Feeds:
Posts
Comments

Archive for the ‘Nasm – Netwide Assembler’ Category

You can set breakpoint with a condition. This is very useful if want to observe a certain location and stop it if the condition is reach.

In this tutorial I use:
-Xubuntu 18.04
-GNU gdb (Ubuntu 8.1-0ubuntu3.2) 8.1.0.20180409-git
-NASM version 2.13.02
-GNU ld (GNU Binutils for Ubuntu) 2.30

Use the simple assembly code below:

1  section .text
2  global _start
3
4  _start:
5
6      mov rax,3
7      mov rbx,2
8      add rax,rbx
9      sub rbx,1
10
11     ;Exit
12     mov eax,1
13     mov ebx,0
14     int 0x80

(more…)

Read Full Post »

This is one of my favorite function in gdb. It will make your life easier instead of typing repetition commands. Hook is a user defined command but you have to combine with a pseudo-command that already exist.

For example, you want to disassemble a program code and display the value of the program register every time you stop the process. Instead of typing 2 commands every time its stop, you can define it into one command with hook.

(gdb) define hook-stop

Type commands for definition of “hook-stop”.
End with a line saying just “end”.
>disassemble _start
>info reg $rax $rbx
>end

Let’s try.
In this tutorial I use:
-Xubuntu 18.04
-GNU gdb (Ubuntu 8.1-0ubuntu3.2) 8.1.0.20180409-git
-NASM version 2.13.02
-GNU ld (GNU Binutils for Ubuntu) 2.30

Use the simple assembly code below:

1 section .text
2 global _start
3
4 _start:
5
6      mov rax,3
7      mov rbx,2
8      add rax,rbx
9      sub rbx,1
10
11     ;Exit
12     mov eax,1
13     mov ebx,0
14     int 0x80

Compile it with nasm.

darklinux@darklinuxpc:~$ nasm -f elf64 -g reg.asm -o reg.o
darklinux@darklinuxpc:~$ ld reg.o -o reg
darklinux@darklinuxpc:~$ gdb -silent reg

Reading symbols from reg…done.

(gdb) break _start
Breakpoint 1 at 0x400080
(gdb) set disassembly-flavor intel

Define the hook-stop with 2 commands, disassemble _start and info reg $rax $rbx, close with ‘end’.
(gdb) define hook-stop
Type commands for definition of “hook-stop”.
End with a line saying just “end”.
>disassemble _start
>info reg $rax $rbx
>end

(more…)

Read Full Post »

You can use Watchpoint to watch variable’s value changes by single stepping your program.
In this tutorial I use:
-Xubuntu 18.04
-GNU gdb (Ubuntu 8.1-0ubuntu3.2) 8.1.0.20180409-git
-NASM version 2.13.02
-GNU ld (GNU Binutils for Ubuntu) 2.30

Let’s try with a simple assembly code.

1 section .text
2 global _start
3
4 _start:
5
6      mov rax,3
7      mov rbx,2
8      add rax,rbx
9      sub rbx,1
10
11     ;Exit
12     mov eax,1
13     mov ebx,0
14     int 0x80

This program will add 3 to rax register, 2 to rbx register, so rax value will be 3 and rax value will be 2.

Then add rbx register value to rax register value, mean 2+3 =5. The rax register value will be 5.

Subtract rabx register with 1. The rbx register value will be 1 (2-1=1).
Finally, exit the program normally.

Compile it with nasm.

darklinux@darklinuxpc:~$ nasm -f elf64 -g reg.asm -o reg.o
darklinux@darklinuxpc:~$ ld reg.o -o reg

(more…)

Read Full Post »

What is shellcode?
Shellcode is a set of instruction written in machine code which is generally used as payload in the exploitation of software vunerability. Since it starts with command shell that’s why it is named as Shellcode.

It’s the sampel of shellcode:
“\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x21\x0a”

It stands for ‘Hello World!’.

For writing shellcode, you must familiar with Assembly Language programming and target hardware architecture. You can’t write shellcode for 32bit architecture and run in it 64bit architecture because the instruction codes that are loaded into the memory layout is also different.
If you write a program with c language, run it in 32bit architecture, the instruction codes will be loaded above stack but in 64bit it will be loaded above the heap.
It depend also on Operating System used. That’s why shellcode is designed for specific target system that take advantages its vulnerability.

Efficiency is needed when you wrote shellcode because it related with the size of buffer.

In this tutorial, I run the shellcode under Linux Ubuntu 18.04.4 LTS 32 bit in docker container. My hardware architecture is AMD ryzen 64bit. For programming I use gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0 for compiling c code, NASM version 2.13.02 for compiling assembly code and GNU objdump (GNU Binutils for Ubuntu) 2.30 for display machine code.

Writing shellcode also a bit tricky.

I give you an example.
Below is the assembly code to display “hello word!”.
Assembly code 1 (hello1)

1 section .text
2 global _start
3
4 _start:
5
6  ;Display Message
7  mov eax,4 ;syswrite=4
8  mov ebx,1 ;stdout=1
9  mov ecx,msg
10 mov edx,lenmsg
11 int 0x80 ;System Call
12
13 ;Exit
14 mov eax,1
15 mov ebx,0
16 int 0x80
17
18 section .data
19 msg db 'Hello World!',0xa
20 lenmsg equ $ - msg
I compile and run this code.
root@fc9fca692021:/home/darklinux# nasm -f elf32 hello1.asm -o hello1.o
root@fc9fca692021:/home/darklinux# ld hello1.o -o hello1
root@fc9fca692021:/home/darklinux# ./hello1
Hello World!
root@fc9fca692021:/home/darklinux#

It runs perfect.

(more…)

Read Full Post »

The other function of GDB is Text User Interface (TUI). GDB use curses library to show the source file, assembly output, program registers and gdb command in separate windows. The TUI mode is supported only where version of the curses library is available.

Before we start, type the code below and save it to ‘mycode.asm’.

1 section .text
2
3 global _start
4
5 _start:
6
7 mov eax,10
8 mov ebx,20
9 mov ecx,30
10 mov edx,40
11
12 ;exit
13 mov eax,0
14 int 0x80

Then compile with debugger function (-gstab)

$ nasm -f elf32 -gstab mycode.asm -o mycode.o
$ ld mycode.o -o mycode
$

There are few ways to activate TUI.

First you when you open gdb and start TUI directly.

$ gdb -tui

tui03
(more…)

Read Full Post »

Although I prefer the command line interface if I work with gdb, but gdb can be operated in GUI (graphical user interface) mode via front end application DDD (Data Display Debugger).

To install DDD, open your linux terminal and type the command below:

$ sudo apt-get install ddd
[sudo] password for darklinux:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
ddd-doc pydb glibc-doc gnuplot
The following NEW packages will be installed:
ddd
0 upgraded, 1 newly installed, 0 to remove and 310 not upgraded.
Need to get 1,428 kB of archives.
After this operation, 3,920 kB of additional disk space will be used.
Get:1 http://old-releases.ubuntu.com/ubuntu/ oneiric/universe ddd i386 1:3.3.12-2.1 [1,428 kB]
Fetched 1,428 kB in 5s (270 kB/s)
Selecting previously deselected package ddd.
(Reading database ... 152578 files and directories currently installed.)
Unpacking ddd (from .../ddd_1%3a3.3.12-2.1_i386.deb) ...
Processing triggers for man-db ...
Processing triggers for doc-base ...
Processing 2 added doc-base files...
Registering documents with scrollkeeper...
Processing triggers for install-info ...
Processing triggers for gnome-menus ...
Processing triggers for desktop-file-utils ...
Setting up ddd (1:3.3.12-2.1) ...
$

To run the program, type ddd.

$ddd

If installation is correct, you will get this welcome screen.


(more…)

Read Full Post »

The basic idea of using debugger is that you can stop the program and continue the process before it terminates so you examine and identify if there is a problem with program.

In this tutorial, I will show few stepping process after breakpoints.

  1. Continue or c
  2. Next or n
  3. Step or s
  4. Nexti or ni
  5. Stepi or si

To check if the program has already run or not, type: info program.

(gdb) info program
The program being debugged is not being run.

1. Continue
It will resume the program execution until complete or stop at next breakpoint.

Before we start, type the code below and save it to ‘break.asm’.

1 section .text
2 global _start
3 _start:
4
5 mov eax,1111
6 mov ebx,2222
7 call do_nothing1
8 call do_nothing2
9 call do_nothing3
10 mov ecx,3333
11 mov edx,4444
12 call exit
13
14
15 do_nothing1:
16 nop
17 nop
18 ret
19
20 do_nothing2:
21 nop
22 nop
23 ret
24
25 do_nothing3:
26 nop
27 nop
28 ret
29
30 exit:
31 mov eax,1
32 int 0x80

Compile the program without debug function.

$ nasm -f elf32 break.asm -o break.o
$ ld break.o -o break
$ gdb ./break --silent
Reading symbols from /home/darklinux/break...(no debugging symbols found)...done.

(more…)

Read Full Post »

Reverse the program process is very useful when you are debugging and realize that you need to go backward. Instead of re-run the whole process, starting GDB version 7, you can go to the previous process.

There are few reverse that you can do:

  1. reverse-continue or rc
  2. reverse-step or reverse-step count
  3. reverse-stepi
  4. next or reverse-next count
  5. reverse-nexti

Before you use ‘reverse’ command, you need to activate the recording process otherwise you will get an error below:
“Target child does not support this command”.

Let’s try.
Type the code below and save it to ‘break.asm’.

1 section .text
2 global _start
3 _start:
4
5 mov eax,1111
6 mov ebx,2222
7 call do_nothing1
8 call do_nothing2
9 call do_nothing3
10 mov ecx,3333
11 mov edx,4444
12 call exit
13
14
15 do_nothing1:
16 nop
17 nop
18 ret
19
20 do_nothing2:
21 nop
22 nop
23 ret
24
25 do_nothing3:
26 nop
27 nop
28 ret
29
30 exit:
31 mov eax,1
32 int 0x80

reverse01
(more…)

Read Full Post »

Older Posts »