General Assembly Flashcards
Learn the basic components and terms that relate to x86 Assembly
What does the CPU Instructions pane display in Immunity?
displays the memory address, opcode and assembly instructions, additional comments, function names and other information related to the CPU instructions
What is the purpose of the Registers pane in Immunity?
displays the contents of the general purpose registers, instruction pointer, and flags associated with the current state of the application
What does the STACK pane display in Immunity?
shows the contents of the current stack
What does the Memory Dump pane display in Immunity?
shows the contents of the application’s memory
What programs can be used to debug a Windows system?
Immunity or WinDbg
What is the EAX register?
The Accumulator Register: the primary register used for common calculations (such as ADD and SUB). It has preferential status, being assigned more efficient, one-byte opcodes. In addition, EAX is also used to store the return value of a function.
How many bits is the EAX register?
32-bits total in length
Name the least and most significant portions of EAX.
EAX refers to the 32-bit register in its entirety. AX refers to the least significant 16 bits, which can be further broken down into AH (the 8 most significant bits of AX) and AL (the 8 least significant bits of AX).
What is the EBX register?
a catch-all for available storage
What is the ECX register?
frequently used as a loop and function repetition counter, though it can also be used to store any data
What is the EDX register?
often used in mathematical operations like division and multiplication to deal with overflow, where the most significant bits are stored in EDX and the least significant in EAX; also commonly used for storing function variables.
What is the ESI register?
The Source Index, ESI, is often used to store the pointer to a read location.
What is the EDI register?
EDI, the Destination Index, was primarily designed to store the storage pointers of functions, such as the write address of a string operation.
What is the EBP register?
EBP, Base Pointer, is used to keep track of the base/bottom of the stack within the current stack frame.
What is the ESP register?
ESP, the Stack Pointer, is used to track the top of the stack. As items are pushed to and popped from the stack, ESP decrements or increments accordingly.
What is the EIP?
EIP, the Instruction Pointer, points to the memory address of the next instruction to be executed by the CPU. The holy grail for shellcoding.
What is a DLL?
Shared code libraries called Dynamic Link Libraries (DLLs), which allow for efficient code reuse and memory allocation. DLLs (also known as modules or executable modules) occupy a portion of the memory space.
What is the HEAP?
Dynamically allocated (e.g. via malloc()) portion of memory that a program uses to store global variables.
What is a Program Image?
Portion of memory where the executable resides, including the .text section (containing the executable code/CPU instructions), the .data section (containing the program’s global data) and the .rsrc section (containing non-executable resources, including icons, images, and strings).
What is the Kernel Land?
Portion of memory reserved by the OS for device drivers, system cache, paged/non-paged pool, HAL, etc.
What is the PEB?
The Process Environment Block (PEB) resides in user-accessible memory. It contains various user-mode parameters about a running process.
What is the TEB?
The Thread Environment Block (TEB) stores context information for the image loader and various Windows DLLs, as well as the location of the exception handler list.
What do ADD op1, op2 and SUB op1, op2 do?
Add or subtract two operands, storing the result in the first operand.
What does ‘XOR EAX, EAX’ syntax perform?
Performing an ‘exclusive or’ of a register with itself sets its value to zero; it is an easy way of clearing the contents of a register.
What is INC/DEC op1?
Increment or decrement the value of the operand by one
What is CMP op1, op2?
Compare the value of two operands (register/memory address/constant) and set the appropriate EFLAGS value.
What does the instruction Jump (JMP) do?
The JMP instruction simply jumps to a location.
What does a conditional jump (JE, JZ, etc.) do?
Conditional jumps are taken only if certain criteria are met (using the EFLAGS register values).
When you see a value in brackets, such as ADD DWORD PTR [X] or MOV EAX, [EBX], what does it mean?
It refers to the value stored at memory address X. In other words, EBX refers to the contents of EBX, whereas [EBX] refers to the value stored at the memory address held in EBX.
What does the MOV instruction accomplish?
The MOV instruction copies a data item from one location to another. In x86 Intel syntax it is written MOV dst, src. It moves data between memory and registers, and immediate data to registers or memory.
What are the relevant size keywords and their coded abbreviations?
BYTE (db) = 8 bits, WORD (dw) = 16 bits, DWORD (dd) = 32 bits, QWORD (dq) = 64 bits, DQWORD (dt) = 128 bits
What does the times directive do in a program?
The “times” directive repeats an instruction or data definition the specified number of times.
Ex:
Data:
zerobuf: times 64 db 0 (repeats db 0 64 times)
What is resb and resw?
resb reserves bytes: resb 100 reserves 100 bytes. resw reserves words: resw 20 reserves 20 words.
What is LEA?
Load Effective Address: loads pointer values (the address of an operand rather than its contents).
Ex:
LEA EAX, [label]
What is exchange (XCHG)?
Exchanges or swaps the values of its two operands.
Ex:
XCHG Register, Register
XCHG Register, Memory