-
Vm0wd2Qy
This article will be about two encodings/interpretations of binary: ASCII and Base64. ASCII is an 8-bit (debatable, I know, but go with it) character encoding, and Base64 is a 6-bit character encoding. Conversions can be made between them: not too interesting. This post is more about a string like "Vm0wd2Qy": [2nd command is just there to add a graceful newline] The decoded version is smaller, but that's it; this transformation was not as dramatic as the first example. Continue reading →
-
Assembly is Too High Level - Subtracting by Comparing - Propeller
If you're familiar with x86, you'd know that a CMP (compare) instruction is the same as a SUB (subtract) instruction, except that the destination operand is not written to. In other words, CMP is like a subtract, it just doesn't write the value when done (but it does set all of the flags that a subtract would). So CMP is used preceding conditional jumps, as conditional jumps base their conditions on the flags. Continue reading →
-
Assembly is Too High-Level - AAD-AAM, Even the Math is Too High-Level
Oh boy, I love seeing words like these! Even though this post will focus on the AAD instruction, this applies to the below two instructions: I particularly love this one, because we get to see an illustration of abstractions being misleading on a few levels (assembly being too abstract, and even a mathematical formula being used too abstractly). I'm about to get all kinds of philosophical up in here! Continue reading →
-
Assembly is Too High Level - Propeller NOPs, like if never
This post is not about x86/64; as the title goes, this is about the Propeller architecture. But first, here's some x86 (hahaha): Note that if you encode the XCHG instruction with EAX, EAX, it would just be 0x90, the exact same machine code as: Sorry to have to put everyone through so much x86 for a Propeller post, but I think there's a very strong likeness here; the Propeller chip also does not have dedicated machine code for the NOP. Continue reading →
-
Obscure FISTing
In the realm of assembly obfuscations, this isn't extremely high in complexity. This is me finding an excuse to use the "FIST" instruction. In the context of the PoC, it is being used as a decoder for some encoded shellcode. Before going into the super technical details, below is a video of the PoC in action. [www.youtube.com/watch](https://www.youtube.com/watch?v=e-14WFLCl-M) Floaters: Let's talk about floating point numbers (as they apply to x86). Continue reading →
-
Assembly Is Too High Level - Undocumented Code Exploration
With an assembler, your code gets assembled into machine code. All valid assembly instructions should be translated to corresponding machine code bytes. But in reverse, not every possible byte sequence is something that can be produced from assembly source. There are a few categories of reasons for this: Reason 1: Simple redundancies. XOR EAX, EAX can easily be represented as bytes 31c0 or 33c0. Both are equally valid; the second encoding only exists because of some redundancy of the ModR/M byte. Continue reading →
-
Assembly Is Too High-Level - Full Offsets
This is one of those times where I get kind of annoyed that what I tell my 'high-level' language gets 'interpreted' for me, because it knows better. I feel this post may be slightly less arbitrary than the rest, in the sense that the machine-level hack covers something that you should be able to use, but depending on your assembler, may not be able to. Be prepared for a deep dive into ModR/M + SIB with all the Mod and gratuitous binary. Continue reading →
-
Assembly Is Too High-Level - OP REG,imm redundancies
About a week ago I came across one of Ange's pages (https://code.google.com/p/corkami/wiki/x86oddities?wl=en). Before that point I only knew him as a major contributor to my favorite zine (PoC||GTFO) and author of some very useful technical info-graphics; his ELF diagram jump-started my ability to create my m2elf.pl script. Looking at his x86 oddities page, it looks like we have independently crossed streams on some of our research. There are a couple of nuggets on his page that slipped past my radar when reading the Intel manual. Continue reading →
-
Assembly Is Too High-Level - Better Call SAL
When it comes down to it, this is logically true. But it seems like everything tries to sweep SAL under the rug, therefore: I WANT! I get it, it's the same thing. And for the record, I verified that they operate exactly the same, down to the eflags being set identically. Let's try to use a SAL instruction: Now we verify everything works identically by looking at this in a debugger: Continue reading →
-
How to Machine
I've been making a few posts on how I find situations where assembly language would be too high-level, almost to the point of evangelizing it. However, I realized that I have not yet gone into any kind of explanation of exactly what tricks I am using to directly code in machine code. There are actually a few ways this can be done. I will explain two of them. There are pros and cons to each. Continue reading →
-
Bass + Computer
Summary: While I was at the NYC 2600 this month (September), I was talking with someone involved in chiptunes and it reminded me of one of my 'secret' projects that I somehow forgot to mention more publicly. This was a project that I put together all the way back in 2008/2009 (hardware/software respectively). Pretty much all of my friends know that I did this, but I still never really made it 'public'. Continue reading →
-
Assembly Is Too High-Level - Consistent Instruction Sizes
YES! I want that. I want ALL my instructionz to be 15 bytes. Forget that this part of the manual is talking about AVX instructions, I don't care about that; I just want 15-byte instructions, so when I look at machine code in a debugger, it doesn't look all jagged and ugly. What do I mean by ugly? The below code is just a PoC that launches /bin/sh with the execve() syscall (like a lot of my weird PoCs). Continue reading →
-
8ball can now speedball
As I'm preparing to give a talk on automated regular expression denial of service methods and defenses at DefCon 23 this week, I beefed up part of 8ball (a tool demonstrated at DefCon 22 last year) to be able to incorporate RE:DoS. 8ball is a script that parses a txt file list of snort/suricata rules and makes a corresponding packet for each rule (which it then sends to a target host). The piece of this script that just got updated was the pcre parser. Continue reading →
-
Assembly Is Too High-Level - Shell with 178 ADDs and 1 JMP
While the discussion that will follow can all be done exclusively in assembly language, the fun stuff is happening with an understanding of the machine language component. Also, this general obfuscation trick is not a completely new one; it's just my flavor of it. AddShell: I wrote a program that I called "AddShell". It is very simple; when run, you are in /bin/sh. The below screenshot shows me first checking that I am currently in the bash shell; I run 'ps -p $$' to see what shell I am in. Continue reading →
-
I GOTO
I wrote code with a GOTO in it. It has been multiple decades since the last time I did this, when I was stuck using 'lined-BASIC' in the early to mid 90's. And you know what, I don't care. I could have done this code without a goto if I refactored it a little bit, but I don't care. I think even the anti-goto code hipsters would agree that the argument isn't about performance. Continue reading →
-
2K of RAM
Background: This is an old picture I found from around early 2001. In the 2nd semester of my degree we were given lots of components in our 'lab kit.' One of these components was a static 2k RAM chip. I later found out that we were never intended to actually use this chip for class...too little time for such a complicated chip or something... But to me, this was the most interesting chip (maybe because it had the most pins, who knows). Continue reading →
-
Unimpressive Presentation Software
I call it unimpress. It's terminal-only presentation software. It's a perl script that uses ncurses. So it has "window borders," "colors," "text formatting," "animations," "slide transitions," and many other things I could put in "quotes." Continue reading →
-
Assembly Is Too High-Level - Fences
I like to find any opportunity that I can to write completely valid machine code that would not be produced by an assembler. When it comes down to it, that's mostly the theme of what I'm trying to capture in this series of "Assembly Is Too High-Level" posts. This post is no exception. Let's talk about fences: lfence [image not available] Keep that machine code in mind while we write these instructions in assembly and view them in the debugger: Continue reading →
-
Assembly Is Too High-Level - Redundant Machine-Code - Adventures of ModR-M, SIB, and REX
There are many ways in which an assembly instruction can be encoded into different machine code. Though I can see this as being a multipart post, this one will focus on some weird (redundant) effects of the ModR/M and SIB bytes. For this post we will focus on the XOR instruction, but note that the following principles would apply to most instructions that use the ModR/M encoding. How 30 c0 can be the same as 32 c0: For reference, here is a screenshot of the opcodes from the Intel Manual. Continue reading →
-
'One or more' is ambiguous - The limit of the '+' regex metacharacter
TLDR: /a+/ means "see if there are one or more a's...but not too many." I find stupid things interesting. I will explain shortly, but I find the below series of commands to be interesting: Let's take this step by step now. The below screenshot shows me creating a file (file1.txt) with the contents "baaaaaaaaaab". We then run a perl one-liner to see if the regular expression a+ has a match in our file (which it does). Continue reading →