Feeds:
Posts
Comments

Archive for the ‘Programming-Assembly’ Category

You can set breakpoint with a condition. This is very useful if want to observe a certain location and stop it if the condition is reach.

In this tutorial I use:
-Xubuntu 18.04
-GNU gdb (Ubuntu 8.1-0ubuntu3.2) 8.1.0.20180409-git
-NASM version 2.13.02
-GNU ld (GNU Binutils for Ubuntu) 2.30

Use the simple assembly code below:

1  section .text
2  global _start
3
4  _start:
5
6      mov rax,3
7      mov rbx,2
8      add rax,rbx
9      sub rbx,1
10
11     ;Exit
12     mov eax,1
13     mov ebx,0
14     int 0x80

(more…)

Read Full Post »

This is one of my favorite function in gdb. It will make your life easier instead of typing repetition commands. Hook is a user defined command but you have to combine with a pseudo-command that already exist.

For example, you want to disassemble a program code and display the value of the program register every time you stop the process. Instead of typing 2 commands every time its stop, you can define it into one command with hook.

(gdb) define hook-stop

Type commands for definition of “hook-stop”.
End with a line saying just “end”.
>disassemble _start
>info reg $rax $rbx
>end

Let’s try.
In this tutorial I use:
-Xubuntu 18.04
-GNU gdb (Ubuntu 8.1-0ubuntu3.2) 8.1.0.20180409-git
-NASM version 2.13.02
-GNU ld (GNU Binutils for Ubuntu) 2.30

Use the simple assembly code below:

1 section .text
2 global _start
3
4 _start:
5
6      mov rax,3
7      mov rbx,2
8      add rax,rbx
9      sub rbx,1
10
11     ;Exit
12     mov eax,1
13     mov ebx,0
14     int 0x80

Compile it with nasm.

darklinux@darklinuxpc:~$ nasm -f elf64 -g reg.asm -o reg.o
darklinux@darklinuxpc:~$ ld reg.o -o reg
darklinux@darklinuxpc:~$ gdb -silent reg

Reading symbols from reg…done.

(gdb) break _start
Breakpoint 1 at 0x400080
(gdb) set disassembly-flavor intel

Define the hook-stop with 2 commands, disassemble _start and info reg $rax $rbx, close with ‘end’.
(gdb) define hook-stop
Type commands for definition of “hook-stop”.
End with a line saying just “end”.
>disassemble _start
>info reg $rax $rbx
>end

(more…)

Read Full Post »

You can use Watchpoint to watch variable’s value changes by single stepping your program.
In this tutorial I use:
-Xubuntu 18.04
-GNU gdb (Ubuntu 8.1-0ubuntu3.2) 8.1.0.20180409-git
-NASM version 2.13.02
-GNU ld (GNU Binutils for Ubuntu) 2.30

Let’s try with a simple assembly code.

1 section .text
2 global _start
3
4 _start:
5
6      mov rax,3
7      mov rbx,2
8      add rax,rbx
9      sub rbx,1
10
11     ;Exit
12     mov eax,1
13     mov ebx,0
14     int 0x80

This program will add 3 to rax register, 2 to rbx register, so rax value will be 3 and rax value will be 2.

Then add rbx register value to rax register value, mean 2+3 =5. The rax register value will be 5.

Subtract rabx register with 1. The rbx register value will be 1 (2-1=1).
Finally, exit the program normally.

Compile it with nasm.

darklinux@darklinuxpc:~$ nasm -f elf64 -g reg.asm -o reg.o
darklinux@darklinuxpc:~$ ld reg.o -o reg

(more…)

Read Full Post »

What is shellcode?
Shellcode is a set of instruction written in machine code which is generally used as payload in the exploitation of software vunerability. Since it starts with command shell that’s why it is named as Shellcode.

It’s the sampel of shellcode:
“\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x21\x0a”

It stands for ‘Hello World!’.

For writing shellcode, you must familiar with Assembly Language programming and target hardware architecture. You can’t write shellcode for 32bit architecture and run in it 64bit architecture because the instruction codes that are loaded into the memory layout is also different.
If you write a program with c language, run it in 32bit architecture, the instruction codes will be loaded above stack but in 64bit it will be loaded above the heap.
It depend also on Operating System used. That’s why shellcode is designed for specific target system that take advantages its vulnerability.

Efficiency is needed when you wrote shellcode because it related with the size of buffer.

In this tutorial, I run the shellcode under Linux Ubuntu 18.04.4 LTS 32 bit in docker container. My hardware architecture is AMD ryzen 64bit. For programming I use gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0 for compiling c code, NASM version 2.13.02 for compiling assembly code and GNU objdump (GNU Binutils for Ubuntu) 2.30 for display machine code.

Writing shellcode also a bit tricky.

I give you an example.
Below is the assembly code to display “hello word!”.
Assembly code 1 (hello1)

1 section .text
2 global _start
3
4 _start:
5
6  ;Display Message
7  mov eax,4 ;syswrite=4
8  mov ebx,1 ;stdout=1
9  mov ecx,msg
10 mov edx,lenmsg
11 int 0x80 ;System Call
12
13 ;Exit
14 mov eax,1
15 mov ebx,0
16 int 0x80
17
18 section .data
19 msg db 'Hello World!',0xa
20 lenmsg equ $ - msg
I compile and run this code.
root@fc9fca692021:/home/darklinux# nasm -f elf32 hello1.asm -o hello1.o
root@fc9fca692021:/home/darklinux# ld hello1.o -o hello1
root@fc9fca692021:/home/darklinux# ./hello1
Hello World!
root@fc9fca692021:/home/darklinux#

It runs perfect.

(more…)

Read Full Post »

What is Little Endian?
It’s a way of bytes are stored in Computer Memory.

Then what is Little Endian? It’s bytes stored in computer memory where the least significant byte byte occupies the lower memory address.

It will be easier if I show you the sample below:

For Example I have data: abcdefgh or 61,62,63,64,65,66,67,68 in hexadecimal number (a=61 in Ascii table). If it’s loaded in memory, it the order will be:

 d, c, b,a      h, g, f,e
64,63,62,61    68,67,66,65

The easier way, read from right to left per 4 bytes.
endian-mem

(more…)

Read Full Post »

I try to make comparison about Memory Layout between x86-32 bit and x86-64 bit in Linux.

I run 3 different programs, code written in Assembly, C language and python to see how they are loaded into the memory. Then each program I make another 2 copy. So, each language will represent 3 programs.

I use tmux in Linux Terminal, so we can see all programs run together.

Before we start, you have to know the concept behind memory layout in Linux so you will understand what I’m going to explain in this article.

Memory Layout in Linux
For Architecture 32 bit, at the time a program is loaded into memory, all sections of the programs are loaded into each part of the memory. All codes and data which are declared all brought together, even if the source code is separated. The instruction in .text section is loaded into address 0x0804800. Followed by .data section and .bss section. The last address of linux is 0xbFFFFFF.

See the picture below:
memlayout00

In this tutorial, I use AMD processor (Intel compatible). Since the byte order use Little Endian which is start with LSB (lowest significant byte), we have to read the memory from bottom to up.

Virtual Memory Organized
If all programs are loaded in the same location in the memory, why it never over lap each other?
It’s because the program only access the Virtual Memory.
Physical Memory is RAM chip of your computer.
Virtual Memory is the way program think about the memory.
Before a program is loaded in a memory, Linux will search for the empty physical memory that big enough to hold the program. Then it will tell processor to pretend that this memory address is real address of 0x08048000 for the program to stay. After that each program will have it’s own sandbox to play.

Every program will believe that they are stand alone and enjoy all they memory that they have.
So, the address that program believe to use is named Virtual Address meanwhile the real address in the memory chip is named Physical Address.
Process that pointed virtual address to physical address is named Mapping.

Multi tasking in Linux
The Core of Linux is a Block Code that is name Kernel. Memory System is marked as Kernel Space and User Space. Communication in between is handled by System Call. Access to Hardware is limited in software that is run in Kernel Space and only can be done via Kernel Mode Device Drivers.

VDSO (Virtual Dynamically Linked Share Object).
VDSO is memory area allocated in user space for kernel functionalities purpose. It’s kernel mechanism that is used for program to call Kernel Space routines. VDSO use standard mechanism for linking and loading ELF format (Executable and Linkable Format).

(more…)

Read Full Post »

The basic idea of using debugger is that you can stop the program and continue the process before it terminates so you examine and identify if there is a problem with program.

In this tutorial, I will show few stepping process after breakpoints.

  1. Continue or c
  2. Next or n
  3. Step or s
  4. Nexti or ni
  5. Stepi or si

To check if the program has already run or not, type: info program.

(gdb) info program
The program being debugged is not being run.

1. Continue
It will resume the program execution until complete or stop at next breakpoint.

Before we start, type the code below and save it to ‘break.asm’.

1 section .text
2 global _start
3 _start:
4
5 mov eax,1111
6 mov ebx,2222
7 call do_nothing1
8 call do_nothing2
9 call do_nothing3
10 mov ecx,3333
11 mov edx,4444
12 call exit
13
14
15 do_nothing1:
16 nop
17 nop
18 ret
19
20 do_nothing2:
21 nop
22 nop
23 ret
24
25 do_nothing3:
26 nop
27 nop
28 ret
29
30 exit:
31 mov eax,1
32 int 0x80

Compile the program without debug function.

$ nasm -f elf32 break.asm -o break.o
$ ld break.o -o break
$ gdb ./break --silent
Reading symbols from /home/darklinux/break...(no debugging symbols found)...done.

(more…)

Read Full Post »

Reverse the program process is very useful when you are debugging and realize that you need to go backward. Instead of re-run the whole process, starting GDB version 7, you can go to the previous process.

There are few reverse that you can do:

  1. reverse-continue or rc
  2. reverse-step or reverse-step count
  3. reverse-stepi
  4. next or reverse-next count
  5. reverse-nexti

Before you use ‘reverse’ command, you need to activate the recording process otherwise you will get an error below:
“Target child does not support this command”.

Let’s try.
Type the code below and save it to ‘break.asm’.

1 section .text
2 global _start
3 _start:
4
5 mov eax,1111
6 mov ebx,2222
7 call do_nothing1
8 call do_nothing2
9 call do_nothing3
10 mov ecx,3333
11 mov edx,4444
12 call exit
13
14
15 do_nothing1:
16 nop
17 nop
18 ret
19
20 do_nothing2:
21 nop
22 nop
23 ret
24
25 do_nothing3:
26 nop
27 nop
28 ret
29
30 exit:
31 mov eax,1
32 int 0x80

reverse01
(more…)

Read Full Post »

Older Posts »