Comments on: Modern Exploits – Do You Still Need To Learn Assembly Language (ASM)

By: jackDaniels

jackDaniels — Tue, 16 Dec 2008 21:35:52 +0000

learning assembly isn’t required to write exploits as they can be
written in c/c++ which is fairly low level anyway, though learning to read assembly is a must IMO.

c++ has always done the job for me, and i prefer it as my asm is
quite newbie.

By: SpikyHead

SpikyHead — Wed, 01 Oct 2008 05:16:28 +0000

Well to be a script kiddy.. definitely you dont need to..
but if you wanna rise in hakcer world by creating new exploits or reverse engineering malware.. its a must

By: Yami King

Yami King — Tue, 30 Sep 2008 17:26:33 +0000

Of course it’s not necessary to learn Assembly language. At least, not any more. As you already mentioned nowadays there are tools like Metasploit easing the task for you.

But it can always come in handy knowing and understanding Assembly. A nice article, although maybe a liiiiitttle bit off course here: http://www.joelonsoftware.com/articles/LeakyAbstractions.html
describes why it can be needed to learn the inner workings of a programming language/tool.

By: Navin

Navin — Tue, 30 Sep 2008 12:53:33 +0000

wow!!!! Never knew bout this!! Menuet I mean

By: razta

razta — Sat, 27 Sep 2008 23:18:27 +0000

Heres an entire OS coded in ASM:
http://www.menuetos.net

Fits on a floppy!

By: Bogwitch

Bogwitch — Sat, 27 Sep 2008 16:52:36 +0000

I guess I’m pretty lucky, ahving cut my teeth on Z80 (Thank you, Sir Clive) and on the 6809 and 68000 series.
Moving on to x86 is pretty straightforward, although I doubt I’ll ever remember the full instruction set, hell, for the ZX81, I could actually dump straight hex in but 25+ years of mental rot have taken their toll since then!
Important? Yup, I’d say so. It helps me understand what is going on inside an application and therefore it becomes so much easier to code exploits. It also helps to keep explit code small, and able to avoid detection; if you’re using someone else’s public exploit code it’s much more likely to be detected, or blocked and hence fail.

By: XerMeLL

XerMeLL — Thu, 25 Sep 2008 00:26:25 +0000

nice topic.. my answer is Yes with a uppercase Y.

By: Pantagruel

Pantagruel — Wed, 24 Sep 2008 14:08:21 +0000

@Darknet

Sitting around waiting for the coconut to fall down from the tree can take a while, that’s true and the bunch of us are (atleast what I gather from the various responses on this and other bloggings here @ Darknet) of the pro-active type.

I am not ashamed to admit recycling the odd bit and bob of code in new projects, there’s little use in reinventing the wheel.

Mashing up existing stuff is a nice way to start but you’re right, it will leave you highly dependant on other people’s skills

By: Darknet

Darknet — Wed, 24 Sep 2008 08:00:49 +0000

So if you discover a new vulnerability by fuzzing a custom or relatively rare service, what are you going to do then? Sit around and wait for someone to code it into Metasploit? I guess it looks that way.

You guys should read what William said, you don’t really need to be an Assembly genius but at least know the basics of machine code and how the CPU works. If you can’t read shellcode you’re in a bit of a bind because you might end up pwning yourself.

Learning C is also a requisite to understand 90% of the exploits out there, C++ is ok but not really a requirement. You could get by like Pantagruel says by writing the xploits in C (by mashing up existing stuff) then whacking in some shell code from Metasploit – but really that’s the not the way to do it.

By: Pantagruel

Pantagruel — Wed, 24 Sep 2008 06:45:42 +0000

With Goodpeople.

Profound hardware and OS knowledge will get you more possible sploits than just being able to write a sploit in asm. Programming knowledge in general will suit you very nicely (even VBA for applications can be very handy if to want to bring down word/xl/xs/ppt) and C/C++ variants will fit the bill.

[In the dark ages we did our first novell sploit in Pascal and later on converted it to asm both for fun and size of the exploit].

With packages like MetaSploit you really do not need to be able to actually code the sploit, it’s very helpfull straight from the box and there are regular additions.

As Goodpeople mentions, learning to programming will teach you how to think along a logical line and you’ll be able to get things more clear and sorted out (let’s compare it to the way you break up your code into blocks and sections which logically belong to each other). But even more important it good analytical skills. It’s more than just knowing or ‘feeling’ the problem, you need to be able to clearly put down how/why it goes wrong and what would be best to do to avoid or exploit }:) this problem.