Practical Malware Analysis
Ch 6: Recognizing C Constructs in Assembly
Updated for FLARE-VM 10-6-20
Function Call
Finding the Code in IDA Pro
• IDA shows only the entry point
• Use Strings, then XREF
• Shift+F12 opens the Strings window
• Double-click a string to jump to it in the data section
• Double-click its XREF to reach the code that uses it
Disassembly in IDA Pro
• Arguments for the printf() function are pushed onto the stack
• Pushed in reverse order (last argument first)
• call transfers control to the function
Global vs. Local Variables
• Global variables
– Available to any function in the program
– Stored outside all functions
• Local variables
– Defined in a function and only available to that function
– Stored on the stack
Global vs. Local Variables
Arithmetic Operations
Branching (if)
Finding for Loops
• Four components
• Initialization: i starts at 0
• Comparison: is i < 100?
• Execution: printf
• Increment/decrement: i++
CNIT 126: Ch 6: Recognizing C Constructs in Assembly
Arrays
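The script below is an added example; it is not part of the original slides, the book, or its lab binaries. It turns the recognition rules from the slides above into code and runs them over one listing: arguments pushed in reverse order before call (with the caller's add esp clean-up as a cdecl sanity check), locals on the stack versus globals at fixed addresses, cmp followed by a conditional jump, the four components of a for loop, and index*size addressing for array elements. The listing, its addresses, the labels, and the symbols dword_40A000, var_4, var_14, aDS and aHi are all constructed to look like IDA's rendering of MSVC /Od output for the C fragment in the comment; none of it comes from a real sample.

```python
import re

# Constructed IDA Pro-style listing (not from the book's samples) of what MSVC at /Od
# typically emits for:  int g;  int i, arr[4];  for (i = 0; i < 100; i++)
# printf("%d %s\n", i, "hi");  if (g == 0) g = arr[i];
LISTING = """\
.text:00401006 mov     [ebp+var_4], 0          ; i = 0
.text:0040100D jmp     short loc_401018
.text:0040100F loc_40100F:
.text:0040100F mov     eax, [ebp+var_4]        ; i++ (load, add, store back)
.text:00401012 add     eax, 1
.text:00401015 mov     [ebp+var_4], eax
.text:00401018 loc_401018:
.text:00401018 cmp     [ebp+var_4], 64h        ; i < 100 ?
.text:0040101C jge     short loc_401036
.text:0040101E push    offset aHi              ; "hi"  (last argument pushed first)
.text:00401023 mov     ecx, [ebp+var_4]
.text:00401026 push    ecx
.text:00401027 push    offset aDS              ; "%d %s\\n"
.text:0040102C call    printf
.text:00401031 add     esp, 0Ch                ; caller removes 3 * 4 bytes (cdecl)
.text:00401034 jmp     short loc_40100F
.text:00401036 loc_401036:
.text:00401036 cmp     dword_40A000, 0         ; g == 0 ?
.text:0040103D jnz     short loc_40104B
.text:0040103F mov     edx, [ebp+var_4]
.text:00401042 mov     eax, [ebp+edx*4+var_14] ; arr[i]: base + index*4
.text:00401046 mov     dword_40A000, eax
"""
LINE = re.compile(r"^\.text:([0-9A-Fa-f]{8})\s+(\S+)(?:\s+(.*))?$")
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
# conditional jump that skips a block -> the C condition under which it does NOT jump
FALLS = {"jge": "<", "jg": "<=", "jle": ">", "jl": ">=", "jnz": "==", "jne": "==", "jz": "!=", "je": "!="}

def imm(s):  # IDA immediates: '64h' -> 100, '0' -> 0
    return int(s[:-1], 16) if s.lower().endswith("h") else int(s)

def loc(op):  # 'short loc_401018' -> 0x401018, anything else -> None
    m = re.search(r"loc_([0-9A-Fa-f]+)", op)
    return int(m.group(1), 16) if m else None

def parse(listing):  # listing text -> [(addr, mnemonic, [operands])]; labels and ';' comments dropped
    out = []
    for raw in listing.splitlines():
        m = LINE.match(raw.split(";", 1)[0].rstrip())
        if m and not m.group(2).endswith(":"):
            addr, mnem, ops = m.groups()
            out.append((int(addr, 16), mnem.lower(), [o.strip() for o in ops.split(",")] if ops else []))
    return out

def classify(op):  # where an operand lives: the global / local (stack) / array distinction
    if op.lower() in REGS or re.fullmatch(r"[0-9A-Fa-f]+h|\d+", op):
        return "register" if op.lower() in REGS else "immediate"
    if op.startswith("["):  # memory through a register base
        where = "local" if re.search(r"var_|ebp-|esp", op) else "argument" if "arg_" in op else "global"
        scale = re.search(r"\*([1248])", op)  # index*size means an array element
        return f"{where} array, {scale.group(1)}-byte elements" if scale else where
    return "global"  # dword_XXXX, offset aString, or a bare symbol

def call_args(insns):  # recover each call's arguments in C order, plus a cdecl clean-up check
    found = []
    for i, (_, mnem, ops) in enumerate(insns):
        if mnem != "call":
            continue
        args, j = [], i - 1  # walk backward: pushes are reversed, so the last push is argument 0
        while j >= 0 and insns[j][1] in ("push", "mov"):
            pm, pops = insns[j][1:]
            if pm == "push":
                args.append(pops[0])
            elif pops[0] in REGS:  # 'mov reg, X' staged an argument: report X, not the register
                args = [pops[1] if a == pops[0] else a for a in args]
            j -= 1
        cleanup = [imm(n[2][1]) for n in insns[i + 1:i + 2] if n[1] == "add" and n[2][0] == "esp"]
        found.append({"callee": ops[0], "args": args, "cdecl_ok": cleanup == [4 * len(args)]})
    return found

def branches(insns):  # cmp/test + conditional jump, the 'if' pattern -> (index, operands, jcc, target)
    return [(k, ops, n[1], loc(n[2][0])) for k, ((_, m, ops), n) in enumerate(zip(insns, insns[1:]))
            if m in ("cmp", "test") and n[1] in FALLS]

def for_loops(insns):  # a backward jmp closes a loop; inside it find the four for-loop components
    idx, loops = {a: k for k, (a, _, _) in enumerate(insns)}, []
    for i, (addr, mnem, ops) in enumerate(insns):
        tgt = loc(ops[0]) if mnem == "jmp" else None
        if tgt is None or tgt >= addr or tgt not in idx:
            continue
        body = insns[idx[tgt]:i]
        exits = [b for b in branches(body) if (b[3] or 0) > addr]  # comparison that leaves the loop
        if not exits:
            continue
        _, (counter, bound), jcc, _ = exits[0]
        init = next((b[2][1] for b in reversed(insns[:idx[tgt]])  # initialization before the loop
                     if b[1] == "mov" and b[2][0] == counter), None)
        step = next((("+" if b[1] in ("add", "inc") else "-") + str(imm(b[2][1]) if len(b[2]) > 1 else 1)
                     for k, b in enumerate(body) if b[1] in ("add", "sub", "inc", "dec") and (b[2][0] == counter
                     or (k + 1 < len(body) and body[k + 1][1:] == ("mov", [counter, b[2][0]])))), None)
        loops.append({"counter": counter, "init": init, "cond": f"{counter} {FALLS[jcc]} {imm(bound)}",
                      "step": step, "body_calls": [c["callee"] for c in call_args(body)]})  # execution
    return loops
```

Feeding parse(LISTING) to call_args returns printf's arguments already in C order ("%d %s\n", i, "hi") with cdecl_ok true, because the add esp, 0Ch after the call matches three 4-byte pushes; a mismatch there is a hint that the callee is stdcall or that the pushes belong to something else. for_loops reports the counter [ebp+var_4], its initial value 0, the continue condition < 100 (the inverse of the jge that exits), the step +1 recovered through the load/add/store sequence from the arithmetic slide, and printf as the loop body. classify labels [ebp+var_4] local, dword_40A000 global and [ebp+edx*4+var_14] a local array with 4-byte elements. The heuristics assume 32-bit code with a frame pointer, as in the book's samples; optimized or 64-bit code passes arguments in registers and needs different rules.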
Summary
• Finding the Code
– Strings, then XREF
• Function Call
– Arguments pushed onto stack
– Reverse order
– call
• Variables
– Global: in memory, available to all functions
– Local: on stack, only available to one function
Summary
• Arithmetic
– Move variables into registers
– Perform arithmetic (add, sub, idiv, etc.)
– Move results back into variables
• Branching
– Compare (cmp, test, etc.)
– Conditional jump (jz, jnz, etc.)
– Red arrow if false, green arrow if true