CIS-261 Home http://www.c-jump.com/bcc/c261c/CIS261syllabus.html
Download and assemble program ABC.ASM. (Recall guidelines of HOWTO assemble and debug an .ASM program.)
If you are assembling your program using Visual Studio 2005, make sure to switch to Release build:
click Build menu -> Configuration Manager... -> change Active solution configuration to Release.
Alternatively, you can build your program from the command line:
"C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\vsvars32.bat" ML /coff /c /Fl M1.ASM LINK /subsystem:console /entry:main /out:M1.exe M1.obj
; CIS-261 Lab exercise M01 ; ABC.asm ; Empty program that reserves 3 bytes of memory ; in the data segment. .386 ; Tells MASM to use Intel 80386 instruction set. .MODEL FLAT ; Flat memory model option casemap:none ; Treat labels as case-sensitive .CONST ; Constant data segment .STACK 100h ; (default is 1-kilobyte stack) .DATA ; Begin initialised data segment BYTE 'A' BYTE 'B' BYTE 'C' .CODE ; Begin code segment _main PROC ; Main entry point into program BYTE 16 DUP (90h) ret _main ENDP END _main ; Marks the end of the module and sets the program entry point label
Start OllyDbg.
NOTE: If using Microsoft Vista, run OllyDbg as Administrator.
Click File menu -> Open, then locate and load the executable file.
Debugging session will start automatically.
Click View menu -> Executable Modules.
Why are there more than one module in this view?
Your Answer:
Double-click your program to bring up the CPU view.
Which CPU register contains the address of the next executable instruction?
Your Answer:
What is the address of the next executable instruction?
Your Answer:
What is the next executable instruction as shown by OllyDbg?
Your Answer:
Click View menu -> Memory.
Examine the view and briefly describe what do you see in the window.
Your Answer:
In your own words, explain the purpose of
.text .rdata .data
Your Answer:
In Memory View window, right-click the .text section of your program, and choose View in Disassembler.
In your own words, explain what do you see in the Disassembler window.
Your Answer:
Hint: you can copy and paste the information from any OllyDbg window at any time.
Press ALT+F9 (or click Debug menu -> Execute till user code.)
Recall that the original program ABC.ASM contains the line
BYTE 16 DUP (90h)
in its .CODE segment. What happened to the original line of code? What do you see in the Disassembler window instead?
Please explain:
Recall that the original program ABC.ASM reserved three bytes corresponding to characters A, B, and C:
BYTE 'A' BYTE 'B' BYTE 'C'
In Memory View window, double-click the .data section of your program to open the Dump View window.
What is the starting address of each character?
Your Answer:
'A' 'B' 'C'
Switch back to the CPU window.
You next task is to modify the EXE file so that program does something useful and replaces "ABC" with "XYZ".
Consider using instructions
mov BYTE PTR [ addr-of-A ], 'X' mov BYTE PTR [ addr-of-B ], 'Y' mov BYTE PTR [ addr-of-C ], 'Z'
where addr-of-A, addr-of-B, and addr-of-C are the corresponding hexadecimal addresses of each character in memory.
Replace the NOP instructions (opcodes 90h) by entering the first of the three MOV instructions,
mov BYTE PTR [ addr-of-A ], 'X'
To do this, double-click the first NOP instruction in the disassembly window. You should see the following prompt:
Enter the MOV instruction mnemonic and operands, then click Assemble.
Click Cancel to close the assemble prompt.
OllyDbg instantly assembles entered instructions and patches your program in memory.
Copy and paste the result of your modification here:
Your Answer:
How many bytes does the MOV instruction occupy?
Your Answer:
Why the "XYZ" problem cannot be solved by simply entering the three of the above MOV instructions in a row?
Your Answer:
Why BYTE PTR operator was needed by the destination operand of the MOV instruction?
Your Answer:
Restore program to its original state by pressing CTRL+F2 (or clicking Debug menu -> Restart.)
This time, replace the NOP instructions by the following fragment of code:
MOV EDI, addr-of-A MOV AL,58 MOV [EDI],AL INC EDI INC AL CMP AL,5A JLE addr-of-mov
where addr-of-mov is the address of the
MOV [EDI],AL
instruction, and addr-of-A is the addresses of character 'A' in memory.
Run program step-by-step (F8) in OllyDbg.
Explain the logic of the new solution:
Your Answer:
Recall x86 instruction format:
Copy and paste the result of your latest modifications from the Disassembly window here:
Program modifications:
For each instruction from the above fragment, please describe the following:
What is the instruction opcode? If possible, provide additional info about specific bit fields in the opcode:
Your Answer:
Does the instruction include Mod-R/M byte? If so, explain briefly how Mod-R/M fields are used:
Your Answer:
Explain the presence of any additional bytes in the instruction format (for example, the immediate value):
Your Answer:
Feel free to refer to the following materials while working on this part of the Lab:
Intel Instruction Set Reference Volume 2 , Chapters 2 and 3, Instruction Format and Reference.
Encoding Real x86 Instructions lecture.
You can save the changes back to the original EXE file. Here is how:
In CPU window, right-click the modified fragment, and select Copy to executable -> All modifications.
Click Copy All.
New Disassembly window will open. Close this window. When File changed prompt appears, indicating that EXE file differs from the original, click YES.
Answer positively that you wish to overwrite the original executable.
Submit your answers to the questions highlighted in this handout.
It is okay to copy and paste the entire lab description into a word processor of your choice and add your answers there.
PLEASE DO NOT send any EXEcutables or Visual Studio project files.