
Copyright 2017 Multimedia Lab., UOS
System Programming (Assembly Code and Calling Convention)
Seong Jong Choi, chois@uos.ac.kr
Multimedia Lab., Dept. of Electrical and Computer Eng., University of Seoul, Seoul, Korea

MS VC++
Integrated Development Environment
  Language-sensitive text editor
  Preprocessor
  Compiler
  Linker
  Wizard
Project (.dsp): a collection of all the information necessary to build a binary executable (.exe, .dll)
  Files (source, header)
  Compile options
  Link options
Workspace (.dsw): a collection of projects
2017-09-15 Seong Jong Choi Assembly Language-2

Build Process
(figure: build pipeline)
  Editor -> source file (hello.cpp), header files (iostream.h), Makefile
  Preprocessor -> Compiler -> object file (hello.obj)
  Object files + libraries (mlibcewq.lib) -> Linker -> hello.exe (Debug version / Release version)
  The preprocessor, compiler and linker are the development tools supplied by MS VC++; the source, headers and makefile are user-defined.

Assembly Code
Project Setting -> C/C++ -> Category -> Listing files -> Listing file type -> Assembly, Machine Code, and Source
Then compile. You'll see an xxx.cod file in the debug directory.

Intel 80386 Registers (figure)

Intel Fundamental Data Types (figure)

Assembly Code
Instruction := operation [operand] [, operand]
Examples
  Data movement: mov destaddr, eax
  Stack operation: pop eax
  Arithmetic, logic, comparison, etc.

Operand: Addressing Mode
  Immediate: the operand is contained in the instruction
  Register direct: the contents of a register
  Register indirect: the contents of a register are used as the memory address
  Memory direct: the contents of memory
  Memory indirect: the contents of memory are used as the address
  Index: address +/-

Data Movement Instruction
mov destination, source
  _a$ = -4
  mov dword ptr _a$[ebp], 0Ah
The above two lines are equivalent to:
  mov dword ptr [ebp-4], 0Ah
    mov: operation
    0Ah: operand, immediate addressing
    [ebp-4]: operand, index + register indirect addressing

Stack Instructions
PUSH
  1. Decrement the stack pointer (ESP)
  2. Then transfer the source to the stack location indicated by ESP
  Ex) push eax
POP
  1. Transfer the data at the current top of stack (ESP)
  2. Then increment ESP
  Ex) pop eax
The stack pointer (ESP) points to the data that POP will return.
(figure: stack memory from address 0 up to the highest address)

Stack Instructions (figure)

Assembly Debugging
View -> Debug Windows, then choose:
  Registers
  Memory
  Disassembly

An Example
/* simple.cpp: demonstrating the assembly language code generated by the compiler */
#include <windows.h>

int sum(int x, int y);
int WINAPI wsum(int x, int y);

void main()
{
    int a, b, c;
    a = 10;
    b = 20;
    c = a + b;
    c = sum(a, b);
    c = wsum(a, b);
}

int sum(int x, int y)
{
    int z;
    z = x + y;
    return z;
}

int WINAPI wsum(int x, int y)   // every Windows API function is a WINAPI-style function
{
    int z;
    z = x + y;
    return z;
}

Simple.cod File: starts at address 0
  ; 11 : a = 10;                                            <- C source code
  00018  c7 45 fc 0a 00 00 00   mov DWORD PTR _a$[ebp], 10 ; 0000000aH
    00018: memory address (offset) of the machine code
    c7 45 fc 0a 00 00 00: translated machine code
    mov DWORD PTR _a$[ebp], 10: translated assembly code

Disassembly Window: location of the machine code at run time (relocated)
  11:   a = 10;                                             <- C source code
  00401048  mov dword ptr [ebp-4],0ah
    00401048: memory address of the machine code (relocated)
    mov dword ptr [ebp-4],0ah: translated assembly code (disassembled)

Function Call
Caller
  ; 14 : c = sum(a,b);
  mov ecx, DWORD PTR _b$[ebp]
  push ecx
  mov edx, DWORD PTR _a$[ebp]
  push edx
  call ?sum@@YAHHH@Z ; sum
  add esp, 8
  mov DWORD PTR _c$[ebp], eax
Callee
  ; COMDAT ?sum@@YAHHH@Z
  _TEXT SEGMENT
  _x$ = 8
  _y$ = 12
  _z$ = -4
  ?sum@@YAHHH@Z PROC NEAR ; sum, COMDAT
  ; 19 : int sum(int x, int y) {
  push ebp
  mov ebp, esp
  sub esp, 68 ; 00000044H
  push ebx
  push esi
  push edi
  lea edi, DWORD PTR [ebp-68]
  mov ecx, 17 ; 00000011H
  mov eax, -858993460 ; ccccccccH
  rep stosd
  ; 20 : int z;
  ; 21 : z = x + y;
  mov eax, DWORD PTR _x$[ebp]
  add eax, DWORD PTR _y$[ebp]
  mov DWORD PTR _z$[ebp], eax
  ; 22 : return z;
  mov eax, DWORD PTR _z$[ebp]
  ; 23 : }
  pop edi
  pop esi
  pop ebx
  mov esp, ebp
  pop ebp
  ret 0
  ?sum@@YAHHH@Z ENDP ; sum
  _TEXT ENDS

Before Function Call
Assume:
  esp = n + 4
  ebp = bbpp
  edi = ddii
  esi = ssii
  ebx = bbxx
The above registers are used in the callee.

Function Call - Caller: save the 2nd parameter on the stack
; 14 : c = sum(a,b);   (esp = n+4 before this step)
  mov ecx, DWORD PTR _b$[ebp]
  push ecx
Stack after this step:
  n    : b            <- ESP
  n-4  :
  n-8  :
  n-12 :

Function Call - Caller: save the 1st parameter on the stack
; 14 : c = sum(a,b);
  mov edx, DWORD PTR _a$[ebp]
  push edx
Stack after this step:
  n    : b
  n-4  : a            <- ESP
  n-8  :
  n-12 :

Function Call - Caller: save the return address on the stack
; 14 : c = sum(a,b);
  call ?sum@@YAHHH@Z ; sum
  return addr:  add esp, 8
The call instruction does two things:
  1. push return addr
  2. eip <- ?sum@@YAHHH@Z
Stack after this step:
  n    : b
  n-4  : a
  n-8  : return addr  <- ESP
  n-12 :

Function Call - Callee: save ebp
; 19 : int sum(int x, int y) {
  push ebp            ; [esp] = bbpp
Because ebp is used inside the function, first save ebp on the stack.
Stack after this step:
  n    : b
  n-4  : a
  n-8  : return addr
  n-12 : bbpp         <- ESP

Function Call - Callee: set up ebp
  mov ebp, esp
Set ebp to the current value of esp: ebp = n-12.
Stack after this step:
  n    : b
  n-4  : a
  n-8  : return addr
  n-12 : bbpp         <- EBP, ESP

Function Call - Callee: reserve space for local variables
  sub esp, 68         ; 00000044H
Reserve space on the stack for the function's local variables (17 DWORDs): esp = n-80.
Stack after this step:
  n    : b
  n-4  : a
  n-8  : return addr
  n-12 : bbpp         <- EBP
  n-16 :
  ...
  n-80 :              <- ESP

Function Call - Callee: save the registers the function will use
  push ebx
  push esi
  push edi
Save on the stack the contents of the registers the function is going to use.
Stack after this step:
  n    : b
  n-4  : a
  n-8  : return addr
  n-12 : bbpp         <- EBP
  n-16 :
  ...
  n-80 :
  n-84 : bbxx
  n-88 : ssii
  n-92 : ddii         <- ESP

Function Call - Callee: fill the local variable area
  lea edi, DWORD PTR [ebp-68]
  mov ecx, 17         ; 00000011H
  mov eax, -858993460 ; ccccccccH
  rep stosd
rep stosd behaves like
  for (i = 0; i < ecx; i++) mov [edi + 4*i], eax
which here is
  for (i = 0; i < 17; i++) mov [(n-80) + 4*i], ccccccccH
Store ccccccccH into the whole stack area reserved for local variables (4 x 17 = 68 bytes).
Stack after this step:
  n    : b
  n-4  : a
  n-8  : return addr
  n-12 : bbpp         <- EBP
  n-16 : ccccccccH
  ...  : ccccccccH
  n-80 : ccccccccH    <- EDI (start of the fill)
  n-84 : bbxx
  n-88 : ssii
  n-92 : ddii         <- ESP

Function Call - Callee: compute z = x + y
  _x$ = 8
  _y$ = 12
  _z$ = -4
; 21 : z = x + y;
  mov eax, DWORD PTR _x$[ebp]
  add eax, DWORD PTR _y$[ebp]
  mov DWORD PTR _z$[ebp], eax
Add a and b and store the result at [ebp-4].
Stack after this step:
  n    : b            <- EBP+12
  n-4  : a            <- EBP+8
  n-8  : return addr
  n-12 : bbpp         <- EBP
  n-16 : z = a+b      <- EBP-4
  ...  : ccccccccH
  n-80 : ccccccccH
  n-84 : bbxx
  n-88 : ssii
  n-92 : ddii         <- ESP

Function Call - Callee: return value
; 22 : return z;
  mov eax, DWORD PTR _z$[ebp]
Store the value to be returned in eax: eax = a+b.
Stack after this step:
  n    : b            <- EBP+12
  n-4  : a            <- EBP+8
  n-8  : return addr
  n-12 : bbpp         <- EBP
  n-16 : z = a+b      <- EBP-4
  ...  : ccccccccH
  n-80 : ccccccccH
  n-84 : bbxx
  n-88 : ssii
  n-92 : ddii         <- ESP

Function Call - Callee: restore registers
; 23 : }
  pop edi
  pop esi
  pop ebx
Restore the register values from before the function used them.
Stack after this step:
  n    : b
  n-4  : a
  n-8  : return addr
  n-12 : bbpp         <- EBP
  n-16 : z = ssssssssh
  ...  : ccccccccH
  n-80 : ccccccccH    <- ESP
  n-84 : bbxx
  n-88 : ssii
  n-92 : ddii

Function Call - Callee: release the local variable area
  mov esp, ebp
Release the space reserved for local variables: esp = ebp.
Stack after this step:
  n    : b
  n-4  : a
  n-8  : return addr
  n-12 : bbpp         <- EBP, ESP
  n-16 : z = ssssssssh
  ...  : ccccccccH
  n-80 : ccccccccH
  n-84 : bbxx
  n-88 : ssii
  n-92 : ddii

Function Call - Callee: restore ebp
  pop ebp
Restore ebp: ebp = bbpp.
Stack after this step:
  n    : b
  n-4  : a
  n-8  : return addr  <- ESP
  n-12 : bbpp
  n-16 : z = ssssssssh
  ...  : ccccccccH
  n-80 : ccccccccH
  n-84 : bbxx
  n-88 : ssii
  n-92 : ddii

Function Call - Callee: return to the caller
  ret 0
Set eip so that execution goes back to the caller:
  1. pop eip          ; eip <- return addr
  2. esp = esp + 0
Stack after this step:
  n    : b
  n-4  : a            <- ESP
  n-8  : return addr
  n-12 : bbpp
  n-16 : z = ssssssssh
  ...  : ccccccccH
  n-80 : ccccccccH
  n-84 : bbxx
  n-88 : ssii
  n-92 : ddii

Function Call - Caller: restore esp
; 14 : c = sum(a,b);
  return addr:  add esp, 8
Restore esp to its original value: esp = n+4.
Stack after this step:
  n+4  :              <- ESP
  n    : b
  n-4  : a
  n-8  : return addr
  n-12 :

Function Call - Caller: store the result
  mov DWORD PTR _c$[ebp], eax
Store the computed result held in eax into c.
Stack after this step:
  n+4  :              <- ESP
  n    : b
  n-4  : a
  n-8  : return addr
  n-12 :

Function Call: Summary
Uses of the stack space
  Space for the parameters; parameters are pushed starting from the rightmost one.
  Space for the function's local variables.
Use of ebp
  Inside the function, every parameter and local variable is accessed through ebp plus an index.
  ebp points to the top of the stack space used for the function's local variables.
Registers pushed on the stack before the function starts and popped after it finishes: ebp, edi, esi, ebx
An int return value is stored in eax.
After the function finishes, the caller readjusts the stack space that was used for the parameters (add esp, 8).

Return Instruction
The difference between sum() and wsum() is who (the caller or the callee) cleans up the stack space used for the parameters after the function finishes.
  sum() return instruction: ret 0
  wsum() return instruction: ret 8
ret n
  RET transfers control to a return address located on the stack. The address is usually placed on the stack by a CALL instruction, and the return is made to the instruction that follows the CALL. The optional numeric parameter to RET gives the number of stack bytes to be released after the return address is popped. These items are typically used as input parameters to the procedure called.

Calling Convention
  Keyword                              | Stack cleanup | Parameter passing
  cdecl (C default)                    | Caller        | Pushes parameters on the stack, in reverse order (right to left)
  stdcall (#define WINAPI __stdcall)   | Callee        | Pushes parameters on the stack, in reverse order (right to left)
  fastcall                             | Callee        | Stored in registers, then pushed on the stack
  thiscall (not a keyword)             | Callee        | Pushed on the stack; this pointer stored in ECX
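As an added example (not the lecture's or MSVC's code), the caller and callee steps of the function-call walkthrough above and the ret 0 / ret 8 difference between cdecl and stdcall, replayed on a constructed model of the 32-bit stack; the byte-array memory, the tracked registers and the constructed values for bbpp, ddii, ssii, bbxx and the return address are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed stack model (not MSVC's or the lecture's code): 256 bytes of memory plus the registers tracked in the slides. */
typedef struct { uint8_t mem[256]; uint32_t esp, ebp, eax, ecx, edi, ebx, esi; } cpu_t;
static void st32(cpu_t *c, uint32_t a, uint32_t v) { memcpy(c->mem + a, &v, 4); }
static uint32_t ld32(const cpu_t *c, uint32_t a) { uint32_t v; memcpy(&v, c->mem + a, 4); return v; }
static void push(cpu_t *c, uint32_t v) { c->esp -= 4; st32(c, c->esp, v); }
static uint32_t pop(cpu_t *c) { uint32_t v = ld32(c, c->esp); c->esp += 4; return v; }
/* "Before Function Call" slide: esp = n+4; bbpp, ddii, ssii, bbxx are constructed values. */
static cpu_t before_call(uint32_t n) {
    cpu_t c; memset(&c, 0, sizeof c); c.esp = n + 4;
    c.ebp = 0xbb99; c.edi = 0xdd11; c.esi = 0x5511; c.ebx = 0xbb33; return c;
}
/* Caller: push the arguments right to left, then "call" pushes the return address. */
static void caller_push(cpu_t *c, uint32_t a, uint32_t b, uint32_t retaddr) {
    push(c, b); push(c, a); push(c, retaddr);
}
/* Callee prologue and body, following the sum() listing line by line. */
static void callee_enter(cpu_t *c) {
    push(c, c->ebp); c->ebp = c->esp;                    /* push ebp; mov ebp, esp */
    c->esp -= 68;                                        /* sub esp, 68 (17 DWORDs) */
    push(c, c->ebx); push(c, c->esi); push(c, c->edi);   /* push ebx; push esi; push edi */
    c->edi = c->ebp - 68; c->ecx = 17; c->eax = 0xCCCCCCCCu;
    for (; c->ecx; c->ecx--, c->edi += 4) st32(c, c->edi, c->eax);  /* rep stosd */
    c->eax = ld32(c, c->ebp + 8) + ld32(c, c->ebp + 12); /* eax = x + y */
    st32(c, c->ebp - 4, c->eax);                         /* z = eax  ([ebp-4]) */
    c->eax = ld32(c, c->ebp - 4);                        /* return value in eax */
}
/* Epilogue: "ret 0" for sum() (cdecl) or "ret 8" for wsum() (stdcall); returns the popped eip. */
static uint32_t callee_leave(cpu_t *c, int stdcall) {
    c->edi = pop(c); c->esi = pop(c); c->ebx = pop(c);   /* pop edi; pop esi; pop ebx */
    c->esp = c->ebp; c->ebp = pop(c);                    /* mov esp, ebp; pop ebp */
    uint32_t eip = pop(c);                               /* ret: pop eip */
    if (stdcall) c->esp += 8;                            /* ret 8: the callee releases the args */
    return eip;
}
/* Whole call of c = sum(a,b) or c = wsum(a,b); returns the value that lands in c. */
static uint32_t call_sum(cpu_t *c, uint32_t a, uint32_t b, int stdcall) {
    caller_push(c, a, b, 0x401060u);                     /* constructed return address */
    callee_enter(c);
    if (callee_leave(c, stdcall) != 0x401060u) return 0;
    if (!stdcall) c->esp += 8;                           /* cdecl: the caller's "add esp, 8" */
    return c->eax;
}
int main(void) {                                         /* dump the frame as in the z = x + y slide */
    cpu_t c = before_call(200); caller_push(&c, 10, 20, 0x401060u); callee_enter(&c);
    for (uint32_t a = 200; a >= 108; a -= 4) printf("n%+d: %08x%s\n", (int)a - 200, ld32(&c, a),
        a == c.ebp ? " <- ebp" : a == c.esp ? " <- esp" : "");
}
```

With n = 200 the dump shows b at n, a at n-4, the return address at n-8, the saved ebp at n-12, z at n-16, the ccccccccH fill down to n-80 and the saved ebx/esi/edi below it, and both conventions leave esp back at n+4 after the call.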