X86 Assembly Language, Part 2

Hi Guys, Hi Megabyte, let’s get the ball rolling.

In this chapter, I provide a brief introduction to Assembly language programming tools. This chapter is intended for beginners; therefore, experienced programmers can skip it.

To program in Assembly, you will need some software, namely an assembler and a code editor as we have seen in chapter 1. An assembler takes the written assembly code and converts it into machine code, it will come with a linker that links the assembled files and produces a executable from it (.exe extension).

Sometimes, a crash may happen when the program cannot normally continue its execution or even run because of a programming bug; fortunately, there is a program called the debugger that runs other programs, allowing its user to exercise some degree of control over the program, and to examine them when things go amiss.

Another tool you may have guessed is the disassembler, which
translates executable code into assembly language—the inverse operation to that of an assembler. In fact, it is impossible to recover 100 % original source code through the assembly code.

Finally, there is a tool called a resource compiler, I’m going to explain it later in this saga.

In each tool, there is quite a good selection that can do the job very well.

• Code Editor: (Notepad++, UltraEdit, VIM, …)
  
• Assemblers: (JWasm, GoAsm, yASM, Fasm, …)
  
• Linker: (JWlink,  Link, PoLink, …)
  
• Resource Compiler: (Microsoft RC, PoRC, GoRC, …)
  
• Debugger: (OllyDBG, Immunity Debugger, WinDBG, SoftICE, …)
  
• Disassembler: (IDA Pro, Win32Dasm, HDasm, …)
  

There are some people who like the old fashion style and use each software separately. And others, who prefer something we call the IDE.

An Integrated Development Environment (IDE) is a toolkit, an All-In-One utility that provides comprehensive facilities to computer programmers for software development. An IDE normally consists of a:

[highlight color=”eg. yellow, black”]Source Code Editor +  [Assembler + Linker + Resource Compiler][/highlight]

For each tool, there are a lot of choices around, so pick the one you like. For me, I’ve highlighted in “red”
the one that concern this saga and I’m going to tell you why. You don’t have to stick with my choices if you know what you are doing and you don’t have to pay anything since all of them are free.

Assembler / Linker :

It goes without saying that MASM, originally by Microsoft, is the king of the hill when it comes to the sheer volume of books describing how to program in assembly language. There are literally dozens and dozens of books available that use MASM as their assembler of choice for teaching assembly language.

The real problem with MASM is the restrictions about its license, and also that it’s not constantly updated but only on an as-needed basis by Microsoft. Some others will say that MASM is not a true low level assembler because it substantially hides the beauty of the Assembly language and its capabilities. And using macro  makes you forget that programming for many individuals is an art.

In my humble opinion, this is criticism, this is a flattering idea but not true! Because no one forces you to use MACROS, UNIONS or any sort of high level structures in your coding style. Anyway, this stuff often comes into conflict. However, this relates to specific philosophical aspects; therefore, this topic will not be covered in this saga.

JWasm fixes it all, takes MASM, and more:

• JWasm is free, has no artificial license restrictions,  and can be used to create binaries for any OS.
  
• JWasm’s source is open. Hence JWasm is able to run – natively – on Windows, DOS, Linux, FreeBSD and OS/2.
  
• More output formats supported (Bin, ELF).
  
• Optionally very small object modules can be created.
  
• Better support for Open Watcom, for example the register-based calling convention.
  
• JWasm is faster than MASM.
  

We will use PoLink as a linker, we can use ML (Microsoft Linker) too, there is only one difference between them: PoLink accept RES files for resources, whereas ML wants an OBJ file. Another difference is that PoLink can make smaller EXE’s although, with the right switches, and it is more up to date.

If you need more information about JWasm, visit the official link. You should download it from here. Also, you need to download the MASM32 package that contains all the import libraries and includes for building Win32 applications or DLLs (Dynamic Link Libraries).

It is possible to use the WinInc: a set of include files for Masm, created by h2incx. Be aware that WinInc is intended for people being familiar with the command line interface and experienced in programming (not necessarily Assembler, however). There is also no installer supplied, just a compressed package of directories and files together with a simple README.TXT trying to explain things. That’s why we gotta omit it but it’s also an excellent choice of headers – Taken from the JWasm website.

Debugger/Disassembler

Now, we will look at some of the differences between several of the most widely used Debuggers/Disassembles. This is by no means exhaustive.  Consider it as a brief overview to give people new to assembly/reversing a “quick start” guide.

Before we look at IDA Pro (Free), Immunity Debugger (ImmDBG) and Olly Debugger (OllyDBG). We must first fully understand the differences between a debugger and a disassembler. I have heard these terms used interchangeably, but they are two separate tools. A disassembler will take a binary and break it down into human readable assembly. With a disassembler you can take a binary and see exactly how it functions (static analysis). Whereas with a debugger we can step through, break and edit the assembly while it is executing (dynamic analysis).

IDA Pro (Free)

Honestly, IDA Pro should be in a category by itself. It is an interactive, extensible disassembler and debugger. IDA is also programmable with a complete development environment. This allows users to build plug-ins and scripts to assist them in their research. The standard version of IDA is too expensive and gives you support for over 50 families of processors. But for someone who is new to reversing/disassembling, the free version will do just fine.

One of the main advantages you’ll notice that IDA has over Immunity Debugger (ImmDBG) and Olly Debugger (OllyDBG) is its platform support.  IDA is available for Windows and Linux as well as Mac OS X. You can download it here.

Olly Debugger (OllyDBG)

OllyDBG is a user-friendly, very small and portable 32-bit user-mode debugger with intuitive interface. As you get experience, you’ll able to discover how powerful OllyDBG is. OllyDBG knows most of the Windows APIs when you’re examining your binary. OllyDBG will show you what each register parameter means. Unfortunately, it does not understand Microsoft’s symbol file format or debug information.

Immunity Debugger (ImmDBG)

Immunity Debugger is very similar to OllyDBG, the only new features ImmDbg offers over Olly is Python scripting and function graphing, both of which are already supported in Olly through plug-ins. There are also plug-ins to fix the numerous bugs Olly has as well. This is what it’s all about.

• Official version of OllyDBG is available to download from here.
  
• Official version of Immunity Debugger, is available to download from here.
  

Personally, I’m going to choose ImmDebugger; nevertheless, you know sometimes you get bored and you feel that you need to change and you switch to Olly :). When I do some cracking sessions, it’s in OllyDBG, when I do exploitation sessions, it’s in ImmDebugger, it is a question of taste.

Integrated Development Environment

In this case, there are also a thousand IDEs, all of them are quite awesome, I made a screenshot of the most famous ones:

IDE

Again, to avoid putting images of all of them, here is a quick album you can look at. Choose what you get a good feel for. There is not really a significant difference between them.

MASM32

If you don’t want to bother yourself, follow me, we will set up EasyCode, it’s very suitable for beginners, made in an easy way as was never possible before. You can download it from here – (MASM version).

Once you have the JWasm Assembler, the MASM32 SDK, and the EasyCode IDE, extract them in a default folder in your hard disk. You don’t actually need the other tools for this part, keep them for later.

Unzip the package and run install.exe. Then, a series of message boxes will pop up, keep hitting OK till it asks to start extracting the package. Again, click OK till it says that the installation has proceeded to its completion and appears to have run correctly.

• Unzip the EasyCode.zip file and the ‘EasyCode.Ms‘ folder will be created.
  
• Place the whole EasyCode.Ms folder anywhere you like in one of your hard disks. If the folder already exists, overwrite it.
  
• Close all applications, open the EasyCode.Ms folder and run the ‘Settings.exe’ program (if possible, as an Administrator). Choose the desired options and press the ‘OK’ button.
  

• Now extract the JWasm archive, locate ‘JWasm.exe’, and copy it in the ‘C:masm32bin’ directory.
  

• Run the ‘EasyCode.exe’ file (located in the ‘EasyCode.MsBin’ folder) or in the desktop and set the paths for Masm32 files. To do so, use the ‘Tools–>Settings’ menu. Go to the Compiler/Link Tab and set up paths as below:
  

Apply the changes, then press OK. Now that we have our tools working like a charm, let’s begin programming! This is the most commonly written program in the world, the “Hello World!” program. Click CTRL+N for a new project, choose classic executable file, and uncheck all the options:

Copy and paste the following code in your IDE:

;—————————————————————————-

; MessageBox.asm — Displays “Don’t learn …” in a message box

; (c) Ayoub Faouzi aka Lord Noteworthy / i753CURi7Y Team – 2012

; ————————————————————————–

.386

.Data

MsgBoxCaption     DB     “Simple Message Box”,0

MsgBoxText     DB     “Hello, 0ld W0rld !”,0

.Code

start:

push MB_OK +MB_ICONASTERISK

push offset MsgBoxCaption

push offset MsgBoxText

push NULL

call MessageBox

invoke ExitProcess, NULL

End start

Click F7 for building the project, you’ll be asked to save it. First of all, I recommend you create a new folder called ‘Projects” in EasyCode.Ms and save all your projects in it. Afterward, create a new folder in the “Projects” directory and call it: myFirstProgram, save all files:

• myFirstProgram.ecp
  (The Project File).
  
• myFirstProgram.asm (The Assembly code file).
  

Press CTRL+F5 to run it:

Congratulations, you have just run your first assembly code ! Take your time to discover your favorite IDE and its features. Also, you should take into consideration that IDA Pro alone requires a book or a whole chapter to fully present it as it is worth, and this also goes for OllyDBG & ImmDBG. But don’t worry, I’ll teach you things on-demand, I mean when you really need it. As an additional note, I didn’t describe each IDE and I didn’t explain the main ideas and origins of why we still see some new assemblers appear and others die.

In the first hand, because you don’t have enough knowledge to handle it, and in the other hand because let’s assume for the sake of argument that you picked up an *assembler* that is capable of making your code the most effective optimization possible, that’s awesome! However, It doesn’t mean that you can write shitty code and expect the assembler to do its magic.

All in all, I want you to go straight forward to Assembly as a language and I don’t want you to waste your time; these things are just tools. What you need to master is the assembly language itself, the Intel x86 instruction set and how to write great code beyond any assembler product. This is a general programming advice.

Don’t believe that because something is trendy that it’s good. I see some people doing something against their own inner guidance because they think the community wants them to do it that way, so people are working on some subject even they aren’t terribly interested in it, because they think that they will get more prestige. This is ridiculous. Seek good science instead of popular science because it’s the most beneficial to the world. Sorry if I was out of the subject!

The last thing you need to own is the Win32 Help Library (Win32.hlp file) if you don’t have access to Internet, otherwise you should navigate through the MSDN (Microsoft Developer Network) so we can look up APIs definitions and prototypes.

In this chapter, the primary goal was to get you familiar with some assembly and debugging/disassembling  tools. I assume you understand that the syntax of assembly code differs slightly from an assembler to another; nevertheless, different assemblers will generate in the end the same machine code. I hope you understood everything fine.