Basic for concentrated Assembly)

Question: How to introduce new users to the concentrated assembly
Prepared by: dashu No. 1
Duration: 2007-04-27,09: 54

Preface:
I am writing this article for my personal interest. I must declare that my abilities are very limited! I have referenced many articles! Because more information and tutorials cannot be provided, the topic of the article is called "the basis of concentrated compilation for Beginners ". The main focus is on the Compilation knowledge required in the cracking process, which is easy for beginners to understand. I will describe it in a more popular language! I hope you will not say "low-level"--B
Reason for writing this article:
1. Out of interest
2. Helping you learn and consolidate yourself, helping new users
Note:
This article does not teach you how to compile assembler programs, but just wants to introduce new users to the Crack door. This is also the reason for some people who are too late to succeed in Crack!
It is best to be able to inspire others to learn the compilation!

The important point is that, without understanding assembly, there is no way to Crack it. I hope you can learn it with this!

Bytes -----------------------------------------------------------------------------------------------
1.0 Assembly Language
The Assembly Language is created to replace the original binary code that can only be understood by the processor, that is, the common machine code in OD! If you use machine code to write programs, you can imagine the difficulty. Therefore, the assembly language appears. The Assembly Code directly describes the code that can be executed by the processor, that is, the most common disassembly code in OD! (Of course, it's a bit different), while the Assembly Language is cpu-related, and one-to-one correspondence with the machine language!

2.0 about cpu
The CPU task is to execute the command sequence stored in the memory. Therefore, in addition to completing arithmetic logic operations, you also need to perform data transmission tasks between the CPU, memory, and I/O. Early CPU chips only included two major components: the memory generator and the Controller. In recent years, in order to make the memory speed better match the speed of the timer, high-speed buffer memory is introduced into the chip (Do you know why P4 is much more expensive than P4 ?).
See the main components:
1. The arithmetic logic component ALU (arithmetic logic unit) is used for arithmetic and logical operations. This part has little to do with us, so we don't have to worry about it.
2. control logic. It has little to do with us.
3. Working register. Register! Hello, register !~

3.0 registers
We want to know eight 32-bit registers, including eax, ebx, ecx, edx, esp, ebp, edi, and esi.
Eax-edX these four are General registers, although each has its own use, but you can use them to do anything! It is 32-bit. Naturally there are low and high positions. We can use ax, BX, CX, and dx to access its 16-bit low, but the 16-bit high won't be accessible! For example, if eax = 12345678 H, the 16-bit AX = 5678 H is low! However, there are naturally low and high 16 bits, but high 8 bits can be accessed. For example, ax can be divided into AH and Al, which can be understood literally, AH (high) when the height is 8 bits, Al is the lower 8 bits! In the previous example, Ax = 5678 H, Ah = 56 h, Al = 78 H! These four registers are mainly used to temporarily release the calculation results or something!
The four ESP-ESI addresses are mainly used to store offsets or pointers. Therefore, they are also called pointer registers or address change registers ~ As shown in [eax] In OD, eax actually stores a memory address, and actually accesses the content in that memory address!
ESP (Stack pointer register ):
An important introduction is that the stack has advanced features, as if there is a cylindrical tube, which is exactly the diameter of a table tennis ball, so the first ball to be put will come out. ESP always points to the top ball, that is, always points to the top of the stack! It is also common in OD. For example, push and pop are Stack operations. Push pushes data into the stack, that is, putting a ball in, put another one when calling push, and ESP points to the second ball! When pop is used, a piece of data is popped up from the stack. As mentioned above, the stack has the characteristics of being advanced and later, so with Pop, the ball that is finally put in goes out first (unless you destroy the package (destroy the stack? That's impossible. The program will die for you immediately ))! ESP points to the top of the stack!
Sample Code:
(1) mov ECx, 100 <--------- 100 transfer ECx
(2) mov eax, 200 <--------- 200 incoming eax
(3) push eax <------------ ecx advanced
(4) push ecx <------------- and then eax
(5) pop ebx <-------------- extracts one from the top of the stack, which is also the last one. The result is saved to ebx.
(6) pop ecx <-------------- extract one from the top of the stack, that is, the first one, and save the result to ecx.
Finally, ebx = 200, ecx = 100
On the win32 platform, everyone knows the api! Api parameters are transmitted by stacks. For example, if a FindWindow is used, I call
->:: FindWindow (NULL, "a")-> after disassembly, the code at the underlying level of the system is like this:
Push xxxxxxxx-> xxxxxxxx is the memory address of ""
Push yyyyyyyy-> yyyyyyyy is the pointer of a character string in the air.
Call zzzzzzzz-> call FindWindow
In the call, pop is used to pop up the parameters pushed into the stack before use.

Ebp (base address pointer register ):
It is called base address pointer registers. They can all be used with the stack segment register SS (stack segment) to determine the address of a storage unit in the stack. ESP is used to indicate the offset address at the top of the segment, the EBP can be used as a base address in the stack area to access information in the stack.

ESI (source address change register) and EDI (Destination Address Change register) are generally used together with the data segment register DS to determine the address of a storage unit in the data segment. The two address change registers provide the automatic increment and automatic reduction functions, which can be easily used for address change.

There are two dedicated registers, eip and flags.
Flags:
This is a register that stores the condition flag, control mark, and system sign! We can also see a lot in od, such as zf (zero mark). When we use cmp for comparison, we subtract two operands. If we set it to 0, we set zf to 1. Otherwise, zf is 0. Jnz is to check whether zf is 0. If it is 0, it will jump! In this case, it seems even more messy. We suggest you remember the ones that are bigger than just jump, and those that are smaller than just jump, which is relatively simple (jnz is just jump if they are not equal) ''Oh !! As for other logos, I will not elaborate on them here. You can refer to quick query of compilation!
Cmp eax, ebx <-compare eax and ebx. If the two values are subtracted, zf is the same. Otherwise, zf is 0.
Jnz xxxxxxx <-determine whether zf is 0. If it is 0, it will jump to xxxxxxx. That is, if it is not equal, it will jump.

Eip (Instruction Pointer register ):
This is easy to understand. According to od, after loading a program, the code is like this:
0043C412>/$ Content $ nbsp; 55 push ebp <-stop here after loading. Check that the eip in the register window is 43c412.
0043C413 |. 8BEC mov ebp, after esp <-f8 runs one step, the eip is 43c413
0043C415 |. 6A FF push-1 <-eip: 43c415
0043C417 |. 68 C8B64800 push 0048B6C8 <-eip: 43c417
Someone will say, "the original EIP indicates the address currently executed to the code! ", This is not correct !! Because F8 has not passed the Code, it is not executed yet. Yes, the EIP points to the pointer of the next command to be executed!

Segment register:
CS code segment, DS data segment, SS stack segment, and ES additional segment
The concept in the middle section of Win32 programming is no longer important! In the crack era, you won't always be calling programs in the DOS era! -!

4.0 Common Assembly commands
MoV ax, CX <-is very common. The CX value is sent to ax, and the Cx value remains unchanged.
CMP eax and ECx <-very common. Compare eax and ECx to set the flag! Method
XOR eax and eax <-here, eax is different from itself or, it is a zeroed operation!
Lea eax, STR <-do not transmit data, only transmit the address of the data, send the address of the STR string to eax
Push eax <-stack import operation. As mentioned earlier, eax is used for Stack import.
Pop EBX <-out stack operation. As mentioned above, the pop-up of data stored on the top of the stack is saved to EBX.
Add addition Command Format: Add DST, Src: (DST) <-(SRC) + (DST)
Sub subtraction Command Format: Sub DST, Src: (DST) <-(DST)-(SRC)
MUL unsigned multiplication Command Format: operations performed by mul src: byte operations (AX) <-(AL) * (SRC); word operations (DX, AX) <-(AX) * (SRC); double-word operations: (EDX, EAX) <-(EAX) * (SRC)
DIV unsigned division command format: operations performed by div src: byte operations: 16. The divisor is in AX. The 8-bit divisor is the source operand, and the result's 8-bit operator is in AL, the 8-digit remainder is in AH. Indicates:
(AL) <-(AX)/(SRC) operator, (AH) <-(AX)/(SRC) remainder. Word operation: 32-bit dividend in DX and AX. DX is a high-level word, and the 16-bit Division is the source operand. the result's 16-bit quotient is in AX, and the 16-bit remainder is in DX. The remainder of (AX) <-(DX, AX)/(SRC) operator, (DX) <-(DX, AX)/(SRC.
Nop <-no operation. Remove the command! Remove a jump and let the program go down directly. The registration is successful (it's far away '''')
Call <-used to call a subroutine or function

For instructions on jump, you can view the compilation quick query manual. Don't force yourself to remember all the instructions. It's a waste of energy. If you don't understand them, check them again. You'll remember it after a long time!

5.0 compilation of advanced language programs
The assembly language should deal with hardware directly. It is easy to write viruses !! In advanced languages, for example, in C, we need to solve the problem. For hardware resource operations, the compiler has done it! Here we will talk a little bit about the corresponding content of the disassembly code in the advanced language:
1. Define Variables
Int;
A variable is actually stored in a memory address. If "a = 10" is assigned to a, it may be manifested in disassembly:
Mov word ptr [007e58c2],
Like this, the memory address corresponding to a is 0x007e58c2. Of course, it is a random address. How can the system allocate it? (Days know ...)

2. For example, an array
Char str [] = "hello ";
It occupies 6 bytes, And the last empty byte ending with 0. The array name can be used as an array pointer! Str [0] = 'h', str [0] corresponds to a variable address, for example, [0040e123], then [0040e124] is 'E ', [0040e125] Is 'L '....'

3. pointer
Char * p;
The pointer is also a variable, so it also corresponds to a memory address! However, the access should be the content directed to the memory address, rather than the content of the pointer variable. The content is just an address! If the pointer variable address is 007e1000, then the statement p = a. In the advanced language, the pointer p is directed to the memory unit! The content in p is the address of a, and * p is actually the content of! However, disassembly may look like this:
Mov [007e1000], 007e2000 <-If 007e2000 is the address of variable a, the address of a is uploaded to the content of 007e1000!

4. function call
Sub (a, B );
If sub is a user-defined subtraction function, the function is to subtract parameter 1 from parameter 2. The preceding statement is used to pass parameters in C! As mentioned above, function call parameters on the Win32 platform are passed through stacks, so disassembly is:
(Suppose a = 2, B = 1)
Mov eax, 2
Mov ebx, 1
Push eax
Push ebx
Call address (sub)
.......
Bytes -----------------------------------------------------------------------------------------------

Well, I 'd like to thank you for reading this article. I have also reviewed a lot of knowledge! I don't know if it is helpful to new users in my ability. I also want to remind you that if you really want to learn Crack well, not fully understand assembly! So after reading this article, it would be the best if you could inspire confidence in the compilation! It's hard to wait until the Crack encounters any problem and try again to learn the compilation !~

Note: if there is something wrong with this article, please criticize and correct it (even if it is a big dish). In addition, I have referred to many articles. Some of the articles are copied directly because they are relatively lazy ~ However, I tried to explain it to new users based on my own understanding !!