X86-assembly/Registers
Jump to navigation
Jump to search
| You are here: | Registers
|
Description
Definition
A register is a small storage space available as part of the CPU.
Register breakdown
Registers are 32 bits in size and can be referenced as 16 or 8 bits registers. Here is an example:
EAX
|<--------------------- 32 bits ----------------------->|
+------+------+------+------+------+------+------+------+
| 1010 | 1001 | 1101 | 1100 | 1000 | 0001 | 1111 | 0101 |
| A | 9 | D | C | 8 | 1 | F | 5 |
+------+------+------+------+------+------+------+------+
AX
|<-------- 16 bits -------->|
+------+------+------+------+
| 1000 | 0001 | 1111 | 0101 |
| 8 | 1 | F | 5 |
+------+------+------+------+
AH
|<-- 8 bits ->|
+------+------+
| 1000 | 0001 |
| 8 | 1 |
+------+------+
AL
|<-- 8 bits ->|
+------+------+
| 1111 | 0101 |
| F | 5 |
+------+------+
General purpose registers
Extended Accumulator Register (EAX)
+----+----+
| AH | AL |
+----+----+
| AX |
+---------+---------+
| EAX |
+-------------------+
<----- 32 bits ----->
- EAX generally contains the return of a function. If you see the EAX register just after a function call, chances are that EAX contains the return value of the function.
- EAX and EDX are always implied in multiplication and division instructions
- EAX can also be used as a temporary CPU memory for additions:
mov [ebp+var_4], 0 ; int a = 0 mov eax, [ebp+var_4] ; store local variable var_4 in EAX add eax, 0Bh ; add 11 to EAX mov [ebp+var_4], eax ; store new content (11+0) into var_4
Extended Base Register (EBX)
+----+----+
| BH | BL |
+----+----+
| BX |
+---------+---------+
| EBX |
+-------------------+
Extended Counter Register (ECX)
+----+----+
| CH | CL |
+----+----+
| CX |
+---------+---------+
| ECX |
+-------------------+
- Used as a counter
Extended Data Register (EDX)
+----+----+
| DH | DL |
+----+----+
| DX |
+---------+---------+
| EDX |
+-------------------+
Extended Stack Pointer (ESP)
+---------+
| SP |
+---------+---------+
| ESP |
+-------------------+
- Points to last item in the stack
Extended Base Pointer (EBP)
+---------+
| BP | 16 bits
+---------+---------+
| EBP | 32 bits
+-------------------+
- EBP is called the Base Pointer.
- Used to reference arguments and local variables
- In the above example, IDA Pro shows that this is an EBP-based stack frame used in the function, which means the local variables and parameters will be referenced via the EBP register throughout the function. Local variables will be at a negative offset relative to EBP and arguments will be at a positive offset:
.text:00403E25 ; =============== S U B R O U T I N E ======================================= .text:00403E25 .text:00403E25 ; Attributes: bp-based frame .text:00403E25 .text:00403E25 ; int __stdcall sub_403E25(int, HDC hdc, HWND hWnd) .text:00403E25 sub_403E25 proc near ; CODE XREF: sub_4038EB+149↑p .text:00403E25 ; sub_403F06+27F↓p ... .text:00403E25 .text:00403E25 plbrush = LOGBRUSH ptr -0Ch .text:00403E25 arg_0 = dword ptr 8 .text:00403E25 hdc = dword ptr 0Ch .text:00403E25 hWnd = dword ptr 10h .text:00403E25 .text:00403E25 push ebp .text:00403E26 mov ebp, esp .text:00403E28 sub esp, 0Ch .text:00403E2B mov eax, [ebp+arg_0] .text:00403E2E push esi .text:00403E2F add eax, 0FFFFFECDh .text:00403E34 cmp eax, 5 .text:00403E37 ja loc_403ECB .text:00403E3D push 0FFFFFFEBh ; nIndex .text:00403E3F push [ebp+hWnd] ; hWnd .text:00403E42 call ds:GetWindowLongA .text:00403E48 mov esi, eax .text:00403E4A test esi, esi .text:00403E4C jz short loc_403ECB .text:00403E4E test byte ptr [esi+14h], 2 .text:00403E52 mov eax, [esi] .text:00403E54 push edi .text:00403E55 mov edi, ds:GetSysColor .text:00403E5B jz short loc_403E60 .text:00403E5D push eax ; nIndex .text:00403E5E call edi ; GetSysColor [SNIP]
Extended Source Index (ESI)
+---------+
| SI |
+---------+---------+
| ESI |
+-------------------+
- Used by memory transfer instructions
Extended Destination Index (EDI)
+---------+
| DI |
+---------+---------+
| EDI |
+-------------------+
- Used by memory transfer instructions
Extended Instruction Pointer (EIP)
- Points to instruction to execute next
- EIP can be affected by the following instructions: CALL, RET and JMP
push 0xdeadbeef ; push 0xdeadbeef to top of the stack
ret ; pops the return address off the stack and set EIP to this value
jmp 0xdeadbeef ; will set EIP to 0xdeadbeef
call 0xdeadbeef ; similar to jmp
Segment registers
CS (Code Segement)
- Default segment register when fetching instructions
SS (Stack Segment)
- Default segment register for accessing data with the ESP register
DS (Data Segment)
ES
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.
Thank you for your comprehension.
FS
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.
Thank you for your comprehension.
GS
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.
Thank you for your comprehension.
Status register
Description
- The FLAGS/EFLAGS register is a 32 bit long string where each flag represents 1 bit (0 or 1). For a detailed list of FLAGS and EFLAGS, refer to the this link.
- Following flags are the most common ones for malware analysis.
CF (Carry Flag)
Only has a meaning for unsigned numbers. The Carry Flag (CF) is set (1) when the result of an operation is too large or to small for the destination operand. Otherwise, it is cleared (0).
Example: CF = 1 in these cases:
- The carry flag is set if the addition of two numbers causes a carry out of the most significant (leftmost) bits added.
+---+---+---+---+
| 1 | 1 | 1 | 1 |
+ | 0 | 0 | 0 | 1 |
+---+---+---+---+---+
= | 1 | 0 | 0 | 0 | 0 |
+---+---+---+---+---+
|
+---> CF = 1
- The carry (borrow) flag is also set if the subtraction of two numbers requires a borrow into the most significant (leftmost) bits subtracted.
0000 - 0001 = 1111 (carry flag is turned on)
Otherwise, the carry flag is turned off (zero).
0111 + 0001 = 1000 (carry flag is turned off [zero])
1000 - 0001 = 0111 (carry flag is turned off [zero])
- In unsigned arithmetic, watch the carry flag to detect errors.
- In signed arithmetic, the carry flag tells you nothing interesting.
PF (Parity Flag)
The parity flag (PF) indicates if the number of set bits is even (e.g. 2, 4, 6, ...) or odd (1, 3, 5, ...) in the binary representation of the low 8 bits of the result of the last operation.
For example:
| Result of last operation |
In binary | Parity Flag (PF) | Comments |
|---|---|---|---|
| 26 | 00011010 | 0 | Number of set bits is odd |
| 102 | 01100110 | 1 | Number of set bits is even |
AF (Adjust Flag)
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.
Thank you for your comprehension.
ZF (Zero Flag)
The Zero Flag (ZF) is set (1) when the result of an operation is zero. Otherwise, it is cleared (0).
SF (Sign Flag)
The Sign Flag (SF) is set (1) when the result of an operation is negative. Otherwise (positive result), it is cleared (0).
TF (Trap Flag)
The Trap Flag (TF) is used for debugging. When set (1), the x86 processor will execute only one instruction at a time.
IF (Interrupt enable flag)
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.
Thank you for your comprehension.
DF (Direction Flag)
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.
Thank you for your comprehension.
OF (Overflow Flag)
The Overflow Flag (OF) has only a meaning for signed numbers. It will be set:
- if the result of 2 positive numbers results in a negative number
- or if the sum of 2 negative numbers result in a positive number.
Below is an example of the sum of 2 positive numbers (bit sign is 0). It results in a negative number (bit sign is 1). In this case, the overflow flag will be set.
┌─────────────┬─────────────┬─────────────┬─────────────┬─────────────┬─────────────┬─────────────┬─────────────┐
│ 31 30 29 28 │ 27 26 25 24 │ 23 22 21 20 │ 19 18 17 16 │ 15 14 13 12 │ 11 10 09 08 │ 07 06 05 04 │ 03 02 01 00 │
┌──────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┤
│ carry │ 1 1 1 0 │ 0 0 0 0 │ 0 0 0 0 │ 0 0 0 0 │ 0 0 0 0 │ 0 0 0 0 │ 0 0 0 0 │ 0 0 0 │
├──────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┤
│ 0x7020470F │ 0 1 1 1 │ 0 0 0 0 │ 0 0 1 0 │ 0 0 0 0 │ 0 1 0 0 │ 0 1 1 1 │ 0 0 0 0 │ 1 1 1 1 │
│ + 0x10000000 │ 0 0 0 1 │ 0 0 0 0 │ 0 0 0 0 │ 0 0 0 0 │ 0 0 0 0 │ 0 0 0 0 │ 0 0 0 0 │ 0 0 0 0 │
├──────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┤
│ = 0x8020470f │ 1 0 0 0 │ 0 0 0 0 │ 0 0 1 0 │ 0 0 0 0 │ 0 1 0 0 │ 0 1 1 1 │ 0 0 0 0 │ 1 1 1 1 │
└──────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┼─────────────┤
│ 8 │ 0 │ 2 │ 0 │ 4 │ 7 │ 0 │ F │
└─────────────┴─────────────┴─────────────┴─────────────┴─────────────┴─────────────┴─────────────┴─────────────┘
Here are examples where the overflow flag will be turned off:
0100 + 0001 = 0101 0110 + 1001 = 1111 1000 + 0001 = 1001 1100 + 1100 = 1000