03 - x86 Assembly Code Flashcards
Explain the GPR: EAX?
Accumulator, Return value of functions, data storage
Explain the GPR: EBX?
Data Index, data storage
Explain the GPR: ECX?
Loop Counter
Explain the GPR: EDX?
Data register, data storage
Explain the GPR: EIP?
Instruction Pointer
Explain the GPR: ESP?
Stack Pointer
Goes along the stack. Always contains the memory address of the top of the current stack.
Explain the GPR: EBP?
Base Pointer
Manages stack frame. EBP always contains the memory address of the bottom of the current stack.
Explain the GPR: ESI?
Source index, string operations
Explain the GPR: EDI?
Destination index, string operations
Explain the EEFLAG: CF
Carry Flag; is set if the last operation caused a carry. If the result of some arithmetic operation was bigger than the space allowed.
Explain the EEFLAG: PF
Parity Flag; is 1 if there is an even number of binary 1s in the result of an operation.
Explain the EEFLAG: ZF
Zero Flag: It is set if the last instruction had a result of zero.
Explain the EEFLAG: SF
Sign Flag; is set to indicate whether the last mathematical operation resulted in a value whose most significant bit was set to 1 (e.g it is a signed number, and is negative)
Explain the EEFLAG: TF
Trap Flag; Used with debuggers – instead of running all instructions, it will generate an exception that can be caught be a debugger after every instruction.
Explain the EEFLAG: DF
Direction Flag; Is used in string operations, e.g. do you want to read right-left or left-right.
Explain the EEFLAG: OF
Overflow Flag; is set when the MSB (most significant bit) is changed, indicating an arithmetic overflow.
MOV?
Simply moves a byte, word or dword from the source location to the destination location. There are some limitations to the mov instruction – for example the source and destination cannot both be a memory address, and the source and destination must be the same size.
- mov eax, ebx // Moves the value in the ebx register into eax
- mov eax, [ebx] // Moves the value at the memory address
LEA?
Load Effective Address. Takes the value passed in the source (which is normally a sum), calculates the final result, and stores that value into the destination.
- lea eax, [ebx+1] // Adds +1 to the value in the ebx register and moves it into eax
ADD, SUB, INC, DEC, NEG?
- add <dest>, <src></src></dest> // Dest = Dest + Src
- sub <dest>, <src></src></dest> // Dest = Dest - Src
- inc <dest> </dest>// Dest = Dest + 1
- dec <dest></dest> // Dest = Dest - 1
- neg <dest> </dest>// Dest = Dest * -1
XOR?
When reversing malware, the main place we see logical operators like this are in encryption loops, or deliberately obfuscated code. XOR in particular is very popular. This is due to a very useful property that: If a XOR b = c then c XOR a = b and c XOR b = a.
- XOR EAX, EAX // = 0
NOT?
The NOT instruction implements the bitwise NOT operation. NOT operation reverses the bits in an operand. The operand could be either in a register or in the memory. It changes every 1 => 0 and every 0 => 1
SHL/SHR?
The shifting instructions move all of the bits in the destination left or rights by a number of places specified in the count operand (and fills the gaps with zeros). The bit that is shifted out is stored in the CF.
shl al, 1 // al = 00000101 => al = 00001010 / CF = 0
ROL/ROR?
Bits in the destination are moved left or rights by a number of places specified in the count just like before. The bit that is shifted out of the destination is stored in the carry flag BUT also is pushed back into the destination from the other side instead of filling with zeros.
ror al, 1 // al = 00000101 => al = 1000010 / CF = 1
MUL?
- mov eax, 0x08
- mov ebx, 0x02
- mul ebx
EDX:EAX = 0x10 (16dec), ebx is still 0x02 (2 in dec)