IA-32 Architecture

Question 1

What are the four main components of the CPU?

Answer 1

• Control unit
• Execution unit
• Registers
• Flags

Question 2

Control Unit

Answer 2

• retrieve/decode instructions

- retrieve/store data in memory

Question 3

Execution Unit

Answer 3

• actual execution of instruction happens here

Question 4

Registers

Answer 4

• internal memory locations used as “variables”

Question 5

Flags

Answer 5

• used to indicate various ‘events’ when execution is happening

Question 6

What are the 6 different IA-32 Registers?

Answer 6

• General Purpose Registers
• Segment Registers
• Flags, EIP
• Floating Point Unit Registers
• MMX Registers
• XMM Registers

Question 7

What is the structure of the first 4 General Purpose Registers?

Answer 7

• Each register is 32-bits wide (0-31)
  1. EAX
• • AX (16-bits wide)
• — AH (8-15), AL (0-7) (each are 8-bits wide)
  2. EBX
• • BX (16-bits wide)
• — BH (8-15), BL (0-7) (each are 8-bits wide)
  3. ECX
• • CX (16-bits wide)
• — CH (8-15), CL (0-7) (each are 8-bits wide)
  4. EDX
• • DX (16-bits wide)
• — DH (8-15), DL (0-7) (each are 8-bits wide)

Question 8

What is the structure of the second 4 General Purpose Registers?

Answer 8

• Each register is 32-bits wide (0-31)
• There are no further divisions into 8-bit halves like the first 4 general purpose registers
  1. ESP
• • SP (16-bits wide)
    2. EBP
• • BP (16-bits wide)
    3. ESI
• • SI (16-bits wide)
    4. EDP
• • DI (16-bits wide)

Question 9

What is the common functionality of each of the 8 General Purpose Registers?

Answer 9

• EAX: accumulator register, used for storing operands and result data
• EBX: base register, pointer to data
• ECX: counter register, loop operations
• EDX: data register, I/O pointer
• ESI/EDI: data pointer registers for memory operations
• ESP: stack pointer registers
• EBP: stack data pointer register

Question 10

What are the 6 Segment Registers and what is the purpose and length of each?

Answer 10

• Each Segment Register is 16-bits wide
• CS: code
• DS: data
• SS: stack
• ES: data
• FS: data
• GS: data

Question 11

EIP

Answer 11

• Instruction Point (the next instruction executed)
• Holy Grail for Shellcoding, Exploit Research, etc.
• 32 bits wide
• Not like a register where you can change the value with MOV, ADD, SUB, etc
• Instead, EIP is changed by using JMP operations

Question 12

How wide is the FPU?

Answer 12

• Floating Point Unit (x87)

- 80 bits wide

Question 13

SIMD

Answer 13

• Single Instruction Multiple Data
• 4 extensions
• Uses MMX and XMM registers

Question 14

What are the four extensions of SIMD?

Answer 14

• MMX
• SSE
• SSE2
• SSE3

Question 15

How wide is the MMX register?

Answer 15

64 bits

Question 16

How wide is the XMM register?

Answer 16

128 bits

Question 17

How do you start the GDB debugger?

Answer 17

gdb /bin/bash

Question 18

What command do you need to execute before running GDB?

Answer 18

break main

Question 19

What command do you execute after creating the break point?

Answer 19

run

Question 20

What command do you run to view the default set of registers?

Answer 20

info registers

Question 21

What command would you execute to see the contents of the EAX register?

Answer 21

display /x $eax

Question 22

What command shows you the next instruction set to be run?

Answer 22

disassemble $eip

Question 23

By default, GDB doesn’t show what three registers?

Answer 23

• FPU
• MMX
• XMM

Question 24

What command would you run to display ALL registers?

Answer 24

info all-registers

Question 25

What are the 2 disassembly "flavors"?

Answer 25

- ATT | - Intel

Question 26

What is the default disassembly flavor of Linux?

Answer 26

ATT

Question 27

What command would you use to change the disassembly flavor to Intel?

Answer 27

- set disassembly-flavor intel

Question 28

What are registers?

Answer 28

- volatile, data not meant to stay here for long - working memory for the processor - data is loaded in to perform computations - data is then loaded out for permanent storage elsewhere - fixed width

Question 29

The Stack

Answer 29

- An array of data sets - LIFO data structure - Behaves similar to a stack of books - Push puts a data set on top of the stack - Pop pulls a data set off the top of the stack - Stack pointer holds the position of the top of the stack - When you push/pop the pointer is moved to the new position of the top of the stack - The Stack pointer is just a register that can be manipulated

Question 30

What is a 'label'?

Answer 30

- A location in assembly code - Syntax is followed by ':' - Example: '_start:'

Question 31

What does 'int x80' do?

Answer 31

- This is the interrupt command that transfers control to an interrupt handler and represents the end of the program - 'int' is the command for 'interrupt' - 0x80 is the hex value for the interrupt handler for system calls

Question 32

What are the steps to create an executable from an assembly file?

Answer 32

1. nasm -f elf32 ex1.asm -o ex1.o | 2. ld -m elf_i386 ex1.o -o ex1

Question 33

What is the executable format used by Linux?

Answer 33

- elf | - Executable and Linking Format

Question 34

What does the 'ld' command do?

Answer 34

- This is the 'linking' command that builds and executable from the output file

Question 35

What does 'echo $?' output?

Answer 35

- the 'exit status' of the assembly/executable program

Question 36

What is multiplied against EBX in the command 'mul ebx'

Answer 36

EAX

Question 37

What is divided by EBX in the command 'mul ebx'

Answer 37

EAX

Question 38

What is the hex value for a new line character?

Answer 38

0x0a

Question 39

What does '.data' do in an assembly program?

Answer 39

- Used to declare the memory region, where data variable are stored for the program - This section can not be expanded after the data elements are declared, and remains static throughout the program - Contains global or static variables which have a pre-defined value and can be modified. - The variables are initially stored within the read-only memory (.text section) and are copied into the .data segment during the start-up routine of the program

Question 40

Which segment does '_start:' belong?

Answer 40

- section .text | - '_start:' is a label, and all labels go within the .text section

Question 41

What does 'jmp skip' instruction do?

Answer 41

- jump to the 'skip:' label in the .text section

Question 42

What does 'cmp ecx, 100' instruction do?

Answer 42

compares ECX to 100

Question 43

What does 'jl skip' instruction do?

Answer 43

- jumps to the 'skip:' label if the preceding 'compare' statement evaluates to 'less than' status. - example: if 'cmp exc, 100' was the preceding instruction, and if 100 is less than ECX, then the 'jl skip' instruction would execute

Question 44

What does 'je' mean?

Answer 44

jump if equal

Question 45

What does 'jne' mean?

Answer 45

jump if not equal

Question 46

What does 'jg' mean?

Answer 46

jump if greater

Question 47

What does 'jge' mean?

Answer 47

jump if greater or equal

Question 48

What does 'jl' mean?

Answer 48

jump if less

Question 49

What does 'jle' mean?

Answer 49

jump if less or equal

Question 50

What does 'dec ecx' instruction do?

Answer 50

decrements ECX by 1

Question 51

What would be the outcome of 'mov [addr], byte 'H'?

Answer 51

- It is important to note that [addr] references a label without an offset, so it is the first place of a string located at 'addr' - 'H' would be placed at the first place of the string located at 'addr' - For example, if 'addr' was created in the .data section as 'addr db "yellow"', the outcome would be "Hellow"

Question 52

What would be the outcome of 'mov [addr+5], byte '!'

Answer 52

- [addr+5] references the first position of 'addr' plus an offset of 5...so it is essentially the sixth place of the string stored at 'addr' - '!' would be placed at the sixth position of the string located at 'addr' - For example, if 'addr' was created in the .data section as 'addr db "Hellow", the outcome would be "Hello!"

Question 53

How large is the value 'db'? | What are some possible example values?

Answer 53

- 1 byte, 8-bits | - db "string", db 0xff, db 100

Question 54

How large is the value 'dw'? | What are some possible example values?

Answer 54

- 2 bytes, 16-bits | - dw 0x1234, dw 1000

Question 55

How large is the value 'dd'? | What are some possible example values?

Answer 55

- 4 bytes, 32-bits | - dd 0x12345678, dd 100000

Question 56

What are the memory addresses of the Stack for a 32-bit system?

Answer 56

- [00] - [04] - [08] - [12] - [16] - [20] - [24] - [28]

Question 57

Where does the Stack pointer (ESP) start before any pushes and pops?

Answer 57

- The bottom of the Stack, [28]

Question 58

If ESP = 28 and the instruction 'push 1234' is executed, where does 1234 go and what is the new value of ESP?

Answer 58

- 1234 goes to [24] and ESP = 24

Question 59

If the Stack looks like the example below, what is the outcome if the instruction 'pop eax' is executed? ESP = 12 ``` [00] 0 [04] 0 [08] 0 [12] 357 [16] 246 [20] 8765 [24] 1234 [28] 0 ```

Answer 59

ESP = 16 ``` [00] 0 [04] 0 [08] 0 [12] 357 [16] 246 [20] 8765 [24] 1234 [28] 0 ``` ** Note: the value of '357' still resides at [12], even though it has been moved to EAX. '357' will remain at [12] until that memory position of the Stack is overwritten with a new value