Saturday 21 December 2013

SensePost crash course in x86 assembly

I wrote a crash course in x86 assembly for the malware analysis workshop that we gave during 44con 2013. It can be downloaded from here. The table of contents is as follows:

1.1  Introduction
1.2  Bits, bytes, words, double words
1.3  Registers
1.3.1  General purpose registers
1.3.2  Segment registers
1.3.3  Status flag registers
1.3.4  EIP - Extended Instruction Pointer
1.4  Segments & offsets
1.4.1  The stack
1.4.2  Stack frames
1.4.3  The Heap
1.5  Instructions
1.5.1  Arithmetic operations - ADD , SUB, MUL, IMUL, DIV, IDIV
1.5.2  Bitwise operations – AND, OR, XOR, NOT
1.5.3  Branching – JMP, JE, JLE, JNZ, JZ, JBE, JGE
1.5.4  Data moving – MOV, MOVS, MOVSB, MOVSW, MOVZX, MOVSX, LEA
1.5.5  Loops – LOOP, REP
1.5.6  Stack management – POP, PUSH
1.5.7  Functions – CALL, RET
1.5.8  Interrupts, Debugger traps – INT, trap flag
1.6  Calling conventions
1.6.1  stdcall
1.6.2  cdecl
1.6.3  pascal
1.6.4  fastcall
1.6.5  Other calling conventions
1.7  C to x86 assembly
1.7.1  Single-Branch Conditionals
1.7.2  Two-way Conditionals
1.7.3  Logical operations - AND
1.7.4  Logical operations - OR
1.7.5  Loops
1.7.6  Function calls
1.8  Reverse engineering tools
1.8.1  OllyDBG tutorials
1.8.2  IDA Pro tutorials

1.1 Introduction

The hardest part of learning x86 assembly in 2013 is finding good tutorials. As the popularity of low-level languages decreases, the incentive to write fresh, up-to-date tutorials is limited. At the same time, x86 assembly is critical in many security-related fields such as malware analysis, vulnerability research and exploit development.

This document was created to address the lack of tutorials in a fast, pedagogical and cheap manner. While it is not a complete introduction, it covers enough to give careful readers the knowledge base needed to decipher non-obfuscated assembly, and it does so in under thirty pages.

For pedagogical reasons, the focus is kept on what the reader presumably already knows about C or C-based languages (like Java or C#). Hopefully this minimizes the confusion that usually appears when people try to learn a low-level, stack-oriented language for the first time.


Enjoy and let me know if you have any questions.
// Ani

4 comments:

  1. At point "1.4.1 The stack", you say that the stack is "organized as a “First In First Out” data structure.", however my understanding and your description explains it as a LIFO (Last In First Out) structure. Misprint?

    Anyways, thanks so much for sharing.

    1. Michael: Misprint, will be corrected presently :) Thanks a lot for notifying me. If you find more similar issues, please let me know and I will make the necessary changes.

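The stack behaviour discussed in the comment above (last pushed, first popped) is easy to see in a small simulation. The following C program is an added example written for this page; it is not code from the crash course and not the commenter's words. It models a 32-bit stack as a byte array with a simulated ESP that decrements on PUSH and increments on POP, and then walks through a cdecl call to a three-argument function the way sections 1.5.6, 1.5.7 and 1.6.2 of the course describe it. The addresses 0x401234 (return address) and the argument values are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated 32-bit stack. Like the real thing it grows downwards:
 * ESP starts at the top of the region and PUSH moves it towards lower addresses. */
#define STACK_BYTES 64
static uint8_t stack_mem[STACK_BYTES];
static uint32_t esp = STACK_BYTES;   /* offset of the current top-of-stack */

static void sim_reset(void) {
    memset(stack_mem, 0, sizeof stack_mem);
    esp = STACK_BYTES;
}

/* PUSH imm32: ESP -= 4, then store the dword at [ESP]. Returns -1 on overflow. */
static int sim_push(uint32_t v) {
    if (esp < 4) return -1;
    esp -= 4;
    memcpy(stack_mem + esp, &v, 4);
    return 0;
}

/* POP r32: load the dword at [ESP], then ESP += 4. Underflow yields 0 here. */
static uint32_t sim_pop(void) {
    uint32_t v;
    if (esp > STACK_BYTES - 4) return 0;
    memcpy(&v, stack_mem + esp, 4);
    esp += 4;
    return v;
}

/* MOV EAX, [ESP+disp]: read a dword relative to ESP without moving it. */
static uint32_t sim_peek(uint32_t disp) {
    uint32_t v;
    if (esp + disp > STACK_BYTES - 4) return 0;
    memcpy(&v, stack_mem + esp + disp, 4);
    return v;
}

/* LIFO check: three pushes come back out in reverse order. Returns 1 if so. */
static int lifo_demo(void) {
    sim_reset();
    sim_push(0x11111111u);
    sim_push(0x22222222u);
    sim_push(0x33333333u);
    return sim_pop() == 0x33333333u
        && sim_pop() == 0x22222222u
        && sim_pop() == 0x11111111u;
}

/* Simulate a cdecl call f(a, b, c). The caller pushes the arguments right to
 * left, CALL pushes the return address, and at the callee's entry the stack is
 *   [ESP]    return address
 *   [ESP+4]  a   (the first argument sits at the lowest address)
 *   [ESP+8]  b
 *   [ESP+12] c
 * out[0..3] receives those four dwords. RET pops the return address and, since
 * cdecl is caller-clean-up, the caller then does "add esp, 12" (a stdcall callee
 * would instead do "ret 12"). Returns 1 if ESP ends up where it started. */
static int sim_cdecl_call(uint32_t a, uint32_t b, uint32_t c,
                          uint32_t ret_addr, uint32_t out[4]) {
    uint32_t esp_before = esp;
    sim_push(c);              /* push c   (rightmost argument first) */
    sim_push(b);              /* push b */
    sim_push(a);              /* push a */
    sim_push(ret_addr);       /* call f: pushes the EIP of the next instruction */
    for (int i = 0; i < 4; i++)
        out[i] = sim_peek(4u * (uint32_t)i);
    (void)sim_pop();          /* ret: pops the return address back into EIP */
    esp += 12;                /* add esp, 12: caller removes the three dwords */
    return esp == esp_before;
}

int main(void) {
    uint32_t frame[4];
    printf("LIFO order holds: %d\n", lifo_demo());
    sim_reset();
    int ok = sim_cdecl_call(1, 2, 3, 0x401234u, frame);
    printf("[esp]=0x%08x [esp+4]=%u [esp+8]=%u [esp+12]=%u, esp restored: %d\n",
           frame[0], frame[1], frame[2], frame[3], ok);
    return 0;
}
```

The point a reverse engineer takes from the second function is why the first argument of a cdecl or stdcall function appears at [ebp+8] once the callee has set up its frame with push ebp / mov ebp, esp: the saved EBP lands at [ebp], the return address at [ebp+4], and the arguments above that in source order.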
  2. The link is not valid, please upload it again. Thanks in advance.

    1. The link is valid, I just tried and it works great.
