Assembly Instruction Learning (i)

Source: Internet
Author: User
Tags: mul

A simple record of the learning process, kept here so it is easy to find later.

One, registers
1. ESP points to the top of the stack.
EIP points to the next instruction to be executed.

EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI and EIP are all referred to as 32-bit registers.
AX holds the low 16 bits of EAX (its last four hex digits), and can in turn be divided into AL and AH.

2. Flag register
The flags are C, P, A, Z, S, T, D and O.

1) O flag (overflow flag): set when a signed operation changes the sign bit, that is, when the result it returns is wrong. Take a look at the following examples in OllyDbg, again using Cruehead's CrackMe A.
We change the value of EAX to 7FFFFFFF, which, as described earlier, is the largest positive number.

2) A flag (auxiliary carry flag)

3) P flag (parity flag)
The P flag is set when the result of the instruction, written in binary, contains an even number of 1 bits.
For example: 1010, 1100, 1111000.

4) Z flag (zero flag)
This is one of the best-known and most useful flags in the cracking process. It is set when the operation produces a result of 0.

5) S flag (sign flag)
This flag is set to 1 when the result of the operation is negative.

6) C flag (carry flag)
Set when the result of an unsigned operation exceeds the maximum value the register can hold.


Two, mathematical instructions

1. INC adds one, DEC subtracts one.

2. The ADD instruction has two operands; the sum is stored in the first operand.
ADD EAX,1 is equivalent to INC EAX. ADD can also add two registers.

3. ADC (add with carry)
Adds the two operands together with the carry flag; the result is stored in the first operand.

4. SUB
Subtracts the second operand from the first operand and stores the result in the first operand.
SUB EAX,DWORD PTR DS:[405000]
Subtracts the value of the memory cell at 405000 from EAX and saves the result in EAX.

5. SBB
The counterpart of ADC: it subtracts the second operand and the carry flag from the first operand, and the result is stored in the first operand.

6. MUL (unsigned multiplication)
There are two kinds of multiplication. The first is MUL, the unsigned multiplication: it takes only one operand, the other operand is implicitly EAX, and the result is stored in EDX:EAX.
For example:
MUL ECX
This multiplies the unsigned numbers in EAX and ECX and stores the result in EDX:EAX.
One part is saved in EAX and the other part in EDX: EAX holds the low half and the high half that does not fit goes into EDX, so the result is twice the size of a single register.

7. IMUL (signed multiplication). Unlike MUL, IMUL also allows the use of multiple operands.
Although EAX and EDX are used by default, we can also specify other data sources and a target, with up to three operands.

IMUL EBP, DWORD PTR [ESI+74], FF800002
Multiplies the value of the memory cell at ESI+74 by FF800002 and stores the result in EBP.

8. DIV (unsigned division) / IDIV (signed division)
DIV has only one operand, which must be an unsigned number, and the result is stored in EDX:EAX (the quotient in EAX, the remainder in EDX).
IDIV instructions are often used. With one operand it is similar to DIV, except that the operand is signed, and the result is still stored in EDX:EAX. With two operands, the first operand is divided by the second operand, and the result is stored in the first operand.
With three operands, the second operand is divided by the third operand, and the result is stored in the first operand.

9. XADD (exchange and add)
As you can imagine, this instruction is a combination of the two simple instructions XCHG and ADD.

10. NEG
The purpose of this instruction is to reverse the sign of the operand: if we have a 32-bit hexadecimal number, NEG produces its negation.
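An added Python model (not code from the original page) of the register behaviour described above: how MUL/IMUL spread their product over EDX:EAX, how DIV splits the EDX:EAX dividend into quotient and remainder (and faults with #DE when the quotient does not fit in EAX), and what NEG does to the sign. Register names follow the instructions above; the values used are constructed.

```python
# Added example, not from the original page: 32-bit x86 arithmetic modelled in Python.
MASK32 = 0xFFFFFFFF


def to_signed32(v):
    """Interpret a 32-bit register value as a signed (two's complement) number."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def mul_ecx(eax, ecx):
    """MUL ECX: unsigned EAX*ECX; returns (edx, eax) = high and low 32 bits of the product."""
    product = (eax & MASK32) * (ecx & MASK32)
    return product >> 32, product & MASK32


def imul_ecx(eax, ecx):
    """IMUL ECX (one-operand form): signed EAX*ECX, 64-bit result in EDX:EAX."""
    product = to_signed32(eax) * to_signed32(ecx)
    product &= (1 << 64) - 1            # wrap to the 64-bit register pair
    return product >> 32, product & MASK32


def div_ecx(edx, eax, ecx):
    """DIV ECX: unsigned EDX:EAX / ECX -> (eax=quotient, edx=remainder).

    Raises ZeroDivisionError where the CPU raises #DE: divisor zero, or a
    quotient too large for EAX (a common crash when EDX is not cleared first).
    """
    if ecx & MASK32 == 0:
        raise ZeroDivisionError("DIV by zero -> #DE")
    dividend = ((edx & MASK32) << 32) | (eax & MASK32)
    quotient, remainder = divmod(dividend, ecx & MASK32)
    if quotient > MASK32:
        raise ZeroDivisionError("quotient does not fit in EAX -> #DE")
    return quotient, remainder


def div_faults(edx, eax, ecx):
    """True if DIV ECX would raise #DE for these register values."""
    try:
        div_ecx(edx, eax, ecx)
        return False
    except ZeroDivisionError:
        return True


def neg32(v):
    """NEG: two's complement negation; returns (result, CF), CF set unless v was 0."""
    return (-v) & MASK32, (v & MASK32) != 0
```

Note that NEG of 80000000 gives 80000000 again: the most negative 32-bit value has no positive counterpart.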

Three, operation instructions

1. NOP: no-operation instruction. A NOP takes only one byte, so a two-byte PUSH can be replaced with two NOPs.

2. PUSH: pushes the operand onto the stack.
PUSH [401000] is not the same as PUSH 401000: the first pushes the contents of the memory cell at 401000, the second pushes the value 401000 itself.
Memory contents are read and written in reverse byte order (little-endian); this is a feature of the processor.

3. POP
POP takes the first value from the top of the stack and stores it in the specified destination register or memory cell.
For example, POP EAX takes the value at the top of the stack and stores it in EAX; the next value then becomes the top of the stack.

4. PUSHAD
PUSHAD pushes the contents of all the general-purpose registers onto the stack in a fixed order;
PUSHAD is equivalent to 'PUSH EAX, PUSH ECX, PUSH EDX, PUSH EBX, PUSH ESP, PUSH EBP, PUSH ESI, PUSH EDI'.

5. POPAD
This instruction is the exact opposite of PUSHAD: it takes the values from the stack and places them back in the corresponding registers.
POPAD is equivalent to 'POP EDI, POP ESI, POP EBP, POP ESP, POP EBX, POP EDX, POP ECX, POP EAX'.

There are also 16-bit versions:
PUSHA is equivalent to 'PUSH AX, CX, DX, BX, SP, BP, SI, DI'.
POPA is equivalent to 'POP DI, SI, BP, SP, BX, DX, CX, AX'.

6. MOV
The instruction assigns the second operand to the first operand, for example:
MOV EAX, EBX

MOVSX (move with sign extension)
The second operand may be a register or a memory cell. The first operand has more bits than the second, and the sign bit of the second operand fills the remaining bits of the first.
The 16-bit range is 0000 to FFFF: 0000 to 7FFF are positive numbers, and 8000 to FFFF are negative numbers.
If the value is negative the upper bits are filled with F, if positive with 0.

MOVZX (move with zero extension)
MOVZX is similar to the preceding instruction, but here the remaining bits are not filled according to the sign of the second operand; they are always filled with 0.
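As an added example (not from the original page), MOVSX and MOVZX modelled in Python for the 16-bit ranges given above, generalised to any source width. The point worth remembering for defenders: the same 16-bit value 8000 becomes a negative number after MOVSX but a large positive one after MOVZX, which is how a length or index check can be bypassed when the compiler's choice of extension does not match what the programmer assumed.

```python
# Added example, not from the original page: sign- vs zero-extension of register values.
def movzx(value, src_bits, dst_bits=32):
    """MOVZX: copy the low src_bits of value; the remaining dst bits are always 0."""
    assert dst_bits > src_bits
    return value & ((1 << src_bits) - 1)


def movsx(value, src_bits, dst_bits=32):
    """MOVSX: copy the low src_bits and replicate the source sign bit into the rest."""
    assert dst_bits > src_bits
    low = value & ((1 << src_bits) - 1)
    if low >> (src_bits - 1):                    # sign bit set (8000..FFFF for 16-bit)
        upper = ((1 << dst_bits) - 1) ^ ((1 << src_bits) - 1)
        low |= upper                             # fill the upper bits with F
    return low


def as_signed(value, bits):
    """Interpret a bits-wide two's complement register value as a Python int."""
    value &= (1 << bits) - 1
    return value - (1 << bits) if value >> (bits - 1) else value


def length_check_passes(length16, limit, use_movsx):
    """A guard 'if (len <= limit)' on a 16-bit field, as it would behave after each extension.

    With MOVSX the comparison is on a signed value, so 8000..FFFF look negative
    and pass the check although the unsigned length is far above the limit.
    """
    extended = movsx(length16, 16) if use_movsx else movzx(length16, 16)
    return as_signed(extended, 32) <= limit
```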

7. XCHG (exchange register/memory cell with register)
This instruction can also be used to swap the values of a register and a memory cell.

8. LEA (load effective address)
Similar to the MOV instruction, but the first operand is a general-purpose register and the second operand is a memory operand; the register receives the address, not its contents. This instruction is useful when an address calculation depends on a previous result.


Four, compare and jump instructions

1. CMP
The instruction compares two operands. It is effectively a SUB instruction whose result is not saved to the first operand; only the flags are changed according to the result of the subtraction. When the two operands are equal, the zero flag is set to 1.
It can be followed by a JZ, which jumps when that flag is set, for example to the "success" branch.

2. TEST (logical comparison)
ANDs the two operands; the result is not saved, but the corresponding flags (for example SF, ZF, PF) are changed.

3. Jumps
JMP – unconditional jump
JE, JZ – jump if the result is zero (zero flag Z=1)
JNE, JNZ – jump if the result is not zero
JS – jump if the result is negative (sign flag S=1)
JNS – jump if the result is not negative
JP, JPE – jump if the number of 1 bits in the result is even (parity flag P=1)
JNP, JPO – jump if the number of 1 bits in the result is odd
JO – jump if the result overflowed
JNO – jump if the result did not overflow
JB, JNAE – jump if below (unsigned)
JNB, JAE – jump if above or equal (unsigned)
JBE, JNA – jump if below or equal (unsigned)
JNBE, JA – jump if above (unsigned)
JL, JNGE – jump if less (signed)
JNL, JGE – jump if greater or equal (signed)
JLE, JNG – jump if less or equal (signed)
JNLE, JG – jump if greater (signed)
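An added example (not code from the original page) covering both the flag register section and the CMP/jump table above: it computes the C, P, A, Z, S and O flags that ADD, SUB or CMP set on 32-bit operands, then lists which jumps from the table would be taken. The operand values are constructed; 7FFFFFFF + 1 is the overflow case the notes mention, and comparing FFFFFFFF with 1 shows why the unsigned jumps (JA) and the signed jumps (JL) disagree about the same two values.

```python
# Added example, not from the original page: EFLAGS after CMP/SUB/ADD and the resulting Jcc.
MASK32 = 0xFFFFFFFF


def parity_even(value):
    """PF looks only at the low 8 bits: set when they contain an even number of 1s."""
    return bin(value & 0xFF).count("1") % 2 == 0


def flags_after(op, a, b):
    """Flags C, P, A, Z, S, O after ADD, SUB or CMP on two 32-bit operands (a op b)."""
    a &= MASK32
    b &= MASK32
    if op == "add":
        full = a + b
        af = (a & 0xF) + (b & 0xF) > 0xF          # carry out of bit 3
    elif op in ("sub", "cmp"):
        full = a - b                              # CMP is SUB without storing the result
        af = (a & 0xF) < (b & 0xF)                # borrow into bit 3
    else:
        raise ValueError("unsupported op: " + op)
    res = full & MASK32
    cf = full > MASK32 or full < 0                # unsigned carry (ADD) or borrow (SUB)
    sa, sb, sr = a >> 31, b >> 31, res >> 31
    # OF: the signed result has a sign that the operand signs make impossible.
    of = (sr != sa) and (sa == sb if op == "add" else sa != sb)
    return {"CF": cf, "PF": parity_even(res), "AF": af,
            "ZF": res == 0, "SF": bool(sr), "OF": of}


def taken_jumps(f):
    """Jcc mnemonics from the jump table that would be taken given flags f."""
    lt = f["SF"] != f["OF"]                       # signed less-than
    cond = {
        "JZ/JE": f["ZF"],              "JNZ/JNE": not f["ZF"],
        "JS": f["SF"],                 "JNS": not f["SF"],
        "JP/JPE": f["PF"],             "JNP/JPO": not f["PF"],
        "JO": f["OF"],                 "JNO": not f["OF"],
        "JB/JNAE": f["CF"],            "JNB/JAE": not f["CF"],
        "JBE/JNA": f["CF"] or f["ZF"], "JNBE/JA": not (f["CF"] or f["ZF"]),
        "JL/JNGE": lt,                 "JNL/JGE": not lt,
        "JLE/JNG": lt or f["ZF"],      "JNLE/JG": not (lt or f["ZF"]),
    }
    return sorted(name for name, taken in cond.items() if taken)


def compare(a, b):
    """CMP a,b followed by the whole jump table: the jumps that would fire."""
    return taken_jumps(flags_after("cmp", a, b))
```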
