Hosted on BuenasTareas, published 14 July 2010 (15 pages, 3562 words). Text preview follows.
Assembler: The Basics In Reversing

Indeed: the basics!! This is all far from complete, but it covers about everything you need to know about assembler to start on your reversing journey! Assembler is the start and the end of all programming languages. After all, all (computer LOL) languages are translated to assembler. In most languages we deal with relatively clear syntaxes. However, it's a completely different story in assembler, where we use abbreviations and numbers and where it all seems so weird …

I. Pieces, bits and bytes:

• BIT - The smallest possible piece of data. It can be either a 0 or a 1. If you put a bunch of bits together, you end up in the 'binary number system'.

i.e. 00000001 = 1, 00000010 = 2, 00000011 = 3, etc.

• BYTE - A byte consists of 8 bits. It can have a maximal value of 255 (0-255). To make it easier to read binary numbers, we use the 'hexadecimal number system'. It's a 'base-16 system', while binary is a 'base-2 system'.

• WORD - A word is just 2 bytes put together or 16 bits. A word can have a maximal value of 0FFFFh (or 65535d).

• DOUBLE WORD - A double word is 2 words together or 32 bits. Max value = 0FFFFFFFFh (or 4294967295d).

• KILOBYTE - 1000 bytes? No, a kilobyte does NOT equal 1000 bytes! Actually, there are 1024 (32*32) bytes.

• MEGABYTE - Again, not just 1 million bytes, but 1024*1024 or 1,048,576 bytes.
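To tie section I together, here is an added C example (my own code, not from the original tutorial) that computes the limits named above: the maximum unsigned value of a byte, word and double word, a small base-2 parser for strings such as 00000011, the binary-to-hex relationship (one hex digit stands for exactly four bits), and the 1024-based kilobyte and megabyte. All function and macro names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes from the text: a byte is 8 bits, a word 16, a double word 32. */
enum { BYTE_BITS = 8, WORD_BITS = 16, DWORD_BITS = 32 };

/* Binary prefixes as the text defines them: 1 KB = 1024 bytes, 1 MB = 1024*1024. */
#define KILOBYTE 1024ULL
#define MEGABYTE (1024ULL * 1024ULL)

/* Largest unsigned value that fits in `bits` bits: 255, 0FFFFh, 0FFFFFFFFh, ... */
uint64_t max_unsigned(unsigned bits) {
    if (bits == 0) return 0;
    if (bits >= 64) return UINT64_MAX;          /* never shift by >= the type width */
    return (UINT64_C(1) << bits) - 1;
}

/* Parse a string of '0'/'1' digits (base 2). Returns -1 for an empty string,
   a non-binary character, or a value of 2^63 or more; otherwise the value. */
int64_t parse_binary(const char *s) {
    if (s == NULL || *s == '\0') return -1;
    uint64_t v = 0;
    for (; *s != '\0'; s++) {
        if (*s != '0' && *s != '1') return -1;
        if (v >> 62) return -1;                 /* next shift would reach bit 63 */
        v = (v << 1) | (uint64_t)(*s - '0');
    }
    return (int64_t)v;
}

/* Write `v` as `width` (<= 64) binary digits, most significant first, into buf,
   which must have room for width+1 characters. Returns buf. */
char *to_binary(uint64_t v, unsigned width, char *buf) {
    for (unsigned i = 0; i < width; i++)
        buf[i] = ((v >> (width - 1 - i)) & 1) ? '1' : '0';
    buf[width] = '\0';
    return buf;
}

/* One hex digit stands for exactly four bits (16 = 2^4), which is why hex is
   the compact way to read binary: a byte is 2 hex digits, a word 4, a dword 8. */
unsigned hex_digits(unsigned bits) { return (bits + 3) / 4; }

int main(void) {
    char buf[65];
    const unsigned sizes[] = { BYTE_BITS, WORD_BITS, DWORD_BITS };
    const char *names[] = { "BYTE", "WORD", "DWORD" };

    for (int i = 0; i < 3; i++) {
        unsigned long long m = (unsigned long long)max_unsigned(sizes[i]);
        printf("%-5s %2u bits  max %10llu = %0*llXh  (%u hex digits)\n",
               names[i], sizes[i], m, (int)hex_digits(sizes[i]), m, hex_digits(sizes[i]));
    }
    printf("00000011b = %lld\n", (long long)parse_binary("00000011"));
    printf("255 = %sb\n", to_binary(255, BYTE_BITS, buf));
    printf("1 KB = %llu bytes, 1 MB = %llu bytes\n",
           (unsigned long long)KILOBYTE, (unsigned long long)MEGABYTE);
    return 0;
}
```

Compile with `cc -std=c99 -Wall basics.c && ./a.out`. The parser rejects anything that is not a 0 or 1 rather than silently stopping, which is the behaviour you want when converting values copied out of a debugger.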


II. Registers:

Registers are “special places” in your computer's memory where we can store data. You can see a register as a little box, wherein we can store something: a name, a number, a sentence. You can see a register as a placeholder.

On today’s average WinTel CPU you have 9 32bit registers (w/o flag registers). Their names are:

EAX: Extended Accumulator Register
EBX: Extended Base Register
ECX: Extended Counter Register
EDX: Extended Data Register
ESI: Extended Source Index
EDI: Extended Destination Index
EBP: Extended Base Pointer
ESP: Extended Stack Pointer
EIP: Extended Instruction Pointer

Generally the size of the registers is 32bit (=4 bytes). They can hold data from 0-FFFFFFFF (unsigned). In the beginning most registers had certain main functions which the names imply, like ECX = Counter, but these days you can - nearly - use whichever register you like for a counter or similar purposes (only for your own loops, though: there are counter instructions which must be used with ECX). The functions of EAX, EBX, ECX, EDX, ESI and EDI will be explained when I explain certain instructions that use those registers. So, there are EBP, ESP and EIP left:

EBP: EBP has mostly to do with the stack and stack frames. Nothing you really need to worry about when you start. ;)

ESP: ESP points to the stack of the current process. The stack is the place where data can be stored for later use (for more information, see the explanation of the push/pop instructions).

EIP: EIP always points to the next instruction that is to be executed.

There's one more thing you have to know about registers: although they are all 32bits large, some parts of them (16bit or even 8bit) can be addressed directly.

The possibilities are:

32bit Register    16bit Register    8bit Register
ESI               SI                -----
EDI               DI                -----
EBP               BP                -----
ESP               SP                -----
EIP               IP                -----

A register looks generally this way:

|--------------------------- EAX: 32bit (=1 DWORD =4BYTES) -------------------------|

|------- AX: 16bit (=1 WORD =2 BYTES) ----|...
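As an added C example (my own code, not part of the original tutorial), here is a model of how the 16-bit and 8-bit sub-registers alias the low bits of a 32-bit register. The 8-bit names AL/AH, BL/BH, CL/CH and DL/DH do not appear in the excerpt above; they are the standard x86 names for the low and high halves of AX, BX, CX and DX, and the index and pointer registers (ESI, EDI, EBP, ESP, EIP) have no such 8-bit part, as the table's "-----" column shows. The masking functions make the point a reverser cares about: an instruction that writes AX or AL changes only those bits, and bits 16-31 of EAX are left as they were, so a 32-bit value seen in a debugger may be half stale. Enum and function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The nine 32-bit registers named in the text, in the text's order. */
typedef enum { EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP, EIP, REG_COUNT } reg_t;

static const char *const NAME32[REG_COUNT] =
    { "EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP", "ESP", "EIP" };
static const char *const NAME16[REG_COUNT] =
    { "AX", "BX", "CX", "DX", "SI", "DI", "BP", "SP", "IP" };

/* Only EAX..EDX expose 8-bit halves of their 16-bit part (AL/AH, BL/BH, ...);
   the index and pointer registers do not (the "-----" column in the table). */
int has_byte_parts(reg_t r) { return r <= EDX; }

/* Sub-register views of a 32-bit value, written as masks and shifts rather than
   a union so the result does not depend on the host's byte order. */
uint16_t low16(uint32_t e) { return (uint16_t)(e & 0xFFFFu); }          /* AX from EAX */
uint8_t  low8 (uint32_t e) { return (uint8_t)(e & 0xFFu); }            /* AL from EAX */
uint8_t  high8(uint32_t e) { return (uint8_t)((e >> 8) & 0xFFu); }     /* AH from EAX */

/* Writing a sub-register (e.g. MOV AX, 1234h or MOV AL, 12h) replaces only its
   own bits; every other bit of the 32-bit register keeps its previous value. */
uint32_t write_low16(uint32_t e, uint16_t v) { return (e & 0xFFFF0000u) | v; }
uint32_t write_low8 (uint32_t e, uint8_t v)  { return (e & 0xFFFFFF00u) | v; }
uint32_t write_high8(uint32_t e, uint8_t v)  { return (e & 0xFFFF00FFu) | ((uint32_t)v << 8); }

/* Name of the 8-bit sub-register ("AL"/"AH" etc.) written into buf, or NULL
   when the register has none. buf needs room for 3 characters. */
const char *name8(reg_t r, int high, char *buf, size_t n) {
    if (!has_byte_parts(r)) return NULL;
    snprintf(buf, n, "%c%c", NAME16[r][0], high ? 'H' : 'L');  /* "A" + 'L'/'H' */
    return buf;
}

int main(void) {
    char lo[4], hi[4];
    printf("%-6s %-6s %-6s %-6s\n", "32bit", "16bit", "8bit-L", "8bit-H");
    for (int r = 0; r < REG_COUNT; r++) {
        const char *l = name8((reg_t)r, 0, lo, sizeof lo);
        const char *h = name8((reg_t)r, 1, hi, sizeof hi);
        printf("%-6s %-6s %-6s %-6s\n", NAME32[r], NAME16[r],
               l ? l : "-----", h ? h : "-----");
    }

    /* Constructed sample value: EAX = 12345678h, then MOV AX, 0ABCDh and MOV AL, 0EEh. */
    uint32_t eax = 0x12345678u;
    printf("EAX=%08X AX=%04X AL=%02X AH=%02X\n", eax, low16(eax), low8(eax), high8(eax));
    eax = write_low16(eax, 0xABCD);
    printf("after MOV AX,0ABCDh: EAX=%08X (upper half untouched)\n", eax);
    eax = write_low8(eax, 0xEE);
    printf("after MOV AL,0EEh:   EAX=%08X\n", eax);
    return 0;
}
```

The table the program prints is the complete version of the one in the text, with the 8-bit columns filled in for EAX through EDX. The example stays with the 32-bit view the text describes; it says nothing about what a 32-bit write does to a 64-bit register, which is a separate topic.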