x86 Assembly Language, Part 2

[monstr]

To program in Assembly, you will need some software, namely an assembler and a code editor as we have seen in chapter 1. An assembler takes the written assembly code and converts it into machine code, it will come with a linker that links the assembled files and produces a executable from it (.exe extension).

Sometimes, a crash may happen when the program cannot normally continue its execution or even run because of a programming bug; fortunately, there is a program called the debugger that runs other programs, allowing its user to exercise some degree of control over the program, and to examine them when things go amiss.

Another tool you may have guessed is the disassembler, which translates executable code into assembly language—the inverse operation to that of an assembler.

Finally, there is a tool called a resource compiler, I’m going to explain it later in this saga.

In each tool, there is quite a good selection that can do the job very well.

Code Editor: (Notepad++, UltraEdit, VIM, …)

Assemblers: (JWasm, GoAsm, yASM, Fasm, …)

Linker: (JWlink, Link, PoLink, …)

Resource Compiler: (Microsoft RC, PoRC, GoRC, …)

Debugger: (OllyDBG,Immunity Debugger, WinDBG, SoftICE, …)

Disassembler: (IDA Pro, Win32Dasm, HDasm, …)

Integrated Development Environment (IDE): ( All-In-One utility, Source Code Editor + Assembler + Linker + Resource Compiler)

Assembler / Linker :

It goes without saying that MASM, originally by Microsoft, is the king of the hill. The real problem with MASM is the restrictions about its license, and also that it’s not constantly updated but only on an as-needed basis by Microsoft.

JWasm fixes it all:

JWasm is free, has no artificial license restrictions, and can be used to create binaries for any OS.

JWasm’s source is open. Hence JWasm is able to run – natively – on Windows, DOS, Linux, FreeBSD and OS/2.

More output formats supported (Bin, ELF).

Optionally very small object modules can be created.

Better support for Open Watcom, for example the register-based calling convention.

JWasm is faster than MASM.

We will use PoLink as a linker, we can use ML (Microsoft Linker) too, there is only one difference between them: PoLink accept RES files for resources, whereas ML wants an OBJ file. Another difference is that PoLink can make smaller EXE’s although, with the right switches, and it is more up to date.

Debugger/Disassembler:

Now, we will look at some of the differences between several of the most widely used Debuggers/Disassembles. This is by no means exhaustive. Consider it as a brief overview to give people new to assembly/reversing a “quick start” guide.

Before we look at IDA Pro (Free), Immunity Debugger (ImmDBG) and Olly Debugger (OllyDBG). We must first fully understand the differences between a debugger and a disassembler. I have heard these terms used interchangeably, but they are two separate tools. A disassembler will take a binary and break it down into human readable assembly. With a disassembler you can take a binary and see exactly how it functions (static analysis). Whereas with a debugger we can step through, break and edit the assembly while it is executing (dynamic analysis).

IDA Pro (proprietary software, free version available)

Honestly, IDA Pro should be in a category by itself. It is an interactive, extensible disassembler and debugger. IDA is also programmable with a complete development environment. This allows users to build plug-ins and scripts to assist them in their research. The standard version of IDA is too expensive and gives you support for over 50 families of processors. But for someone who is new to reversing/disassembling, the free version will do just fine.

One of the main advantages you’ll notice that IDA has over Immunity Debugger (ImmDBG) and Olly Debugger (OllyDBG) is its platform support. IDA is available for Windows and Linux as well as Mac OS X.

Olly Debugger (OllyDBG)

OllyDBG is a user-friendly, very small and portable 32-bit user-mode debugger with intuitive interface. As you get experience, you’ll able to discover how powerful OllyDBG is. OllyDBG knows most of the Windows APIs when you’re examining your binary. OllyDBG will show you what each register parameter means. Unfortunately, it does not understand Microsoft’s symbol file format or debug information.

Immunity Debugger (ImmDBG)

Immunity Debugger is very similar to OllyDBG, the only new features ImmDbg offers over Olly is Python scripting and function graphing, both of which are already supported in Olly through plug-ins. There are also plug-ins to fix the numerous bugs Olly has as well. This is what it’s all about.

Integrated Development Environment: There are also a thousand IDEs, all of them are quite awesome:

Once you have the JWasm Assembler, the MASM32 SDK, and the EasyCode IDE, extract them in a default folder in your hard disk. You don’t actually need the other tools for this part, keep them for later.

Unzip the package and run install.exe. Then, a series of message boxes will pop up, keep hitting OK till it asks to start extracting the package. Again, click OK till it says that the installation has proceeded to its completion and appears to have run correctly.

Unzip the EasyCode.zip file and the ‘EasyCode.Ms‘ folder will be created.

Place the whole EasyCode.Ms folder anywhere you like in one of your hard disks. If the folder already exists, overwrite it.

Close all applications, open the EasyCode.Ms folder and run the ‘Settings.exe’ program (if possible, as an Administrator). Choose the desired options and press the ‘OK’ button.

Now extract the JWasm archive, locate ‘JWasm.exe’, and copy it in the ‘C:masm32bin’ directory.

Run the ‘EasyCode.exe’ file (located in the ‘EasyCode.MsBin’ folder) or in the desktop and set the paths for Masm32 files. To do so, use the ‘Tools–>Settings’ menu. Go to the Compiler/Link Tab and set up paths as below:

Apply the changes, then press OK. Now that we have our tools working like a charm, let’s begin programming! This is the most commonly written program in the world, the “Hello World!” program. Click CTRL+N for a new project, choose classic executable file, and uncheck all the options:

Copy and paste the following code in your IDE:

;-----------------------------------------------

; MessageBox.asm — Displays “Don’t learn …” in a message box

; ----------------------------------------------

.386

.Data

MsgBoxCaption DB “Simple Message Box”,0

MsgBoxText DB “Hello, 0ld W0rld !”,0

.Code

start:

push MB_OK +MB_ICONASTERISK

push offset MsgBoxCaption

push offset MsgBoxText

push NULL

call MessageBox

invoke ExitProcess, NULL

End start

Click F7 for building the project, you’ll be asked to save it. First of all, I recommend you create a new folder called ‘Projects” in EasyCode.Ms and save all your projects in it. Afterward, create a new folder in the “Projects” directory and call it: myFirstProgram, save all files:

myFirstProgram.ecp (The Project File).

myFirstProgram.asm (The Assembly code file).

Press CTRL+F5 to run it:

Congratulations, you have just run your first assembly code ! Take your time to discover your favorite IDE and its features. Also, you should take into consideration that IDA Pro alone requires a book or a whole chapter to fully present it as it is worth, and this also goes for OllyDBG & ImmDBG. In this chapter, the primary goal was to get you familiar with some assembly and debugging/disassembling tools. I assume you understand that the syntax of assembly code differs slightly from an assembler to another; nevertheless, different assemblers will generate in the end the same machine code.