# To install and run Jupyter Notebook
```
$ apt install virtualenv
$ virtualenv -p python2 env
$ source env/bin/activate
$ pip install pwntools jupyter r2pipe
$ export PWNLIB_NOTERM=true
$ jupyter notebook
```

# Creating an executable from assembly code

In [4]:
from pwn import *
context.arch = "amd64"
context.bits = 64

# Encode the message by shifting every character down by 10; the assembly
# program in the next cell adds 10 back to each byte at runtime.
encoded_chars = []
for ch in "itusiberguvenlikveteknolojilerikulubu":
    encoded_chars.append(chr(ord(ch) - 10))
s = "".join(encoded_chars)

# Cut the encoded string into 8-byte chunks and pack each one as a qword with
# u64 (little-endian under context.arch = "amd64"); the final short chunk is
# NUL-padded so every piece is exactly 8 bytes.
ss = []
for offset in range(0, len(s), 8):
    chunk = s[offset:offset + 8]
    ss.append(u64(chunk.ljust(8, '\x00')))
print("The pieces: {}, len: {}".format([hex(i) for i in ss], len(ss)))

The pieces: ['0x685b585f696b6a5f', '0x615f62645b6c6b5d', '0x626564615b6a5b6c', '0x615f685b625f6065', '0x6b586b626b'], len: 5


In [5]:
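import os

from pwn import *
context.arch = "amd64"
context.bits = 64

# Emit one "mov rax, imm64 / push rax" pair per 8-byte piece, last piece first,
# so that after the pushes rsp points at the first byte of the encoded string
# and the pieces lie contiguously in memory. Generating the pushes from `ss`
# instead of hard-coding exactly five keeps the cell correct for any string length.
push_pieces = "\n".join(
    "    mov rax, {}\n    push rax".format(piece) for piece in reversed(ss)
)

# Decode loop: walk len(s) bytes starting at rsp and add 10 back to each one,
# undoing the shift applied when `s` was built.
asmcode = """
MAIN:
{pushes}
    mov rdx, rsp
    mov rcx, 0

CHECK:
    cmp rcx, {length}
    je END

    mov al, BYTE PTR[rdx]
    add al, 10
    mov BYTE PTR[rdx], al
    inc rdx
    inc rcx
    jmp CHECK

END:
    xor edi, edi  # exit status 0 instead of whatever rdi happened to hold
    mov rax, 60   # exit syscall; it does not return, so nothing follows it
    syscall
""".format(pushes=push_pieces, length=len(s))

# Assemble once and reuse the bytes for both the listing and the ELF.
code = asm(asmcode)
print(disasm(code))
with open("runme", "wb") as f:
    f.write(make_elf(code))
# make_elf only returns bytes; set the execute bit so `gdb runme` / `./runme` work.
os.chmod("runme", 0o755)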

   0:   48 b8 6b 62 6b 58 6b    movabs rax,0x6b586b626b
   7:   00 00 00 
   a:   50                      push   rax
   b:   48 b8 65 60 5f 62 5b    movabs rax,0x615f685b625f6065
  12:   68 5f 61 
  15:   50                      push   rax
  16:   48 b8 6c 5b 6a 5b 61    movabs rax,0x626564615b6a5b6c
  1d:   64 65 62 
  20:   50                      push   rax
  21:   48 b8 5d 6b 6c 5b 64    movabs rax,0x615f62645b6c6b5d
  28:   62 5f 61 
  2b:   50                      push   rax
  2c:   48 b8 5f 6a 6b 69 5f    movabs rax,0x685b585f696b6a5f
  33:   58 5b 68 
  36:   50                      push   rax
  37:   48 89 e2                mov    rdx,rsp
  3a:   48 c7 c1 00 00 00 00    mov    rcx,0x0
  41:   48 83 f9 25             cmp    rcx,0x25
  45:   74 0e                   je     0x55
  47:   8a 02                   mov    al,BYTE PTR [rdx]
  49:   04 0a                   add    al,0xa
  4b:   88 02                   mov    BYTE PTR [rdx],al
  4d:   48 ff c2                inc    rdx
  

# Analyzing an executable with Radare2
_Requires Radare2 to be installed_

In [6]:
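import r2pipe
import json

# r2pipe.open spawns a radare2 process on the binary; everything below talks
# to that child, so it must be shut down even if one of the commands fails.
r2 = r2pipe.open("runme")
try:
    r2.cmd("e asm.comments=false")
    r2.cmd("e scr.utf8=false")
    # aa: basic analysis
    r2.cmd("aa")

    # iej: entrypoint(json output)
    entries = json.loads(r2.cmd("iej"))
    if not entries:
        raise ValueError("radare2 reported no entrypoint for runme")
    entry = entries[0]["vaddr"]
    print("Entrypoint: 0x{:0x}".format(entry))

    # aflq: function list(quiet output)
    for f in r2.cmd("aflq").split():
        # pdf: disassemble function
        print(r2.cmd("pdf @{}".format(f)))
finally:
    r2.quit()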

Entrypoint: 0x401000
            ;-- section..shellcode:
            ;-- segment.LOAD0:
            ;-- segment.ehdr:
            ;-- rip:
/ (fcn) entry0 95
|   entry0 ();
|           0x00401000      48b86b626b58.  movabs rax, 0x6b586b626b
|           0x0040100a      50             push rax
|           0x0040100b      48b865605f62.  movabs rax, 0x615f685b625f6065
|           0x00401015      50             push rax
|           0x00401016      48b86c5b6a5b.  movabs rax, 0x626564615b6a5b6c
|           0x00401020      50             push rax
|           0x00401021      48b85d6b6c5b.  movabs rax, 0x615f62645b6c6b5d
|           0x0040102b      50             push rax
|           0x0040102c      48b85f6a6b69.  movabs rax, 0x685b585f696b6a5f
|           0x00401036      50             push rax
|           0x00401037      4889e2         mov rdx, rsp
|           0x0040103a      48c7c1000000.  mov rcx, 0
|       .-> 0x00401041      4883f925       cmp rcx, 0x25
|      ,==< 0x00401045      740e     

# Concepts we've gone through

* CPU - Memory
* Assembly
* Machine Code
* Register
* Stack frame
* Calling convention
* Disassembler
* Debugger

# Reference Links

### x86 assembly
- http://www.cs.virginia.edu/~evans/cs216/guides/x86.html
- https://www.felixcloutier.com/x86/

### Stack Frame
- https://en.wikipedia.org/wiki/Call_stack

### Calling Convention
- https://en.wikipedia.org/wiki/Calling_convention
- https://en.wikipedia.org/wiki/X86_calling_conventions

### Disassembler
- https://www.hex-rays.com/products/ida/support/download_freeware.shtml
- https://ghidra-sre.org/
- https://rada.re/r/

### Debugger
- https://github.com/longld/peda

# GDB(GNU Debugger) cheatsheet

```$ gdb runme```

### Breakpoints

Using an address (e.g. 0x40080):

```$ break *0x40080```

Using a function name:

```$ break main```

### Running and stepping through instructions

Run the executable:

```$ run```

Step one instruction, stepping over calls (does not enter the called function):

```$ nexti```

Step one instruction, stepping into calls (enters the called function):

```$ stepi```

Note: pressing ```enter``` on an empty prompt repeats the last command.

### Analyzing a function

Using peda:

```$ pdisass main```

```$ pdisass 0x40080```

```$ pdisass 0x40080 0x40100``` (Disassemble everything between two addresses)

```$ pdisass 0x40080 /20``` (Disassemble 20 instructions starting from 0x40080)

Without peda:

```$ x/<number>i 0x40080``` (Disassemble <number> instructions starting from 0x40080)