32bit assembly Flashcards
Stack pointer register, used to track the top of the stack. As items are pushed to and popped from the stack this register decrements/increments accordingly (the x86 stack grows toward lower addresses, so PUSH subtracts 4 and POP adds 4). Of all the general purpose registers, this is the one that is rarely, if ever, used for anything other than its intended purpose.
ESP
In this view you can see the contents of memory in the debugger. When you right-click a register (for example ESP) and choose "Follow in Dump", the dump pane jumps to that address so you can inspect the bytes there.
Memory dump pane in the CPU window (bottom left).
EDI
Destination Index. Holds the destination (write) pointer for string operations such as STOS and MOVS, typically under a REP prefix: the address a block copy or fill writes to. Like the other registers it can hold arbitrary data as well.
What are the default views (panes) of the CPU window in OllyDbg/Immunity Debugger?
CPU instructions (top left)
Registers (top right)
Memory dump (bottom left)
Stack(bottom right)
This register holds the boolean status bits (zero, carry, sign, overflow and others) produced by arithmetic and comparison instructions, which conditional jumps such as JE/JB then test.
EFLAGS. The debugger's register pane lists it alongside the segment registers (CS, DS, SS, ES, FS, GS), which hold segment selectors rather than flags.
Base pointer, holds the base of the current stack frame (the value ESP had right after the prologue pushed the caller's EBP), from which locals and arguments are addressed.
EBP - Extended Base Pointer
In a 32-bit x86 CPU there are 8 general purpose registers. They can technically hold any data, though they were originally architected for specific tasks and in many cases are still used that way today. What are they?
EAX, EBX, ECX, EDX, EDI, ESI, EBP, and ESP
This is the data register
EDX, used for arithmetic alongside EAX; it complements EAX. MUL leaves the high 32 bits of the product in EDX (EDX:EAX), DIV takes its dividend from EDX:EAX and leaves the remainder in EDX, and functions returning a 64-bit value return it in EDX:EAX.
Base Pointer, used to keep track of the base of the current stack frame. Variables on the stack are referenced as an offset from the current value of EBP (locals at negative offsets such as [EBP-4], cdecl arguments at positive offsets starting at [EBP+8]). If the compiler omits the frame pointer and addresses everything relative to ESP, EBP is free to be used as a general purpose register.
EBP
How does MOV work in Intel syntax?
Remember that with x86 Intel syntax the destination comes first: MOV dst, src (e.g. MOV EAX, ECX copies ECX into EAX; MOV EAX, [ECX] loads the dword that ECX points to). AT&T syntax, the default in GCC and gdb, reverses the operand order. Both operands cannot be memory: MOV mem, mem is not encodable, so a memory-to-memory move takes two instructions through a register.
Source Index register, holds the read (source) pointer for string operations; counterpart of EDI.
ESI
Two ways to attach to or open a process in Immunity Debugger
In Immunity, click File –> Attach and select the name of the application/process (in my example, wmplayer).
Note: you can also launch WMP directly from Immunity by clicking File –> Open and selecting the executable.
It's called the accumulator register because it's the primary register used for common calculations (such as ADD and SUB). While other registers can be used for calculations, THIS REGISTER has been given preferential status: many instructions that operate on it have shorter encodings (ADD EAX, imm32 is one byte shorter than the same ADD on any other register, and XCHG EAX, reg is a single byte). Such efficiency matters when writing exploit shellcode for a limited buffer. In addition to its use in calculations, THIS REGISTER holds the return value of a function.
EAX
Not a general purpose register (you cannot MOV into it directly; it changes only through JMP, CALL, RET and similar control-transfer instructions). It holds the address of the next instruction to execute, so if you control this register you control the execution flow of the application.
EIP
What is ECX?
Counter register, used as the loop counter by LOOP and as the repeat count for REP-prefixed string instructions; shift and rotate counts are taken from CL. Like the rest of the registers, it can also hold arbitrary data.
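As an added example (not part of these flashcards), the C program below uses GCC/Clang inline assembly in Intel syntax to exercise the register roles from the cards above: MOV with destination-first operand order, MUL leaving its product in EDX:EAX, CMP setting EFLAGS, and REP MOVSB walking ESI/EDI while ECX counts down. The HAVE_X86_ASM switch and the plain-C fallback are assumptions of this example so that it still builds and runs on a non-x86 host; the sample string is constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not from the flashcards. Each helper wraps a few x86
 * instructions in inline assembly written in Intel syntax (mnemonic dst, src).
 * Register assignment is forced through constraint letters:
 * "a"=EAX, "c"=ECX, "d"=EDX, "S"=ESI, "D"=EDI.
 * On a non-x86 host the same result is computed in plain C (assumed fallback).
 */
#if defined(__i386__) || defined(__x86_64__)
#define HAVE_X86_ASM 1
#else
#define HAVE_X86_ASM 0
#endif

/* MOV eax, ecx: Intel syntax puts the destination first, so ECX is copied
 * into the accumulator, which is also the register a function returns in. */
uint32_t mov_ecx_to_eax(uint32_t value)
{
    uint32_t out;
#if HAVE_X86_ASM
    __asm__ volatile(
        ".intel_syntax noprefix\n\t"
        "mov eax, ecx\n\t"
        ".att_syntax prefix"
        : "=a"(out)
        : "c"(value));
#else
    out = value;
#endif
    return out;
}

/* MUL ecx: EDX:EAX = EAX * ECX. EAX keeps the low 32 bits of the product,
 * EDX (the data register) the high 32 bits. Returned as one 64-bit value. */
uint64_t mul_edx_eax(uint32_t a, uint32_t b)
{
    uint32_t lo, hi;
#if HAVE_X86_ASM
    __asm__ volatile(
        ".intel_syntax noprefix\n\t"
        "mul ecx\n\t"
        ".att_syntax prefix"
        : "=a"(lo), "=d"(hi)
        : "a"(a), "c"(b)
        : "cc");
#else
    uint64_t p = (uint64_t)a * b;
    lo = (uint32_t)p;
    hi = (uint32_t)(p >> 32);
#endif
    return ((uint64_t)hi << 32) | lo;
}

/* CMP eax, ecx sets EFLAGS; SETE and SETB then copy ZF and CF into DL and DH.
 * Returns ZF in bit 0 and CF in bit 1 (CF after CMP means a < b unsigned). */
unsigned cmp_flags(uint32_t a, uint32_t b)
{
    uint32_t packed;
#if HAVE_X86_ASM
    __asm__ volatile(
        ".intel_syntax noprefix\n\t"
        "xor edx, edx\n\t"
        "cmp eax, ecx\n\t"
        "sete dl\n\t"
        "setb dh\n\t"
        ".att_syntax prefix"
        : "=&d"(packed)
        : "a"(a), "c"(b)
        : "cc");
#else
    packed = (a == b ? 1u : 0u) | (a < b ? 0x100u : 0u);
#endif
    return (packed & 1u) | (((packed >> 8) & 1u) << 1);
}

/* REP MOVSB copies ECX bytes from [ESI] to [EDI], advancing both pointers.
 * Returns 1 if the copy matches and ESI/EDI ended up n bytes past their
 * start with ECX at zero. The source string is constructed for this demo. */
int rep_movsb_demo(void)
{
    static const char src[] = "follow in dump";
    char dst[sizeof src];
    const char *s = src;
    char *d = dst;
    size_t n = sizeof src;
    memset(dst, 0, sizeof dst);
#if HAVE_X86_ASM
    /* The ABI guarantees DF=0 on function entry, so the copy runs upward. */
    __asm__ volatile("rep movsb" : "+D"(d), "+S"(s), "+c"(n) : : "memory");
#else
    memcpy(d, s, n);
    d += n; s += n; n = 0;
#endif
    return memcmp(dst, src, sizeof src) == 0
        && d == dst + sizeof src && s == src + sizeof src && n == 0;
}

int main(void)
{
    printf("mov eax, ecx        -> %u\n", mov_ecx_to_eax(42u));
    printf("mul ecx (EDX:EAX)   -> 0x%016llx\n",
           (unsigned long long)mul_edx_eax(0x80000000u, 4u));
    printf("cmp 5,5 / 3,7 / 7,3 -> %u %u %u\n",
           cmp_flags(5u, 5u), cmp_flags(3u, 7u), cmp_flags(7u, 3u));
    printf("rep movsb copy ok   -> %d\n", rep_movsb_demo());
    return 0;
}
```

Build with `gcc -O2 demo.c` (or clang); the `.intel_syntax noprefix` directive lives inside each asm string, so no `-masm=intel` flag is needed. Single-stepping the same instructions in the debugger and watching the register pane shows EDX filling with the high dword after MUL and the Z/C flag bits flipping after CMP.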