Assembly Language for Beginners
5.1. IDENTIFICATION OF EXECUTABLE FILES Marketing ver. Internal ver. CL.EXE ver. DLLs imported Release date 6 6.0 12.00 msvcrt.d ...
5.1. IDENTIFICATION OF EXECUTABLE FILES W?method$_class$n__v 5.1.5 Borland. Here is an example of Borland Delphi’s and C++Builde ...
5.2 Communication with outer world (function level) 000005e0 00 00 00 00 46 06 53 79 73 74 65 6d 03 00 ff ff |....F.System....| ...
5.3. COMMUNICATION WITH THE OUTER WORLD (WIN32) If we are talking about a video game and we’re interested in which events are mo ...
5.4 Strings For example, let's see what the uptime utility from cygwin uses: tracer -l:uptime.exe --one-time-INT3-bp:cygwin ...
5.4. STRINGS Borland Delphi The string in Pascal and Borland Delphi is preceded by an 8-bit or 32-bit string length. For example ...
5.4. STRINGS Figure 5.2: FAR: UTF-8 As you can see, the English language string looks the same as it is in ASCII. The Hungarian l ...
5.4. STRINGS We can see this often in Windows NT system files: Figure 5.4: Hiew Strings with characters that occupy exactly 2 bytes ...
5.4. STRINGS Figure 5.6: FAR: UTF-16LE Here we can also see the BOM at the beginning. All Latin characters are interleaved with a z ...
5.4. STRINGS Base64 is often used when binary data needs to be stored in XML. “Armored” (i.e., in text form) PGP keys and signat ...
5.4. STRINGS diffie-hellman-group-exchange-sha256 digests D$iPV direct-streamlocal
[email protected]
FFFFFFFFFFFFFF ...
5.5 Calls to assert(). Sometimes, such strings are encoded using base64. So it’s a good idea to decode them all and to scan them ...
5.6. CONSTANTS That may help to distinguish some signal from a signal where all bits are turned on (0b1111 ...) or off (0b0000 . ...
5.6. CONSTANTS Stuxnet uses the number “19790509” (not as 32-bit number, but as string, though), and this led to speculation t ...
5.7 Finding the right instructions 5.6.2 Specific constants. Sometimes, there is a specific constant for some type of code. For ...
5.8 Suspicious code patterns. PID=32852|TID=36488|(0) 0x2f40e91b (Excel.exe!BASE+0x11e91b) EAX=0x00598006 EBX=0x00598018 ECX=0x0 ...
5.8. SUSPICIOUS CODE PATTERNS This operation is rare in common programming, but widespread in cryptography, including amateur on ...
5.9 Using magic numbers while tracing Often, our main goal is to understand how the progr ...
5.10. LOOPS 0x45a70d e= 258 [MOV EDX, [EBP-18h]] [EBP-18h]=0..5 (248 items skipped) 0xfd..0x101 0x45a710 e= 258 [MOVZX EAX, [EAX ...
5.10. LOOPS Arrays Sometimes, we can clearly spot an array of 16/32/64-bit values visually, in hex editor. Here is an example of ...