If you need to download one, go to
https://www.offensive-security.com/kali-linux-vmware-arm-image-download/
Download the latest "Kali Linux 64 bit VM". When I did it (March, 2017) it was version 2016.2.
Unzip the .7z file and run it in VMware Player or Fusion.
cd /tmp
wget http://http.us.debian.org/debian/pool/main/y/yasm/yasm_1.2.0-2_amd64.deb
dpkg -i yasm_1.2.0-2_amd64.deb
So to write text to the console, we must do these things:
In a Terminal window, execute this command:
nano abc1.asm
Enter this code in the editor.
section .text
global _start
_start:
mov rax, 0x4142434445464748 ; 'ABCDEFGH'
push rax
mov rdx, 0x8 ; length of string is 8 bytes
mov rsi, rsp ; Address of string is RSP because string is on the stack
mov rax, 0x1 ; syscall 1 is write
mov rdi, 0x1 ; stdout has a file descriptor of 1
syscall ; make the system call
Save the file with Ctrl+X, Y, Enter.
Execute these commands to compile, link, and run the program:
yasm -f elf64 abc1.asm
ld -o abc1.out abc1.o
./abc1.out
The program prints out the letters in reverse order, because x86-64 is little-endian: the lowest byte of rax, 0x48 ('H'), is stored at the lowest stack address and is written first. It then crashes with a "Segmentation fault" message, because there is no exit call and execution runs past the end of the program's code, as shown below.
The Linux Syscall Table specifies the "exit" call as:
So to exit, we must do these things:
cp abc1.asm abc2.asm
nano abc2.asm
Add these lines at the bottom of the
program:
mov rax, 0x3c ; syscall 3c is exit
syscall ; make the system call
Save the file with Ctrl+X, Y, Enter.
Execute these commands to compile, link, and run the program:
yasm -f elf64 abc2.asm
ld -o abc2.out abc2.o
./abc2.out
The program prints out the letters in reverse order, and then exits normally, as shown below.
cp abc2.asm abc3.asm
nano abc3.asm
The 5th line of the program is:
mov rax, 0x4142434445464748 ; 'ABCDEFGH'
Change it to:
mov rax, 0x4847464544434241 ; 'ABCDEFGH' reversed
Save the file with Ctrl+X, Y, Enter.
Execute these commands to compile, link, and run the program:
yasm -f elf64 abc3.asm
ld -o abc3.out abc3.o
./abc3.out
The program prints out the letters in the correct order, and then exits normally, as shown below.
Save a whole-desktop image with a filename of "Proj 12a from YOUR NAME".
In a Terminal window, execute this command:
nano hello.asm
Enter this code in the editor.
section .data
string1 db "Hello World!",10 ; '10' at end is line feed
section .text
global _start
_start:
mov rdx, 0xd ; length of string is 13 bytes
mov rsi, dword string1 ; set rsi to pointer to string
mov rax, 0x1 ; syscall 1 is write
mov rdi, 0x1 ; stdout has a file descriptor of 1
syscall ; make the system call
mov rax, 0x3c ; syscall 3c is exit
syscall ; make the system call
Save the file with Ctrl+X, Y, Enter.
Execute these commands to compile, link, and run the program:
yasm -f elf64 hello.asm
ld -o hello.out hello.o
./hello.out
The program prints out the message,
as shown below.
In a Terminal window, execute this command:
nano read.asm
Enter this code in the editor.
section .data
string1 db "AAAABBBBCCX" ; 11-byte buffer; only the first 10 bytes are read and written below
section .text
global _start
_start:
mov rdx, 0xa ; length of string is 10 bytes
mov rsi, dword string1 ; set rsi to pointer to string
mov rax, 0x0 ; syscall 0 is read
mov rdi, 0x0 ; stdin has a file descriptor of 0
syscall ; make the system call
mov rdx, 0xa ; length of string is 10 bytes
mov rsi, dword string1 ; set rsi to pointer to string
mov rax, 0x1 ; syscall 1 is write
mov rdi, 0x1 ; stdout has a file descriptor of 1
syscall ; make the system call
mov rax, 0x3c ; syscall 3c is exit
syscall ; make the system call
Save the file with Ctrl+X, Y, Enter.
Execute these commands to compile, link, and run the program:
yasm -f elf64 read.asm
ld -o read.out read.o
./read.out
The program waits for input. Type APPLE and press Enter.
The program prints out "APPLE", followed by some extra characters, as shown below: write always sends 10 bytes, so the bytes of string1 that read did not overwrite are echoed too.
If we were programming students, the next step would be to clean this up: get rid of the extra characters, calculate the string length automatically, and so on.
But our goal is different, criticizing code and finding its exploitable weaknesses, so we'll move on to other things.
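To make the "extra characters" concrete, here is an added C model of read.asm (not code from the original page): a constructed fake_read stands in for the read syscall, and the two echo functions contrast the page's fixed 10-byte write with one that uses the byte count read returned.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for read(2): the page's "type APPLE and press Enter"
 * delivers the 6 bytes "APPLE\n". read() copies at most `want` bytes and
 * returns how many it copied; bytes of buf beyond that are left untouched. */
static size_t fake_read(char *buf, size_t want, const char *typed) {
    size_t n = strlen(typed);
    if (n > want) n = want;
    memcpy(buf, typed, n);
    return n;
}

/* Mirrors read.asm: write a fixed 10 bytes of string1 no matter how many
 * bytes read() returned (rax is simply overwritten with the write syscall
 * number). Whatever was in the buffer before is echoed back after the input. */
static size_t echo_like_read_asm(const char *typed, char out[11]) {
    char string1[12] = "AAAABBBBCCX";     /* same initial contents as the page */
    (void)fake_read(string1, 10, typed);  /* byte count discarded, as in read.asm */
    memcpy(out, string1, 10);             /* write(1, string1, 10) */
    out[10] = '\0';
    return 10;
}

/* Same flow, but the length handed to write() is the count read() returned,
 * so stale buffer bytes are never sent. */
static size_t echo_using_read_count(const char *typed, char out[11]) {
    char string1[12] = "AAAABBBBCCX";
    size_t n = fake_read(string1, 10, typed);
    memcpy(out, string1, n);
    out[n] = '\0';
    return n;
}
```

Typing APPLE gives "APPLE\n" followed by "BBCC", the untouched tail of the buffer; the same pattern in a real service would leak whatever the buffer held before.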
In a Terminal window, execute this command:
nano caesar.asm
Enter this code in the editor.
section .data
string1 db "AAAABBBB" ; Reserve space for 8 characters
section .text
global _start
_start:
mov rdx, 0x8 ; length of string is 8 bytes
mov rsi, dword string1 ; set rsi to pointer to string
mov rax, 0x0 ; syscall 0 is read
mov rdi, 0x0 ; stdin has a file descriptor of 0
syscall ; make the system call
mov rbx, dword string1 ; set rbx to pointer to string
mov rcx, [rbx] ; Put string value into rcx
add rcx, 0x0101010101010101 ; Add 1 to each byte, not fixing rollover
mov [rbx], rcx ; Put the modified bytes back into the string
mov rdx, 0x8 ; length of string is 8 bytes
mov rsi, dword string1 ; set rsi to pointer to string
mov rax, 0x1 ; syscall 1 is write
mov rdi, 0x1 ; stdout has a file descriptor of 1
syscall ; make the system call
mov rax, 0x3c ; syscall 3c is exit
syscall ; make the system call
Save the file with Ctrl+X, Y, Enter.
Execute these commands to compile, link, and run the program:
yasm -f elf64 caesar.asm
ld -o caesar.out caesar.o
./caesar.out
There's a warning message saying a value is too large to fit into a 32-bit field, but the program compiles.
The program waits for input. Type HELLO and press Enter.
The program prints out "IFMMO", followed by some extra characters, as shown below.
The program encrypted the first 4 letters, but not the "O".
Let's see what the assembler actually did.
objdump -d caesar.out
As shown below, the assembler encoded the "add" with a 32-bit immediate, which is sign-extended and added to rcx, not the 64-bit value we wanted.
Consulting the Intel 64 and IA-32 Architectures Software Developer's Manual, I found these ADD instructions:
That's hard to understand, but I think it means we can do a 64-bit add, but not with an immediate value. We need to use a register.
cp caesar.asm caesar2.asm
nano caesar2.asm
In the editor, change this line:
add rcx, 0x0101010101010101 ; Add 1 to each byte, not fixing rollover
To this:
mov r8, 0x0101010101010101 ; Put value in r8
add rcx, r8 ; Add using registers
Save the file with Ctrl+X, Y, Enter.
Execute these commands to compile, link, and run the program:
yasm -f elf64 caesar2.asm
ld -o caesar2.out caesar2.o
./caesar2.out
There's a warning message saying a value is too large to fit into a 32-bit field, but the program compiles.
The program waits for input. Type HELLO and press Enter.
The program prints out "IFMMP", as it should!
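An added C model of the register arithmetic behind abc1/abc3 and caesar/caesar2 (not code from the original page): u64_memory_bytes shows why the pushed value prints as "HGFEDCBA", bswap64 produces the constant abc3.asm uses, add_imm32 reproduces the truncated add the assembler emitted, and caesar8 applies either add to an 8-byte buffer, including the byte rollover the "not fixing rollover" comment warns about. Function names are my own.

```c
#include <stdint.h>
#include <string.h>

/* What `push rax` leaves on the stack in abc1.asm: the 8 bytes of the value
 * in memory order. x86-64 is little-endian, so the low byte 0x48 ('H') sits at
 * the lowest address and write(2) sends "HGFEDCBA". */
static void u64_memory_bytes(uint64_t v, char out[9]) {
    memcpy(out, &v, 8);
    out[8] = '\0';
}

/* The constant abc3.asm needs: the same bytes in reverse order, so that the
 * string reads "ABCDEFGH" when written from memory. */
static uint64_t bswap64(uint64_t v) {
    uint64_t r = 0;
    for (int i = 0; i < 8; i++) {
        r = (r << 8) | (v & 0xff);
        v >>= 8;
    }
    return r;
}

/* What the assembler silently did in caesar.asm: ADD r/m64 has no 64-bit
 * immediate form, only a 32-bit immediate that is sign-extended, so only the
 * low four bytes of rcx are changed. */
static uint64_t add_imm32(uint64_t rcx, int32_t imm) {
    return rcx + (uint64_t)(int64_t)imm;
}

/* caesar2.asm: a register-to-register add touches all eight bytes. There is
 * still no per-byte carry handling: a byte holding 0xFF rolls over to 0x00
 * and bumps its neighbour (the "not fixing rollover" caveat in the source). */
static uint64_t add_reg64(uint64_t rcx, uint64_t r8) {
    return rcx + r8;
}

/* Apply the shift to an 8-byte buffer in place, as caesar.asm does via rbx.
 * full_64bit selects the caesar2.asm register add over the truncated one. */
static void caesar8(char buf[9], int full_64bit) {
    uint64_t rcx;
    memcpy(&rcx, buf, 8);                     /* mov rcx, [rbx] */
    rcx = full_64bit ? add_reg64(rcx, 0x0101010101010101ULL)
                     : add_imm32(rcx, 0x01010101);
    memcpy(buf, &rcx, 8);                     /* mov [rbx], rcx */
    buf[8] = '\0';
}
```

With the page's input, the buffer after read holds "HELLO\nBB"; the truncated add yields "IFMMO\nBB" (only four bytes shifted) and the register add yields "IFMMP" followed by a vertical tab and "CC".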
Save a whole-desktop image with a filename of "Proj 12b from YOUR NAME".
Email the images to cnit.127sam@gmail.com with a subject of "Project 12 from YOUR NAME".
Intel 64 and IA-32 Architectures Software Developer's Manual