Reverse Engineering Malware, Part 2: Assembler Language Basics
Most of the work we will be doing in reverse engineering will be with assembler language. This simple and sometimes tedious language can reveal a plethora of information about the source code. When we can't see or recover the source code of the malware or other software, we can use tools such as disassemblers and debuggers to recover the underlying assembler of the software. From there, of course, we can then decipher what the software was trying to do.

In this tutorial, I will simply be listing the most basic and fundamental assembler instructions. I suspect most of you will use it as a reference as we progress through this study, so make sure to bookmark this page so that you can easily come back to it.
Bits and Bytes
Let's start with a few basic concepts. Hopefully this is all review for you, but if not, you need to understand these basic principles before proceeding in this course of study.
Bit – This is the smallest piece of data. It can be a 0 or 1, or OFF or ON.
Byte – A byte is eight bits. It can hold decimal values from 0 to 255.
Word – A word is two bytes together, or 16 bits.
Double word – A double word (DWORD) is two words, or 32 bits.
Kilobyte – A kilobyte is 1024 (2^10) bytes.
Megabyte – A megabyte is 1,048,576 bytes (1024 x 1024).
Registers
Registers are small storage locations inside the CPU itself (not in main memory) where data is held while it is being worked on.
When working in assembler we are constantly using these registers to move and manipulate data, so you need to be familiar with them.
The 32-bit general-purpose registers are:
EAX – Extended Accumulator Register
EBX – Extended Base Register
ECX – Extended Counter Register
EDX – Extended Data Register
ESI – Extended Source Index
EDI – Extended Destination Index
EBP – Extended Base Pointer
ESP – Extended Stack Pointer
EIP – Extended Instruction Pointer
Flags
Flags are single bits that indicate the status of the last operation. The flag register (EFLAGS) on current 32-bit CPUs is 32 bits long, although not every one of those bits is a defined flag. In our study here we will only need three of them: the Z flag, the O flag and the C flag.
A flag can only be SET or NOT SET.
Z-Flag
The Z-flag (zero flag) is the most useful flag for cracking; it is involved in roughly 90% of all cases. It is set or cleared by many opcodes according to whether the last instruction that was executed produced zero as its result.
O-Flag
The O-flag (overflow flag) is used in roughly 4% of all cracking attempts. It is set when the last operation overflowed the signed range, that is, when adding or subtracting signed values changed the highest (sign) bit of the destination in a way the true result would not.
C-Flag
The C-Flag (carry flag) is used in roughly 1% of all cracking attempts. It is set if you add a value to a register so that the unsigned result becomes larger than FFFFFFFF, or if you subtract a value so that the unsigned result would be less than zero (a borrow).
Stack
The stack is a part of memory where you can store various things for later use.
Think of a stack of books on a desk: the last one placed on top (last in, LI) is the first to come off (first out, FO), hence LIFO. On x86 the stack grows downward, so ESP decreases with every push.
The PUSH instruction saves the contents of a register (or a constant or memory operand) on the stack. The POP instruction takes the last stored value off the stack and places it into a specified register.
Instructions
Assembler language has a small number of essential instructions. These include:
ADD – The ADD instruction adds a value to a register or memory address and stores the result in the destination.
Syntax:
ADD destination, source
AND – The AND instruction performs a bitwise logical AND on two values and stores the result in the destination.
Syntax:
AND destination, source
CALL – The CALL instruction pushes the address of the instruction that follows it (the return address) onto the stack and then transfers control to a subprogram or subroutine.
Syntax:
CALL something
CDQ – Convert DWORD to QWORD (Convert D to Q). CDQ sign-extends EAX into EDX, so that EDX:EAX holds the 64-bit signed value of EAX; it is normally executed right before IDIV.
Syntax:
CDQ
CMP – Compare
The CMP instruction compares two operands by subtracting the source from the destination, discards the result and sets the C/O/Z flags according to the outcome; a conditional jump usually follows it.
Syntax:
CMP destination, source
DEC – Decrement
The DEC instruction decreases a value by one (value = value - 1).
Syntax:
DEC something
DIV – Division
The DIV instruction divides the unsigned 64-bit value in EDX:EAX by the divisor. The quotient is stored in EAX and the remainder in EDX, so EDX must be cleared (typically with XOR EDX, EDX) before a plain 32-bit division.
Syntax:
DIV divisor
IDIV – Integer division. The same as DIV but signed; EDX:EAX is normally prepared with CDQ. The C/O/Z flags are undefined after DIV and IDIV, so do not rely on them.
Syntax:
IDIV divisor
IMUL – Signed integer multiplication. The one-operand form multiplies EAX by the value and stores the 64-bit product in EDX:EAX; the two- and three-operand forms store a 32-bit product in the destination.
Syntax:
IMUL value
IMUL dest, value, value
IMUL dest, value
INC – Increment, the opposite of the DEC instruction (value = value + 1)
Syntax:
INC register
INT – The INT instruction generates a call to an interrupt handler. INT 3 is the software breakpoint that debuggers insert into code.
JUMPS – There are a variety of jumps, but the most common and important jumps are:
JE – jump if equal
JG – jump if greater
JGE – jump if greater or equal
JL – jump if less
JLE – jump if less or equal
JMP – jump always
JNE – jump if not equal
JNZ – jump if not zero
JZ – jump if zero
JE and JZ are the same instruction (jump if the Z flag is set), as are JNE and JNZ. JG, JGE, JL and JLE treat the compared values as signed.
LEA – Load Effective Address. LEA computes the address of the source operand and stores that address (not the value stored at it) in the destination; compilers also use it for quick arithmetic.
Syntax:
LEA destination, source
MOV – Move copies the value from the source to the destination.
Syntax:
MOV destination, source
MUL – Multiply is the same as the one-operand IMUL, but it multiplies unsigned values; the 64-bit product goes into EDX:EAX.
Syntax:
MUL value
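The CDQ, DIV, IDIV, IMUL and MUL entries above all hinge on the EDX:EAX register pair, which is where most mistakes in reading (and writing) division code come from. The following is an added example, not code from the original article: a small Python model of those five instructions, written in Python so it runs without an assembler. Register values are plain integers masked to 32 bits; the function names mul, imul, cdq, div, idiv and signed_divide are this example's own. The last function shows the sequence a compiler emits for a signed division and what goes wrong when XOR EDX, EDX is used instead of CDQ for a negative dividend.

```python
# Added example (not part of the original article): a Python model of how the
# one-operand MUL/IMUL, CDQ, DIV and IDIV instructions use the EDX:EAX pair.
# Register values are plain integers masked to 32 bits; nothing here executes
# real machine code.

MASK32 = 0xFFFFFFFF


def to_signed32(v):
    """Interpret a 32-bit pattern as a signed two's-complement value."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def mul(eax, src):
    """MUL src: unsigned EAX * src, 64-bit product returned as (EDX, EAX)."""
    product = (eax & MASK32) * (src & MASK32)
    return product >> 32, product & MASK32


def imul(eax, src):
    """IMUL src (one-operand form): signed EAX * src, returned as (EDX, EAX)."""
    product = to_signed32(eax) * to_signed32(src)
    # Python's >> on a negative int is an arithmetic shift, so the high dword
    # comes out sign-extended exactly as the CPU leaves EDX.
    return (product >> 32) & MASK32, product & MASK32


def cdq(eax):
    """CDQ: sign-extend EAX into EDX (EDX becomes FFFFFFFF if EAX is negative, else 0)."""
    return MASK32 if eax & 0x80000000 else 0


def div(edx, eax, divisor):
    """DIV divisor: unsigned EDX:EAX / divisor -> (EDX = remainder, EAX = quotient).
    The CPU raises #DE (divide error) for a zero divisor or a quotient that does
    not fit in 32 bits; this model raises ZeroDivisionError in both cases."""
    divisor &= MASK32
    if divisor == 0:
        raise ZeroDivisionError("#DE: divide by zero")
    dividend = ((edx & MASK32) << 32) | (eax & MASK32)
    quotient, remainder = divmod(dividend, divisor)
    if quotient > MASK32:
        raise ZeroDivisionError("#DE: quotient does not fit in EAX")
    return remainder, quotient


def idiv(edx, eax, divisor):
    """IDIV divisor: signed EDX:EAX / divisor, truncating toward zero like the CPU
    (Python's // rounds toward negative infinity, so it is not used directly)."""
    divisor = to_signed32(divisor)
    if divisor == 0:
        raise ZeroDivisionError("#DE: divide by zero")
    dividend = ((edx & MASK32) << 32) | (eax & MASK32)
    if dividend & (1 << 63):
        dividend -= 1 << 64
    quotient = abs(dividend) // abs(divisor)
    if (dividend < 0) != (divisor < 0):
        quotient = -quotient
    remainder = dividend - quotient * divisor
    if not -(1 << 31) <= quotient <= (1 << 31) - 1:
        raise ZeroDivisionError("#DE: quotient does not fit in EAX")
    return remainder & MASK32, quotient & MASK32


def signed_divide(a, b, use_cdq=True):
    """The sequence a compiler emits for signed a / b:  MOV EAX, a ; CDQ ; IDIV b.
    With use_cdq=False the high half is cleared with XOR EDX, EDX instead, which is
    only right when a is non-negative. Returns (quotient, remainder), or the string
    '#DE' when the CPU would fault."""
    eax = a & MASK32
    edx = cdq(eax) if use_cdq else 0
    try:
        edx, eax = idiv(edx, eax, b)
    except ZeroDivisionError:
        return "#DE"
    return to_signed32(eax), to_signed32(edx)


if __name__ == "__main__":
    print("MUL  FFFFFFFF * 2      -> EDX:EAX = %08X:%08X" % mul(0xFFFFFFFF, 2))
    print("IMUL FFFFFFFF * 2 (-2) -> EDX:EAX = %08X:%08X" % imul(0xFFFFFFFF, 2))
    print("-7 / 2 with CDQ   :", signed_divide(-7, 2))
    print("-7 / 2 without CDQ:", signed_divide(-7, 2, use_cdq=False))
    print("-7 / 1 without CDQ:", signed_divide(-7, 1, use_cdq=False))
```

Two details are worth noticing when you meet this in a disassembly. A negative EAX divided without CDQ does not fault for a divisor of 2; it silently produces a huge positive quotient, which is exactly the kind of bug that survives testing. With a divisor of 1 the quotient no longer fits in EAX and the CPU raises a divide error, which is why a crash on IDIV with a large EAX is usually a missing CDQ rather than a zero divisor.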
NOP – No Operation does nothing. Because it occupies space without changing any state, it is the instruction most often written over a check when a program is patched.
Syntax:
NOP
OR – Logical inclusive OR
Syntax:
OR destination, source
POP – The POP instruction loads the byte/word/dword at the top of the stack (the address held in ESP) into the destination and then increases ESP by the size of the operand.
Syntax:
POP destination
PUSH – The PUSH instruction decreases ESP by the size of the operand and then stores the value on the stack, so that ESP points to the value that was pushed.
Syntax:
PUSH operand
REP – Repeat the following string instruction ECX times. Common variants are REPE (repeat while equal), REPZ (repeat while zero), REPNE (repeat while not equal) and REPNZ (repeat while not zero).
Syntax:
REP ins
where ins is a string operation (MOVS, STOS, CMPS, SCAS and so on)
RET – Return. RET pops the return address that CALL pushed into EIP; RET n additionally removes n bytes of arguments from the stack after popping the return address.
Syntax:
RET digit
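The stack section and the CALL, PUSH, POP and RET entries above describe the same mechanism from four angles, and it is easiest to see as a trace of ESP. The following is an added example, not code from the original article: a minimal Python model of the x86 stack with one method per instruction. The starting ESP value, the code addresses (00401000 and 00401100) and the function names Stack, lifo_order and stdcall_trace are assumptions made for this example; the addresses are typical of a 32-bit Windows image but are not taken from any real program.

```python
# Added example (not part of the original article): a minimal model of the x86
# stack showing what PUSH, POP, CALL and RET n do to ESP and to stack memory.
# The initial ESP and the code addresses are assumed, typical user-mode values.

MASK32 = 0xFFFFFFFF


class Stack:
    def __init__(self, esp=0x0012FF80):
        self.esp = esp      # assumed starting ESP
        self.mem = {}       # sparse memory: address -> dword
        self.trace = []     # (instruction, ESP after it) for the reader

    def push(self, value, text="push"):
        """PUSH: ESP -= 4, then store the dword at [ESP]."""
        self.esp -= 4
        self.mem[self.esp] = value & MASK32
        self.trace.append((text, self.esp))

    def pop(self, text="pop"):
        """POP: load the dword at [ESP], then ESP += 4 (LIFO: last pushed comes off first)."""
        value = self.mem[self.esp]
        self.esp += 4
        self.trace.append((text, self.esp))
        return value

    def call(self, return_address, target):
        """CALL target: push the address of the instruction after the CALL, then jump."""
        self.push(return_address, "call %08X" % target)
        return target

    def ret(self, n=0):
        """RET n: pop the return address into EIP, then discard n bytes of arguments."""
        eip = self.pop("ret %d" % n)
        self.esp += n
        return eip


def lifo_order():
    """Three pushes followed by three pops return the values in reverse order."""
    s = Stack()
    for v in (0x11, 0x22, 0x33):
        s.push(v)
    return [s.pop() for _ in range(3)]


def stdcall_trace():
    """Simulate a two-argument stdcall call and return (assumed addresses):

        00401000  push 2            ; second argument pushed first
        00401002  push 1            ; first argument
        00401004  call 00401100     ; pushes return address 00401009
        00401009  ...
        00401100  mov eax, [esp+4]  ; callee reads the first argument
        ...       ret 8             ; callee removes both arguments
    """
    s = Stack()
    esp_start = s.esp
    s.push(2, "push 2")
    s.push(1, "push 1")
    eip = s.call(0x00401009, 0x00401100)
    # On entry to the callee, [ESP] is the return address and [ESP+4] the first argument.
    first_arg = s.mem[s.esp + 4]
    second_arg = s.mem[s.esp + 8]
    return_eip = s.ret(8)
    return {
        "callee_eip": eip,
        "first_arg": first_arg,
        "second_arg": second_arg,
        "return_eip": return_eip,
        "stack_balanced": s.esp == esp_start,
        "trace": s.trace,
    }


if __name__ == "__main__":
    print("pop order:", [hex(v) for v in lifo_order()])
    for instr, esp in stdcall_trace()["trace"]:
        print("%-16s ESP=%08X" % (instr, esp))
```

The trace makes the practical point: after CALL, the first argument is always at [ESP+4] on entry, which is why you see mov eax, [esp+4] or mov eax, [ebp+8] (after push ebp / mov ebp, esp) at the top of so many functions, and RET 8 is how you recognise a callee-cleanup (stdcall) function with two dword arguments. If you ever see ESP not return to its starting value after a call, the calling convention you assumed is wrong.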
SUB – Subtraction. The opposite of the ADD instruction: subtracts the value of the source from the value of the destination and stores the result in the destination.
Syntax:
SUB destination, source
TEST – Performs a logical AND of the two operands but does not store the result; only the flags are set. TEST EAX, EAX followed by JZ or JNZ is the usual way to check a return value for zero.
Syntax:
TEST operand1, operand2
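The Flags section, the CMP entry, the list of jumps and the TEST entry above all describe one chain: an arithmetic or logical instruction sets Z, C and O, and the next conditional jump reads them. The following is an added example, not code from the original article, that models that chain in Python so the flag rules can be checked on real operand values. It goes slightly beyond the text: SF (the sign flag) is modelled because JG/JGE/JL/JLE cannot be evaluated without it, and JA and JB (the unsigned above/below jumps) are included to show why a signed jump and an unsigned jump can disagree after the same CMP. The function names alu_flags, taken and compare_and_branch are this example's own.

```python
# Added example (not part of the original article): how ADD, SUB, CMP and TEST
# set the Z, C and O flags on 32-bit operands, and which conditional jumps each
# flag combination makes "taken". SF (the sign flag) is not covered in the text
# but JG/JGE/JL/JLE need it, so it is modelled too; JA and JB (unsigned
# above/below) are included to show why the signed and unsigned jumps differ.

MASK32 = 0xFFFFFFFF


def to_signed32(v):
    """Interpret a 32-bit pattern as a signed two's-complement value."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def alu_flags(op, dst, src):
    """Return the flags ADD/SUB/CMP/AND/TEST leave behind.
    CMP is SUB with the result discarded; TEST is AND with the result discarded."""
    dst &= MASK32
    src &= MASK32
    if op == "add":
        result = (dst + src) & MASK32
        cf = dst + src > MASK32                                          # unsigned carry out
        of = to_signed32(dst) + to_signed32(src) != to_signed32(result)  # signed overflow
    elif op in ("sub", "cmp"):
        result = (dst - src) & MASK32
        cf = dst < src                                                   # unsigned borrow
        of = to_signed32(dst) - to_signed32(src) != to_signed32(result)
    elif op in ("and", "test"):
        result = dst & src
        cf = of = False                                                  # logical ops clear CF and OF
    else:
        raise ValueError("unsupported op: %s" % op)
    return {
        "result": None if op in ("cmp", "test") else result,
        "ZF": result == 0,
        "SF": bool(result & 0x80000000),
        "CF": cf,
        "OF": of,
    }


# Condition each jump tests. JE/JZ and JNE/JNZ are the same opcodes.
JUMP_CONDITIONS = {
    "JMP": lambda f: True,
    "JE":  lambda f: f["ZF"],
    "JZ":  lambda f: f["ZF"],
    "JNE": lambda f: not f["ZF"],
    "JNZ": lambda f: not f["ZF"],
    "JG":  lambda f: not f["ZF"] and f["SF"] == f["OF"],   # signed >
    "JGE": lambda f: f["SF"] == f["OF"],                   # signed >=
    "JL":  lambda f: f["SF"] != f["OF"],                   # signed <
    "JLE": lambda f: f["ZF"] or f["SF"] != f["OF"],        # signed <=
    "JA":  lambda f: not f["CF"] and not f["ZF"],          # unsigned >
    "JB":  lambda f: f["CF"],                              # unsigned <
}


def taken(jump, flags):
    """True if the jump would be taken with the given flags."""
    return JUMP_CONDITIONS[jump](flags)


def compare_and_branch(dst, src):
    """CMP dst, src followed by every jump: returns the set of jumps that are taken."""
    flags = alu_flags("cmp", dst, src)
    return {j for j in JUMP_CONDITIONS if taken(j, flags)}


if __name__ == "__main__":
    # 1 compared with FFFFFFFF: greater as signed (1 > -1), below as unsigned
    print(sorted(compare_and_branch(1, 0xFFFFFFFF)))
    print(alu_flags("add", 0x7FFFFFFF, 1))   # signed overflow: OF set, CF clear
    print(alu_flags("add", 0xFFFFFFFF, 1))   # wraps to 0: CF and ZF set, OF clear
    print(alu_flags("test", 0, 0))           # TEST EAX, EAX with EAX = 0 -> ZF set
```

The CMP of 1 against FFFFFFFF is the case to remember: JG is taken (1 is greater than -1 as a signed value) while JA is not (1 is below FFFFFFFF as an unsigned value), and the only thing that distinguishes them is whether the jump reads the C flag or the S and O flags. When a disassembly shows a CMP followed by JL or JG, the compiler considered those values signed; a following JB or JA means unsigned, which is the detail that decides whether a length check can be bypassed with a negative value.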
XOR – The XOR instruction combines values using logical exclusive OR. XOR of a register with itself is the standard way to zero that register.
Syntax:
XOR destination, source
Logical Operations
The table below summarizes the logical operations, showing the results of AND, OR, NOT and XOR when the source or destination bit is 1 or 0.
Destination  Source | AND  OR  XOR | NOT Destination
     0         0    |  0   0    0  |        1
     0         1    |  0   1    1  |        1
     1         0    |  0   1    1  |        0
     1         1    |  1   1    0  |        0