09-11-2006, 06:08 PM
MeTi
Member
Join Date: Sep 2006
Posts: 94

II. The flags:

Flags are single bits which indicate the status of something. The flag register on modern 32-bit CPUs is 32 bits wide. There are 32 different flags, but don't worry: you will mostly only need 3 of them in reversing, the Z-Flag, the O-Flag and the C-Flag. For reversing you need to know these flags to understand whether a jump is executed or not. This register is in fact a collection of different 1-bit flags. A flag is a sign, just like a green light means 'ok' and a red one 'not ok'. A flag can only be '0' or '1', meaning 'not set' or 'set'.

• The Z-Flag:
o The Z-Flag (zero flag). It can be set (status: 1) or cleared (status: 0) by several opcodes; it is set when the last instruction that was performed has 0 as result. You might wonder why "CMP" (more on this later) could set the zero flag, because it compares something - how can the result of the comparison be 0? The answer to this comes later.

• The O-Flag:
o The O-Flag (overflow flag). It is set (status: 1) when the last operation changed the highest bit of the register that gets the result of an operation. For example: EAX holds the value 7FFFFFFF. If you now use an operation which increases EAX by 1, the O-Flag would be set, because the operation changed the highest bit of EAX (which is not set in 7FFFFFFF, but set in 80000000 - use calc.exe to convert hexadecimal values to binary values). Another need for the O-Flag to be set is that the value of the destination register is neither 0 before the instruction nor after it.

• The C-Flag:
o The C-Flag (carry flag). It is set if you add a value to a register so that it gets bigger than FFFFFFFF, or if you subtract a value so that the register value gets smaller than 0.


---------------------------------------------------------------------------------------------


IV. Segments and offsets

A segment is a piece of memory where instructions (CS), data (DS), the stack (SS) or just extra data (ES) are stored. Every segment is divided into 'offsets'. In 32-bit applications (Windows 95/98/ME/2000), these offsets are numbered from 00000000 to FFFFFFFF: 65536 pieces of memory, thus 65536 memory addresses per segment. The standard notation for segments and offsets is:

SEGMENT : OFFSET = Together, they point to a specific place (address) in memory.

See it like this:

A segment is a page in a book; an offset is a specific line on that page.


---------------------------------------------------------------------------------------------


V. The stack:

The stack is a part of memory where you can store different things for later use. See it as a pile of books in a chest, where the last one put in is the first one to grab out. Or imagine the stack as a paper basket where you put in sheets. The basket is the stack and a sheet is a memory address (indicated by the stack pointer) in that stack segment. Remember the following rule: the last sheet of paper you put in the stack is the first one you'll take out! The command 'push' saves the contents of a register onto the stack. The command 'pop' grabs the last saved contents of a register from the stack and puts it in a specific register.


---------------------------------------------------------------------------------------------


VI. INSTRUCTIONS (alphabetical)

Please note that all values in ASM mnemonics (instructions) are *always* hexadecimal.


Most instructions have two operators (like "add EAX, EBX"), but some have one ("not EAX") or even three ("IMUL EAX, EDX, 64"). When you have an instruction that says something with "DWORD PTR [XXX]", then the DWORD (4 byte) value at memory offset [XXX] is meant. Note that the bytes are saved in reverse order in memory (WinTel CPUs use the so-called "Little Endian" format). The same goes for "WORD PTR [XXX]" (2 byte) and "BYTE PTR [XXX]" (1 byte).

Most instructions with 2 operators can be used in the following ways (example: add):

add eax,ebx ;; Register, Register
add eax,123 ;; Register, Value
add eax,dword ptr [404000] ;; Register, Dword Pointer [value]
add eax,dword ptr [eax] ;; Register, Dword Pointer [register]
add eax,dword ptr [eax+00404000] ;; Register, Dword Pointer [register+value]
add dword ptr [404000],eax ;; Dword Pointer [value], Register
add dword ptr [404000],123 ;; Dword Pointer [value], Value
add dword ptr [eax],eax ;; Dword Pointer [register], Register
add dword ptr [eax],123 ;; Dword Pointer [register], Value
add dword ptr [eax+404000],eax ;; Dword Pointer [register+value], Register
add dword ptr [eax+404000],123 ;; Dword Pointer [register+value], value

---------------------------------------------------------------------------------------------

ADD (Addition)
Syntax: ADD destination, source

The ADD instruction adds a value to a register or a memory address. It can be used in these ways:

This instruction can set the Z-Flag, the O-Flag and the C-Flag (and some others, which are not needed for cracking).

---------------------------------------------------------------------------------------------

AND (Logical And)
Syntax: AND destination, source

The AND instruction uses a logical AND on two values.
This instruction *will* clear the O-Flag and the C-Flag and can set the Z-Flag.
To understand AND better, consider these two binary values:

1001010110
0101001101

If you AND them, the result is 0001000100.
When two 1s stand below each other, the result of this bit is 1; if not, the result is 0. You can use calc.exe to calculate AND easily.
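As an added illustration, not part of MeTi's post, here is a small C model that ties the sections above together: ADD, SUB and AND computing the Z-, O- and C-Flags, a little-endian "DWORD PTR [offset]" read, and a push/pop stack that gives back the last value pushed first. The struct and function names (alu_result, alu_add, read_dword_ptr, stack_model, ...) are my own, and the 64-byte stack segment and the memory bytes are constructed sample data. The O-Flag rule used is the standard signed-overflow definition (both inputs have the same sign, the result has the other), which reproduces the post's 7FFFFFFF + 1 example; the flag bit positions are those of the real EFLAGS register.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bit positions of the three flags inside the 32-bit EFLAGS register. */
#define CF (1u << 0)    /* carry: unsigned result did not fit in 32 bits */
#define ZF (1u << 6)    /* zero: result was exactly 0 */
#define OF (1u << 11)   /* overflow: signed result did not fit in 32 bits */

/* Outcome of one simulated instruction (hypothetical struct, not a CPU structure). */
typedef struct { uint32_t value; uint32_t flags; } alu_result;

/* ADD dst, src */
alu_result alu_add(uint32_t dst, uint32_t src) {
    alu_result r = {0, 0};
    uint64_t wide = (uint64_t)dst + (uint64_t)src;   /* carry-out lands in bit 32 */
    r.value = (uint32_t)wide;
    if (wide >> 32)   r.flags |= CF;                  /* grew past FFFFFFFF */
    if (r.value == 0) r.flags |= ZF;
    /* signed overflow: both inputs had the same sign, the result has the other one */
    if (((dst ^ r.value) & (src ^ r.value)) >> 31) r.flags |= OF;
    return r;
}

/* SUB dst, src (CMP sets the same flags and discards the value) */
alu_result alu_sub(uint32_t dst, uint32_t src) {
    alu_result r = {dst - src, 0};                    /* wraps modulo 2^32 */
    if (dst < src)    r.flags |= CF;                  /* borrow: went below 0 */
    if (r.value == 0) r.flags |= ZF;
    /* signed overflow: inputs had different signs, result's sign differs from dst */
    if (((dst ^ src) & (dst ^ r.value)) >> 31) r.flags |= OF;
    return r;
}

/* AND dst, src: CF and OF are always cleared, only ZF depends on the result */
alu_result alu_and(uint32_t dst, uint32_t src) {
    alu_result r = {dst & src, 0};
    if (r.value == 0) r.flags |= ZF;
    return r;
}

/* DWORD PTR [offset] on a little-endian CPU: lowest address = least significant byte,
 * so the bytes 78 56 34 12 read back as the value 12345678. */
uint32_t read_dword_ptr(const uint8_t *mem, size_t offset) {
    return (uint32_t)mem[offset] | ((uint32_t)mem[offset + 1] << 8)
         | ((uint32_t)mem[offset + 2] << 16) | ((uint32_t)mem[offset + 3] << 24);
}

void write_dword_ptr(uint8_t *mem, size_t offset, uint32_t v) {
    for (int i = 0; i < 4; i++) mem[offset + i] = (uint8_t)(v >> (8 * i));
}

/* Constructed 64-byte stack segment with its stack pointer (ESP). */
#define STACK_SIZE 64
typedef struct { uint8_t mem[STACK_SIZE]; uint32_t esp; } stack_model;

void stack_init(stack_model *s) {
    memset(s->mem, 0, sizeof s->mem);
    s->esp = STACK_SIZE;         /* empty: ESP sits just past the top of the segment */
}

/* PUSH: the stack grows downwards, so ESP is decremented first, then the dword stored. */
void stack_push(stack_model *s, uint32_t v) {
    s->esp -= 4;
    write_dword_ptr(s->mem, s->esp, v);
}

/* POP: read the dword at [ESP], then move ESP back up. Last in, first out. */
uint32_t stack_pop(stack_model *s) {
    uint32_t v = read_dword_ptr(s->mem, s->esp);
    s->esp += 4;
    return v;
}

static void show(const char *name, alu_result r) {
    printf("%-16s -> %08X  CF=%d ZF=%d OF=%d\n", name, r.value,
           !!(r.flags & CF), !!(r.flags & ZF), !!(r.flags & OF));
}

int main(void) {
    show("add 7FFFFFFF, 1", alu_add(0x7FFFFFFFu, 1));  /* OF=1: the post's O-Flag example */
    show("add FFFFFFFF, 1", alu_add(0xFFFFFFFFu, 1));  /* CF=1 and ZF=1 */
    show("sub 0, 1",        alu_sub(0, 1));            /* CF=1: result went below 0 */
    show("and 256, 14D",    alu_and(0x256u, 0x14Du));  /* 1001010110 AND 0101001101 = 0001000100 = 44 */

    uint8_t bytes[4] = {0x78, 0x56, 0x34, 0x12};       /* constructed memory contents */
    printf("dword ptr [bytes] -> %08X\n", read_dword_ptr(bytes, 0));

    stack_model s;
    stack_init(&s);
    stack_push(&s, 0x11111111u);
    stack_push(&s, 0x22222222u);
    uint32_t first = stack_pop(&s), second = stack_pop(&s);
    printf("pop -> %08X, pop -> %08X\n", first, second);  /* 22222222 then 11111111 */
    return 0;
}
```

Compile with any C99 compiler and run; the four `show` lines print the flag states the post describes for each case, and the two pops come back in reverse order of the pushes. Hexadecimal inputs are written with the 0x prefix here because C requires it, whereas the post's mnemonics leave it implicit.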