Saturday 21 December 2013

SensePost crash course in x86 assembly

I wrote a crash course in x86 assembly for the malware analysis workshop that we gave during 44con 2013. It can be downloaded from here. The table of contents is as follows:

1.1 Introduction
1.2 Bits, bytes, words, double words
1.3 Registers
1.3.1 General purpose registers
1.3.2 Segment registers
1.3.3 Status flag registers
1.3.4 EIP – Extended Instruction Pointer
1.4 Segments & offsets
1.4.1 The stack
1.4.2 Stack frames
1.4.3 The heap
1.5 Instructions
1.5.1 Arithmetic operations – ADD, SUB, MUL, IMUL, DIV, IDIV
1.5.2 Bitwise operations – AND, OR, XOR, NOT
1.5.3 Branching – JMP, JE, JLE, JNZ, JZ, JBE, JGE
1.5.4 Data moving – MOV, MOVS, MOVSB, MOVSW, MOVZX, MOVSX, LEA
1.5.5 Loops – LOOP, REP
1.5.6 Stack management – POP, PUSH
1.5.7 Functions – CALL, RET
1.5.8 Interrupts, debugger traps – INT, trap flag
1.6 Calling conventions
1.6.1 stdcall
1.6.2 cdecl
1.6.3 pascal
1.6.4 fastcall
1.6.5 Other calling conventions
1.7 C to x86 assembly
1.7.1 Single-branch conditionals
1.7.2 Two-way conditionals
1.7.3 Logical operations – AND
1.7.4 Logical operations – OR
1.7.5 Loops
1.7.6 Function calls
1.8 Reverse engineering tools
1.8.1 OllyDBG tutorials
1.8.2 IDA Pro tutorials

1.1 Introduction

The hardest part of learning x86 assembly in 2013 is finding good tutorials. As the popularity of low-level languages decreases, the incentive to create fresh, up-to-date tutorials is limited. At the same time, x86 assembly is critical in many security-related fields such as malware analysis, vulnerability research and exploit development.

This document was created to address the lack of tutorials in a fast, pedagogical and cheap manner. While it is not a complete introduction, it covers enough to give careful readers the knowledge base needed to decipher non-obfuscated assembly, and it does so in fewer than thirty pages.

For pedagogical reasons, the focus is kept to what the reader is assumed to already know about C or C-based languages (like Java or C#). Hopefully this minimizes the confusion that usually appears when people try to learn a stack-based language for the first time.


Enjoy and let me know if you have any questions.
// Ani

Sunday 17 February 2013

Reading instructions to learn x86 assembly in 2013


To be able to recognize C code structures in assembly you need to know assembly. The hardest part of learning assembly in 2013 is actually finding good reading material. I know because I spent two years teaching myself assembly and read a lot of utterly useless books, for example the 1,700-page book by Randall Hyde called “The Art of Assembly”. Below I present a handpicked list of reading material, ordered from beginner to advanced.


1. Lena151 assembly guide. This is actually one thing that is good about Lena’s tutorials: it shows you the most basic parts and is only 20 pages long!

2. The first 200 pages of the old book “Assembly Language Step-by-Step: Programming with DOS and Linux” by Jeff Duntemann. This is a must-read. If you don’t read this, you’ll extend the learning curve by years. The way Duntemann ties assembly programming to the inner workings of computer systems and CPUs is just amazing.

3. The following chapters in Eldad Eilam’s book “Reversing – Secrets of Reverse Engineering”. Read these chapters in the order I present them:
   1. Appendix A – Deciphering Code Structures
   2. Appendix B – Understanding Compiled Arithmetic
   3. Chapter 2 – Low Level Software
   4. Chapter 3 – Windows Fundamentals

That makes about 250 pages in Eldad’s book, and you should quite honestly never waste your time reading the rest of it, as he dives into hands-on approaches but uses terrible reverse engineering examples.

4. All chapters in “Part 2 – Advanced Static Analysis” from the book “Practical Malware Analysis” by No Starch Press.
   1. Chapter 4 – A Crash Course in x86 Disassembly
   2. Chapter 5 – IDA Pro
   3. Chapter 6 – Recognizing C Code Constructs in Assembly
   4. Chapter 7 – Analyzing Malicious Windows Programs

The four mentioned chapters take up less than 100 pages of the book. Practical Malware Analysis is, however, a great book written by some of the best in the industry and should be read cover to cover later on, but for a beginner these chapters are enough.

That is the suggested reading for newbies in both reverse engineering and assembly. If you want to be a more advanced reverser, there is some more reading that really needs to be done.

5. Wrox Professional Assembly Language – a great book. It covers most of the features you have already read about, a little deeper. Great for repeating and fortifying your knowledge base.

6. The Intel Software Developer’s Manual is around 4000 pages, of which the majority is must-read. I have read the following parts:
   1. Volume 1, “Basic Architecture”, explains the basics of Intel CPUs. It lets you know more about features such as the MMX instruction set extensions. This part is a little more than 500 pages and contains 15 chapters. Again, it is an introduction and basics volume; the more advanced version is Volume 3, “System Programming Guide”.
   2. Volume 3, “System Programming Guide”, is an absolute must, especially for reversers. It is critical for a reverser to know the protection system (ring 0 to 4), interrupt and exception handling, debugging instructions, virtual machine control instructions and so on. This volume is around 1600 pages, and it is very good to read it cover to cover at least once.

No doubt you will find very skilled reverse engineers or programmers who will tell you they never read any of these documents, and especially not the Intel Software Developer’s Manual. Most reversers only use it when they need to look up opcodes or which flags are set by which instruction.
But many of these people have picked up the same knowledge from other sources during a lifetime of programming, or they simply lack this knowledge.
These days the rapid development of IT forces newbies to take shortcuts. The world needs more and better reverse engineers now, not in twenty years. If you follow these reading suggestions, you decrease your learning time to 1 to 1.5 years.

Happy hacking!
/Ani