General Assembly

Question 1

What are the CPU Instructions in Immunity?

Answer 1

displays the memory address, opcode and assembly instructions, additional comments, function names and other information related to the CPU instructions

Question 2

What is the purpose of the Registers pane in Immunity?

Answer 2

displays the contents of the general purpose registers, instruction pointer, and flags associated with the current state of the application

Question 3

What does the STACK pane display in Immunity?

Answer 3

shows the contents of the current stack

Question 4

What does the Memory Dump display in Immunity

Answer 4

shows the contents of the application’s memory

Question 5

What programs can be used to debug a Windows system?

Answer 5

Immunity or WinDbg

Question 6

What is the EAX register?

Answer 6

The Accumulator Register - it’s the primary register used for common calculations (such as ADD and SUB). and it has preferential status by assigning it more efficient, one-byte opcodes. In addition, EAX is also used to store the return value of a function.

Question 7

How many bits is the EAX registry?

Answer 7

32-bits total in length

Question 8

Name EAX least and most significant bits?

Answer 8

EAX refers to the 32-bit register in its entirety. AX refers to the least significant 16 bits which can be further broken down into AH (the 8 most high significant bits of AX) and AL (the 8 lowest significant bits).

Question 9

What is the EBX register?

Answer 9

a catch-all for available storage

Question 10

What is the ECX register?

Answer 10

frequently used as a loop and function repetition counter, though it can also be used to store any data

Question 11

What is the EDX register?

Answer 11

often used in mathematical operations like division and multiplication to deal with overflow where the most significant bits would be stored in EDX and the least significant in EAX; also commonly used for storing function variables.

Question 12

What is the ESI register?

Answer 12

The Source Index, ESI, is often used to store the pointer to a read location.

Question 13

What is the EDI register?

Answer 13

EDI, the Destination Index, was primarily designed to store the storage pointers of functions, such as the write address of a string operation.

Question 14

What is the EBP register?

Answer 14

EBP, Base Pointer, is used to keep track of the base/bottom of the stack within the current stack frame.

Question 15

What is the ESP register?

Answer 15

ESP, the Stack Pointer is used to track the top of the stack. As items are moved to and from the stack ESP increments/decrements accordingly.

Question 16

What is the EIP?

Answer 16

EIP, Instruction Pointer, points to the memory address of the next instruction to be executed by the CPU. Holy grail for shell coding.

Question 17

What is a DLL?

Answer 17

Shared code libraries called Dynamic Link Libraries (DLLs), which allows for efficient code reuse and memory allocation. DLLs (also known as modules or executable modules) occupy a portion of the memory. space

Question 18

What is the HEAP?

Answer 18

Dynamically allocated (e.g. malloc( )) portion of memory a program uses to store global variables.

Question 19

What is a Program Image?

Answer 19

Portion of memory where the executable resides including the .text section (containing the executable code/CPU instructions) the .data section (containing the program’s global data) and the .rsrc section (contains non-executable resources, including icons, images, and strings).

Question 20

What is the Kernel Land?

Answer 20

Portion of memory is reserved by the OS for device drivers, system cache, paged/non-paged pool, HAL, etc

Question 21

What is the PEB?

Answer 21

Process Environment Block (PEB) residing in user-accessible memory. It contains various user-mode parameters about a running process.

Question 22

What is the TEB?

Answer 22

Thread Environment Block (TEB) stores context information for the image loader and various Windows DLLs, as well as the location for the exception handler list.

Question 23

What is ADD, SUB op1,op2?

Answer 23

Add or subtract two operands, storing the result in the first operand.

Question 24

What does ‘XOR EAX, EAX’ syntax perform?

Answer 24

Performs an ‘exclusive or’ of a register with itself sets its value to zero; an easy way of clearing the contents of a register.

Question 25

What is INC/DEC op1?

Answer 25

Increment or decrement the value of the operand by one

Question 26

What is CMP op1, op2?

Answer 26

Compare the value of two operands (register/memory address/constant) and set the appropriate EFLAGS value.

Question 27

What does the instruction Jump (JMP) do?

Answer 27

The JMP instruction simply jumps to a location.

Question 28

What does the conditional jump (je, jz,) do?

Answer 28

Conditional jumps are taken only if certain criteria are met (using the EFLAGS register values).

Question 29

When you see a value in brackets such as ADD DWORD PTR [X] or MOV eax, [ebx], what does it mean?

Answer 29

It is referring to the value stored at memory address X. In other words, EBX refers to the contents of EBX whereas [EBX] refers to the value stored at the memory address in EBX.

Question 30

What does the MOV instruction accomplish?

Answer 30

The MOV instruction copies a data item from one location to another. With x86 Intel syntax it’s MOV [dst], [src]. Moves data b/w memory & registers, & immediate data to registers or memory.

Question 31

What are relevant size keywords and its coded abbreviations?

Answer 31

BYTE (db) = 8 bits, WORD (dw) = 16 bits, DWORD (dd) = 32 bits, QWORD (dq) = 64 bits, DQWORD (dt) = 128 bits

Question 32

What does the times value do in a program?

Answer 32

The “times” value multiplies an instruction by a specified value.
Ex:
Data:
Zerobuf: times 64 db 0 (repeat db 0 64 times.)

Question 33

What is resb and resw?

Answer 33

resb = reserves bytes (resb 100) reserves 100 bytes
resw = reserves words (resw20) reserves 20 words

Question 34

What is LEA?

Answer 34

Load Effective Address: loads pointer values
Ex:
LEA EAX, [label]

Question 35

What is exchange?

Answer 35

exchanges or swaps values
Ex:
XCHG Register, Register
XCHG Register, Memory