Assembly Basics

Question 1

Immunity Debugger - F9

Answer 1

Play/Run Program

Question 2

Immunity Debugger - F7

Answer 2

Step into next instruction (but pause execution)

Question 3

EAX

Answer 3

Accumulator Register
32-bits
common calculations (ADD / SUB)
efficient - one-byte opcodes
good for limited available buffer space (compact shellcode)

Question 4

AX

Answer 4

Lower half of EAX

16-bits

Question 5

AH

Answer 5

Higher half of AX 8-bits

Question 6

AL

Answer 6

Lower half of AX 8-bits

Question 7

EBX

Answer 7

Base Register
32-bits
Catch-all register
No special purpose

Question 8

BX

Answer 8

Lower half of EBX

16-bits

Question 9

BH

Answer 9

Higher half of BX 8-bits

Question 10

BL

Answer 10

Lower half of BX 8-bits

Question 11

ECX

Answer 11

Counter Register
32-bits
Frequently used for Loop and Function repetition counter
Can store any data like EAX

Question 12

CX

Answer 12

Lower half of ECX

16-bits

Question 13

CH

Answer 13

Higher half of CX 8-bits

Question 14

CL

Answer 14

Lower half of CX 8-bits

Question 15

EDX

Answer 15

Data Register
32-bits
Mathematical operations
Division / Multiplication
used for overflow were most significant bits stored in EDX and least significant bits stored in EAX

Question 16

DX

Answer 16

Lower half of EDX

16-bits

Question 17

DH

Answer 17

Higher half of DX 8-bits

Question 18

DL

Answer 18

Lower half of CX 8-bits

Question 19

ESI

Answer 19

Source Index
Counterpart to EDI
Stores the pointer to the read location
E.g. If a function is designed to read a string, ESI would hold the pointer to the location of that string

Question 20

EDI

Answer 20

Destination Index
Can be and is used for general data storage it’s primarily designed to store the storage pointers functions, such as the write address of a string operation

Question 21

EBP

Answer 21

Base Pointer
Used to keep track of the base/bottom of the stack
Used to reference variables located on the stack by using an offset to the current value of EBP
If parameters are only referenced by register, you may choose to use EBP for general use

Question 22

ESP

Answer 22

Stack Pointer
Used to track the top of the stack - LIFO
ESP increments/decrements when items are added/removed from the stack

Question 23

EIP

Answer 23

Instruction Pointer

Points to the memory address of the next instruction to be executed by the CPU

Question 24

EFLAGS

Answer 24

Comprised of a series of flags that represent Boolean values resulting from calculations and comparisons and can be used to determine when/if to take conditional jumps

Question 25

ADD/SUB op1,op2

Answer 25

add or subtract two operands, storing the result in the first operand
These can be registers, memory locations(limit 1) or constants
E.g. ADD EAX, 10 == add 10 to the VALUE of EAX and store the result in EAX

Question 26

XOR EAX, EAX

Answer 26

Perform an ‘exclusive or’ of a register with itself sets it’s value to zero. Easy way of clearing the contents of a register

Question 27

INC/DEC op1

Answer 27

Increment or Decrement the value of the operand by one

Question 28

CMP op1, op2

Answer 28

compare the value of two operands (register/memory address/constant) and set the appropriate EFLAGS value

Question 29

JMP (Jump) and conditional jump(je, jz, etc)

Answer 29

as the name implies these instructions allow you to jump to another location in the execution flow/instruction set. The JMP instruction simply jumps to a location whereas the conditional jumps (je, jz, etc) are taken only if certain criteria are met (using the EFLAGS register values mentioned earlier). For example, you might compare the values of two registers and jump to a location if they are both equal (uses je instruction and zero flag (zf) = 1).

Question 30

Brackets [] E.g. [x] or MOV eax, [ebx]

Answer 30

it is referring to the value stored at memory address X. In other words, EBX refers to the contents of EBX whereas [EBX] refers to the value stored at the memory address in EBX.

Question 31

BYTE

Answer 31

1 byte or 8 bits

Question 32

WORD

Answer 32

2 bytes or 16 bits

Question 33

DWORD (double word)

Answer 33

4 bytes or 32 bits

Question 34

NOP

Answer 34

No Operation - used as padding

NOP = XCHG (E)AX,(E)AX : just swapping EAX value with itself - does nothing

Question 35

PUSH

Answer 35

Push Word, Doubleword, or Quadword onto the stack

Question 36

POP

Answer 36

Pop a value from the Stack

Take a DWORD off the stack, put it in a register, and increment ESP by 4

Question 37

CALL

Answer 37

CALL’s job is to transfer control to a different function, in a way that control can later be resumed where it left off (EIP)
First it pushes the address of the next instruction on tot the stack - for use by RET for when the procedure is done

Question 38

RET

Answer 38

Two forms:

• Pop the top of the stack into EIP (remember pop increments stack pointer)
• Pop the top of the stack into EIP and add a constant number of bytes to ESP

Question 39

MOV

Answer 39

Move
Can move :
- register to register
- memory to register, register to memory
- immediate to register, immediate to memory
*Never memory to memory

Question 40

.text

Answer 40

contains the executable code/CPU instructions

Question 41

.data

Answer 41

contains the program’s global data

Question 42

.rsrc

Answer 42

contains non-executable resources, including icons, images, and strings

Question 43

Heap

Answer 43

dynamically allocated
store global variables
managed by the program NOT the OS and thus must be freed

Question 44

/proc/{pid}/maps

Answer 44

view process organization

Question 45

pmaps

Answer 45

view process organization

Question 46

Symbol Files

Answer 46

Info sources
Info variables (not local variables)
Info scope function_name
Info functions
maint print symbols filename_to_store

Question 47

NM Symbol Type - A

Answer 47

Absolute Symbol

Question 48

NM Symbol Type - B

Answer 48

In the Uninitialized Data Section (BSS)

Question 49

NM Symbol Type - D

Answer 49

In the Initialized Data Section

Question 50

NM Symbol Type - N

Answer 50

Debugging Symbol

Question 51

NM Symbol Type - T

Answer 51

In the Text Section

Question 52

NM Symbol Type - U

Answer 52

Symbol Undefined right now

Question 53

Strace

Answer 53

Traces all System Calls made by the program

Question 54

Strace Filter for system calls

Answer 54

strace -r -e {list of calls} file_name args

Question 55

Strace attach to running process

Answer 55

Strace -p process_id