Learn Assembly in 50 minutes - Matthew Miller

take

picture all right prove that people actually came in my talk this is 4:00 in the afternoon so um if you ever run a long race this is like you know the last 400 races all right so today I'm going to talk about assembly I was hoping to do a live demo but of course the demil God said no um so I couldn't actually connect to uh AWS so good thing I repaired my flights so does anybody know why you might want to learn assembly understand how programs work understand how programs work yes very much that's why I always taught my computer science students it V to yourself possibly torture yourself yeah for ma performance reverse

engineering possibly performance compilers these days are actually awfully good um so they tend to really good that what all the CRA actually means yeah so if you're reverse engineering right and you're going to look at some binary code and you want to know what it is um that's a great way the last thing is probably if you want to write Shell Code you might need to know a su all right so a few Basics on computer architecture um I am not a computer engineer I am by trade a computer scientist um so I learned a little bit of assembly um when I was in college but then I got a job where I needed to

actually R engineer so uh quote unquote Mal word what the government wrote um and so I had to um I had to do that as well teach some of my courses right so binary instructions will run on the computer right they are the lowest level that is accessible by the user we're not going to talk about Micro Ops Micro Ops are actually what runs on the computer so we talk about F decode execute and store those are actually done by Micro Ops and they're basically the same on all computers regardless of which architecture use except for the sort of decode piece um so example here um there is some binary I don't know how many of

you would like to read that probably not very many a little bit better is hexad decimal and then a little bit better will be assembly right so assembly is a lot easier to read so hex is actually pretty simple so every um every heximal digit which you need two hexadecimal digits to get a bite anybody know what half of a bite is called nibble a nibble very good thank you right so each of these hex digits or nibbles represents four bits right and the nice part about that is that we can represent with the numbers 0 through n and then a through f um and so when you get to reading assembly you're going to

have to sort of be able to do that translation um if you need to figure out what the BDS exactly are we also have a couple other representations so we've got um two's complement which is used for positive and then negative numbers um floating point which we'll talk about later um everything can be represented as bytes so btes are actually the lowest accessible thing that you could do inside of a computer and then we've got sort of our principal characters so we got aski which is seven or eight bits depending on your definition and then we got Unicode which is between two and five bits depending on your um language right and that supports all

of the characters sort of outside outside of you know our Latin character set that we have so in a computer right we have these registers they are as fast as you can go on the clock right so if your clock is running at 3 GHz that means you can do 3 gahz times the number of instructions per second if your computer is operating as fast as they can they are very expensive they are very limited we only have between 10 and 15 20 of them uh depending on your architecture uh here are a few examples e evx um the reason for their funny names is because they date back to the old eight or 16bit

computers that use registers Like A and B um so we extended these are actually 32-bit examples and then your computer basically moves data from memory either your hard disk or Ram into the processor executes that and then it might need to store some data and it might go back and forth as far down as you can covered all right and then memory layout so if we talk about Ram or maybe a cache that's sitting in between um I think it's easiest to think about at the lowest address being on the lower right and sort of going up so if you move a dword into this memory location and your d-word is Cafe babe right be is actually at the lowest

address now if you did that as bites your lowest bite would be ca because we have little Indian which is a little bit different than big Indian so little Indian means that the um lowest bit uh comes on the right side as opposed to on the left um not everybody wants a job memory like this but I think when you're first coming into it right the sort of confusion between like Oh I thought I move this into it and didn't really um sort of jive with what she thought and then in addition we have the stack which we'll talk about it in a little bit I like to think of it as a stag Tite some of you will see that

people think of it as a stag M right we find about that but memory is actually allocated in Pages anybody know why it's allocated in Pages that's just what the M can address so it's allocated in Pages because you actually can take a page in memory and write it back to disk and put something else in for it right that's how your computer you guys ever use the page file or if you ever ran out of the page file I've done that before Moon killer Max Max aree especially awful at managing the page P I've had I have 64 gigs of ram in my computer and it will literally have 30 gigs free and a six gig page file what

the heck are you doing Ma come on back in the ring um but Pages allow the OS to switch these in and out so that a different program can be loaded or one program can be paused that needs more man all right so a computer basically runs by the instruction pointer says hey do this instruction does that instruction right and then it might need to store some data it might need to load some data right that's what the new Ops will do right they'll actually load the data do the operation and then store the data and there's a whole scheduler if you want to see there's lots of really good talks about that um and then once it's

done with that execution by the way x86 is variable length instructions right so some instructions take one bite some instructions take two or four I think five or six of seven is the max I don't see that a lot um so then the instruction pointer has to add whatever the size of the instruction is to figure out what the next instruction is we can actually contrast that with arm so arm is fix fixed size instructions so thumb mode I think is two bytes and then regular is four bytes for arm for to execute and thumb is the whole thing and again we're not going to talk about that because there's lots of details all right so Assembly Language

is represented by whichever architecture we have I put up here three of them R x86 x64 and you typically if you have x64 right you get x86 sort of included in the package I didn't put here risk five that's another one um somebody likes that one right and so we take our program that's written in C or whatever our hard Lang language is and we boil it down to a bunch of binary that gets run on a computer well the beauty about assembly is we could pull it up one level and say oh I know what these instructions are right I can take that binary and say oh that's a push operation even though right I don't see

push in C right there is no push in C and so with our assembly we basically have lumonics or instructions talk about those you can have a hardware address and then I already mentioned that's why right so you can't address a vent right everything has to be a bite or

bigger sorry I just got over a cold where I couldn't talk for four days so I'm getting better at that all right so our pneumonics which is the term you'll see in assembly so that is what the instruction is or we can call it an operation right and it describes what we're going to do here's a couple examples push EVP right or move eax one so move E1 means I'm going to take the number one and I'm going to move it into the register eax and eax has anybody know how many bits 32 right so I get one bit in there that's set to a one and all the other 31 bits are going to get set to zeros okay

and then our operands sort of um they customize right so we have the operation and then we have the operant so the operant are like your function argument right so they customize how that instruction runs so the number one is going to say I'm going to put the number one into the register now if you ever do programming like I totally recommend I don't know how you say it I'm going say it wrong G I think is how he says Jeff I think he says in Jeff but it's basically a GDB plugin that adds it's really hard for you guys maybe it's a little better for you it's hard for me to see back there so it

breaks us into different sections representing what's on the stack what's in our code if you look at the top you can see all the registers that are in there and so this breaks up so you can as you're stepping through it and if I could have connected to my server I would have shown you guys a stepping through a program right but needless to say I can watch as this goes through and I can see okay here's what happened at this instruction I can compare what I what I had before to what I have now so it's it's a really nice plugin so I recommend it a lot all right so what are the things

that we can do we can move data do math we can Implement comparisons or conditional execution right which if you guys program in Python or C or C++ or Visual Basic God forbid right right you got like if statements right so we can do those we can call functions right you guys write functions if you write something in a high level language and then we got the sort of biggest thing which is possibly interacting with the operating system right so not everything runs in userland some of it you have to go and execute on there and then we do have variable number arguments there's a couple that have zero arguments so like the clear Direction flag has zero

arguments um but a lot of them have one or more you guys read this I thought the screen was if you can't read it you should come sit with seats the front perfect for seeing all right so this on the razor pointer nope it does not all right so if we look on the top we can see that we have an include statement so you can actually write libraries um if you need to um online pre I Define a string right and you have to Define sort of it gives you a couple nice things right so there it says hello um if you look in there there's a 10 anybody know the for 10 what is

that it's a new line right so it'll print off a couple new lines for us if you look at my output you can see there's a new two new lines after it and then zero that means it's a n terminated string like we have in C so we can see that we are doing some stuff I put again kind of hard to read but I put some nice comments in here saying okay I'm moving Cafe babe into DX and then loading this um variable high so high is on line three I'm loading the address of it and putting it in E I'm then changing the bite at the very first index what's the very first bite

is uppercase H right so I change that uppercase H to a lowercase h i then go in and take eax which is an address and I add five to it so if you count five hello has four letters okay so it's going to take that space and it's going to turn it into a comma right so these are all things that you might do in C right but we can see that we can actually do them in assembly and then the very bottom I'm calling a function right Grint string which is actually in the library that I helped right I actually so when I taught assembly um I was looking for a book at first tried to

type teach assembly on Windows that was a nightmare trying to get all of my students to install visual studio and then be able to run it and I said screw that I want to do Source right so I actually ran it on Linux there's a guy named Paul Carter who sold a book at one point um you can buy it on one of those print print on demand services for like5 or $10 um and he had a library and I actually updated it so that it was a little bit simpler and easier for my students to use so for example you can see that um I'm calling print string it's actually included in the library on

line one um and so that's just a nice way to print it we'll show another example later so again math right we got all of our sort of basic things that we can do add subtract multiply divide we got bit manipulation so we can rotate bits around right so rotate is you move it over and then the thing that falls off the end sort of goes back to the beginning a shift you rotate but the thing that falls off falls off just just disappears and then we got our binary operations that we do on binary numbers so and or exor anybody know what exor what do we use that for well we use it for encryption we use

it for encryption right yeah and if you again sorry you can't read it so I actually in here I am I'm exloring eax and ebx twice and if you look at the bottom evx so it changed from uh Cafe V to this F uh or sorry CA so it's a different value because it's eax and ebx ebx exor together but then I exor it one more time and I get back the original thing right so the beauty of exor is it allows us to do encryption um if you have a random text right which is generated by some key Either symmetric or symmetric all right so then we have Flags so Flags tell us about it says the current state

but it's really like what happened in the previous state so I did some operation and it might have set a flat right so I did a subtract oh by the way when I subtracted them the zero like the actual value is zero so then we get this thing called a zero flag zent so the zero flag means the result of the previous operation was zero and the nice thing about about the flags is they allow us to do this conditional execution so I can either do the next instruction or I can like jump over here and do some other instruction right and that's how you get your ifs and your ws and your dos and

all those fancy things right so those are built out of that and typically we don't actually just use it on a math operation typically we use it on either a compare a test compare takes the two things and subtracts them right if you get a zero guess what zero flag gets set it's what I use a lot um test actually does a binary and so it will and them together right and if you and two things and you get a zero guess what they don't have any bits that match right so we use these when we write things like loops and we do that by using jumping right so there's two types of jumps one

is called a unconditional jump or would you guess that would mean jump no matter what jump no matter what perfect right so that means always I'm going to jump to this spot as opposed to a conditional jump which means only jump when Simon says right and if Simon doesn't say you keep doing the next thing that's in there right so a couple examples you can see jump zero jump carry jump not zero jump below jump above jum above equal there is a whole list of them you can do inside the x86 and then the one that sort of makes all of your functions possible is calling functions right so you know even if you're calling a function in some

interpreted language like python eventually it has to boil down to something actually calling a function on the back end all right so the thing that is always confusing to students right is we're going to use the stack talk about the stack we'll talk about that later but what it does is it says oh I need to go do this function so what I'm going to do is you know executing instructions one at a time I need to go do that other thing but the next thing I need to do is this next instruction so it takes the add that next instruction that address and it says I'm going to put that onto the stack okay so it puts on the stack and

then you go do the function right so do all this right save my stuff and it comes back and it says oh I need to go do that instruction that you said right so the function that gets called then Pops that thing off and says oh that's my next instruction right and if you mess this up your program will say call I guarantee it the students do it all the time right so you know the biggest rule is whatever you put onto the stack you got to take off right because if you don't it's going to go and jump to some location and it's probably some memory that you do not have access to right

because we have computers that are segmented right different portions of memory are allocated for different user programs some might be kernel some may not be mapped at all into memory right so the computer can pick out of all those addresses right I don't know what is two does a 64 it's a really big number you don't have that much RAM in your computer right but the address space is 2 to the 64 and then so the again the application binary interface is how programs are supposed to run on particular operating systems so for example Microsoft used to do one way and Linux would do another one um actually Microsoft now they they kind of use the standard for

x64 but the ABI or application binary interface says who saves the data and typically it's the function being called is going to save the data because then you're not wasting data being saved and where do we save all that data oh we'll see we're going to save it to the second all right the last part is so again if you go and look at Shell Code you'll probably see system calls right so a system call is a way for a user land program to say hey operating system I need you to do something for me okay so this one is the system call is 80 which is a write um right is going to go to

standard out um if you tell it that right so the arguments that you put on there right each OS is going to find them differently right I mean the system calls might have similar numbers between different versions of Linux right so that you don't have to rewrite stuff but for example in 80 with um eax being four and evx being one is going to be right to stand it out ECX is going to have the address of the thing you want to print out and edx is going to say how many bytes is it going to actually do on that right okay so that's a system goal that's how you interact with the so again if you look at Shell Code you're

probably going to see system call all right okay stack so I like to think of the stack as a SL tight so it grows from the top right and comes down so that's tight if you remember the acronym tight means tight to the ceiling like m is on the floor if you look at every single other person in the world I don't know why they do they draw it the other way because it's like a stack of plates right if you keep putting plates on you got to take the plates off from the top um but the problem with that is that your memory addresses start here and they get bigger as you go down to me

that doesn't make sense but the world has uh decided that I'm wrong so I guess different so the operations that we have on the stack are either push or pop so push means I'm going to put something on top of the stack pop means I'm going to take it off and take it off as logically take it off what I really do is I take my stack pointer and I say go up one the pop actually copies the data into the register that data is still there on the stack right it hasn't gone anywhere right that's just useless for the the OS to do anything with them and so we're going to use this stack in order to call

functions right I talked about we'll talk about it more a little bit but the stack is essential for being able to recursively call functions or call functions over and over again um and keep track of where was the previous one at where am I at and oh I've only got 10 registers like oh it's need 10 registers and I only got 10 registers like how are we all going to how are we all going to get along all right so I put in lots of comments here so this is one example that I had real right here all right so in this example actually in the in the demo I would show you guys how this works but we actually

got this Loop instruction so anybody any assembly programs in here anybody know what the loop instruction does probably not so the loop instruction is going to go jump to the label listed in it so top if ECX is greater than zero if ECX is zero it will not do that so here I put eight into ECX I'm then pushing ECX on top of the stack right so ECX has eight so I push that onto the stack I go here oh I forgot to mention Loop decrements ECX by one and then does the check it's going to say eight seven six or depending on which way you want to grow the stack so perod is in G so I haveo I have

set of break points is B and then the name of the label right so the nice thing about assembly is all I have to do is say some name in a colon and it's a label which means I can put a break point in it so as you can see here it actually lists it it says this is label top or function as it might think this is label B which was in my program before um and it says plus some offset um for that instruction so and then if we look up here we can see the stack and say see it says ESP and it's pointing to 00 0 I think you guys can read that so good

thing I did all these slides beforehand so now we can see that it pushed eight and then seven and then six again this stack grows the wrong way whatever I can't do anything about it so right now ESP is pointing to one so if I do a pop evx what's going to be in ebx what's on top of the stack uh one right and then I pop ECX what's going to be on top of the static two two very good so if we look clear at the top right it says evx is one ECX is 2 right poof you guys all understand the stack perfect right you guys are expert assembly programmers yeah we're working we're

working our way there all right so we talked about the stack so what is it used for so it's used for either arguments to a function I should have put this on here or local variables so arguments to the function so what happens is I'm going to go call a function and let's say it takes two arguments I have to push those onto the stack right and then what did I say it does when you call that function when I call the function it puts the uh current circum pointer on the SE put the next instruction pointer on top of this deck so I got arguments I got my return instruction and I'm going to do a little bit more magic and then I

got local variables right so those are all going to be on the stack they're all on the stack because we're going to use this thing so typical program design we use the extended base poter and this is actually because it's easy for people to understand H my EVP is right here I know where my function arguments are I know where my local variables are and I can use that to understand how my stuff works okay and then the beauty of the stack frame is when I'm done with that function call right I basically get rid of all of the things that I had on the stack right so we basically destroy it really we just like move the pointer up

and then logically it is destroyed but we don't actually do anything again if you don't clean it up guess what seg right anybody know why it's called sigall segmentation segmentation it's a has to do with like stepping outside like your segment of memory and then yeah so all programs right have a certain area of memory that they can execute in if you want to look at it you're on Linux go look in the proc directory all right right so the proc directory shows you all the info about every process on a system and if you have access to it you can look at where what memory does each process point to are those second something that were

created at the OS or FAL level for security reasons or is that a feature of the physical x86 architecture it's both okay so um early days they had a bunch of different segment registers so they had CS for code segment DS for data segment SS for stack segment but now the OS manages all of that and it is created for security purposes right so if your program tries to write to memory that doesn't belong to it your program crashes not the thing that it tried to write memory to okay so that's why we do that just score security y all right so we can see here that I have we have to push so if I if I

start with my arguments I had to push argument three and then push argument two and then push argument one and then call my function so my return address gets there and then what we do is because we're going to use EVP we need to save it so the AI application binary interface on 32-bit system says Thou shalt not destroy any register except eax eax is used for the return value so you may destroy eax so if you're going to call a function and you got something useful on eax guess what you better put it somewhere else that function can and will destroy eax so what we do is inside the function we push EVP we save it and say okay

I'm going to mess with EVP I need to save that and then our first local variable is that EVP and you can see addresses go down EVP minus 4 but if we do the calculation right each one of these is four bytes on a 32-bit operating system so our first argument is at EVP Plus 8 and I guarantee this is probably really hard to read but so this is a a website I put the link down there so godbolt org let you type in any c program or function that you want and you can pick any compiler that you want to look at you want to look at Linux you want to look at Linux with 86 you want

to look at arm and it will show you your C code and what that breaks down to in assembly so you can be like even if you don't have a Linux computer lying around you don't want to buy Raspberry Pi right you can look at the code that's related to this so again I know it's hard to see but um here is where we're calling our function we're calling it if you look at there there's four arguments so the last push is 97 which is an A in asy 98 is a b 99 is a c and then this push negative 8 billion I don't know something something something so that is my string up there is Cafe big right

anybody know where Cafe big comol so isn't it the magic number for some binary format it is for Java bik Co app is is speed face except for when they switch Indian this they got all scrandle yeah so each one has a different one yeah we got magic bites for that to know the file hor actually don't know the next I think it says yeah yeah so when they when they jumped up to 64 bit they changed R so and I have one slide talking about some of those um so we have sort of r with the extension so RX RBX rcx uh then they got smart and like the next one they called R8 after they got past the first

seven so R8 through R15 and actually the next ones you have right so they increased it those are the 64 bit there's also 12 V and some of them so if you look at some of the extensions like ABX so you got xmm which is um had it on my computer I think it's 128 bits okay um so there are bigger ones and you can do lots more complicated things we probably don't have time to talk about but if you want you can talk about them later thank you yep all right so here is my example of calling a function with many arguments again you can see the push in the opposite order so the function is called

of 1 2 3 we push 3 2 1 right so that shows you push them in the opposite order and then if we look on the stack we can see that ESP when I get to the function before it pushes EVP we have them in one two three again stack fast Awards order and we can see that that's how that works any

questions so then you know we we went from 32-bit which sort of had that type of calling convention now a 64-bit like I mentioned before now we have 16 general purpose registers that we can use so what they said is we're going to allow the first argument to go into RDI the second one into RSI RDX rcx R8 and R9 and then if you have more than that then you push them on with SEC anybody want to guess why we we're using AR we're using registers to throw those arguments instead of pushing along them stack speed speed right so your processor is orders of magnitude faster than the ram that you're writing to right your processor is doing all it can

to keep that processor full of instructions because it's running up here and your RAM is like and then your hard disk is like it hasn't moved right since 1980 right like it's moving really slow so if we can put arguments into registers it's going to run faster than if we have to push them onto the stack and then hopefully they get cash by our level one cash or level two cash or level three cash so that's why they they did that right it was for performance but now we're sort of feeling the pain for that if you guys look at some of the you know clearly was Spectre and meltdown which were issues with with caching and the new one with

the Maxs about the oh what is they have they have a a lookup table that looks them up and like oh this looks like an ADD I'm going to go fetch that memory literally what it is anyway what could possibly go this all right and then I really love these diagrams this person who makes them right they're really excellent diagrams like this is a diagram showing what is the simplest executable on Windows that you could have right and you can see all of the bites related to this now is this related to assembly yeah kind of but I think it's really interesting because if you're interested in assembly right you're probably interested how these different things work

question who's what's the handle of the guy that makes these he does like uh like like file container formats so it's clear up in the in the right hand top Corner cork corkman docomond corkman ck.com anyway if you search for him he's got he's got ones for you know Linux and a bunch of different ones and I really like because you can sort of understand oh where does that MZ come from and this binary yeah actually I just coached that J to compile G Z's I haven't gotten the the here to work well so I can't I can only do a single Source fi right now but I got GCC 6 compiling dos yeah all

right so um like I mentioned before right like doing this assembly right seems really hard and when I taught a course back in uh I think it 2012 or 2013 right I I had well 2012 I had to use Windows because I didn't know any better and then I think in 2013 I said screw that I'm just GNA like do my own thing right so I actually made a bunch of scripts that I put together so that we could um be able to put them together so when you're doing assembly right you're going to use at the top level you're going to use an assembler to create what we call an object file like on it's called a file um so that is sort

of a packaged version that like is self-contained but GCC knows how to interpret that right and put it into sort of bigger package um and so I typically use GCC as both my my Linker um and sort of the thing to build the sort of final output um and what happens with the output of your GCC depends on what your target is right so a lot of times right you're just targeting whatever your OS is um but like for example my Mac right an arm Mac can both compile x86 and compile arm code at the same time or you can download across compiler so you can compile for some other one do you have a

question oh well you mentioned you put PE on your slide and obviously no one uses that anymore are you like a Mac OG well PE is is Windows oh that's pe oh no PF is Apple's old one F yeah Mo would be new one yeah yeah yeah sorry right Y and then you can also use it to build shared libraries right so a shared Library might be used in some other code on Windows you know a dll would be your shared library on Linux it would be AO that's also a shared Library so this is the project that I made again I did um use a lot of the stuff from Paul Carter's book in order

to build it um so I did build it uh for students it does have one issue where it gives you a warning about position independent code right so nowadays um you're not supposed to assume where your binary is in in memory right and so there's a couple fixes I need to do to make sure that that works on there um so it is built for students but anybody can download it and uh and you're as able to run it so the sort of basic structure of the program is there is a script called um genm make. sh you give it a name of a project so in the projects folder it will create whatever the name you type

in there is if it already exists it will not destroy your stuff so that's good um but it copies all the files renames it so that the name of the executable in this case Hello is the exact same as the name of the project so all of your binaries have a different name um and then it makes a make file so make file allows you to you make changes you just type make right and whatever files changed it's a really cool program um it will just build those changes right and then you're up to date um and you got to pay attention if it fails guess what it didn't make a binary for you right so

it's not going to work and then it includes in here a a program called driver. C you can put whatever C code you want in there but in your hello. ASM there's a function called asmore main which the normal hello program is going to call um and just doing its process you want to change it great I just made it so that way students could write their stuff in assembly and say hey go and it goes ahead and does that also the nice thing is all of the stuff that's built into GCC or the standard C library like printf scan F you know all of those puts right are included because we're using GCC as well and I found that really

useful because students needed some help right sort of getting from zero to um so at the end of my classes my stud that actually make a game that I called super Asos so it buy the keys and you could move your little guy and then you when he hit up he was supposed to jump up and if there's a block above him he's supposed to not go through it and then I had kids that did Goombas and everything else because they didn't have time they had lots of time they also did colors and so colors right so students had a lot of fun with doing that um plus it was a final project that they would get

to do so again here is a example so we can see that I defined a string called high on line five we then either call the print string function which was built in um to the libraries that we wrote or I can actually call Print again you got to know where the arguments go so in printf um this is just printing a string and so the first argument has to be on top of the stack which is the string you want to use for print out and I put that address into eax and then I went ahead and printed it and then it prints twice right and of course my spelling is terrible so hello

starts okay I'm real good at

that all right so I did use Shell Code in my project because I thought that would be fun um and I actually didn't do it on a Mac because Mac disables uh rde execute Pages now which made me mad because I thought it used it used to do it um but sh is just like a bunch of binary code right you can think of it in HEX right it's usually part of a program not a real executable that's typically how it is right um and if you use some different things you know it excludes things called like bad bites right so if you're executing a Shell Code and it's doing a c copy of it and if you have

null in your shell code then it's going to stop right there right so you might have to exclude or work around having those bites inside of your shell code and then it will do things like looking up functions on the flly right so I did a talk about how you know the FBI would de anonymize people um on on uh windows and they basically had to go through a table inside of Windows right process and look up the functions that it needed to call right because it wasn't a real executable it was shell Cod it didn't have access to hey where is my network connection how can I make a connection out to the Internet so shell code is going to have

to do things sort of unconventionally because it's living in a constrained environment and it's kind of hostile to what it wants to do um and then either right so for example the FBI right they were phoning home just to get somebody's IP address um but attackers like you guys might want to actually launch a shell so you can have access to that that system the FBI did not want to have that ability for a variety of different reason I can talk to later anybody talks about so what I did is I used msf Venom right so that's the sort of evolved version of generating a payload and encoding it so that's what msf venom does um and then

there is a guy that wrote a really nice shell code tester that just um executes some Shell Code so I used that to test it and so this is my example so I'm going to use actually floating Point um so I'll try get done here in time but basically floating point we have a couple of different pieces we have a sign bit we have an exponent and then we have a bunch of data right and a double is 64 bits in length so I have like plenty of room to write say four byes inside of it so what I did is I took my shell code which is here as my input and then I took a number 1980 it's

a very special near to me um and I took that number and I basically figured out what is the difference between 1980 and if I substitute my bites in here for part of that number what's the difference that gives me a number right it's a floating Point number okay do that for each one of them all my way down and then when I go to decode it I just do all that in the reverse order so the first part is to generate what the difference is between the old input and what currently have calculate that difference save it then I have all my save stuff it's going to print off a little thing there but

what does that look like move dword move dword oh so that's assembly right and I talked about xmm right so xmm are the 128 bit registers so I can use those um to load my data in so I'm telling it to load a quad word in um and then doing the math so what happens is I took the output of that and I shoved it in here right so this is the actual assembly and it loads that value that's at the very bottom into these registers and then it says oh which what's my offset okay I'm going to subtract This Much from it well yep subtract and then I'm going to store the data and then I

to subtract RBP so I'm going to the next one the next one the next one right so I'm going up in data so then my main function here right line 14 is like C hackery um so casting a memory address into a function is a pain in the butt and see in assembly it's just like move and you got your function and he gets like call right and just do it but I didn't want to do that so we did that um and then in here anybody know what M protect does that's memory protections I set my page to read write execute because I wanted to just be able to run it right and then down here I call my awesome

function well I called that function Fu which put the data in Array it made it into the Shell Code that I wanted to execute so what it does is here it prints off when it decoded right because I was going through testing it wanted to make sure it works then it executed the Shell Code Shell Code this is generated by msfm yes how' you make your XX um that's just oh never mind I'll ask I think it's uh zsh M I think is the what I use so it does the colorate all right so cool story right I ran this through binary ninja and it's like I don't know what this is like you're doing a floating point like I I

don't know right so it it had no idea G on the other hand did a little better right it actually figured it out so if you look and you compare the bytes in this to the bytes over there guess what they match right so G did that knows how to do that execution right that oh I see it's taking a constant and it's adding to that constant it's running into memory I'm going to figure out what that is right and figured out all the data that's in there now you can make this harder I actually was working on this today right so instead of just saying I'm just going to do one operation I'm like I'm going to

do a whole bunch like seven billion 70,000 704 million right so if the symbolic execution doesn't know how long it's going to take it's going to be like I don't know what that is right and so this is totally something you can do if you want to off youate what your code is doing and if you're using floating Point like no hacker like they're not using that's why vinary ninja just doesn't even try because it doesn't care because nobody uses it so if you want to use it there you go and then you run this through G and it's like yeah I don't know what local C is it's like it's some value right so so it's totally doable to

Aus skate your code by using the Point registers right because the the disassemblers won't figure it out oh look at that I got one minute Perfect all right any questions comments dad jok do you usually do any embedded uh this myed assembly or do you may just do assembly on on desktops yeah so normally I'm doing it on desktops you know as a for fun right I actually program in Python um in my role as a CSO but you know each company's different right we're really small company so I spend most of my time programming um so this is something that I do for fun um I also like writing challenges for uh you know

different uh ctfs right and so it's fun to do some different things like use use AES to encrypt your payload and then you got to provide the key to figure it out right so there's some AES libraries you can use or doing stuff like making self- modifying code so as the code is executing it's actually modifying the instructions in front of it oh wow and so then your disassembler is like I don't know what you're doing here but when you execute it right there's some you're just sort of manipulating it as you go and then at some point you get to the actual thing that you wanted to execute so I just do it as uh

I'm going to guess from the fact that you said CSO don't be anym um when you were I taught at Dakota State University which has a cyber security program and then um University of Nebraska is for our last talk I'm not a

car anybody else thanks for making it look easy right my my uh the last talk I gave was like this was assembly so easy and AI can't do it because when I first tried doing it I'm like hey you know ch gbg right can you do uh print F in assembly and it's like assembly assembly assembly print just like it was C I'm like okay that's not right at all you just don't know right and it it does okay but and it can help you with lots of things like copilot will help lots of things but it doesn't sort of understand that things change like for example my Mac I wanted to be able to compile x86 code on it and

it just kept running me in circles with trying things that didn't work um so you know it's got some sort of data knowledge um but yeah try to make it easy all right thanks for staying guys I appreciate