So we're going to do a ton of low-level hackery. At first it will feel far removed from your daily coding life.
But my goal is to give you a shot at understanding how malware really works. As you learn about CPUs you realize that every program is eventually reduced to machine language, so learning it, how it gets exploited, and how to prevent that is essential to understanding cyber. If you look at it as learning to PWN some weak C code it will seem myopic. As your eyes become clear you realize that this course shows you how to see the cracks beneath every program ever executed.
My goal is to teach you how your computer really works, how to exploit the simple mechanics of those computers, and how to jump into the fight to prevent the nuclear wars of our age.
These might take us 1-3 classes depending on the vibe you give me as students.
C is the most common language in the world. It sticks around as the language that your operating system is written in and the language for writing other languages. Your cell phone and watch run C programs, as do your alarm clock and car. It's everywhere. Why? Check out this poem.
I don't think C gets enough credit. Sure, C doesn't love you. C isn't about love--C is about thrills. C hangs around in the bad part of town. C knows all the gang signs. C has a motorcycle, and wears the leathers everywhere, and never wears a helmet, because that would mess up C's punked-out hair. C likes to give cops the finger and grin and speed away. Mention that you'd like something, and C will pretend to ignore you; the next day, C will bring you one, no questions asked, and toss it to you with a you-know-you-want-me smirk that makes your heart race. Where did C get it? "It fell off a truck," C says, putting away the boltcutters. You start to feel like C doesn't know the meaning of "private" or "protected": what C wants, C takes. This excites you. C knows how to get you anything but safety. C will give you anything but commitment.
In the end, you'll leave C, not because you want something better, but because you can't handle the intensity. C says "I'm gonna live fast, die young, and leave a good-looking corpse," but you know that C can never die, not so long as C is still the fastest thing on the road.
I don't think that listening to me blather on about technical nuances of C standards will really improve your lives. You've got to code, code early, code often, code poorly to code well. Get interactive with this material. When you have doubts, just make a version and test it. No actual human harm will happen when you code.
Save your program. Create an account, title the program, save the program. Observe the URL. Click share.
Generally this is a fine way to get a program to a partner or me when you need to share your work.
GitHub as code starter: Get to a terminal and execute the line:
git clone https://github.com/cpeg476/hello
Compile hello.c: Open a terminal (either as a new tab or in the "bash" window). Change to the directory with hello.cpp (the command is cd directory_name). Now compile the C program using gcc hello.c. That creates an executable file named a.out. Run that program using
Compile hello.cpp: The C++ hello world can be compiled using g++ hello.cpp then executing
Compile hello.c with C++: since C++ is a super-set of C we can compile C with C++ and be happy. Execute g++ hello.c then
Name your executable: Just for fun let's add a compiler flag into this: g++ hello.cpp -o edgar. Now you have a file named edgar which you can execute using ./edgar. Now if we even wanted to save a couple of characters try this: export PATH=$PATH:$PWD then type edgar. (Edgar I was an early king of England.)
Behold x86: Now find the edgar executable. Run objdump -M intel -D a.out or on OSX objdump -x86-asm-syntax=intel -D a.out
I intend to show you how to read this over time.
Continue that journey at https://pwnwizard.com/
OK, so you want to make edits and not lose your code. Here's what you do.
Make an edit: I'm a big fan of VIM because it is on every machine ever and you can code at about 300% your normal speed. So do vi hello.cpp then carefully type the following: 3jfisello<esc>ZZ (to learn more about VIM please go play http://www.vimgolf.com/)
Save your edit: Now execute the command
git commit -am "changed the code"
Now I want to have you create a GitHub repo where you can save your code.
GitHub Repo making: Head to github and create a new repository. It will give you a URL that you should copy.
Back in cslabs: Now execute the command:
git remote add gh URL_PASTED_HERE with your URL in the magic spot there.
Push your changes to the internet: Now do git push gh master and give it your GitHub username and password when prompted.
Check it out: Now refresh the GitHub repo page and see your code.
We will dive into the harder parts of C later but for now I want you to be comfortable with if, displaying output, writing functions, calling functions, and dealing with strings.
Whenever I pick up a new coding language I do the following.
Project Euler Optional Training: Go to https://projecteuler.net/archives and solve the first 10 problems using C++. Then refactor your answers to be raw C. This will take a bit but afterwards you'll feel like you understand everything. If you want some more basic training first then keep reading this page, otherwise move on.
For the basics here is a simple "hello world" function with lots of comments to explain what each line does:
Adapt: Run that hello world and add one more printed line.
Display a variable value: Now use the line int a = 12; printf("a == %d", a); to print the value of an integer variable.
This snippet shows a basic character array C string.
Try it: Execute that code and see the output.
Length research: Adapt that script to use strlen to display the length of the "string" stored in
I had to resolve two minor issues to get this to work perfectly. Use the internet to help yourself.
Here is a Hello world written in C++.
What are the differences?
Now here is the "string" class in C++.
Run it: Now adapt the string.
Extrapolate: Now use .length() to display the length of the string in the variable text. (Feel free to google a bit.)
Take a look at this specification of the string class. Use a method you find to write a function that displays the first 7 characters of
String comparison is interesting: it returns 0 on equality, so be careful.
Adapt: Run the above snippet then change the text2 to be different and re-run. Also notice how the if statement works.
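The 0-on-equality convention above is also how C's strcmp behaves, and it is a classic source of inverted checks. This added example (not from the course page; the value edgar and the function names are made up for illustration) puts the inverted test beside the correct one:

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample value for this example, not from the course page. */
static const char *EXPECTED = "edgar";

/* Buggy: strcmp() returns 0 when the strings MATCH, and 0 is false in C,
 * so this accepts every input except the correct one. */
int is_match_buggy(const char *input) {
    if (strcmp(input, EXPECTED)) {
        return 1;
    }
    return 0;
}

/* Correct: compare the result against 0 explicitly. */
int is_match(const char *input) {
    return strcmp(input, EXPECTED) == 0;
}

/* strcmp() only promises negative / zero / positive, not -1 / 0 / 1,
 * so reduce it to a sign before comparing against fixed values. */
int compare_sign(const char *a, const char *b) {
    int r = strcmp(a, b);
    return (r > 0) - (r < 0);
}

int main(void) {
    const char *inputs[] = { "edgar", "Edgar", "edga", "" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("\"%s\": buggy=%d correct=%d sign=%d\n", inputs[i],
               is_match_buggy(inputs[i]), is_match(inputs[i]),
               compare_sign(inputs[i], EXPECTED));
    }
    return 0;
}
```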
You will often find yourself needing to execute code loops. That is, a block of code which runs many times, with one small change on each execution.
Here is another valid loop that does the same thing.
Here is another version of the same loop.
Devise your own: If you use the word break and an if statement can you make your own loop which does the same thing but has an opening
Write a string compare for C: Using the original C character array example can you compare two C strings?
Here is a snippet that uses a custom function to compare two integers.
Note that it matches the way main is declared. There is a return type, a function name, and a list of input arguments. This function is called inside the
Write a function: Call it square; have it consume one integer and return the integer squared.
We will deal with passing arguments to functions in the next part.
Here is a complete list of every base C keyword/command:
These make up the base language of C. Some of them I have never used. So when it comes to picking up comfort with a new language what do you do? Well I like to consult the documentation when I need to understand something new. Let's do that now.
Use a new word: Pick a word from this list that you've never used before. Look up the usage, inputs, and outputs of that command/keyword at a C reference site like http://en.cppreference.com/w/ or the gnu-c-manual. Build a program that uses it (if you need a goal for the program then calculate the sum of the first 10 Fibonacci numbers or something).
Now this sort of exercise accomplishes several things. One, you learn to use complete documentation, which has a benefit over tutorials and snippets. This makes you feel secure that you see a wider range of possibilities (you're not missing something). Two, you learn to teach yourself in a just-in-time manner from the right sources. Most coders spend daily time on stackoverflow and search engines. Three, if you get a rough sense of what is possible then you can come back to that possibility in your thinking. When it's time to structure a program you get a feel for what the language can do easily and what requires a library.
The next stage is to learn what is possible in the standard libraries. For instance, printf is NOT on my list of basic C words. It is in the
So I won't list every function in every standard library but here are some ways for you to find a similar comprehensive list:
Seeing the standard libraries gives you a notion of the other tricks available.
Randomize: Write me a function that rolls a die by displaying to the screen a random number from 1 to 6. Use the links above to find the right libraries to include and research around to understand the nature of
It is essential to success in any endeavor to have goals and timelines on those goals. It is no different with teaching yourself a coding language. Setting a goal is easy, and pursuing it seriously often shows you whether it was the right goal to set.
In this case pick small tasks and try to do them in a fixed amount of time.
Learn by task: Your goal is to write a program which can read a file named "input.txt". The file will contain numbers separated by dashes and spaces. The numbers translate 1 to A and 26 to Z. Then those letters have been encrypted by ROT13. Spaces are breaks in words and dashes are separators for letters in the same word. Your job is to read in the file and then create a new file in which you write the final plaintext message. Create a cloud9 workspace, share it with a partner from Slack. Split the overall goal into micro tasks that you can each work on independently (e.g. FileIO, word separation, from number to plaintext). Give yourself one afternoon to get it done.
As an example here is the message "this is encoded with a caesar cipher" as input.txt:
If you want a message that you don't know use:
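To make the input.txt format from the task concrete, here is the encoding direction (plaintext to ROT13 to numbers) as an added example; it is not the course's own code and leaves the decoder to you. The function names are made up here, and it assumes ASCII input containing only letters and spaces.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* ROT13 a lowercase ASCII letter, then map a..z to 1..26. */
static int letter_to_number(char c) {
    return (c - 'a' + 13) % 26 + 1;
}

/* Encode `plain` (letters and spaces only) into `out`.
 * Returns 0 on success, -1 on an unsupported character or if `out`
 * is too small. Every write is bounds-checked against out_size. */
int encode_message(const char *plain, char *out, size_t out_size) {
    size_t used = 0;
    int in_word = 0;               /* 1 once the current word has a letter */

    if (out_size == 0) return -1;
    out[0] = '\0';
    for (const char *p = plain; *p != '\0'; p++) {
        unsigned char ch = (unsigned char)*p;
        if (ch == ' ') {           /* a space ends the current word */
            if (used + 2 > out_size) return -1;
            out[used++] = ' ';
            out[used] = '\0';
            in_word = 0;
            continue;
        }
        if (!isalpha(ch)) return -1;
        /* snprintf never writes past the remaining space; a return value
         * >= that space means the output was truncated. */
        size_t room = out_size - used;
        int n = snprintf(out + used, room, "%s%d", in_word ? "-" : "",
                         letter_to_number((char)tolower(ch)));
        if (n < 0 || (size_t)n >= room) return -1;
        used += (size_t)n;
        in_word = 1;
    }
    return 0;
}

int main(void) {
    char buf[256];
    /* The sample message named in the task description. */
    if (encode_message("this is encoded with a caesar cipher", buf, sizeof buf) != 0)
        return 1;
    puts(buf);
    return 0;
}
```

Redirect the output into input.txt to get a test file for your decoder; the -1 return paths show the kind of length checking your own file-reading code needs.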