Questions tagged [assembly]

Assembly language is a low-level programming language whose instructions map almost 1-to-1 to a computer's machine code.

When analyzing an executable whose source code is unknown (e.g. the payload of an attack), the analyst can use a tool called a disassembler. A disassembler translates the machine code instructions (the numbers that form the unknown code) to assembly language, helping the analyst to better understand what the code is doing.

Below is a simple example of what assembly code looks like. Although assembly code looks quite cryptic, all the words are names or abbreviations. The example is for the x86 family of processors.

CLC
MOV  AX, 5
ADD  AX, [SI]
MOV  [SI], AX

82 questions
1
vote
2 answers

Why is this shellcode execution considered an exploit?

I found the following "exploit" on Twitter: https://www.exploit-db.com/exploits/43550/?rss Blogpost about it:…
Daniel W.
  • 267
  • 2
  • 10
1
vote
2 answers

Segmentation fault error when calling user defined function in shellcode

I am getting the segmentation fault error when I called function "target" in my shellcode. Here's the C code of program: #include #include #include #include #define AMOUNT_OF_STUFF 50 void target(){ …
1
vote
1 answer

Large header/footer of shellcode bytes when going from x86 asm to exe?

I coded a simple bash shell in x86 and compiled it via nasm and ld into an exe. When I do this I can see the 31 bytes of instructions that I actually made but there are 100's of bytes before and after my code that get added to the executable. It…
Nitro
  • 189
  • 1
  • 8
1
vote
2 answers

Shellcode doesn't execute despite correct address on EIP

I need to produce a presentation on buffer overflows for a college class. I managed to create a simple buffer overflow where I inject the address of a specific function on the EIP and the function gets executed as expected. Then, I want to show the…
Loïc N.
  • 111
  • 3
0
votes
1 answer

Is there a solution for running processes in encrypted mode on runtime?

Is there any solution for securely running encrypted processes on an untrusted machine over the WAN? In public clouding, you can split your processes and send process request over the WAN, but you can not detect whether machine who wants to run your…
0
votes
3 answers

Why does Assembly seem so important in IT security?

As I watch a lot of tutorials, read answers, and just in general interact with the IT security community I find that a high percentage of them know assembly. I'm wondering why this percentage is so much higher than everywhere else and why it is so…
Griffin Nowak
  • 1,190
  • 1
  • 12
  • 19
0
votes
0 answers

Linux x86_64 Assembly works standalone, but Segfaults when run as shellcode in C

I wrote a NASM program that uses the execve system call to run wget inside a newly spawned shell and execute the retrieved page: [bits 64] global _start section .text _start: xor rcx, rcx push rcx ; first 4 mov rcx, "/bin//sh" …
Vilius Povilaika
  • 972
  • 8
  • 20
0
votes
0 answers

_libc_csu_init address is getting corrupted in x86_64

I am trying to bypass the ASLR using the return-to-plt attack; for this I have to use a gadget pop rdi; ret. I was able to find this gadget in __libc_csu_init but for some reason whenever I use this address it gets corrupted in the stack. I can use…
0
votes
1 answer

ROP - ret VS ret 0

I'm doing a binary challenge from pwnable.kr and I'm examining some ROP gadgets. Until now I've always used gadgets ending with ret or syscall/int 0x80, but now ROPgadget gave me a gadget ending with ret 0. What's the difference wrt ret?
Marco Balo
  • 103
  • 2
0
votes
1 answer

How to use pwntools to generate a relative jump?

I want to use pwntools to generate a relative jump 0x20 bytes forward. It isn't described in the documentation how to do that. What's the command for doing a JMP SHORT 0x20 in pwntools?
user3207874
  • 225
  • 2
  • 11
0
votes
1 answer

Some introductory reverse engineering help on finding a string

I understand the crackme I am researching is from 2007; however, this was the point in my life when I initially became interested in reverse engineering and I wish to complete it for nostalgia's sake. Following on from this question, I intend to pursue…
0
votes
1 answer

Instead of JMP ESP can we use its opcodes?

In a buffer overflow exploit, when we use a JMP ESP instruction to jump to the ESP, instead of using the address of the JMP ESP, can't we use the opcodes of it? I generated the opcodes of the JMP ESP instruction with mona in Immunity…
0
votes
2 answers

Shellcode not executing despite EIP being overwritten properly

Here is my exploit: junk = b'A' * 1032 eip = b"\xf5\x93\x4a\x00" # some address where 'jmp esp' lives shellcode = b"" shellcode += b"\x33\xc0" # xor eax, eax shellcode += b"\x50" # push eax shellcode +=…
Toma
  • 121
  • 3
0
votes
1 answer

What is the source of the bad characters that exist in buffer overflows?

I'm new to exploit development and while watching a tutorial I came across the topic of "Bad character identification". I'm referring to the process of sending all possible characters to the vulnerable process to see if there are characters which…
Anton.P
  • 141
  • 6
0
votes
1 answer

Esp changes to different (incorrect) value when overwritten

I am attempting to overwrite the eip of a binary (in order to perform a ret2libc attack). The program has full relro, PIE and NX. Here's my thought process. First I try this, I input "C"*260 + "system address" + "bbbb" + "bin/sh address" and get…