Part 1: The Basics

Question 1

Immunity Debugger: What is the top-left pane, and what does it display

Answer 1

CPU Instructions

The CPU Instructions – displays the memory address, opcode and assembly instructions, additional comments, function names and other information related to the CPU instructions

Question 2

Immunity Debugger: What is the bottom-left pane, and what does it display

Answer 2

Memory Dump

The Memory Dump – shows the contents of the application’s memory

Question 3

Immunity Debugger: What is the top-right pane, and what does it display

Answer 3

Registers

The Registers – displays the contents of the general purpose registers, instruction pointer, and flags associated with the current state of the application.

Question 4

Immunity Debugger: What is the bottom-right pane, and what does it display

Answer 4

Stack

The Stack – shows the contents of the current stack

Question 5

There are 8 general-purpose registers in the x86 architecture, what are they?

Answer 5

EAX, EBX, ECX, EDX, EDI, ESI, EBP, and ESP

Question 6

What is EAX

Answer 6

The Accumulator Register.

it’s the primary register used for common calculations (such as ADD and SUB).

EAX has been given preferential status by assigning it more efficient, one-byte opcodes. Such efficiency can be important when it comes to writing exploit shellcode for a limited available buffer space

EAX is also used to store the return value of a function.

Question 7

EAX refers to the 32-bit register in its entirety. {BLANK1} refers to the least significant 16 bits which can be further broken down into {BLANK2} (the 8 most significant bits of (2)) and {BLANK3} (the 8 least significant bits).

This same whole/partial 32-, 16-, and 8-bit referencing also applies to the next three registers (EBX, ECX, and EDX)

Answer 7

1: AX
2. AH
3. AL

Question 8

What is EBX

Answer 8

The Base Register.

In 32-bit architecture, EBX doesn’t really have a special purpose so just think of it as a catch-all for available storage. Like EAX, it can be referenced in whole (EBX) or in part (BX, BH, BL).

Question 9

What is ECX

Answer 9

The Counter Register.

As its name implies, the counter (or count) register is frequently used as a loop and function repetition counter, though it can also be used to store any data.

Like EAX, it can be referenced in whole (ECX) or in part (CX, CH, CL).

Question 10

What is EDX

Answer 10

The Data Register

EDX is kind of like a partner register to EAX. It’s often used in mathematical operations like division and multiplication to deal with overflow where the most significant bits would be stored in EDX and the least significant in EAX. It is also commonly used for storing function variables.

Like EAX, it can be referenced in whole (EDX) or in part (DX, DH, DL).

Question 11

What is ESI

Answer 11

The Source Index

The counterpart to EDI, ESI is often used to store the pointer to a read location. For example, if a function is designed to read a string, ESI would hold the pointer to the location of that string.

Question 12

What is EDI

Answer 12

The Destination Index

Though it can be (and is) used for general data storage, EDI was primarily designed to store the storage pointers of functions, such as the write address of a string operation.

Question 13

What is EBP

Answer 13

The Base Pointer

EBP is used to keep track of the base/bottom of the stack. It is often used to reference variables located on the stack by using an offset to the current value of EBP, though if parameters are only referenced by register, you may choose to use EBP for general use purposes.

Question 14

What is ESP

Answer 14

The Stack Pointer

ESP is used to track the top of the stack. As items are moved to and from the stack ESP increments/decrements accordingly.

Of all of the general purpose registers, ESP is rarely/never used for anything other than it’s intended purpose.

Question 15

What is EIP

Answer 15

The Instruction Pointer

Not a general purpose register, but fitting to cover here,

EIP points to the memory address of the next instruction to be executed by the CPU.

Control the value of EIP and you can control the execution flow of the application (to execute code of your choosing).

Question 16

What is the Segment Registers and EFLAGS register

Answer 16

There are two additional registers you’ll see in the Register pane, the Segment Register and EFLAGS register. I won’t cover either in detail but note that the EFLAGS register is comprised of a series of flags that represent Boolean values resulting from calculations and comparisons and can be used to determine when/if to take conditional jumps (more on these later).

Question 17

Memory Dump: How do you view the content of a memory location. where in the panel is it?

Answer 17

For example: let’s say you want to view the contents of memory at ESP.

Right-click on ESP, select “Follow in Dump” and the Memory Dump pane will display that location

Bottom left panel.

Question 18

How can you view each Assembly instruction (and corresponding opcode) being processed by the CPU within the CPU Instruction Pane?

Where is the CPU Instruction Pane?

Answer 18

You can step through the execution flow of the program one at a time (F7) and see the result of each CPU instruction.

Top-left pane.

Question 19

What is:

ADD/SUB op1, op2

Answer 19

add or subtract two operands, storing the result in the first operand. These can be registers, memory locations (limit of one) or constants.

For example, ADD EAX, 10 means add 10 to the value of EAX and store the result in EAX

Question 20

What is:

XOR EAX, EAX

Answer 20

Performing an ‘exclusive or’ of a register with itself sets its value to zero; an easy way of clearing the contents of a register

Question 21

What is:

INC/DEC op1

Answer 21

increment or decrement the value of the operand by one

Question 22

What is:

CMP op1, op2

Answer 22

compare the value of two operands (register/memory address/constant) and set the appropriate EFLAGS value.

Question 23

What is:

Jump (JMP) and conditional jump (je, jz, etc)

Answer 23

as the name implies these instructions allow you to jump to another location in the execution flow/instruction set. The JMP instruction simply jumps to a location whereas the conditional jumps (je, jz, etc) are taken only if certain criteria are met (using the EFLAGS register values mentioned earlier). For example, you might compare the values of two registers and jump to a location if they are both equal (uses je instruction and zero flag (zf) = 1).

Question 24

When you see a value in brackets such as ADD DWORD PTR [X] or MOV eax, [ebx] it is referring to the value stored in ________ ?

Answer 24

When you see a value in brackets such as ADD DWORD PTR [X] or MOV eax, [ebx] it is referring to the value stored at memory address X.

In other words, EBX refers to the contents of EBX whereas [EBX] refers to the value stored at the memory address in EBX.

Question 25

BYTE = _ byte(s)
WORD = _ byte(s)
DWORD = _ byte(s)

Answer 25

BYTE = 1 byte, 
WORD = 2 bytes, 
DWORD = 4 bytes.