# NCS Lab 7 - Understanding Assembly ### Mariia Charikova, BS17-SB https://hackmd.io/@XsGV1RJ6STGl3obcJTPDxQ/rJgl2AdrU - link to HackMD if any of screenshots is not readable in pdf. ## Preparation I have done this assignment on Ubuntu 18.04.3 Virtual Machine. I have choosen **radare2** disassembler because it requires no GUI and it is faster to work on console VM rather than on VirtualBox. ## Theory ### What is ASLR, and why do we need it? ASLR - Address Space Layout Randomization - is a computer security technique which involves randomly positioning the base address of an executable and the position of libraries, heap, and stack, in a process's address space. </br> The random mixing of memory addresses performed by ASLR means that an attack no longer knows at what address the required code is actually located. ASLR attempts to make it more challenging to exploit existing vulnerabilities.
 ### How can the debugger insert a breakpoint in the debugged binary/application? Debugger modifies the program in the RAM. It inserts special instructions at the points which were marked as breakpoints and when this instruction is executed, the debugger intercepts the program execution and stops it. ## Reversing #### Disable ASLR using the following command “sudo sysctl -w kernel.randomize_va_space=0” ``` ubuntu@ip-172-31-37-110:~$ sudo sysctl -w kernel.randomize_va_space=0 ``` Output: ``` kernel.randomize_va_space = 0 ``` #### Load the binaries into a disassembler/debugger ``` r2 -A sample32 ```  ``` r2 -A sample64 ```  ``` r2 -A sample64-2 ```  #### Does the function prologue and epilogue differ in 32bit and 64bit? Both prologue and epilogue are differ in 32bit and 64bit: x32 prologue  x64 prologue  x32 epilogue  x64 epilogie  #### Does function calls differ in 32bit and 64bit? What about argument passing? ##### 32Bit: CDECL is the common calling convention which states: * Function arguments are passed on the stack, in right-to-left order. * Function result is stored in **EAX/AX/AL** * Floating point return values will be returned in **ST0** There are others calling conventions: STDCALL, FASTCALL, THISCALL, but CDECL is the standard. ##### 64Bit: Calling conventions are different for each platform, but they are similar to FASTCALL - arguments are passed using registers if they can, and only after that the stack is using. Registers that are used in arguments passing: **%rdi, %rsi, %rdx, %rcx, %r8, %r9** (integers) **%xmm0 - %xmm7** (floats) - AMD64 **%rcx, %rdx, %r8, %r9** (integers) **%xmm0 - %xmm3** (floats) - Windows #### What does the command ​ldd ​do? “ldd BINARY-NAME” **ldd <file>** prints the shared objects (shared libraries) required by each program or shared object specified on the command line. In other words, it shows executable dependencies. #### Why in the “sample64-2“ binary, the value of ​i​ didn’t change even if our input was very long? Here is the assembly code from its **sample_function**:  Function **gets** (which is called in this code) is unsafe because it does not check the size of the input. In case that the input is too long, this will cause *stack overflow error*. If I run *sample64* and input a string equal to some length which is bigger than buffer size, it will be overwritten because of stack overflow - the reason is that this variable is declared after the buffer.  If I run *sample64-2* and input a string equal to some length which is bigger than buffer size, it will not be overwritten because it is declared before the buffer.  ## References * manual * https://readthedocs.org/projects/radare2s-website/downloads/pdf/latest/ * https://blog.morphisec.com/aslr-what-it-is-and-what-it-isnt/ * https://en.wikipedia.org/wiki/X86_calling_conventions#x86-64_calling_conventions * https://en.wikibooks.org/wiki/X86_Assembly/High-Level_Languages#STDCALL