x86 Assembly for Reverse Engineers (Crash Course)

1. https://sensepost.com/blogstatic/2014/01/SensePost_crash_course_in_x86_assembly-.pdf
2.  
3. 1.1
4. Introduction
5. The hardest part of learning x86 assembly in 2013 is find
6. ing
7. good
8. tutorials
9. . As the popularity
10. of low level languages
11. decreases
12. the
13. incitement
14. to create fresh up to date
15. tutori
16. als
17. is limited.
18. At the same time x86 assembly is critical
19. in many security related fields
20. such as malware
21. ana
22. lysis, vulnerability research and
23. exploit
24. development
25. .
26. This
27. document
28. was created
29. to address the lack of
30. tutorials
31. in a fast, pedagogical and cheap
32. manner. While it is not a complete introduction, it addresses enough to prepare careful
33. readers
34. with the
35. necessary knowledge
36. base to be able to decipher non
37. -
38. obfuscated assembly.
39. And it does so within less than thirty pages.
40. For pedagogical reasons
41. focus i
42. s kept to what the reader
43. assumedly
44. knows about C or C
45. -
46. based languages
47. (like Java or C#)
48. . Hopefully this minimizes the confusion that usually
49. appears when people are trying to learn a stack based language for the first time.
50.  
51. 1
52. T
53. ABLE OF
54. C
55. ONTENTS
56. 1
57. Table of Contents
58. ................................
59. ................................
60. ................................
61. ..............
62. 2
63. 1.1
64. Introduction
65. ................................
66. ................................
67. ................................
68. ................
69. 3
70. 1.2
71. Bits, bytes, words, double words
72. ................................
73. ................................
74. ...............
75. 4
76. 1.3
77. Registers
78. ................................
79. ................................
80. ................................
81. ....................
82. 5
83. 1.3.1
84. General purpose registers
85. ................................
86. ................................
87. .................
88. 5
89. 1.3.2
90. Segment registers
91. ................................
92. ................................
93. ..............................
94. 6
95. 1.3.3
96. Status flag registers
97. ................................
98. ................................
99. ...........................
100. 6
101. 1.3.4
102. EIP
103. -
104. Extended Instruction Pointer
105. ................................
106. ................................
107. ....
108. 7
109. 1.4
110. Segments & offsets
111. ................................
112. ................................
113. ................................
114. ....
115. 8
116. 1.4.1
117. The sta
118. ck
119. ................................
120. ................................
121. ................................
122. ...........
123. 8
124. 1.4.2
125. Stack frames
126. ................................
127. ................................
128. ................................
129. ......
130. 8
131. 1.4.3
132. The Heap
133. ................................
134. ................................
135. ................................
136. ...........
137. 8
138. 1.5
139. Instructions
140. ................................
141. ................................
142. ................................
143. ..............
144. 10
145. 1.5.1
146. Arithmetic operations
147. -
148. ADD , SUB, MUL, IMUL, DIV, IDIV...
149. .........................
150. 11
151. 1.5.2
152. Bitwise operations
153. –
154. AND, OR, XOR, NOT
155. ................................
156. .....................
157. 12
158. 1.5.3
159. Branching
160. –
161. JMP, JE, JLE, JNZ, JZ, JBE, JGE...
162. ................................
163. ...........
164. 13
165. 1.5.4
166. Data moving
167. –
168. MOV, MOVS, MOVSB, MOVSW, MOVZX, MOVSX, LEA...
169. ..
170. 14
171. 1.5.5
172. Loops
173. –
174. LOOP, REP...
175. ................................
176. ................................
177. ....................
178. 15
179. 1.5.6
180. Stack management
181. –
182. POP, PUSH
183. ................................
184. ................................
185. ..
186. 16
187. 1.5.7
188. Functions
189. –
190. CA
191. LL, RET
192. ................................
193. ................................
194. ...................
195. 16
196. 1.5.8
197. Interrupts, Debugger traps
198. –
199. INT, trap flag
200. ................................
201. .....................
202. 18
203. 1.6
204. Calling conventions
205. ................................
206. ................................
207. ................................
208. ..
209. 19
210. 1.6.1
211. stdcall
212. ................................
213. ................................
214. ................................
215. ...............
216. 19
217. 1.6.2
218. cdecl
219. ................................
220. ................................
221. ................................
222. .................
223. 19
224. 1.6.3
225. pascal
226. ................................
227. ................................
228. ................................
229. ...............
230. 19
231. 1.6.4
232. fastcall
233. ................................
234. ................................
235. ................................
236. ..............
237. 19
238. 1.6.5
239. Others calling conventions
240. ................................
241. ................................
242. ...............
243. 19
244. 1.7
245. C to x86 assembly
246. ................................
247. ................................
248. ................................
249. ...
250. 20
251. 1.7.1
252. Single
253. -
254. Branch Conditionals
255. ................................
256. ................................
257. .............
258. 20
259. 1.7.2
260. Two
261. -
262. way Conditionals
263. ................................
264. ................................
265. ......................
266. 21
267. 1.7.3
268. L
269. ogical operations
270. -
271. AND
272. ................................
273. ................................
274. .................
275. 22
276. 1.7.4
277. Logical operations
278. -
279. OR
280. ................................
281. ................................
282. ...................
283. 23
284. 1.7.5
285. Loops
286. ................................
287. ................................
288. ................................
289. ...............
290. 24
291. 1.7.6
292. Function ca
293. lls
294. ................................
295. ................................
296. ................................
297. ...
298. 25
299. 1.8
300. Reverse engineering tools
301. ................................
302. ................................
303. .......................
304. 26
305. 1.8.1
306. OllyDBG tutorials
307. ................................
308. ................................
309. .............................
310. 26
311. 1.8.2
312. IDA Pro tutorials
313. ................................
314. ................................
315. ...............................
316. 26