03 - x86 Assembly Code

Question 1

Explain the GPR: EAX?

Answer 1

Accumulator, Return value of functions, data storage

Question 2

Explain the GPR: EBX?

Answer 2

Data Index, data storage

Question 3

Explain the GPR: ECX?

Answer 3

Loop Counter

Question 4

Explain the GPR: EDX?

Answer 4

Data register, data storage

Question 5

Explain the GPR: EIP?

Answer 5

Instruction Pointer

Question 6

Explain the GPR: ESP?

Answer 6

Stack Pointer

Goes along the stack. Always contains the memory address of the top of the current stack.

Question 7

Explain the GPR: EBP?

Answer 7

Base Pointer

Manages stack frame. EBP always contains the memory address of the bottom of the current stack.

Question 8

Explain the GPR: ESI?

Answer 8

Source index, string operations

Question 9

Explain the GPR: EDI?

Answer 9

Destination index, string operations

Question 10

Explain the EEFLAG: CF

Answer 10

Carry Flag; is set if the last operation caused a carry. If the result of some arithmetic operation was bigger than the space allowed.

Question 11

Explain the EEFLAG: PF

Answer 11

Parity Flag; is 1 if there is an even number of binary 1s in the result of an operation.

Question 12

Explain the EEFLAG: ZF

Answer 12

Zero Flag: It is set if the last instruction had a result of zero.

Question 13

Explain the EEFLAG: SF

Answer 13

Sign Flag; is set to indicate whether the last mathematical operation resulted in a value whose most significant bit was set to 1 (e.g it is a signed number, and is negative)

Question 14

Explain the EEFLAG: TF

Answer 14

Trap Flag; Used with debuggers – instead of running all instructions, it will generate an exception that can be caught be a debugger after every instruction.

Question 15

Explain the EEFLAG: DF

Answer 15

Direction Flag; Is used in string operations, e.g. do you want to read right-left or left-right.

Question 16

Explain the EEFLAG: OF

Answer 16

Overflow Flag; is set when the MSB (most significant bit) is changed, indicating an arithmetic overflow.

Question 17

MOV?

Answer 17

Simply moves a byte, word or dword from the source location to the destination location. There are some limitations to the mov instruction – for example the source and destination cannot both be a memory address, and the source and destination must be the same size.

• mov eax, ebx // Moves the value in the ebx register into eax
• mov eax, [ebx] // Moves the value at the memory address

Question 18

LEA?

Answer 18

Load Effective Address. Takes the value passed in the source (which is normally a sum), calculates the final result, and stores that value into the destination.

• lea eax, [ebx+1] // Adds +1 to the value in the ebx register and moves it into eax

Question 19

ADD, SUB, INC, DEC, NEG?

Answer 19

• add <dest>, <src></src></dest> // Dest = Dest + Src
• sub <dest>, <src></src></dest> // Dest = Dest - Src
• inc <dest> </dest>// Dest = Dest + 1
• dec <dest></dest> // Dest = Dest - 1
• neg <dest> </dest>// Dest = Dest * -1

Question 20

XOR?

Answer 20

When reversing malware, the main place we see logical operators like this are in encryption loops, or deliberately obfuscated code. XOR in particular is very popular. This is due to a very useful property that: If a XOR b = c then c XOR a = b and c XOR b = a.

• XOR EAX, EAX // = 0

Question 21

NOT?

Answer 21

The NOT instruction implements the bitwise NOT operation. NOT operation reverses the bits in an operand. The operand could be either in a register or in the memory. It changes every 1 => 0 and every 0 => 1

Question 22

SHL/SHR?

Answer 22

The shifting instructions move all of the bits in the destination left or rights by a number of places specified in the count operand (and fills the gaps with zeros). The bit that is shifted out is stored in the CF.

shl al, 1 // al = 00000101 => al = 00001010 / CF = 0

Question 23

ROL/ROR?

Answer 23

Bits in the destination are moved left or rights by a number of places specified in the count just like before. The bit that is shifted out of the destination is stored in the carry flag BUT also is pushed back into the destination from the other side instead of filling with zeros.

ror al, 1 // al = 00000101 => al = 1000010 / CF = 1

Question 24

MUL?

Answer 24

• mov eax, 0x08
• mov ebx, 0x02
• mul ebx

EDX:EAX = 0x10 (16dec), ebx is still 0x02 (2 in dec)

Question 25

DIV?

Answer 25

• mov eax, 0x7005 // EAX = 0x7005 (28677d)
• mov ebx, 0x100 // EBX = 0x100 (256d)
• div ebx

After div eax = 0x70 (112 dec) and edx = 0x05.

Question 26

CMP?

Answer 26

The CMP instruction is normally followed by a jump instruction which is based on the flags that were set. How cmp actually works is performs a subtraction (just like the sub function), but instead of storing the value in the destination operand – it simply sets the appropriate flags (ZF, SF, PF).

• mov eax, 0x1234
• mov ebx, 0x5678
• cmp eax, ebx

The result of the SUB is 0xFFFFBBBC, so ZF=0, SF=1, PF=0. Hence the sign flag is set (as the result is a negative number). The zero flag is not set (that would only happen if the two values where the same). In this case the parity flag is also not set (as there are an odd number of 1s in the result).

Question 27

TEST?

Answer 27

Like cmp test performs an operation on two operands in order to set some flags, and does alter either of the values passed to it. Cmp uses a subtract function to do this whereas test uses a binary AND function. We only really see test used in one case:
test eax, eax
Why test eax, eax? Because if eax = 0, the result will be zero – if it is anything else, result will be 1. So this function is equivalent to cmp eax, 0 – but it is slightly faster for the CPU to execute.

Question 28

scasb, scasw, scasd?

Answer 28

• Compares value in edi to the value in al, ax, eax
• Sets appropriate flags (e.g. Zero Flag)
• Increments edi by 1
• Decrements ecx by 1
• ScasX makes use of direction flag (DF=0 -> inc; DF=1 -> dec)

Question 29

rep & repXX?

Answer 29

• rep carries out an instruction a number of times equal to the value in ecx. Will decrement ecx.
• repXX repeats an instruction until a specific condition is met e.g. repz, repnz (REPeat while Not Equal) / repe, repne

rep ; Repeats until ecx = 0

repe, repz ; Repeats until ecx = 0 or ZF = 0

repne, repnz ; Repeats until ecx = 0 or ZF = 1

Question 30

stosX and lodsX?

Answer 30

stosb, stosw, and stosd: copies a value from al, ax or eax respectively to the memory location stored in edi. Then it increments the value in edi. This allows it to be used with a repeating instruction to overwrite an area of memory.

lodsb, lodsw, and lodsd copies a value which is stored in esi to al / ax / or eax respectively, and then incrementing esi.

Both of these instructions are effected by the direction flag (DF).

Question 31

call/ret?

Answer 31

• call [label]: Saves the current value of EIP onto the stack, and jumps to the specified location.
• Ret : Pops the return address off the stack and returns control to that location.

Question 32

JMP?

Answer 32

Unconditional Jump; doesn’t care about flags.

Question 33

JG / JGE / JNG [label]

Answer 33

Jump if greater than / greater than or equal to / not greater than. It performs a signed comparison jump after a cmp if the destination operand is greater than the source operand.

Question 34

JL / JLE / JNL [label]

Answer 34

Jump if less than / less than or equal to / not less than. It performs a signed comparison jump after a cmp if the destination operand is less than the source operand.

Question 35

JA / JAE / JNA [label]

Answer 35

Jump if above / above or equal to / not above. Same as JG, but unsigned.

Question 36

JB / JBE / JNB [label]

Answer 36

Jump if below / below or equal to / not below. Same as JL, but unsigned.

Question 37

JE / JZ [label]

Answer 37

It jumps to the specified location if the Zero Flag (ZF) is set (1). jz is commonly used to explicitly test for something being equal to zero (e.g. after test) whereas je is commonly found after a cmp instruction.

• cmp edx, 42
• je short loc_402B13 ; if edx equals 42, jump to loc_402B13

Question 38

JNE / JNZ [label]

Answer 38

It jumps to the specified location if the Zero Flag (ZF) is cleared (0). jnz is commonly used to explicitly test for something not being equal to zero whereas jne is commonly found after a cmp instruction.

• TEST 5,5 => ZF is 1 => jump
• CMP 5,5 => ZF is 1 => no jump

Question 39

loop [label]

Answer 39

Decrements ECX. If ecx not zero, it jumps to label.

mov ecx, 5

start_loop:

; the code here would be executed 5 times

loop start_loop

Question 40

NOP

Answer 40

Move to next instruction; same as: xchg eax, eax

Question 41

NEG 0x00000001?

Answer 41

FFFFFFFF or -1

A NEG instruction is the result of a not and add 1.

Question 42

What does CLD?

Answer 42

Clears the Direction Flag (DF = 0)

Question 43

How to you normally initiate and end stack instructions?

Answer 43

Beginning:
PUSH EBP
MOV EBP, ESP
SUB ESP, 4

Ending:
MOV ESP, EBP
POP EBP
RET (8)

Question 44

repnz?

Answer 44

Repeat while not zero

Question 45

repz?

Answer 45

Repeat while zero