Week 2 In Malware Analysis Fundamentals Workshop

Mr Robot
7 min read · May 11, 2024


Hi folks, this is 0xMrRobot. I'm really excited to share with you a summary of week 2 of my workshop, which aims to teach you the basics of malware analysis in a good way!

Session 3

In this session we continued what we had started in session 2, where I was talking about basic programming concepts for malware analysts.

I talked about:

1- What is assembly, and what are its instructions and operands

I gave an introduction to assembly: what assembly is and how it differs from high-level languages like C or C++. I gave an example of high-level C++ code that sums two numbers and prints the result, then showed the equivalent assembly code for it and explained the differences between the two programs and the different levels of abstraction in the two languages.

These are the codes I explained:

This is the C++ code:

#include <iostream>

using namespace std;

int main() {
    // Declare variables to store the inputs
    int num1, num2;

    // Prompt the user to enter the first number
    cout << "Enter the first number: ";
    cin >> num1;

    // Prompt the user to enter the second number
    cout << "Enter the second number: ";
    cin >> num2;

    // Add the two numbers
    int sum = num1 + num2;

    // Print the result
    cout << "The sum of " << num1 << " and " << num2 << " is: " << sum << endl;

    return 0;
}

And this is the equivalent assembly code (NASM syntax, 32-bit Linux):

; NASM syntax, 32-bit Linux. Build with: nasm -f elf32 sum.asm && ld -m elf_i386 -o sum sum.o
section .data
; Define messages to be displayed; the assembler computes each length with "equ $ - label"
prompt1     db "Enter the first number: "
prompt1_len equ $ - prompt1
prompt2     db "Enter the second number: "
prompt2_len equ $ - prompt2
msg_sum     db "The sum of "
msg_sum_len equ $ - msg_sum
msg_and     db " and "
msg_and_len equ $ - msg_and
msg_is      db " is: "
msg_is_len  equ $ - msg_is
newline     db 10

section .bss
; Reserve space to store the inputs and the result
num1   resd 1  ; Reserve 1 doubleword (4 bytes)
num2   resd 1  ; Reserve 1 doubleword (4 bytes)
sum    resd 1  ; Reserve space for the result
inbuf  resb 16 ; Raw characters typed by the user
outbuf resb 12 ; Decimal digits of the number being printed

section .text
global _start

; write_str: sys_write(stdout, ecx = address of text, edx = length)
write_str:
    mov eax, 4          ; System call number for sys_write
    mov ebx, 1          ; File descriptor 1 (stdout)
    int 0x80            ; Invoke the kernel
    ret

; read_int: read one line from stdin and convert its decimal digits to a number in eax
; (this is the work that "cin >> num1" hides in the C++ version; unsigned only)
read_int:
    mov eax, 3          ; System call number for sys_read
    mov ebx, 0          ; File descriptor 0 (stdin)
    mov ecx, inbuf      ; Address to store the typed characters
    mov edx, 16         ; Maximum number of bytes to read
    int 0x80            ; Invoke the kernel
    xor eax, eax        ; The number we are building starts at 0
    mov esi, inbuf
.next_digit:
    movzx ecx, byte [esi]
    cmp ecx, '0'        ; Stop at the first non-digit (newline, space, ...)
    jb .done
    cmp ecx, '9'
    ja .done
    sub ecx, '0'        ; ASCII digit -> numeric value
    imul eax, eax, 10   ; number = number * 10 + digit
    add eax, ecx
    inc esi
    jmp .next_digit
.done:
    ret

; print_int: write the unsigned number in eax as decimal text
; (the work that "cout << sum" hides)
print_int:
    mov edi, outbuf + 12 ; Fill the buffer from its end backwards
    mov ecx, 10
.next_char:
    xor edx, edx
    div ecx             ; eax = eax / 10, edx = eax % 10
    add dl, '0'         ; Remainder -> ASCII digit
    dec edi
    mov [edi], dl
    test eax, eax
    jnz .next_char      ; Loop until the quotient is 0
    mov ecx, edi        ; Address of the first digit
    mov edx, outbuf + 12
    sub edx, edi        ; Length = number of digits
    call write_str
    ret

_start:
    ; Prompt the user to enter the first number, then read it
    mov ecx, prompt1
    mov edx, prompt1_len
    call write_str
    call read_int
    mov [num1], eax

    ; Prompt the user to enter the second number, then read it
    mov ecx, prompt2
    mov edx, prompt2_len
    call write_str
    call read_int
    mov [num2], eax

    ; Add the two numbers
    mov eax, [num1]     ; Load the first number into eax
    add eax, [num2]     ; Add the second number to eax
    mov [sum], eax      ; Store the result in sum

    ; Print "The sum of <num1> and <num2> is: <sum>"
    mov ecx, msg_sum
    mov edx, msg_sum_len
    call write_str
    mov eax, [num1]
    call print_int
    mov ecx, msg_and
    mov edx, msg_and_len
    call write_str
    mov eax, [num2]
    call print_int
    mov ecx, msg_is
    mov edx, msg_is_len
    call write_str
    mov eax, [sum]
    call print_int
    mov ecx, newline
    mov edx, 1
    call write_str

    ; Exit the program
    mov eax, 1          ; System call number for sys_exit
    xor ebx, ebx        ; Exit status 0
    int 0x80            ; Invoke the kernel

You can read more about this point HERE, HERE, HERE and HERE.

2- The difference between x86 and x64 architecture and assembly

In this point I talked about what the architecture of a computer is, and why some programs, when we download them, ask us for "x32 or x64". I talked about how a software engineer determines this, and what it depends on. The main idea in this point is something called registers: small, fast memory close to the CPU that makes processing faster than normal. These registers have a size, and that size is what determines whether our processor is 32-bit or 64-bit.

You can read more about this point HERE and HERE.

3- What are the registers?

In this point I talked about how the CPU deals with data, through the (fetch, decode, execute) operations. I focused on the fetch operation, which gets the data from RAM into the CPU. This operation takes a lot of time for data the CPU deals with more than once, so a small, fast memory called registers was invented and placed close to the CPU to hold the most frequently used data or instructions that the CPU will process. There is more than one type of register, like:
- General purpose registers, segment registers, flags registers, and more

I also talked about the 32-bit registers and the 64-bit registers; you can take a look at this photo to understand more:

x32 & x64 Registers
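As an added example that is not part of the workshop material: a toy fetch-decode-execute loop in Python that runs the add-and-exit part of the assembly listing above, with a dict as the register file and a bytearray as RAM. The only thing that changes between the 32-bit and the 64-bit CPU is the mask applied to every register write. The instruction subset, the memory layout and the 8-byte RAM slots are constructed for this example.

```python
import struct
# The arithmetic and exit part of the listing above; num1 lives at RAM address 0x0,
# num2 at 0x8, sum at 0x10 (a constructed layout with 8-byte slots so both widths work)
SUM_PROGRAM = ["mov eax, [0x0]", "add eax, [0x8]", "mov [0x10], eax",
               "mov eax, 1", "xor ebx, ebx", "int 0x80"]

class TinyCPU:
    def __init__(self, ram, bits=32):
        self.mask = (1 << bits) - 1           # register width: the x32 vs x64 difference
        self.regs = {"eax": 0, "ebx": 0, "eip": 0}
        self.ram, self.exited = ram, False

    def value(self, op):                      # operand: register, [memory] or immediate
        if op in self.regs:
            return self.regs[op]
        if op.startswith("["):
            return struct.unpack_from("<Q", self.ram, int(op.strip("[]"), 0))[0]
        return int(op, 0)

    def store(self, op, val):
        val &= self.mask                      # bits that do not fit the register are lost
        if op in self.regs:
            self.regs[op] = val
        else:
            struct.pack_into("<Q", self.ram, int(op.strip("[]"), 0), val)

    def step(self, program):
        insn = program[self.regs["eip"]]      # fetch the instruction eip points at
        self.regs["eip"] += 1
        mnem, _, rest = insn.partition(" ")   # decode mnemonic and operands
        ops = [o.strip() for o in rest.split(",")]
        if mnem == "mov":                     # execute
            self.store(ops[0], self.value(ops[1]))
        elif mnem == "add":
            self.store(ops[0], self.value(ops[0]) + self.value(ops[1]))
        elif mnem == "xor":
            self.store(ops[0], self.value(ops[0]) ^ self.value(ops[1]))
        elif mnem == "int" and self.value(ops[0]) == 0x80 and self.regs["eax"] == 1:
            self.exited = True                # sys_exit: the status is in ebx
        else:
            raise ValueError("unsupported instruction: " + insn)

def run_sum(num1, num2, bits=32):
    """Run SUM_PROGRAM with `bits`-wide registers; return (sum in RAM, exit status)."""
    ram = bytearray(24)
    struct.pack_into("<QQ", ram, 0x0, num1, num2)
    cpu = TinyCPU(ram, bits)
    while not cpu.exited:
        cpu.step(SUM_PROGRAM)
    return struct.unpack_from("<Q", ram, 0x10)[0], cpu.regs["ebx"]
```

Running `run_sum(0xFFFFFFFF, 1, bits=32)` gives a sum of 0 because the carry falls off the 32-bit register, while `bits=64` keeps the full 0x100000000.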

You can read more about this point HERE, HERE, HERE and HERE.

4- What is cache memory?

In this point I talked about the previous operation, fetch, and gave an example about browsing: "When you visit a website more than once, the first time the website loads slowly, but the second and third time it loads faster. Why does this happen?" Yes, the answer is the cache concept.

In browsers we use the browser data cache to save the state of the website for faster loading the next time we visit it. In computers in general, we use cache memory to save the program state for much faster loading, and this memory is synchronized with the main memory by some mathematical and mapping operations that are not interesting for us as malware analysts.

You can read about this point HERE, HERE and HERE.

And you can get the full session from HERE.

Session 4

In this session I talked about CTFs, how we can start with them and how we can build our CTF mindset, all through discussing some challenges I solved in CTFs like ASCWG and CyCtf.

The second part of the session was about Python basics, which we study from my script:

  • I created this script to make the process of learning Python easier by explaining all the basic Python topics in one script, where you can find each part with its explanation, and you can run a specific part to see its output.

And these are some photos from it:

(photos #1 to #6 of the script)

You can get the script from HERE.

You can also get the full session from HERE.

You can now start to build the malware analyst's view in your mind, and your questions will increase, so wait for me next week to start answering them all.

Goodbye!!
