SLAE

Question 1

EAX

Answer 1

Accumulator Register

• Used for common calculations such as ADD and SUB.
• Used to store a return value of a function.
• EAX refers to the 32-bit register in its entirety.
• AX refers to the least significant 16 bits.
• AH: the 8 most significant bits of AX
• AL: the 8 least significant bits of AX

Question 2

EBX

Answer 2

Base Register

• Does not have a special purpose.
• A catch-all for available storage.
• Can be referenced in whole (EBX), or in part (BX, BA, BL)

Question 3

ECX

Answer 3

Counter Register

• The counter or count register, used as a loop and function repetition counter.
• Can also be used to store any data.
• Like EAX, it can be referenced in whole (ECX) or in part (CX, CH, CL).

Question 4

EDX

Answer 4

Data Register

• Like a partner register to EAX.
• Often used in mathematical operations like division and multiplication, to deal with overflow where the most significant bits would be stored in EDX and the least significant in EAX.
• Also commonly used for storing function variables.
• Like EAX, it can be referenced in whole (EDX) or in part (DX, DH, DL)

Question 5

ESI

Answer 5

Source Index

• Used to store the pointer to a read location.
• If a function is designed to read a string, ESI would hold the pointer to the location of that string.

Question 6

EDI

Answer 6

Destination Index

• Can be (and is) used for general data storage.
• Primarily designed to store the storage pointers of functions, such as the write address of a string operation.

Question 7

EBP

Answer 7

Base Pointer

• Used to keep track of the base/bottom of the stack.
• Often used to reference variables located on the stack by using an offset to the current value of EBP, though if parameters are only referenced by register, you may choose to use EBP for general use purposes.

Question 8

ESP

Answer 8

Stack Pointer

• Used to keep track of the top of the stack.
• As items are moved to and from the stack, ESP increments/decrements accordingly.
• Of all the general purpose registers, ESP is rarely/never used for anything other than it’s intended purpose.

Question 9

EIP

Answer 9

Instruction Pointer

• Points to the memory address of the next instruction to be executed by the CPU.
• Control the value of EIP and you control the execution flow of the application (to execute code of your choosing.)

Question 10

ADD/SUB op1, op2

Answer 10

add or subtract two operands, storing the result in the first operand. These can be registers, memory locations (limit of one) or constants. For example, ADD EAX, 10 means add 10 to the value of EAX and store the result in EAX

Question 11

XOR EAX, EAX

Answer 11

Performing an ‘exclusive or’ of a register with itself sets its value to zero; an easy way of clearing the contents of a register

Question 12

INC/DEC op1

Answer 12

increment or decrement the value of the operand by one

Question 13

CMP op1, op2

Answer 13

compare the value of two operands (register/memory address/constant) and set the appropriate EFLAGS value

Question 14

Jump (JMP) and conditional jump (je, jz, etc)

Answer 14

as the name implies these instructions allow you to jump to another location in the execution flow/instruction set. The JMP instruction simply jumps to a location whereas the conditional jumps (je, jz, etc) are taken only if certain criteria are met (using the EFLAGS register values mentioned earlier). For example, you might compare the values of two registers and jump to a location if they are both equal (uses je instruction and zero flag (zf) = 1).

Question 15

ADD DWORD PTR [X] or MOV eax, [ebx]

Answer 15

Referring to the value stored at memory address X. In other words, EBX refers to the contents of EBX whereas [EBX] refers to the value stored at the memory address in EBX.

Question 16

Relevant size keywords

BYTE, WORD, DWORD

Answer 16

Relevant size keywords

BYTE = 1 byte
WORD = 2 bytes
DWORD = 4 bytes

Question 17

Kernal Land (Memory Stack)

Answer 17

Reserved by the OS for device drivers, system cache, paged/non-paged pool, HAL, etc. There is no user access to this portion of memory.

Question 18

PEB (Process Environment Block)

Answer 18

• Resides in user-accessible memory. (When you run a program/application, an instance of that executable known as a process is run. Each process provides the resources necessary to run an instance of that program. Every Windows process has an executive process (EPROCESS) structure that contains process attributes and pointers to related data structures.)
• Examine the contents of PEB by issuing the !peb command.
• The PEB includes information such as the base address of the image (executable), the location of the heap, the loaded modules (DLLs), and Environment variables (Operating system, relevant paths, etc).

Question 19

TEB (Thread Environment Block)

Answer 19

• A program, or process, can have one or more threads which serve as the basic unit to which the operating system allocates processor time. Each process begins with a single thread (primary thread) but can create additional threads as needed. All of the threads share the same virtual address space and system resources allocated to the parent process. Each thread also has its own resources including exception handlers, priorities, local storage, etc
• Just like each program/process has a PEB, each thread has a Thread Environment Block (TEB). The TEB stores context information for the image loader and various Windows DLLs, as well as the location for the exception handler list
• Like the PEB, the TEB resides in the process address space since user-mode components require writable access

Question 20

DLL (Dynamic Link Libraries)

Answer 20

• Shared code libraries which allow for effecient code reuse and memory allocation.
• Known as executable modules, they occupy a portion of the memory space.

Question 21

Heap

Answer 21

• Dynamically allocated (e.g. malloc()) portion of memory a program uses to store global variables.
• Must be managed by the application.
• The memory will remain allocated until it is freed by the program or the program itself terminates.
• Think of it as a shared pool of memory.

Question 22

The Stack

Answer 22

• The stack is used to allocate short-term storage for local (function/method) variables in an ordered manner and that memory is subsequently freed at the termination of the given function.
• Each thread/function is allocated its own stack frame. The size of that stack frame is fixed after creation and the stack frame is deleted at the conclusion of the function.

Question 23

PUSH and POP

Answer 23

• The stack is a last-in first-out (LIFO) structure meaning the last item you put on the stack is the first item you take off. You “push” items onto the top of the stack and you “pop” items off of the top of the stack.

Question 24

System Calls

Answer 24

Leverage OS for tasks. Provides a simple interface for userspace programs to the Kernel.

Imagine if you had to write code from scratch to:

• write to disk
• print on screen
• etc…

Question 25

What are Mechanisms to invoke System Calls?

Answer 25

• int 0x80
• SYSENTER
• Modern implementations using VDSO [Virtual Dynamic Shared Object]

Question 26

Where can you find System call numbers on a linux distro?

Answer 26

/usr/include/i386-linux-gnu/asm/unistd_32.h

Question 27

How do you compile an asm file?

Answer 27

nasm -f elf32 -o (name-of-output-file) (name-of-asm-file)

Question 28

How do you compile an object file?

Answer 28

ld -o (name-of-output-file) (name-of-object-file)

Question 29

define hook-stop

Answer 29

Define’s conditions used to print the values of variables as you step through the program.

example: 
> define hook-stop
> print/x $eax
> print/x $ebx
> disassemble $eip,+10
> x/8xb &sample

Question 30

‘nexti’ command in gdb

Answer 30

steps through a program one command at a time. Simple run the command once and press enter to step through each command.

Question 31

‘display’ command in gdb

Answer 31

Use this to display output or value of variables prior to setting a breakpoint and running the program.

example:
> display/x $eax
> display/x $ebx
> display/x $ecx
> break _start
> run

The output will show the values of each register every time the breakpoint is hit.