My_Partner's : Zer03s | Nofia | Myw1sd0m | IT-Rc |
-------------------------------------------------------------------------------------------------------------------------------

Inline Assembly in C programning languange

now we will share how to inline assembly programing language in C programing . This tutorial's made by Mywisdom,  so let's see the example here : 

code :
#include <stdio.h>
#v3n0m.c
#coding by: mywisdom
int main()
{
__asm__ ("xor %eax, %eax\n\t"
        "mov $0x1,%al\n\t"
        "xor %ebx,%ebx\n\t"
        "int $0x80");
}
 example, suppose there is assembly code using the syscall number 1 (exit function):

code : 
[SECTION .text]
global _start
_start:
        xor eax, eax
        mov al,1
        xor ebx,ebx
        int 0x80
  explanation of the asm code above :
xor eax, eax  : means exclusive or eax eax with the result eax is 0 (zero) -> syscall exit requirement.

mov al, 1  : move 1 to the register al is a condition called syscall number 1 (exit) .

xor ebx, ebx  : exclusive or ebx with the result becomes zero -> the terms exit syscall .

int 80h  : is the interrupt number in the typical linux syscall to execute (eg. if the DDoS int 21h).

for gcc inline, asm code must be convert first from intel asm to asm AT&T as follows:
AT&T;


code :
 xor %eax, %eax
        mov $0x1,%al
        xor %ebx,%ebx
        int $0x80
 then for make the inline asm code should start from this syntax:

code :
__asm__ ( "type asm code here"); 
 in this bellow are example insertion asm AT&T above to the C programing language eg. name v3n0m.c

code :
#include <stdio.h>
#v3n0m.c
#coding by: mywisdom
int main()
{
__asm__ ("xor %eax, %eax\n\t"
        "mov $0x1,%al\n\t"
        "xor %ebx,%ebx\n\t"
        "int $0x80");
}
 then compile the code above :

code : 
gcc -o v3n0m v3n0m.c
Testing program :
run dg:
./v3n0m
(immediate exit, because call syscall exit) 

reverse engineering - introduction to assembly program languange

lets continue our tutorial on reverse engineering. Today i will share to you assembly language basic that are necessary for learning reverse engineering. As we all know assembly language is very important for reverse engineering and we must know, what are registers and which register serves for what. How the assembly language instruction work and how can we relate them with normal high language coding( C, JAVA, VB, etc.)  to hack any software. So friends, lets start our reverse engineering part 2.



What is Assembly language?

Assembly language is a low level or simply called machine language made up of machineinstructions. Assembly language is specific to processor architecture example different for x86 architecture than for SPARC architecture. Assembly language consist of assembly instructions and CPU registers. i means I will explain my tutorial considering x86 architecture... Ahhha... From where i start explaining to you ... assembly language is too big topic... I think i have to tell only what you need for reverse engineering.. So i start from CPU registers.



CPU registers - Brief Introduction:



First of all what are registers? Most of Computer Engineering and Electronics Engineering guys knows about them but for others, Registers are small segments of memory inside CPU that are used for storing temporary data. Some registers have specific functions, others are just use for some generaldata storage. I am considering that you all are using x86 machines. There are two types of processors32 bit and 64 bit processors. In a 32 bit processor, each register can hold 32 bits of data. On the other hand 64 bit register can hold 64 bit data. I am explaining this tutorial considering that we are using 32 bit processors.
There are several registers but for Reverse engineering we are only interested in general purpose registers. We are interested in only 9 General purpose registers namely:

  • EAX
  • EBX
  • ECX
  • EDX
  • ESI
  • EDI
  • ESP
  • EBP
  • EIP

All these registers serves for different purposes. So I will start explaining all of them one by one for a more clear and accurate understanding of register concepts. I am putting more strain on these because these registers are called heart of reverse engineering.

EAX register is accumulator register which is used to store results of calculations. If any function returns a value its stored into EAX register. We can access EAX register using functions to retrieve the value of EAX register.
Note: EAX register can also be used for holding normal values regardless of calculations too.


The EDX is the data register. It’s basically an extension of EAX to assist it in storing extra data for complex operations. It can also be used for general purpose data storage.

The ECX, also called the count register, is used for looping operations. The repeated operations could be storing a string or counting numbers.

The ESI and EDI relied upon by loops that process data. The ESI register is the source index for data operation and holds the location of the input data stream. The EDI points to the location where the result of data operation is stored, or the destination index.

ESP is the stack pointer, and EBP is the base pointer. These registers are used for managing function calls and stack operations. When a function is called, the function’s arguments are pushed on the stack and are followed by a return address. The ESP register points to the very top of the stack, so it will point to the return address. EBP is used to point to the bottom of the call stack.

EBX is the only register that was not designed for anything specific. It can be used for extra storage.
EIP is the register that points to the current instruction being executed. As the CPU moves through the binary executing code, EIP is updated to reflect the location where the execution is occurring.
The 'E' at the beginning of each register name stands for Extended. When a register is referred to by its extended name, it indicates that all 32 bits of the register are being addressed.  An interesting thing about registers is that they can be broken down into smaller subsets of themselves; the first sixteen bits of each register can be referenced by simply removing the 'E' from the name. For example, if you wanted to only manipulate the first sixteen bits of the EAX register, you would refer to it as the AX register. Additionally, registers AX through DX can be further broken down into two eight bit parts. So, if you wanted to manipulate only the first eight bits (bits 0-7) of the AX register, you would refer to the register as AL; if you wanted to manipulate the last eight bits (bits 8-15) of the AX register, you would refer to the register as AH ('L' standing for Low and 'H' standing for High).

Introduction to Memory and Stacks:

There are three main sections of memory:

1. Stack Section - Where the stack is located, stores local variables and function arguments.

2. Data Section - Where the heap is located, stores static and dynamic variables.

3. Code Section - Where the actual program instructions are located.

The stack section starts at the high memory addresses and grows downwards, towards the lower memory addresses; conversely, the data section (heap) starts at the lower memory addresses and grows upwards, towards the high memory addresses. Therefore, the stack and the heap grow towards each other as more variables are placed in each of those sections. I have shown that in below Figure..

 Some Essential Assembly Instructions for Reverse Engineering:



InstructionExample         Description
push    push eaxPushes the value stored in EAX onto the stack
poppop eaxPops a value off of the stack and stores it in EAX
callcall 0x08abcdefCalls a function located at 0x08abcdef
movmov eax,0x5Moves the value of 5 into the EAX register
subsub eax,0x4Subtracts 4 from the value in the EAX register
addadd eax,0x1Adds 1 to the value in the EAX register
incinc eaxIncreases the value stored in EAX by one
decdec eaxDecreases the value stored in EAX by one
cmpcmp eax,edxCompare values in EAX and EDX; if equal set the zero flag* to 1
testtest eax,edxPerforms an AND operation on the values in EAX and EDX; if the result is zero, sets the zero flag to 1
jmpjmp 0x08abcdeJump to the instruction located at 0x08abcde
jnzjnz 0x08ffff01Jump if the zero flag is set to 1
jnejne 0x08ffff01Jump to 0x08ffff01 if a comparison is not equal
andand eax,ebxPerforms a bit wise AND operation on the values stored in EAX and EBX; the result is saved in EAX
oror eax,ebxPerforms a bit wise OR operation on the values stored in EAX and EBX; the result is saved in EAX
xorxor eax,eaxPerforms a bit wise XOR operation on the values stored in EAX and EBX; the result is saved in EAX
leaveleaveRemove data from the stack before returning
retretReturn to a parent function
nopnopNo operation (a 'do nothing' instruction)

*The zero flag (ZF) is a 1 bit indicator which records the result of a cmp or test instruction



Each instruction performs one specific task, and can deal directly with registers, memory addresses, and the contents thereof. It is easiest to understand exactly what these functions are used for when seen in the context of a simple hello world program and try to relate assembly language with high level language such as C language.


Here is simple C program that displays Hello World:


int main(int argc, char *argv[])                    {                     printf("Hello World!\n");                 return 0;           }     
Save this program as helloworld.c and compile it with 'gcc -o helloworld helloworld.c'; run the resulting binary and it should print "Hello World!" on the screen and exit. Ahhah... It looks quite simple. Now let's look how it will look in assembly language.


0x8048384     push ebp                      <--- Save the EBP value on the stack
0x8048385     mov ebp,esp               <--- Create a new EBP value for this function
0x8048387     sub esp,0x8                 <---Allocate 8 bytes on the stack for local variables
0x804838a     and esp,0xfffffff0          <---Clear the last byte of the ESP register
0x804838d     mov eax,0x0                 <---Place a zero in the EAX register
0x8048392     sub esp,eax                  <---Subtract EAX (0) from the value in ESP
0x8048394     mov DWORD PTR [esp],0x80484c4     <---Place our argument for the printf() (at address 0x08048384) onto the stack
0x804839b     call 0x80482b0 <_init+56>                     <---Call printf()
0x80483a0     mov eax,0x0                 <---Put our return value (0) into EAX
0x80483a5     leave                              <---Clean up the local variables and restore the EBP value
0x80483a6     ret                                  <---Pop the saved EIP value back into the EIP register


As you can easily figure out these instructions are similar to that of C program. You can easily note that flow of program is same. Off course it will be same as its a assembly code of same binary (exe) obtained from executing above C program.

Learning Basic of reverse engineering


What is Reverse Engineering?

Have you ever noticed, Nokia or Iphone made an application and after few days you find that on Samsung or any other mobile device. Its nothing that difficult, its called reverse engineering. They decode their programs to get the basic structure of the original program and then following the structure codes their own and sometimes doesn't even happen just make some code changes and uses them.
According to Wikipedia "Reverse engineering is the process of discovering the technological principles of a device, object or system through analysis of its structure, function and operation. It often involves taking something (e.g., a mechanical device, electronic component, biological, chemical or organic matter or software program) apart and analyzing its workings in detail to be used in maintenance, or to try to make a new device or program that does the same thing without using or simply duplicating (without understanding) the original".

Ahh.. more technology related. I will explain you in better way. As the name suggest reverse engineer means if have something already made, in computer field say exe installer file. Now what reverse engineering is, decoding the exe in such as fashion that we will get original source code or some what near to it. Consider an example, you have a wall made of bricks, here bricks are base material to build the wall. Now what we want to do is we want to obtain all the bricks from the wall. Similarly we have an executable or dll file and we know programs are made from coding only, so source codes are base material in building executable. So we want to obtain the source code from the executable or some what near to it. As when you break wall also to get the bricks some bricks are also got broken and that's all depend type of material used to fix or mend bricks to make the wall. Similarly the retrieval of source code from executable depends upon how securely software is being packed and type of cryptography or packer is used by its designer.

I hope now you have got what exactly reverse engineering is.



What is the use or benefit of Reverse Engineering?

I can guarantee most of internet users use cracks or keygens or patches. Have you ever tried to understand how they are made. Ahhh... I know you haven't. So let me give you clear information. All the keygens or cracks or patches of software's are made by technique called Reverse Engineering. Oops... I was going to tell the benefits.. what i am telling...negative features... But these are features of reverse engineering my friends and most commonly used by all famous organizations as its a part of their Program promoting methodolgy.

Other Beneficial Uses of Reverse Engineering:

  • Product analysis: To examine how a product works
  • Removal of copy protection, circumvention of access restrictions.
  • Security auditing.
  • Extremely useful when you lost documentation.
  • Academic/learning purposes.
  • Competitive technical intelligence (understand what your competitor is actually doing, versus what they say they are doing).
  • Last but not the least..Learning: learn from others' mistakes. Do not make the same mistakes that others have already made and subsequently corrected.

Common Terms Used in Reverse Engineering:

1. Debugger
2. Deassembler
3. Decompiler
4. Packers or Unpackers
5. Program Obfuscation
6. Hex Editing
7. Cryptography

I will explain these terms in detail in my next article. Till then you can explore these topics on internet so that you will have some prior knowledge of Reverse Engineering terms.

Note: Reverse Engineering articles will going to be more advanced and technology oriented which surely requires prior knowledge of Assembly language specially registers and accumulators and several reverse engineering commands like JMP, DCL etc..

Writing PolicyKit applications without D-Bus - Python Script

I'm always happy when more libraries get Python bindings, and today I've been especially excited by the fact that GObject introspection support for PolicyKit has finally appeared in Natty repositories. Basically it means, that PolicyKit is now accessible from Python through a native API without direct D-Bus communication. I've tried to port the querying example from PolicyKit manual and it did work!

The Python example below is an almost line-by-line port of the original, but it should give you a basic idea on how to use the API for your own scripts.
#! /usr/bin/env python

import sys, os
from gi.repository import GObject, Gio, Polkit

def on_tensec_timeout(loop):
  print("Ten seconds have passed. Now exiting.")
  loop.quit()
  return False

def check_authorization_cb(authority, res, loop):
    try:
        result = authority.check_authorization_finish(res)
        if result.get_is_authorized():
            print("Authorized")
        elif result.get_is_challenge():
            print("Challenge")
        else:
            print("Not authorized")
    except GObject.GError as error:
         print("Error checking authorization: %s" % error.message)
        
    print("Authorization check has been cancelled "
          "and the dialog should now be hidden.\n"
          "This process will exit in ten seconds.")
    GObject.timeout_add(10000, on_tensec_timeout, loop)

def do_cancel(cancellable):
    print("Timer has expired; cancelling authorization check")
    cancellable.cancel()
    return False

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: %s " % sys.argv[0])
        sys.exit(1)
    action_id = sys.argv[1]

    mainloop = GObject.MainLoop()
    authority = Polkit.Authority.get()
    subject = Polkit.UnixProcess.new(os.getppid())

    cancellable = Gio.Cancellable()
    GObject.timeout_add(10 * 1000, do_cancel, cancellable)

    authority.check_authorization(subject,
        action_id, #"org.freedesktop.policykit.exec",
        None,
        Polkit.CheckAuthorizationFlags.ALLOW_USER_INTERACTION,
        cancellable,
        check_authorization_cb,
        mainloop)

    mainloop.run() 


In order to run this example, make sure you have the gir1.2-polkit-1.0 package installed and provide an action in the command line, for example:

./polkit-test org.freedesktop.policykit.exec

I suppose, the API is still a little rough on the edges, but it's already usable and I'm going to try it for an upcoming D-Bus service in indicator-cpufreq. Looks like it's perfect time to start moving things to GObject introspection already.

syn and Ping Flood Protect - Python Script



simple code to protect your system from syn flood and ping flood attack..
auth0r: JimmyR.D