Welcome!
$> whoami
Nikhil Kumar
I research on random things
I make random things and then test
them on myself!
Also, learning security concepts
day by day
@dumbomason
@nk521
SYSTEM WIDE BUG
It worked on other devices too!
Thanks to these communities
What you'll learn today
- x86
- Basic Instructions
- Writing ASM
- How to reverse engineer?
But, Why RE ?
- Curiosity
- Keygen/Trainers/Cracks
- Exploit Development
- Propriety Applications
Let's talk about memory!
A byte == 0 - 255
== 0x00 - 0xff
== 0b00000000 - 0b11111111
2**32 bytes of addressable memory space
== 4 Gibibytes ≈ 4 Gigabytes
0x00000000 - 0xffffffff
2**64 bytes of addressable memory space
== 16 Exbibytes ≈ 16 Exabytes
0x0000000000000000 - 0xffffffffffffffff
Memory Layout
- Why 0x7fffffff and not 0xffffffff?
- INT32 signed is two's complement!
So, hex((2**(32-1))-1) == 0x7fffffff!
The CODE/TEXT segment stores the executable address space and is generally read-only and of fixed size.
RODATA/DATA/BSS in next slide!
HEAP - You all know about this!
STACK - LIFO/Higher region in memory.
.BSS segment - uninitialized data and ZERO initialized data
int x;
un/signed int x;
un/signed int x[2];
int x = 0x0;
un/signed int x = 0x0;
un/signed int x[2] = {0x0,0x0};
.data segment - initialized data
int x = 0x1;
un/signed int x = 0x1;
un/signed int x[2] = {0x1,0x2};
.rodata segment - constant data
const int x;
const un/signed int x;
const un/signed int x[2];
const int x = 0x0;
const un/signed int x = 0x0;
const un/signed int x[2] = {0x0,0x0};
REGISTERS
The fastest memory
General Purpose:
AL/AH/AX/EAX/RAX - Accumulator - stores intermediate arithmetic/logic values and return values
BL/BH/BX/EBX/RBX - stores base index (arrays)
CL/CH/CX/ECX/RCX - loop counter
DL/DH/DX/EDX/RDX - extends the precision of Accumulator (EAX/RAX)
IP/EIP/RIP - Instruction Pointer
SIL/SI/ESI/RSI - Source Index - for string operations
DIL/DI/EDI/RDI - Destination Index - for string operations
SPL/SP/ESP/RSP - Stack Pointer - points
the top address of stack
BPL/BP/EBP/RBP - Base Pointer - points the
base address (stack address) of current stack frame
NOTE : SIL/DIL/SPL/BPL are only available in 64bit mode
Other Registers:
r8-r15 (64bit only), EFLAGS/RFLAGS(ZF/PF/CF/etc)
et cetra (Check out the wikipedia page)
Syscalls: (What is this?)
syscall number -> EAX/RAX
arg0 -> EBX/RDI
arg1 - ECX/RSI
arg2 - EDX/RDX
arg3 - ESI/R10
arg4 - EDI/R8
arg5 - EBP/R9
0x1122334455667788
|----------------| -> R* (64bit)
|--------| -> E* (32bit)
|----| -> *X/*S/*P/*I/IP (16bit)
|--| -> *H (upper 8bits of ^)
|--| -> *L (rest of the bits)
Assembly
Compiler
Converts high-level code (source) to
ELF/machine code (1 || 0/hex)
Example : GCC/G++ (C/C++), GHC (haskell),
Delphi (pascal), etc
⥣
AT&T format <inst> <src>, <dst>
Hello World
INTEL format <inst> <dst>, <src>
⥥
Instructions
PUSH/POP/MOV
PUSH -> pushes a value to the top of the stack!
PULL -> pops the topmost value from stack!
MOV -> sets a value to specified register/memory
ADD/SUB/MUL/DIV/INC/DEC
Common arithmetic instructions
INC -> Increment by 1
DEC -> Decrement by 1
ADD/OR/XOR/NOT/SHL/SHR
Common logical instructions
SHL/SHR -> Shift Left/Right -> Byte shifters
JMP and conditions/CMP
JMP -> rewrites the RIP to preferred address
JE -> jump when equal
JNE -> jump when not equal
JZ -> jump when last result was zero
JG -> jump when greater than
JGE -> jump when greater than or equal to
JL -> jump when less than
JLE -> jump when less than or equal to
CMP -> (brother of SUB) compares and changes ZF
DEMO TIME
f i n
Thank You! :D