Personal.X-Istence.com

Bert JW Regeer (畢傑龍)

Maker Faire: San Mateo Fairgrounds

I just got back from Maker Faire in San Mateo, California. I went with a whole group of students, in the UAT van and drove from Phoenix to San Francisco in 14 hours. 10 of us, packed into a tight space for 14 hours, it was a blast. Most of us slept on the way there, trying to catch up on the sleep we had not had because of finals week. When we finally got to San Mateo we went to our hotel, a dump, to say the least. The Hillsdale Inn sucks. We got there and the lady at the registration had clearly been drinking, and kept walking away from the front desk to the bar. At the same time our leader LostboY (Ryan) was trying to get things sorted, as the lady said we had not paid for the rooms yet, when clearly she had the credit card data on file, AND the credit card showed that it had been charged. She tried to run the card again, but since it was a duplicate charge, american express denied the charge. Eventually she gave us the keys after recording all of the people who would stay in the Hotel rooms ID's.

We unpack the van, and get ourselves situated. We locate a restaurant and head out to go eat dinner. We end up failing to follow the GPS, and we end up at a Denny's, not everyone was too happy, but at least it was food. Sarah one of my room mates who is also on the trip ends up getting sick. We drive back to the Hotel so she can go to bed, as we all have to be up early in the morning to get to the Faire in time. When we get back to the Hotel we find that they have locked us out of the rooms, our stuff is still inside. Ryan goes to the front desk and calmly asks them to unlock the rooms, and asks why they were locked in the first place. At this point someone who was at the bar comes out, and wants to start a fight with Ryan. It is at this point that the front desk lady gives us a few minutes to grab our stuff and get the hell out of there. She is swearing, and at this time heavily intoxicated. We quickly grab our stuff, and throw it all back into the van. At this point the lady threatens to call the police, so we preempt her, and do exactly that. We end up waiting outside in the cold of the night at 0130 in the morning until the San Mateo police arrive so that we could tell them what happened, and to be able to double check both rooms to make sure we did not leave anything behind, and also get the names and numbers of the people involved. Ryan decides to not press charges.

We start looking for new Hotels almost immediately, using the GPS that Ryan brought with him, we find a Best Western right across the highway, and they have two rooms available. So after wrapping up the business with the police, we head over there. We walk in, the lady is extremely nice, gives us our cards to the rooms, and we finally are able to get to a nice hotel room. No identification required, no threats, no problems what so ever. She even gives us a discount when we tell her our horror story about what we just went through. It was a nice change from what had happened.

We finally got situated in our hotel rooms by 0230 in the morning, and we did not fall asleep until 0300 or later. Ryan and I got up at 0600 in the morning, took a shower and left for Maker Faire at around 0700 to help Jon and John from EFX Tek set up their booth (Ryan is part of their company). Ryan had told me much about the two of them, and it was awesome to finally get to meet them in person. They exceeded the expectations that Ryan had set by just talking about them. They are extremely awesome and knowledgeable guys, who have amazing pasts, and really interesting hobbies. They have one of the most awesome booth designs I have ever seen. It came out of two large shipping crates, was made out of solid wood and was panelling that all fit together in an organised fashion. This was a well thought out and perfectly engineered booth.

We finished setting up at around 0930 in the morning. I had been running on 3 hours of sleep, and I was not yet feeling tired at all. Maker Faire just opened for the day, and people are slowly starting to trickle in, as I walk around I already see some very amazing projects in motion, or being worked on. At around 1000 or so the others finally head over to the Faire from the hotel. It is at this time that I start looking at things. The amazing projects people have worked on to show case. Everywhere I go with Ryan people recognise him, or he recognises someone. There are even several people from Defcon there to check things out and they all come over and greet Ryan, mostly to ask him about his Mystery Challenge. What was most interesting is that people were protesting fossil fuels by burning fossil fuels. Beautiful irony, damn hippies. I did get to meet Johnny Lee of Wiimote hacking fame, with the tracking of the pens using the infrared camera in the Wiimotes. Sean and I had worked on replicating one of his many set ups using very simple parts, just to see if we could and it was really cool to meet the person who started it all. Day 1 for the rest was rather uneventful, mostly because I was getting way to tired to enjoy walking around. My feet really hurt, mainly because I had been standing all day, and with very little sleep. At night Abney Park would be playing, I ended up not going to their show mainly because I was too tired and I really did not want to be on my feet any longer. We went out to TGIF for dinner, and then I went straight back to the Hotel. I don't remember much of the rest of the night, other than that I fell asleep!

The next day we all woke up at around 1000 or so, we went out to breakfast at Denny's, had a big breakfast and then headed out to Maker Faire at around 0100 or so, we go there and the parking lot was full, but we all had special badges we had acquired, so we talked our way past the security guard. And guess who was waiting to get in, but the security guard not knowing who he was would not let him in. Adam Savage from MythBusters. The guard did not know who he was and would not let him in, and he needed to be on stage in the next 20 minutes to give a presentation. Eventually Ryan talked the security guard into letting Adam and his wife and kids into the parking lot, at the same time handing over his business card. We park the van and start walking in when we notice that Adam has parked and has the badge he requires, so we let him know what gate he should use to enter, and when Ryan mentions he has a bunch of his students with him, Adam tips his hat in our direction. We all nod, in return as an acknowledgement. Adam's presentation was about his Maltese Falcon and the story behind how he got started making things, building models and everything along those lines. His work has been featured in many movies, including Star Wars, AI, and many others. It is really cool to see some of the work he has done, and how he obsesses over the smallest details. Afterwards Ryan and I head over to tech shop to get our laptops laser etched. He has his Asus eeePC with him, and I have my MacBook Pro. At first I am hesitant to get it engraved, but when the engraver reassures me that Apple never gave him problems over his engraved iPhone or engraved MacBook Pro I go ahead and do it. My MacBook Pro has now been engraved with my nickname (X-Istence) and the following short program:

#include <stdio.h>

int main() { printf("%c", 0x58);

return 0;

}

Re-sale value be damned, this looks fantastic on my laptop. It took off such a small tiny miniscule layer that you are unable to feel it at all when you run your hands across it. If Apple gives me any crap for it, I will just slap some stickers over top of it, as I had stickers on my laptop the last time, and they were not a problem at all. There was another cool design I could have etched instead, but I did not feel that it spoke to me, it did not feel personal enough, hence the small program and my nickname. It makes my laptop mine. At this point it is already 1740 and the Maker Faire is starting to shut down. They want everyone that is not a "Maker" out of the Fairgrounds as soon as 1800 so that they can start packing up and cleaning the place up. We students all end up standing at the EFX Tek booth listening to John talk about his earlier days working for several major companies, and the state of credit card security, and the security of credit card devices. I wish we could have spent more time with both John and Jon since they both have very different and interesting backgrounds. For example, John is certified to nuclear soldering standards. What this means is that he knows the procedures and steps to solder a joint in such a way that it will be guaranteed good for the next 10 years as the human body can only withstand so much radiation. So much knowledge, way too little time.

Hopefully they will be able to make it out to UAT for Tech Forum to talk about their experiences. It is a Sunday and being the last day we all head out to Maccaroni Grill for dinner. Jon goes with us, unfortunately John had to leave. Dinner with a bunch of college students is always fun, so there are jokes, there is talking, laughing. It is an all around good time. We end up going back to the hotel and falling asleep. Ryan and I both wake up at around 0800 in the morning, we start getting ready, packing things back up into suitcases, taking showers and going for the free continental breakfast Best Western serves. We get everyone else up, so that we can leave to head home. We all climb into the van and head home at 1015. Just over 12 hours later, we get to UAT at 2250. On the trip back home many of us are not feeling too great, mainly because of the amount of fast food we have been eating on the trip, combined with the bad road conditions and the amount of sleep we did not get. We get home without any issues what so ever though.

The weekend was awesome. I really enjoyed myself and would like to thank Ryan for driving there, and back. I am surprised he is still sane after that trip. I would like to thank UAT for paying for the hotel rooms, the gas, and the tickets into Maker Faire. I am glad that I did go after all, at first I was not really sure if I wanted to go since I am not into most of what was shown. However the people I met, the cool things I saw, have planted a few seeds here and there as to what I could do, and who knows what the future holds, maybe someday I will be standing at Maker Faire showing off my cool projects.

AVNet Tech Games: Defense in Depth

Yesterday (I am typing this at 00:02, midnight on Sunday) I was part of a team for the University of Advancing Technology competing in the AVNet Tech Games. I was part of a three man team competing against two other teams in the Defense in Depth game. The game consisted of us setting up a network using gear they provided to us, and locking it down in the time they specified.

The game had three parts.

  1. Write a security policy (max 5 pages)
  2. Secure the network and the machines on the network
  3. Find the rogue access point

The night before we figured we should probably get the paper done, so we started writing this on Friday night. Since my team consists of me, and two room mates, when we get tired we head home and start figuring out what software we want to use. In the end we use all open source software, since the game specifically state that the business does not want to spend money on licensing software. We came up with the following free software to supplement what they already had available:

  1. WinPooch
  2. ClamAV
  3. wipfw (IPFW from FreeBSD ported to Windows. Take note Windows admins!)
  4. OpenVPN
  5. OpenWRT

What we got was the following:

  1. Windows 2000
  2. Windows XP
  3. Windows 2003 Server
  4. WRT54G Wireless Linksys router

The night before we also prepped, we had a friend who had a WRT54G they did not mind letting us flash and use, so the day of, I woke up early in the morning and flashed it with OpenWRT, I set it up, and added certain packages I was going to need to be able to configure it properly. Unfortunately the WRT54G's have less memory than I had hoped for, so I had to reflash the router just to be able to finally finish installing the bare minimum packages I required. You will find out more about the configuration I used on this router as I go along.

When we get to our stations, we walk in, and we immediately unplug our router, and replace it with the one we had pre-flashed. Since it was flashed, we could also bridge it with the wireless network that was available, because of problems with the network drops that were given to us to use by the UAT IT staff. We start getting our updates onto the different machines. This takes for ever and a day. Multiple machines are all rebooting all the time. We started at 0800, by 1030 we have completed about half the updates for all the machines. By 1145 the updates for the Windows 2003 Server have been completed and it is on it's final reboot. The Windows 2000 client had been all ready to go, and set up.

During this update cycle, I had created a domain/activate directory on the Windows 2003 server and then joined the other two machines. We now had a way to log in to all the machines with the same usernames/passwords that we set up in the active directory, so now we could easily share folders and make sure that when people accessed files on the server they had the proper permissions to do so. We set up the anti-virus software WinPooch, we installed the firewall and set up some basic rules. And we started setting static IP addresses on all the different machines:

  • 10.55.10.1 - Router
  • 10.55.10.2 - Windows 2003
  • 10.55.10.10 - Windows XP
  • 10.55.10.11 - Windows 2000

At this point I head back into the OpenWRT flashed router, and turn off DHCP for the network. All of them have been set to perfectly static IP addresses, and everything functions as expected. Attackers that want to attack the network will now have a more difficult time trying to figure out what IP address range is in use, where the gateway is, and what the machines on the network is. Especially since most people will blindly try the default ranges of 10.10.10.x, 10.x.x.x and 192.168.x.x.

Now I will give a bit more background on the WRT54G from Linksys, if you are not familiar with it. It contains one Broadcom chip, and 5 ports on the back. 1 WAN, and 4 LAN. The cool thing about these ports is that they really are a switch and they are vlan tagged and then handled differently by Linux because of the tagging. So WAN really is vlan network 1, and the other 4 LAN ports are really vlan network 0. Vlans are a way of splitting up networks into logical segments, without actually splitting up routers and switches. It is a hardware based solution to having multiple routers for multiple departments.

As I mentioned before, we had three computers, and one outgoing connection. So I left the WAN port alone, and the other three computers were plugged into ports 1, 2, and 3. The last port was left open, and a network cable was plugged into it, but was not going anywhere. The contest was being judged on how well we could secure our network, so what I did was move port number 4 to vlan number 2. So now we have the following three vlans:

  • 0 is physical ports 1, 2 and 3
  • 1 is physical port WAN
  • 2 is physical port 4

The hackers that read this blog will recognise what happened next. Nowhere in the competition did it state we had to leave this port connected, or at all accessible. So using OpenWRT's config files in /etc/config I set up a "network" I named blocked. This network was going to have the router have a static IP of 192.168.1.1, and we shall turn on DHCP. We won't allow any outgoing, so really it was a dead port that handed out 192.168.1.x ip addresses, yet it would not allow them to anything on the network. So at one point was I was talking to a cute girl and walking over to the contest area, one of the judges pulled me aside and asked me what the hell was up. Apparently the fact that we had turned this port into a dead port stopped them from doing their judging, which was basically running a Nessus scan over the network (I laughed at this! Suckers). This meant that to do their nessus scan, they would have to unplug one of the other machines and plug in, find the IP range (remember, the other ports don't have DHCP turned on), and then set a static IP and do their scans. I had left an extra Asus switch I had grabbed from the LAN Party stash in the contest area, so they made use of that to be able to plug their multiple devices in to do the judging.

I don't know yet what they judges us on, what we scored in what categories. We however set up some fun traps. Windows 2000, even when fully patched, since it is not maintained by Microsoft anymore is vulnerable to many exploits (go search milw0rm.com). Using the firewall that we had found (wipfw, and the front-end for it qtipfw) I quickly set up some basic rules that basically said any outgoing connections are allowed, and state was kept. So that it could correctly connect to the domain controller, and connect to websites. However incoming connections were only allowed for IP addresses 10.55.10.2 and 10.55.10.10. So unless the judges unplugged one of the machines on the network, and took its ip address, the Windows 2000 machine would reply with an RST or ICMP UNREACHABLE packet for every single thing thrown at it. We had reduced a huge target to that the size of a mosquito, by merely setting up a proper firewall. Could it be hacked some other way. Yes, absolutely, and the solution we used was not a hundred percent complete, and would not stop all attacks.

When I finally get some sleep, I am going to email LostboY, who was our team lead, and I am going to see if we can get some clue into what they judged us on, what we did well on, and what we need to learn for next time. For three Unix/Linux/Mac OS X administrators we did pretty damn well. We were pretty lost in Windows, but we pulled through just fine.

I skipped over the first part, which was the security policy, since it sucked, and was something I hate doing. Especially since they wanted us to complete it ahead of time, rather than document while we were working through the problems. So I am going to skip that.

The last part of the challenge was to find the rogue wireless access node. We were the first team to find it, we were also the first time to set up a decoy using the same OpenWRT we had flashed! Since wireless on our router was disabled on purpose (why set something up that is a security hazard, when nowhere it was required to be turned on). So now we had our router also advertising AVNETAP which was the name of the AP we had to find.

We as a team ended up winning the competition. What this means is that we all three will be receiving a scholarship worth a $1000. Which will be going towards paying for security conferences I want to visit this year, those include LayerOne, DefCon and ToorCon, at least, and will most likely also include Maker Faire. The games were a lot of fun, and at the same time were very frustrating because at multiple points in time the judges while judging us were not able to understand what we did and why we did it, and thus wanted to deduct points. All in all, a good day, and probably the quickest I have ever made a $1000, eventhough it took a whole lot of sweating to get the network up and running, and working the way we wanted it to work. Notes for next time. More sleep. 5 hours of sleep before a competition is hell.

addnumbers.asm updated

If you have no clue what I am talking about, check out my previous post. I have fixed the flaws, and now it will parse the commands it is handed on the command line, and stick them into an integer. It will now print it to stdout.

This has been an awesome learning experience for me. Especially with regards to how to do recursion, how to debug a pure assembly program with gdb and whatnot.

Here comes the code, as I said before, see my previous thread if you don't know what I am talking about, as well as instructions on how to compile the program.

; File: addnumbers2.asm
; Bert JW Regeer
; 
; 2008-01-27
; 
; Function:
;   Add numbers together that are provided as arguments to the program in argv[1] and argv[2].
;
; Known limitations:
;   This will hopefully be fixed in the next revision. Floating point numbers will not work.
;   Any input that is larger than an integer will cause overflows, and thus will not work.

section .data

    ; Define some strings that are going to be used throughout the program

    ; This string is to let the user know they failed to provide the proper amount of arguments.
args    db  "Program addnumbers: ", 0xa, 0x9, "addnumbers <number 1> <number 2>", 0xa, 0x9, "Arguments 1 and 2 are required.", 0xa, 0x9, "Anything that will cause addition to overflow an int (2,147,483,647), will fail! :P", 0xa
largs   equ $ - args

    ; This string contains part of the output that we are going to send to the terminal. The last two
    ; bytes will be filled automatically by the program, before it is output to stdout.
msg db  'Answer: ', 0
lmsg    equ $ - msg

num1    dd  0
num2    dd  0

section .bss
    ; This is where I am going to store the output of my conversion from an integer to a char
answer  resb    64

section .text
global start                ; Linker defined entry point. Mac OS X this is start. 
global _start               ; FreeBSD and others _start.

_start:
start:
    push    ebp         ; 
    mov ebp, esp        ; Set up the stack frame

    mov ecx, [ebp + 4]      ; Get argc, we check if it set to at least 3
    mov edx, ebp        ; Put the base pointer into edx, so we can use that in 
                    ; our dereferences coming up
    add edx, 8          ; Add 8. We want to skip ebp and argc

    cmp ecx, 3          ; Check if we have at least 3 arguments to the program. 
                    ; At least two arguments are required, and the 3rd one is 
                    ; the name of the program
    jl  exit            ; If the value in ecx is less than 3, jump to exit

    mov esi, 1          ; Set the index to 1

    mov eax, [edx + esi * 4]    ; Move the pointer to the character array into eax
    push    eax         ; Push eax onto the stack
    push    num1            ; Push the pointer to num1 onto the stack
    call    ctoi            ; Call my char to int function
    add esp, byte 8     ; Put the stack pointer back to where it was.

    inc esi         ; Increase the index

    mov eax, [edx + esi * 4]    ; Move the pointer to the character array into eax
    push    eax         ; Push eax onto the stack
    push    num2            ; Push the pointer to num2 onto the stack
    call    ctoi            ; Call my char to int function
    add esp, byte 8     ; Put the stack pointer back to where it was.

    mov eax, [num1]     ; Move value stored in num1 into eax
    add eax, [num2]     ; Add num2 to eax, this will now be stored in eax

    push    eax         ; Push the new calculated number onto the stack
    call    itoa            ; Convert the integer to a character array

    push    dword lmsg      ; Push the length of the string
    push    msg         ; Push the location of the string in memory
    push    dword 0x1       ; Push the file descriptor to write to
    mov eax,4           ; Move the syscall number into eax
    push    eax         ; Push the syscall onto the stack
    int 0x80            ; Interrupt 80, go to kernel
    add esp, byte 16        ; Clean up the stack

    push    answer          ; Push answer onto the stack
    call    len         ; Get it's length

    push    edi         ; Push the length onto the stack
    push    answer          ; Push the pointer to the character string onto the stack
    push    dword 0x1       ; Push the file descriptor to write to
    mov eax,4           ; Push the syscall number into eax
    push    eax         ; Push the syscall onto the stack
    int 0x80            ; Interrupt 80, go to kernel
    add esp, byte 16        ; Clean up the stack

    jmp done            ; Program is done. Jump to done

exit:
    ; This label is jumped to when we want to exit the program and let the user know how
    ; to run the program. Like for instance what paramaters to send the program.
                    ; Call sys_write
    push    dword largs     ; Push the length of the string
    push    dword args      ; Push the location of the string in memory
    push    dword 0x1       ; Push the file descriptor to write to
    mov eax,4           ; Move the syscall number into eax
    push    eax         ; Push the syscall onto the stack
    int 0x80            ; Interrupt 80, go to kernel
    add esp, byte 16        ; Clean up the stack

done:
    ; This is the label we jump to when we want to exit the program, we set the exit code
    ; to 0.
                    ; Call sys_exit
    push    dword 0x0       ; Push the value to return to the operating system
    mov eax,1           ; Move the syscall number into eax
    push    eax         ; Push the syscall onto the stack
    int 0x80            ; Interrupt 80, go to kernel

    ; We never return to this function, so no need to clean the stack. :P

ctoi:
    ; char to i. We actually convert entire character array's to integers.
    ;
    ; We get two paramaters on the stack. The first one we grab is the pointer to the place to store
    ; the number. The second is the pointer to the character array.

    push    ebp         ; Push the old base pointer onto the stack
    mov ebp, esp        ; Create a new base pointer
    push    esi         ; Store all the original registers
    push    eax
    push    ebx
    push    ecx 
    push    edx         ; Push edx, so that we can overwrite it
    sub esp, 4          ; We get another storage space on the stack
    mov [esp], dword 10     ; This is the number we are going to multiply by

    mov eax, [ebp + 12]     ; Move the pointer to the character array into eax
    push    eax         ; Push the pointer to the character array onto the stack
    call    len         ; Call the string length versoin
    add esp, byte 4     ; Reclaim the space we lost when we pushed eax onto the stack

    mov ebx, [ebp + 8]      ; This is where we are going to store the numbers
    mov esi, [ebp + 12]     ; This is the pointer to the character array
    movzx   ecx, di         ; move with extended zero edi.
    mov edi, 0          ; Clean up edi

    ctoi_loop:
    mov eax, [ebx]      ; Move the value stored in ebx into eax
    mul dword [esp]     ; Move it over a 10s place.
    mov [ebx], eax      ; Move the new number back into ebx

    movzx   eax, byte [esi + edi]   ; Move the character into eax
    movsx   eax, al         ; We just want the lower part of the character

    sub eax, 0x30       ; Subtract 0x30, ASCII 0 so that it is an actual number
    add [ebx], eax      ; Add the new number to the old number that has been multiplied by 10
    inc edi         ; Increase the counter
    loop ctoi_loop          ; Loop into cx is 0

    add esp, byte 4
    pop edx         ; Restore all the registers
    pop ecx
    pop ebx
    pop eax
    pop esi
    mov esp, ebp        ; Make esp the original base pointer again
    pop ebp         ; Pop the original base pointer into the register
    ret             ; Return caller

itoa:
    ; Recursive function. This is going to convert the integer to the character.
    push    ebp         ; Setup a new stack frame
    mov ebp, esp
    push    eax         ; Save the registers
    push    ebx
    push    ecx
    push    edx

    mov eax, [ebp + 8]      ; eax is going to contain the integer
    mov ebx, dword 10       ; This is our "stop" value as well as our value to divide with
    mov ecx, answer     ; Put a pointer to answer into ecx
    push    ebx         ; Push ebx on the field for our "stop" value

    itoa_loop:
    cmp eax, ebx        ; Compare eax, and ebx
    jl  itoa_unroll     ; Jump if eax is less than ebx (which is 10)
    xor edx, edx        ; Clear edx
    div ebx         ; Divide by ebx (10)
    push    edx         ; Push the remainder onto the stack
    jmp itoa_loop       ; Jump back to the top of the loop
    itoa_unroll:            
    add al, 0x30        ; Add 0x30 to the bottom part of eax to make it an ASCII char
    mov [ecx], byte al      ; Move the ASCII char into the memory references by ecx
    inc ecx         ; Increment ecx
    pop eax         ; Pop the next variable from the stack
    cmp eax, ebx        ; Compare if eax is ebx
    jne itoa_unroll     ; If they are not equal, we jump back to the unroll loop
                    ; else we are done, and we execute the next few commands
    mov [ecx], byte 0xa     ; Add a newline character to the end of the character array
    inc ecx         ; Increment ecx
    mov [ecx], byte 0       ; Add a null byte to ecx, so that when we pass it to our
                    ; len function it will properly give us a length

    pop edx         ; Restore registers
    pop ecx
    pop ebx
    pop eax
    mov esp, ebp        
    pop ebp
    ret

len:
    ; Returns the length of a string. The string has to be null terminated. Otherwise this function
    ; will fail miserably. 
    ; Upon return. edi will contain the length of the string.

    push    ebp         ; Save the previous stack pointer. We restore it on return
    mov ebp, esp        ; We setup a new stack frame
    push    eax         ; Save registers we are going to use. edi returns the length of the string
    push    ecx

    mov ecx,  [ebp + 8]     ; Move the pointer to eax; we want an offset of one, to jump over the return address

    mov edi, 0          ; Set the counter to 0. We are going to increment this each loop

    len_loop:           ; Just a quick label to jump to
    movzx   eax, byte [ecx + edi]   ; Move the character to eax.
    movsx   eax, al         ; Move al to eax. al is part of eax.
    inc di          ; Increase di.
    cmp eax, 0          ; Compare eax to 0.
    jnz     len_loop        ; If it is not zero, we jump back to len_loop and repeat.

    dec di          ; Remove one from the count

    pop ecx         ; Restore registers
    pop eax
    mov esp, ebp        ; Set esp back to what ebp used to be.
    pop ebp         ; Restore the stack frame
    ret             ; Return to caller

Introduction to Intel Assembly

This semester I am taking a class on Intel assembly, because I want more of an insight into how the computer works, and it will allow me to better reverse engineer new viruses and spyware. The class is also required if one is a Software Engineering major, so that means I have to take it.

The professor who teaches it absolutely sucks at teaching. He gets up in front of the class and mumbles through some powerpoint slides, which provide no real information, and then goes on and on about his days at Motorolla. It really sucks. Oh, best part is this quote:

"I think that is how Intel processors do it. I don't know I have not read up on it yet"

Well, we had our first assignment. Sum two numbers and then output them to the screen. We were supposed to write inline assembly using Visual Studio C++, but if we are to do an assembly class, then we should learn how to do write assembly, not have some parts assembly and other parts the compiler. Sure it makes it easy as you will get immediate access to the standard C library, but if you want that, you can just link against it.

The following code examples were written on Mac OS X, and will work on FreeBSD. Linux uses a different calling convention for it's syscalls, and as such this code will not run on Linux, unless it is modified. Do note, you need an Intel Mac for this to work. This is Intel assembly.

Compile the code with (Mac OS X):

nasm -f macho addnumbers.asm
ld -o addnumbers addnumbers.o

or (FreeBSD)

nasm -f elf addnumbers.asm
ld -o addnumbers addnumbers.o

Then you can run it with:

./addnumbers 1 5

As you can see in the comments of the source code, there are still some limitations, but the rest of the source code should be made readable by the comments that are provided.

Porting to Linux: Please double check that all the syscall numbers are the same. There are some differences between Linux and FreeBSD/Mac OS X in that regard.

; File: addnumbers.asm
; Bert JW Regeer
; 
; 2008-01-27
; 
; Function:
;   Add numbers together that are provided as arguments to the program in argv[1] and argv[2].
;
; Known limitations:
;   As of right now, the numbers that are provided may not add up to anything more than 9.
;   This will hopefully be fixed in the next revision. Floating point numbers will not work.
;
; Todo:
;   Write conversion routine, to convert a string of numbers into a real integer on which
;   math may be performed.

section .data

    ; Define some strings that are going to be used throughout the program

    ; This string is to let the user know they failed to provide the proper amount of arguments.
args    db  "You failed to provide the proper amount of arguments", 0xa
largs   equ $ - args

    ; This string contains part of the output that we are going to send to the terminal. The last two
    ; bytes will be filled automatically by the program, before it is output to stdout.
msg db  'Answer: ', 0,  0
lmsg    equ $ - msg

section .text
global start                ; Linker defined entry point. Mac OS X this is start. FreeBSD and others _start.
global _start

_start:
start:

; Start the program here.

    add esp, byte 8     ; We don't care about argc or argv[0]

    pop     ecx         ; Get the first argument or argv[1]
    jecxz   exit            ; If there was no argument. Exit. Let the user know why

    ; Change the number from a character to an actual dword
    mov eax, dword [ecx]    ; Move the character into eax so we can manipulate it
    sub eax, 0x30       ; Remove 0x30 from the character. To make it an actual number, not an ASCII number.

    pop ecx         ; get the second argument or argv[2]
    jecxz   exit            ; If there was no second argument. Exit. Let the user know why

    mov ebx, dword [ecx]    ; Move the character into ebx so we can manipulate it
    sub ebx, 0x30       ; Remove 0x30 from the character. To make it an actual number, not an ASCII number.

    add eax, ebx        ; Add the two numbers together
    add eax, 0x30       ; Make it an ASCII number again

    mov [msg+lmsg-2], eax   ; Replace the null character in the msg with the answer
    mov [msg+lmsg-1], dword 0xa ; Add an newline character so that when it spits it out it is neatly formatted

                    ; Call sys_write
    push    dword lmsg      ; Push the length of the string
    push    msg         ; Push the location of the string in memory
    push    dword 0x1       ; Push the file descriptor to write to
    mov eax,4           ; Move the syscall number into eax
    push    eax         ; Push the syscall onto the stack
    int 0x80            ; Interrupt 80, go to kernel
    add esp, byte 16        ; Advance the stack pointer

    jmp done            ; Program is done. Jump to done

exit:
                    ; Call sys_write
    push    dword largs     ; Push the length of the string
    push    dword args      ; Push the location of the string in memory
    push    dword 0x1       ; Push the file descriptor to write to
    mov eax,4           ; Move the syscall number into eax
    push    eax         ; Push the syscall onto the stack
    int 0x80            ; Interrupt 80, go to kernel
    add esp, byte 16        ; Advance esp past the part we were just at

done:
                    ; sys_exit
    push    dword 0x1       ; Push the value to return to the operating system
    mov eax,1           ; Move the syscall number into eax
    push    eax         ; Push the syscall onto the stack
    int 0x80            ; Interrupt 80, go to kernel

    ; We never return to this function, so no need to clean the stack.