Assembly

Course
Time
13 hours 15 minutes
Difficulty
Beginner
CEU/CPE
14

Video Transcription

00:01
Hello. This is Dr. Miller, and this is episode 11.6 of Assembly.
00:06
Today we're gonna talk about memory offsets and then debugging and disassembly
00:12
memory offsets.
00:14
So when we have registers, as we've noted before, load and store are how we get stuff from memory into a register.
00:23
And so
00:25
the
00:27
assembler can only load a byte and then do some shifting on that byte.
00:33
It can't do math operations, and there are only certain values that can actually be loaded. And so here's this from the specification.
00:43
So if we have a move operation, it can only have values from zero to,
00:50
um, four Fs. So we can only move up to two bytes into a register, given an immediate,
00:57
um, and so if we have a 32-bit value that we want to load into a register, we actually have to do it,
01:03
um, through multiple operations. So we basically have to load an offset that will then allow it to read more data than
01:10
a 16-bit number.
01:11
And this is because each ARM instruction is 32 bits long, and so therefore there is no way for you to load a 32-bit number when part of the instruction has to be the opcode to say what data operation am I going to do.
01:26
And so when we do that, when we want to load a register from memory, we basically have to,
01:32
um, sort of jump off of a location that has where we want to get that data from.
01:38
And so, for example, if we do a load register R0 and then we put an equal sign and then this number here, it will actually generate some code saying there's going to be some data here, and that data is gonna be 0x11223344.
01:56
And then you notice that it's actually converted this from load register of the equal sign
02:01
to, it has a PC, and then, um, it has a negative there, but it's not really negative, right,
02:07
zero additional bytes.
02:09
And this is because in ARM, the instruction pointer actually points a couple bytes ahead.
02:15
And so it is actually pointing two bytes ahead. And so that is this location down here. So it's that offset zero from the program counter, and the program counter actually points to here when it's executing this instruction,
02:30
so it's a little bit odd, but that's the way the assembler works. Now, it'll be a little bit easier to see in our next example.
02:37
So here we have several bytes that we defined. So we've got our half words and our words. So a half word is 16 bits
02:44
and a full word is 32 bits,
02:46
and we can see here inside of the code that we're loading R0 gets the value of A. Well, it's gonna jump down here at the end to an offset that points to A, or an offset that points to B or C or D,
03:00
and then the half words, these are going to take up
03:01
two bytes and these words will take up four bytes, so we'll see those differences in the addresses that get generated.
03:08
So what I've done here is I've taken the original code and then compared it to the disassembly, the disassembly I got from
03:15
using objdump, and the minus T is disassembly. And then this is the binary that we want,
03:22
and then it generates a lot of source code. And so I used grep to filter it and only look for the text main with a bracket.
03:30
And so it will give me all of the code that is in here, which is why this is highlighted. And then A 30 means print 30 lines after you find that match
03:39
and so we can see here that,
03:42
um, the disassembler figures out what this offset is. So it says main plus 0x2c for both of these.
03:49
But if you look at the program counter again, it's relative to the program counter. So this is 28 bytes away, is this offset down here.
03:58
I mean, if we take 2c, if we take 10470 and add 2c, we end up with 1049c
04:04
and so that is this location down here.
04:08
And then these are gonna be pointers to the actual memory addresses.
04:12
And so when it does a load register, it is bouncing down here and getting this value and copying it in.
04:17
We can see that the first one was a word. And so we see that it takes up addresses C and D,
04:24
and then the next one takes up E and F
04:26
and then the next one, which I think is C, it takes up 0, 1, 2 and 3 because it's four bytes, and this one will take up 4, 5, 6 and 7.
04:36
And so we can see how these addresses keep going down. And these two are the same, right, main plus 2c.
04:45
But the program counter is relative. It's pointing eight bytes forward for the program counter
04:54
and then, another way to visualize this. So in the previous example, I used objdump.
04:59
But additionally, there are professional tools that can allow you to basically look at the code.
05:04
And so when I compiled my code, I have debugging symbols in. And so the disassembler actually knows the names of the variables that I used.
05:14
If we were to remove those debugging symbols, it wouldn't actually have a name here.
05:17
It would just have this data offset
05:20
and again we can see that it automatically goes and calculates that for us and says, OK, this is data 1049c. This one is also the same. But again, those are relative program counters
05:31
and then we can see the same thing in IDA Pro.
05:34
So Binary Ninja's a fairly inexpensive one. IDA Pro is, ah, a much more expensive disassembler that you can purchase for commercial purposes.
05:45
But again, it shows us what we write in code versus what we actually get from the binary.
05:51
And so it's going to again have these relative offsets in there.
05:57
All right, debugging.
05:59
So a lot of the time we'll probably basically want to use the same debugging tools on,
06:03
um, the Raspberry Pi that would be used on regular Linux. So, for example, when I go to debug something, I'll make sure that I install GEF.
06:12
Um, and GDB should be installed.
06:15
Um, one issue that I've run into is that GDB does not pick up on the transition from regular mode to Thumb mode, and we'll talk about Thumb mode,
06:24
and so our debugger has a bug in it.
06:26
Um, so as long as you're not doing that, the debugger works in the same way.
06:30
And additionally, we have programs like strace.
06:33
This will work on x86 too, but it'll trace system calls and signals, and we'll see some examples here.
06:40
So, for example, all of the system calls related to just printing off the number 42
06:46
we can see that it's calling all of these system calls that allow us to have our user name. We're running the exec command, which is what the shell will do. And then it gets down to the system call of write and we'll see that that prints off the number 42.
07:03
But there's a lot of information that can be gained by that. If you have a binary that you don't understand and you're trying to look at the assembly for it
07:15
and then with GDB, we're going to again have the same commands. We'll notice that again GEF is installed here.
07:23
We can see that it lists the registers and so you can see the regular name for these. So R0 through R12. R13 is our stack pointer, so it points to the stack. R14 is the link register. R15 is the program counter
07:39
and so we can see all of those and the typical names that they're given, you can see the value that it has, and then you can see
07:46
well, if that's a pointer, what does it point to? So, for example, when you start a program
07:49
R0 is how many arguments you have, R1 is a listing of those, and then R2 is the pointer to the environment, and so R1 has gotten changed here in the last instruction that I executed.
08:03
You can also see exactly where you are as far as the stack. So we have, ah, a pointer to the stack
08:11
and then our disassembly showing which line is the next line that's going to get executed. And again it'll show things like program counter and then number 20. So it means plus 20
08:22
from that location is where it's loading that data from.
08:26
And so you can see all of that in the disassembly, just as we had before
08:31
Some additional commands. So if you are interested in virtual memory, you can use vmmap to see what memory addresses are mapped to our binary.
08:41
Um, what libraries are loaded, you can use xfiles, and then there's also a process memory map, and that's the info proc map.
08:50
No spaces in between. And so those are some commands you can run. Once you've started a process that's running,
08:56
you can get information about the virtual memory map and the loaded files in the process memory.
09:03
Additionally, we can do the disas of a function and it will show us all of the assembly for a particular,
09:09
um, function that we might have defined or you might want to look at.
09:16
And then if you're starting off and you have a C program and you want to figure out exactly how it works, well, you can generate a listing for that, um, c program.
09:28
And so basically, this will show you
09:31
the high level code and then what low level code gets created
09:35
and you can see, for example, we got some locations here that are defined, and those are probably not as useful. But
09:39
you can see commands like, you know, push these registers and then move this register into this register
09:46
and eventually a branch with a link for printf, right. It ends up getting called because we're printing off something, and then these registers get set,
09:54
R0, R1 and R2.
09:58
And so the benefit of this is that it allows you to, instead of trying to reinvent the wheel of how do I call printf or how do I call this, if you know how to do it in a high level language, then you can reverse engineer and figure out how you would do it in raw assembly.
10:13
And so it kind of gives you a little link between what would the high level code be and what would some low level code be.
10:20
All right, so today, in our lecture, we talked about memory offsets and then some debugging and disassembly commands
10:28
In the future, we're going to talk about saving registers and ARM array indexing.
10:33
So why can't ARM load a 32-bit address?
10:39
Because there's no room in a four-byte opcode to load a four-byte memory address.
10:46
If you have questions, you can email me, millermj at unk.edu, and you can find me on Twitter at milhouse30.


This course will provide background and information related to programming in assembly. Assembly is the lowest level programming language which is useful in reverse engineering and malware analysis.

Instructed By

Matthew Miller
Assistant Professor at the University of Nebraska at Kearney
Instructor