
Happy Reunion – Here are the answers


It was so, so good to see you guys again – you’re all amazing, and I can’t wait until we meet again. I also have to say a massive thank you to the special person who asked me lots of questions on privacy and surveillance… a giant “thank you”. You’re now my hero. To keep my promise, here are the answers, and the books I recommend if you’d like to learn Assembly the fun way.

Step 1 – Triangulate your code

A great way to learn Assembly is to cross-reference a program written in C against its disassembly in IDA Pro. Here’s an example of what we’re aiming for:

(Image: the three levels of abstraction – C, assembly and machine code)

We’re looking at what’s happening across the 3 layers. What you “think” is happening in C may not be what is actually happening at the low level: the compiler decides which registers, compares and jumps your C turns into. Assembly and machine code are a delight to work with – which surprised everyone on the course. We all came away thinking that Assembly is one of the best languages out there.

IDA Pro will produce flow charts like these, which link up all the jumps being made in the code.

(Image: IDA flow chart of the rpcrt4 LRPC send-request function)

(Image: IDA graph of the CVE 3222 patch; the red blocks are code deleted by the fix)

The best tutorials out there for cracking are “The Legend of Random”, which I’ve linked further on. Random takes you through the flags and the conditional jumps that depend on them, so that by patching a single jump you can crack a licence check and have any code accepted as valid. It’s great fun… but be warned, you’ll get addicted. Even if you only do the first 7 tutorials, you’ll be cracking in no time, just by reading the assembly. By reading and following these jumps you’ll get a real feel for assembly, and for how to bend the code into doing things it shouldn’t.

OllyDbg – often used to crack serial licences.

(Image: the patched CVE entry in rpcrt4, viewed in OllyDbg)

The awesome “LEGEND OF RANDOM” tutorials for OllyDbg – **Amazing Stuff** – download a couple of these and you’ll be given practical examples to work on.
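To see what Random’s patching actually does to the bytes, here’s an added example in C (my own, not from Random’s tutorials or anything else on this page). It takes a constructed snippet of the kind OllyDbg shows for a serial check – test eax,eax followed by jne short – and patches the conditional jump the three ways crackers do: invert it, turn it into an unconditional jmp, or NOP it out. The snippet’s byte layout is made up for the demo; the opcode facts it relies on (0x70-0x7F and 0F 80-8F are the conditional jumps, flipping the low bit of the condition nibble inverts it, 0xEB and 0xE9 are jmp, 0x90 is nop) are real x86.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 conditional jumps: opcodes 0x70..0x7F (rel8) and 0F 80..8F (rel32).
 * The low nibble selects the condition, and flipping its lowest bit inverts
 * it: je 74 <-> jne 75, jb 72 <-> jae 73, jl 7C <-> jge 7D, and so on. */
static const char *const jcc_names[16] = {
    "jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
    "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"
};

enum patch_mode { PATCH_INVERT, PATCH_ALWAYS, PATCH_NEVER };

/* Mnemonic for a Jcc opcode byte (0x70..0x7F, or the 0x80..0x8F byte that
 * follows 0x0F in the near form); NULL if it is not a conditional jump. */
const char *jcc_name(uint8_t op)
{
    if (op >= 0x70 && op <= 0x7F) return jcc_names[op - 0x70];
    if (op >= 0x80 && op <= 0x8F) return jcc_names[op - 0x80];
    return NULL;
}

/* Patch the conditional jump at code[off] in place, as you would in
 * OllyDbg's assemble window.  Returns the patched instruction length
 * (2 for rel8, 6 for rel32) or 0 if there is no Jcc at that offset. */
size_t patch_jcc(uint8_t *code, size_t len, size_t off, enum patch_mode mode)
{
    if (off + 2 <= len && code[off] >= 0x70 && code[off] <= 0x7F) {
        switch (mode) {
        case PATCH_INVERT: code[off] ^= 1; break;                   /* jne -> je      */
        case PATCH_ALWAYS: code[off] = 0xEB; break;                 /* jmp rel8       */
        case PATCH_NEVER:  code[off] = code[off + 1] = 0x90; break; /* nop nop        */
        }
        return 2;
    }
    if (off + 6 <= len && code[off] == 0x0F && code[off + 1] >= 0x80 && code[off + 1] <= 0x8F) {
        switch (mode) {
        case PATCH_INVERT:
            code[off + 1] ^= 1;
            break;
        case PATCH_ALWAYS: {
            /* jmp rel32 (E9) is one byte shorter than 0F 8x.  The displacement
             * is relative to the end of the instruction, so it grows by one,
             * and a nop keeps the following code at the same address. */
            uint32_t disp = (uint32_t)code[off + 2] | (uint32_t)code[off + 3] << 8 |
                            (uint32_t)code[off + 4] << 16 | (uint32_t)code[off + 5] << 24;
            disp += 1;
            code[off] = 0xE9;
            code[off + 1] = disp & 0xFF;
            code[off + 2] = (disp >> 8) & 0xFF;
            code[off + 3] = (disp >> 16) & 0xFF;
            code[off + 4] = (disp >> 24) & 0xFF;
            code[off + 5] = 0x90;
            break;
        }
        case PATCH_NEVER:
            memset(code + off, 0x90, 6);
            break;
        }
        return 6;
    }
    return 0;
}

/* Constructed bytes of a typical serial check, as OllyDbg would list them
 * after the call to strcmp (offsets 0..10 of this little buffer). */
static const uint8_t serial_check[] = {
    0x85, 0xC0,                   /* 0: test eax,eax              */
    0x75, 0x05,                   /* 2: jne short bad_serial (+5) */
    0xB8, 0x01, 0x00, 0x00, 0x00, /* 4: mov eax,1   ; licence OK  */
    0x31, 0xC0                    /* 9: bad_serial: xor eax,eax   */
};

/* Patch a copy of the snippet at the jne (offset 2) and return the new opcode. */
uint8_t demo_patched_opcode(enum patch_mode mode)
{
    uint8_t copy[sizeof serial_check];
    memcpy(copy, serial_check, sizeof copy);
    patch_jcc(copy, sizeof copy, 2, mode);
    return copy[2];
}

int main(void)
{
    printf("original: %02X %02X = %s short +%d\n", serial_check[2], serial_check[3],
           jcc_name(serial_check[2]), serial_check[3]);
    printf("inverted: %02X (%s)\n", demo_patched_opcode(PATCH_INVERT), jcc_name(demo_patched_opcode(PATCH_INVERT)));
    printf("always:   %02X (jmp short)\n", demo_patched_opcode(PATCH_ALWAYS));
    printf("never:    %02X (nop)\n", demo_patched_opcode(PATCH_NEVER));
    return 0;
}
```

Inverting the jump is the classic “bad serial becomes the only serial that fails” patch; NOPing it out makes the check fall through into the valid path regardless of what strcmp returned. Both leave the instruction length alone, which is why these patches work without relocating anything.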


Flags – it’s a good idea to learn the capacity of the registers and the flags. The registers nest: AL is the low 8 bits of AX, which is the low 16 bits of EAX, the 32-bit register (and on x86-64, RAX is 64 bits). The narrower the register, the sooner it wraps: AL only holds 0 to 255, so adding 200 and 100 in AL wraps to 44 and sets the carry flag, while the same add in EAX gives 300 with no carry. Every CMP is a subtraction whose result is thrown away and whose flags (zero, carry, sign, overflow) are kept, and it’s those flags that the conditional jumps test.
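Here’s an added example in C (mine, not from the page or the course) that computes the flags CMP and ADD set at 8, 16 and 32-bit width and then asks which conditional jumps would be taken, so you can check by hand what you’ll see in the debugger’s flag pane. The register names in the comments are labels for the width only; nothing here touches a real register.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The flags the conditional jumps read: carry, zero, sign, overflow. */
typedef struct { int cf, zf, sf, of; } flags_t;

/* An ALU result together with the flags it left behind. */
typedef struct { uint32_t result; flags_t f; } alu_t;

/* width is 8 for AL, 16 for AX, 32 for EAX. */
static uint32_t width_mask(int width)
{
    return width == 32 ? 0xFFFFFFFFu : (1u << width) - 1u;
}

/* ADD a,b at the given width.  CF = carry out of the top bit (unsigned wrap);
 * OF = signed overflow (both operands have one sign, the result the other). */
alu_t x86_add(uint32_t a, uint32_t b, int width)
{
    uint32_t mask = width_mask(width), sign = 1u << (width - 1);
    alu_t o;
    a &= mask;
    b &= mask;
    uint64_t wide = (uint64_t)a + b;
    o.result = (uint32_t)wide & mask;
    o.f.cf = (int)((wide >> width) & 1u);
    o.f.zf = o.result == 0;
    o.f.sf = (o.result & sign) != 0;
    o.f.of = ((a ^ o.result) & (b ^ o.result) & sign) != 0;
    return o;
}

/* CMP a,b is SUB a,b with the result thrown away.  CF = unsigned borrow
 * (a < b as unsigned); OF = signed overflow (operands of different sign and
 * the result's sign differs from a's). */
alu_t x86_cmp(uint32_t a, uint32_t b, int width)
{
    uint32_t mask = width_mask(width), sign = 1u << (width - 1);
    alu_t o;
    a &= mask;
    b &= mask;
    o.result = (a - b) & mask;
    o.f.cf = a < b;
    o.f.zf = o.result == 0;
    o.f.sf = (o.result & sign) != 0;
    o.f.of = ((a ^ b) & (a ^ o.result) & sign) != 0;
    return o;
}

/* Would this conditional jump be taken on these flags?  1 = yes, 0 = no,
 * -1 = mnemonic not in the table.  The unsigned jumps (jb/ja) read CF, the
 * signed ones (jl/jg) compare SF with OF: that is the whole trick. */
int jcc_taken(const char *jcc, flags_t f)
{
    if (!strcmp(jcc, "je")  || !strcmp(jcc, "jz"))  return f.zf;
    if (!strcmp(jcc, "jne") || !strcmp(jcc, "jnz")) return !f.zf;
    if (!strcmp(jcc, "jb")  || !strcmp(jcc, "jc"))  return f.cf;            /* unsigned <  */
    if (!strcmp(jcc, "jae") || !strcmp(jcc, "jnc")) return !f.cf;           /* unsigned >= */
    if (!strcmp(jcc, "jbe")) return f.cf || f.zf;                           /* unsigned <= */
    if (!strcmp(jcc, "ja"))  return !f.cf && !f.zf;                         /* unsigned >  */
    if (!strcmp(jcc, "jl"))  return f.sf != f.of;                           /* signed <    */
    if (!strcmp(jcc, "jge")) return f.sf == f.of;                           /* signed >=   */
    if (!strcmp(jcc, "jle")) return f.zf || f.sf != f.of;                   /* signed <=   */
    if (!strcmp(jcc, "jg"))  return !f.zf && f.sf == f.of;                  /* signed >    */
    if (!strcmp(jcc, "js"))  return f.sf;
    if (!strcmp(jcc, "jo"))  return f.of;
    return -1;
}

/* Print a result the way the debugger's flag pane shows it. */
void print_flags(const char *label, alu_t r)
{
    printf("%-24s result=%-10u C%d Z%d S%d O%d\n", label, r.result,
           r.f.cf, r.f.zf, r.f.sf, r.f.of);
}

int main(void)
{
    print_flags("add al,100  (al=200)", x86_add(200, 100, 8));   /* wraps to 44, carry */
    print_flags("add eax,100 (eax=200)", x86_add(200, 100, 32)); /* 300, no carry      */
    print_flags("add al,1    (al=127)", x86_add(127, 1, 8));     /* signed overflow    */
    alu_t c = x86_cmp(0x80, 1, 8);   /* AL = 0x80: 128 unsigned, -128 signed */
    print_flags("cmp al,1    (al=0x80)", c);
    printf("  jb (unsigned <) taken: %d   jl (signed <) taken: %d\n",
           jcc_taken("jb", c.f), jcc_taken("jl", c.f));
    return 0;
}
```

The last case is the one that catches people in the debugger: 0x80 in AL is above 1 as an unsigned number (jb not taken) but below it as a signed one (jl taken), and the only way to know which the program means is to look at which jump follows the CMP.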


The buffers, registers and flags can all be manipulated to make a program do unexpected things. IDA Pro is more powerful than OllyDbg – but then it’s an expensive product.

IDA Pro will show you how the machine code is being attacked – and if you run an exploit under its debugger, what is happening in machine code, instruction by instruction.

(Image: IDA’s view of the LRPC function)

Practical Malware Analysis – the “Alien Baby” book

x86 Disassembly

This is the £6 book I mentioned… but it’s out of print. Basically it was a little gem for vulnerability development, and worth its weight in gold.

Hacking: The Art of Exploitation

**Amazing book.** Learning the architecture and the flags used is really important. This is best “experienced” by cracking the code in Random’s exercises.

Step 2 – Best Disassemblers/Debuggers

The best programs are:

1. IDA Pro (there’s a free version and a paid version). IDA is really visual, which makes it so easy to use.

(Image: IDA view of rpcrt4’s security-cookie check, with the yellow block marking the code the patch amended)

2. OllyDbg – often used to crack serial licences. Olly is a cracker’s delight, and free. WOOHOO!!

3. The awesome “LEGEND OF RANDOM” tutorials for OllyDbg

4. Immunity Debugger – scriptable in Python, and free – Yay!

(Image: the LRPC exploit running in Immunity Debugger)

5. DarunGrim – a binary diffing tool, useful for comparing a Microsoft binary before and after a patch is released, so that you can see exactly which code was changed. Yellow means code has been altered and red blocks mean code has been deleted.

6. WinDbg – Windows only

Now, this tool is totally weird, but it can be mastered. In the end, even as a novice of some 6 weeks, you can locate new Windows vulnerabilities. When you find one, you’ll think that you’ve misunderstood the code rather than that you’ve just found a new bug. It’s like having a winning lottery ticket… you have it, but don’t believe it and keep checking. The best book for WinDbg is:

Make sure that you’ve updated all your symbols, as that’s the key to WinDbg: without them the call stacks and function names are meaningless. Pointing the symbol path at Microsoft’s symbol server (.symfix, then .reload) fixes most of the “where am I?” moments.

7. Buffer Overflow Attacks

This really old book is a great primer for the stack, registers, EIP and shellcode. It’s cheap as chips to buy, but real quality. It’s dedicated to buffer overflows, but much of what you’ll come across is literally writing past a buffer on the stack until the saved return address (EIP) is overwritten. The basics are as valid today as ever.
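An added example (mine, not from the book or this page) of the thing that book is about, in C: a made-up 32-bit frame layout with a 16-byte buffer sitting below the saved EBP and EIP, a copy with no length check beside its bounded replacement, and a constructed 24-byte payload whose last four bytes land on the return address. The frame, the addresses and the payload are a model built for the demo, not a real stack; the point is the arithmetic of the offset and the byte order of the new EIP.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one 32-bit stack frame.  The local buffer is lowest
 * in memory; the saved frame pointer and return address sit just above it,
 * so a copy that runs past buf lands on them.  (No padding: 16 + 4 + 4.) */
typedef struct {
    char     buf[16];
    uint32_t saved_ebp;
    uint32_t saved_eip;
} frame_t;

#define ORIG_EIP 0x08048ABCu   /* made-up return address into the caller */

void frame_init(frame_t *f)
{
    memset(f->buf, 0, sizeof f->buf);
    f->saved_ebp = 0xBFFFF000u;
    f->saved_eip = ORIG_EIP;
}

/* Vulnerable: copies len bytes into buf with no length check, like strcpy.
 * The copy is clamped to the frame only so the demo stays within defined
 * behaviour; real code has no such stop and keeps writing up the stack. */
void copy_unchecked(frame_t *f, const uint8_t *src, size_t len)
{
    if (len > sizeof *f) len = sizeof *f;
    memcpy((uint8_t *)f, src, len);
}

/* Hardened: refuses anything that does not fit with its terminator. */
int copy_checked(frame_t *f, const uint8_t *src, size_t len)
{
    if (len >= sizeof f->buf) return -1;
    memcpy(f->buf, src, len);
    f->buf[len] = '\0';
    return 0;
}

/* How many bytes of input reach the return address: the number you hunt
 * for with a pattern string in the debugger.  Here it is 16 + 4 = 20. */
size_t eip_offset(void) { return offsetof(frame_t, saved_eip); }

/* Constructed payload: 16 bytes of filler reach the end of buf, 4 more cover
 * the saved EBP, and the last 4 are the new EIP written low byte first,
 * because x86 is little-endian. */
static const uint8_t payload[24] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'B','B','B','B',
    0xEF, 0xBE, 0xAD, 0xDE          /* reads back as 0xDEADBEEF */
};

uint32_t eip_after_unchecked(void)
{
    frame_t f;
    frame_init(&f);
    copy_unchecked(&f, payload, sizeof payload);
    return f.saved_eip;             /* 0xDEADBEEF on a little-endian host */
}

int checked_result(void)
{
    frame_t f;
    frame_init(&f);
    return copy_checked(&f, payload, sizeof payload);   /* -1: rejected */
}

uint32_t eip_after_checked(void)
{
    frame_t f;
    frame_init(&f);
    copy_checked(&f, payload, sizeof payload);
    return f.saved_eip;             /* untouched: ORIG_EIP */
}

int main(void)
{
    printf("return address is %zu bytes into the input\n", eip_offset());
    printf("unchecked copy: saved EIP = 0x%08X\n", eip_after_unchecked());
    printf("checked copy:   rc=%d, saved EIP = 0x%08X\n", checked_result(), eip_after_checked());
    return 0;
}
```

The two numbers to take away are the offset (20 here, found by counting the frame) and the byte order of the value you put there; getting either wrong is why a first exploit attempt usually crashes somewhere other than where you aimed.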

Hope to see you again VERY soon.  Happy hacking!


  1. It was good to see you guys again also. A couple of things to add: 1) One of the appendices in the Shellcoder’s Handbook lists C constructs with their assembler equivalents, so you can recognise things like loops, branching, etc. 2) I’ve been sticking to command-line disassemblers such as HT(E) for large executables, as they tend to crash the graphical ones in Linux.


    • Yeah, you get brownie points here… the Shellcoder’s Handbook is fab.
      It also brings to mind another point.

      Intel and AT&T syntax are totally different.
      When you write shellcode for Intel you have to “reverse in” the shellcode, i.e. write it going backwards. This sounds so weird, but it’s easier to do.

      Basically, if you want Intel to output a1 b2 c3 d4 e5
      your shellcode would be written to inject
      e5 d4 c3 b2 a1.
      This would come out of the stack as a1 b2 c3 etc.

      It’s like reversing a car into a garage, so that the car pulls out forwards, facing the right direction.
      Strange to get your head around initially… but compare it to pulling into a parking space. If you back out, then you’re getting the wrong code being output… so you have to reverse it in, so that the code comes out right.

      So top marks, Batman… you nailed this point, as I’d totally forgotten to mention that little hiccup.
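As an added example that is not part of the post or the comments, here is the byte bookkeeping behind “reversing in” shellcode, simulated in C rather than written as real shellcode: x86 is little-endian and its stack grows downward, so a PUSH stores the low byte of the immediate at the lowest address, and each push lands below the previous one. The 64-byte stack and the “/bin//sh” string are constructed for the demo; the immediates it derives (0x6E69622F for “/bin”, 0x68732F2F for “//sh”) are what you would actually type into the push instructions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 64-byte stack.  x86 stacks grow downward, so ESP starts at
 * the top and every PUSH moves it 4 bytes lower before storing. */
typedef struct { uint8_t mem[64]; uint32_t esp; } stack_t;

void stack_init(stack_t *s)
{
    memset(s->mem, 0, sizeof s->mem);
    s->esp = sizeof s->mem;
}

/* PUSH imm32.  Little-endian: the low byte of the value lands at the lowest
 * address, so 0xD4C3B2A1 is stored as the bytes A1 B2 C3 D4. */
void push32(stack_t *s, uint32_t v)
{
    s->esp -= 4;
    s->mem[s->esp + 0] = v & 0xFF;
    s->mem[s->esp + 1] = (v >> 8) & 0xFF;
    s->mem[s->esp + 2] = (v >> 16) & 0xFF;
    s->mem[s->esp + 3] = (v >> 24) & 0xFF;
}

/* The immediate to write in the shellcode so that bytes b0 b1 b2 b3 appear
 * in memory in that order: the bytes go into the instruction reversed. */
uint32_t imm_for_bytes(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3)
{
    return (uint32_t)b0 | (uint32_t)b1 << 8 | (uint32_t)b2 << 16 | (uint32_t)b3 << 24;
}

/* Same for a 4-character chunk of a string such as "/bin". */
uint32_t imm_for_text(const char *four)
{
    return imm_for_bytes((uint8_t)four[0], (uint8_t)four[1],
                         (uint8_t)four[2], (uint8_t)four[3]);
}

/* What execve shellcode does to build "/bin//sh\0" on the stack: the pieces
 * are pushed last-first, because each push goes below the previous one, and
 * ESP ends up pointing at the first character. */
const char *build_bin_sh(stack_t *s)
{
    push32(s, 0);                       /* terminating NUL, highest in memory */
    push32(s, imm_for_text("//sh"));    /* 0x68732F2F */
    push32(s, imm_for_text("/bin"));    /* 0x6E69622F */
    return (const char *)&s->mem[s->esp];
}

/* Byte i at ESP after pushing one immediate onto a fresh stack. */
uint8_t byte_after_push(uint32_t imm, int i)
{
    stack_t s;
    stack_init(&s);
    push32(&s, imm);
    return s.mem[s.esp + i];
}

uint32_t esp_after_bin_sh(void)
{
    stack_t s;
    stack_init(&s);
    build_bin_sh(&s);
    return s.esp;                       /* 64 - 3 * 4 = 52 */
}

int bin_sh_on_stack_matches(void)
{
    stack_t s;
    stack_init(&s);
    return strcmp(build_bin_sh(&s), "/bin//sh") == 0;
}

int main(void)
{
    stack_t s;
    stack_init(&s);
    const char *p = build_bin_sh(&s);
    printf("push 0x%08X ; push 0x%08X ; push 0\n", imm_for_text("/bin"), imm_for_text("//sh"));
    printf("memory at esp=%u reads: %s\n", s.esp, p);
    printf("to get a1 b2 c3 d4 in memory, push 0x%08X\n", imm_for_bytes(0xA1, 0xB2, 0xC3, 0xD4));
    return 0;
}
```

Two reversals are happening at once, which is what makes it feel like backing into a garage: the bytes inside each 4-byte immediate are written back to front, and the 4-byte chunks of the string are pushed in reverse order.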

