IA-32 Architecture Flashcards
What are the four main components of the CPU?
- Control unit
- Execution unit
- Registers
- Flags
Control Unit
- retrieve/decode instructions
- retrieve/store data in memory
Execution Unit
- actual execution of instruction happens here
Registers
- internal memory locations used as “variables”
Flags
- used to indicate various ‘events’ when execution is happening
What are the 6 different IA-32 Registers?
- General Purpose Registers
- Segment Registers
- Flags, EIP
- Floating Point Unit Registers
- MMX Registers
- XMM Registers
What is the structure of the first 4 General Purpose Registers?
- Each register is 32 bits wide (bits 0-31)
1. EAX - AX (16 bits wide)
   - AH (bits 8-15), AL (bits 0-7) (each 8 bits wide)
2. EBX - BX (16 bits wide)
   - BH (bits 8-15), BL (bits 0-7) (each 8 bits wide)
3. ECX - CX (16 bits wide)
   - CH (bits 8-15), CL (bits 0-7) (each 8 bits wide)
4. EDX - DX (16 bits wide)
   - DH (bits 8-15), DL (bits 0-7) (each 8 bits wide)
What is the structure of the second 4 General Purpose Registers?
- Each register is 32 bits wide (bits 0-31)
- Unlike the first 4 general purpose registers, there is no further division into 8-bit halves
1. ESP - SP (16 bits wide)
2. EBP - BP (16 bits wide)
3. ESI - SI (16 bits wide)
4. EDI - DI (16 bits wide)
What is the common functionality of each of the 8 General Purpose Registers?
- EAX: accumulator register, used for storing operands and result data
- EBX: base register, pointer to data
- ECX: counter register, loop operations
- EDX: data register, I/O pointer
- ESI/EDI: data pointer registers for memory operations
- ESP: stack pointer register
- EBP: stack data pointer register
What are the 6 Segment Registers and what is the purpose and length of each?
- Each Segment Register is 16-bits wide
- CS: code
- DS: data
- SS: stack
- ES: data
- FS: data
- GS: data
EIP
- Instruction Pointer (the next instruction to be executed)
- Holy Grail for Shellcoding, Exploit Research, etc.
- 32 bits wide
- Not like a register whose value you can change directly with MOV, ADD, SUB, etc.
- Instead, EIP is changed by using JMP operations
How wide is the FPU?
- Floating Point Unit (x87)
- 80 bits wide
SIMD
- Single Instruction Multiple Data
- 4 extensions
- Uses MMX and XMM registers
What are the four extensions of SIMD?
- MMX
- SSE
- SSE2
- SSE3
How wide is the MMX register?
64 bits
How wide is the XMM register?
128 bits
How do you start the GDB debugger?
gdb /bin/bash
What command do you need to execute before running GDB?
break main
What command do you execute after creating the break point?
run
What command do you run to view the default set of registers?
info registers
What command would you execute to see the contents of the EAX register?
display /x $eax
What command shows you the next instruction set to be run?
disassemble $eip
By default, GDB doesn’t show what three registers?
- FPU
- MMX
- XMM
What command would you run to display ALL registers?
info all-registers
What are the 2 disassembly “flavors”?
- ATT
- Intel
What is the default disassembly flavor of Linux?
ATT
What command would you use to change the disassembly flavor to Intel?
- set disassembly-flavor intel
What are registers?
- volatile, data not meant to stay here for long
- working memory for the processor
- data is loaded in to perform computations
- data is then loaded out for permanent storage elsewhere
- fixed width
The Stack
- An array of data sets
- LIFO data structure
- Behaves similar to a stack of books
- Push puts a data set on top of the stack
- Pop pulls a data set off the top of the stack
- Stack pointer holds the position of the top of the stack
- When you push/pop the pointer is moved to the new position of the top of the stack
- The Stack pointer is just a register that can be manipulated
What is a ‘label’?
- A location in assembly code
- Syntax is followed by ‘:’
- Example: ‘_start:’
What does ‘int x80’ do?
- This is the interrupt command that transfers control to an interrupt handler and represents the end of the program
- ‘int’ is the command for ‘interrupt’
- 0x80 is the hex value for the interrupt handler for system calls
What are the steps to create an executable from an assembly file?
1. nasm -f elf32 ex1.asm -o ex1.o
2. ld -m elf_i386 ex1.o -o ex1
What is the executable format used by Linux?
- elf
- Executable and Linking Format
What does the ‘ld’ command do?
- This is the ‘linking’ command that builds an executable from the object file output
What does ‘echo $?’ output?
- the ‘exit status’ of the assembly/executable program
What is multiplied against EBX in the command ‘mul ebx’?
EAX
What is divided by EBX in the command ‘div ebx’?
EAX
What is the hex value for a new line character?
0x0a
What does ‘.data’ do in an assembly program?
- Used to declare the memory region where data variables are stored for the program
- This section can not be expanded after the data elements are declared, and remains static throughout the program
- Contains global or static variables which have a pre-defined value and can be modified.
- The variables are initially stored within the read-only memory (.text section) and are copied into the .data segment during the start-up routine of the program
Which segment does ‘_start:’ belong?
- section .text
- ‘_start:’ is a label, and all labels go within the .text section
What does ‘jmp skip’ instruction do?
- jump to the ‘skip:’ label in the .text section
What does ‘cmp ecx, 100’ instruction do?
compares ECX to 100
What does ‘jl skip’ instruction do?
- jumps to the ‘skip:’ label if the preceding ‘compare’ statement evaluates to ‘less than’ status.
- example: if ‘cmp ecx, 100’ was the preceding instruction, and if 100 is less than ECX, then the ‘jl skip’ instruction would execute
What does ‘je’ mean?
jump if equal
What does ‘jne’ mean?
jump if not equal
What does ‘jg’ mean?
jump if greater
What does ‘jge’ mean?
jump if greater or equal
What does ‘jl’ mean?
jump if less
What does ‘jle’ mean?
jump if less or equal
What does ‘dec ecx’ instruction do?
decrements ECX by 1
What would be the outcome of ‘mov [addr], byte ‘H’’?
- It is important to note that [addr] references a label without an offset, so it is the first place of a string located at ‘addr’
- ‘H’ would be placed at the first place of the string located at ‘addr’
- For example, if ‘addr’ was created in the .data section as ‘addr db “yellow”’, the outcome would be “Hellow”
What would be the outcome of ‘mov [addr+5], byte ‘!’’?
- [addr+5] references the first position of ‘addr’ plus an offset of 5, so it is essentially the sixth place of the string stored at ‘addr’
- ‘!’ would be placed at the sixth position of the string located at ‘addr’
- For example, if ‘addr’ was created in the .data section as ‘addr db “Hellow”’, the outcome would be “Hello!”
How large is the value ‘db’? What are some possible example values?
- 1 byte, 8-bits
- db “string”, db 0xff, db 100
How large is the value ‘dw’? What are some possible example values?
- 2 bytes, 16-bits
- dw 0x1234, dw 1000
How large is the value ‘dd’? What are some possible example values?
- 4 bytes, 32-bits
- dd 0x12345678, dd 100000
What are the memory addresses of the Stack for a 32-bit system?
- [00]
- [04]
- [08]
- [12]
- [16]
- [20]
- [24]
- [28]
Where does the Stack pointer (ESP) start before any pushes and pops?
- The bottom of the Stack, [28]
If ESP = 28 and the instruction ‘push 1234’ is executed, where does 1234 go and what is the new value of ESP?
- 1234 goes to [24] and ESP = 24
If the Stack looks like the example below, what is the outcome if the instruction ‘pop eax’ is executed?
Before ‘pop eax’: ESP = 12
- [00] 0
- [04] 0
- [08] 0
- [12] 357
- [16] 246
- [20] 8765
- [24] 1234
- [28] 0
After ‘pop eax’: ESP = 16, EAX = 357
- [00] 0
- [04] 0
- [08] 0
- [12] 357
- [16] 246
- [20] 8765
- [24] 1234
- [28] 0
- Note: the value ‘357’ still resides at [12], even though it has been moved to EAX. ‘357’ will remain at [12] until that memory position of the Stack is overwritten with a new value