Intro to x86-64

TryHackMe Intro to x86-64 Write-Up

topics: assembly language, binary files

  1. x86-64 Background

  2. If Statements

  3. Loops

  4. Cracking Binary Files

new tools: radare2

tools:

x86-64 Background

x86-64 is the 64-bit version of the x86 CPU instruction set. Computers execute machine code, which is encoded as bytes, to carry out tasks. Since different computers have different processors, the machine code executed on a computer is specific to its processor. The Intel x86-64 instruction set architecture is the most commonly found today. Machine code is usually represented in a more readable form called assembly code. This machine code is usually produced by a compiler, which takes the source code of a file and, after going through some intermediate stages, produces machine code that the computer can execute.

This room uses AT&T syntax as opposed to Intel syntax.

To inspect assembly code, this room uses radare2, a framework for reverse engineering and analyzing binaries. It can disassemble binaries (translate machine code into assembly, making it readable) and debug them (letting the user step through execution and view the state of the program).

Introduction

This room uses a sample C program as an introduction.

This program creates two variables and swaps their values; we can inspect the instructions it executes and debug it with radare2.

r2 -d intro

In the above picture we are running the most common analysis command, which analyzes all symbols and entry points in the executable file. We also set the disassembly syntax to AT&T. The analysis in this case involves extracting function names, control-flow information, etc.

pdf @main means "print disassembly of function", in this case the function main.

I referred to this useful cheatsheet throughout this room. The values in the left column are memory addresses of the instructions, stored in the stack. The middle column contains the instructions encoded as bytes (the machine code), and the last column holds the human-readable instructions.

The first instruction, subq $8, %rsp, allocates 8 bytes of space on the stack (%rsp is the stack pointer, which holds the address of the topmost, most recently pushed element).
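The room's sample program is not reproduced in this write-up, so here is an added C program (my own, not the room's source) that does the same thing it describes: create two variables and swap their values. Compile it without optimization so the compiler keeps the locals on the stack and the swap is not folded away; the stack adjustment on %rsp at the start of main will then be visible in the disassembly, though the exact size may differ from the 8 bytes quoted above.

```c
#include <stdio.h>

/* Exchange the values behind two pointers. At -O0 the compiler loads
 * each value from its stack slot into a register and stores it back
 * into the other slot, which is what shows up in the disassembly. */
static void swap(int *a, int *b)
{
    int tmp = *a;
    *a = *b;
    *b = tmp;
}

/* Helpers that swap two locals and return one side afterwards, so the
 * effect of the exchange can be checked from a caller. */
int swapped_first(int x, int y)
{
    swap(&x, &y);
    return x;   /* holds the original y */
}

int swapped_second(int x, int y)
{
    swap(&x, &y);
    return y;   /* holds the original x */
}

int main(void)
{
    int a = 5, b = 9;   /* constructed sample values */
    printf("before: a=%d b=%d\n", a, b);
    swap(&a, &b);
    printf("after:  a=%d b=%d\n", a, b);
    return 0;
}
```

Build it with `gcc -O0 -g -o intro intro.c`, then open it in the debugger with `r2 -d ./intro`, run the analysis command (`aaa`), switch the syntax with `e asm.syntax=att`, and print main with `pdf @main` as the write-up does. The `-g` flag is optional but lets radare2 show source line information next to the instructions.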

If Statements

In this example we'll analyze jump instructions in assembly.

Next we'll set a breakpoint at the jge and jmp instructions using db <memory address>.

Analyzing the if2 binary: cheatsheets in b.o folder

Loops
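As an added illustration for both the If Statements and Loops sections (my own example, not one of the room's binaries), the C below contains one if/else and one counting loop. When compiled with `gcc -O0`, the if/else typically becomes a cmp followed by a conditional jump that skips the "then" block when the test fails (for a signed `x < y` that is jge, which matches the breakpoint above), and an unconditional jmp at the end of the "then" block that leaps over the "else" block. The loop typically keeps its counter in a stack slot, reloads it each iteration, compares it with the bound and jumps back to the body while the comparison holds.

```c
#include <stdio.h>

/* if/else: returns 1 when x < y, otherwise 0. Set breakpoints on the
 * jge (taken when x >= y, i.e. the test fails) and on the jmp that
 * ends the "then" block to watch both paths in the debugger. */
int smaller_branch(int x, int y)
{
    int result;
    if (x < y) {          /* cmp ...; jge <else label> */
        result = 1;       /* "then" block */
    } else {              /* jmp <end label> sits just before here */
        result = 0;       /* "else" block */
    }
    return result;
}

/* Loop: sum of 1..n. Each iteration adds the counter to the running
 * total, increments it, compares it against n and jumps back while it
 * is still in range. Returns 0 for n <= 0 because the body never runs. */
int sum_to(int n)
{
    int total = 0;
    for (int i = 1; i <= n; i++) {
        total += i;
    }
    return total;
}

int main(void)
{
    /* constructed sample inputs */
    printf("smaller_branch(3, 7) = %d\n", smaller_branch(3, 7));
    printf("smaller_branch(7, 3) = %d\n", smaller_branch(7, 3));
    printf("sum_to(10) = %d\n", sum_to(10));
    return 0;
}
```

Compile with `gcc -O0 -g -o if_loop if_loop.c`, then `r2 -d ./if_loop`, `aaa`, `e asm.syntax=att` and `pdf @sym.smaller_branch` or `pdf @sym.sum_to` to read each function. Higher optimization levels are likely to turn the if/else into a branchless compare or compute the sum with a closed formula, so the jump patterns described here are best studied at -O0.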

Cracking Binary Files

crackme1

crackme2

