Assembly Basics Flashcards
Immunity Debugger - F9
Play/Run Program
Immunity Debugger - F7
Step into next instruction (but pause execution)
EAX
Accumulator Register
32-bits
Common calculations (ADD / SUB)
Efficient - one-byte opcodes, good for limited available buffer space (compact shellcode)
AX
Lower half of EAX
16-bits
AH
Higher half of AX 8-bits
AL
Lower half of AX 8-bits
EBX
Base Register
32-bits
Catch-all register
No special purpose
BX
Lower half of EBX
16-bits
BH
Higher half of BX 8-bits
BL
Lower half of BX 8-bits
ECX
Counter Register
32-bits
Frequently used for Loop and Function repetition counter
Can store any data like EAX
CX
Lower half of ECX
16-bits
CH
Higher half of CX 8-bits
CL
Lower half of CX 8-bits
EDX
Data Register
32-bits
Mathematical operations (Division / Multiplication)
Used for overflow, where the most significant bits are stored in EDX and the least significant bits are stored in EAX
DX
Lower half of EDX
16-bits
DH
Higher half of DX 8-bits
DL
Lower half of DX 8-bits
ESI
Source Index
Counterpart to EDI
Stores the pointer to the read location
E.g. If a function is designed to read a string, ESI would hold the pointer to the location of that string
EDI
Destination Index
Can be and is used for general data storage, but it is primarily designed to store destination pointers for functions, such as the write address of a string operation
EBP
Base Pointer
Used to keep track of the base/bottom of the stack
Used to reference variables located on the stack by using an offset to the current value of EBP
If parameters are only referenced by register, you may choose to use EBP for general use
ESP
Stack Pointer
Used to track the top of the stack - LIFO
ESP decrements/increments as items are pushed onto/popped off the stack
EIP
Instruction Pointer
Points to the memory address of the next instruction to be executed by the CPU
EFLAGS
Comprised of a series of flags that represent Boolean values resulting from calculations and comparisons and can be used to determine when/if to take conditional jumps
ADD/SUB op1,op2
add or subtract two operands, storing the result in the first operand
These can be registers, memory locations (at most one) or constants
E.g. ADD EAX, 10 == add 10 to the VALUE of EAX and store the result in EAX
XOR EAX, EAX
Performing an ‘exclusive or’ of a register with itself sets its value to zero. Easy way of clearing the contents of a register
INC/DEC op1
Increment or Decrement the value of the operand by one
CMP op1, op2
compare the value of two operands (register/memory address/constant) and set the appropriate EFLAGS value
JMP (Jump) and conditional jump(je, jz, etc)
as the name implies these instructions allow you to jump to another location in the execution flow/instruction set. The JMP instruction simply jumps to a location whereas the conditional jumps (je, jz, etc) are taken only if certain criteria are met (using the EFLAGS register values mentioned earlier). For example, you might compare the values of two registers and jump to a location if they are both equal (uses je instruction and zero flag (zf) = 1).
Brackets [] E.g. [x] or MOV eax, [ebx]
Refers to the value stored at memory address X. In other words, EBX refers to the contents of EBX whereas [EBX] refers to the value stored at the memory address held in EBX.
BYTE
1 byte or 8 bits
WORD
2 bytes or 16 bits
DWORD (double word)
4 bytes or 32 bits
NOP
No Operation - used as padding
NOP = XCHG (E)AX,(E)AX : swapping EAX with itself does nothing
PUSH
Push Word, Doubleword, or Quadword onto the stack
POP
Pop a value from the Stack
Take a DWORD off the stack, put it in a register, and increment ESP by 4
CALL
CALL’s job is to transfer control to a different function, in a way that control can later be resumed where it left off (EIP)
First it pushes the address of the next instruction onto the stack - for use by RET when the procedure is done
RET
Two forms:
- Pop the top of the stack into EIP (remember pop increments stack pointer)
- Pop the top of the stack into EIP and add a constant number of bytes to ESP
MOV
Move
Can move:
- register to register
- memory to register, register to memory
- immediate to register, immediate to memory
*Never memory to memory
.text
contains the executable code/CPU instructions
.data
contains the program’s global data
.rsrc
contains non-executable resources, including icons, images, and strings
Heap
dynamically allocated
store global variables
managed by the program NOT the OS and thus must be freed
/proc/{pid}/maps
view process organization
pmap
view process organization
Symbol Files
- info sources
- info variables (not local variables)
- info scope function_name
- info functions
- maint print symbols filename_to_store
NM Symbol Type - A
Absolute Symbol
NM Symbol Type - B
In the Uninitialized Data Section (BSS)
NM Symbol Type - D
In the Initialized Data Section
NM Symbol Type - N
Debugging Symbol
NM Symbol Type - T
In the Text Section
NM Symbol Type - U
Symbol Undefined right now
Strace
Traces all System Calls made by the program
Strace Filter for system calls
strace -r -e {list of calls} file_name args
Strace attach to running process
strace -p process_id