-
Notifications
You must be signed in to change notification settings - Fork 3
/
h0w_t0_n4sm.txt
207 lines (195 loc) · 5.75 KB
/
h0w_t0_n4sm.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
# Simple NOTES for anyone who want to read it ! #
#################################################
|Allocating!!
----------------------------
|DB allocates 1 byte.
|
|DW allocates 2 bytes.
|
|DD allocates 4 bytes.
|
|DQ allocates 8 bytes.
|----------------------------
|
|RESB 1 allocates 1 byte.
|
|RESW 1 allocates 2 bytes.
|
|RESD 1 allocates 4 bytes.
|
|RESQ 1 allocates 8 bytes.
|
|
'....> B=1 bytes
-> W=2 bytes
-> D=4 bytes
-> Q=8 bytes
|-=Registers=-
*16 bits registers class ( MAX 2 bytes ):
|ax -> 0xdead|
|bx -> 0xbeef|
|cx -> 0xcafe|
|dx -> 0xbabe|
|..... |
*32 bits registers class ( MAX 4 bytes ):
|eax -> 0xdeadbeef|
|ebx -> 0xcafebabe|
|ecx -> 0xbebecafe|
|edx -> 0xbeefbebe|
|..... |
*64 bits register class ( MAX 16 bytes ):
Maybe you want to try some ASLR bruteforce on it ;P
Yes offcorse this registers can hold 8 bytes, that lenght is used on your normal usage.. no worries,
if you want some address bruteforce, it's more easy because you only need to bruteforce 4^64 possibilities!!! :D sounds good right?
just kidding.... haha!!
| |
|rax -> 0xdeadbeefcafebabebebecafe|
|rbx -> 0xbebecafebeefbebedeadbeef|
|rcx -> 0xcafebabedeadbeefbeefbebe|
|rdx -> 0xdeadbeefcafebabebeefbebe|
|..... |
------------------------------------------
Little endian---> The register EIP for example, only will understand this format if you are tryng to execute some ROP Attack
\xef\xbe\xad\xde
Big endian---> Normal human visualization
0xdeadbeef
------------------------------------------
Register lengths!
Undestanting high bytes and lower bytes!!
Big endian:
|
'-> (8bits) 1 byte (8bits) 1 byte (8bits) 1 byte (8bits) 1 byte
| |------------------------------------------------------------------------------.
| | 0xde | 0xad | 0xbe | 0xef |
| '------------------------------------------------------------------------------|
| |
| |-> Converting to litte endian bytes!
'-> (8bits) 1 byte (8bits) 1 byte (8bits) 1 byte (8bits) 1 byte |
.------------------------------------------------------------------------------|
| \xef | \xbe | \xad | \xde |
'------------------------------------------------------------------------------|
| | | |
V <----------------V--------------------' |
Lower Byte High byte <--------------------------------'
| |
V V
AL,BL,CL,DL... -> AH,BH,CH,DL -> This rule are applicable for the all other bytes
'---------|--------'
V
AX,BX,CX,DX... -> (16bits) 2 bytes registers
-----------------------------------------------------------------------------------------
--=Tricks=--
*-push 1
*-pop eax
|
*-push 2
*-pop ebx
|
'-> eax=1 -> (EAX = 4 bytes -> eax=0x00000001)
'-> ebx=2 -> (EBX = 4 bytes -> ebx=0x00000002)
|
'-> xor ebx,ebx---> Clear register
'-> eax=1
'-> ebx=0
|
'-> add eax,20---> Add
'-> add ebx, 30
|
'-> eax=0x21
'-> ebx=0x30
|
'-> xor eax,ebx---> Store the result on EAX register (Attention! it will only store at the left register e.g : xor <EAX>, ebx)
'-> eax=0x11
'-> ebx=0
|
'-> sub eax, ebx---> Substract registers
'-> eax=0x11
'-> ebx=0
|
'-> inc ebx---> Increment +1
'-> inc eax
|
'-> eax=0x12
'-> ebx=0x01
|
'-> dec eax---> Decrement -1
'-> dec ebx
|
'-> eax=0x11
'-> ebx=0
|
'-> xor eax, eax---> Clear register eax
'-> push 1
'-> pop al---> (AL = 1 byte -> 0x01)
|
'-> eax=0x01
'-> ebx=0x00
|
'-> cmp eax, ebx -> RET FALSE
'-> jne exit -> if not equal jump to exit
'-> ret -> else, RET ( return to main on the most cases )
------------------------------------------------------------------
-=Simple loop-=
_main:
xor ecx, ecx -> Clear register to 0x00
add ecx, 0x100 -> add 0x100 value to ecx register
loop:
dec ecx -> decrement -1 from ecx register
jnz loop -> if not zero back to loop
ret -> else, return to the main function
------------------------------------------------------------------
PTR -> pointer to string contained on that address!
|
'-> eax=0
| mov eax, 0xdeadbeef---> Address containing kernel32.virtualprotect
|
'-> eax=0xdeadbeef
| mov eax, DWORD PTR DS:[EAX] -> make a pointer to kernel32.virtualprotect string, and move to eax
|
'-> eax="kernel32.virtualprotect"
'-> ebx=0|
'-> ecx=0|
'-> edx=0| register values
'-> esi=0|
'-> edi=0|
|
'-> ret
|
|----------immunity debugger pseudo-OUTPUT--------
|0xffxxxxxx| .-lpflOldProtect=0 |
|0xffxxxxxx| '-flNewProtect=0 |
|0xffxxxxxx| '-dwSize=0 |
|0xffxxxxxx| '-lpAddress=0 |
|0xffxxxxxx| '-kernel32.virtualprotect |
.....
------------------------------------------------------------------------
push DWORD -> Used on many WinAPIs for insert 4 bytes on stack e.g:
messagebox_function:
push dword MB_OK
push dword title
push dword msg_box
push dword NULL
call MessageBoxA ;; launch MessageBox
ret
Calling MessageBoxA Windows API with reverse parameters order!
Compare your self!
**********************************
...
section .text
msg_box: db "Hello world",0
title: db "Title box", 0
messagebox_asm_function:
push dword MB_OK
push dword title
push dword msg_box
push dword NULL
call MessageBoxA
ret
VS
int MessageBox(
HWND hWnd,
LPCTSTR lpText,
LPCTSTR lpCaption,
UINT uType
);
*********************************