Feeds:
Posts
Comments

Archive for the ‘Programming-Assembly’ Category

What is shellcode?
Shellcode is a set of instruction written in machine code which is generally used as payload in the exploitation of software vunerability. Since it starts with command shell that’s why it is named as Shellcode.

It’s the sampel of shellcode:
“\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x21\x0a”

It stands for ‘Hello World!’.

For writing shellcode, you must familiar with Assembly Language programming and target hardware architecture. You can’t write shellcode for 32bit architecture and run in it 64bit architecture because the instruction codes that are loaded into the memory layout is also different.
If you write a program with c language, run it in 32bit architecture, the instruction codes will be loaded above stack but in 64bit it will be loaded above the heap.
It depend also on Operating System used. That’s why shellcode is designed for specific target system that take advantages its vulnerability.

Efficiency is needed when you wrote shellcode because it related with the size of buffer.

In this tutorial, I run the shellcode under Linux Ubuntu 18.04.4 LTS 32 bit in docker container. My hardware architecture is AMD ryzen 64bit. For programming I use gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0 for compiling c code, NASM version 2.13.02 for compiling assembly code and GNU objdump (GNU Binutils for Ubuntu) 2.30 for display machine code.

Writing shellcode also a bit tricky.

I give you an example.
Below is the assembly code to display “hello word!”.
Assembly code 1 (hello1)

1 section .text
2 global _start
3
4 _start:
5
6  ;Display Message
7  mov eax,4 ;syswrite=4
8  mov ebx,1 ;stdout=1
9  mov ecx,msg
10 mov edx,lenmsg
11 int 0x80 ;System Call
12
13 ;Exit
14 mov eax,1
15 mov ebx,0
16 int 0x80
17
18 section .data
19 msg db 'Hello World!',0xa
20 lenmsg equ $ - msg
I compile and run this code.
root@fc9fca692021:/home/darklinux# nasm -f elf32 hello1.asm -o hello1.o
root@fc9fca692021:/home/darklinux# ld hello1.o -o hello1
root@fc9fca692021:/home/darklinux# ./hello1
Hello World!
root@fc9fca692021:/home/darklinux#

It runs perfect.

(more…)

Read Full Post »

What is Little Endian?
It’s a way of bytes are stored in Computer Memory.

Then what is Little Endian? It’s bytes stored in computer memory where the least significant byte byte occupies the lower memory address.

It will be easier if I show you the sample below:

For Example I have data: abcdefgh or 61,62,63,64,65,66,67,68 in hexadecimal number (a=61 in Ascii table). If it’s loaded in memory, it the order will be:

 d, c, b,a      h, g, f,e
64,63,62,61    68,67,66,65

The easier way, read from right to left per 4 bytes.
endian-mem

(more…)

Read Full Post »

I try to make comparison about Memory Layout between x86-32 bit and x86-64 bit in Linux.

I run 3 different programs, code written in Assembly, C language and python to see how they are loaded into the memory. Then each program I make another 2 copy. So, each language will represent 3 programs.

I use tmux in Linux Terminal, so we can see all programs run together.

Before we start, you have to know the concept behind memory layout in Linux so you will understand what I’m going to explain in this article.

Memory Layout in Linux
For Architecture 32 bit, at the time a program is loaded into memory, all sections of the programs are loaded into each part of the memory. All codes and data which are declared all brought together, even if the source code is separated. The instruction in .text section is loaded into address 0x0804800. Followed by .data section and .bss section. The last address of linux is 0xbFFFFFF.

See the picture below:
memlayout00

In this tutorial, I use AMD processor (Intel compatible). Since the byte order use Little Endian which is start with LSB (lowest significant byte), we have to read the memory from bottom to up.

Virtual Memory Organized
If all programs are loaded in the same location in the memory, why it never over lap each other?
It’s because the program only access the Virtual Memory.
Physical Memory is RAM chip of your computer.
Virtual Memory is the way program think about the memory.
Before a program is loaded in a memory, Linux will search for the empty physical memory that big enough to hold the program. Then it will tell processor to pretend that this memory address is real address of 0x08048000 for the program to stay. After that each program will have it’s own sandbox to play.

Every program will believe that they are stand alone and enjoy all they memory that they have.
So, the address that program believe to use is named Virtual Address meanwhile the real address in the memory chip is named Physical Address.
Process that pointed virtual address to physical address is named Mapping.

Multi tasking in Linux
The Core of Linux is a Block Code that is name Kernel. Memory System is marked as Kernel Space and User Space. Communication in between is handled by System Call. Access to Hardware is limited in software that is run in Kernel Space and only can be done via Kernel Mode Device Drivers.

VDSO (Virtual Dynamically Linked Share Object).
VDSO is memory area allocated in user space for kernel functionalities purpose. It’s kernel mechanism that is used for program to call Kernel Space routines. VDSO use standard mechanism for linking and loading ELF format (Executable and Linkable Format).

(more…)

Read Full Post »

The basic idea of using debugger is that you can stop the program and continue the process before it terminates so you examine and identify if there is a problem with program.

In this tutorial, I will show few stepping process after breakpoints.

  1. Continue or c
  2. Next or n
  3. Step or s
  4. Nexti or ni
  5. Stepi or si

To check if the program has already run or not, type: info program.

(gdb) info program
The program being debugged is not being run.

1. Continue
It will resume the program execution until complete or stop at next breakpoint.

Before we start, type the code below and save it to ‘break.asm’.

1 section .text
2 global _start
3 _start:
4
5 mov eax,1111
6 mov ebx,2222
7 call do_nothing1
8 call do_nothing2
9 call do_nothing3
10 mov ecx,3333
11 mov edx,4444
12 call exit
13
14
15 do_nothing1:
16 nop
17 nop
18 ret
19
20 do_nothing2:
21 nop
22 nop
23 ret
24
25 do_nothing3:
26 nop
27 nop
28 ret
29
30 exit:
31 mov eax,1
32 int 0x80

Compile the program without debug function.

$ nasm -f elf32 break.asm -o break.o
$ ld break.o -o break
$ gdb ./break --silent
Reading symbols from /home/darklinux/break...(no debugging symbols found)...done.

(more…)

Read Full Post »

Reverse the program process is very useful when you are debugging and realize that you need to go backward. Instead of re-run the whole process, starting GDB version 7, you can go to the previous process.

There are few reverse that you can do:

  1. reverse-continue or rc
  2. reverse-step or reverse-step count
  3. reverse-stepi
  4. next or reverse-next count
  5. reverse-nexti

Before you use ‘reverse’ command, you need to activate the recording process otherwise you will get an error below:
“Target child does not support this command”.

Let’s try.
Type the code below and save it to ‘break.asm’.

1 section .text
2 global _start
3 _start:
4
5 mov eax,1111
6 mov ebx,2222
7 call do_nothing1
8 call do_nothing2
9 call do_nothing3
10 mov ecx,3333
11 mov edx,4444
12 call exit
13
14
15 do_nothing1:
16 nop
17 nop
18 ret
19
20 do_nothing2:
21 nop
22 nop
23 ret
24
25 do_nothing3:
26 nop
27 nop
28 ret
29
30 exit:
31 mov eax,1
32 int 0x80

reverse01
(more…)

Read Full Post »

In this tutorial, I will show you how to set break point in gnu debugger. Break point is very useful if you want to observe a program flow, find a debug in it or do reverse engineering. Using break point, you can jump the process directly to your pointer and stop the program.

Let’s find out more details about it.
Type the code below and save it to ‘break.asm’.

1 section .text
2 global _start
3 _start:
4
5 mov eax,1111
6 mov ebx,2222
7 mov ecx,3333
8 mov edx,4444
9
10 push eax
11 push ebx
12 push ecx
13 push edx
14
15
16 mov eax,1
17 int 0x80

To activate the debugging function, you have to add option -gstabs when you compile a program.

$ nasm -f elf32 -gstabs break.asm -o break.o && ld break.o -o break
$

Run with program with gdb (gnu debugger).

$ gdb ./break
GNU gdb (Ubuntu/Linaro 7.3-0ubuntu2) 7.3-2011.08
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /home/darklinux/break...done.
(gdb)

Display the source code from line 1 to 20.

(gdb) list 1,20
1 section .text
2 global _start
3 _start:
4
5 mov eax,1111
6 mov ebx,2222
7 mov ecx,3333
8 mov edx,4444
9
10 push eax
11 push ebx
12 push ecx
13 push edx
14
15
16 mov eax,1
17 int 0x80
(gdb)

(more…)

Read Full Post »

To get input from user, we can use sys_call no.3 with file descriptor in ebx which is 0 (stdin).
Type the code below, save to input.asm, assemble, link and run.

1 section .text
2 global _start
3 _start:
4 %macro printmsg 2
5 mov eax,4
6 mov ebx,1
7 mov ecx,%1
8 mov edx,%2
9 int 0x80
10 %endmacro
11 %macro getinput 1
12 mov eax,3
13 mov ebx,0
14 mov ecx,name
15 mov edx,10
16 int 0x80
17 %endmacro
18
19 printmsg msg1,lengmsg1 ;enter name
20 getinput name ;get input
21 printmsg msg2,lenmsg2 ;print hello
22 printmsg name,6 ;print name
23 printmsg newline,1 ;new line
24 printmsg msg3,lenmsg3 ;print welcome
25
26 mov eax,1 ;exit
27 int 0x80
28
29 section .data
30 msg1 db 'Please, enter your name (6 chars)?',0xA
31 lengmsg1 equ $ - msg1
32 msg2 db 'Hello '
33 lenmsg2 equ $ - msg2
34 msg3 db 'Welcome to assembly programming',0xA
35 lenmsg3 equ $ - msg3
36 newline db 0xA
37 section .bss
38 name resb 0

Compile and run the program

$ nasm -f elf32 input.asm -o input.o && ld input.o -o input
$ ./input
Please, enter your name (6 chars)?
Taufan
Hello Taufan
Welcome to assembly programming
$

Read Full Post »

Older Posts »