Basic Assembly

Question 1

What is NASM?

Answer 1

NASM and LD are used for linking and assembling of binaries.

Question 2

How do system calls work?

Answer 2

During program execution, a system call may be used for tasks such as printing text to the console. The IA-32 mechanism for invoking system calls is int 0x80, at which point the system call handlers are referenced by the list of interrupt handlers associated with the program.

Question 3

Where are system calls defined?

Answer 3

/usr/include/i386-linux-gnu/asm/unistd_32.h

Question 4

Invoking System Call with 0x80

Answer 4

EAX - System Call Number (e.g. 4 for write to screen)
EBX - First Argument
ECX - Second Argument (Hello World string)
EDX - Third Argument
ESI - Fourth Argument
EDI - Fifth Argument

Question 5

Stepping through Assembly files

Answer 5

Start by setting a breakpoint on the ‘_start’ element of code.

Question 6

What are the fundamental data types?

Answer 6

Byte - 8 bits
Word - 16 bits
Double Word - 32 bits
Quad Word - 64 bits
Double Quad Word - 128 bits

Question 7

What is Signed and Unsigned?

Answer 7

Unsigned - all 32 bits are dedicated to storing the value

Signed - 31 bits are dedicated to storing the value, with the last bit designating the sign (+ or -).

Question 8

Declare Uninitialized Data

Answer 8

db

Question 9

Special Tokens

Answer 9

$ - evaluates to current line

$$ - evaluates to the beginning of current section

Question 10

Figuring out the startpoint of a binary

Answer 10

shell readelf -h [BINARY_NAME]

Question 11

Variable information

Answer 11

info variables

x/xb [VARIABLE_ADDRESS]
x/xb &[VARIABLE_NAME]

Question 12

Instruction breakdown

Answer 12

Instructions may be broken down into Labels, Instructions and Operands.

Question 13

MOV instruction

Answer 13

The most common instruction in ASM. Responsible for moving data in the following ways:

• Between registers
• Memory to Register and Register to Memory
• Immediate Data to Register
• Immediate Data to Memory

Question 14

LEA instruction

Answer 14

Load Effective Address - load pointer values

• LEA EAX, [label] (loads the pointer inside EAX.

Question 15

XCHG instruction

Answer 15

Exchanges (swaps) values

• XCHG Register, Register
• XCHG Register, Memory

Question 16

gdb hooking

Answer 16

GDB to complete commands as you step through a program. For example:

define hook-stop

>print/x $eax
>print/x $ebx
>print/x $ecx
>print/x $edx
>x/8xb &sample
>disassemble $eip,+10
>end

The above hook prints the contents of the eax, ebx, ecx and edx registers, the contents of sample, and disassemble the program from the current $eip value (current instruction) for the next 10 instructions.

Question 17

Displaying Values after runs

Answer 17

display /x [REGISTER/MEMORY]

and then hook to disassmble eip:

define hook-stop
disassemble $eip,+10

Question 18

How does the Stack work?

Answer 18

The Stack is a LIFO - Last In First Out data structure. Goes from high memory to low memory. As the stack builds up, ESP points to lower and lower and lower addresses.

ESP - extended stack pointer - always points to the top of the stack.

PUSH instruction (to push 32-bit values to the top of the stack) automatically pushes values to the top of the stack and adjusts ESP accordingly.

POP instruction removes the value from the top of the stack, and automatically adjusts ESP accordingly.