Overview

Brief Intro

Application of AL & RE
Big/Little-endian

Basic info of IA32

Architecture
Work Mode
Register

Assembly Instruction

Data Define
mov, add, cmp, ja, jb, jg, jl, in&out, push&pop
jmp&loop

Addressing Mode

Direct Addressing
Register Direct Addressing
Register Indirect Addressing
Register Relative Addressing
Base Index Addressing

Interrupt

INTR
INTP
Interrupt Type Code
Keep the break point
Interrupt Vector Table

Block

Memory attribute: readable, writeable and executable.

Static Reversing

IDA Pro
Function Call
- Stack: ESP EBP
- Stack Frame
Calling Convention⚠️
- __cdecl
- __stdcall

Software Protection

Sequence ID Protection
Warning Windows
Time Restriction
Menu Function Restriction
KeyFile

Brief Introduction

Application of AL & RE

Assembly language application

Embedded system
Real-time system
Driver
Videospiel Console

Reverse Engineering

Debugging
Vulnerability mining
Computer Virus Analysis
Software Intellectual Property Protection

Big/Little-endian

Big-endian:

Usually in network transmit. The high-byte store in low-byte
z.B. 127.0.0.1 in memory: 7F 00 00 01

Little-endian:

In x86 etc, The low-byte store in low-byte
z.B. 127.0.0.1 in memory: 01 00 00 7F

Basic info of IA32

Architecture

32-bit memory address
32-bit oprand

Work Mode

Real-Address Mode

16 data lines
20 address lines
Memorize space 1 MiB, is divided into 4 parts: CS DS SS(stack seg) ES(extra seg)
physical address = segment address * 16 + logical address

Why we need segment?

Reduce the length of instructions and the execution time of instruction.
We have 20 address lines, which means we have 1 MiB storage space, but we have only 16 bits registers, so we use segment address * 16 + offset to access 20 bits physical address with 16 bits registers.

Protected Mode

32 bit
multi-task OS
Memory space: 4 GiB

Register

more detail

GPR

aka general purpose register.

In IA-32, there are 8 gpr.

EAX, EBX, ECX, EDX, ESP, EBP, ESI, EDI

for E[ABCD]X,

Right half of E?X is ?X.
Left half of ?X is ?H, right half is ?L

Stack pointer register: ESP, right half SP

Basic-address pointer register: EBP, right half BP

Source Index register: ESI, right half SI

Destination index register: EDI, right half DI.

Segment Register

CS code segment

DS data segment

SS stack segment

ES extra data segment

FS data segment (handle exception)

GS data segment

Assembly Instruction

more detail

Data Define

BYTE db 8-bit
WORD dw 16-bit
DWORD dd 32-bit
QWORD dq 64-bit

Several Common Instructions

MOV AX, BX
MOV [1000H], AL

PUSH AX
POP AX

IN AL
PORT IN AX
PORT

OUT PORT
AL OUT PORT AX

INC EBX
DEC EAX
ADD AX, BX
SUB AX, BX

CMP AX, BX
SHL/SHR reg/mem, 1/CL;logic left/right shift
SAL/SAR;arithmic left/right shift

JNE/JE/JA/JB

LOOP START
INT 21H

Addressing Mode

Direct Addressing
MOV, AX, 1234H
Register Direct Addressing
MOV AX,[2000H]
if (DS) = 3000H (AX)=[32000H] EA=2000H
Register Indirect Addressing
MOV AX,[BX]
Register Relative Addressing
MOV AX,[label+BX/SI/DI]
Base Index Addressing
MOV AX,[BX+DI]

Interrupt

INT N, N is the interrupt type code.

How do CPU response to the interrupt?

receive a interrupt signal from the INTR pin
send a responding signal to the INTA pin
read the interrupt type code from the data bus and store it to a temporary register.
keep a breakpoint for the next instruction, store the address of next instruction to the stack including the address of code segment CS and current offset IP.
use the interrupt type code to find the starting address of the interrupt service program at the interrupt vector table.

Block

Memory attribute: readable, writeable and executable.

Static Reversing

IDA Pro

Function Call

Stack: ESP(store address of stack top) EBP(store address of stack bottom)
Stack Frame more detail
Calling Convention⚠️
- __cdecl
  1. C/C++
  2. passing args from right to left
  3. caller function pop stack.
- __stdcall
  1. Win32 API
  2. passing args from left to right
  3. callee function pop stack.
How to identify?
check whether ESP is changed after calling, if true, __cdecl; else, __stdcall.