AH dan AL merupakan bagian dari AX. Ini berarti jika AH diubah, atau AL diubah (atau keduanya diubah), Maka AX akan berubah juga!
EAX -> Ingat 'accumulator': biasanya return fungsi disimpan di eax
EBX -> Ingat 'base': umum
ECX -> Ingat 'counter'
EDX -> Ingat 'data': umum
EDI -> 'destination index': operasi string
ESI -> 'source index': operasi string pasangan EDI
EDI dan ESI digunakan oleh instruksi STOSB untuk menyalin data string. Isi EDI dengan alamat memori tujuan
lalu isi ESI dengan alamat memori sumber kemudian panggil instruksi STOSB untuk menyalin data.
Dulu segmen register digunakan oleh DOS 16bit. Sekarang windows 32bit dan linux tidak perlu mengatur register segmen.
CS -> 'code segment': instructions an application has to execute (see later)
DS -> 'data segment': the data your application needs (see later)
ES -> 'extra segment': duh! (see later)
SS -> 'stack segment': here we'll find the stack (see later)
III. FLAG
Flag adalah bit tunggal yang mengidentifikasikan status dari suatu operasi. Misalnya operasi test akan mempengaruhi zero flag. Zero flag akan bernilai 1 jika hasil operasi test bernilai nol. Beberapa instruksi akan merujuk pada kondisi flag. Misalnya JNZ (jump if not zero) , jika instruksi sebelum JNZ menyebabkan zero flag bernilai 0, maka instruksi JNZ akan di eksekusi. Alur program akan melompat ke alamat yang ditunjuk JNZ. Ada banyak flag, namun tidak semuanya akan dijelaskan, hanya beberapa saja yang dianggap penting.
• Z-Flag:
o Z-Flag (zero flag) seperti sudah dijelaskan sebelumnya.
• O-Flag:
o O-Flag (overflow flag) . OF akan di set (status: 1) jika operasi terakhir mengubah bit tertinggi dari register. Contoh: EAX bernilai 7FFF FFFF. Jika kita melakukan instruksi yang menyebabkan EAX bertambah 1, maka OF akan di set, sebab operasi mengubah bit tertinggi dari EAX (yang mana akan menjadi 8000 0000). Hal lain yang akan menyebabkan OF bernilai 1 yaitu jika register tujuan tidak bernilai 0 sebelum dan sesudah operasi.
• C-Flag:
o C-Flag (Carry flag) CF akan diset jika kita menambahkan sesuatu ke register sehingga nilainya lebih dari FFFF FFFF atau kita mengurangi nilai register yang bernilai 0.
IV. STACK
Stack adalah bagian dari memori yang dapat digunakan untuk menyimpan data sementara untuk digunakan nantinya. Bedanya dengan memori biasa adalah stack berurutan dari alamat memori tinggi ke alamat memori rendah dengan lebar data sesuai processor (32bit untuk processor 32bit). Untuk menyimpan data ke stack menggunakan instruksi PUSH dan untuk mengambil data dari stack digunakan instruksi POP.
V. INSTRUCTION
Please note, that all values in ASM mnemonics (instructions) are *always* hexadecimal.
Most instructions have two operators (like "add EAX, EBX"), but some have one ("not EAX") or even three ("IMUL EAX, EDX, 64"). When you have an instruction that says something with "DWORD PTR [XXX]" then the DWORD (4 byte) value at memory offset [XXX] is meant. Note that the bytes are saved in reverse order in the memory (WinTel CPUs use the so called “Little Endian” format. The same is for "WORD PTR [XXX]" (2 byte) and "BYTE PTR [XXX]" (1 byte).
Most instructions with 2 operators can be used in the following ways (example: add):
add eax,ebx ;; Register, Register
add eax,123 ;; Register, Value
add eax,dword ptr [404000] ;; Register, Dword Pointer [value]
add eax,dword ptr [eax] ;; Register, Dword Pointer [register]
add eax,dword ptr [eax+00404000] ;; Register, Dword Pointer [register+value]
add dword ptr [404000],eax ;; Dword Pointer [value], Register
add dword ptr [404000],123 ;; Dword Pointer [value], Value
add dword ptr [eax],eax ;; Dword Pointer [register], Register
add dword ptr [eax],123 ;; Dword Pointer [register], Value
add dword ptr [eax+404000],eax ;; Dword Pointer [register+value], Register
add dword ptr [eax+404000],123 ;; Dword Pointer [register+value], value
ADD (Addition)
Syntax: ADD destination, source
The ADD instruction adds a value to a register or a memory address. It can be used in
these ways:
These instruction can set the Z-Flag, the O-Flag and the C-Flag (and some others, which
are not needed for cracking).
AND (Logical And)
Syntax: AND destination, source
The AND instruction uses a logical AND on two values.
This instruction *will* clear the O-Flag and the C-Flag and can set the Z-Flag.
To understand AND better, consider those two binary values:
1001010110
0101001101
If you AND them, the result is 0001000100
When two 1 stand below each other, the result is of this bit is 1, if not: The result
is 0. You can use calc.exe to calculate AND easily.
CALL (Call)
Syntax: CALL something
The instruction CALL pushes the RVA (Relative Virtual Address) of the instruction that
follows the CALL to the stack and calls a sub program/procedure.
CALL can be used in the following ways:
CALL 404000 ;; MOST COMMON: CALL ADDRESS
CALL EAX ;; CALL REGISTER - IF EAX WOULD BE 404000 IT WOULD BE SAME AS THE ONE ABOVE
CALL DWORD PTR [EAX] ;; CALLS THE ADDRESS THAT IS STORED AT [EAX]
CALL DWORD PTR [EAX+5] ;; CALLS THE ADDRESS THAT IS STORED AT [EAX+5]
CDQ (Convert DWord (4Byte) to QWord (8 Byte))
Syntax: CQD
CDQ is an instruction that always confuses newbies when it appears first time. It is
mostly used in front of divisions and does nothing else then setting all bytes of EDX
to the value of the highest bit of EAX. (That is: if EAX <80000000, then EDX will be
00000000; if EAX >= 80000000, EDX will be FFFFFFFF).
CMP (Compare)
Syntax: CMP dest, source
The CMP instruction compares two things and can set the C/O/Z flags if the result fits.
CMP EAX, EBX ;; compares eax and ebx and sets z-flag if they are equal
CMP EAX,[404000] ;; compares eax with the dword at 404000
CMP [404000],EAX ;; compares eax with the dword at 404000
DEC (Decrement)
Syntax: DEC something
dec is used to decrease a value (that is: value=value-1)
dec can be used in the following ways:
dec eax ;; decrease eax
dec [eax] ;; decrease the dword that is stored at [eax]
dec [401000] ;; decrease the dword that is stored at [401000]
dec [eax+401000] ;; decrease the dword that is stored at [eax+401000]
The dec instruction can set the Z/O flags if the result fits.
DIV (Division)
Syntax: DIV divisor
DIV is used to divide EAX through divisor (unsigned division). The dividend is always
EAX, the result is stored in EAX, the modulo-value in EDX.
An example:
mov eax,64 ;; EAX = 64h = 100
mov ecx,9 ;; ECX = 9
div ecx ;; DIVIDE EAX THROUGH ECX
After the division EAX = 100/9 = 0B and ECX = 100 MOD 9 = 1
The div instruction can set the C/O/Z flags if the result fits.
IDIV (Integer Division)
Syntax: IDIV divisor
The IDIV works in the same way as DIV, but IDIV is a signed division.
The idiv instruction can set the C/O/Z flags if the result fits.
IMUL (Integer Multiplication)
Syntax: IMUL value
IMUL dest,value,value
IMUL dest,value
IMUL multiplies either EAX with value (IMUL value) or it multiplies two values and puts
them into a destination register (IMUL dest, value, value) or it multiplies a register
with a value (IMUL dest, value).
If the multiplication result is too big to fit into the destination register, the
O/C flags are set. The Z flag can be set, too.
INC (Increment)
Syntax: INC register
INC is the opposite of the DEC instruction; it increases values by 1.
INC can set the Z/O flags.
INT
Syntax: int dest
Generates a call to an interrupt handler. The dest value must be an integer (e.g., Int 21h).
INT3 and INTO are interrupt calls that take no parameters but call the handlers for
interrupts 3 and 4, respectively.
JUMP
Berikut beberapa instruksi jump yang sering digunakan untuk membuat struktur kondisi dalam assembly.
JA - Jump if (unsigned) above - CF=0 and ZF=0
JAE - Jump if (unsigned) above or equal - CF=0
JB - Jump if (unsigned) below - CF=1
JBE - Jump if (unsigned) below or equal - CF=1 or ZF=1
JC - Jump if carry flag set - CF=1
JCXZ- Jump if CX is 0 - CX=0
JE - Jump if equal - ZF=1
JECXZ- Jump if ECX is 0 - ECX=0
JG - Jump if (signed) greater - ZF=0 and SF=OF (SF = Sign Flag)
JGE - Jump if (signed) greater or equal - SF=OF
JL - Jump if (signed) less - SF != OF (!= is not)
JLE - Jump if (signed) less or equal - ZF=1 and OF != OF
JMP - Jump - Selalu jump, tidak tergantung pada kondisi
JNA - Jump if (unsigned) not above - CF=1 or ZF=1
JNAE- Jump if (unsigned) not above or equal - CF=1
JNB - Jump if (unsigned) not below - CF=0
JNBE - Jump if (unsigned) not below or equal - CF=0 and ZF=0
JNC - Jump if carry flag not set - CF=0
JNE - Jump if not equal - ZF=0
JNG - Jump if (signed) not greater - ZF=1 or SF!=OF
JNGE- Jump if (signed) not greater or equal - SF!=OF
JNL - Jump if (signed) not less - SF=OF
JNLE - Jump if (signed) not less or equal - ZF=0 and SF=OF
JNO - Jump if overflow flag not set - OF=0
JNP - Jump if parity flag not set - PF=0
JNS - Jump if sign flag not set - SF=0
JNZ - Jump if not zero - ZF=0
JO - Jump if overflow flag is set - OF=1
JP - Jump if parity flag set - PF=1
JPE - Jump if parity is equal - PF=1
JPO - Jump if parity is odd - PF=0
JS - Jump if sign flag is set - SF=1
JZ - Jump if zero - ZF=1
LEA (Load Effective Address)
Syntax: LEA dest,src
LEA can be treated the same way as the MOV instruction. It isn't used too much for its
original function, but more for quick multiplications like this:
lea eax, dword ptr [4*ecx+ebx]
which gives eax the value of 4*ecx+ebx
MOV (Move)
Syntax: MOV dest,src
This is an easy to understand instruction. MOV copies the value from src to dest and src
stays what it was before.
There are some variants of MOV:
MOVS/MOVSB/MOVSW/MOVSD EDI, ESI: Those variants copy the byte/word/dword ESI points to,
to the space EDI points to.
MOVSX: MOVSX expands Byte or Word operands to Word or Dword size and keeps the sign of the
value.
MOVZX: MOVZX expands Byte or Word operands to Word or Dword size and fills the rest of the
space with 0.
MUL (Multiplication)
Syntax: MUL value
This instruction is the same as IMUL, except that it multiplies unsigned. It can set the
O/Z/F flags.
NOP (No Operation)
Syntax: NOP
This instruction does absolutely nothing
That's the reason why it is used so often in reversing ;)
OR (Logical Inclusive Or)
Syntax: OR dest,src
The OR instruction connects two values using the logical inclusive or.
This instruction clears the O-Flag and the C-Flag and can set the Z-Flag.
To understand OR better, consider those two binary values:
1001010110
0101001101
If you OR them, the result is 1101011111
Only when there are two 0 on top of each other, the resulting bit is 0. Else the resulting
bit is 1. You can use calc.exe to calculate OR. I hope you understand why, else
write down a value on paper and try ;)
POP
Syntax: POP dest
POP loads the value of byte/word/dword ptr [esp] and puts it into dest. Additionally it
increases the stack by the size of the value that was popped of the stack, so that the next
POP would get the next value.
PUSH
Syntax: PUSH operand
PUSH is the opposite of POP. It stores a value on the stack and decreases it by the size
of the operand that was pushed, so that ESP points to the value that was PUSHed.
REP/REPE/REPZ/REPNE/REPNZ
Syntax: REP/REPE/REPZ/REPNE/REPNZ ins
Repeat Following String Instruction: Repeats ins until CX=0 or until indicated condition
(ZF=1, ZF=1, ZF=0, ZF=0) is met. The ins value must be a string operation such as CMPS, INS,
LODS, MOVS, OUTS, SCAS, or STOS.
RET (Return)
Syntax: RET
RET digit
RET does nothing but return from a part of code that was reached using a CALL instruction.
RET digit cleans the stack before it returns.
SUB (Subtraction)
Syntax: SUB dest,src
SUB is the opposite of the ADD command. It subtracts the value of src from the value of
dest and stores the result in dest.
SUB can set the Z/O/C flags.
VII. Operasi Logical
Berikut ini truth tabel logical :
AND
0 and 0 = 0
0 and 1 = 0
1 and 0 = 0
1 and 1 = 1
Jadi, operator and hanya menghasilkan 1 jika kedua operand bernilai 1.
contoh :
mov al, 0000 0001
mov bl, 0000 1111
and al, bl
maka hasilnya disimpan pada register al.
al bernilai 0000 0001.
Salah satu kegunaan and adalah untuk mengidentifikasi nilai low nible atau high nible. Kata low nible digunakan untuk merujuk pada 4bit dari kanan dari satu byte dan high nible adalah 4bit dari kiri. Mengapa tidak diakses langsung?jawabnya tidak bisa. Satuan terkecil dari register yang dapat diakses adalah 1byte. Misalnya al berisi 0xCA. Untuk mengetahui bilangan kiri maka digunakan operasi berikut :
and al, 0x0F
atau bisa ditulis :
and 1100 1010, 0000 1111,
karena high nible dari al di and dengan 0, maka hasilnya high nible al bernilai 0000 dan low nible tidak berubah. Hasilnya setelah operasi itu adalah al = 0x0A atau 0000 1010
TEST
Test mirip dengan and, bedanya adalah test tidak menyimpan hasilnya pada register. Tapi test akan membuat zero flag bernilai 1 jika hasil operasinya nol.
Syntax: TEST operand1, operand2
This instruction is in 99% of all cases used for "TEST EAX, EAX". It performs a Logical
AND(AND instruction) but does not save the values. It only sets the Z-Flag, when EAX is 0
or clears it, when EAX is not 0. The O/C flags are always cleared.
XOR
Syntax: XOR dest,src
The XOR instruction connects two values using logical exclusive OR (remember OR uses
inclusive OR).
This instruction clears the O-Flag and the C-Flag and can set the Z-Flag.
To understand XOR better, consider those two binary values:
1001010110
0101001101
If you OR them, the result is 1100011011
When two bits on top of each other are equal, the resulting bit is 0. Else the resulting
bit is 1. You can use calc.exe to calculate XOR.
The most often seen use of XOR is “XOR, EAX, EAX”. This will set EAX to 0, because when
you XOR a value with itself, the result is always 0. I hope you understand why, else
write down a value on paper and try ;)
