asm Flashcards

1
Q

EAX

A

The Accumulator Register.

It’s called the accumulator register because it’s the primary register used for common calculations (such as ADD and SUB). While other registers can be used for calculations, EAX has been given preferential status: several instructions have a shorter encoding that only works with EAX (e.g. ADD EAX, imm32 is a one-byte opcode followed by the immediate, whereas ADD ECX, imm32 needs an opcode byte plus a ModRM byte). Such efficiency can be important when it comes to writing exploit shellcode for a limited available buffer space (more on that in future tutorials!). In addition to its use in calculations, EAX is also used to store the return value of a function, and the EDX:EAX pair holds the result of MUL and the dividend of DIV.

2
Q

AX

A

The least significant 16 bits of EAX (bits 0 to 15).

3
Q

AH

A

The 8 most significant bits of AX (bits 8 to 15 of EAX).

4
Q

AL

A

The 8 least significant bits of AX (bits 0 to 7 of EAX).

5
Q

EBX

A

The Base Register.

In 32-bit code EBX doesn’t have an architecturally special purpose, so just think of it as a catch-all for available storage (one common compiler convention is to keep the GOT base in EBX in position-independent code). Like EAX, it can be referenced in whole (EBX) or in part (BX, BH, BL).

6
Q

ECX

A

The Counter Register.

As its name implies, the counter (or count) register is frequently used as a loop and function repetition counter: it is the implicit counter for LOOP and for the REP prefix on string instructions, and CL holds the shift count for variable shifts. It can also be used to store any data. Like EAX, it can be referenced in whole (ECX) or in part (CX, CH, CL).

7
Q

EDX

A

The Data Register

EDX is effectively a partner register to EAX. In multiplication and division it holds the extra width: 32-bit MUL stores the most significant half of the 64-bit product in EDX and the least significant half in EAX, and 32-bit DIV divides the 64-bit value EDX:EAX, leaving the quotient in EAX and the remainder in EDX. It is also commonly used as a general-purpose register for function data. Like EAX, it can be referenced in whole (EDX) or in part (DX, DH, DL).
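The EDX:EAX pairing above, as an added example in plain C (not part of the original flashcards and not real inline assembly): mul32 and div32 model the unsigned 32-bit MUL and DIV instructions, including the divide-error (#DE) case that DIV raises when the quotient won’t fit in EAX, which is why compilers clear EDX before a 32-bit division. The register values and the function names are constructed for this example.

```c
/* Added example (not from the original flashcards): how the unsigned
 * 32-bit MUL and DIV instructions use the EDX:EAX register pair.
 * This is a simulation in plain C, not real inline assembly. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct { uint32_t eax, edx; } regs_t;

/* MUL r/m32: EDX:EAX = EAX * src. The high 32 bits of the product land in EDX.
 * On the real CPU, CF and OF are set when EDX != 0 (the product did not fit). */
bool mul32(regs_t *r, uint32_t src) {
    uint64_t product = (uint64_t)r->eax * src;
    r->eax = (uint32_t)product;
    r->edx = (uint32_t)(product >> 32);
    return r->edx != 0;   /* mirrors CF/OF */
}

/* DIV r/m32: EAX = EDX:EAX / src, EDX = EDX:EAX % src.
 * Raises #DE (divide error, exception vector 0) when src == 0 OR when the
 * quotient does not fit in 32 bits. The second case is the one people forget,
 * and it is why compilers emit XOR EDX,EDX before a 32-bit DIV. */
bool div32(regs_t *r, uint32_t src) {
    uint64_t dividend = ((uint64_t)r->edx << 32) | r->eax;
    if (src == 0 || (dividend / src) > 0xFFFFFFFFULL)
        return false;  /* would raise #DE; registers left unchanged */
    r->eax = (uint32_t)(dividend / src);
    r->edx = (uint32_t)(dividend % src);
    return true;
}

int main(void) {
    regs_t r = { .eax = 0x80000000u, .edx = 0 };
    bool overflow = mul32(&r, 4);          /* 0x80000000 * 4 = 0x2_0000_0000 */
    printf("MUL: EDX=%08x EAX=%08x CF/OF=%d\n", r.edx, r.eax, overflow);
    /* Divide the 64-bit product back down: the quotient fits, so no #DE. */
    printf("DIV ok=%d EAX=%08x EDX=%08x\n", div32(&r, 4), r.eax, r.edx);
    /* Forgetting to clear EDX before a 32-bit division: the quotient overflows. */
    r.eax = 100; r.edx = 7;
    printf("DIV with stale EDX ok=%d\n", div32(&r, 5));
    return 0;
}
```

The stale-EDX case is the practical lesson: a crash in a DIV instruction is not always a division by zero; a leftover value in EDX produces the same #DE.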

8
Q

ESI

A

The Source Index

The counterpart to EDI, ESI is often used to hold the pointer to a read location: the string instructions (MOVS, LODS, CMPS) read from DS:[ESI] implicitly. For example, if a function is designed to read a string, ESI would hold the pointer to the location of that string.

9
Q

EDI

A

The Destination Index

Though it can be (and is) used for general data storage, EDI was primarily designed to hold the destination pointer of string operations: MOVS, STOS and SCAS write to or scan ES:[EDI] implicitly, so it typically holds the write address of a string copy or fill.

10
Q

EBP

A

The Base Pointer

EBP is used to keep track of the base of the current stack frame (it normally holds the value ESP had at function entry, after the caller’s EBP was saved). Local variables and arguments are referenced as offsets from EBP, e.g. [EBP-4] for the first local and [EBP+8] for the first argument. Compilers can omit the frame pointer and address locals relative to ESP instead, in which case EBP is free for general-purpose use.

11
Q

ESP

A

The Stack Pointer.

ESP tracks the top of the stack. PUSH decrements it (by 4 in 32-bit code) before storing, and POP increments it after loading, so the stack grows toward lower addresses. Of all of the general purpose registers, ESP is rarely, if ever, used for anything other than its intended purpose.

12
Q

EIP

A

The Instruction Pointer (EIP)

Not a general purpose register, but fitting to cover here: EIP holds the memory address of the next instruction to be executed by the CPU. It cannot be written directly with MOV; it changes through JMP, CALL, RET and the conditional jumps. As you’ll see in the coming tutorials, control the value of EIP and you control the execution flow of the application (to execute code of your choosing).

13
Q

ADD/SUB op1, op2

A

Add the second operand to (or subtract it from) the first, storing the result in the first operand. Operands can be registers, memory locations (at most one) or constants. For example, ADD EAX, 10 adds 10 to the value of EAX and stores the result in EAX. Both instructions update the EFLAGS status bits (CF, ZF, SF, OF), which a following conditional jump can test.

14
Q

XOR EAX, EAX

A

Performing an ‘exclusive or’ of a register with itself sets its value to zero; the standard way of clearing a register. It beats MOV EAX, 0 on two counts that matter for shellcode: it is shorter (XOR EAX, EAX encodes as 31 C0, whereas MOV EAX, 0 is B8 00 00 00 00) and its encoding contains no NUL bytes, so it survives being copied as a C string. As a side effect it sets the zero flag.
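To make the shellcode point of the EAX and XOR cards concrete, here is an added example (not from the original flashcards) that hand-encodes a few 32-bit instruction forms and counts the NUL bytes each produces. Only the listed encodings (MOV r32, imm32; ADD r32, imm32; XOR r32, r32) are implemented, and the type and function names are this example’s own.

```c
/* Added example (not from the original flashcards): a tiny encoder for a
 * handful of 32-bit x86 instruction forms, used to show two things the EAX
 * and XOR cards mention: EAX gets shorter encodings than the other
 * registers, and XOR reg,reg zeroes a register without the NUL bytes that
 * MOV reg,0 produces. Only the encodings listed here are implemented. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum reg32 { EAX = 0, ECX = 1, EDX = 2, EBX = 3, ESP = 4, EBP = 5, ESI = 6, EDI = 7 };

typedef struct { uint8_t bytes[8]; size_t len; } insn_t;

static void put_imm32(insn_t *i, uint32_t imm) {       /* immediates are little-endian */
    for (int k = 0; k < 4; k++) i->bytes[i->len++] = (uint8_t)(imm >> (8 * k));
}

/* MOV r32, imm32  ->  B8+r id   (5 bytes for every register) */
insn_t enc_mov_imm32(enum reg32 r, uint32_t imm) {
    insn_t i = { .len = 0 };
    i.bytes[i.len++] = (uint8_t)(0xB8 + r);
    put_imm32(&i, imm);
    return i;
}

/* ADD r32, imm32  ->  05 id for EAX (short form, 5 bytes)
 *                     81 /0 id with ModRM 11 000 rrr for the others (6 bytes) */
insn_t enc_add_imm32(enum reg32 r, uint32_t imm) {
    insn_t i = { .len = 0 };
    if (r == EAX) {
        i.bytes[i.len++] = 0x05;
    } else {
        i.bytes[i.len++] = 0x81;
        i.bytes[i.len++] = (uint8_t)(0xC0 | r);   /* mod=11, reg field /0, rm=r */
    }
    put_imm32(&i, imm);
    return i;
}

/* XOR r/m32, r32  ->  31 /r with ModRM 11 sss ddd (2 bytes, never a NUL) */
insn_t enc_xor_rr(enum reg32 dst, enum reg32 src) {
    insn_t i = { .len = 0 };
    i.bytes[i.len++] = 0x31;
    i.bytes[i.len++] = (uint8_t)(0xC0 | (src << 3) | dst);
    return i;
}

/* Shellcode delivered through a C string copy is cut off at the first 0x00,
 * so count the NUL bytes an encoding would inject. */
size_t count_nul(const insn_t *i) {
    size_t n = 0;
    for (size_t k = 0; k < i->len; k++) if (i->bytes[k] == 0) n++;
    return n;
}

static void show(const char *name, insn_t i) {
    printf("%-16s", name);
    for (size_t k = 0; k < i.len; k++) printf("%02X ", i.bytes[k]);
    printf(" (%zu bytes, %zu NUL)\n", i.len, count_nul(&i));
}

int main(void) {
    show("mov eax, 0", enc_mov_imm32(EAX, 0));
    show("xor eax, eax", enc_xor_rr(EAX, EAX));
    show("add eax, 10", enc_add_imm32(EAX, 10));
    show("add ecx, 10", enc_add_imm32(ECX, 10));
    return 0;
}
```

A real assembler would pick the imm8 form (83 /0 ib) for small constants; the imm32 forms are used here because they make the EAX short form and the NUL-byte problem visible in one place.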

15
Q

INC/DEC op1

A

Increment or decrement the value of the operand by one. Unlike ADD/SUB, they leave the carry flag unchanged.

16
Q

CMP op1, op2

A

Compare the value of two operands (register/memory address/constant) by computing op1 - op2, discarding the result and setting the EFLAGS status bits (CF, ZF, SF, OF) accordingly. A following conditional jump reads those flags.

17
Q

Jump (JMP) and conditional jump (je, jz, etc)

A

As the name implies, these instructions transfer execution to another location in the instruction stream. JMP always jumps, whereas the conditional jumps (JE, JZ, JNE, JB, JL, etc.) are taken only if the EFLAGS bits set by the preceding CMP or arithmetic instruction satisfy the condition. For example, you might compare the values of two registers and jump to a location if they are equal (JE, taken when the zero flag ZF = 1; JZ is the same instruction under another name). Note that the unsigned conditions (JA/JB, which read CF) and the signed ones (JG/JL, which read SF and OF) disagree on values such as 0xFFFFFFFF, which is 4294967295 unsigned but -1 signed.
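The CMP and conditional-jump cards, as an added example in plain C (not from the original flashcards and not inline assembly): cmp32 computes the CF, ZF, SF and OF bits the way the CPU does for op1 - op2, and jcc_taken evaluates a handful of jump conditions against them, including the signed/unsigned distinction the card’s “etc” hides. The flag bit positions are the real EFLAGS ones; the function names and test values are this example’s own.

```c
/* Added example (not from the original flashcards): a plain-C model of how
 * CMP sets the EFLAGS bits and how the conditional jumps read them. It
 * covers the four arithmetic status flags (CF, ZF, SF, OF) and a handful of
 * jump conditions; it is a simulation, not real inline assembly. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

enum { CF = 1u << 0, ZF = 1u << 6, SF = 1u << 7, OF = 1u << 11 };  /* EFLAGS bit positions */

/* CMP op1, op2 computes op1 - op2, discards the result and keeps the flags. */
uint32_t cmp32(uint32_t op1, uint32_t op2) {
    uint32_t result = op1 - op2;
    uint32_t flags = 0;
    if (op1 < op2)                 flags |= CF;   /* unsigned borrow */
    if (result == 0)               flags |= ZF;
    if (result & 0x80000000u)      flags |= SF;   /* sign bit of the result */
    /* Signed overflow: the operands have different signs and the result's
     * sign differs from op1's sign. */
    if (((op1 ^ op2) & (op1 ^ result)) & 0x80000000u) flags |= OF;
    return flags;
}

typedef enum { JE, JNE, JB, JAE, JA, JL, JGE, JG } jcc_t;

/* Is the conditional jump taken for this EFLAGS value?
 * JE/JZ are the same opcode; JB/JA are unsigned, JL/JG are signed. */
bool jcc_taken(jcc_t j, uint32_t flags) {
    bool cf = flags & CF, zf = flags & ZF, sf = flags & SF, of = flags & OF;
    switch (j) {
        case JE:  return zf;
        case JNE: return !zf;
        case JB:  return cf;                /* below (unsigned <) */
        case JAE: return !cf;               /* above or equal (unsigned >=) */
        case JA:  return !cf && !zf;        /* above (unsigned >) */
        case JL:  return sf != of;          /* less (signed <) */
        case JGE: return sf == of;          /* greater or equal (signed >=) */
        case JG:  return !zf && (sf == of); /* greater (signed >) */
    }
    return false;
}

int main(void) {
    /* 0xFFFFFFFF is 4294967295 unsigned but -1 signed: JA and JG disagree,
     * which is the shape of many length-check bypasses. */
    uint32_t f = cmp32(0xFFFFFFFFu, 1);
    printf("cmp -1, 1: JA taken=%d  JG taken=%d\n", jcc_taken(JA, f), jcc_taken(JG, f));
    f = cmp32(5, 5);
    printf("cmp 5, 5: ZF=%d JE taken=%d\n", !!(f & ZF), jcc_taken(JE, f));
    return 0;
}
```

When reading a disassembled bounds check, the jump mnemonic tells you whether the compiler treated the length as signed or unsigned, and therefore whether a negative-looking value slips past it.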

18
Q

ADD DWORD PTR [X] or MOV eax, [ebx]

A

The square brackets mean the value stored at that memory address. In other words, EBX refers to the contents of the register, whereas [EBX] refers to the value stored at the memory address held in EBX. The DWORD PTR prefix tells the assembler the size of the memory operand (4 bytes) when it cannot be inferred from the other operand, e.g. when the other operand is a constant.

19
Q

BYTE

A

1 byte

20
Q

WORD

A

2 bytes

21
Q

DWORD

A

4 bytes

22
Q

Kernel Land

A

This portion of memory is reserved by the OS for device drivers, the system cache, the paged/non-paged pools, the HAL, etc. User-mode code cannot access it; an attempt faults. Note: for a thorough explanation of Windows memory management you should check out the Windows Internals books (currently two volumes).

23
Q

PEB and TEB(s)

A

When you run a program/application, the OS creates an instance of that executable known as a process. Each process provides the resources necessary to run an instance of that program. Every Windows process has an executive process (EPROCESS) structure that contains process attributes and pointers to related data structures. While the EPROCESS structure itself resides in Kernel Land, the Process Environment Block (PEB) resides in user-accessible memory. The PEB contains various user-mode parameters about a running process (loaded module list, image base, heap information, etc.); 32-bit shellcode typically locates it through the TEB at FS:[0x30]. You can use WinDbg to easily examine the contents of the PEB by issuing the !peb command.

A process can have one or more threads, which serve as the basic unit to which the operating system allocates processor time. Each process begins with a single thread (the primary thread) but can create additional threads as needed. All of the threads share the same virtual address space and system resources allocated to the parent process. Each thread also has its own resources, including exception handlers, priorities, local storage, etc. Just as each process has a PEB, each thread has a Thread Environment Block (TEB). The TEB stores context information for the image loader and various Windows DLLs, as well as the location of the exception handler list (which we’ll cover in detail in a later post). Like the PEB, the TEB resides in the process address space, since user-mode components require writable access to it.

24
Q

DLLs

A

Windows programs take advantage of shared code libraries called Dynamic Link Libraries (DLLs), which allow for efficient code reuse and memory allocation. These DLLs (also known as modules or executable modules) occupy a portion of the process’s memory space. As shown in the Memory Map screenshot, you can view them in Immunity Debugger in the Memory view (Alt+M), or if you want to see only the DLLs you can select the Executable Modules view (Alt+E). There are OS/system modules (ntdll, user32, etc.) as well as application-specific modules; the latter are often useful in crafting overflow exploits because they are less likely to be rebased or compiled with protections (covered in future posts).

25
Q

Program Image

A

The Program Image portion of memory is where the executable itself is mapped. This includes the .text section (containing the executable code/CPU instructions), the .data section (containing the program’s global data) and the .rsrc section (containing non-executable resources, including icons, images, and strings).

26
Q

Heap

A

The heap is the dynamically allocated (e.g. malloc()) portion of memory a program uses for data whose size or lifetime isn’t known at compile time. (Global variables live in the program image’s .data section, not on the heap.) Unlike the stack, heap memory must be managed by the application: an allocation remains in use until the program frees it or terminates. You can think of the heap as a shared pool of memory, whereas the stack, which we’ll cover next, is more organized and compartmentalized. I won’t go much deeper into the heap just yet but plan to cover it in a later post on heap overflows.

27
Q

The Stack

A

Unlike the heap, where allocations are made in arbitrary order and persist until explicitly freed, the stack is used to allocate short-term storage for local (function/method) variables in an ordered manner, and that memory is released when the function returns. Recall how a given process can have multiple threads: each thread has its own stack, and each function call gets its own stack frame on that stack. The size of the frame is fixed by the compiler when the function is entered, and the frame is discarded at the conclusion of the function.

28
Q

PUSH and POP

A

Before we look at how a function is assigned a stack frame, let’s take a quick look at some simple PUSH and POP instructions so you can see how data is placed onto and taken off of the stack. The stack is a last-in first-out (LIFO) structure meaning the last item you put on the stack is the first item you take off. You “push” items onto the top of the stack and you “pop” items off of the top of the stack. Let’s take a look at this in action…

29
Q

Stack Frames and Functions

A

When a function is called, a stack frame is created to hold its return address, saved registers and local variables. Each call gets its own stack frame, which is placed on top of the current stack; because the x86 stack grows toward lower addresses, each new frame sits below (at a lower address than) its caller’s frame.
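The PUSH/POP and stack frame cards, as an added example (not from the original flashcards): a byte-array model of a 32-bit stack with PUSH, POP, CALL, RET and the usual EBP prologue/epilogue. It shows where a 16-byte local buffer sits relative to the saved EBP and the return address, and what RET loads into EIP when 16 versus 24 bytes are written into that buffer. The addresses, the 16-byte frame, the function names and the 0x41414141 filler are all constructed for the example; nothing here is a real program’s layout.

```c
/* Added example (not from the original flashcards): a byte-array model of a
 * 32-bit stack, with PUSH/POP, CALL/RET and the standard EBP-based frame
 * prologue and epilogue. It shows where a function's local buffer sits
 * relative to the saved EBP and the return address, which is why a local
 * buffer that is overrun reaches the value RET loads into EIP. Simulation
 * only; the addresses and the 'A' filler are constructed for the example. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define STACK_SIZE 256
#define STACK_BASE 0x00100000u  /* constructed virtual address of mem[0] */

typedef struct {
    uint8_t  mem[STACK_SIZE];
    uint32_t esp, ebp, eip;
} cpu_t;

static uint8_t *ptr(cpu_t *c, uint32_t addr) { return &c->mem[addr - STACK_BASE]; }

/* x86 is little-endian; memcpy through the byte array keeps host byte order. */
static void store32(cpu_t *c, uint32_t addr, uint32_t v) { memcpy(ptr(c, addr), &v, 4); }
static uint32_t load32(cpu_t *c, uint32_t addr) { uint32_t v; memcpy(&v, ptr(c, addr), 4); return v; }

void cpu_init(cpu_t *c) {
    memset(c, 0, sizeof *c);
    c->esp = STACK_BASE + STACK_SIZE;  /* empty stack: ESP at the high end */
    c->ebp = c->esp;
}

/* PUSH decrements ESP first, then stores: the stack grows toward lower addresses. */
void push32(cpu_t *c, uint32_t v) { c->esp -= 4; store32(c, c->esp, v); }
uint32_t pop32(cpu_t *c)          { uint32_t v = load32(c, c->esp); c->esp += 4; return v; }

/* CALL pushes the address of the instruction after it, then jumps. */
void call(cpu_t *c, uint32_t target, uint32_t return_addr) { push32(c, return_addr); c->eip = target; }
/* RET pops whatever is at ESP into EIP: it trusts the stack completely. */
void ret(cpu_t *c) { c->eip = pop32(c); }

/* push ebp / mov ebp, esp / sub esp, frame_size; returns the address of the lowest local */
uint32_t prologue(cpu_t *c, uint32_t frame_size) {
    push32(c, c->ebp);
    c->ebp = c->esp;
    c->esp -= frame_size;
    return c->ebp - frame_size;      /* the local buffer lives at [ebp - frame_size] */
}
/* leave (mov esp, ebp / pop ebp) */
void epilogue(cpu_t *c) { c->esp = c->ebp; c->ebp = pop32(c); }

/* Call a function that has a 16-byte local buffer, write n bytes of 'A' into
 * that buffer without a bounds check, and return the EIP that RET loads. */
uint32_t run_with_write(uint32_t n) {
    cpu_t c;
    cpu_init(&c);
    const uint32_t return_addr = 0x08048123u;  /* constructed caller address */
    call(&c, 0x08048200u, return_addr);        /* constructed callee address */
    uint32_t buf = prologue(&c, 16);
    if (buf - STACK_BASE + n > STACK_SIZE) return 0;  /* keep the model itself in bounds */
    memset(ptr(&c, buf), 'A', n);              /* the unchecked write */
    epilogue(&c);
    ret(&c);
    return c.eip;
}

int main(void) {
    cpu_t c; cpu_init(&c);
    call(&c, 0x08048200u, 0x08048123u);
    uint32_t buf = prologue(&c, 16);
    printf("buffer at     %08x\n", buf);
    printf("saved EBP at  %08x (buffer + %u)\n", c.ebp, (unsigned)(c.ebp - buf));
    printf("ret addr at   %08x (buffer + %u)\n", c.ebp + 4, (unsigned)(c.ebp + 4 - buf));
    printf("16-byte write -> EIP = %08x\n", run_with_write(16));
    printf("24-byte write -> EIP = %08x\n", run_with_write(24));
    return 0;
}
```

With a 16-byte frame the saved EBP is at buffer + 16 and the return address at buffer + 20, so a 20-byte write only corrupts EBP while a 24-byte write replaces the return address; the first case often shows up as a crash somewhere after the function returns, the second as EIP = 0x41414141.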

30
Q

SP

A

The lower 16 bits of ESP.

31
Q

CS

A

Code segment register: holds the selector of the segment instructions are fetched from (CS:EIP).

32
Q

DS

A

Data segment register: the default segment for most memory operands.

33
Q

SS

A

Stack segment register: the segment used by PUSH/POP and by memory operands that reference ESP or EBP.

34
Q

ES

A

Extra (data) segment register: the destination segment for string instructions (ES:EDI).

35
Q

FS

A

Extra data segment register. On 32-bit Windows FS points to the current thread’s TEB, so FS:[0] is the head of the SEH exception handler list and FS:[0x30] is the pointer to the PEB.

36
Q

GS

A

Extra data segment register. Generally unused by 32-bit Windows user-mode code; on 64-bit Windows GS takes over the role FS has on 32-bit and points to the TEB.

37
Q

EFLAGS

A

The status and control flags register. Arithmetic and compare instructions set the status bits (CF, ZF, SF, OF, PF, AF), and conditional jumps and SETcc read them; it also holds control/system bits such as DF (string direction) and IF (interrupt enable).

38
Q

FPU

A

The x87 floating point unit. Eight 80-bit registers, st0 to st7, organized as a register stack.

39
Q

SIMD

A
Single Instruction, Multiple Data: one instruction operates on several packed values at once. The x86 SIMD extensions include:
- MMX
- SSE
- SSE2
- SSE3

40
Q

MMX

A

Eight 64-bit registers, mm0 to mm7, carved out of (aliased onto the low 64 bits of) the x87 FPU registers st0 to st7, so MMX and x87 code cannot use them at the same time; EMMS switches the registers back to FPU use.

41
Q

XMM

A

128-bit registers, xmm0 to xmm7 in 32-bit mode (64-bit mode adds xmm8 to xmm15), used by SSE and later extensions.

42
Q

CPU Real Mode

A

The mode the CPU is in at power-up or reset.
Only 1 MB of memory is addressable (20-bit segment:offset addresses).
No memory protection.
Privilege levels are not available.

43
Q

CPU Protected Mode

A

Up to 4 GB of linear address space.
Memory protection, privilege levels (rings 0 to 3), paging and multitasking are available.
Includes a special virtual-8086 sub-mode for running real-mode code under a protected-mode OS.

44
Q

System management mode

A

Entered on a System Management Interrupt (SMI) and used by firmware for power management and other platform tasks, transparently to the OS.

45
Q

Double Word

A

32bits

46
Q

Quad Word

A

64bits

47
Q

Double Quad Word

A

128bits

48
Q

access memory reference

A

Use square brackets, e.g. MOV EAX, [message] moves the value stored at the address message into EAX, whereas MOV EAX, message (or LEA EAX, [message]) loads the address itself.

49
Q

MOV

A

Move data: between two registers, between a register and memory (in either direction), or an immediate (constant) value into a register or memory. There is no memory-to-memory MOV; go through a register.

50
Q

LEA

A

Load Effective Address. LEA EAX, [label] loads the address (pointer) of label into EAX without reading memory; contrast MOV EAX, [label], which loads the contents. Because it computes base + index*scale + displacement, LEA is also used for arithmetic that must not touch the flags.

51
Q

XCHG

A

XCHG register, register exchanges the contents of two registers. XCHG register, memory also works and is implicitly locked (atomic).

52
Q

MOV dword [sample], eax

A

Moves the 32 bits (4 bytes) of EAX into the memory location sample; the dword size specifier makes the operand size explicit.

53
Q

clc

A

clear carry flag

54
Q

stc

A

set carry flag

55
Q

adc

A

Add with carry: op1 = op1 + op2 + CF. Used after ADD to chain additions of values wider than a register, e.g. 64-bit arithmetic in 32-bit code.