📔
eCPPTv2 Notes
  • About
  • 1-System Security
    • Architecture Fundamentals
      • Security Implementations
      • References
    • Assembler Debuggers and Tool Arsenal
      • Compiler
      • NASM
      • Tool Arsenal
      • References
    • Buffer Overflow
      • Finding Buffer Overflows
      • Exploiting Buffer Overflow
      • Security Implementations
      • References
    • Shellcoding
      • Types of Shellcode
      • Encoding of Shellcode
      • Debugging a Shellcode
      • Creating our First Shellcode
      • More Advanced Shellcode
      • Shellcode and Payload Generators
      • References
    • Cryptography and Password Cracking
      • Cryptography Hash Function
      • Public Key Infrastructure
      • Pretty Good Privacy (PGP)
      • Secure Shell (SSH)
      • Cryptographic Attack
      • Security Pitfalls
      • Windows 2000/XP/2k3/Vista/7/8 Passwords
      • References
    • MALWARE
      • Techniques Used by Malware
      • How Malware Spreads
      • Samples
      • References
  • 2-Network Security
    • Information Gathering
      • Search Engines
      • Social Media
      • Infrastructures
      • Tools
      • References
    • Scanning
      • Detect Live Hosts and Ports
      • Service and OS detection
      • Firewall/IDS Evasion
      • References
    • Enumeration
      • NetBIOS
      • SNMP
      • References
    • Sniffing and MitM Attacks
      • What is Sniffing
      • Sniffing in Action
      • Basic of ARP
      • Sniffing Tools
      • Man in the Middle Attacks
      • Attacking Tools
      • Intercepting SSL Traffic
      • References
    • Exploitation
      • Vulnerability Assessment
      • Low Hanging Fruits
      • Exploitation
      • References
    • Post Exploitation
      • Privilege Escalation and Maintaining Access
      • Pillaging / Data Harvesting
      • Mapping the internal network
      • Exploitation through Pivoting
      • References
    • Anonymity
      • Browsing Anonymously
      • Tunneling for Anonymity
      • References
    • Social Engineering
      • Types of Social Engineering
      • Samples of Social Engineering Attacks
      • Pretexting Samples
      • Tools
      • References
  • 3-Powershell for Pentesters
    • Introduction
      • Why PowerShell ?
      • References
    • PowerShell Fundamentals
      • Cmdlets
      • Modules
      • Scripts
      • Objects
      • References
    • Offensive PowerShell
      • Downloading & Execution
      • Obfuscation
      • Information Gathering & Recon
      • Post-Exploitation With Powershell
      • References
Powered by GitBook
On this page
  • 3. NASM
  • 3.2.5. LEAVE Instruction

Was this helpful?

  1. 1-System Security
  2. Assembler Debuggers and Tool Arsenal

NASM

PreviousCompilerNextTool Arsenal

Last updated 4 years ago

Was this helpful?

3. NASM

3.1 NASM

NASM is an assembler that we will use. To make things easier, we will use the project. It is a collection of macros, includes, and examples to help NASM programmers develop applications.

How to install:

  1. Download and extract it to C:\nasmx

  2. Add the bin to environment variables

  3. Run setpath.bat

To work with demos:

  1. Comment the following line in C:\nasmx\demos\windemos.inc

%include 'nasm.inc'

  1. Add directly below it the following code

%include 'C:\nasmx\inc\nasmx.inc'

  1. Open C:\nasmx\demos\win32\DEMO1

  2. To use the assembler, we run the following command:

nasm -f win32 demo1.asm -o demo1.obj

  1. To link the object files, use golink, which is located in the same package (NASMX) when NASM is downloaded:

golink /entry _main demo1.obj kernel32.dll user332.dll

  1. A prompt will show up if the operations are successful

3.2 ASM Basics

High-level functions such as strcpy() are made of multiple ASM instructions put together to perform the given operation (copy of 2 strings)

The simplest assembly instruction is MOV that moves data from one location to another in memory.

Most instructions have 2 operands and fall into one of the following classes:

Data Transfer

Arithmetic

Control Flow

Other

MOV

ADD

CALL

STI

XCMG

SUB

RET

CLI

PUSH

MUL

LCOP

IN

POP

XOR

Jcc

OUT

The following is an example of a simple assembly code that sums 2 numbers:

MOV EAX,2   ; store 2 in EAX
MOV EBX,5   ; store 5 in EBX
ADD EAX,EBX ; do EAX = EAX + EBX  operations
            : now EAX contains the result

3.2.1 Intel vs AT&T

Depending on the architectural syntax, instructions and rules may vary. For example, the source and the destination operands may be in different position.

example:

Intel (Windows)

AT&T(Linux)

Assembly

MOV EAX, 8

MOVL $8, %EAX

Syntax

<instruction><destination><source>

<instruction><source><destination>

In AT&T syntax, % is put before registers names and $ is put before numbers. Another thing to notice is that AT&T adds a suffix to t he instruction, which defines the operand size:

  • Q (quad - 64 bits)

  • L (long - 32 bits)

  • W (word - 16 bits)

  • B (byte - 8 bits)

3.2.2 PUSH Instruction

As it has been said before, PUSH stores a value to the top of the stack, causing the stack to be adjusted by -4 bytes (on 32 bit systems): -0x04

Operation : PUSH 0x12345678

| | Before PUSH | After PUSH | | |-|-------------|------------| | |Lower memory address|||| || | 12345678 |<- Top of the Stack| |Top of the Stack -> | 00000001 | 00000001 | | | | 00000001 | 00000001 | | | | 00000001 | 00000001 | | | | 00000001 | 00000001 | | |Higher memory address|||||

Another interesting fact: PUSH 0x123456789 can be analogous to some other operations, for example:

SUB ESP, 4            ; subtract 4 to ESP -> ESP=ESP-4
MOV [ESP], 0X12345678 ; store the value 0x12345678 to the location
                      ; pointed by ESP. Square brackets indicates to
                      ; address pointed by the registers

3.2.3 POP Instruction

As it has been said before, POP stores a value to the top of the stack, causing the stack to be adjusted by +4 bytes (on 32 bit systems): +0x04

Operation : POP reg

| | Before PUSH | After PUSH | | |-|-------------|------------| | |Lower memory address|||| |Top of the Stack -> | 12345678 | || || 00000001 | 00000001 | <- Top of the Stack | | | 00000001 | 00000001 | | | | 00000001 | 00000001 | | | | 00000001 | 00000001 | | |Higher memory address|||||

Another interesting fact: POP EAX can be analogous to some other operations, for example:

MOV EAX, [ESP]        ; store the value pointed by ESP to EAX
                      ; the value at the top of the stack
ADD ESP, 4            ; add 4 to ESP - adjust the top of the stack

3.2.4 CALL Instruction

Subroutines are implemented by using CALL and RET instruction pair.

The CALL instruction pushes the current instruction pointer (EIP) to the stack and jumps to the function address specified.

Whenever the function executes the RET instruction, the last element is popped from the stack, and the CPU jumps to the address.

Example of CALL in Assembly:

MOV EAX, 1      ; store 1 in EAX
MOV EBX, 2      ; store 2 in EBX
CALL ADD_sub    ; call the subroutine named 'ADD_SUB'
INC EAX         ; Increment EAX: now EAX holds "4"
                ; 2(EBX)+1(EAX)+1(INC)
JMP end_sample
ADD_sub:
ADD EAX, EBX
RETN            ; Function completed
                ; so return back to caller function
end_sample:

The following is an example of how to call a procedure. This example begins at proc_2:

proc proc_1
     Locals none
     MOV ECX, [EBP+8] ; ebp+8 is the function argument
     PUSH ECX
     POP ECX
end_proc
proc proc_2
     Locals none
     invoke proc_1, 5 ; invoke proc_1 proc
endproc

3.2.5. LEAVE Instruction

Is the same with

mov esp, ebp
pop ebp

You can learn more about assembly online by yourself.

NASM-X
NASMX