03 - x86 Assembly Code Flashcards
Explain the GPR: EAX?
Accumulator, Return value of functions, data storage
Explain the GPR: EBX?
Data Index, data storage
Explain the GPR: ECX?
Loop Counter
Explain the GPR: EDX?
Data register, data storage
Explain the GPR: EIP?
Instruction Pointer
Explain the GPR: ESP?
Stack Pointer
Goes along the stack. Always contains the memory address of the top of the current stack.
Explain the GPR: EBP?
Base Pointer
Manages stack frame. EBP always contains the memory address of the bottom of the current stack.
Explain the GPR: ESI?
Source index, string operations
Explain the GPR: EDI?
Destination index, string operations
Explain the EEFLAG: CF
Carry Flag; is set if the last operation caused a carry. If the result of some arithmetic operation was bigger than the space allowed.
Explain the EEFLAG: PF
Parity Flag; is 1 if there is an even number of binary 1s in the result of an operation.
Explain the EEFLAG: ZF
Zero Flag: It is set if the last instruction had a result of zero.
Explain the EEFLAG: SF
Sign Flag; is set to indicate whether the last mathematical operation resulted in a value whose most significant bit was set to 1 (e.g it is a signed number, and is negative)
Explain the EEFLAG: TF
Trap Flag; Used with debuggers – instead of running all instructions, it will generate an exception that can be caught be a debugger after every instruction.
Explain the EEFLAG: DF
Direction Flag; Is used in string operations, e.g. do you want to read right-left or left-right.
Explain the EEFLAG: OF
Overflow Flag; is set when the MSB (most significant bit) is changed, indicating an arithmetic overflow.
MOV?
Simply moves a byte, word or dword from the source location to the destination location. There are some limitations to the mov instruction – for example the source and destination cannot both be a memory address, and the source and destination must be the same size.
- mov eax, ebx // Moves the value in the ebx register into eax
- mov eax, [ebx] // Moves the value at the memory address
LEA?
Load Effective Address. Takes the value passed in the source (which is normally a sum), calculates the final result, and stores that value into the destination.
- lea eax, [ebx+1] // Adds +1 to the value in the ebx register and moves it into eax
ADD, SUB, INC, DEC, NEG?
- add <dest>, <src></src></dest> // Dest = Dest + Src
- sub <dest>, <src></src></dest> // Dest = Dest - Src
- inc <dest> </dest>// Dest = Dest + 1
- dec <dest></dest> // Dest = Dest - 1
- neg <dest> </dest>// Dest = Dest * -1
XOR?
When reversing malware, the main place we see logical operators like this are in encryption loops, or deliberately obfuscated code. XOR in particular is very popular. This is due to a very useful property that: If a XOR b = c then c XOR a = b and c XOR b = a.
- XOR EAX, EAX // = 0
NOT?
The NOT instruction implements the bitwise NOT operation. NOT operation reverses the bits in an operand. The operand could be either in a register or in the memory. It changes every 1 => 0 and every 0 => 1
SHL/SHR?
The shifting instructions move all of the bits in the destination left or rights by a number of places specified in the count operand (and fills the gaps with zeros). The bit that is shifted out is stored in the CF.
shl al, 1 // al = 00000101 => al = 00001010 / CF = 0
ROL/ROR?
Bits in the destination are moved left or rights by a number of places specified in the count just like before. The bit that is shifted out of the destination is stored in the carry flag BUT also is pushed back into the destination from the other side instead of filling with zeros.
ror al, 1 // al = 00000101 => al = 1000010 / CF = 1
MUL?
- mov eax, 0x08
- mov ebx, 0x02
- mul ebx
EDX:EAX = 0x10 (16dec), ebx is still 0x02 (2 in dec)
DIV?
- mov eax, 0x7005 // EAX = 0x7005 (28677d)
- mov ebx, 0x100 // EBX = 0x100 (256d)
- div ebx
After div eax = 0x70 (112 dec) and edx = 0x05.
CMP?
The CMP instruction is normally followed by a jump instruction which is based on the flags that were set. How cmp actually works is performs a subtraction (just like the sub function), but instead of storing the value in the destination operand – it simply sets the appropriate flags (ZF, SF, PF).
- mov eax, 0x1234
- mov ebx, 0x5678
- cmp eax, ebx
The result of the SUB is 0xFFFFBBBC, so ZF=0, SF=1, PF=0. Hence the sign flag is set (as the result is a negative number). The zero flag is not set (that would only happen if the two values where the same). In this case the parity flag is also not set (as there are an odd number of 1s in the result).
TEST?
Like cmp test performs an operation on two operands in order to set some flags, and does alter either of the values passed to it. Cmp uses a subtract function to do this whereas test uses a binary AND function. We only really see test used in one case:
test eax, eax
Why test eax, eax? Because if eax = 0, the result will be zero – if it is anything else, result will be 1. So this function is equivalent to cmp eax, 0 – but it is slightly faster for the CPU to execute.
scasb, scasw, scasd?
- Compares value in edi to the value in al, ax, eax
- Sets appropriate flags (e.g. Zero Flag)
- Increments edi by 1
- Decrements ecx by 1
- ScasX makes use of direction flag (DF=0 -> inc; DF=1 -> dec)
rep & repXX?
- rep carries out an instruction a number of times equal to the value in ecx. Will decrement ecx.
- repXX repeats an instruction until a specific condition is met e.g. repz, repnz (REPeat while Not Equal) / repe, repne
rep ; Repeats until ecx = 0
repe, repz ; Repeats until ecx = 0 or ZF = 0
repne, repnz ; Repeats until ecx = 0 or ZF = 1
stosX and lodsX?
stosb, stosw, and stosd: copies a value from al, ax or eax respectively to the memory location stored in edi. Then it increments the value in edi. This allows it to be used with a repeating instruction to overwrite an area of memory.
lodsb, lodsw, and lodsd copies a value which is stored in esi to al / ax / or eax respectively, and then incrementing esi.
Both of these instructions are effected by the direction flag (DF).
call/ret?
- call [label]: Saves the current value of EIP onto the stack, and jumps to the specified location.
- Ret : Pops the return address off the stack and returns control to that location.
JMP?
Unconditional Jump; doesn’t care about flags.
JG / JGE / JNG [label]
Jump if greater than / greater than or equal to / not greater than. It performs a signed comparison jump after a cmp if the destination operand is greater than the source operand.
JL / JLE / JNL [label]
Jump if less than / less than or equal to / not less than. It performs a signed comparison jump after a cmp if the destination operand is less than the source operand.
JA / JAE / JNA [label]
Jump if above / above or equal to / not above. Same as JG, but unsigned.
JB / JBE / JNB [label]
Jump if below / below or equal to / not below. Same as JL, but unsigned.
JE / JZ [label]
It jumps to the specified location if the Zero Flag (ZF) is set (1). jz is commonly used to explicitly test for something being equal to zero (e.g. after test) whereas je is commonly found after a cmp instruction.
- cmp edx, 42
- je short loc_402B13 ; if edx equals 42, jump to loc_402B13
JNE / JNZ [label]
It jumps to the specified location if the Zero Flag (ZF) is cleared (0). jnz is commonly used to explicitly test for something not being equal to zero whereas jne is commonly found after a cmp instruction.
- TEST 5,5 => ZF is 1 => jump
- CMP 5,5 => ZF is 1 => no jump
loop [label]
Decrements ECX. If ecx not zero, it jumps to label.
mov ecx, 5
start_loop:
; the code here would be executed 5 times
loop start_loop
NOP
Move to next instruction; same as: xchg eax, eax
NEG 0x00000001?
FFFFFFFF or -1
A NEG instruction is the result of a not and add 1.
What does CLD?
Clears the Direction Flag (DF = 0)
How to you normally initiate and end stack instructions?
Beginning:
PUSH EBP
MOV EBP, ESP
SUB ESP, 4
Ending:
MOV ESP, EBP
POP EBP
RET (8)
repnz?
Repeat while not zero
repz?
Repeat while zero
