value: 0x12345678 Big Endian • Offset value: 12 34 56 78 • Actual value: 0x12345678
  45. 80 Segment Registers Code Segment: The Code Segment (CS )

    register points to the Code section in the memory. Stack Segment: The Stack Segment (SS) register points to the program's Stack in the memory. Data Segment: The Data Segment (DS) register points to the program's data section in the memory. Extra Segments (ES, FS, and GS): These extra segment registers point to different data sections. These and the DS register divide the program's memory into four distinct data sections.
  46. 81 • Specify how arguments are passed to a function,

    how return values are passed back out of a function, how the function is called, and how the function manages the stack and its stack frame. In short, the calling convention specifies how a function call in C or C++ is converted into assembly language. • two of them are commmonly used in most programming languages: • cdecl - the default call type for C functions. The caller is responsible of cleaning the stack frame. • stdcall - the default call type for Win32 APIs. The callee is responsible of cleaning the stack frame. Calling Conventions
  47. 84 • CPU (Central Processing Unit) executes code • RAM

    contains/stored all the code and data for a program to run • The Memory, also called Main Memory or Random Access Memory (RAM) • I/O system interfaces with hard disk, keyboard, monitor, etc. https://www.oreilly.com/api/v2/epubs/9781593272906/files/httpatomoreillycomsourcenostarchimages2150771.png.jpg x86 Architecture
  48. 85 Control Unit • gets instructions to execute from RAM

    using a register - the instruction pointer, which stores the address of the instruction to execute. • Fetches instructions from RAM using a register named the “instruction pointer” • The address to the next instruction to execute is stored in a register called the Instruction Pointer or IP. In 32-bit systems, this register is called EIP, and in 64-bit systems, it is called RIP. Register • Registers are the CPU's storage, stores small amounts of data • Faster than RAM but limited size (has to be used effectively) ALU (Arithmetic Logic Unit) • Executes an instruction and places results in registers or RAM https://www.oreilly.com/api/v2/epubs/9781593272906/files/httpatomoreillycomsourcenostarchimages2150771.png.jpg CPU Components
  49. 86 https://image.slidesharecdn.com/ch4-170116190423/75/cnit-126-4-a-crash-course-in-x86-disassembly-18-2048.jpg?cb=1667939942 • Values placed in RAM when a program

    loads • Sometimes these values are called static • They may not change while the program is running • Sometimes these values are called global • Available to any part of the program
  50. 92 The Stack! • The Stack is a part of

    a program's memory that contains the arguments passed to the program, the local variables, and the program's control flow. • The stack is a Last In First Out (LIFO) memory. This means that the last element pushed onto the stack is the first one to be popped out. For example, if we push A, B, and C onto the stack, when we pop out these elements, the first to pop out will be C, B, and then A. The CPU uses two registers to keep track of the stack. One is the Stack Pointer (the ESP or RSP), and the other is the Base Pointer (the EBP or RBP).
  51. 93 The Stack! The Stack Pointer(ESP/RSP): The Stack Pointer points

    to the top of the stack. When any new element is pushed on the stack, the location of the Stack Pointer changes to consider the new element that was pushed on the stack. Similarly, when an element is popped off the stack, the stack pointer adjusts itself to reflect that change. The Base Pointer(EBP/RBP): The Base Pointer for any program remains constant. This is the reference address where the current program stack tracks its local variables and arguments. Old Base Pointer and Return Address: Below the Base Pointer lies the old Base Pointer of the calling program (the program that calls the current program). And below the old Base Pointer lies the Return Address, where the Instruction Pointer will return once the current program's execution ends.
  52. 94 The Stack! Arguments: The Arguments being passed to a

    function are pushed to the stack before the function starts execution. These arguments are present right below the Return Address on the stack.
  53. 102 This crash course has covered a lot, but it's

    just the beginning! There are still many more topics that we could cover, but this is a good foundation for you to start with.