In this series I will try to explain the basics of assembly programming on Windows (x86). I will start by explaining how to set up a good work environment (lab) and the basics of assembly, then I will branch the series into virus writing, software cracking, exploit writing and advanced assembly concepts.
So we will start by setting up our lab environment. I recommend setting up a Windows (XP or 7) virtual machine on VMware or VirtualBox. We will write and run our assembly code on that box.
After starting our windows box, we will fill it with the tools we’ll need:
MASM, or Microsoft Macro Assembler. MASM is a high-level assembler created by Microsoft, available for download for free here: http://www.masm32.com. We have chosen MASM because it’s easy, small and works well with the other tools we’ll be using here.
MASM is easy to install, we just have to download it from its website and simply run the installer:
We just have to select the install dir and the wizard will do all the work.
I’m sure most of you know this baby, especially those who have been working in the field of vuln discovery & exploit writing. OllyDbg is an excellent debugger for Windows programs. It will allow us to see exactly what is happening inside the CPU during the execution of a certain program. OllyDbg works in ring 3 (user mode).
This software has the feature of working with various plugins and there are a couple of interesting ones out there, we will work with it in the future. All the plugins must be placed in the “plugins” directory(lelz).
OllyDbg can be downloaded from http://www.ollydbg.de/ for free. We don’t have to install anything here, just download the software and save it to the hard drive.
To better understand how the software works and what it does, we will test its main features on a sample .exe file:
File -> Open -> some .exe file
And then the main window will look like:
Don’t panic, in a few days all will look clear and easy P-). OllyDbg’s main window is composed of four sections, and each section shows a different part of the program execution.
The first section is the disassembly
Here we can see the disassembled code of the executable we have just opened. As it’s easy to see, the code we have in this window is x86 assembly. The main goal of this window is to allow us to see what the program is doing at every moment. In future posts we will see that we can run a program in OllyDbg “step by step” and see which instruction is running in every step and what that instruction is doing.
The next section is the registers window
In this window we can see the state of the CPU registers at every moment. Programs store information in the registers for many purposes, like doing math operations, controlling the execution flow of the program, storing addresses, etc.
At the bottom of the registers section, the stack section
This section contains the program call stack. When our program is running, it can eventually call functions or subroutines to perform certain tasks; the program uses the stack to store the return address, that is, the address execution continues from when the function or subroutine ends.
And finally on the bottom left window, the memory dump section
This section shows a dump of the program’s memory. On the left we can see the memory address, then the content as a hex dump and finally the raw ASCII data of the content.
Next thing we will do is to set up our OllyDbg for working easily with assembly. I suggest highlighting jmps and calls to make it easier to trace our programs. Just right click on the code window and follow the instructions. Jmps and calls are used to branch the execution of the program: jmps are used to literally jump to another memory address and execute its content, and calls are commonly used to run a function or a subroutine. We will see how they work in the future.
I consider tracing jumps and calls an important part of software debugging, so we will do one more thing to make it clearer for us: Options -> CPU -> Show jump path
This will do exactly what it says: it will show where the code is jumping. If the jump is a conditional jump, it will show whether it will be taken or not.
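To see the stack and jump behaviour described above in practice, here is a small MASM32 program, added here and not from the original post, that calls a subroutine and takes a conditional jump. It assumes the masm32 package is installed in C:\masm32 (its default); all labels and message strings are made up for the example.

```asm
; Added example, not from the original post. Assumes the MASM32 package
; lives in C:\masm32 so the include paths below resolve.
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
    szTitle  db "Lab check", 0
    msgTaken db "EAX was zero: JZ taken", 0
    msgSkip  db "EAX was non-zero: JZ not taken", 0

.code
; Subroutine that copies ECX into EAX. CALL pushes the address of the
; instruction after the CALL onto the stack (ESP drops by 4); RET pops it.
CopyEcx proc
    mov eax, ecx
    ret
CopyEcx endp

start:
    mov ecx, 0              ; change to 1 and re-assemble to take the other path
    call CopyEcx            ; step into with F7 and watch the stack window
    test eax, eax
    jz   taken              ; conditional jump: OllyDbg draws its jump path
    invoke MessageBox, NULL, addr msgSkip, addr szTitle, MB_OK
    jmp  done               ; unconditional jump over the other branch
taken:
    invoke MessageBox, NULL, addr msgTaken, addr szTitle, MB_OK
done:
    invoke ExitProcess, 0
end start
```

Assemble with `\masm32\bin\ml /c /coff lab.asm` and link with `\masm32\bin\link /SUBSYSTEM:WINDOWS lab.obj`, then open lab.exe in OllyDbg and step with F7/F8 to watch the return address appear on the stack and the jump path highlight.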
And the last thing we will see from OllyDbg in this post is the toolbar:
L: Log window, shows exactly what OllyDbg is doing at the moment.
E: Shows all executable modules that the program uses, you know, like libraries, etc.
M: Shows the program memory map, i.e. exactly where our program is inside of memory.
T: Threads, shows the execution threads of our program
W: Shows opened windows of the program
H: Shows the program handles
C: Shows the main window of ollydbg (CPU)
/: Shows the patches that have been applied to the program
K: Call stack of the main thread, shows the chain of calls the program is currently inside.
B: Breakpoints, shows all the program breakpoints. We can set breakpoints in our program to control its execution flow and stop at a certain instruction. We will see it very soon.
R: Shows us the references when we perform a search
…: Run trace, shows the result of a tracing session.
S: Shows the source of the program, only if the .exe contains debugging information in Borland format.
Our next and last tool at the moment will be RadASM.
RadASM is an integrated development environment oriented toward Windows assembly programming. It comes with a lot of interesting tools (like a compiler, a debugger, etc.). We will install and adapt RadASM to work with MASM.
First step is go to radasm.com and download the following:
. RadASM IDE pack
. RadASM Assembly programming
. Win32 help file
The first thing we have to do here is to unzip RadAsm.zip into C:\ in a folder called radasm. Then we will unzip the assembly.zip file into C:\radasm\assembly. We’ll work with MASM, so we have to copy masm.ini and the whole masm folder into C:\radasm\. And at last we have to unzip the win32.zip file into C:\radasm too.
At the end the directory structure will look like this
Next step is to configure the RadASM IDE for working with MASM. Go to Options -> Programming languages and select MASM.
And finally, if you have RadASM or MASM installed in a different directory, you can go to Options -> Select paths to fix that.
In the next post we will write our first assembly program with masm and radasm P-)
If you want to go the extra mile, you can try to write a hello world MASM program for yourself, or try to search, download and run “Immunity Debugger” to see how it works.