Web Hosting UK Forums > Support > FAQ's / Tutorials

#1
Old 09-11-2006, 05:55 PM
Member
 
Join Date: Sep 2006
Posts: 94
Registry Tutorial

Here's a tutorial on the Registry.

The tutorial is broken down into 3 sections.

1) Little background on the Registry.

2) Adding values to the registry.

3) Deleting Keys and Values.

-------------------------------------------------------------------------------------------------------

1) ****Little background on the Registry.****

The Registry is basically a database used to store Information, Settings and Options. It contains everything from the settings of all the Hardware, Software and Users.

The registry is mainly made up of a directory structure similar to the one on your hard disk. Each branch is called a Hive. Now inside the Hive there lie Keys. Now within the Key there are values, of course. There are really three main types of values.

1) String
2) Binary
3) DWORD

I will go into more detail about them further on in the tutorial.

Now you might be saying to yourself: What are Branches?

Branches are shown as a Folder Icon in the registry with the Branches name to the right of it.

There are 5 main branches in Windows XP and 2000, each with a portion of information which makes up the registry.

1) HKEY_CLASSES_ROOT: This branch has all the file types on your computer.

2) HKEY_CURRENT_USER: This branch links to the section of HKEY_USERS appropriate for the user currently logged onto the Computer.

3) HKEY_LOCAL_MACHINE: This branch contains the Computer's specific information about the type of hardware, software, and other preferences on the Computer.

4) HKEY_USERS: This contains certain preferences for each of the users at the Computer.

5) HKEY_CURRENT_CONFIG: This branches to HKEY_LOCAL_MACHINE for the current hardware configuration.

Now onto the Values of the Registry, but more in depth this time.

1) REG_BINARY: This type stores the value as raw binary data.

2) REG_DWORD: This type represents the data by a four byte number and is commonly used for boolean values such as "0" to disable and "1" for enabling. Like a Light Switch: up to put the light on and down to put the light off.

3) REG_SZ: This type is a standard string used to represent human readable text values.

Also there are REG_EXPAND_SZ and REG_MULTI_SZ.

2) ****Adding values to the registry.****

Now enough of just explaining the registry, let's do something with the registry.

Firstly you will need Notepad. I'm sure everyone's got that.

My First Example is going to input "Hello" on the top Bar of Internet Explorer.

Now to input the commands.

<--------------Starting Commands-------------->

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

"Window Title"="Hello"

<--------------End of Commands-------------->

Now I will explain this to you.

The line "[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]" means that your little reg file will look for that location in the registry.

The line "Window Title"="Hello"

Now all this does is make a new String Value "Window Title", and in that Key the Data is "Hello".

Pretty simple, isn't it? Now just save this as a .reg file and run it. Now these commands have only been tested on Windows XP; it might be a different location in other versions of Windows.

Now go check if it has worked.

This is how you can add things to the registry or change things to the registry.

3) ****Deleting Keys and Values.****

Now to delete a whole Key from the registry do the same as I told you above but with different commands.

<--------------Starting Commands-------------->

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

<--------------End of Commands-------------->

Now I don't recommend doing that if you use Internet Explorer. But as you can see, all we did was place a "-" sign in front of the Branch.

Now to delete individual Keys like the one we made for Internet Explorer, do as follows.

<--------------Starting Commands-------------->

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"=-

<--------------End of Commands-------------->

Now as you can see we have specified the branch and location. Then we have placed the Value's name and put a "-" sign to it so it deletes what's inside that value.

This is the end to another tutorial. Hope this helps you understand a bit about the registry.

Last edited by MeTi; 09-11-2006 at 06:05 PM. Reason: Registry Tutorial
#2
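The .reg files in the post above are applied as-is when double-clicked, so it pays to read them first. Here is a small audit script, added as an example (it is not code from the original post): it parses the REGEDIT4 header, the [key] and [-key] lines and the "name"=data lines, and lists every key or value the file would create, overwrite or delete, so the destructive entries can be reviewed before importing. It goes beyond the post by also decoding the dword: and hex: data forms used for REG_DWORD and REG_BINARY values; the sample file and the keys under HKEY_CURRENT_USER\Software\Example are constructed for this example.

```python
# Added example (not from the forum post): audit a .reg file before importing it.
# Parses REGEDIT4 / "Windows Registry Editor Version 5.00" files and lists every
# key or value the file would create, overwrite or delete.
import re
from dataclasses import dataclass
from typing import Optional

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')                   # [key] or [-key]
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')    # "name"=data or @=data


@dataclass
class RegChange:
    action: str                  # "set", "delete_value" or "delete_key"
    key: str
    name: Optional[str] = None   # None for whole-key deletions
    kind: Optional[str] = None   # REG_SZ, REG_DWORD or REG_BINARY for "set"
    data: object = None


def _unescape(s):
    # .reg string syntax escapes backslashes and quotes with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def _decode(data):
    """Turn the text after '=' into (action, kind, value)."""
    if data == "-":
        return "delete_value", None, None
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return "set", "REG_SZ", _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return "set", "REG_DWORD", int(data[6:], 16)
    if data.lower().startswith("hex:"):
        return "set", "REG_BINARY", bytes.fromhex(data[4:].replace(",", ""))
    raise ValueError(f"unsupported value data: {data!r}")


def parse_reg(text):
    """Return the list of RegChange entries a .reg file would apply."""
    logical = []
    for raw in text.splitlines():
        # Long hex: values are wrapped with a trailing backslash; join them back
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + raw.strip()
        else:
            logical.append(raw.strip())
    lines = [l for l in logical if l and not l.startswith(";")]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing or unknown .reg header line")

    changes, current = [], None
    for line in lines[1:]:
        m = KEY_RE.match(line)
        if m:
            minus, current = m.groups()
            if minus:                    # [-key] removes the key and everything below it
                changes.append(RegChange("delete_key", current))
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unexpected line: {line!r}")
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        action, kind, value = _decode(m.group(2))
        changes.append(RegChange(action, current, name, kind, value))
    return changes


def destructive(changes):
    """The entries that remove data: the ones to look at before importing."""
    return [c for c in changes if c.action != "set"]


def describe(changes):
    out = []
    for c in changes:
        if c.action == "delete_key":
            out.append(f"DELETE KEY   {c.key}")
        elif c.action == "delete_value":
            out.append(f"DELETE VALUE {c.key}\\{c.name}")
        else:
            out.append(f"SET {c.kind:<10} {c.key}\\{c.name} = {c.data!r}")
    return out


# Constructed sample: the post's "Window Title" example plus the other data forms.
# The keys under HKEY_CURRENT_USER\Software\Example are made up for this example.
SAMPLE = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"="Hello"

[HKEY_CURRENT_USER\Software\Example\Audit]
"Enabled"=dword:00000001
"Blob"=hex:de,ad,\
  be,ef
"Path"="C:\\Example\\"
"Stale"=-

[-HKEY_CURRENT_USER\Software\Example\Remove]
"""

if __name__ == "__main__":
    changes = parse_reg(SAMPLE)
    for line in describe(changes):
        print(line)
    print(f"{len(destructive(changes))} destructive change(s) found")
```

Run it against any .reg file you are about to import (read the file into `parse_reg`): the `[-key]` form deletes the whole key and every subkey, and `"name"=-` removes a single value, so those two entry types are the ones worth a second look.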
Old 09-11-2006, 06:07 PM
Member
 
Join Date: Sep 2006
Posts: 94
Assembler Basic Guide

Assembler

Assembler is the start and the end of all programming languages. After all, all languages are translated to assembler. In most languages we deal with relatively clear syntaxes. However, it's a completely different story in assembler, where we use abbreviations and numbers and where it all seems so weird …


I. Pieces, bits and bytes:

• BIT - The smallest possible piece of data. It can be either a 0 or a 1. If you put a bunch of bits together, you end up in the 'binary number system'

i.e. 00000001 = 1, 00000010 = 2, 00000011 = 3, etc.

• BYTE - A byte consists of 8 bits. It can have a maximal value of 255 (0-255). To make it easier to read binary numbers, we use the 'hexadecimal number system'. It's a 'base-16 system', while binary is a 'base-2 system'

• WORD - A word is just 2 bytes put together or 16 bits. A word can have a maximal value of 0FFFFh (or 65535d).

• DOUBLE WORD - A double word is 2 words together or 32 bits. Max value = 0FFFFFFFF (or 4294967295d).

• KILOBYTE - 1000 bytes? No, a kilobyte does NOT equal 1000 bytes! Actually, there are 1024 (32*32) bytes.

• MEGABYTE - Again, not just 1 million bytes, but 1024*1024 or 1,048,578 bytes.


---------------------------------------------------------------------------------------------


II. Registers:

Registers are “special places” in your computer's memory where we can store data. You can see a register as a little box, wherein we can store something: a name, a number, a sentence. You can see a register as a placeholder.

On today’s average WinTel CPU you have 9 32bit registers (w/o flag registers). Their names are:

EAX: Extended Accumulator Register
EBX: Extended Base Register
ECX: Extended Counter Register
EDX: Extended Data Register
ESI: Extended Source Index
EDI: Extended Destination Index
EBP: Extended Base Pointer
ESP: Extended Stack Pointer
EIP: Extended Instruction Pointer

Generally the size of the registers is 32bit (=4 bytes). They can hold data from 0-FFFFFFFF (unsigned). In the beginning most registers had certain main functions which the names imply, like ECX = Counter, but these days you can - nearly - use whichever register you like for a counter or stuff (only the self defined ones; there are counter-functions which need to be used with ECX). The functions of EAX, EBX, ECX, EDX, ESI and EDI will be explained when I explain certain functions that use those registers. So, there are EBP, ESP, EIP left:

EBP: EBP has mostly to do with stack and stack frames. Nothing you really need to worry about, when you start.

ESP: ESP points to the stack of a current process. The stack is the place where data can be stored for later use (for more information, see the explanation of the push/pop instructions)

EIP: EIP always points to the next instruction that is to be executed.


There's one more thing you have to know about registers: although they are all 32bits large, some parts of them (16bit or even 8bit) can not be addressed directly.

The possibilities are:

32bit Register   16bit Register   8bit Register
EAX              AX               AH/AL
EBX              BX               BH/BL
ECX              CX               CH/CL
EDX              DX               DH/DL
ESI              SI               -----
EDI              DI               -----
EBP              BP               -----
ESP              SP               -----
EIP              IP               -----

A register looks generally this way:

|--------------------------- EAX: 32bit (=1 DWORD =4BYTES) -------------------------|
|                                         |------- AX: 16bit (=1 WORD =2 BYTES) ----|
|                                         |- AH:8bit (=1 BYTE)-|- AL:8bit (=1 BYTE)-|
|-----------------------------------------|--------------------|--------------------|
|XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX|XXXXXXXXXXXXXXXXXXXX|XXXXXXXXXXXXXXXXXXXX|
|-----------------------------------------|--------------------|--------------------|

So, EAX is the name of the 32bit register, AX is the name of the "Low Word" (16bit) of EAX and AL/AH (8bit) are the “names” of the "Low Part" and “High Part” of AX. BTW, 4 bytes is 1 DWORD, 2 bytes is 1 WORD.

REMARK: make sure you at least read the following about registers. It’s quite practical to know it although not that important.

All this makes it possible for us to make a distinction regarding size:

• i. byte-size registers: As the name says, these registers are all exactly 1 byte in size. This does not mean that the whole (32bit) register is fully loaded with data! Eventually empty spaces in a register are just filled with zeroes. These are the byte-sized registers, all 1 byte or 8 bits in size:

o AL and AH
o BL and BH
o CL and CH
o DL and DH

• ii. word-size registers: Are 1 word (= 2 bytes = 16 bits) in size. A word-sized register is constructed of 2 byte-sized registers. Again, we can divide these regarding their purpose:

o 1. general purpose registers:

AX (word-sized) = AH + AL -> the '+' does *not* mean: 'add them up'. AH and AL exist independently, but together they form AX. This means that if you change AH or AL (or both), AX will change too!

-> 'accumulator': used for mathematical operations, storing strings, ..

BX -> 'base': used in conjunction with the stack (see later)

CX -> 'counter'

DX -> 'data': mostly, here the remainder of mathematical operations is stored

DI -> 'destination index': i.e. a string will be copied to DI

SI -> 'source index': i.e. a string will be copied from SI

o 2. index registers:

BP -> 'base pointer': points to a specified position on the stack (see later)
SP -> 'stack pointer': points to a specified position on the stack (see later)

o 3. segment registers:

CS -> 'code segment': instructions an application has to execute (see later)
DS -> 'data segment': the data your application needs (see later)
ES -> 'extra segment': duh! (see later)
SS -> 'stack segment': here we'll find the stack (see later)

o 4. special:

IP -> 'instruction pointer': points to the next instruction. Just leave it alone

• iii. Doubleword-size registers:

2 words = 4 bytes = 32 bits. EAX, EBX, ECX, EDX, EDI…

If you find an 'E' in front of a 16-bits register, it means that you are dealing with a 32-bits register. So, AX = 16-bits; EAX = the 32-bits version of EAX.
#3
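The AX/AH/AL aliasing explained above, as an added example (it is not code from the original post): a small Python model of one 32-bit register with its 16-bit and 8-bit views, showing that a write to AL or AH changes AX and EAX while every bit outside the written view keeps its old value. The class and method names are this example's own and the starting value 12345678h is constructed.

```python
# Added example (not from the forum post): how AL, AH and AX alias into EAX.
# A write to any view changes the whole register; bits outside the view are untouched.
MASK32 = 0xFFFFFFFF

# view suffix -> (bit offset within the 32-bit register, width in bits)
VIEWS = {
    "E": (0, 32),   # EAX: the whole register
    "X": (0, 16),   # AX : the low word
    "L": (0, 8),    # AL : the low byte of AX
    "H": (8, 8),    # AH : the high byte of AX
}


class Reg32:
    """One of EAX/EBX/ECX/EDX, identified by its letter ("A" for EAX, AX, AH, AL).
    Only these four have byte views; ESI/EDI/EBP/ESP stop at the 16-bit SI/DI/BP/SP."""

    def __init__(self, letter, value=0):
        if letter not in ("A", "B", "C", "D"):
            raise ValueError("only EAX..EDX have AH/AL-style byte views")
        self.letter = letter
        self.value = value & MASK32

    def name(self, view):
        full = {"E": f"E{self.letter}X", "X": f"{self.letter}X"}
        return full.get(view, f"{self.letter}{view}")     # "AL", "AH"

    def read(self, view):
        offset, width = VIEWS[view]
        return (self.value >> offset) & ((1 << width) - 1)

    def write(self, view, new):
        """Store `new` into the view (truncated to its width); the other bits keep
        their old value. Returns the new 32-bit register contents."""
        offset, width = VIEWS[view]
        mask = ((1 << width) - 1) << offset
        self.value = (self.value & ~mask & MASK32) | ((new << offset) & mask)
        return self.value

    def dump(self):
        """Hex picture of every view, e.g. {'EAX': '12345678', 'AX': '5678', ...}."""
        return {self.name(v): f"{self.read(v):0{w // 4}X}" for v, (_, w) in VIEWS.items()}


def demo():
    """Apply three writes to a constructed EAX and return the picture after each."""
    eax = Reg32("A", 0x12345678)
    steps = [eax.dump()]
    eax.write("L", 0xFF)            # mov al, 0FFh   -> EAX = 123456FF
    steps.append(eax.dump())
    eax.write("H", 0x00)            # mov ah, 0      -> EAX = 123400FF
    steps.append(eax.dump())
    eax.write("X", 0xABCD)          # mov ax, 0ABCDh -> EAX = 1234ABCD
    steps.append(eax.dump())
    return steps


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The `write` method is the point of the model: it masks in only the bits of the view being written, which is why changing AH or AL changes AX and EAX too, and why a value too wide for the view is silently truncated.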
Old 09-11-2006, 06:08 PM
Member
 
Join Date: Sep 2006
Posts: 94

II. The flags:

Flags are single bits which indicate the status of something. The flag register on modern 32bit CPUs is 32bit large. There are 32 different flags, but don't worry. You will mostly only need 3 of them in reversing. The Z-Flag, the O-Flag and the C-Flag. For reversing you need to know these flags to understand if a jump is executed or not. This register is in fact a collection of different 1-bit flags. A flag is a sign, just like a green light means: 'ok' and a red one 'not ok'. A flag can only be '0' or '1', meaning 'not set' or 'set'.

• The Z-Flag:
o The Z-Flag (zero flag). It can be set (status: 1) or cleared (status: 0) by several opcodes when the last instruction that was performed has 0 as result. You might wonder why "CMP" (more on this later) could set the zero flag, because it compares something - how can the result of the comparison be 0? The answer to this comes later.

• The O-Flag:
o The O-Flag (overflow flag). It is set (status: 1) when the last operation changed the highest bit of the register that gets the result of an operation. For example: EAX holds the value 7FFFFFFF. If you use an operation now which increases EAX by 1, the O-Flag would be set, because the operation changed the highest bit of EAX (which is not set in 7FFFFFFF, but set in 80000000 - use calc.exe to convert hexadecimal values to binary values). Another need for the O-Flag to be set is that the value of the destination register is neither 0 before the instruction nor after it.

• The C-Flag:
o The C-Flag (Carry flag). It is set if you add a value to a register so that it gets bigger than FFFFFFFF, or if you subtract a value so that the register value gets smaller than 0.


---------------------------------------------------------------------------------------------


IV. Segments and offsets

A segment is a piece in memory where instructions (CS), data (DS), the stack (SS) or just an extra segment (ES) are stored. Every segment is divided into 'offsets'. In 32-bits applications (Windows 95/98/ME/2000), these offsets are numbered from 00000000 to FFFFFFFF. 65536 pieces of memory, thus 65536 memory addresses per segment. The standard notation for segments and offsets is:

SEGMENT : OFFSET = Together, they point to a specific place (address) in memory.

See it like this:

A segment is a page in a book : An offset is a specific line at that page.


---------------------------------------------------------------------------------------------


V. The stack:

The Stack is a part in memory where you can store different things for later use. See it as a pile of books in a chest where the last put in is the first to grab out. Or imagine the stack as a paper basket where you put in sheets. The basket is the stack and a sheet is a memory address (indicated by the stack pointer) in that stack segment. Remember the following rule: the last sheet of paper you put in the stack is the first one you'll take out! The command 'push' saves the contents of a register onto the stack. The command 'pop' grabs the last saved contents of a register from the stack and puts it in a specific register.


---------------------------------------------------------------------------------------------


VI. INSTRUCTIONS (alphabetical)

Please note, that all values in ASM mnemonics (instructions) are *always* hexadecimal.


Most instructions have two operators (like "add EAX, EBX"), but some have one ("not EAX") or even three ("IMUL EAX, EDX, 64"). When you have an instruction that says something with "DWORD PTR [XXX]" then the DWORD (4 byte) value at memory offset [XXX] is meant. Note that the bytes are saved in reverse order in the memory (WinTel CPUs use the so called “Little Endian” format). The same is for "WORD PTR [XXX]" (2 byte) and "BYTE PTR [XXX]" (1 byte).

Most instructions with 2 operators can be used in the following ways (example: add):

add eax,ebx                       ;; Register, Register
add eax,123                       ;; Register, Value
add eax,dword ptr [404000]        ;; Register, Dword Pointer [value]
add eax,dword ptr [eax]           ;; Register, Dword Pointer [register]
add eax,dword ptr [eax+00404000]  ;; Register, Dword Pointer [register+value]
add dword ptr [404000],eax        ;; Dword Pointer [value], Register
add dword ptr [404000],123        ;; Dword Pointer [value], Value
add dword ptr [eax],eax           ;; Dword Pointer [register], Register
add dword ptr [eax],123           ;; Dword Pointer [register], Value
add dword ptr [eax+404000],eax    ;; Dword Pointer [register+value], Register
add dword ptr [eax+404000],123    ;; Dword Pointer [register+value], Value

---------------------------------------------------------------------------------------------

ADD (Addition)
Syntax: ADD destination, source

The ADD instruction adds a value to a register or a memory address. It can be used in these ways:

These instructions can set the Z-Flag, the O-Flag and the C-Flag (and some others, which are not needed for cracking).

---------------------------------------------------------------------------------------------

AND (Logical And)
Syntax: AND destination, source

The AND instruction uses a logical AND on two values.
This instruction *will* clear the O-Flag and the C-Flag and can set the Z-Flag.
To understand AND better, consider those two binary values:

1001010110
0101001101

If you AND them, the result is 0001000100
When two 1s stand below each other, the result of this bit is 1; if not, the result is 0. You can use calc.exe to calculate AND easily.
#4
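The three flags, the little-endian note and the ADD/AND descriptions above, as an added example that is not code from the original post: Python functions that perform 32-bit ADD, SUB, CMP and AND and compute ZF, CF and OF with the standard x86 rules (CF is the unsigned carry or borrow, OF is signed overflow, i.e. the result's sign bit differs from what the operands' sign bits predict), a little-endian DWORD PTR read, and, going beyond the post, the flag tests behind je/jne/jb/jae/ja/jbe so you can see which way a jump goes after a CMP. The function names and the sample bytes are this example's own.

```python
# Added example (not from the forum post): ADD, SUB/CMP and AND on 32-bit operands
# with the Z, O and C flags computed the way the x86 does it, plus a little-endian
# "DWORD PTR [offset]" read and the flag tests behind a few conditional jumps.
MASK32 = 0xFFFFFFFF
SIGN32 = 0x80000000          # the highest bit: the sign bit of a 32-bit register


def x86_add(dst, src):
    """add dst, src -> (result, flags)."""
    full = dst + src                         # unbounded Python int keeps the carry
    result = full & MASK32
    return result, {
        "ZF": result == 0,
        "CF": full > MASK32,                 # unsigned result did not fit in 32 bits
        # OF: both inputs had the same sign bit and the result's sign bit differs
        "OF": ((dst ^ result) & (src ^ result) & SIGN32) != 0,
    }


def x86_sub(dst, src):
    """sub dst, src -> (result, flags)."""
    full = dst - src
    result = full & MASK32
    return result, {
        "ZF": result == 0,
        "CF": full < 0,                      # borrow: unsigned result went below 0
        # OF: inputs had different sign bits and the result's sign differs from dst
        "OF": ((dst ^ src) & (dst ^ result) & SIGN32) != 0,
    }


def x86_cmp(a, b):
    """cmp a, b is sub a, b with the result thrown away: only the flags survive,
    which is why comparing two equal values sets the zero flag."""
    return x86_sub(a, b)[1]


def x86_and(dst, src):
    """and dst, src -> (result, flags); AND always clears CF and OF."""
    result = dst & src & MASK32
    return result, {"ZF": result == 0, "CF": False, "OF": False}


def read_dword_ptr(memory, offset):
    """DWORD PTR [offset]: four bytes, least significant byte first (little endian)."""
    return int.from_bytes(memory[offset:offset + 4], "little")


# Which flag combination makes each (unsigned) conditional jump go.
JUMPS = {
    "je":  lambda f: f["ZF"],
    "jne": lambda f: not f["ZF"],
    "jb":  lambda f: f["CF"],                      # unsigned below
    "jae": lambda f: not f["CF"],                  # unsigned above or equal
    "ja":  lambda f: not f["CF"] and not f["ZF"],  # unsigned above
    "jbe": lambda f: f["CF"] or f["ZF"],           # unsigned below or equal
}


def jump_taken(mnemonic, flags):
    return JUMPS[mnemonic](flags)


if __name__ == "__main__":
    for dst, src in ((0x7FFFFFFF, 1), (0xFFFFFFFF, 1)):   # the post's O-Flag and C-Flag cases
        res, flags = x86_add(dst, src)
        print(f"add {dst:08X},{src:08X} -> {res:08X} {flags}")
    res, flags = x86_and(0b1001010110, 0b0101001101)     # the post's AND example
    print(f"and 1001010110,0101001101 -> {res:010b} {flags}")
    mem = bytes.fromhex("78563412")          # constructed: how 12345678h sits in memory
    print(f"dword ptr [0] = {read_dword_ptr(mem, 0):08X}")
    print("je after cmp 5,5 taken:", jump_taken("je", x86_cmp(5, 5)))
```

Two details worth noticing: `x86_add` computes the sum as an unbounded integer before masking, so the carry out of bit 31 is visible for CF, and `x86_cmp` is literally `x86_sub` without the result, which answers the question the post defers about how a comparison can "have 0 as result".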
Old 09-12-2006, 11:31 AM
kev woodman's Avatar
Premium Member
 
Join Date: Jul 2006
Location: Newport, Wales, UK.
Posts: 1,494

Wow it's like the third generation never happened. Does anyone still code in Assembler?
__________________
homo sum: humani nil a me alienum puto ... ( just Google it )
#5
Old 09-12-2006, 01:07 PM
Member
 
Join Date: Sep 2006
Posts: 94

Well, yea some guys are still coding in Assembler
#6
Old 09-13-2006, 10:44 AM
Pumazooma's Avatar
Senior Member
 
Join Date: Jun 2006
Location: Oxford
Posts: 271

Nice tutorial....but you should credit the hackthissite.org website that you've lifted it from.
Copyright 2002-2007 WebHosting.uk.com. All rights reserved.