Jump to content
phantomas90

Assembler : The Basics In Reversing

Recommended Posts

Posted
Tutorialul 2 de la lena Varianta 2 de rezolvare!

phantomas90, nu ai inteles nimic nici din acel crackme.

scopul crackme-urilor este de a te face mai bogat cu ceva cunostinte. nu de a te face fericit ca vezi mesaje goodboy

am urmarit tutorialul tau video.

dupa cuma am spus in unul din primele mele posturi din acest topic, tu urmaresti sa devi 'sclavul' jumpurilor

hai sa vin cu argumente:

createfile returneaza in eax un handle catre acel fisier keyfile.dat (in cazul crackme). este comparat rezultatul cu -1 (invalid_file_handle) pt a vedea daca acel fisier exista. ceea ce ai facut tu nu isi are nicio logica. daca prin absurd ai avea fisierul creat, iar windowsul i-ar atribui handleul 1, crackul tau ar da gres. deci spre binele tuturor, creaza un fisier 'keyfile.dat'

de asemenea eax-ul care zici tu ca e 0 va fi de fapt ffffffff (-1 dec) daca fisierul nu exista. cum poti atribui o valoare unui registru cand nici macar nu ai setat un breakpoint la acea adresa?!??!??????? eax=0 pt instructiunea de la adresa de memorie 401000 la care te afli cu eip cand ai incarcat crackme in olly

CreateFile Function (Windows)

mai departe: readfile iti intoarce 0 in eax pt ca nu poate sa citeasca din ceva ce nu exista

in crackme readfile are ca parametru bytes_to_read nr 70, deci incearca sa citeasca 70 bytes din fisier (46h = 70 dec)

ReadFile Function (Windows)

acel [ceva] din cmp [ceva] cu esi sunt de fapt bytes pe care readfile a putut sa-i citeasca (402173 este pasat ca parametru la readfile ca bytesread - bytes cititi)

apoi acel 'ceva' e comparat cu 10, ceea ce inseamna ca fisierul trebuie sa contina cel putin 10 bytes

apoi acel cmp al,0 in loop marcheaza finalul loop-ului

apoi acel cmp al,47 si inc esi au functia de a contoriza aparitiile caracterului 'G' (cod ascii 47) in fisier (mai bine zis in cei 70 sau mai putini bytes care au fost cititi). nr este retinut in esi

acel cmp esi,8 si jl xxx au rolul de a verifica daca aparitia caracterului 'G' sunt in nr mai mic de 8. daca sunt => mesaj de eroare. altfel, mesaj de succes

deci per total. fisierul keyfile.dat trebuie sa contina cel putin 10 bytes, dintre care cel putin 8 caractere 'G'

ceea ce ai facut tu schimbarea flagurilor este complet eronat

daca doreai intr-adevar un crack diferit, puteai spre exemplu sa inlaturi comparatia cu 'G'. in felul asta puteai avea orice in acel keyfile.dat

dar ceea ce faci tu chiar nu isi are rostul

probabil ai vrut sa demonstrezi ca ai inteles cum lucreaza flagurile

Posted (edited)

Mda, cum am presupus. Nici o miscare, nici o munca depusa sau un tutorial.

Aici aveti o lista completa a comenzilor ASM, cu explicatie la fiecare + intreruperile(cu tot cu explicatii).

Deschideti arhiva, rulati executabilul. Daca da vre-o eroare incercati cu File-> Open si din acelasi folder selectati un fisier( de ex ASM) si o sa le incarce pe toate. Enjoy it!

Revenind la crack: Nu are rost. Mereu se va gasi cineva sa spuna "cum trebuia sa faci". PM me cei care vreti mai multe materiale pt studiul ASM, reverse etc.

=========================================================

The elements of the assembly language and the format of the executable programs


Laboratory no. 4
The elements of the assembly language and the format of the executable programs
INTRODUCTION
The purpose of the paper is the presentation of the instruction format in assembly language, of the most important pseudo-instructions when working with segments and dates conservation and also the structure of the executable programs .COM and .EXE.
The elements of the assembly language TASM
The format of the instructions

An instruction may be represented on a line of maximum 128 characters, the general form being:
[<label>:] [<opcod>[<operatives>][;<comments>]]
where:
<label> is a name, maximum 31 characters (letters, numbers or special characters _,?,@,..), the first character being a letter or one of the special characters. Each label has a value attached and also a relative address in the segment where it belongs to.
<opcod> the mnemonic of the instruction.
<operatives> the operative (or operatives) associated with the instruction concordant to the syntax required for the instruction. It may be a constant, a symbol or expressions containing these.
<comments> a certain text forego of the character “;” .

The insertion of blank lines and of certain number of spaces is allowed. These facilities are used for assuring the legibility of the program.

The specification of constants

Numerical constants – are presented through a row of numbers, the first being between 0 and 9 (if for example the number is in hexadecimal and starts with a character, a 0 will be put in front of its). The basis of the number is specified through a letter at the end of the number (B for binary, Q for octal, D for decimal, H for hexadecimal; without an explicit specification, the number is considered decimal).
Examples: 010010100B, 26157Q (octal), 7362D (or 7362), 0AB3H.
Character constants or rows of characters are specified between quotation (“ “) or apostrophes (‘ ‘).
Examples: “row of characters”, ‘row of characters’

Symbols
The symbols represent memory positions. These can be: labels or variables. Any symbol has the next attributes:
- the segment where it is defined
- the offset (the relative address in the segment)
- the type of the symbol (belongs to definition)


Labels
The labels may be defined only in the zone program and then can be operatives to CALL or JMP instructions.
The attributes of labels are:
- the segment (generally CS) is the address of the paragraph where begins the segment which contains the label. When a reference is made to the label, the value is found in CS (the effective value is known only during running)
- the offset is the distance in octets of the label beside the beginning of the segment where it has been defined
- the type determines the reference manner of the label; there are two types: NEAR and FAR. The NEAR type reference is a segment (only the offset) and the FAR type reference specifies also the segment (segment: offset).
The labels are defined at the beginning of the source line. If after the label follows “:” character then there will be the NEAR type.

Variables
The definition of variables (date labels) may be made with space booking pseudo-instructions.
The purpose of variables are:
- segment and offset – similarly to labels with the distinction that there may be other ledger segments
- the type – is a constant, which shows the length (in octets) of the booked zone:
BYTE (1), WORD (2), DWORD (4), QWORD (8), TWORD (10), STRUC (defined by the user), RECORD (2).
Examples:
DAT DB 0FH, 07H ; occupies one octet each, totally 2
DATW LABEL WORD ; label for type conversion

MOV AL,DAT ; AL<-0FH
MOV AX,DATW ; AL<-0FH, AH<-07H
MOV AX,DAT ; type error

Expressions
The expressions are defined through constants, symbols, pseudo-operatives and operatives (for variables are considered only the address and not the content, because when compiling, only the address is known).

Operatives (in the order of priorities)
1. Brackets () []
. (dot) - structure_name.variable – serves for binding the name of a structure with its elements
LENGTH – number of zone element
SIZE – the zone length in octets
WIDTH – a fields width from RECORD
Example: if are declared
EXP DW 100 DUP (1)
Then:
LENGTH EXP has the value 100
TYPE EXP has the value 2
SIZE EXP has the value 200

2. segment name: - redefinition of segment
Example:
MOV AX, ES:[BX]

3. PTR – redefinition of variable type
Example:
DAT DB 03
MOV AX, WORD PTR DAT
OFFSET – furnishes the offset of a symbol
SEG – furnishes the segment of a symbol
TYPE – a zones type (length of elements)
THIS – creation of an attributed operative (segment, offset, type) date
Example:
SIRO EQU THIS BYTE
SIRC DW 100 DUP(?)
SIRC is a defined of 100 length; the variable SIRO has the same segment and offset as SIRC but it is BYTE type.

4. HIGH – addresses the high part of a word
LOW – addresses the low part of a word
Example:
DAT DW 2345H
MOV AH, HIGH DAT ; AH<-23

5. * / MOD
Example:
MOV CX, (TYPE EXP)*(LENGTH EXP)

6. + -
7. EQ, NE, LE, LT, GE, GT
8. NOT –logic operative
9. AND
10. or, xor
11. SHORT – forces the short appeal
Example:
JMP label ; direct jump
JMP SHORT label ; IP is relative

Pseudo instructions
Pseudo-instructions are commands (orders, instructions) for assembler, necessary for the proper translations of the program and for the facility of the computer programmer’s activity.
Will be presented only the pseudo-instructions indispensable writing the first programs.

Pseudo-instructions work with segments
Any segment is identified with a name and class, both specified by the user. When defined, the segments receive a series of attributes, which specifies for the assembler and for the link-editor the relations between segments.
The segments definition are made through:
segment_name SEGMENT [align_type] [combine type] [‘class’]
... ...
segment_name ENDS
where:
segment_name – is the segment’s name chosen by the user (the name is associated with a value, corresponding to the segment’s position in the memory).
align_type – is the segment’s alignment type (in memory). The values, which it may take, are:
PARA (paragraph alignment, 16 octets multiple)
BYTE (octet alignment)
WORD (word alignment)
PAGE (page alignment – 256 octets multiple)
combine_type – is actually the segment’s type and represents an information for the link-editor specifying the connection of segments with the same name. It may be: PUBLIC – specifies the concatenation
COMMON – specifies the overlap
AT expression – specifies the segment’s load having the address expression
*16
STACK – shows that the current segment makes part of pile segment
MEMORY – specifies the segment’s location as the last segment from the
program
‘class’ – is the segment’s class; the link-editor continually arranges the segments having the same class in order of its appearance. It is recommended to use the ‘code’, ‘data’, ‘constant’, ‘memory’, ‘stack’ classes.

The designation of the active segment
In a program may be defined more segments (code and date). The assembler verifies whether the dates or the instructions addressed may be reached with the segment register having a certain content. For a realization in proper conditions, the assembler of the active segment must be communicated, meaning that the segment register must contain the address of the loaded segment.
ASSUME <reg-seg>:<name-seg>, <reg-seg>:<name-seg> ...
reg-seg – the register segment
name-seg – the segment which will be active with the proper register segment
Example:
ASSUME CS:prg, DS:date1, ES:date2
Observations:
- the pseudo-instruction does not prepare the register segment but communicates to the assembler where the symbols must be looked for
- DS is recommended to be shown at the beginning of the assembler with a typical sequence:
ASSUME DS:name_seg_date
MOV AX, name_seg_date
MOV DS, AX
- CS must not be initialized but must be activated with ASSUME before the first label
- instead of name-seg from ASSUME the NOTHING identifier may be used if we don’t want to associate a segment to the register.

The preserving of a zone date
Usually the dates are defined in a data segment. The pseudo-instruction definition has the type:
<name> <type> [expression list] [<factor> DUP (<expression list>)]
where:
name – is the symbol’s name (of the date’s label)
type - is the symbol’s type:
DB – for octet reservation
DW – for word reservation (2 octets)
DD – for double word reservation (4 octets)
DQ – for quadruple word reservation (8 octets)
DT – for 10 octets reservation
expressions list – an expression whose result is initialized with the reserved zone; the “?” character is written only if the zone won’t be initialized
factor – a constant, which shows how many times the expression, is repeated after DUP:
Examples:
DAT db 45
dat1 db 45h, ‘a’, ‘A”, 85h
dat2 db ‘abcdefghi’ ; the text is generated
lg_dat2 db $-dat2 ; the length of the given row dat2 ($ is the local current
counter)
aa db 100 dup(56h) ; 100 octets having the value 56h
bb db 20 dup (?) ; 20 not initialized octets
ad dw dat1 ; contains the address (offset) of the given variable dat1
adr dd dat1 ; contains the address (offset + segment) of given
variable dat1

Other possibilities for defining symbols
- the definition of constants:
<name> EQU <expression>
The symbol “name” will be replaced with the value’s expression.
- labels declaration:
<name> LABEL <type>
<name> label will have the value of the segment where it is defined, the offset equal to the offset of the first instruction for date reserving or other instructions which follow and the type defined by the <type> which may be: BYTE, WORD, DWORD, QWORD, TBYTE, the name of a structure, NEAR or FAR.
If it’s put the “:” character after label this will be NEAR:
Example: if we have the definitions
ENTRY LABEL FAR
ENTRY1:
then:
JMP ENTRY ; is FAR type jump
JMP ENTRY1 ; is NEAR type jump


Position counter modification
ORG <expression> ; the position counter will be put to the value’s expression
Example:
ORG 100h ; counter at 100h
ORG $+2 ; skip 2 octets ($ is the local current counter)

The definition of the procedure
A procedure may be defined as a sequence of instructions which ends with RET instructions and is appealed with CALL. The definition is made with the sequence:
<procedure_name> PROC <[NEAR], FAR>
... the procedure’s instructions
< procedure_name > ENDP
Example:
; DBADD procedure, which at (DX:AX) adds (CX:BX) with the result in (DX:AX)
DBADD PROC NEAR
ADD AX,BX ; add word LOW
ADC DX,CX ; add word HIGH with CARRY
DBADD ENDP
The appeal is made with CALL DBADD from the same segment. From other segments the procedure is invisible.
Observations:
- the declaration of the procedure does not make any command; the user must assure the returning with RET.
- no appealing procedure may be defined both with FAR and NEAR. This function is established very carefully when projecting the programs (the solution for declaring FAR procedures apparently simple, is totally non-economic).
- There is a possibility of defining sheltered procedures
The program’s structure in assembly language
1. .COM programs
• The program contains only one segment, so the code and date may have, on the whole, maximum 64Ko; because of this the references are relatively made at the address from the beginning of the segment.
• The source program must begin with ORG 100H pseudo-instruction for reserving space for PSP.
• The dates may be put anywhere in the program, but it is recommended to be put at the beginning (great careful must be paid for not operating by mistake the zone date, meaning not skipping the jump instruction over date zone, otherwise these will be interpreted as instructions, the result being other than the expected one).
• It is not necessary the initialization of segment registers, them being loaded with the common value from CS.
• The end of the program may be made with RET or with the appeal of function system INT 21H having the parameter in AH 4CH.




Model for .COM programs

COMMENT *
the presentation of the program
*

CODE SEGMENET PARA PUBLIC ‘CODE’
ASSUME CS:CODE, DS:CODE, ES:CODE
ORG 100H
START:
JMP ENTRY
************** define zone date
ENTRY:
************** program’s instructions
MOV AH,4CH
INT 21H ; exit to operating system
CODE ENDS
END START

2. .EXE programs

• The programs may as larger as the disposing memory.
• For the correct execution, the user must explicitly initialize DS, ES and SS registers.
• It is recommended that the .EXE programs be conceived as a FAR type procedure (to make able the reversing of the context, so as, at the ending of the program the recovery is made correct, if the program has been appealed from another program). Because of this, at the beginning of the program, through the sequence:
push ds
mov ax,0
push ax
is saved a vector, which shows at PSP beginning and in these conditions the ending of an .EXE program may be made through RET in FAR context.

Model for .EXE program

COMMENT * identification information for the program, author, data, program’s
function, utilization *
;-----------------------------------------------------------------------------------------
; EXTERN section
; the declaration of extern variables
;-----------------------------------------------------------------------------------------

;-----------------------------------------------------------------------------------------
; PUBLIC section
; the list of GLOBALE’S variables defined in this file
----------------------------------------------------------------------------------------

;-----------------------------------------------------------------------------------------
; CONSTANTE’S section
; The definitions of constants, including INCLUDE instructions, which read
; constant definitions
;-----------------------------------------------------------------------------------------

;-----------------------------------------------------------------------------------------
; MACRO section
; Macro definitions, structures, recordings and/or INCLUDE instructions which
; read such definitions
;-----------------------------------------------------------------------------------------

;-----------------------------------------------------------------------------------------
; DATA section
; date definitions
;-----------------------------------------------------------------------------------------

DATA SEGMENT PARA PUBLIC ‘DATA’
... ... define date zone
DATA ENDS

... ... other date segment

;-----------------------------------------------------------------------------------------
; STACK section
;-----------------------------------------------------------------------------------------

STACK SEGMENT PARA STACK ‘STACK’
DW STACK_SIZE DUP (?) ; the pile will have 256 words
STACK_START LABEL WORD ; the top of the pile
STACK ENDS

;-----------------------------------------------------------------------------------------
; CODE section
;-----------------------------------------------------------------------------------------

CODE SEGMENT PARA PUBLIC ‘CODE’
START PROC FAR
ASSUME CS:CODE, DS:DATA
PUSH DS
XOR AX,AX
PUSH AX ; the initialization for the returning
MOV AX,DATA
MOV DS, AX ; the initialization of DS date segment
;-----------------------------------------------------------------------------------------
... ... the main program’s instructions
;-----------------------------------------------------------------------------------------
RET ; the ending of FAR type program
START ENDP
;-----------------------------------------------------------------------------------------
; PROCEDURES
; other procedures from the main program
;-----------------------------------------------------------------------------------------

CODE ENDS

... ... other code segment

;-----------------------------------------------------------------------------------------
; the memory’s segment section
;-----------------------------------------------------------------------------------------

MEMORY SEGMENT PARA MEMORY ‘MEMORY’
... ... programs at high addresses
... ... the definition of the memory’s margins of the program
MEMORY ENDS

END START

Example of written program in assembly language

The program calculates the sum of a row of numbers at SIR address and length specified in LGSIR variable; the result will be put in SUM location.
The first source program will be in the .COM type

CODE SEGMENT PARA PUBLIC ‘CODE’
ASSUME CS:CODE, DS:CODE
ORG 100H

START: JMP ENTRY

SIR DB 1,2,3,4
LGSIR DB $-SIR
SUM DB 0

ENTRY:
MOV CH,0
MOV CL,LGSIR ; in CX is the length’s row
MOV AL,0 ; the initialization of the register where the sum is
; calculated
MOV SI,0 ; the index’s initialization
NEXT:
ADD AL,SIR[SI] ; the add of the current element
INC SI ; passing at the next element in the row
LOOP NEXT ; CX decrementation and jump to next
; element if CX differs from 0
MOV SUM,AL
; end of program
MOV AH,4Ch
INT 21H
CODE ENDS
END START

Laboratory tasks
• The presented example will be studied.
• Will be written the program for calculating the sum of a row’s elements in .COM format, will be assembled, link-edited and fault traced with Turbo Debugger following the registers and memories content (SUM location).
• Will be rewritten the .EXE format program and will be fault traced.
• Will be modified the program in such a way to be able to add numbers written on word (2 octets, DW) and will be studied the case where the number’s sum does not enter on the same length with the numbers from the row.

Mai am cateva laboratoare de genu. Mai vreti?

Edited by phantomas90

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...