securedorg.github.io/fundamentals3.md

layout, permalink, title

layout	permalink	title
default	/RE101/section1.3/	Fundamentals

Go Back to Reverse Engineering Malware 101

Section 1.3: Fundamentals

x86 Assembly Language

The C programming is a high level language interpreted by the compiler that converts code into machine instructions called assembly language. By using a disassembler tool we can get the assembly language of a compiled C program.

The Intel 8086 and 8088 were the first CPUs to have an instruction set that is now commonly referred to as x86. Intel Architecture 32-bit (IA-32) sometimes also called i386 is the 32-bit version of the x86 instruction set architecture.

The x86 architecture is little-endian, meaning that multi-byte values are written least significant byte first.

How we see it:

| A0 | A1 | A2 | A3 |

Stored as Little Endian

| A3 | A2 | A1 | A0 |

---

Opcodes and Instructions

Each Instruction represents opcodes (hex code) that tell the machine what to do next.

Three categories of instructions:

• Data Movement/Access
• Arithmetic / Logic
• Control-Flow

Common Instructions

• mov, lea (data movement, data access)
• add, sub (arithmetic)
• or, and, xor (Logic)
• shr, shl (Logic)
• ror, rol (Logic)
• jmp, jne, jnz, jnb (Control Flow)
• push, pop, call, leave, enter, ret (Control Flow)

Example below is moving value at 0xaaaaaaaa into ecx.

Instruction	Opcode
mov ecx,[0xaaaaaaaa];	8B 0D AA AA AA AA

Use the search page below or open the Search Instructions page to search for functions discussed above

---

Registers

The image below is what registers will look like in a debugger.

General-Purpose Registers [1]1

Register	Description
EAX	Accumulator Register
EBX	Base Register
ECX	Counter Register
EDX	Data Register
ESI	Source Index
EDI	Destination Index
EBP	Base Pointer
ESP	Stack Pointer

Segment Registers

Register	Description
SS	Stack Segment, Pointer to the stack
CS	Code Segment, Pointer to the code
DS	Data Segment, Pointer to the data
ES	Extra Segment, Pointer to extra data
FS	F Segment, Pointer to more extra data
GS	G Segment, Pointer to still more extra data

EFLAGS Register

ID	Name	Description
CF	Carry Flag	Set if the last arithmetic operation carried (addition) or borrowed (subtraction) a bit beyond the size of the register. This is then checked when the operation is followed with an add-with-carry or subtract-with-borrow to deal with values too large for just one register to contain
PF	Parity Flag	Set if the number of set bits in the least significant byte is a multiple of 2
AF	Adjust Flag	Carry of Binary Code Decimal (BCD) numbers arithmetic operations
ZF	Zero Flag	Set if the result of an operation is Zero (0)
SF	Sign Flag	Set if the result of an operation is negative
TF	Trap Flag	Set if step by step debugging
IF	Interruption Flag	Set if interrupts are enabled
DF	Direction Flag	Stream direction. If set, string operations will decrement their pointer rather than incrementing it, reading memory backwards
OF	Overflow Flag	Set if signed arithmetic operations result in a value too large for the register to contain
IOPL	I/O Privilege Level field (2 bits)	I/O Privilege Level of the current process
NT	Nested Task flag	Controls chaining of interrupts. Set if the current process is linked to the next process
RF	Resume Flag	Response to debug exceptions
VM	Virtual-8086 Mode	Set if in 8086 compatibility mode
AC	Alignment Check	Set if alignment checking of memory references is done
VIF	Virtual Interrupt Flag	Virtual image of IF
VIP	Virtual Interrupt Pending flag	Set if an interrupt is pending
ID	Identification Flag	Support for CPUID instruction if can be set

Instruction Pointer

The EIP register contains the address of the next instruction to be executed.

---

Hello World

Click Image to Enlarge

Calling a Function

Arguments on the Stack

Click Image to Enlarge

Local Variables on the Stack

Click Image to Enlarge

Anatomy of PE <- Back | Next -> Section 2