Security Summer School

User Tools

Site Tools

session:02

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
session:02 [2018/06/18 20:10]
Cristian-Florin DONE (78332) [03. Call secret function] 		session:02 [2020/07/19 12:49] (current)
Line 1: Line 1:
-0x02. Assembly Language+====== Refresher. Assembly Language ======
  
-== Slides+===== Resources =====
  
-[[https://security.cs.pub.ro/summer-school/res/slides/02-assembly-language.pdf|Session slides]]+[[https://security.cs.pub.ro/summer-school/res/slides/02-assembly-language.pdf|Session slides]]
  
-== Tutorials+[[https://security.cs.pub.ro/summer-school/res/arc/02-assembly-language-skel.zip|Session's tutorials and challenges archive]] 
 + 
 +[[https://security.cs.pub.ro/summer-school/res/arc/02-assembly-language-full.zip|Session's solutions]] 
 + 
 +===== Tutorials =====
  
 This session will serve as a quick **refresher** of basic computer architecture and assembly language. For the sake of brevity, we are going to focus on x86. Also, people are generally more familiar with this one. This session will serve as a quick **refresher** of basic computer architecture and assembly language. For the sake of brevity, we are going to focus on x86. Also, people are generally more familiar with this one.
Line 12: Line 16:
  
 Let's get our hands dirty! Let's get our hands dirty!
-=== Computer Architecture: A Blistering Approach+==== Computer Architecture: A Blistering Approach ====
  
 A microprocessor executes, one by one, **logical**, **arithmetic**, **control**, and **input/output (I/O)** operations specified by the instructions of a computer program that was previously loaded in the system's memory. An instruction is just a set of bytes that specify the operation or opcode (e.g., addition, multiplication, memory read/write) and the operands (e.g. numbers, memory locations). The list of supported operations is specified by an **Instruction Set Architecture (ISA)**. ISAs can be classified into types such as [[http://en.wikipedia.org/wiki/Complex_instruction_set_computing|CISC]], [[http://en.wikipedia.org/wiki/Reduced_instruction_set_computer|RISC]], [[http://en.wikipedia.org/wiki/Very_long_instruction_word|VLIW]] and others. Particular processors implement this specification in different ways - this is called a microarchitecture, and allows the same program to be compatible with processors produced by different vendors. For example, both Intel 80386, and AMD K7 Athlon implement the same x86 ISA. Moreover, newer ISAs tend to be backward-compatible with older ones (e.g., x86 is still supported on newer 64-bit ISAs). A microprocessor executes, one by one, **logical**, **arithmetic**, **control**, and **input/output (I/O)** operations specified by the instructions of a computer program that was previously loaded in the system's memory. An instruction is just a set of bytes that specify the operation or opcode (e.g., addition, multiplication, memory read/write) and the operands (e.g. numbers, memory locations). The list of supported operations is specified by an **Instruction Set Architecture (ISA)**. ISAs can be classified into types such as [[http://en.wikipedia.org/wiki/Complex_instruction_set_computing|CISC]], [[http://en.wikipedia.org/wiki/Reduced_instruction_set_computer|RISC]], [[http://en.wikipedia.org/wiki/Very_long_instruction_word|VLIW]] and others. Particular processors implement this specification in different ways - this is called a microarchitecture, and allows the same program to be compatible with processors produced by different vendors. For example, both Intel 80386, and AMD K7 Athlon implement the same x86 ISA. Moreover, newer ISAs tend to be backward-compatible with older ones (e.g., x86 is still supported on newer 64-bit ISAs).
Line 51: Line 55:
 </note> </note>
  
-=== Hello (Assembly) World+==== Hello (Assembly) World ====
  
 We can get right down to business and see what happens when we compile a very simple program written in C. We can get right down to business and see what happens when we compile a very simple program written in C.
Line 171: Line 175:
 </note> </note>
  
-=== Basics+==== Basics ====
  
 As new versions of the x86 processors appeared, new features where introduced and, in order to maintain backward compatibility, the processors had to provide different operation **modes**. For example, the original 8086 allowed access to 1MB of memory, with no protection and no support for virtual memory, thus newer versions (80286, 80386) were introduced and had to be switched to **protected mode** which overcame the limitations of the older **real mode**. Other, even newer processors, also introduced the **virtual 8086 mode**, and the **long mode**. All x86 processors start in real mode and most operating systems (e.g. Linux) will switch to 80386 protected mode at boot time. As new versions of the x86 processors appeared, new features where introduced and, in order to maintain backward compatibility, the processors had to provide different operation **modes**. For example, the original 8086 allowed access to 1MB of memory, with no protection and no support for virtual memory, thus newer versions (80286, 80386) were introduced and had to be switched to **protected mode** which overcame the limitations of the older **real mode**. Other, even newer processors, also introduced the **virtual 8086 mode**, and the **long mode**. All x86 processors start in real mode and most operating systems (e.g. Linux) will switch to 80386 protected mode at boot time.
Line 212: Line 216:
 </note> </note>
  
-=== Data Transfer+==== Data Transfer ====
  
 Data transfer instructions move bytes between memory-register, register-register, and register-memory. Memory to memory data transfers are not possible. The most common such instructions are: Data transfer instructions move bytes between memory-register, register-register, and register-memory. Memory to memory data transfers are not possible. The most common such instructions are:
Line 235: Line 239:
 </note> </note>
  
-=== Control Flow+==== Control Flow ====
  
 As a program executes, the address of the next instruction is stored in the ''eip'' register. Changing the value of this register allows control of the execution flow. Instructions directly influencing ''eip'' are: As a program executes, the address of the next instruction is stored in the ''eip'' register. Changing the value of this register allows control of the execution flow. Instructions directly influencing ''eip'' are:
Line 257: Line 261:
 </note> </note>
  
-=== Arithmetic/Logic+==== Arithmetic/Logic ====
  
 Arithmetic instructions (NASM/Intel syntax): Arithmetic instructions (NASM/Intel syntax):
Line 274: Line 278:
 Logical instructions: ''and'', ''or'', ''xor'', ''not''. Logical instructions: ''and'', ''or'', ''xor'', ''not''.
  
-=== Function Calls+==== Function Calls ====
  
 Function (subroutines) calls are nothing more that a convention on how parameters are passed, how the return value is passed back to the caller, and how the registers can be modified by the callee. The addresses to which a function needs to return after execution are stored in a stack data structure. Other values such as frame base pointer, and the functions local variables are also placed on the stack. Each function will thus have a corresponding **stack frame** that it allocates immediately after it is called (function prologue), and deallocates just before returning (function epilogue). The size of this allocation (changing the ''esp'' register) is establishes at compile time, and its based on the size of the function's local variables. Function (subroutines) calls are nothing more that a convention on how parameters are passed, how the return value is passed back to the caller, and how the registers can be modified by the callee. The addresses to which a function needs to return after execution are stored in a stack data structure. Other values such as frame base pointer, and the functions local variables are also placed on the stack. Each function will thus have a corresponding **stack frame** that it allocates immediately after it is called (function prologue), and deallocates just before returning (function epilogue). The size of this allocation (changing the ''esp'' register) is establishes at compile time, and its based on the size of the function's local variables.
Line 298: Line 302:
 The default convention used by GCC is ''cdecl''. Using the ''stdcall'' or ''fastcall'' [[https://gcc.gnu.org/onlinedocs/gcc-4.7.2/gcc/Function-Attributes.html|function attributes]] will force GCC to use the specified convention. The default convention used by GCC is ''cdecl''. Using the ''stdcall'' or ''fastcall'' [[https://gcc.gnu.org/onlinedocs/gcc-4.7.2/gcc/Function-Attributes.html|function attributes]] will force GCC to use the specified convention.
 </note> </note>
-==== cdecl+=== cdecl ===
  
 <code c> <code c>
Line 355: Line 359:
 </note> </note>
  
-==== stdcall+=== stdcall ===
  
 <code c> <code c>
Line 411: Line 415:
 </note> </note>
  
-==== fastcall+=== fastcall ===
  
 <code c> <code c>
Line 462: Line 466:
 </note> </note>
  
-=== System calls+==== System calls ====
  
 Syscalls are the interface that allows user applications to request services from the OS kernel, such as reading the disk, starting new processes, or managing existing ones. Just like function calls, syscalls are just a set of conventions on how to pass arguments to a kernel function. The mechanism is invoked by triggering an interrupt (**''int 0x80''**) which will call the kernel's syscall dispatcher, which, in turn, will call the syscall based on the ''eax'' register. The conventions for invoking a syscall on Linux are: Syscalls are the interface that allows user applications to request services from the OS kernel, such as reading the disk, starting new processes, or managing existing ones. Just like function calls, syscalls are just a set of conventions on how to pass arguments to a kernel function. The mechanism is invoked by triggering an interrupt (**''int 0x80''**) which will call the kernel's syscall dispatcher, which, in turn, will call the syscall based on the ''eax'' register. The conventions for invoking a syscall on Linux are:
Line 475: Line 479:
 <note important> <note important>
 **Other useful references:** **Other useful references:**
-  * [[https://www.informatik.htw-dresden.de/~beck/ASM/syscall_list.html|Linux syscall table]] with ID, source code, and parameters.+  * [[https://syscalls.kernelgrok.com/|Linux syscall table]] with ID, source code, and parameters.
   * [[http://ocw.cs.pub.ro/courses/so2/cursuri/curs02|Operation Systems lecture (Romanian)]] discussing syscalls theory and Linux implementation.   * [[http://ocw.cs.pub.ro/courses/so2/cursuri/curs02|Operation Systems lecture (Romanian)]] discussing syscalls theory and Linux implementation.
   * [[http://www.linuxjournal.com/article/3326|Implementing Linux syscalls]]   * [[http://www.linuxjournal.com/article/3326|Implementing Linux syscalls]]
  
 </note> </note>
-=== Compiler Patterns+==== Compiler Patterns ====
  
 In the end, let's take a look at some common C language constructs, and how they are compiled into machine code by GCC. You are encouraged to try other constructs too. In the end, let's take a look at some common C language constructs, and how they are compiled into machine code by GCC. You are encouraged to try other constructs too.
  
  
-==== Compiler Explorer+=== Compiler Explorer ===
  
 You can try out the Compiler explorer at http://gcc.godbolt.org/ to see how each line is translated into instructions. You can try out the Compiler explorer at http://gcc.godbolt.org/ to see how each line is translated into instructions.
Line 493: Line 497:
 </note> </note>
 */ */
-==== function prologue+=== function prologue ===
  
 <code objdump> <code objdump>
Line 501: Line 505:
 </code> </code>
  
-==== function epiloque+=== function epiloque ===
  
 <code objdump> <code objdump>
Line 508: Line 512:
 </code> </code>
  
-==== for loop+=== for loop ===
  
 <code c> <code c>
Line 538: Line 542:
 </code> </code>
  
-==== while loop+=== while loop ===
  
 <code c> <code c>
Line 568: Line 572:
 </code> </code>
  
-==== nested fors with break and continue+=== nested fors with break and continue ===
  
 <code c> <code c>
Line 614: Line 618:
  
  
-== Tasks+===== Challenges =====
  
-=== 01. Execve+==== 01. Execve ====
  
-==== Simple printing+=== Simple printing ===
  
 Use assembly to write a program that receives N command line parameters. If the 1st parameter starts with ''.'' (//dot//) (such as ''./ping 8.8.8.8'') the program prints the message ''FAILED''. If the first parameter **doesn't** start with ''.'' (//dot//) (such as ''/bin/ping 8.8.8.8'') the program prints the message ''WORKS''. Use assembly to write a program that receives N command line parameters. If the 1st parameter starts with ''.'' (//dot//) (such as ''./ping 8.8.8.8'') the program prints the message ''FAILED''. If the first parameter **doesn't** start with ''.'' (//dot//) (such as ''/bin/ping 8.8.8.8'') the program prints the message ''WORKS''.
Line 635: Line 639:
 </code> </code>
  
-==== Simple syscall+=== Simple syscall ===
  
 Update the above program and use assembly to write a program that receives N command line parameters, and dispatches them to the ''execve'' syscall. If the 1st parameter starts with ''.'' (//dot//) (such as ''./ping 8.8.8.8'') the program should NOT call ''execve'' and instead print an error message. Update the above program and use assembly to write a program that receives N command line parameters, and dispatches them to the ''execve'' syscall. If the 1st parameter starts with ''.'' (//dot//) (such as ''./ping 8.8.8.8'') the program should NOT call ''execve'' and instead print an error message.
Line 652: Line 656:
 The syscall number for ''execve'' is ''11''. Check the [[http://man7.org/linux/man-pages/man2/execve.2.html|man page]] for the other arguments. The syscall number for ''execve'' is ''11''. Check the [[http://man7.org/linux/man-pages/man2/execve.2.html|man page]] for the other arguments.
 </note> </note>
-=== 02. Looping math+==== 02. Looping math ====
  
 Use assembly to write a program that iterates through a statically allocated string (use the ''.data'' section), and calls a function that replaces each letter based on the following formula: ''NEW_LETTER = 33 + ((OLD_LETTER * 42 / 3 + 13) % 94)''. Print the new string at the end. Use assembly to write a program that iterates through a statically allocated string (use the ''.data'' section), and calls a function that replaces each letter based on the following formula: ''NEW_LETTER = 33 + ((OLD_LETTER * 42 / 3 + 13) % 94)''. Print the new string at the end.
Line 667: Line 671:
 If the string you use it ''call denied!'' the result is ''tX66v$2Rj2$&''. If the string you use it ''call denied!'' the result is ''tX66v$2Rj2$&''.
 </note> </note>
-=== 03. Call secret function+==== 03. Call secret function ====
  
-The binary ''03-challenge-call-secret/src/call-secret'' needs to call a specific function. However, because of a nasty "voice", the specific function doesn't get called. Please fix it and find out the flag.+The binary file ''03-challenge-call-secret/src/call-secret'' needs to call a specific function. However, because of a nasty "voice", the specific function doesn't get called. Please fix it and find out the flag.
  
 <note tip> <note tip>
Line 676: Line 680:
  
 <note tip> <note tip>
-For more graphically available hex editor, you mai use [[http://home.gna.org/bless/|Bless]]. Install it using +To edit binary, you can use [[https://vim.fandom.com/wiki/Hex_dump#Editing_binary_files|vim + xxd]] or [[https://www.forensicswiki.org/wiki/Bless|Bless]]. 
-<code> +
-apt-get install bless +
-</code>+
 </note> </note>
-=== 04. No exit+==== 04. No exit ====
  
 The binary file ''04-challenge-no-exit/src/no-exit'' needs to call a specific function. However, because of a nasty exit, the specific function doesn't get called. Please fix it and find out the flag. The binary file ''04-challenge-no-exit/src/no-exit'' needs to call a specific function. However, because of a nasty exit, the specific function doesn't get called. Please fix it and find out the flag.
Line 691: Line 693:
 The ''secret()'' function will use the argument that has been "appropriately" provided to the ''exit()'' call. The ''secret()'' function will use the argument that has been "appropriately" provided to the ''exit()'' call.
 </note> </note>
-=== 05. Funny convention+==== 05. Funny convention ====
  
-This {{:session:funny.tar.gz|binary}} is already dynamically linked with a missing library (''libfunny.so''), that you'll have to recreate in assembly. The library contains a wrapper for the ''write'' syscall called ''leet_write()''. The original library was using a funny calling convention, slightly different from the standard one. Figure out the convention, write the wrapper in NASM, and compile the library. Test by running the provided binary.+The binary ''05-challenge-funny-convention/src/funny'' is already dynamically linked with a missing library (''libfunny.so''), that you'll have to recreate in assembly. The library should contain a wrapper for the ''write'' syscall called ''leet_write()''. The original library was using a funny calling convention, slightly different from the standard one. Figure out the convention, write the wrapper in NASM, and compile the library. Test by running the provided binary.
  
-The library is position independent, and exposes 2 symbols: the function, and some global variable. This is the skeleton+The library is position independent, and exposes 2 symbols: the function, and some global variable. You can find the skeleton for this task in the directory ''05-challenge-funny-convention/src''.
- +
-<code asm> +
-extern _GLOBAL_OFFSET_TABLE_ +
-extern puts +
- +
-; export a library function and a global var +
-global count_param:data 4 +
-global leet_write:function +
- +
-section .data +
-  leet: db "executing leet_write()",+
-  count_param: dd 0 +
- +
-section .text +
-leet_write: +
-  ; debugging purpose +
-  push leet +
-  call puts +
- +
-  ; write your code here -------------------------------------------- +
-  ; TODO +
-  ; ----------------------------------------------------------------- +
- +
-  add esp, 4 ; leet from above +
-  ret +
-</code> +
- +
-To assemble, and create the ''.so'' file run: +
- +
-<code text> +
-$ nasm -f elf32 libfunny.asm +
-$ ld -shared -lc -m elf_i386 libfunny.o -o libfunny.so +
-</code>+
  
 You should be able to run the provided binary as long as the correct library is in ''./''. You should be able to run the provided binary as long as the correct library is in ''./''.
  
 <note important> <note important>
-The ''count_param'' symbol is in the caller's address space, even if it is exported by the library. You'll have to use ''count_param wrt ..sym'' instead of ''count_param'' within the program (when accessing the variable).+The library exports the ''count_param'' as a global symbol, thus it will reside inside the caller's address space as opposed to the .data section of the library. Because of this the library cannot access the data by using ''count_param'and needs to use ''count_param wrt ..sym'' instead. 
 +A more detailed explaination can be found [[https://www.nasm.us/doc/nasmdoc9.html#section-9.2.4|here]]
 </note> </note>
-=== Extra: 06. Obfuscation+==== Extra: 06. Obfuscation ====
  
 Write a program that does a completely different thing than what ''objdump'' will show by jumping into the middle of an instruction. After the jump, the processor will "see" another stream of valid instructions. Write a program that does a completely different thing than what ''objdump'' will show by jumping into the middle of an instruction. After the jump, the processor will "see" another stream of valid instructions.
 +
 +
 +<note tip>
 +You can find the skeleton for this task in the directory ''06-challenge-obfuscation/src''.
 +</note>
  
 <note important> <note important>
session/02.1529341847.txt.gz · Last modified: 2018/06/18 20:10 by Cristian-Florin DONE (78332)

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki