Wednesday, January 9, 2013

Right to disassemble.

In the last article, I talked about looking at programs and disassembling them. What is that really all about? Let us take the very simple program hw and run it.

$ ./hw
Hello world!
$

The program hw printed out the famous "Hello world!". We can understand that, but let's look at what the computer sees when it runs that program.

$ cat hw
� �̀Hello world! ( ���� �����
.shstrtab.text.data
� eddie@oedt01:~$ ��" ���

Obviously garbage. At this point we cannot really use that output for our needs. Remember I talked about a disassembler? It turns that gobbledygook into something a programmer can read. Let's try it.

$ objdump -D hw

hw:     file format elf32-i386


Disassembly of section .text:

08048080 <.text>:
 8048080:    b8 04 00 00 00           mov    $0x4,%eax
 8048085:    bb 01 00 00 00           mov    $0x1,%ebx
 804808a:    b9 a4 90 04 08           mov    $0x80490a4,%ecx
 804808f:    ba 0d 00 00 00           mov    $0xd,%edx
 8048094:    cd 80                    int    $0x80
 8048096:    b8 01 00 00 00           mov    $0x1,%eax
 804809b:    bb 00 00 00 00           mov    $0x0,%ebx
 80480a0:    cd 80                    int    $0x80

Disassembly of section .data:

080490a4 <.data>:
 80490a4:    48                       dec    %eax
 80490a5:    65                       gs
 80490a6:    6c                       insb   (%dx),%es:(%edi)
 80490a7:    6c                       insb   (%dx),%es:(%edi)
 80490a8:    6f                       outsl  %ds:(%esi),(%dx)
 80490a9:    20 77 6f                 and    %dh,0x6f(%edi)
 80490ac:    72 6c                    jb     0x804911a
 80490ae:    64 21 0a                 and    %ecx,%fs:(%edx)


It still seems cryptic, but you can now make out individual machine instructions. The .text section is the program, and the .data section is what we want to print. The two tie together through the registers: on 32-bit Linux, int $0x80 asks the kernel for a system call, with %eax selecting the call and %ebx, %ecx and %edx carrying its arguments. So %eax = 4 (write), %ebx = 1 (standard output), %ecx = 0x80490a4 (the address of .data) and %edx = 0xd (13 bytes) write our string, and the second int $0x80 with %eax = 1 (exit) and %ebx = 0 ends the program with status 0.

Wait a minute, you say, I do not see "Hello world!" anywhere. No problem. "Hello world!" is stored as ASCII, shown here in hexadecimal; I talked before about how the computer encodes characters. The 13 bytes at 0x80490a4 are 48 65 6c 6c 6f 20 77 6f 72 6c 64 21 0a, the last one being the newline. Ignore the instructions objdump printed on the right hand side of the .data listing: -D disassembles every section whether or not it holds code, and the bytes of a string look like instructions to it because nothing in the bytes themselves says which is which. How can we prove those are the right characters? We can use a bit of shell to translate the string into hexadecimal ourselves (single quotes keep an interactive bash from treating the ! as a history reference, and leaving off -n lets echo supply the trailing newline the program writes).

$ echo 'Hello world!' | od -A n -t x1 | sed 's/ /\\x/g'
\x48\x65\x6c\x6c\x6f\x20\x77\x6f\x72\x6c\x64\x21\x0a

Notice that the hexadecimal bytes from the pipeline are the same as the ones on the left hand side of the .data listing, and that there are 13 of them, matching the 0xd loaded into %edx. So the data is there. Maybe one of these days I will go into more detail, but that is all for now.
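To tie the two listings together, here is an added example (my own code, not part of the original post or the hw program) that does by hand what we just did with objdump and od: it decodes the raw bytes of .text, replays the register loads, and recovers the write()/exit() calls and the string they point at. The byte strings are copied from the objdump listing above and are therefore constructed input; the hw binary itself is not on this page. Only the two opcodes the program uses are decoded (B8+r mov imm32 and CD ib int), and the syscall numbers are the standard 32-bit Linux ones.

```python
#!/usr/bin/env python3
"""Decode the hw binary's .text and .data bytes by hand.

Added example, not code from the original post.  TEXT and DATA are
copied from the objdump listing (constructed input); the decoder only
knows the two opcodes hw uses.
"""
import struct

TEXT_ADDR = 0x08048080
TEXT = bytes.fromhex(
    "b804000000" "bb01000000" "b9a4900408" "ba0d000000" "cd80"
    "b801000000" "bb00000000" "cd80"
)
DATA_ADDR = 0x080490a4
DATA = bytes.fromhex("48656c6c6f20776f726c64210a")

# Register order encoded in the low 3 bits of the B8+r opcode.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# 32-bit Linux syscall numbers used by hw (selected through %eax).
SYSCALLS = {1: "exit", 4: "write"}


def decode(code, base):
    """Yield (address, mnemonic, operands) for the opcodes we handle."""
    off = 0
    while off < len(code):
        op = code[off]
        if 0xB8 <= op <= 0xBF:          # mov imm32 -> reg
            imm = struct.unpack_from("<I", code, off + 1)[0]
            yield base + off, "mov", (REGS[op - 0xB8], imm)
            off += 5
        elif op == 0xCD:                # int imm8
            yield base + off, "int", (code[off + 1],)
            off += 2
        else:
            raise ValueError(f"unhandled opcode {op:#x} at {base + off:#x}")


def emulate(code, base, data, data_base):
    """Replay the movs into a register file and log each int 0x80 as a
    syscall (%eax = number, %ebx/%ecx/%edx = first three arguments).
    For write(), pull the buffer out of .data using %ecx and %edx."""
    regs = {r: 0 for r in REGS}
    calls = []
    for _addr, mnem, ops in decode(code, base):
        if mnem == "mov":
            regs[ops[0]] = ops[1]
        elif mnem == "int" and ops[0] == 0x80:
            name = SYSCALLS.get(regs["eax"], f"sys_{regs['eax']}")
            args = (regs["ebx"], regs["ecx"], regs["edx"])
            buf = None
            if name == "write":
                start = regs["ecx"] - data_base
                buf = data[start:start + regs["edx"]]
            calls.append((name, args, buf))
            if name == "exit":
                break
    return calls


def hexdump(b):
    """Render bytes the way the od | sed pipeline does: \\x48\\x65..."""
    return "".join(f"\\x{x:02x}" for x in b)


if __name__ == "__main__":
    for addr, mnem, ops in decode(TEXT, TEXT_ADDR):
        print(f"{addr:08x}: {mnem} {ops}")
    for name, args, buf in emulate(TEXT, TEXT_ADDR, DATA, DATA_ADDR):
        tail = "" if buf is None else f" -> {buf!r} = {hexdump(buf)}"
        print(f"{name}{args}{tail}")
```

The addresses decode() produces (0x8048080, 0x8048085, ...) line up with the objdump listing, and emulate() reports write(1, 0x80490a4, 13) with the buffer b'Hello world!\n' followed by exit(0). Feeding DATA to decode() instead raises ValueError at the first byte, 0x48, which is the mirror image of the problem objdump -D has: a linear sweep disassembler cannot tell code from data, it only renders whatever bytes it is handed, so the .data section's "dec %eax / insb / outsl" lines are an artifact of the tool, not instructions the program ever runs.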


Update: Windows RT's limitations have been overcome with the knowledge of assembly language. Apparently Microsoft is a company that only wants you to use equipment the way they want you to, not the way you want to.
More details:
http://hackaday.com/2013/01/09/unsigned-code-running-on-windows-rt/
https://surfsec.wordpress.com/2013/01/06/circumventing-windows-rts-code-integrity-mechanism/
