Reverse engineering & Linux Flashcards
What type of architecture is x86-64 (amd64, i64)?
64-bit CISC
What are some properties of CISC?
A single instruction can do multiple things at once (mem access, register read, etc.)
Variable length instruction set
What is the x86-64 architecture?
CISC
The registers used extend an extra 32-bit on the Intel’s x86 architecture
What is a property of x86-64?
The architecture allows for a multi-sized register access, meaning you can access certain parts of a register which are different sizes.
How can multi-sized access be done?
The RAX register can have it’s lower 32-bits accessed using EAX.
The lower 16 bits can be accessed using AX.
The lower 8-bits can be accessed using AL.
How is the x86-64 registers structured?
What is the RAX register in x86-64?
64-bit “long” register
What is the EAX register in x86-64?
32-bit “int” register
Name 3 special registers in x86
RIP: Instruction pointer
RSP: Stack pointer
RBP: Base pointer
How are instructions executed in x86?
Fetch instruction at address in RIP
decode it
run it
Explain the following instruction:
mov rax, 0xdeadbeef
Mov the immediate “0xdeadbeef” into register rax
Explain the following instruction:
mov rax, [0xdeadbeef + rbx * 4]
Move the data at address “0xdeadbeef + rbx * 4” into rax
How are conditionals used in x86?
Use jumps and jump if the provided conditional is true:
- jnz <address>
- je <address>
- jge <address>
- jle <address>
- etc.
What does the conditional jump-flags check?
Checking EFLAGS
What are EFLAGS?
Special registers that stores flags on certain instructions.
Give an example of flags that EFLAGS store
The instruction “add rax, rbx” sets the o flag (overflow) if the sum is greater than what the 64-bit register can hold, and wraps around.
This flag is used to jump by the jo instruction
What instruction is often used in combination with jumps?
cmp
Example:
cmp rax, rbx
jle error
Name 4 vulnerable C-functions
gets
strcpy
strcat
strcmp
What C-functions can cause buffer overflows?
gets
strcpy
strcat
What C-function can cause timing attacks?
strcmp
What is a disassembler?
A tool that breaks down a compiled program into machine code
What is IDA?
Industry standard for binary disassembly
What is IDA’s Hex Rays decompiler?
A feature in IDA which can convert assembly code back into a pseudo code like format
What is pwndb?
A GDB plug-in that solves a lot of problems with vanilla GDB obscuring a lot of information and being unintuitive.
How can you get the dissassembly of a program using gdb?
gdb program
Display disassembly of frame/function:
(gdb) disassemble [address/symbol]
Display disassembly of main:
(gdb) disas main
What is the gdb command:
display/[# of instructions]i $pc [± offset]
Display: shows data with each step
/[#]i: shows how much data in the format i for instruction
$pc: means the pc register
What does the DGB command “display/10i $pc - 0x5” do?
Displays the 10 instructions on screen with an offset from the next instruction of 5
When listing processes using ps -o stat, what does the different stats mean?
T: suspended
S: sleeping while waiting for input
R: Running
+: Process is in the foreground
What does it mean that a process is running in the foreground?
What does it mean that a process is running in the background?
What does a file type “c” mean?
The file is a “character device” meaning interacting with it results in changes to the display output rather than changes to disk storage (as for a normal file)
What does rwx permissions allow for directories?
r: List the directory
w: Create/delete files in directory
x: Enter the directory using cd
What is the shell variable PATH?
Stores directory paths in which the shell will search for programs corresponding to commands.
