Assembly Language Basics


Bit - the smallest piece of data. It can be 0 or 1 (off or on).

Byte - a byte is 8 bits. It has a range of equivalent decimal values of 0 to 255.

Word - a word is two bytes together, or 16 bits.

Double Word - a double word is two words, or 32 bits.

Kilobyte - a kilobyte is 1024 (2^10) bytes.

Megabyte - a megabyte is 1,048,576 bytes (1024 x 1024).

Registers:

The 32-bit x86 registers are:

EAX - Extended Accumulator Register

EBX - Extended Base Register

ECX - Extended Counter Register

EDX - Extended Data Register

ESI - Extended Source Index

EDI - Extended Destination Index

EBP - Extended Base Pointer

ESP - Extended Stack Pointer

EIP - Extended Instruction Pointer

Flags

Flags are single bits that record the status of the last operation the CPU performed (for example, whether the result was zero). On 32-bit CPUs they live in the 32-bit EFLAGS register; not every one of its 32 bits is a defined flag, several are reserved. In our studies here, we will only need three of them: the Z flag, the O flag and the C flag.

A flag can only be SET (1) or NOT SET (0).

Z-Flag

The Z-flag (zero flag) is the most useful flag for cracking. It is used in about 90% of all cases. Arithmetic and logic instructions (add, sub, cmp, test, and, xor, ...) set it when the result of the operation is 0 and clear it otherwise; the classic check is a cmp or test followed by jz/je or jnz/jne.

O-Flag

The O-flag (overflow flag) is used in about 4% of all cracking attempts. It is set when a signed arithmetic operation produces a result that does not fit in the destination register, which shows up as the highest bit (the sign bit) of the result being wrong, for example 0x7FFFFFFF + 1 = 0x80000000.

C-Flag

The C-Flag (carry flag) is used in about 1% of all cracking attempts. It is set if you add a value to a register so that the unsigned result exceeds FFFFFFFF (a carry out of the top bit), or if you subtract a value so that the unsigned result would be less than zero (a borrow).
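As an added example (not code from the original post), here is a small Python model of how 32-bit add, sub and cmp set ZF, OF, CF, SF and PF, and how the conditional jumps a cracker looks for (jz/jnz, jb/jnb, jo, jl) read those bits. It also covers the parity flag from the EFLAGS table further down the page. The serial_check function and the values fed to it are constructed for illustration only.

```python
# Added example, not code from the original post: a small model of the x86
# status flags. Each function computes a 32-bit result the way the CPU does
# and returns the flags that result produces.
MASK32 = 0xFFFFFFFF


def to_signed(v):
    """Read a 32-bit pattern as a two's-complement signed integer."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def result_flags(r, carry, overflow):
    """Flags that depend only on the 32-bit result, plus CF/OF supplied by the caller."""
    return {
        "ZF": r == 0,                              # result is zero
        "SF": bool(r & 0x80000000),                # result is negative (bit 31 set)
        "PF": bin(r & 0xFF).count("1") % 2 == 0,   # even number of 1 bits in the low byte
        "CF": carry,
        "OF": overflow,
    }


def flags_add(a, b):
    """32-bit ADD a, b: returns (result, flags)."""
    full = (a & MASK32) + (b & MASK32)
    r = full & MASK32
    # CF: the unsigned result did not fit in 32 bits (carry out of bit 31).
    # OF: the signed result did not fit (the sign bit ended up wrong).
    return r, result_flags(r, full > MASK32,
                           to_signed(a) + to_signed(b) != to_signed(r))


def flags_sub(a, b):
    """32-bit SUB a, b: returns (result, flags). CMP is a SUB that keeps only the flags."""
    r = ((a & MASK32) - (b & MASK32)) & MASK32
    # CF: a borrow was needed, i.e. a < b as unsigned values.
    return r, result_flags(r, (a & MASK32) < (b & MASK32),
                           to_signed(a) - to_signed(b) != to_signed(r))


# Conditional jumps and the flag conditions they test.
JUMPS = {
    "jz": lambda f: f["ZF"],  "jnz": lambda f: not f["ZF"],        # same opcodes as je / jne
    "jb": lambda f: f["CF"],  "jnb": lambda f: not f["CF"],        # unsigned below / not below
    "jo": lambda f: f["OF"],  "jl": lambda f: f["SF"] != f["OF"],  # signed less than
}


def jump_taken(mnemonic, flags):
    return JUMPS[mnemonic](flags)


def serial_check(entered, expected):
    """Constructed stand-in for 'cmp eax, ebx ; jnz bad': 'good' only when equal."""
    _, f = flags_sub(entered, expected)
    return "bad" if jump_taken("jnz", f) else "good"


if __name__ == "__main__":
    for a, b in [(0xFFFFFFFF, 1), (0x7FFFFFFF, 1)]:
        r, f = flags_add(a, b)
        print(f"add {a:#010x}, {b:#x} -> {r:#010x} {f}")
    print(serial_check(0x1234, 0x1234), serial_check(0x1234, 0x4321))
```

The two add cases show the distinction the text draws: FFFFFFFF + 1 wraps to 0 and sets CF and ZF but not OF, while 7FFFFFFF + 1 sets OF and SF but not CF. Patching the jnz in the modelled serial check to a jz (or nop) is exactly the one-byte change a cracker makes, and the flag model shows why it works.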


Windows Memory Map:

Memory Layout

  • Stack - region of memory where data is added and removed in "last-in-first-out" (LIFO) order; holds return addresses, saved registers and local variables
  • Heap - region for dynamic memory allocation
  • Program Image - the PE executable mapped into memory
  • DLLs - loaded DLL images that the PE references through its imports
  • TEB - Thread Environment Block; one per thread, stores information about that thread (stack limits, thread ID, a pointer to the PEB)
  • PEB - Process Environment Block; one per process, stores information about the process such as the list of loaded modules and the image base




Opcodes and Instructions

Each instruction mnemonic assembles to one or more opcode bytes (shown in hex) that tell the CPU what to do next.

Three categories of instructions:

  • Data Movement/Access
  • Arithmetic / Logic
  • Control-Flow

Common Instructions

  • mov, lea (data movement, data access)
  • add, sub (arithmetic)
  • or, and, xor (Logic)
  • shr, shl (Logic)
  • ror, rol (Logic)
  • jmp, jne, jnz, jnb (Control Flow; jne and jnz are two names for the same opcode)
  • push, pop (stack data movement)
  • call, ret, enter, leave (Control Flow and stack-frame setup)

Example below is moving the 32-bit value stored at address 0xaaaaaaaa into ecx.

Instruction

mov ecx,[0xaaaaaaaa]

Opcode

8B 0D AA AA AA AA

8B is the MOV r32, r/m32 opcode; 0D is the ModRM byte (mod=00, reg=001 selecting ecx, rm=101 meaning "a 32-bit displacement follows"); the last four bytes are the address, stored little-endian. That byte order is invisible here only because every byte of the address is AA; an address of 0x12345678 would be encoded as 78 56 34 12.
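As an added example (not code from the original post), the following Python assembles and disassembles the "mov r32, [disp32]" form shown above, making the ModRM packing and the little-endian address visible. The register table and the function names are assumptions made for this example.

```python
# Added example, not code from the original post: assemble and disassemble the
# "mov r32, [disp32]" form (opcode 8B, ModRM mod=00 rm=101) shown on the page.
import struct

# The 3-bit reg field of a ModRM byte, in x86 encoding order.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def assemble_mov_r32_disp32(reg, addr):
    """mov <reg>, [addr]  ->  8B, ModRM(mod=00, reg, rm=101), disp32 little-endian."""
    if not 0 <= addr <= 0xFFFFFFFF:
        raise ValueError("address must fit in 32 bits")
    modrm = (0b00 << 6) | (REGS.index(reg) << 3) | 0b101
    # 'mov eax, [addr]' also has a shorter A1 moffs32 form that assemblers
    # prefer; 8B 05 is still a valid encoding of it.
    return bytes([0x8B, modrm]) + struct.pack("<I", addr)


def disassemble_mov_r32_disp32(code):
    """Inverse of assemble_mov_r32_disp32; rejects any other opcode or addressing form."""
    if len(code) < 6 or code[0] != 0x8B:
        raise ValueError("not a MOV r32, r/m32 instruction")
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 0b111, modrm & 0b111
    if mod != 0b00 or rm != 0b101:
        raise ValueError("ModRM does not select the [disp32] form")
    (addr,) = struct.unpack("<I", code[2:6])   # displacement is little-endian
    return f"mov {REGS[reg]},[0x{addr:08x}]"


if __name__ == "__main__":
    code = assemble_mov_r32_disp32("ecx", 0xAAAAAAAA)
    print(code.hex(" ").upper())                                        # 8B 0D AA AA AA AA
    print(assemble_mov_r32_disp32("ecx", 0x12345678).hex(" ").upper())  # 8B 0D 78 56 34 12
    print(disassemble_mov_r32_disp32(code))                             # mov ecx,[0xaaaaaaaa]
```

Changing only the reg field (0D -> 1D) turns the instruction into mov ebx,[...], which is why a one-byte patch in a disassembler can silently redirect a load to a different register.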

Registers

General-Purpose Registers [1]

EAX - Accumulator Register

EBX - Base Register

ECX - Counter Register

EDX - Data Register

ESI - Source Index

EDI - Destination Index

EBP - Base Pointer

ESP - Stack Pointer

Instruction Pointer

EIP - The EIP register contains the address of the next instruction to be executed.

Segment Registers

SS - Stack Segment, pointer to the stack

CS - Code Segment, pointer to the code

DS - Data Segment, pointer to the data

ES - Extra Segment, pointer to extra data

FS - F Segment, pointer to more extra data

GS - G Segment, pointer to still more extra data

In 32-bit Windows user mode the segment model is flat (CS, DS, SS and ES all have a base address of 0), so these registers rarely matter except for FS: its base is the current thread's TEB, which is why code reads FS:[0x18] to get the TEB and FS:[0x30] to get the PEB. On 64-bit Windows, GS plays that role instead.

EFLAGS Register

CF - Carry Flag: set if the last arithmetic operation carried (addition) or borrowed (subtraction) a bit beyond the size of the register. It is then read by add-with-carry (adc) or subtract-with-borrow (sbb) to handle values too large for one register to contain.

PF - Parity Flag: set if the number of 1 bits in the least significant byte of the result is even.

AF - Adjust Flag (auxiliary carry): set on a carry or borrow out of bit 3; used by the binary-coded decimal (BCD) adjust instructions.

ZF - Zero Flag: set if the result of an operation is zero (0).

SF - Sign Flag: set if the result of an operation is negative (its most significant bit is 1).

TF - Trap Flag: when set, the CPU raises a debug exception after every instruction; debuggers use it to single-step.

IF - Interrupt Flag: set if maskable hardware interrupts are enabled.

DF - Direction Flag: stream direction for the string instructions (movs, stos, lods, scas, cmps). If set, they decrement ESI/EDI rather than incrementing them, processing memory backwards.

OF - Overflow Flag: set if a signed arithmetic operation produced a result too large (or too small) to fit in the register.

IOPL - I/O Privilege Level field (2 bits): I/O privilege level of the currently running program or task.

NT - Nested Task flag: set when the current task is nested within another task (hardware task switching); it controls how iret returns.

RF - Resume Flag: when set, temporarily suppresses instruction-breakpoint debug exceptions so an instruction can be restarted after a debug exception.

VM - Virtual-8086 Mode: set if in Virtual-8086 (8086 compatibility) mode.

AC - Alignment Check: when set (together with CR0.AM), unaligned memory references at privilege level 3 raise an alignment-check exception.

VIF - Virtual Interrupt Flag: virtual image of IF, used by the virtual-mode extensions.

VIP - Virtual Interrupt Pending flag: set if a virtual interrupt is pending.

ID - Identification Flag: if software can toggle this bit, the CPU supports the CPUID instruction.


