Assembly

Intel x86 Assembly (32bit)

Registers

EAX- Accumulator.  Used in arithmetic operations
ECX- Counter. Used to shift instructions and loops
EDX- Data.  Used in arithmetic and I/O operations
EBX- Base.  Used as a pointer to data
ESP- Stack Pointer.  Points to top of stack (lowest memory address)
EBP- Stack Base Pointer.  Points to the base of the stack frame
ESI-Source Index. Used as a pointer to a source in stream operations
EDI-Destination Index.  Used as a pointer to a destination in stream operations
EIP- Instruction Pointer.  Points to current instruction to be executed

Bitwise Operations

  • NOT- Flip all bits
NOT 111000 = 000111

NOT [al+bl] = Add values of al and bl.  Then get the value that the result points to.  Then flip the bits of that value.
  • AND- Takes two values of the same length. For each bit only 1 AND 1 = 1. All others are 0
AND 1 1 = 1
AND 1 0 = 0
AND 0 0 = 0
AND 11111111 10000001 = 10000001
  • OR- Takes two values of the same length. For each bit only 0 AND 0 = 0. All others are 1
OR 0 0 = 0
OR 1 0 = 1
OR  1 1 = 1
OR 00111111 10000001 = 10111111
  • XOR- Takes two values of the same length and performs and exclusive OR. For each bit only 1 AND 0 = 1. All others are 0
XOR 0 0 = 0
XOR 1 0 = 1
XOR  1 1 = 0
XOR 00111111 10000001 = 10111110

Instructions

  • JMP- Jump to a location in memory.  Essentially mov address to EIP
jmp eax = go to the memory address that is in eax

jmp [eax] = go to the memory address that is stored at the location eax is pointing to

  • CALL- Push next memory address to stack (used for return address).  Then jump to address
call eax = push the next memory address so the called function can return when complete.  Then jump to the value of eax

call [eax] = push the next memory address so the called function can return when complete.  Then jump to the memory address that is stored at the location eax is pointing to
  • RET- Return is used to return from a call.  When a function completes and is ready to return to the function that called it RET will essentially pop the return off the stack and jmp to that address.
ret = pop top value off the stack and jump to that location

ret <value> = pop top value off the stack and jump to that location.  Then increase the value of ESP to remove other unneeded stack values.  Used in some conventions to cleanup the called functions parameters.  Other conventions leave the parameters to be removed by the calling function.
  • PUSH- Put a value on the top of the stack (lowest address on stack and current value of ESP). Then reduce the value of ESP to represent the new top of the stack.
push eax = Reduce the value of ESP by 4 to create a new stack location. Put the value of EAX into that location.

push [eax] = Reduce the value of ESP by 4 to create a new stack location. Go to the location in memory that eax points to and put that value onto the stack.

push = Reduce the value of ESP by 4 to create a new stack location. Put the value of the constant into that location.
  • POP- Take a value off of the stack and place it in a register or memory address. Then add 4 to ESP to represent the new top of the stack.
pop eax = Take the value on top of the stack and place it in the eax register. Then increase ESP by 4.

pop [eax] = Take the value on top of the stack and place it in the memory location that eax points to. Then increase ESP by 4.
  • MOV- Move information from a register to a register, memory to a register, or a register to memory.
mov eax, [ebx] = move 4 bytes from memory at location of ebx to eax. Cant do memory to memory so one has to be a register

 mov eax, [ebx] = move 4 bytes from memory at location of ebx to eax. Cant do memory to memory so one has to be a register

mov eax, [ebx+ecx*X] = do the calculation in the brackets using the values of the registers. Then get 4 bytes at the resulting value and put them into eax. X can only be 1,2,4, or 8

mov eax, [ebx+ecx*X+Y] = do the calculation in the brackets using the values of the registers. Then get 4 bytes at the resulting value and put them into eax. X can only be 1,2,4, or 8. Y can be one byte, 0-255 or 4 bytes, 0 - 2^32-1

Described as [base + index*scale + displacement].  The idea is that you can use a base, lets say EPB. Since stack frames are 4 byes you could use a scale of 4 to represent a stack frame. Then you can set index to how many frames to go up. Offset can move you x bytes from where you end up.
  • LEA- Load effective address.  LEA places the address specified by its second operand into the register specified by its first operand.  This is the only command where [register] does not act as a pointed to a memory location.
lea eax, [edx+ebx*2] = if ebx points to the value 0x2 and edx points to the value 0x1000 then eax will end up as 0x1004 not the value at the memory address 0x1004.
  • ADD- Add value to another value. Store value in left parameter
add esp, 8 = take value of esp register, add 8 to it, and store result in esp.

add [esp], [ebx*2] = take the value stored in the ebx register, multiply it by 2, then get the value in memory that the resulting value point to.  Next add that to the value that the esp register points to in memory.  store the result at the memory address that esp points to.
  • SUB- Subtract value from another value. Store value in left parameter
sub esp, 8 = take value of esp register, subtract 8 from it, and store result in esp.

sub [esp], [ebx*2] = take the value stored in the ebx register, multiply it by 2, then get the value in memory that the resulting value point to.  Next subtract that from the value that the esp register points to in memory.  store the result at the memory address that esp points to.

Conditional Instructions

  • TEST- Perform AND on two values. EFlags are set based on result, then result is thrown out.
test eax,eax = perform AND between EAX and EAX.  Appropriate flags are set.  For example if EAX is zero the zero flag (ZF) would be set since the results of 0 AND 0 = 0.  If EAX was anything else the zero flag would not be set.

test eax,eax = would set the sign flag (SF) if eax is negative.
  • CMP- Perform a signed subtraction on two values. EFlags are set based on result, then result is thrown out. Used for conditional jumps.
cmp eax,10 = subtract 10 from eax.  Appropriate flags are set.  The value of EAX does not change.  
jle = jump if eax was less than or equal to 10.

cmp [eax],eax = subtract the value in eax from the value pointed to by eax.  Appropriate flags are set.  The value pointed to by eax does not change.