Modern Exploits – Do You Still Need To Learn Assembly Language (ASM)

This is a fairly interesting subject, I think, as a lot of people entering the security field still ask me whether they need to learn Assembly Language or not.

Assembly Language

For those that aren't sure what it is, it's pretty much the lowest level programming language computers understand without resorting to raw 1's and 0's.

An assembly language is a low-level language for programming computers. It implements a symbolic representation of the numeric machine codes and other constants needed to program a particular CPU architecture. This representation is usually defined by the hardware manufacturer, and is based on abbreviations (called mnemonics) that help the programmer remember individual instructions, registers, etc. An assembly language is thus specific to a certain physical or virtual computer architecture (as opposed to most high-level languages, which are usually portable).

The mnemonics look like MOV, JMP and PUSH.

In straightforward terms the answer is yes, especially if you want to operate at a more advanced level. If you wish to write exploits you need assembly knowledge: there is plenty of great shellcode around, but to get your exploit to the point where it can execute that shellcode (controlling the saved return address, finding a reliable jump into your buffer, avoiding bad characters) you need assembly knowledge. Metasploit is a great resource for shellcode and for shovelling in your exploit, but to understand the inner workings of any binary you need to understand assembly.

You might be able to fuzz out an overflow in some software using a pre-written Python fuzzer, but what are you going to do then? You need to at least understand the stack and heap, and what EIP and ESP (the instruction pointer and stack pointer on 32-bit x86) contain at the moment of the crash.
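As an added example, not code from the original post: a small C program that decodes a subset of 32-bit x86 machine code back into the mnemonics mentioned above, then uses the listing to work out which Linux system call a piece of shellcode ends up invoking. The sample bytes are a hand-assembled execve("/bin/sh") stub constructed for this example; the decoder covers only register-to-register forms and a handful of single-byte and immediate opcodes, and refuses anything else rather than guessing. The function and constant names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_INSN  64
#define INSN_TEXT 32

static const char *reg32[8] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};
static const char *reg8[8]  = {"al","cl","dl","bl","ah","ch","dh","bh"};

static uint32_t rd32(const uint8_t *p) {           /* little-endian imm32 */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode one 32-bit x86 instruction at p into out; return bytes consumed,
 * or 0 when the opcode or its addressing form is outside the supported subset. */
size_t decode_one(const uint8_t *p, size_t len, char *out, size_t outlen) {
    if (len == 0) return 0;
    uint8_t op = p[0];
    if (op == 0x90) { snprintf(out, outlen, "nop"); return 1; }
    if (op == 0xc3) { snprintf(out, outlen, "ret"); return 1; }
    if (op == 0x99) { snprintf(out, outlen, "cdq"); return 1; }
    if (op >= 0x40 && op <= 0x47) { snprintf(out, outlen, "inc %s", reg32[op - 0x40]); return 1; }
    if (op >= 0x48 && op <= 0x4f) { snprintf(out, outlen, "dec %s", reg32[op - 0x48]); return 1; }
    if (op >= 0x50 && op <= 0x57) { snprintf(out, outlen, "push %s", reg32[op - 0x50]); return 1; }
    if (op >= 0x58 && op <= 0x5f) { snprintf(out, outlen, "pop %s", reg32[op - 0x58]); return 1; }
    if (op == 0x68 && len >= 5) { snprintf(out, outlen, "push 0x%x", rd32(p + 1)); return 5; }
    if (op == 0x6a && len >= 2) { snprintf(out, outlen, "push 0x%x", (uint32_t)(int8_t)p[1]); return 2; } /* imm8 sign-extended */
    if (op >= 0xb0 && op <= 0xb7 && len >= 2) { snprintf(out, outlen, "mov %s, 0x%x", reg8[op - 0xb0], (unsigned)p[1]); return 2; }
    if (op >= 0xb8 && op <= 0xbf && len >= 5) { snprintf(out, outlen, "mov %s, 0x%x", reg32[op - 0xb8], rd32(p + 1)); return 5; }
    if (op == 0xcd && len >= 2) { snprintf(out, outlen, "int 0x%x", (unsigned)p[1]); return 2; }
    if (op == 0xeb && len >= 2) { snprintf(out, outlen, "jmp short %+d", (int8_t)p[1]); return 2; }
    if (op == 0xe8 && len >= 5) { snprintf(out, outlen, "call %+d", (int32_t)rd32(p + 1)); return 5; }
    /* ALU/MOV "r/m32, r32" forms: opcode then a ModRM byte; only mod == 11 (register, register) is handled */
    if ((op == 0x01 || op == 0x09 || op == 0x21 || op == 0x29 || op == 0x31 || op == 0x89) && len >= 2) {
        uint8_t modrm = p[1];
        if ((modrm >> 6) != 3) return 0;               /* memory operand: would need SIB/displacement decoding */
        const char *mn = op == 0x01 ? "add" : op == 0x09 ? "or" : op == 0x21 ? "and"
                       : op == 0x29 ? "sub" : op == 0x31 ? "xor" : "mov";
        snprintf(out, outlen, "%s %s, %s", mn, reg32[modrm & 7], reg32[(modrm >> 3) & 7]);  /* dst = rm, src = reg */
        return 2;
    }
    return 0;
}

/* Decode a whole buffer; return the instruction count, or -1 on an unsupported opcode. */
int disassemble(const uint8_t *buf, size_t len, char listing[][INSN_TEXT], int max) {
    size_t off = 0;
    int n = 0;
    while (off < len && n < max) {
        size_t used = decode_one(buf + off, len - off, listing[n], INSN_TEXT);
        if (used == 0) return -1;
        off += used;
        n++;
    }
    return n;
}

/* Follow what eax holds through the listing and return its value at the first "int 0x80",
 * i.e. the Linux system call number the stub invokes; -1 if unknown or no int 0x80 is reached. */
int syscall_at_int80(char listing[][INSN_TEXT], int n) {
    int eax = -1;
    unsigned v;
    for (int i = 0; i < n; i++) {
        if (strcmp(listing[i], "xor eax, eax") == 0) eax = 0;
        else if (sscanf(listing[i], "mov eax, 0x%x", &v) == 1) eax = (int)v;
        else if (sscanf(listing[i], "mov al, 0x%x", &v) == 1) eax = eax < 0 ? -1 : ((eax & ~0xff) | (int)v);
        else if (strcmp(listing[i], "int 0x80") == 0) return eax;
    }
    return -1;
}

/* Constructed sample: hand-assembled execve("/bin/sh", {"/bin/sh", NULL}, NULL) for 32-bit Linux. */
static const uint8_t sample[] = {
    0x31,0xc0,                      /* xor eax, eax            */
    0x50,                           /* push eax   (NUL terminator) */
    0x68,0x2f,0x2f,0x73,0x68,       /* push "//sh"             */
    0x68,0x2f,0x62,0x69,0x6e,       /* push "/bin"             */
    0x89,0xe3,                      /* mov ebx, esp  (filename) */
    0x50, 0x53,                     /* push eax; push ebx      */
    0x89,0xe1,                      /* mov ecx, esp  (argv)    */
    0x99,                           /* cdq           (edx = 0, envp) */
    0xb0,0x0b,                      /* mov al, 11    (execve)  */
    0xcd,0x80                       /* int 0x80                */
};
static char g_listing[MAX_INSN][INSN_TEXT];

int sample_insn_count(void) { return disassemble(sample, sizeof sample, g_listing, MAX_INSN); }
const char *sample_insn(int i) { return g_listing[i]; }          /* valid after sample_insn_count() */
int sample_syscall(void) { int n = sample_insn_count(); return n < 0 ? -1 : syscall_at_int80(g_listing, n); }
/* A two-byte opcode (0x0f ...) is outside the subset: the decoder must refuse, not guess. */
int rejects_unknown(void) { uint8_t bad[] = {0x0f, 0x05}; char l[MAX_INSN][INSN_TEXT]; return disassemble(bad, sizeof bad, l, MAX_INSN) == -1; }

int main(void) {
    int n = sample_insn_count();
    for (int i = 0; i < n; i++) printf("%s\n", g_listing[i]);
    printf("syscall number at int 0x80: %d (11 = execve on 32-bit Linux)\n", sample_syscall());
    return n < 0;
}
```

The point of the syscall check is the one made later in the comments: if you cannot read the shellcode you are about to run, you cannot tell whether it spawns a shell, binds a port or does something to you instead. Extending the decoder to memory operands means handling the SIB byte and displacements, which is exactly the encoding detail the assembly books below teach.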

Even if you don't plan to be that hardcore, learning Assembly really won't hurt at all. A great place to start is the PC Assembly Language book by Paul Carter.

The tutorial has extensive coverage of interfacing assembly and C code, and so might be of interest to C programmers who want to learn how C works under the hood. All the examples use the free NASM (Netwide) assembler. The tutorial only covers programming under 32-bit protected mode and requires a 32-bit protected mode compiler.

If you are specialising, though, you'll be looking more into the realm of debuggers, disassemblers and reverse engineering. SoftICE was king back in the day.

Another great resource is Iczelion’s Win32 Assembly Homepage which has a bunch of tutorials, source code examples and links.

As many say, Assembly is easy to learn but hard to MASTER.

I started out with The Art of Assembly, and I suggest you do too.

Some other resources:

Posted in: Exploits/Vulnerabilities, Secure Coding


18 Responses to Modern Exploits – Do You Still Need To Learn Assembly Language (ASM)

  1. Cor-Paul September 22, 2008 at 12:28 pm #

    I think it’s a good idea to have at least basic knowledge of ASM. Although I am not a security expert by far, my ASM classes from way back have helped now and then to understand concepts better.

    Also, ASM has improved my general understanding of computers and the way they work. Therefore I can recommend learning ASM to everyone, security and non security experts.

  2. razta September 22, 2008 at 2:53 pm #

    I've just started an Ethical Hacking course at University and there is no mention of ASM, however they may integrate it into our C programming classes. If not I will be learning myself anyway. The book 'Hacking – The Art of Exploitation' has some ASM examples in, however for the non-programmer like me, it's hard to grasp.

  3. m0ng0 September 22, 2008 at 5:11 pm #

    As someone that has been in IT security for about 10 years, I'm often surprised to discover that my peers, especially newer graduates, aren't even aware of Assembly. I'm an EE graduate and Assembly was a part of the curriculum, however these days it seems…seems…that Assembly has gone by way of the punch cards. While punch cards were an implementation of getting a program into the computer…and not something that I think is important that folks have experience in, I DO think it's important for someone that really wants to know how computers work, they should strongly consider the topic. As was pointed out, even for programmers, Assembly isn't something that comes natural, so if you can find a course…I would GO for it!

  4. Infosec News September 23, 2008 at 6:51 am #

    In this day and age it’s probably not as important in sploit development as it was, especially when things like metasploit hand you perfectly ‘commercial grade’ shellcode on a plate.

    It’s still good to know for less common architectures such as ARM, MIPS etc. when exploiting embedded systems.

  5. Navin September 23, 2008 at 12:21 pm #

    Nice article……something that everyone I know has asked me!! My answer too was straightforward YES!!

  6. William September 23, 2008 at 2:54 pm #

    OMG…what do people want to be spoon fed the rest of their lives??? I don’t understand why you wouldn’t want to learn assembly in the first place. I have this constant nagging desire to keep digging deeper and deeper to figure out how things work.

    Understanding machine language helps you understand what your compiler does in the first place. It helps you to understand how a machine works. How are you going to truly understand (or even more important, *develop*) various hacking techniques without understanding ***HOW*** a computer truly works.

    HLL’s make more sense to me BECAUSE of my understanding of assembly language and machine architecture. It has allowed me to appreciate the convenience of HLL’s as well as respect powerful and flexible languages such as C.

    You don’t have to be an assembly god to understand the fundamental basics of assembly. A little assembly knowledge along with some basic machine architecture will go a long way when it comes to programming with HLL’s. It will certainly help you fix your applications as well by understanding how to utilize tools such as debuggers and disassemblers.

    I work for a company right now that still uses assembly language for some of their systems because of its speed and efficiency. There are times where specific machine language will out perform current compiler designed applications which is why inline assembly exists in several HLL’s today.

    “Assembly language programs are difficult to maintain.” No shit, so is shitty uncommented bloated code.

    Look the bottom line is if you want to truly grasp topics such as memory corruption, stack/heap BOF’s, function pointer overflows, format string attacks, et cetera, from a computational science perspective so that you can truly develop new creative ways to solve problems; a fundamental understanding of machine language and machine architecture will go a long way.

    “Don’t learn to hack. Hack to learn.”

  7. razta September 23, 2008 at 4:20 pm #


  8. Goodpeople September 23, 2008 at 6:20 pm #

    I do agree with William and others.. to some extent, that is…

    Yes it is important to know how a computer does its trick. And yes, it is important to develop programming skills, but I don't think you need ASM per se. (unless of course you want to reach the top of the IT security field).

    C is fine. Heck any language is fine (although I doubt that Lisp will be a good choice). The important part is that tomorrow’s security experts learn how to think along logical lines. And that is where programming skills come in handy.

  9. Pantagruel September 24, 2008 at 6:45 am #

    With Goodpeople.

    Profound hardware and OS knowledge will get you more possible sploits than just being able to write a sploit in asm. Programming knowledge in general will suit you very nicely (even VBA for applications can be very handy if you want to bring down word/xl/xs/ppt) and C/C++ variants will fit the bill.

    [In the dark ages we did our first novell sploit in Pascal and later on converted it to asm both for fun and size of the exploit].

    With packages like MetaSploit you really do not need to be able to actually code the sploit, it's very helpful straight from the box and there are regular additions.

    As Goodpeople mentions, learning to program will teach you how to think along a logical line and you'll be able to get things more clear and sorted out (let's compare it to the way you break up your code into blocks and sections which logically belong to each other). But even more important is good analytical skills. It's more than just knowing or 'feeling' the problem, you need to be able to clearly put down how/why it goes wrong and what would be best to do to avoid or exploit }:) this problem.

  10. Darknet September 24, 2008 at 8:00 am #

    So if you discover a new vulnerability by fuzzing a custom or relatively rare service, what are you going to do then? Sit around and wait for someone to code it into Metasploit? I guess it looks that way.

    You guys should read what William said, you don’t really need to be an Assembly genius but at least know the basics of machine code and how the CPU works. If you can’t read shellcode you’re in a bit of a bind because you might end up pwning yourself.

    Learning C is also a requisite to understand 90% of the exploits out there, C++ is ok but not really a requirement. You could get by like Pantagruel says by writing the xploits in C (by mashing up existing stuff) then whacking in some shell code from Metasploit – but really that's not the way to do it.

  11. Pantagruel September 24, 2008 at 2:08 pm #


    Sitting around waiting for the coconut to fall down from the tree can take a while, that's true and the bunch of us are (at least what I gather from the various responses on this and other bloggings here @ Darknet) of the pro-active type.

    I am not ashamed to admit recycling the odd bit and bob of code in new projects, there’s little use in reinventing the wheel.

    Mashing up existing stuff is a nice way to start but you're right, it will leave you highly dependent on other people's skills.

  12. XerMeLL September 25, 2008 at 12:26 am #

    nice topic.. my answer is Yes with a uppercase Y.

  13. Bogwitch September 27, 2008 at 4:52 pm #

    I guess I'm pretty lucky, having cut my teeth on Z80 (Thank you, Sir Clive) and on the 6809 and 68000 series.
    Moving on to x86 is pretty straightforward, although I doubt I’ll ever remember the full instruction set, hell, for the ZX81, I could actually dump straight hex in but 25+ years of mental rot have taken their toll since then!
    Important? Yup, I'd say so. It helps me understand what is going on inside an application and therefore it becomes so much easier to code exploits. It also helps to keep exploit code small, and able to avoid detection; if you're using someone else's public exploit code it's much more likely to be detected, or blocked and hence fail.

  14. razta September 27, 2008 at 11:18 pm #

    Here's an entire OS coded in ASM:

    Fits on a floppy!

  15. Navin September 30, 2008 at 12:53 pm #

    wow!!!! Never knew about this!! Menuet I mean

  16. Yami King September 30, 2008 at 5:26 pm #

    Of course it’s not necessary to learn Assembly language. At least, not any more. As you already mentioned nowadays there are tools like Metasploit easing the task for you.

    But it can always come in handy knowing and understanding Assembly. A nice article, although maybe a liiiiitttle bit off course here:
    describes why it can be needed to learn the inner workings of a programming language/tool.

  17. SpikyHead October 1, 2008 at 5:16 am #

    Well to be a script kiddy.. definitely you don't need to..
    but if you wanna rise in the hacker world by creating new exploits or reverse engineering malware.. it's a must

  18. jackDaniels December 16, 2008 at 9:35 pm #

    Learning assembly isn't required to write exploits as they can be written in C/C++ which is fairly low level anyway, though learning to read assembly is a must IMO.

    C++ has always done the job for me, and I prefer it as my asm is quite newbie.