Xathrya Sabertooth

Windows Assembly Language Primer – Video Tutorial
OllyDbg Quick Start – Commands Table
Comparison of Intel (nasm) and AT&T (gas) Assembler Format

Windows Assembly Language Primer – Video Tutorial

Posted: 20 Aug 2013 08:53 AM PDT

If previous article provide video tutorial for assembly programming in Linux, in this occasion we will cover about assembly in Windows.

Programming in Assembly is not as easy as higher level language. The main factor is because you can’t find syntax such as if, while, etc.

However one of our kind heart friend from SecurityTube has made us a very interesting video for learning Assembly. Here the list of video. Please bear in mind that I don’t made these and I have no claim over it. As stated in other page, this site and NEST is originally serve a purpose as personal documentation.

These videos are actually good starter for anyone who want to dive deeper in computer field, especially who have interest in cracking, exploitation, etc.

The tutorials consists of nine modules. For some modules, there are source code accompanying. You can either download each file individually or download it as a pack. Note that this series is continuation of previous series, therefore please read and at least know assembly before go to this page.

Module 1 – Processor Mode

we will look at the different processor modes – Real, Protected, Virtual 8086, SMM etc., then we will understand the different memory models – Flat and Segmented, and how they apply to Real and Protected mode. We will then look at the key differences between the AT&T and Intel syntax for assembly. Once we have understood all these basics, we will code a “Hello World” program which will run in real mode, using 16 bit assembly and assemble it using the Debug program which ships by default with Windows.

Download: EmbedUpload | MirrorCreator

Module 2 – Protected Mode Assembly

In this video, we will understand the basics of Protected mode operation and then look at Windows assembly basics. It is important to note that Windows runs in Protected mode. We then look at how to compile and link assembly language programs using MASM and LINK. We go on to create a HelloWorld program in 32-bit assembly.

Download: EmbedUpload | MirrorCreator

Module 3 – Win32 Assembly Using Masm32

In this video, you will be introduced to MASM32 and why it’s runtime library is a good choice. We will install and use MASM32 to program 3 examples in this video – Console mode HelloWorld, Windows HelloWorld and a simple program to print user input. These will teach you how to use the MASM32 library effectively.

Download: EmbedUpload | MirrorCreator

Files for this module: HelloMasm32.asm | HelloWindows.asm | Reflect.asm

Module 4 – Masm Data Types

In this video, we will look at different data types which can be defined in MASM – byte, word, dword, qword, fword, sbyte, sword etc. and also how to declare and initialize variables with them. Then we will learn about more complicated data types – arrays and strings. Finally, we will code a simple calculator program for addition and subtraction in assembly. The inputs will be read from the user.

Download: EmbedUpload | MirrorCreator

File for this Module: Numbers.asm

Module 5 – Procedures

In this video, we will understand how to write procedures in Assembly language. The whole idea is to first create a prototype definiation for the procedure, then the define it and finally call in in code.

Download: EmbedUpload | MirrorCreator

File for this Module: Concat.asm | InputProc.asm

Module 6 – Macros

In this video, we will understand how to write Macros in Assembly language. Most of you may have already used Macros in high level languages like C, and the assembly macro writing is almost similar.

Download: EmbedUpload | MirrorCreator

File for this Module: MacroDemo.asm

Module 7 – Program Control Using Jmp

In this video, we will learn how to change the program flow using JMP family of instructions – both conditional and unconditional.

Download: EmbedUpload | MirrorCreator

File for this Module: StringReverse.asm | MultiPrint.asm

Module 8 – Decision Directives

In this video, we will learn how to use conditional statements such as If, Else and Elseif to write code in assembly.

Download: EmbedUpload | MirrorCreator

File for this Module: IfDemo.asm

Module 9 – Loops

In this video, we will learn how to use loops in assembly. We will touch upon the basic LOOP mnemonic, its variations such as LOOPE, LOOPZ etc. based on processor flags, along with WHILE and REPEAT loops. An interesting fact is the use of the IF statement with the BREAK and CONTINUE ones, to change how a loop executes.

Download: EmbedUpload | MirrorCreator

File for this Module: LoopDemo.asm and WhileDemo.asm

OllyDbg Quick Start – Commands Table

Posted: 20 Aug 2013 08:49 AM PDT

Read this for quick start. Consult help file for details and more features.

The OllyDbg version used here is OllyDbg version 1.10

Frequently used menu functions

Function	Window	Menu command	Shortcut
Edit memory as binary, ASCII or UNICODE string	Disassembler, Stack Dump	Binary\|Edit	Ctrl+E
Undo changes	Disassembler, Dump Registers	Undo selection Undo	Alt+BkSp
Run application	Main	Debug\|Run	F9
Run to selection	Disassembler	Breakpoint\|Run to selection	F4
Execute till return	Main	Debug\|Execute till return	Ctrl+F9
Execute till user code	Main	Debug\|Execute till user code	Alt+F9
Set/reset INT3 breakpoint	Disassembler Names, Source	Breakpoint\|Toggle Toggle breakpoint	F2
Set/edit conditional INT3 breakpoint	Disassembler Names, Source	Breakpoint\|Conditional Conditional breakpoint	Shift+F2
Set/edit conditional logging breakpoint (logs into the Log window)	Disassembler Names, Source	Breakpoint\|Conditional log Conditional log breakpoint	Shift+F4
Temporarily disable/restore INT3 breakpoint	Breakpoints	Disable Enable	Space
Set memory breakpoint (only one is allowed)	Disassembler, Dump	Breakpoint\|Memory, on access Breakpoint\|Memory, on write
Remove memory breakpoint	Disassembler, Dump	Breakpoint\|Remove memory breakpoint
Set hardware breakpoint (ME/NT/2000 only)	Disassembler, Dump	Breakpoint\|Hardware (select type and size!)
Remove hardware breakpoint	Main	Debug\|Hardware breakpoints
Set single-short break on access to memory block (NT/2000 only)	Memory	Set break-on-access	F2
Set break on module, thread, debug string	Options	Events
Set new origin	Disassembler	New origin here
Display list of all symbolic names	Disassembler, Dump Modules	Search for\|Name (label) View names	Ctrl+N
Context-sensitive help (requires external help file!)	Disassembler, Names	Help on symbolic name	Ctrl+F1
Find all references in code to selected address range	Disassembler Dump	Find references to\|Command Find references	Ctrl+R
Find all references in code to the constant	Disassembler	Find references to\|Constant Search for\|All constants
Search whole allocated memory	Memory	Search Search next	Ctrl+L
Go to address or value of expression	Disassembler Dump	Go to\|Expression Go to expression	Ctrl+G
Go to previous address/run trace item	Disassembler	Go to\|Previous	Minus
Go to next address/run trace item	Disassembler	Go to\|Next	Plus
Go to previous procedure	Disassembler	Go to\|Previous procedure	Ctrl+Minus
Go to next procedure	Disassembler	Go to\|Next procedure	Ctrl+Plus
View executable file	Disassembler, Dump, Modules	View\|Executable file
Copy changes to executable file	Disassembler	Copy to executable file
Analyse executable code	Disassembler	Analysis\|Analyse code	Ctrl+A
Scan object files and libraries	Disassembler	Scan object files	Ctrl+O
View resources	Modules, Memory	View all resources View resource strings
Suspend/resume thread	Threads	Suspend Resume
Display relative addresses	Disassembler, Dump, Stack	Doubleclick address
Copy	Most of windows	Copy to clipboard	Ctrl+C

Frequently used global shortcuts

Ctrl+F2	Restart program
Alt+F2	Close program
F3	Open new program
F5	Maximize/restore active window
Alt+F5	Make OllyDbg topmost
F7	Step into (entering functions)
Ctrl+F7	Animate into (entering functions)
F8	Step over (executing function calls at once)
Ctrl+F8	Animate over (executing function calls at once)
F9	Run
Shift+F9	Pass exception to standard handler and run
Ctrl+F9	Execute till return
Alt+F9	Execute till user code
Ctrl+F11	Trace into
F12	Pause
Ctrl+F12	Trace over
Alt+B	Open Breakpoints window
Alt+C	Open CPU window
Alt+E	Open Modules window
Alt+L	Open Log window
Alt+M	Open Memory window
Alt+O	Open Options dialog
Ctrl+T	Set condition to pause Run trace
Alt+X	Close OllyDbg

Frequently used Disassembler shortcuts

F2	Toggle breakpoint
Shift+F2	Set conditional breakpoint
F4	Run to selection
Alt+F7	Go to previous reference
Alt+F8	Go to next reference
Ctrl+A	Analyse code
Ctrl+B	Start binary search
Ctrl+C	Copy selection to clipboard
Ctrl+E	Edit selection in binary format
Ctrl+F	Search for a command
Ctrl+G	Follow expression
Ctrl+J	Show list of jumps to selected line
Ctrl+K	View call tree
Ctrl+L	Repeat last search
Ctrl+N	Open list of labels (names)
Ctrl+O	Scan object files
Ctrl+R	Find references to selected command
Ctrl+S	Search for a sequence of commands
Asterisk (*)	Origin
Enter	Follow jump or call
Plus (+)	Go to next location/next run trace item
Minus (-)	Go to previous location/previous run trace item
Space ( )	Assemble
Colon (:)	Add label
Semicolon (;)	Add comment

Comparison of Intel (nasm) and AT&T (gas) Assembler Format

Posted: 20 Aug 2013 08:46 AM PDT

This article will explains some of the more important syntactic and semantic differences between two different assembler style: Intel and AT&T. The AT&T style is used by GNU Assembler (GAS) and the Intel style used by Netwide Assembler (NASM).

Although the goal of this article would be specifically show the differences between syntax, the source codes provided here has been tested on Linux machine using corresponding assembler. This article is written in purpose to help you more easily convert from one flavor of assembler to another.

Building the Program

When there is a source code involved, you can use following command to build the example. Do assembling and linking, depend on your compiler.

Assembling

ELF (Executable and Linkable Format) is executable format used by Linux.

nasm -f elf -o program.o program.asm

as -o program.o program.s

Linking

ld -o program program.o

Linking when an external C library used

ld --dynamic-linker /lib/ld-linux.so.2 -lc -o program program.o

Basic Structure

The structure of a program is at least consists of a section for code, heap, and stack.

; Intel format    ; Text segment begins  section .text       global _start    ; Program entry point     _start:    ; codes are written here

# AT&T format    # Text segment begins  .section .text       .globl _start    # Program entry point     _start:    # codes are written here

1. Operands Order

One of the noticeable difference between the AT&T and Intel formats is the way they refer to source and destination operands within an instruction. The order of source and destination operand are swapped each other.

Under Intel format, after the instruction come destination followed by a comma and the source operand (the first operand is the destination). Under the AT&T these roles are reversed: the source comes before the comma and the destination (the first operand is source).

; Intel format    PUSH EBP  MOV EBP, ESP  SUB ESP, 48  CMP [EBP+4], 10

# AT&amp;T format    pushl %ebp  movl %esp, %ebp  subl $0X48, %esp

At first glance, AT&T is likely more natural as we read and write from left to right. However, this lead to some flaw and inconsistencies (won’t be discussed here).

The primary reason of AT&T source-operand order is due to the VAX assembly format for which the AT&T was originally invented. The Motorola 68000 and its descendents were heavily influenced by the VAX. Likewise, their assembly language format moves in this direction as well.

2. Naming

2.1 Value & Register Naming

AT&T is quite famous for it’s heavy use of prefixes. In AT&T, registers are prefixed with a ‘%’ and immediate value are prefixed with a ‘$’. Intel in other hand, use plain naming for registers and immediate value.

Intel syntax sure doesn’t use prefix for writing register. However it uses a suffix to distinguish hexadecimal and binary number from decimal. The ‘h’ suffix used for hexadecimal number and the ‘b’ suffix used for binary number. Also, Intel use 0 in front of the hexadecimal number, while AT&T use 0x.

; Intel format    MOV EAX, 1  MOV EBX, 0FFh  INT 80h

# AT&T format    movl $1, %eax  movl $0xFF, %ebx  int $0x80

2.2 Instruction Naming

AT&T format use slightly different names than the Intel format. They differ in keeping with VAX and Motorola traditions where instruction names include a suffix which describes the size of the data they modify. Under Intel format, these data size directives are normally described using the ‘BYTE PTR’, ‘WORD PTR’, ‘DWORD PTR’, prefix phrases.

; Intel format    MOVZX EAX, BYTE PTR [ESI+5]  SUB EAX, 30  DEC WORD PTR [EBX]  INC CX  CMP AL,5

# AT&T format    movzbl 0x5(%esi), %eax  subl $0x30, %eax  decw (%ebx)  incw %cx  cmpb $0x5, %al

Under AT&T format, instruction suffixes are “b” for byte size operations (8-bits), “w” for word size operations (16-bits), “l” for double-word operations (32-bits), and “q” for quad-word operations (64-bits). As you may notice in the ‘movzbl’ (Move with zero-extend) instruction, more than one suffix letter is used when an instruction’s source and destination operand differ in size. The first suffix letter describes the source operand while the second letter describes the destination.

3. Memory Addressing

Under Intel format, memory addressing is simple calculation of address enclosed by ‘[' and ']‘. The AT&T format in other hand use ‘(‘ and ‘)’ to enclose it.

3.1 Indirect Addressing Mode

Recall to x86 assembly language, there are five indirect addressing modes when writing an instruction:

immediate indirect
register indirect
base register + offset indirect
index register * width + offset indirect
and base register + index register * width + offset indirect.

; Intel format    ; Immediate  MOV EAX, [0100]    ; Register  MOV EAX, [ESI]    ; Register + Offset  MOV EAX, [EBP-8]    ; Register * Width + Offset  MOV EAX, [EBX*4 + 0100]    ; Base + Register*Width + Offset  MOV EAX, [EDX + EBX*4 + 8]

# Intel format    # Immediate  movl 0x0100, %eax    # Register  movl (%esi), %eax    # Register + Offset  movl -8(%ebp), %eax    # Register * Width + Offset  movl 0x100(,%ebx,4), %eax    # Base + Register*Width + Offset  movl 0x8(%edx, %ebx,4), %eax

Under AT&T format, indirect addressing mode are written to the general form of “OFFSET(BASE, INDEX, WIDTH)”. OFFSET, if present, must be a constant integer. BASE and INDEX, if either is present, must be registers. WIDTH, if present, applies to the register named in Index, and must be the constant 1,2, 4, 8. If width is not specified, the default constant 1 is taken.

Under Intel, indirect addressing is as simple as math formula “[BASE + INDEX*WIDTH + OFFSET] using the same terminology as used by AT&T format.

Under AT&T, all immediate addresses are written simply as an OFFSET with a missing BASE, INDEX, and WIDTH parameter. The immediate indirect address is written by itself with no special prefix or suffix characters.

Proyek Teknologi

Rabu, 21 Agustus 2013